IT | EN

Privacy Policy

Version: 1.3  ·  Effective from: July 7, 2026  ·  Last updated: July 7, 2026
Print / Save PDF Previous versions Cookie Policy Terms of Service

This Privacy Policy is issued in compliance with Regulation (EU) 2016/679 («GDPR»), Italian Legislative Decree 196/2003 as amended, and Directive 2002/58/EC («ePrivacy»), describing how personal data of NEXO IP users is processed.

Table of contents

1. Data controller

The Data Controller is Nexo Labs S.r.l.s..

NameNexo Labs S.r.l.s.
Registered officeVia San Gabriele 4/A, 63066 Grottammare (AP), Italy
VAT / Tax ID02612080446
Companies Register (REA)AP - 317280
Emailprivacy@nexoip.it
Certified email (PEC)amministrazione@pec.nexolabs.it

2. Data Protection Officer (DPO)

Pursuant to Art. 37 GDPR, the Controller has assessed the obligation to appoint a DPO and has determined that such appointment is not mandatory, since its core activities do not involve regular and systematic monitoring of data subjects on a large scale, nor large-scale processing of special categories of data. Privacy enquiries may nonetheless be addressed to privacy@nexoip.it.

3. Categories of data processed

CategoryExamples
Account dataUsername, email, password hash, role, creation date, registration and login IP
Notification recipient contactsName, email, phone number of contacts configured by the user. Encrypted at rest (AES-128 Fernet).
SIA-IP eventsEvent code, timestamp, partition, zone, description, control panel IP. Do not directly identify natural persons.
Notification logsSend tracking (timestamp, channel, outcome) for service accountability.
Technical and security logsIP, user-agent, access timestamps, failed attempts, IP bans.
Credit movementsPrepaid credit amounts and balances stored in our database. No card data transits NEXO IP: top-up requests generate an order in Fatture in Cloud (TeamSystem) for the issuance of fiscal and accounting documents.
Invoicing dataCompany name or full name, address, VAT number or tax code, certified email (PEC) or SDI recipient code, country. Voluntarily provided by the user at top-up request, for the purpose of issuing fiscal and accounting documents.
ConsentsAccepted policy version, timestamp, IP, user-agent (Art. 7 GDPR — accountability).
Push subscriptions / WebAuthn credentialsBrowser push endpoint, biometric/passkey credentials when activated by the user.

4. Purposes and legal basis

PurposeLegal basisCategories
Providing the SIA-IP/API reception service and multi-channel notifications (SMS, WhatsApp, voice, email, Telegram, push)Contract performance (Art. 6.1.b)Account, contacts, events, logs
Authentication, session management, fraud/abuse preventionContract + legitimate interest (Art. 6.1.f) for securityAccount, technical logs
Prepaid credit and top-ups (admin)Contract performance (Art. 6.1.b)Credit movements
Accounting, tax and administrative obligations (issuing invoices/receipts)Legal obligation (Art. 6.1.c)Credit movements, invoicing data
Defense in legal proceedingsLegitimate interest (Art. 6.1.f)All relevant categories
Service improvement (anonymous/aggregate analytics)Legitimate interest (Art. 6.1.f)Aggregated technical logs

The service does NOT perform direct marketing, profiling or automated decision-making under Art. 22 GDPR.

5. Sub-processors (Art. 28 GDPR)

Sub-processorServiceDataLocationSafeguards
Telnyx LLCVoice calls (TeXML)Recipient phone number, alert contentUSA (optional EU region)EU SCC (2021/914) + vendor DPA
BulkGate s.r.o.SMS and WhatsAppRecipient phone number, alert contentEU (Czech Republic)EU controller (GDPR) + vendor DPA
Telegram FZ-LLC (Bot API)Telegram notificationsRecipient chat ID, alert contentVarious (cloud)Vendor ToS
Fatture in Cloud (TeamSystem S.p.A.)Order issuance and fiscal/accounting documentsInvoicing data (company name/full name, address, VAT number/tax code, PEC/SDI code, email), amountsItaly (EU)DPA under Art. 28 GDPR, EU hosting
SMTP provider (authsmtp.securemail.pro)Transactional email (OTP, notifications, alerts)Recipient email, message contentEuropean UnionTLS connections, DPA with vendor
Hosting infrastructure (Hetzner Online GmbH)Server hosting, database storageAll application dataEuropean Union (Germany)DPA under Art. 28 GDPR, ISO 27001 / BSI C5 certifications, encryption in transit and at rest
Web Push (self-hosted VAPID)Browser push notificationsEncrypted browser endpoint, notification payloadEndpoints managed by user's browser (Google FCM / Mozilla / Apple)Endpoints encrypted with locally generated VAPID keys

6. Data retention

CategoryRetention
Account data (active)Duration of contractual relationship
Account data after deletionImmediate anonymization on data subject request
Recipient contactsUser-controlled, editable / deletable anytime
SIA-IP events7 days (automatic deletion)
Notification logs7 days (automatic deletion)
Technical security logs90 days
GDPR audit log (Art. 5(2) accountability)5 years
Completed DSAR requests3 years
Tax/invoicing documents10 years (Italian Civil Code Art. 2220)
Push subscriptions90 days from last activity
Pending registrations (unverified OTP)30 days

7. International data transfers

Application data is hosted on infrastructure located in the European Union. Transfers to third countries occur only towards:

Transfers to third countries only take place where adequate safeguards under Chapter V GDPR are in place. Sub-processors' DPAs are publicly available on their websites and upon request.

8. Data subject rights

You may exercise the following rights anytime (Arts. 15-22 GDPR):

Self-service: registered users can directly exercise access (data export), rectification and erasure via the Privacy Dashboard. For more complex requests (portability, restriction, objection) contact privacy@nexoip.it. We respond within 30 days (extendable to 60 in complex cases, Art. 12 GDPR).

9. Cookies

The service uses strictly necessary technical cookies only (authenticated session, CSRF protection, language preference). These cookies are exempt from prior consent under Art. 122 D.lgs 196/2003 and Art. 5.3 of the ePrivacy Directive. See the Cookie Policy for details.

10. Data Breach procedure

  1. Identification and containment, isolation of compromised systems.
  2. Risk assessment for data subjects' rights and freedoms.
  3. Notification to the supervisory authority within 72 hours where risk is not unlikely (Art. 33).
  4. Communication to data subjects without undue delay if risk is high (Art. 34).
  5. Internal documentation of all breaches.
  6. Post-incident analysis and remediation.

11. Impact assessment (DPIA)

The Controller performed a preliminary impact assessment under Art. 35 GDPR, classifying processing as low/medium risk: no special categories (Art. 9), no large-scale systematic monitoring, no automated decision-making. A DPIA summary is available upon reasoned request at privacy@nexoip.it.

12. Records of processing (Art. 30)

The Controller maintains a Record of Processing Activities pursuant to Art. 30 GDPR. It is available to the supervisory authority and, upon reasoned request, to data subjects.

13. Security measures (Art. 32)

14. Changes and version history

This notice may be updated to reflect legal, organizational or technological changes. Material changes will be notified to registered users and require renewed explicit acceptance at next login.

Previous versions are available at /legal/versions/.

15. Contact

By accepting this Privacy Policy, you confirm having read, understood and consented to processing for the purposes set out, within the limits of the legal bases indicated.