1. Who is the Data Controller

The Data Controller is Informatica in Azienda di Emanuel Celano, the organization operating DAPI Certification (the “Service”).

Our data protection approach is based on transparency, data minimization, and respect for your fundamental rights under GDPR (Regulation EU 2016/679) and other applicable privacy regulations.

2. What Data We Process

Depending on your service request and how you interact with DAPI, we may process the following categories of personal data:

• Identification and contact data: Name, surname, email address, country of residence, and any additional information you voluntarily provide in the certification request form, email communications, or support interactions.
• Verification files submitted by you (the “Certification Files”): Typically up to four identity-related files including: (1) valid government-issued ID document (passport, national ID, driver’s license), (2) front-facing facial photograph, (3) voice audio recording, and (4) short verification video. The specific files required may vary based on your certification package.
• Technical metadata generated during certification: Original file names (as provided by you), file sizes, file formats, SHA-256 cryptographic hashes, qualified timestamp certificates, DAPI certification code, certification date, and internal process logs documenting chain of custody and integrity verification procedures.
• Website usage and technical data: When you visit our website, we collect limited technical information including IP address, user agent string, device type, browser information, referring URL, pages visited, and timestamps. This data is collected through server logs and, if enabled, analytics cookies for website security and performance optimization.
• Communication records: Emails, messages, and other communications between you and DAPI support related to your certification request, delivery, or inquiries.

3. What We Do NOT Do

DAPI is built on privacy-first principles. To be absolutely clear about what we do NOT do with your data:

• We do NOT create a public biometric database. DAPI is not a biometric registry, identity verification platform, or searchable database. Your biometric data is used solely for your private certification and is not stored in any form that allows searching, matching, or comparison with other users.
• We do NOT publish or make your certification public. Your certification package, certificate, and all related materials are private. Nothing is indexed by search engines, made publicly accessible, or published online. Only you receive the certification deliverables.
• We do NOT create searchable profiles or verification badges. There is no public “DAPI profile” associated with your name or identity. The certification exists exclusively as a private evidence package in your possession.
• We do NOT sell, rent, or trade personal data. Your data is never sold to third parties, data brokers, advertisers, or marketing companies. Period.
• We do NOT use your biometric data for purposes unrelated to your certification. Your facial photos, voice recordings, and verification video are processed exclusively to generate your requested certification—never for facial recognition systems, voice analysis products, AI training datasets, or any other purpose.

4. Purpose of Processing

We process your personal data only for legitimate, specific, and clearly defined purposes. Each processing activity is limited to what is necessary to achieve that purpose.

• Service delivery and contract performance: To execute the DAPI certification service you requested, including file reception, hash generation, timestamp application, certificate creation, quality control, and secure delivery of the complete certification package.
• Integrity and evidentiary value: To generate cryptographic hashes (SHA-256), apply qualified timestamps (eIDAS-compliant), create chain of custody documentation, and produce forensic evidence that supports the authenticity and temporal proof of your certified materials.
• Security and fraud prevention: To protect the Service against misuse, impersonation attempts, fraudulent certification requests, unauthorized access, and abuse of our systems. This includes legitimacy verification and security monitoring.
• Customer support and communication: To answer your questions, provide technical guidance, deliver secure instructions for file submission, assist with certificate usage, and resolve any issues related to your certification.
• Legal compliance and regulatory obligations: To meet requirements under applicable laws including accounting obligations, tax regulations, anti-money laundering rules (where applicable), and responding to lawful requests from competent authorities.
• Service improvement: To analyze aggregate, anonymized usage patterns (not individual data) for improving website performance, security measures, and certification process efficiency.

5. Legal Basis for Processing

Under GDPR and applicable data protection laws, we process personal data based on one or more of the following legal grounds:

• Performance of a contract (GDPR Art. 6(1)(b)): Processing is necessary to perform the DAPI certification service you requested and to which you are a party. This covers service delivery, file processing, certificate generation, and delivery.
• Legal obligation (GDPR Art. 6(1)(c)): Processing is required to comply with legal obligations including accounting requirements, tax regulations, and responses to lawful requests from competent authorities (courts, law enforcement, regulatory bodies).
• Legitimate interests (GDPR Art. 6(1)(f)): Processing is necessary for our legitimate interests in: (a) maintaining website security and preventing abuse, (b) fraud prevention and legitimacy verification, (c) protecting our systems and intellectual property, (d) internal administration and business operations. We carefully balance these interests against your rights and freedoms.
• Consent (GDPR Art. 6(1)(a)): Only when processing is based solely on your voluntary consent (for example, optional marketing communications if enabled, or optional analytics cookies). You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

6. Data Minimization and Retention

DAPI is specifically designed to minimize retention of sensitive biometric content while maintaining the verifiability and legal value of issued certifications. We follow strict data minimization principles.

