Privacy policy and data processing.
Information notice pursuant to EU Regulation 2016/679 (GDPR) on the processing of personal data collected through the SWater website and platform.
Privacy Policy — SWater Online
Last update: 14/05/2026
Version: 1.0
Note. This English version is provided for the convenience of non-Italian-speaking data subjects. In case of conflict or discrepancy between this version and the Italian one (privacy-it.md), the Italian version shall prevail.
This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 ("Italian Privacy Code"), and describes the processing of personal data carried out within the SWater Online SaaS platform (the "Service").
1. Data controller
The controller of personal data processing is:
ELERIA di Andrea Vincenzo Abbondanza
Registered office: Casagiove (CE), Italy
VAT / Tax ID: IT04937660613
Certified email (PEC): andreabbondanza@pec-eu.it
Email: info@eleria.eu
Website: https://eleria.eu
(hereinafter, "ELERIA" or the "Controller").
ELERIA has not appointed a Data Protection Officer (DPO), as the requirements for mandatory appointment under Article 37 GDPR are not met. For any request concerning personal data protection, data subjects may contact the Controller directly at the addresses above.
2. Categories of personal data processed
In the course of providing the Service, ELERIA processes the following categories of personal data:
2.1 Account data
First name, last name, email address, password (stored exclusively in encrypted form by means of a non-reversible hash function), role within the Customer's organisation, language preference, optional photograph/avatar.
2.2 Billing and administrative data
Company name or name of the professional, VAT number, tax code, registered office address, certified email (PEC) address, SDI recipient code, payment data (excluding full credit-card data, which — where applicable — is handled directly by a payment gateway and does not transit through ELERIA's systems).
2.3 Usage and product data
Access history (date, time, IP address, user agent), list of calculations performed, modules used, input parameters provided, generated outputs (calculations, reports), templates uploaded by the Customer (e.g. Word models for Custom Reports), any interactions with the AI Assistant Bot (where activated).
2.4 Technical and security data
IP address, technical session identifiers, application logs, security logs, device and browser data. The use of cookies is governed separately by the Cookie Policy published on the official website of the Service, to which reference is made in full.
2.5 Support and communication data
Content of communications between the Customer and ELERIA (support emails, requests via contact form, support tickets), with the related metadata.
2.6 Authentication data and security factors
To ensure the security of access, where the user activates such features, ELERIA may process the following additional authentication data:
- Passkeys (WebAuthn / FIDO2) — cryptographic public key generated by the user's authenticator, credential identifier (credential ID), any authenticator metadata (AAGUID), the name assigned by the user to the passkey, the date of registration and the date of last use. The private key and any biometric data used to unlock it on the user's device (fingerprint, facial recognition, authenticator PIN) ARE NEVER transmitted to, or processed by, ELERIA: they remain confined exclusively to the user's device, which performs the biometric verification locally and signs a cryptographic challenge with the private key. The platform receives only the authentication outcome and the related signature, never the biometric data. ELERIA therefore does not process special categories of personal data within the meaning of Article 9 GDPR.
- Two-factor authentication (2FA) — depending on the method chosen by the user:
- TOTP (authenticator app, e.g. Google Authenticator, Authy, 1Password): shared secret generated at activation, stored in encrypted form at rest;
- Backup codes: stored exclusively as non-reversible hashes;
- SMS (where enabled by the platform): user's mobile phone number, used solely to send the verification code;
- Email (where enabled): the email address already stored as account data under Article 2.1, with no additional address collected.
- Active sessions and devices — technical device identifier (device_id), user agent, IP address of the session, date and time of access, used for managing multiple sessions, detecting anomalous access and preventing fraud.
The data referred to in this paragraph is processed on the basis of performance of the contract (Art. 6.1.b GDPR) and the legitimate interest of the Controller in ensuring the security of the Service (Art. 6.1.f GDPR), also in implementation of the technical security obligations under Article 32 GDPR. Such data is deleted immediately upon revocation of the corresponding credential from the account's security panel and, in any case, upon account termination under the terms of Article 8.
