1. Data controller
The data controller for the personal data processed through GooUX is Altea Software S.r.l., registered office Via Werner von Siemens 29, 39100 Bolzano (BZ), Italy — VAT and tax code IT01587030212; registered with the Bolzano Company Register, REA BZ-130680; share capital €10,000 fully paid-up. You can contact us for any data protection matter at info@altea.it (certified email / PEC: alteabz@pec.it).
2. Personal data we process
| Category | Fields | Source |
|---|---|---|
| Account | username, email, securely hashed password, email-verification status, session cookies, login timestamps | Registration form |
| Billing profile | account type, company name, VAT, fiscal code, SDI, PEC, address, city, province, postal code, country, phone | Billing profile form |
| Subscription | plan, prepaid period, payment timestamps, payment amount, provider reference, AI credits, operation credits | Pricing flow + admin |
| Service usage | scan logs, AI usage (model, tokens, cost), workflow logs, running processes, scheduled scans, exclusion rules | Service operation |
| Scan data | URLs of YOUR domains, HTML content crawled, screenshots, sitemap snapshots, analyzer outputs | Website crawler / browser scanning |
| Technical | IP address (login attempts, rate limiting), user agent, CSRF tokens | HTTP requests |
| Consent audit | acceptance of Terms and of this Policy (date + version), profile-return events | Profile completion |
3. Purposes and legal bases (GDPR art. 6)
- Provide the Service (art. 6.1.b — contract): authentication, scanning, reporting, billing.
- Legal obligations (art. 6.1.c): invoicing, tax records, e-invoicing via SDI.
- Legitimate interest (art. 6.1.f): security logging, abuse prevention, rate limiting, fraud detection.
- Consent (art. 6.1.a): optional marketing communications (we do not currently send any without separate opt-in).
4. Sub-processors
We rely on the following third parties as processors. They access only the data strictly required for their function and are bound by a data processing agreement or equivalent contractual safeguards.
- Hosting: Amazon Web Services (AWS) — Plesk-managed server hosted in an EU region.
- Email delivery: Qboxmail S.r.l. (Italy-based SMTP provider) for transactional emails (verification, scheduled scan reports, profile-return notifications).
- Anthropic (Claude API): AI content generation, grammar check. Data sent: text extracts from your domains.
- Google (Gemini API): ALT text generation from images, structured data validation. Data sent: image URLs and metadata.
- Cloudflare Turnstile: anti-bot on registration form.
Homepage scans and external-link verification are performed by a headless browser (Puppeteer / Chrome) running on the Provider's own infrastructure — this is not a third-party service. No online payment processor is currently integrated; when one is enabled it will be added to the list above and the version of this Policy updated accordingly.
5. Data retention
- Account & billing data: kept while the account is active + 10 years for fiscal records as required by Italian law.
- Scan data (crawled content, reports, screenshots): kept for the lifetime of the account, or deleted within 30 days of account closure. Intermediate scan artifacts are rotated automatically.
- Daily homepage-monitoring data: retained 10 days.
- Workflow logs and AI usage logs: 24 months.
- Session cookies: 7 days (configurable per environment).
6. Your rights (GDPR art. 15-22)
You may, at any time, request:
- Access — a copy of your personal data.
- Rectification — correction of inaccurate data. For billing fields, use your account profile page.
- Erasure — subject to retention obligations for invoicing.
- Restriction of processing for specific purposes.
- Portability — export of your scan data in JSON/CSV; AI usage logs in CSV.
- Objection to processing based on legitimate interest.
- Complaint — lodge a complaint with the Italian Garante per la Protezione dei Dati Personali (garanteprivacy.it).
Send requests to info@altea.it. We respond within 30 days.
7. Cookies
- gooux_session: authentication session, 7 days, Secure, HttpOnly, SameSite=Lax. Set on the .gooux.com domain to keep you signed in across our subdomains.
- CSRF token cookie: anti-CSRF double-submit pattern, session lifetime.
- No third-party tracking, advertising or analytics cookies.
8. Data transfers outside the EU
Claude (Anthropic) and Gemini (Google) APIs may process content outside the EEA (United States). Both providers implement Standard Contractual Clauses approved by the European Commission. We do not send personal data of your end-users (only public-web content of domains you own) to these services.
9. Security measures
- HTTPS enforced site-wide; HSTS recommended.
- Passwords are stored only as secure, salted hashes.
- Protection against cross-site request forgery (CSRF) on all data-changing actions.
- Rate limiting on auth (login, password reset, registration).
- Strict access controls: every record is checked against the logged-in user, so you can only reach your own data.
- Sensitive reports can be protected with an optional password.
- Credentials are stored outside the public web area, with restricted access permissions.
10. Changes to this Policy
Material changes will be communicated by email and tracked by version. The version you accepted is recorded in your account profile. You may be asked to re-accept on a new version.
11. Contact
Data protection contact: info@altea.it (certified email / PEC: alteabz@pec.it).