Privacy Policy
Last updated: April 19, 2026 · Effective immediately
1. Data controller
Cuttalo srl, a company incorporated in Italy, registered office in Italy, VAT / P.IVA IT03242390734, acts as the data controller (titolare del trattamento) for personal data processed through DepScope (depscope.dev and subdomains, the “Service”).
Privacy contact: [email protected]. General contact: [email protected].
No Data Protection Officer (DPO) is appointed: DepScope does not perform large-scale monitoring of data subjects or process special categories of data (art. 37 GDPR). A privacy referent is available at the address above.
2. Data we collect
2.1 Anonymous API access (no account):
- IP address (stored salted/hashed for rate limiting and abuse detection; raw IP not retained beyond 24 hours)
- User-Agent string
- Requested package name, ecosystem, endpoint, HTTP method/status
- Timestamp, response time, cache hit/miss
2.2 Registered users (free / paid tier):
- Email address (magic-link authentication — no password stored)
- API key fingerprints (SHA-256; never raw)
- Usage counters per API key
- Session cookies (first-party, strictly necessary)
- Stripe customer ID (paid tiers only; no card data stored by us)
2.3 We do NOT collect:
- Passwords — magic-link authentication only
- Payment card details — handled entirely by Stripe
- Tracking / advertising cookies
- Data on minors under 16 (service not intended for minors)
- Sensitive/special categories of data (art. 9 GDPR)
3. Legal basis (art. 6 GDPR)
Each processing purpose maps to a specific legal basis:
- Contract — art. 6(1)(b): providing the Service you request (API responses, authentication, paid-tier delivery).
- Legitimate interest — art. 6(1)(f): anti-abuse, rate-limit enforcement, fraud prevention, security logs, service-quality metrics. Balancing test documented; you can object (see § 8).
- Legal obligation — art. 6(1)(c): tax and accounting records (art. 2220 Italian Civil Code — 10 years), fiscal invoices, AML obligations where applicable.
- Consent — art. 6(1)(a): marketing emails, non-essential cookies. Freely given, specific, revocable at any time.
4. Purposes of processing
- Operate and deliver the Service (API, dashboard, MCP server)
- Enforce free-tier rate limits (200 req/min per IP)
- Detect and block abuse, scraping, denial-of-service
- Improve caching strategy based on aggregate request patterns (no user-level profiling)
- Bill paid tiers and issue invoices
- Send service-critical notifications (security, downtime)
- Send marketing emails — only with prior opt-in consent
5. Retention periods
- Raw IP addresses: never stored on disk — SHA-256+salt hashed at request time; only the hash is persisted
- API access logs (hashed IP only): 30 days, then aggregated and anonymized
- Magic-link tokens: 15 minutes
- Session cookies: 30 days or until logout
- Account data: until deletion requested; dormant accounts deleted after 24 months of inactivity
- Invoices and tax records: 10 years (art. 2220 c.c. Italy)
- Marketing consent records: 5 years after withdrawal (evidence)
- Backups: 90 days rolling, then overwritten
6. Recipients and sub-processors
We do not sell, rent, or trade personal data. We share data only with the sub-processors below. A current list is maintained at /subprocessors.
- Stripe Payments Europe, Ltd. (Ireland, with affiliates in the US) — payment processing, billing. See Stripe Privacy.
- Cloudflare, Inc. (US, with EU PoPs) — CDN, DDoS protection, DNS. See Cloudflare Privacy.
- OVH / OVHcloud SAS (France) — object storage (S3 GRA) for encrypted off-site backups.
- Self-hosted SMTP (EU, our infrastructure) — transactional email (magic link, receipts).
- Anthropic, PBC (US) — only for the optional MCP integration if you connect DepScope tools to Claude; we do not initiate this transfer.
7. Transfers outside the EEA
Transfers to US providers (Stripe, Cloudflare) rely on both the EU–US Data Privacy Framework (adequacy decision of 10 July 2023) and Standard Contractual Clauses 2021/914 (Module 2), supplemented by the sub-processor's technical and organizational measures. You may request a copy of the SCCs by writing to [email protected].
8. Your rights (GDPR arts. 15–22)
- Access — confirmation and copy of your data (art. 15)
- Rectification — correct inaccurate data (art. 16)
- Erasure — “right to be forgotten” (art. 17)
- Restriction — pause processing (art. 18)
- Portability — export in machine-readable format (art. 20)
- Object — oppose processing based on legitimate interest (art. 21)
- Withdraw consent — without affecting prior processing (art. 7)
- Not be subject to automated decision-making (art. 22) — we do none
Write to [email protected]. We respond within 30 days (extendable to 90 for complex requests — art. 12 GDPR). Exercising rights is free; we may charge a reasonable fee only for manifestly unfounded or excessive requests.
Instant self-service for API callers: to erase or export the usage rows tied to your current IP hash, use POST /api/gdpr/delete or GET /api/gdpr/export. No account, no wait: the server hashes your IP, matches rows, and acts immediately. Machine-readable policy summary at /api/gdpr/policy.
9. Right to lodge a complaint
You may lodge a complaint with the Italian data protection authority (Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Roma): garanteprivacy.it. Users in other EEA states can contact their local supervisory authority.
10. Security
All traffic is served over HTTPS (TLS 1.2+). Passwords are never stored (magic-link auth). API keys are hashed with SHA-256 before storage. Database access is restricted to private network. Encrypted backups are stored off-site at OVH Gravelines (EU).
To report a security issue, see /security/disclosure or [email protected].
12. Changes to this policy
We may update this policy. Material changes will be announced via email to registered users and a banner at the top of the site at least 30 days before taking effect. The updated version will replace the current one with a new “Last updated” date.
13. Governing law and jurisdiction
This policy is governed by the laws of the Italian Republic and applicable EU data-protection regulations. Exclusive jurisdiction for disputes is vested in the Courts of Taranto, Italy, save for mandatory consumer protection rules granting the consumer the right to sue in their place of domicile.