Privacy Policy
Last updated: May 2026
1. Data Controller
ParetoStudio is operated from Italy. For any privacy-related matter, you can reach us at support@paretostudio.io.
2. Supervisory Authority
The competent supervisory authority is the Garante per la protezione dei dati personali (Italian Data Protection Authority). You have the right to lodge a complaint with the Garante at any time. More information: www.garanteprivacy.it.
3. Data We Collect
| Category | Data | Source |
|---|---|---|
| Account | Email, display name, hashed password | You (at signup) |
| Content | Prompts, agent configurations | You (in-app) |
| Billing | Plan type, subscription status, usage counters | Paddle (via webhooks) |
| Auth tokens | Session cookies (sb-*-auth-token) | Supabase Auth |
| Marketing | Newsletter consent flag and timestamp | You (at signup, optional) |
We do not collect IP addresses for profiling, device fingerprints, or any data beyond what is listed above.
4. Legal Basis for Processing
| Processing | Legal Basis | GDPR Article |
|---|---|---|
| Provide the service | Performance of contract | Art. 6(1)(b) |
| Process payments | Performance of contract | Art. 6(1)(b) |
| Send marketing emails | Consent (opt-in at signup) | Art. 6(1)(a) |
| Security logging | Legitimate interest | Art. 6(1)(f) |
5. How We Use Your Data
- Authenticate you and manage your session
- Store and display your prompts and agent configurations
- Process subscription payments and enforce plan limits
- Send transactional emails (account confirmation, password reset)
- Send marketing emails only if you opted in at signup
- Detect and prevent abuse (rate limiting, security logging)
6. Third-Party Service Providers (Sub-Processors)
| Provider | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Authentication, database, storage | EU (AWS eu-west-1) | View DPA |
| Paddle | Payment processing (Merchant of Record) | UK/US (EU SCCs) | View DPA |
| Vercel | Hosting, edge functions, cookieless analytics & performance metrics | US (EU SCCs) | View DPA |
| Upstash | Rate limiting (Redis) | EU (AWS eu-west-1) | View DPA |
| Sentry | Error monitoring & crash reporting | EU (Germany) | View DPA |
| PostHog | Product analytics (consent-based; no advertising or cross-site tracking) | EU (Ireland) | View DPA |
Payment processing is handled by Paddle, which acts as our Merchant of Record. Any changes to this arrangement will be reflected in this policy.
7. International Data Transfers
Your primary data (database, authentication) is stored in the EU (AWS eu-west-1, Ireland). Some sub-processors (Paddle, Vercel) may process data in the US under EU Standard Contractual Clauses (SCCs) as approved by the European Commission. We ensure that all transfers comply with GDPR Chapter V requirements.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Prompts and agents | Until you delete them or your account |
| Subscription metadata | Until account deletion |
| Webhook events (logs) | 90 days (auto-deleted) |
| Security logs | 90 days |
When you delete your account, all your data is permanently removed from our systems (cascading deletion). Paddle retains its own records per its privacy policy and applicable financial regulations.
9. Your Rights
Under GDPR, you have the right to:
- Access — Request a copy of your personal data
- Rectification— Correct inaccurate data (via Settings > Profile)
- Erasure— Delete your account and all associated data (via Settings > Danger Zone)
- Data portability— Export your data as JSON (via Settings > Your Data)
- Restriction — Request restriction of processing
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Withdraw marketing consent at any time
For self-service actions, visit your Settings page. For all other requests, email support@paretostudio.io. We respond to all requests within 30 days as required by GDPR Art. 12(3).
You also have the right to lodge a complaint with the Garante per la protezione dei dati personali.
10. Cookies
ParetoStudio uses two categories of cookies:
- Essential cookies —
sb-*-auth-token(Supabase authentication session). Strictly necessary for the service to function. No consent required under ePrivacy Directive Art. 5(3). - Analytics cookies (consent-based) —
ph_*(PostHog, EU region). Set only after you accept via the cookie banner. They help us understand how the app is used so we can improve it. You can decline, and nothing analytics-related is stored or sent. We do not load these until you opt in.
We do notuse advertising or cross-site tracking cookies, and we do not build individual advertising profiles. Our performance monitoring (Vercel Web Analytics & Speed Insights) remains cookieless and aggregated. PostHog analytics are processed in the EU and only with your consent.
11. Age Requirement
You must be at least 14 years old to use ParetoStudio, in accordance with Italian law (D.Lgs. 101/2018, Art. 2-quinquies, implementing GDPR Art. 8). If we become aware that a user is under 14, we will promptly delete their account and data.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or an in-app notice. The “Last updated” date at the top indicates when the policy was last revised.
For any questions or concerns about this Privacy Policy, contact us at support@paretostudio.io.