Certification Files (Biometric Data)

Your identity files (ID document, facial photo, voice recording, verification video) are processed exclusively to produce your certification package and are NOT stored longer than necessary for delivery and quality verification:

• Workstation deletion: Files are permanently deleted from the certification workstation within 48 hours after certification delivery, using 7-pass DoD 5220.22-M overwrite standard that makes recovery impossible.
• Email deletion: Emails containing your files are deleted from mail servers within 30 days after certification delivery.
• Deletion confirmation: You receive written confirmation that the deletion protocol has been completed, with timestamp logging for verification.

Certification Metadata (Retained)

The following technical metadata is retained permanently because it is necessary to maintain the verifiability and legal value of your issued certification:

• Cryptographic hashes (SHA-256): Digital fingerprints that cannot be reverse-engineered to reconstruct original files
• Qualified timestamp certificates: RFC 3161 timestamps proving certification date
• Basic metadata: Your name, DAPI code, certification date, file technical specifications
• Process logs: Chain of custody documentation and integrity verification records
• Delivery receipts: Confirmation that certification package was delivered

Other Data Retention Periods

• Support communications: Retained for operational purposes for up to 2 years, or longer if required for legal/accounting obligations
• Website logs and analytics: Typically retained for 6-12 months for security and performance analysis
• Accounting/tax records: Retained for periods required by law (typically 10 years in Italy)

7. Where Data is Stored and Processed

Data is processed through controlled, secure channels with restricted access:

• Certification processing: Performed on encrypted offline workstation located in Italy, accessible only to the forensic expert responsible for certification. No cloud processing of biometric files.
• Email communications: Handled through certified email (PEC) providers and secure email services compliant with Italian and EU data protection standards.
• Website hosting: Infrastructure located in EU data centers with appropriate security certifications and GDPR compliance.
• Metadata storage: Retained certification metadata (hashes, timestamps, process logs) stored on secure servers in Italy/EU with encrypted backups.

Access to your data is strictly limited to authorized personnel directly involved in certification processing, delivery, and support. We implement role-based access controls, audit logging, and need-to-know principles.

8. Data Sharing and Recipients

We do not share your Certification Files or personal data with third parties except when necessary to provide the service or required by law. Possible recipients include:

• Timestamp service providers: eIDAS-qualified timestamp authorities that generate RFC 3161 timestamps. These providers receive only technical data (hashes), not your biometric files or personally identifiable information.
• Email/communication providers: Certified email (PEC) services and secure communication platforms used to send instructions and deliver your certification package. These providers process data as data processors under strict contractual obligations.
• Infrastructure and hosting providers: Server hosting, backup services, and technical infrastructure necessary for secure storage and website operation. Selected based on GDPR compliance and appropriate security standards.
• Legal and regulatory authorities: Courts, law enforcement agencies, tax authorities, or other competent authorities when disclosure is required by valid legal request, court order, or applicable law.
• Professional advisors: Legal counsel, accountants, or auditors when necessary for legal compliance, dispute resolution, or financial obligations (under professional secrecy obligations).

9. International Transfers

DAPI prioritizes data processing within the European Union to benefit from strong GDPR protections. However, if data must be transferred outside the EU/EEA (for example, if you are located outside Europe or if certain service providers operate internationally), we adopt safeguards required by law:

• Standard Contractual Clauses (SCCs): EU Commission approved contractual terms that ensure adequate data protection in countries without EU adequacy decisions.
• Adequacy decisions: Transfers to countries recognized by the EU Commission as providing adequate data protection (UK, Switzerland, Japan, etc.).
• Additional safeguards: Encryption in transit and at rest, access controls, security certifications, and contractual commitments from recipients.

