PRIVACY POLICY

Your privacy is important to us. This page describes how we collect, use, and protect your personal data.

Last updated: May 2026

Data Controller

The data controller is Prismal Group.

For any privacy-related questions, you can contact us at the email address: info@prismalgroup.it


Data Collected

We collect the following types of data:

  • Identification data (first name, last name, email, phone, company) provided through the contact form
  • Browsing data (IP address, browser type, pages visited, country of origin) collected automatically via Vercel Analytics
  • Technical cookies necessary for the website to function. Analytics cookies are only activated after your explicit consent via the cookie banner
  • IP address temporarily logged when submitting the contact form, solely for security purposes and abuse prevention (rate limiting)
  • Cookie consent preferences stored locally in the browser (localStorage) to remember your choice on the cookie banner

Private Area

For users who have an account in the Private Area (a reserved section accessible only after registration by our team), we process additional data beyond what is collected through the contact form:

  • Login credentials: email and password (stored exclusively in hashed form via Supabase Auth, never accessible in plain text)
  • Username and access level (Client or Administration)
  • Account creation date and last login date, recorded for security and service management purposes
  • Projects associated with the user (name, link, status, assigned user), managed by the administration
  • PDF documents uploaded by the administration for sharing with the client, stored in a private bucket and accessible only via short-lived signed URLs
  • Session token (JWT) stored locally in the browser (localStorage, key "prismal-auth") to keep the user signed in without re-entering credentials on every navigation
  • Notifications sent by the team to the client: title, body, date, sender and type (manual or automatic). Automatic notifications are generated by the system on relevant events, such as a project status change
  • Chat messages between client and team: message text, sender, date and time, read/unread status. To prevent abuse, a rate limit of 15 messages per minute is enforced, with progressive temporary blocks (1 minute, 1 hour, 8 hours) tracked for 24 hours. The administration may block, archive or clear a conversation
  • Temporary password reset codes: cryptographic SHA-256 hash of the 6-digit OTP code sent by email, opaque reset token generated only on successful verification, failed attempt counter and expiration timestamp. Codes expire within minutes and the row is deleted on reset completion

Purpose: providing the Private Area service (authentication, project management, document sharing, direct notifications and chat with the Prismal Group team, password recovery via verification code).

Legal basis: performance of a contract to which the data subject is a party (Art. 6(1)(b) GDPR) and the controller's legitimate interest in access security (last login logging, Art. 6(1)(f) GDPR).

Passwords are stored exclusively in hashed form (bcrypt algorithm) via Supabase Auth and are never accessible in plain text, not even by the administration. Sessions use signed JWT tokens. Uploaded documents are stored in a private bucket accessible only to the owner user and the administration, via signed URLs with time-limited expiration. Access to notifications and chat data is enforced by database-level security policies (Row Level Security): each user sees only their own messages and notifications. Password reset codes are stored only in hashed form and email delivery is handled by the Resend service.

Accounts are created exclusively by the administration upon request and following a contractual agreement. The data subject may at any time request the modification of their data or the deletion of their account by writing to info@prismalgroup.it.


Purpose of Data Processing

Your data is processed for the following purposes:

  • Responding to requests submitted through the contact form
  • Improving the browsing experience on our website
  • Complying with legal obligations
  • Anonymous statistical analysis of website usage

Legal Basis for Processing

Your data is processed in compliance with Art. 6 GDPR, on the following legal bases:

  • Explicit consent of the data subject (Art. 6(1)(a)) — for sending communications through the contact form and for analytics cookies
  • Performance of pre-contractual measures at the request of the data subject (Art. 6(1)(b)) — to respond to quote or information requests
  • Legitimate interest of the controller (Art. 6(1)(f)) — for website security, rate limiting and temporary IP address logging for abuse prevention
  • Compliance with legal obligations (Art. 6(1)(c))

Data Security

We adopt appropriate technical and organizational security measures to protect your personal data from unauthorized access, loss, or destruction.

The website uses the HTTPS protocol to ensure encryption of data transmitted between your browser and our servers.


Third-Party Services

For the operation of the website, we use the following external services:

  • Vercel: website hosting and serverless functions. Vercel may collect browsing data (IP address, approximate geolocation) to ensure the operation of the service. Servers are primarily located in the USA. Vercel Privacy Policy
  • Vercel Analytics: web traffic analysis service. It is only activated after your explicit consent. It collects anonymous and aggregated data on visits (pages visited, country, device) without using profiling cookies. You can revoke your consent at any time by clearing the site data in your browser.
  • Resend: transactional email delivery service. The data entered in the contact form (first name, last name, email, phone, company, project type, message) is transmitted to Resend solely for the purpose of sending the notification email. Resend Privacy Policy
  • Supabase: database, authentication and storage. Supabase hosts: (a) requests submitted through the contact form; (b) user accounts of the Private Area (managed via Supabase Auth, with passwords stored exclusively in hashed form); (c) projects associated with users; (d) PDF documents shared in the Private Area, stored in a private bucket accessible only via short-lived signed URLs. Data is stored on Supabase infrastructure, with servers located in the region selected for the project (may be within or outside the European Union). Supabase Privacy Policy
  • Google Fonts: font delivery service for the Inter typeface. When the website loads, the browser makes a request to Google's servers, which may log the IP address according to its own policy. Google Privacy Policy

Data may be transferred outside the European Union (in particular to the USA). In such cases, the transfer is carried out in compliance with the safeguards provided by the GDPR, including the Standard Contractual Clauses approved by the European Commission.


Data Retention

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected, and in any case no longer than provided by applicable legislation.

Data collected through the contact form is retained for a maximum of 24 months from the date of the request. Private Area account data and uploaded documents are retained for the duration of the contractual relationship and deleted at the data subject's request or upon termination of the relationship.


Your Rights

Under the GDPR (EU Regulation 2016/679), you have the right to:

  • Access your personal data
  • Request the rectification or deletion of your data
  • Object to the processing of your data
  • Request data portability
  • Withdraw your consent at any time
  • Lodge a complaint with the competent supervisory authority

To exercise your rights, write to: info@prismalgroup.it

In Italy, the supervisory authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it). In other EU Member States, it is the competent national data protection authority.

Prismal Group

PrismalGroup is a team of freelancers with a regular Italian Partita IVA, specialized in modern website development. We build tailor-made digital solutions to grow your business and turn visitors into new customers.

© 2026 Prismal Group. All rights reserved.