# Privacy Policy
## Remotica

**Last Updated:** October 17, 2025
**Version:** 1.0

---

## 1. Data Controller

**Remotica**
[Legal Entity Name to be completed]
[Registered Office Address]
VAT Number: [To be completed]
Email: privacy@remotica.com
Website: https://remotica.app

---

## 2. Introduction

Remotica operates a digital platform that connects remote workers seeking workspaces with public venues (cafés, bars, coworking spaces) offering such spaces.

This privacy policy describes how Remotica collects, uses, stores, and protects the personal data of users, partners, and website visitors, in compliance with Regulation (EU) 2016/679 (GDPR).

---

## 3. Personal Data Collected

### 3.1 User Data (Remote Workers)

**Data collected during registration:**
- First and last name
- Email address
- Password (never stored in clear; only a salted bcrypt hash is kept)

**Data collected during booking:**
- Booking details (workspace, date, time, duration)
- Payment information (processed by Stripe, not stored directly by Remotica)
- IP address (anonymized for analytics)
- Browser user agent

**Data collected during usage:**
- Booking history
- Feedback and reviews
- Screenshots attached to feedback (if voluntarily provided)
- Referral links used

### 3.2 Partner Data (Venues)

**Data collected during onboarding:**
- Venue name and business name
- VAT number
- Physical address of venue
- Email and phone number
- Name of legal representative
- Banking details (IBAN - collected and stored by Stripe, not by Remotica)

**Data collected during usage:**
- Booking and revenue statistics
- Availability hours
- Workspace information (WiFi, capacity, amenities)
- Venue photos and descriptions

### 3.3 Website Visitor Data

**Automatically collected data:**
- IP address (anonymized - last octet removed)
- Approximate geolocation (city and country via geoip-lite)
- Browser user agent (browser type, operating system, device)
- Pages visited and time spent
- Referrer (source website)

**Cookies and similar technologies:**
- Essential technical cookies for website functionality
- Analytics cookies (anonymized)
- For more details, see Cookie Policy

---

## 4. Legal Basis for Processing

Personal data processing is based on:

**a) Contract performance (Art. 6.1.b GDPR):**
- User/partner registration and account management
- Booking and payment processing
- Marketplace service provision

**b) Legitimate interest (Art. 6.1.f GDPR):**
- Fraud and abuse prevention
- Anonymized analytics to improve service
- Direct marketing to existing users/partners

**c) Explicit consent (Art. 6.1.a GDPR):**
- Promotional marketing via newsletter (opt-in)
- Non-essential cookies
- Screenshots attached to feedback

**d) Legal obligation (Art. 6.1.c GDPR):**
- Tax and accounting compliance
- Invoice and tax document retention

---

## 5. Processing Purposes

Personal data is processed for the following purposes:

### 5.1 Primary Purposes (essential for service)

- **Account management:** Creation and management of user and partner profiles
- **Bookings:** Processing, confirmation, and management of workspace bookings
- **Payments:** Payment processing via Stripe Connect
- **Communications:** Sending booking confirmations, notifications, service updates
- **Support:** Managing customer support requests
- **Security:** Prevention of fraud, abuse, and unauthorized access

### 5.2 Secondary Purposes (service improvement)

- **Analytics:** Anonymized analysis to understand platform usage
- **UX improvement:** User experience optimization based on aggregated data
- **Testing:** Verification of service functionality and performance

### 5.3 Marketing Purposes (with consent)

- **Newsletter:** Sending promotional communications (opt-in users only)
- **Personalized offers:** Promotions based on booking history
- **Referral program:** Managing referral system and rewards

---

## 6. Data Sharing with Third Parties

Remotica shares personal data only with third parties strictly necessary to provide the service:

### 6.1 Payment Processors

**Stripe (Ireland):**
- **Data shared:** Email, name, payment information (credit cards)
- **Purpose:** Secure payment processing
- **Legal basis:** Contract performance
- **Safeguards:** Stripe is a PCI DSS Level 1 certified service provider; card data is handled by Stripe under its own GDPR obligations and is not stored by Remotica
- **Stripe Privacy Policy:** https://stripe.com/privacy

### 6.2 Hosting and Infrastructure

**Railway (USA):**
- **Data shared:** All data stored in database (PostgreSQL)
- **Purpose:** Application and database hosting
- **Legal basis:** Contract performance
- **Safeguards:** Standard Contractual Clauses (SCC) for extra-EU transfers
- **Railway Privacy Policy:** https://railway.app/legal/privacy