3. Purposes of processing and legal bases
Personal data is processed for the following purposes, on the corresponding legal bases:
| # | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| (a) | Account registration and management; provision of the subscribed Service, including calculations, report generation and access to the REST API where applicable; technical support | Performance of the contract or pre-contractual measures — Art. 6.1.b |
| (b) | Invoicing, accounting, tax obligations, mandatory document retention | Legal obligation — Art. 6.1.c |
| (c) | Security of the Service: prevention of unauthorised access, detection of abuse and fraud, data integrity, retention of application and security logs | Legitimate interest of the Controller — Art. 6.1.f |
| (d) | Service communications: subscription expiry notices, operational communications regarding bug fixes, release of new features, user actions required (e.g. password update, acceptance of updated terms), maintenance notices, security communications | Performance of the contract — Art. 6.1.b — and legitimate interest of the Controller in keeping the Customer informed about the proper use of the Service — Art. 6.1.f |
| (e) | Defence of ELERIA's rights in court or out of court, ascertainment and pursuit of Customer's liabilities in case of breach | Legitimate interest of the Controller — Art. 6.1.f |
| (f) | Improvement of the Service and statistical analyses, carried out exclusively on aggregated and anonymised data | Legitimate interest of the Controller — Art. 6.1.f |
ELERIA does not carry out direct marketing, commercial profiling or sending of promotional newsletters. The communications referred to in letter (d) do not constitute promotional communications within the meaning of Article 130 of the Italian Privacy Code.
4. Service communications and right to object
The communications referred to in Article 3 letter (d) — bug-fix announcements, new features, required user actions, expiry notices, security alerts — are functional to the proper performance of the contract and to the Customer's informed use of the Service. They do not constitute direct marketing and are sent on a contractual and legitimate-interest basis, with no consent required.
The data subject is nonetheless entitled, pursuant to Article 21 GDPR, to object to the processing of his/her data for purposes based on legitimate interest, including such communications. Objecting to service communications may, however, prevent the data subject from receiving information that is relevant to the use of the Service (expiry notices, mandatory action requests, security communications); in any event, communications strictly necessary to perform the contract (e.g. invoice, payment confirmation, imminent expiry) will continue to be sent.
5. Methods of processing
Data is processed using electronic tools and organisational and logical methods strictly connected to the stated purposes. ELERIA adopts technical and organisational measures appropriate under Article 32 GDPR to safeguard the confidentiality, integrity and availability of data, including in particular:
- encryption of data in transit (TLS) and at rest, where technically applicable;
- password storage by way of hash functions with salt;
- access control via individual credentials, support for passkeys (WebAuthn/FIDO2) and two-factor authentication (TOTP, backup codes and, where enabled, email or SMS); any biometric data used to unlock passkeys on the user's device is never transmitted to the Service (see Article 2.6);
- logging of access and security events;
- logical segregation of data between Customers;
- periodic backups;
- incident-management and data-breach notification procedures.
Access to data is restricted to ELERIA's duly authorised and trained personnel, within the limits of their respective duties.
6. Recipients of data and external processors
Personal data may be disclosed to third parties that carry out, on behalf of ELERIA, specific activities necessary for the provision of the Service. Such parties act as Data Processors under Article 28 GDPR, pursuant to a specific appointment governing their role, purposes and security measures.
6.1 External processors appointed
At the date of publication of this Policy, the main external processors are:
- Amazon Web Services EMEA SARL (registered in Luxembourg), as the provider of the cloud infrastructure hosting the Service. Data is physically processed in data centres located within the European Economic Area.
ELERIA reserves the right to engage additional external processors (by way of example: transactional email providers, payment gateways, technical-support providers), appointed in writing pursuant to Article 28 GDPR. In such case, this Policy will be updated.
