Privacy Policy
Last updated: 2026-03-09
Data controller
The data controller is MONACI.AI SRL, with registered office at Viale Certosa snc, 84034 Padula (SA), Italy, VAT number 06359370654, operating under the TurboIntrastat brand. The data processors (Art. 28 GDPR) are Supabase Inc. for managed hosting and database services, and Google LLC for analytics services (Google Analytics 4, with consent). Personal data is processed in full compliance with EU Regulation 2016/679 (GDPR), in particular Articles 13 and 14 regarding the information to be provided to data subjects. For any privacy-related requests, you can contact us at supporto@turbointrastat.com.
Data collected
We collect the following categories of data: browsing data (IP address, browser type, pages visited), account data (name, email, company information provided during registration), documents uploaded for Intrastat processing. User identifiers are pseudonymized using UUIDs (universally unique identifiers), ensuring data cannot be directly attributed to an individual. The security events table records IP addresses, user agents, and timestamps exclusively for platform security purposes. Uploaded documents are processed exclusively for the purpose of the Intrastat service and are not used for any other purpose.
Purposes of processing
Data is processed for the following purposes: providing the Intrastat processing service (legal basis: contract execution, Art. 6.1.b GDPR); platform security and abuse prevention (legal basis: legitimate interest, Art. 6.1.f GDPR, Recital 49 — network and information system security); fiscal document retention (legal basis: legal obligation, Art. 6.1.c GDPR, in compliance with the Digital Administration Code and customs regulations); aggregate analytics via Plausible Analytics (cookieless solution that does not collect personal data and does not require consent).
Legal basis
Processing is based on: contract execution (document processing), legitimate interest (platform security), consent (where expressly required), legal obligation (fiscal document retention).
Third parties with data access
Personal data may be shared with the following third parties, each acting as data processor under Art. 28 GDPR: Supabase Inc. (San Francisco, USA) — hosting, database and authentication — Privacy Policy: https://supabase.com/privacy; Google LLC (Mountain View, USA) — Google Analytics 4 for web traffic analysis, activated only with user consent — Privacy Policy: https://policies.google.com/privacy; Resend Inc. (USA) — transactional email and newsletter delivery service — Privacy Policy: https://resend.com/legal/privacy-policy; Vercel Inc. (San Francisco, USA) — website hosting and CDN — Privacy Policy: https://vercel.com/legal/privacy-policy; Plausible Insights OÜ (Estonia, EU) — cookieless analytics, does not collect personal data — Privacy Policy: https://plausible.io/privacy. Data transfers to the USA are carried out under the EU-US Data Privacy Framework (DPF) pursuant to Art. 45 GDPR.
Newsletter, marketing and sign-up forms
Users may subscribe to the TurboIntrastat newsletter via the form on the website, by providing their email address and accepting this Privacy Policy. Subscription requires double opt-in: after filling out the form, the user receives a confirmation email with a link to click to complete the subscription. The email address will be used exclusively for: Intrastat regulatory updates, TurboIntrastat service communications, informational content and promotional offers. Users may revoke consent at any time via the unsubscribe link in every email or by contacting supporto@turbointrastat.com. The legal basis is the data subject's consent (Art. 6.1.a GDPR). Contact and demo request forms collect name, email, company and message, processed on the basis of legitimate interest (Art. 6.1.f GDPR) to respond to the user's inquiry.
Statistics and analytics
TurboIntrastat uses two analytics services: Plausible Analytics (Plausible Insights OÜ, Estonia) — a cookieless GDPR-compliant solution that does not collect personal data, does not use cookies and does not require consent. Data is aggregated and anonymized. Google Analytics 4 (Google LLC, USA) — a web analytics service that uses cookies to collect anonymous statistical data about site usage (pages visited, session duration, traffic source). It is activated ONLY after the user's explicit consent via the cookie banner. Google acts as data processor under Art. 28 GDPR. Google Consent Mode v2 is active, ensuring respect for user consent preferences for analytics_storage, ad_storage, ad_user_data and ad_personalization.
Data retention
Retention periods are determined based on the Data Protection Impact Assessment (DPIA) conducted pursuant to Art. 35 GDPR: processed documents are retained for a maximum of 24 months from the processing date, after which they are automatically deleted; security logs are retained for 90 days in the active database and up to 12 months in archive, as justified by the DPIA for advanced persistent threat (APT) detection and incident response per NIST SP 800-61; enforcement history is retained for 36 months, in line with the statute of limitations for IT crimes (Art. 615-ter Italian Criminal Code); account data is retained for the duration of the contractual relationship. All data is encrypted at rest using AES-256 encryption. Expired data cleanup is performed automatically through scheduled processes.
Your rights
Under the GDPR, you have the following rights: right of access to your personal data (Art. 15), right to rectification of inaccurate data (Art. 16), right to erasure or right to be forgotten (Art. 17), right to restriction of processing (Art. 18), right to data portability in a structured format (Art. 20), right to object to processing (Art. 21), right not to be subject to decisions based solely on automated processing, including profiling, and the right to obtain human review of automated decisions (Art. 22). You also have the right to lodge a complaint with the Garante per la protezione dei dati personali (www.garanteprivacy.it). To exercise these rights, contact supporto@turbointrastat.com.
Data controller and contact
Data controller: MONACI.AI SRL, Viale Certosa snc, 84034 Padula (SA), Italy, VAT 06359370654. Email for privacy requests: supporto@turbointrastat.com. Email for security reports: security@turbointrastat.com. Pursuant to Art. 37 GDPR, the controller is not currently required to appoint a DPO (Data Protection Officer) as it does not carry out large-scale processing of sensitive data. The competent supervisory authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it), with whom you have the right to lodge a complaint pursuant to Art. 77 GDPR.