### 6.3 Analytics and Monitoring

**Internal Analytics (Remotica):**
- **Data shared:** Anonymized IPs, user agent, visited pages
- **Purpose:** Aggregate platform usage statistics
- **Legal basis:** Legitimate interest
- **Safeguards:** IP anonymization (last octet removal), aggregated data

### 6.4 Other Providers

**Email Services (to be specified if/when implemented):**
- Provider: [To be completed]
- Data shared: Email, name, communication content
- Purpose: Sending transactional emails and newsletters

**NOTE:** Remotica does NOT sell, rent, or share personal data with third parties for third-party marketing purposes.

---

## 7. Data Subject Rights (GDPR)

In compliance with Art. 15-22 GDPR, users have the following rights:

### 7.1 Right of Access (Art. 15)
Obtain confirmation that your data is being processed and receive a copy of personal data.

### 7.2 Right of Rectification (Art. 16)
Obtain correction of inaccurate data or completion of incomplete data.

### 7.3 Right to Erasure (Art. 17 - "Right to be Forgotten")
Obtain deletion of your personal data, subject to legal obligations.

### 7.4 Right to Restriction (Art. 18)
Obtain restriction of processing in specific circumstances.

### 7.5 Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format.

### 7.6 Right to Object (Art. 21)
Object to processing based on legitimate interest, and at any time to processing for direct marketing purposes.

### 7.7 Right to Withdraw Consent
Withdraw previously given consent (e.g., newsletter) at any time.

### 7.8 Right to Lodge a Complaint
File a complaint with the supervisory authority:
**Italian Data Protection Authority (Garante)**
Piazza Venezia 11, 00187 Rome, Italy
Tel: +39 06.696771
Email: garante@gpdp.it
Website: https://www.garanteprivacy.it

---

## 8. How to Exercise Your Rights

To exercise the rights listed above, contact:

**Email:** privacy@remotica.com
**Subject:** GDPR Request - [specify right]

**Information to provide:**
- First and last name
- Email associated with account
- Specific description of request
- Identity document (for identity verification if necessary)

**Response time:** Remotica responds without undue delay and in any case within **one month** of receiving the request (Art. 12.3 GDPR). For complex or numerous requests this period may be extended by two further months, and you will be informed of any extension and the reasons for it.

---

## 9. Data Retention

### 9.1 Active User Data

**During account lifetime:**
- Personal data and credentials: retained until account deletion
- Booking history: retained for 24 months from last booking
- Payment data: retained by Stripe according to their policies

**After account deletion:**
- Personal data: deleted within 30 days (subject to legal obligations)
- Billing data: retained 10 years (tax obligation Art. 2220 Italian Civil Code)
- Analytics data: anonymized and aggregated (not attributable to user)

### 9.2 Partner Data

**During partnership:**
- Retained for the entire duration of partnership contract
- Booking and payment history: retained for accounting purposes

**After partnership termination:**
- Contractual data: retained 10 years (tax and legal obligations)
- Marketing data: deleted within 30 days (unless newsletter consent)

### 9.3 Visitor Data (Analytics)

- Anonymized data: retained indefinitely (not attributable)
- Cookies: according to duration specified in Cookie Policy (max 13 months)

---

## 10. Data Security

Remotica adopts adequate technical and organizational measures to protect personal data:

### 10.1 Technical Measures

- **Password hashing:** User passwords stored only as salted bcrypt hashes (one-way hashing, not reversible encryption)
- **HTTPS/TLS:** All traffic between the browser and the platform encrypted in transit (transport encryption, not end-to-end encryption of stored data)
- **JWT:** Authentication tokens with expiration (24 hours)
- **Rate limiting:** Mitigation of brute-force login attempts and abusive request volumes (not a complete DDoS defence on its own)
- **Input validation and sanitization:** Mitigation of XSS and SQL injection
- **Database:** PostgreSQL with automated daily backups

### 10.2 Organizational Measures

- **Limited access:** Only authorized personnel access data
- **Logging:** Recording of administrative activities (audit trail)
- **Training:** Personnel trained on GDPR and data protection
- **Incident Response:** Procedure for managing personal data breaches, including notification to the supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR) and to affected users where required (Art. 34 GDPR)

### 10.3 Privacy by Design & by Default

- **IP Anonymization:** Implemented by default for analytics
- **Data Minimization:** Only strictly necessary data collected
- **Pseudonymization:** Where possible, use of non-directly attributable identifiers

---

## 11. Extra-EU Transfers

### 11.1 Railway (USA)

Data is hosted on Railway servers located in the United States.