6.2 Other recipients
Data may also be disclosed to:
- professional advisors of the Controller (accountant, legal counsel) strictly to the extent necessary and acting as autonomous controllers for their own professional purposes;
- judicial or administrative authorities, in compliance with legal obligations or orders from authorities.
Personal data is not disseminated, sold or transferred to third parties for their own commercial purposes.
7. International data transfers
At the date of publication of this Policy, all personal data is processed and stored within the European Economic Area (EEA). No transfers to third countries are currently in place.
Should the transfer of personal data outside the EEA become necessary in the future, ELERIA will adopt the safeguards provided for by Articles 44 et seq. GDPR — in particular the Standard Contractual Clauses adopted by the European Commission — and will promptly inform the data subjects.
8. Retention period
Personal data is retained for the time strictly necessary to pursue the purposes for which it has been collected, and in any event:
| Data category | Retention period |
|---|---|
| Account data and Customer content | For the entire duration of the subscription, plus 12 months from termination, to allow possible reactivation without loss of history. After such period, data is deleted or anonymised. |
| Billing data and tax documentation | 10 years from the date of issue of the document, pursuant to Italian civil and tax legislation (Art. 2220 Italian Civil Code and D.P.R. 633/1972). |
| Access and security logs | Generally 6-12 months, save where longer retention is required for the defence of a right in court or for security-incident investigations. |
| Support communications | For the time necessary to handle the request and, thereafter, for a reasonable period not exceeding 24 months for traceability. |
| Data processed for defensive purposes | For the duration of the litigation and until the expiry of the deadlines for appeal. |
In case of early account deletion at the data subject's request, the retention periods provided by law for administrative and tax data remain unaffected.
9. Rights of the data subject
At any time, the data subject may exercise the following rights against the Controller, recognised by Articles 15-22 GDPR:
- right of access to personal data (Art. 15);
- right to rectification of inaccurate data or completion of incomplete data (Art. 16);
- right to erasure ("right to be forgotten") in the cases provided for in Art. 17;
- right to restriction of processing (Art. 18);
- right to data portability, in a structured, commonly used and machine-readable format (Art. 20);
- right to object to processing based on the Controller's legitimate interest (Art. 21), with the clarifications in Article 4 of this Policy.
The data subject also has the right, under Article 77 GDPR, to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (https://www.garanteprivacy.it).
9.1 How to exercise rights
Requests for the exercise of rights may be addressed to the Controller's contact details indicated in Article 1. ELERIA undertakes to respond without undue delay and, in any case, within one month of receipt of the request, save for a reasoned extension in the cases provided for in Article 12 GDPR.
The exercise of rights is free of charge, except for cases of manifestly unfounded or excessive requests under Article 12.5 GDPR.
10. Automated decision-making and profiling
ELERIA does not carry out fully automated decision-making processes under Article 22 GDPR, nor profiling activities, on the data subjects' personal data. Calculations performed by the Service constitute computations requested by the Customer based on inputs provided by the Customer itself, and do not produce legal or similarly significant effects on data subjects arising from decisions autonomously taken by the platform.
11. Provision of data and consequences of refusal
Provision of account data, billing data and data strictly necessary to provide the Service (Article 3 lett. a–c) is mandatory: failure to provide such data will prevent ELERIA from delivering the Service.
Provision of other data (by way of example: non-essential profile data, optional uploaded content) is optional.
12. Cookies
The use of cookies and similar technologies on the SWater Online website and application is governed separately by the Cookie Policy published on the official website of the Service, to which reference is made in full.
13. Amendments to this Policy
ELERIA reserves the right to update this Policy to reflect regulatory, organisational or Service-related changes. Amendments will be published on the official website and, if they have a material impact on the processing activities, communicated to data subjects with reasonable notice via dashboard and/or email.
14. Contacts
For any request, exercise of rights or clarification regarding personal data protection, data subjects may contact the Controller at the addresses indicated in Article 1.