Privacy Policy

Last updated: 12 March 2026

This privacy policy describes the processing methods of the personal data of users (hereinafter "User" or "Data Subject") who use the mobile application CeliachIA (hereinafter "App") and the website appceliachia.com (hereinafter "Website"), pursuant to Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code) as amended by Legislative Decree 101/2018.

1. Data Controller

The Controller of personal data processing is:

RENOR AND Partners S.r.l.
Registered office: Via Cicerone, 15 – 00072 Ariccia (RM), Italy
VAT number: 16768411007
Privacy email: privacy@appceliachia.com

2. Personal data collected

In relation to the use of the App and the Website, the Controller collects and processes the following categories of personal data:

2.1 Data provided by the User

  • Registration data: email address and password (stored in encrypted form via secure hashing).
  • Contact data: first name, last name, email and message subject, if the User fills in the contact form on the Website.
  • Label images: photographs taken by the User through the device's camera to analyze the ingredients of a product. The images are transmitted to the servers exclusively for analysis and are not associated with the User's identity.

2.2 Data collected automatically

  • Device identifier (deviceId): a unique code generated by the App to identify the device for authentication and scan management purposes.
  • Usage data: number of scans performed, subscription status and registration date.
  • IP address: automatically collected by the server for security purposes and to prevent abuse (rate limiting).
  • User-Agent: information about the browser or app used to access the service, collected for security purposes.

2.3 Data NOT collected

The App does not collect geolocation data, does not access the address book or other personal data on the device, and does not use tracking or advertising profiling tools (e.g. Google Analytics, Firebase Analytics, Facebook Pixel or similar). The camera is used exclusively for scanning barcodes and ingredient labels.

3. Purposes and legal basis of processing

Purpose Legal basis (art. 6 GDPR) Data processed
User account registration and management Performance of contract (art. 6.1.b) Email, password (hash), deviceId
Provision of the scanning and ingredient analysis service Performance of contract (art. 6.1.b) Label images, scan data, deviceId
Subscription and payment management Performance of contract (art. 6.1.b) Email, transaction data (managed by Stripe)
Sending transactional emails (password reset, account activation) Performance of contract (art. 6.1.b) Email
Response to contact requests Consent of the data subject (art. 6.1.a) First name, last name, email, message
Security, abuse prevention and rate limiting Legitimate interest (art. 6.1.f) IP address, User-Agent, deviceId
Compliance with legal, tax and accounting obligations Legal obligation (art. 6.1.c) Transaction data, email
Update and improvement of the product database Legitimate interest (art. 6.1.f) Scan data, label images (anonymized)

4. Processing methods

Personal data is processed using electronic tools and through organizational and logical methods strictly related to the purposes indicated above. The Controller adopts appropriate technical and organizational security measures to ensure a level of protection appropriate to the risk, including:

  • Encryption of passwords using secure hashing algorithms (bcrypt).
  • Communications between App/Website and server exclusively via HTTPS/TLS protocol.
  • Restriction of access to personal data to authorized personnel only.
  • Rate limiting systems to prevent brute-force attacks and abuse.
  • One-time tokens with expiration for password reset procedures.

5. Data retention

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected, in compliance with the principle of minimization:

  • Account data: retained for the entire duration of the account and deleted within 30 days of the User's deletion request, subject to the retention period necessary for legal obligations.
  • Contact data (form): retained for the time necessary to manage the request and in any case no longer than 12 months from receipt.
  • Security data (IP, logs): retained for a maximum of 6 months, except for ongoing investigations.
  • Tax and accounting data: retained for 10 years, as required by Italian tax legislation.
  • Label images: processed in real time and not retained in a form associated with the User's identity.
  • Password reset tokens: automatically deleted after use or upon expiration.

6. Communication and transfer of data

Personal data may be communicated to third parties acting as Data Processors (art. 28 GDPR) and providing functional services for the provision of the service:

Provider Service Data processed Location
Google Cloud Platform (Firestore) Database and cloud infrastructure Account data, scans, deviceId European Union
Google Cloud Platform (Cloud Run) API hosting All data transmitted to the API European Union
Twilio SendGrid Transactional email delivery Email address USA (with Standard Contractual Clauses)
Stripe, Inc. Payment processing Payment data (managed directly by Stripe) USA/EU (with Standard Contractual Clauses)

6.1 Non-EU transfers

The main infrastructure (database and servers) resides in the European Union. Some third-party providers (SendGrid, Stripe) are based in the United States but operate in compliance with the GDPR through the following safeguards:

  • Standard Contractual Clauses (SCC) approved by the European Commission pursuant to art. 46.2.c GDPR.
  • EU-U.S. Data Privacy Framework, where applicable, pursuant to the Adequacy Decision of the European Commission.
  • Supplementary technical and organizational security measures.

