Privacy policy

Last updated: 29 May 2026 · Effective: 29 May 2026

1. Who we are (data controller)

Tinnylab di Emilio Bonaceto · Sole Trader (Ditta Individuale, Italy) · VAT: IT03824330835. Contact: hello@scoredtools.com.

We comply with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and the Italian Personal Data Protection Code (Codice Privacy).

2. What data we collect

Visitors (anonymous)

• IP address (truncated to /24, kept 30 days max)
• User agent (browser type)
• Pages visited and referrer
• Time spent on page

Tools used: Google Analytics 4 (with anonymize_ip enabled), Microsoft Clarity (anonymized session recordings).

Newsletter subscribers

• Email address (required)
• Source of signup (homepage / lead-magnet / popup)
• UTM parameters from referring URL

Provider: Beehiiv (data processor — based in USA, GDPR-compliant via Standard Contractual Clauses).

SaaS users (Stack Builder)

• Email + name (signup)
• Saved stacks + form inputs
• Subscription data (Stripe)
• Affiliate click activity

Providers: Supabase (data processor, EU servers, GDPR-compliant), Stripe (payment processing).

Product buyers (Gumroad)

Gumroad is the Merchant of Record. We do not collect or store your payment details. Gumroad collects: email, name, payment, address (if applicable). Their privacy policy: gumroad.com/privacy.

3. Why we collect it (legal basis)

• Contract performance: process orders, deliver products, provide SaaS
• Legitimate interest: analytics, fraud prevention, site improvement
• Consent: marketing newsletter, optional cookies
• Legal obligation: tax/accounting records

4. How long we keep it

• Analytics: 14 months (GA4 default)
• Newsletter: until you unsubscribe + 6 months
• SaaS account: while active + 12 months after cancellation
• Order records: 10 years (Italian tax law)

5. Who we share with

We only share data with these processors:

• Beehiiv (newsletter)
• Supabase (database)
• Stripe (payments)
• Gumroad (digital product checkout, Merchant of Record)
• Vercel (hosting)
• Cloudflare (CDN, DNS)
• Google (Analytics)
• Microsoft (Clarity)

None of these processors sell your data. All sign Data Processing Agreements (DPA) with us.

6. Your rights (GDPR)

You have the right to:

• Access your data (Art. 15)
• Correct inaccurate data (Art. 16)
• Delete your data (Art. 17 — "right to be forgotten")
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Withdraw consent (Art. 7)
• File a complaint with the Garante per la protezione dei dati personali (garanteprivacy.it)

To exercise any right, email dpo@scoredtools.com. We respond within 30 days.

7. International transfers

Some processors are based outside the EU (Stripe, Beehiiv, Gumroad). Transfers are protected by EU Standard Contractual Clauses + adequacy decisions.

8. Cookies

See our cookie policy.

9. Changes

We post material changes to this policy on this page. Material changes are also notified by email to active newsletter subscribers and SaaS users.

10. Contact

• Privacy questions: dpo@scoredtools.com
• Data Protection Officer: not required by GDPR (sole trader). Em is the data controller.
• Italian Data Protection Authority: garanteprivacy.it