Privacy Policy - Vezpa App

1. Data Controller

Vezpa di Paolo Vezzola
Registered office: Via San Zeno 67, 25015 Desenzano del Garda (BS), Italy
VAT No.: 04449070988 · Tax Code: VZZPLA84C10D284C
Email: [email protected] · PEC: [email protected]

2. Scope of Application

This notice applies to the Vezpa App distributed through:

Apple App Store (iOS, macOS) — Bundle ID: it.vezpa.pms
Google Play Store (Android) — googleplay flavour
Microsoft Store (Windows) — MSIX
Direct sideload (Android APK, signed Windows installer) for use distributed directly by the Data Controller

Use of the app requires the creation of an account dedicated to the accommodation facility. The app is intended for professional users over 18 years of age (managers of accommodation facilities and their authorised staff).

3. Data collected by the App

3.1 User data (Managers and staff)

Personal data: first name, last name, email, phone number
Accommodation facility data
Credentials (password hashed on the backend, never transmitted in clear text)
Account identifiers (User ID)
Assigned role (manager, assistant, housekeeper, observer)

3.2 Guest data (Vezpa acts as Processor)

Important: guest data is owned by the facility. Vezpa acts as Data Processor pursuant to art. 28 GDPR, governed by the DPA.

Personal and contact data
Identity documents scanned or photographed using the device camera, with OCR extraction of textual data to facilitate registration
Stay and booking data

3.3 Technical and usage data

Device identifiers: model, operating system, app version
Push notification token (FCM): unique identifier managed by Google Firebase for sending notifications
SHA-256 hash of the trusted device: generated locally to enable subsequent biometric access, expiring 90 days after last use
Application and diagnostic logs: transmitted in batches to the backend via RemoteLogger for stability and security purposes; they do not contain sensitive personal content
IP address: collected by the backend for security purposes

4. Permissions requested by the App

Permission	Purpose	Mandatory
Camera	Capture images of guest identity documents for OCR and transmission to the authorities	Optional (alternative: manual entry)
Push notifications	Receive notifications about new bookings, check-ins, guest requests	Optional (the app works without)
Biometric authentication (Face ID / Touch ID / fingerprint / Windows Hello)	Quick login after the first authentication with password. Biometric data never leaves the device and is not shared with Vezpa.	Optional
Storage / Files	Local saving of PDF reports, invoices, guest registration forms generated by the app	Optional
Internet	Communication with Vezpa servers	Mandatory
REQUEST_INSTALL_PACKAGES (Android sideload only)	Automatic installation of updates via APK downloaded from Vezpa servers. Not present in the Google Play version.	Required only for the sideload flavour

5. SDKs and services integrated into the App

SDK / Service	Provider	Purpose	Data processed
Firebase Cloud Messaging (FCM)	Google LLC / Google Ireland Ltd	Sending push notifications	Device token, technical identifiers
StoreKit / Google Play Billing / Microsoft Store	Apple Inc. / Google LLC / Microsoft Corp.	Management of in-app purchases and subscriptions	Purchase token, subscription status, store account ID
Stripe SDK (guest payment page only)	Stripe Payments Europe Ltd	Card payment processing	Card data handled by Stripe, not transmitted to Vezpa
local_auth (biometrics)	Operating system (Apple / Google / Microsoft)	Local biometric unlock	No biometric data transmitted to Vezpa
Flutter Secure Storage	Platform (Keychain iOS/macOS, EncryptedSharedPreferences Android, DPAPI Windows)	Local storage of JWT tokens and credentials	Refresh tokens, encrypted by the operating system
share_plus	Open Source	Sharing files (PDF, reports) with system apps	Files chosen by the user

Vezpa does not integrate behavioural analytics SDKs (e.g. AppsFlyer, Mixpanel, Facebook SDK), advertising SDKs or profiling SDKs. No cross-app tracking under Apple App Tracking Transparency (ATT).

6. Purposes of Processing

Provision of the Vezpa App features (art. 6.1.b GDPR)
Legal obligations relating to guest registration, delegated by the facility (art. 6.1.c)
Security, fraud prevention, service stability (art. 6.1.f, legitimate interest)
Subscription and payment management (art. 6.1.b and 6.1.c)

Data is not used for advertising, profiling or tracking purposes.

7. Processing Methods and Security

Transmission via HTTPS/TLS 1.2+
Authentication with rotating JWT (access 15 min, refresh 180 days with blacklist)
System Secure Storage (Keychain / EncryptedSharedPreferences / DPAPI)
Optional 2FA TOTP
Backend servers located in the EU (Frankfurt) on DigitalOcean
Application logs monitored to detect anomalous access

8. Retention and Deletion

User data is retained for the duration of the contract + tax obligations (10 years for invoicing).

The user may request account deletion via the dedicated feature in the app or by writing to the Data Controller. Some data may be retained for legal obligations (invoicing, security logs).

Guest data (for which Vezpa is Processor) follows the Controller's instructions as regulated by the DPA.

9. Disclosure of Data

Data is not sold or disseminated. It may be communicated to the sub-processors listed at vezpa.it/subprocessors and, limited to booking data, to the OTA channels activated by the facility.

For data transmitted to public authorities (Police Headquarters, ISTAT, Feratel, SES, NTAK, eVisitor, SEF, UbyPort, eTurizem) please refer to the general Privacy Policy.

10. Extra-EU Transfers

Communications with US providers certified under the DPF (Google/Firebase, Stripe, Microsoft, DigitalOcean) take place on the basis of the EU-U.S. Data Privacy Framework (Commission Decision (EU) 2023/1795). Apple does not participate in the DPF: the contractual relationship for EU users is with Apple Distribution International Ltd (Ireland) and any transfers to Apple Inc. (USA) are governed by SCC 2021/914. Communications with STAAH (channel manager) take place on the basis of the EU Adequacy Decision for New Zealand (2013/65/EU). Tuya (China, optional) is governed by SCC 2021/914.

11. User Rights

Pursuant to articles 15-22 GDPR, the user may exercise rights of access, rectification, erasure, restriction, portability and objection. Requests may be submitted via the app, or to [email protected].

Complaints to the supervisory authority: Italian Data Protection Authority (Garante).

12. Minors

The App is intended exclusively for adult users (professional managers). It does not knowingly collect data of minors.

13. Changes to the Privacy Policy

This notice may be updated. Changes will be published on this page and, if substantial, communicated by email and dashboard with at least 15 days' notice.

PRIVACY POLICY – VEZPA APP