**Safeguards adopted:**
- **Standard Contractual Clauses (SCC)** approved by the European Commission (Implementing Decision (EU) 2021/914)
- **EU-U.S. Data Privacy Framework**, where the provider is certified under it (the earlier Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, Schrems II, and can no longer be relied on as a transfer mechanism)
- **Supplementary technical measures:** Data encryption at rest and in transit

**Transfer impact assessment:** Remotica has assessed that the transfer, with the safeguards above, meets the requirements of GDPR Art. 46.

### 11.2 Stripe (Ireland - EU)

Stripe Payments Europe, Limited is established in Ireland (EU), so Remotica's payment data flow does not itself involve a transfer outside the EU. Any onward transfer by Stripe to its affiliates outside the EU is governed by Stripe's own safeguards and privacy policy (see section 6.1).

---

## 12. Cookies and Similar Technologies

Remotica uses cookies to improve user experience and analytics.

### 12.1 Essential Technical Cookies (always active)

- **Session cookies:** User authentication management (JWT)
- **Security cookies:** CSRF protection
- **Preference cookies:** Saving selected language

**Legal basis:** Legitimate interest (Art. 6.1.f GDPR)
**Consent required:** NO (strictly necessary)

### 12.2 Analytics Cookies (anonymized)

- **Remotica Analytics:** Anonymized page visit tracking
- **Data collected:** Anonymized IP, user agent, visited pages, time spent
- **Purpose:** Aggregate platform usage statistics

**Legal basis:** Legitimate interest (Art. 6.1.f GDPR)
**Consent required:** NO, provided the conditions set by the Italian Data Protection Authority for consent-exempt analytics cookies are met: IP masking before storage, use only for aggregate statistics about this platform, no combination with other data, and no sharing with third parties

### 12.3 Marketing Cookies (opt-in)

**NOT CURRENTLY IMPLEMENTED** - Will only be implemented with explicit consent.

For more details, see the complete **Cookie Policy**.

---

## 13. Minors

Remotica is NOT intended for persons under 18 years old.

If a parent/guardian discovers that their minor child has provided personal data without consent, they can contact privacy@remotica.com to request immediate deletion.

---

## 14. Privacy Policy Changes

Remotica reserves the right to modify this privacy policy.

**In case of substantial changes:**
- Notification via email to registered users (at least 30 days before)
- Informative banner on website
- "Last updated" date updated in header

**User obligation:** Periodically check the privacy policy to be informed of changes.

---

## 15. Contact

For questions, requests, or complaints regarding privacy:

**Email:** privacy@remotica.com
**PEC (if available):** [To be completed]
**Postal address:** [To be completed]

**Response time:** Without undue delay and in any case within one month of receiving the request (see section 8).

---

## 16. DPO (Data Protection Officer)

**NOT CURRENTLY APPOINTED** - Remotica is assessing whether DPO appointment is mandatory according to Art. 37 GDPR.

If appointed, DPO contact details will be published here.

---

## 17. Brief Summary (TL;DR)

✅ **What we collect:** Name, email, booking history, anonymized IPs
✅ **Why:** Manage bookings, payments, improve service
✅ **Who we share with:** Stripe (payments), Railway (hosting)
✅ **Your rights:** Access, rectification, erasure, portability (GDPR)
✅ **Security:** Password hashing (bcrypt), HTTPS, daily backups
✅ **Contact:** privacy@remotica.com

---

**END OF PRIVACY POLICY**

---

## IMPLEMENTATION NOTES

**Before publishing this Privacy Policy:**

1. ✅ Complete [To be completed] fields with real Remotica data
2. ✅ Have it reviewed by privacy lawyer (€300-500)
3. ✅ Implement Cookie Banner with explicit consent for non-essential cookies
4. ✅ Verify compliance with Italian Data Protection Authority
5. ✅ Ensure IT (Italian) version equivalence
6. ✅ Publish on website with clearly visible footer link
7. ✅ Update partner contracts with reference to this policy

**Complementary documents to create:**
- Detailed Cookie Policy
- User Terms & Conditions
- Partner Terms & Conditions
- Data Processing Agreement (DPA) for partners processing user data