
Privacy Policy

Last updated: 2026-04-19. Designed to support obligations under Regulation (EU) 2016/679 (GDPR) and the Italian Codice della Privacy (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018).

Short version: we collect only what the Service needs. All data is processed inside the EEA. We never sell it. We do not use tracking or advertising cookies. You can exercise GDPR rights by emailing privacy@eleion.io — reply within 30 days.

1. Data Controller

Eleion (Italy-based, pre-incorporation). The current legal entity acting as Data Controller (name, VAT ID, legal seat) is disclosed on request to privacy@eleion.io. Once the Italian corporate entity is registered, this Policy will be updated within 14 days.

A Data Protection Officer is not mandatory for current processing scale (GDPR Art. 37). An external DPO will be designated before we reach the enterprise tier; registration with the Italian Garante will be updated accordingly.

2. Personal data we process

Category               | Examples                                                                  | Legal basis (Art. 6)                               | Retention
Account                | email, organization slug, Stripe customer ID                              | Contract (6.1.b)                                   | Account lifetime + 90 days
Scan metadata          | target URL, ownership proof hash, timestamps, scan profile, findings      | Contract (6.1.b)                                   | 12 months
Audit / security logs  | IP address, User-Agent, request/response size, Turnstile result           | Legitimate interest (6.1.f) — abuse prevention     | 12 months
Payment data           | Customer ID (card details held by Stripe, PCI-DSS)                        | Contract + legal (6.1.b, 6.1.c)                    | 10 years (IT fiscal law)
Waitlist               | email, optional domain, source IP at signup                               | Pre-contract (6.1.b) + consent (6.1.a)             | Until unsubscribe

3. Purposes

  • Operate the Service — verify ownership, execute scans, deliver findings, enforce rate limits.
  • Bill accurately — issue invoices via the Italian Sistema di Interscambio where applicable.
  • Prevent abuse and investigate reported misuse of the Service.
  • Comply with legal obligations (fiscal, accounting, law enforcement requests under EU/IT law).

4. Who we share data with (sub-processors)

We disclose the minimum necessary to deliver the Service. The full list, with countries and scope, is published at /sub-processors and updated before any new processor is added.

  • Amazon Web Services — compute, database, storage in eu-central-1 (Frankfurt). AWS DPA signed. Processor inside EEA.
  • Stripe Payments Europe — payment processing. PCI-DSS Level 1 compliant.
  • Cloudflare — edge CDN, DNS, Turnstile captcha. EU data center with EU-jurisdiction representatives where available.
  • Resend — transactional email delivery.

We do not share scan findings with any party other than the tenant who created the scan, except under a valid legal order or documented abuse report from the verified asset owner.

5. International transfers (Schrems II)

Customer data is kept in AWS eu-central-1. Metadata that may transit control-plane infrastructure operated outside the EEA (e.g. AWS IAM, Route53) is covered by Standard Contractual Clauses (Decision 2021/914, Module 2) and supplementary measures: encryption at rest via customer-managed KMS, encryption in transit (TLS 1.2+), minimization of personal data in logs. Our Transfer Impact Assessment is available to enterprise customers under NDA.

6. Your rights (GDPR Art. 15–22 + Codice Privacy)

  • Access — copy of your personal data;
  • Rectification — correct inaccurate data;
  • Erasure — "right to be forgotten", subject to retention obligations (Art. 17);
  • Portability — export in machine-readable format;
  • Restriction — temporarily suspend processing;
  • Objection — object to processing based on legitimate interest;
  • Automated decisions — we do not take solely automated decisions that produce legal or similarly significant effects on you.

Exercise any right by emailing privacy@eleion.io. We respond within 30 days. You may also lodge a complaint with the Garante per la protezione dei dati personali or your local EU supervisory authority.

7. Security (GDPR Art. 32)

  • TLS 1.2+ in transit. AES-256 encryption at rest (AWS EBS, RDS, S3).
  • Customer data tenant-isolated at the database level (PostgreSQL Row Level Security, FORCE).
  • Least-privilege IAM + KMS keys rotated annually.
  • Audit logs append-only, retained 12 months.
  • Personnel access restricted and logged.
  • Backups daily, integrity-verified, retained 30 days, with an off-region copy where required.

8. Breach notification

If a personal-data breach occurs with risk to your rights and freedoms, we notify the Italian Garante within 72 hours (GDPR Art. 33) and you without undue delay where the risk is high (Art. 34).

9. Cookies

We use only strictly necessary cookies. Details at /cookies. No analytics, no advertising, no third-party tracking scripts.

10. Minors

The Service is a B2B security tool. It is not directed at or intended for persons under 18. We do not knowingly collect data of minors.

11. Changes

We notify material changes by email to registered accounts at least 30 days before they take effect. Version history is maintained at /privacy.

Eleion, independent product. Italian corporate entity registration in progress — current operator details on request at legal@eleion.io. Service hosted on AWS Frankfurt (eu-central-1). Primary customer data stays inside the EU.
Contacts: privacy@eleion.io · abuse@eleion.io · security@eleion.io · legal@eleion.io
Strictly necessary cookies only. Designed to support GDPR obligations (Regulation EU 2016/679) and the Italian Codice della Privacy — DPA, sub-processors and Transfer Impact Assessment published. Self-assessment EU 2021/821 (dual-use): passive scanner, no intrusion software nor exploit generation.