Processing Activities Registry
Record of processing activities pursuant to Art. 30 of Regulation (EU) 2016/679 (GDPR).
Data Controller
IDCERT S.r.l. Benefit Corporation
Pursuant to Art. 37 GDPR, the appointment of a DPO is not currently mandatory. This section will be updated if circumstances change.
Technical operation of the portal
Purpose (Art. 30.1.b)
Provision of web service, routing, page rendering
Legal Basis
Art. 6.1.f
Data Subjects (Art. 30.1.c)
Website visitors
Data Categories (Art. 30.1.c)
Navigation data (anonymized IP, user agent, URL)
Recipients (Art. 30.1.d)
Vercel Inc. (hosting), Supabase Inc. (database)
Extra-EU Transfers (Art. 30.1.e)
USA (Vercel) with SCCs; EU (Supabase eu-central-1)
Retention (Art. 30.1.f)
Duration of session
Art. 32 Measures (Art. 30.1.g)
HTTPS/TLS, CSP, HSTS, X-Frame-Options DENY, anonymized IP
Cookie consent management
Purpose (Art. 30.1.b)
Collection and recording of consent for GDPR accountability
Legal Basis
Art. 6.1.c
Data Subjects (Art. 30.1.c)
Website visitors
Data Categories (Art. 30.1.c)
Anonymous session ID, IP hash (SHA-256 + rotating salt), cookie preferences, policy version, user agent
Recipients (Art. 30.1.d)
Supabase Inc. (database, EU region)
Extra-EU Transfers (Art. 30.1.e)
EU (Supabase eu-central-1)
Retention (Art. 30.1.f)
36 months (accountability obligations)
Art. 32 Measures (Art. 30.1.g)
Supabase RLS, SHA-256 anonymized IP, CSRF protection, rate limiting
Contact request management
Purpose (Art. 30.1.b)
Responding to user requests sent through the contact form
Legal Basis
Art. 6.1.b
Data Subjects (Art. 30.1.c)
Users who fill out the contact form
Data Categories (Art. 30.1.c)
Name, email, subject, message, IP hash, language
Recipients (Art. 30.1.d)
Supabase Inc. (database, EU region)
Extra-EU Transfers (Art. 30.1.e)
EU (Supabase eu-central-1)
Retention (Art. 30.1.f)
12 months from request
Art. 32 Measures (Art. 30.1.g)
Supabase RLS, anti-bot honeypot, CSRF, rate limiting (3 req/10 min), anonymized IP
Google Analytics (consent-gated)
Purpose (Art. 30.1.b)
Anonymous statistical traffic analysis to improve the service
Legal Basis
Art. 6.1.a
Data Subjects (Art. 30.1.c)
Visitors who consent to analytics cookies
Data Categories (Art. 30.1.c)
Aggregated navigation data, IP anonymized by Google, _ga cookie
Recipients (Art. 30.1.d)
Google LLC
Extra-EU Transfers (Art. 30.1.e)
USA (Google) with EU-US Data Privacy Framework
Retention (Art. 30.1.f)
26 months (GA4 setting)
Art. 32 Measures (Art. 30.1.g)
Activated ONLY after explicit consent, anonymize_ip: true, SameSite=Lax;Secure cookies
User interface preferences
Purpose (Art. 30.1.b)
Storing language and theme preferences (light/dark)
Legal Basis
Art. 6.1.f
Data Subjects (Art. 30.1.c)
All visitors
Data Categories (Art. 30.1.c)
Language code (NEXT_LOCALE), theme (localStorage 'theme')
Recipients (Art. 30.1.d)
None (local data only)
Extra-EU Transfers (Art. 30.1.e)
None
Retention (Art. 30.1.f)
NEXT_LOCALE: 12 months; theme: until manual deletion
Art. 32 Measures (Art. 30.1.g)
Non-personal technical data, no transfer
Last updated: February 2026