The Controller does not sell, transfer or rent Users' personal data to third parties for marketing or profiling purposes.

7. Payments via Stripe

Subscription payments are managed via Stripe, Inc., a payment service provider certified PCI DSS Level 1. At the time of payment, credit card or payment method data is transmitted directly to Stripe servers and does not transit nor is it stored on the Controller's servers.

For more information on the data processing carried out by Stripe, please refer to the Stripe Privacy Policy.

8. Cookies and tracking technologies

The Website does not use profiling or third-party cookies for advertising purposes. No analytics or behavioral tracking tools are used.

Only technical cookies strictly necessary for the operation of the Website (e.g. for session management) may be used, which do not require the User's consent pursuant to art. 122 of the Italian Privacy Code and the Italian Data Protection Authority Measure no. 229/2014.

9. Rights of the Data Subject

As a Data Subject, the User has the right to exercise at any time the rights provided for by articles 15-22 of the GDPR, in particular:

  • Right of access (art. 15): obtain confirmation of the existence of processing and access one's personal data.
  • Right of rectification (art. 16): obtain the correction of inaccurate data or the completion of incomplete data.
  • Right to erasure (art. 17): obtain the erasure of one's personal data, in the cases provided for by law.
  • Right to restriction of processing (art. 18): obtain the restriction of the processing of one's data.
  • Right to data portability (art. 20): receive one's data in a structured, commonly used and machine-readable format.
  • Right to object (art. 21): object to the processing of one's data based on the legitimate interest of the Controller.
  • Right to withdraw consent (art. 7): withdraw consent at any time, without prejudice to the lawfulness of the processing carried out before the withdrawal.

To exercise their rights, the User can send a written request to:
privacy@appceliachia.com

The Controller undertakes to respond within 30 days from receipt of the request, as provided for by art. 12.3 GDPR.

10. Right to lodge a complaint

The User has the right to lodge a complaint with the competent Supervisory Authority. Since the Data Controller is established in Italy:

Garante per la Protezione dei Dati Personali (Italian Data Protection Authority)
Piazza Venezia, 11 – 00187 Rome (RM), Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it

Users may also lodge a complaint with the data protection authority of the EU/EEA Member State in which they reside or work.

11. Minors

The service is not intended for persons under 16 years of age. The Controller does not knowingly collect personal data of minors under 16. If the Controller becomes aware of having collected personal data of a minor without the consent of the parent or legal guardian, it will promptly delete such data. To report such cases, please write to privacy@appceliachia.com.

12. Data security

The Controller adopts appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access, in compliance with art. 32 GDPR. The measures adopted include:

  • End-to-end encryption of communications (TLS 1.2+).
  • User passwords stored with bcrypt hashing; the Controller does not have access to passwords in clear text.
  • Infrastructure hosted on Google Cloud Platform with ISO 27001, SOC 2 and SOC 3 certification.
  • Protection mechanisms against brute-force attacks (temporary IP blocking after repeated attempts).
  • Payment data managed exclusively by Stripe (PCI DSS Level 1 certified) without transit on the Controller's servers.
  • Access to systems limited to strictly authorized personnel.

13. Changes to this privacy policy

The Controller reserves the right to make changes to this privacy policy at any time. Changes will be published on this page with indication of the date of last update. Users are invited to consult this page periodically. If the changes concern processing based on consent, the Controller will collect the User's consent again where necessary.

14. Contacts

For any information or request regarding this privacy policy, the User can contact the Controller at:

RENOR AND Partners S.r.l.
Via Cicerone, 15 – 00072 Ariccia (RM), Italy
Email: privacy@appceliachia.com

15. Applicable law and jurisdiction

This privacy policy is governed by Italian law and Regulation (EU) 2016/679 (GDPR). For any dispute relating to the interpretation or execution of this policy, the competent jurisdiction is that of Rome, except for any different mandatory jurisdiction provided for by law for the protection of the consumer.

CeliachIA is a product of RENOR & Partners in collaboration with Cloud Ninja

Privacy Policy · Terms and Conditions