Contact us if you need specific information about international transfers relevant to your certification, including details on the safeguards applied and copies of relevant transfer mechanisms.

10. Security Measures

We implement technical and organizational security measures appropriate to the sensitivity of the data, including biometric information. Security measures include (where relevant):

• Access controls: Role-based access, strong authentication, least-privilege principles, and audit logging of all access to sensitive data.
• Encryption: TLS/SSL encryption for data in transit (website, emails), and encryption at rest for stored sensitive data and backups.
• Offline processing: Certification Files processed on encrypted offline workstation not connected to internet during processing, eliminating remote attack vectors.
• Secure deletion: DoD 5220.22-M 7-pass overwrite for file deletion, making data recovery impossible.
• Cryptographic integrity: SHA-256 hashing ensures file integrity and detects any unauthorized modifications.
• Physical security: Controlled access to premises, secure workstation location, and protection of physical media.
• Monitoring and logging: Security monitoring, intrusion detection, audit trails, and regular security reviews.
• Incident response: Documented procedures for detecting, responding to, and reporting security incidents including data breaches.

11. Cookies and Tracking

DAPI uses cookies and similar technologies for essential website functionality, security, and (optionally) analytics. Our approach:

• Essential cookies: Required for website to function properly (session management, security, load balancing). These cannot be disabled and do not require consent as they are strictly necessary.
• Security cookies: Used to prevent abuse, detect suspicious activity, and protect against attacks (e.g., rate limiting, bot detection).
• Analytics cookies (if enabled): Help us understand how visitors use the website (page views, navigation patterns, error rates) to improve user experience. Analytics cookies are disabled by default and require your consent.
• Marketing cookies: DAPI does not use marketing, advertising, or tracking cookies from third-party networks.

You can control cookie preferences through your browser settings. Note that blocking essential cookies may affect website functionality. Detailed cookie information is available in our Cookie Policy.

12. Your Rights Under GDPR and Data Protection Laws

Depending on your jurisdiction (particularly if you are in the EU/EEA or UK), you have the following rights regarding your personal data:

How to Exercise Your Rights

To exercise any of these rights, contact us using the official email address published on the website contact page. Please include:

• Your full name and contact information
• Your DAPI certification code (if applicable)
• Specific right you wish to exercise and relevant details
• Proof of identity (to prevent unauthorized access)

We will respond to your request within one month (extendable by two additional months for complex requests). If we cannot fulfill your request, we will explain the reason and inform you of your right to lodge a complaint with a supervisory authority.

13. Requests Involving Certified Evidence

Specifically, the following data may need to be retained even if you request deletion:

• Cryptographic hashes (SHA-256): Required to verify that certificates we issued remain authentic and have not been tampered with. Without retained hashes, the certificate loses verifiability.
• Timestamp certificates: Legal temporal proof that cannot be deleted without invalidating the timestamp’s evidentiary value.
• Chain of custody documentation: Process logs establishing how certification was performed, necessary for legal proceedings where methodology may be questioned.
• Certification metadata: Basic information (name, DAPI code, date) connecting you to the issued certificate, required if legal disputes involve certificate authenticity.

Legal basis for retention: GDPR Art. 17(3)(e) allows refusal of erasure when processing is necessary for establishment, exercise, or defense of legal claims—which is the core purpose of DAPI certification.

If you request deletion and we must refuse due to these limitations, we will:

• Explain specifically which data cannot be deleted and why
• Confirm deletion of any data that CAN be deleted (e.g., support communications, website usage data)
• Provide available alternatives (restriction, anonymization where possible)
• Inform you of your right to lodge a complaint with supervisory authority if you disagree

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

• Changes or improvements to the DAPI service
• Updates to applicable data protection laws or regulations
• New security measures or processing activities
• Feedback from supervisory authorities or data protection assessments

The latest version of this Privacy Policy will always be published on this page with the “Last updated” date at the top. Material changes that significantly affect your rights will be communicated to you via email (if we have your contact information) or prominent notice on the website.

Changes become effective from the date of publication. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

15. Contact & Data Protection Officer

For privacy questions, data protection inquiries, or to exercise your rights under GDPR and applicable data protection laws, please contact us using the official contact details published on the website.

Supervisory Authority (Italy): If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority:

Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma, Italy
Website: www.garanteprivacy.it
Email: garante@gpdp.it