⚠ This is a translated version for international readers. The legally binding version is the Italian original.
Legal document · Privacy notice

Privacy Policy · processing of your data

Operational draft. This document is complete in content but must be reviewed by legal counsel before publication in production, in particular the fields between [brackets] which require real data (TUTTUU legal name, VAT number, registered office, DPO contacts where applicable).
Table of contents
  1. Data controller
  2. Definitions
  3. Categories of data processed
  4. Purposes and legal basis
  5. Methods of processing
  6. Data retention period
  7. Data recipients
  8. Transfers outside the EU
  9. Your rights
  10. Cookies and similar technologies
  11. Data security
  12. Changes to this notice

01 Data controller

The data controller for personal data collected through the website wpsonar.tuttuu.it and the WPSonar service is [TUTTUU legal name · e.g. TUTTUU S.r.l.], with registered office at [full address], VAT number [xxxxxxxxxxx], Tax code [xxxxxxxxxxx], registered with the Companies Register of [province] under no. [xxxxxxx].

For any request regarding the processing of your personal data, you may contact us at care@tuttuu.it or by certified email (PEC) at [pec@xxxx.pec.it].

The controller has assessed that the appointment of a Data Protection Officer (DPO) is not mandatory under Article 37 GDPR. For privacy-related requests, the contact above remains available.

02 Definitions

For the purposes of this document, the definitions in Article 4 GDPR apply. In particular:

Personal data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data (collection, recording, storage, consultation, communication, deletion).
Data subject: The natural person to whom the personal data relate (website user, service customer, business client contact).
Data processor: A third party that processes data on behalf of the Controller (e.g. hosting provider, payment gateway, AI suppliers).
Service: WPSonar, the WordPress maintenance and monitoring service provided by TUTTUU.

03 Categories of data processed

3.1 Contact and qualification data (lead intake)

When you fill out the free audit or contact form we collect: first name, last name, email address, phone number, website URL, company name (where applicable), and the content of your answers to the AI qualification questions.

3.2 Contractual data (active customers)

For customers who activate a subscription we process: billing data (company name, VAT number, tax code, registered office, SDI code or PEC), payment data (handled through the secure gateway Stripe · we do not store card numbers), invoice and payment history, subscribed plan and renewal history.

3.3 Technical credentials of the customer site (operational data)

To deliver the service we ask for the WordPress and/or hosting credentials of the Customer. These are collected through an HTTPS-encrypted form, stored encrypted with AES-256-GCM in our database with a separate key, and auto-revoked after 7 days from the last intervention. They typically include: WordPress admin user, cPanel/SFTP credentials, and any third-party API keys relevant to the service (e.g. Cloudflare).

3.4 Audit log of actions

Every intervention performed on the Customer's site — automated (AI agent) or manual (operator) — is recorded in an append-only audit log: timestamp, action type, hash of pre/post state, outcome, and any rollback. These contain only technical metadata, not third-party data of the Customer.

3.5 Browsing data and technical logs

The site automatically collects: IP address, browser user-agent, access timestamp, pages visited, and referrer. This data is retained in server logs for security, debugging and aggregate statistics purposes.

3.6 Communication data

We retain emails exchanged with the Customer in our mailboxes care@tuttuu.it and related, any AI chatbot conversations for lead qualification, and support tickets.

04 Purposes and legal basis

We process your data for the following purposes, each with its own legal basis under Article 6 GDPR:

Purpose | Legal basis
Service delivery (audit execution, maintenance, backup, monitoring of the Customer site) | Art. 6.1.b — performance of a contract
Response to contact requests, free audit, quotes | Art. 6.1.b — pre-contractual measures at the data subject's request
Tax and accounting compliance (electronic invoicing, invoice retention) | Art. 6.1.c — legal obligation
Site security and abuse prevention (technical logs, malicious IP blocking) | Art. 6.1.f — legitimate interest
Service communications (alert notifications, monthly report, renewal deadlines) | Art. 6.1.b — performance of the contract
Marketing communications (newsletter, product news, case studies) | Art. 6.1.a — revocable consent
Aggregate site traffic statistics | Art. 6.1.f — legitimate interest

05 Methods of processing

Data processing is carried out mainly in automated form, through software tools, and is characterised by:

  • Pseudonymisation where possible (e.g. IP hashing in analytics logs)
  • At-rest encryption for Customer credentials (AES-256-GCM)
  • In-transit encryption for every communication (TLS 1.3)
  • Append-only audit log for every access to sensitive data
  • Minimisation principle: we collect only the data necessary for the stated purpose
  • Automated AI decisions: the system applies technical fixes (cache clear, disabling of plugins known to be buggy, restore from verified backup) autonomously within a safelist of actions pre-authorised by the Customer at contract signing; every action is logged and reversible

06 Data retention period

Data category | Retention period
Lead data not converted to customer | 24 months from the last interaction, then automatic deletion
Active customer data | For the entire duration of the contractual relationship
Technical credentials of the Customer site | Auto-revoked after 7 days from the last intervention; the Customer may request earlier removal at any time
Invoices and accounting documents | 10 years from issue (civil/tax obligation)
AI action audit log | 5 years (forensic relevance in case of dispute)
Server technical logs | 30 days
Customer site backups (encrypted B2) | 30/90/365 days depending on the subscribed plan
Support emails | 3 years from the last communication

07 Data recipients

Your data may be communicated to third parties acting as Data Processors under Article 28 GDPR, on the basis of data processing agreements (DPA). The main ones are:

Provider | Purpose
cPanel hosting [provider] | Hosting of wpsonar.tuttuu.it and application data
Stripe Payments Europe Ltd. | Card payment processing · Stripe DPA
Backblaze B2 (Backblaze Inc., USA) | Encrypted storage of Customer site backups
Anthropic PBC (USA) | Claude API for AI lead qualification, ticket triage and diagnosis · only strictly necessary data
OpenAI / OpenRouter / Groq | Alternative AI providers in the 5-tier routing · transient data only
SMTP provider [Brevo / SendGrid / similar] | Sending transactional emails (alerts, reports, confirmations)
Tax advisor / accountant | Tax compliance · only billing data

Data is never assigned, sold or licensed to third parties for marketing, commercial profiling or other purposes not necessary for the delivery of the service.

08 Transfers outside the EU

Some of our providers (Anthropic, OpenAI, Backblaze) are based in the United States of America. Personal data transfers to these parties take place on the basis of:

  • Standard Contractual Clauses (SCC) of the European Commission (Decision 2021/914)
  • EU-US Data Privacy Framework where the provider adheres to it
  • Supplementary technical measures where applicable (end-to-end encryption, pseudonymisation)

For specific details of each transfer you may request a copy of the contractual clauses at care@tuttuu.it.

09 Your rights

Under Articles 15-22 GDPR you have the right to:

  • Access your personal data and receive a copy thereof (Art. 15)
  • Rectify inaccurate or incomplete data (Art. 16)
  • Erase the data ("right to be forgotten") in the cases provided for by Art. 17
  • Restrict processing in the cases of Art. 18
  • Receive your data in a structured and readable format (portability · Art. 20)
  • Object to processing based on legitimate interest or for marketing purposes (Art. 21)
  • Withdraw consent at any time for processing based on it (Art. 7.3)
  • Not be subject to automated decisions producing significant legal effects (Art. 22) — for AI decisions on the Customer site, a pre-authorised safelist and the possibility of human intervention are always provided

To exercise your rights, write to care@tuttuu.it specifying your request. We will respond within 30 days; for complex requests this period may be extended by a further 60 days, and we will inform you of the reasons for the extension.

If you believe that the processing of your data takes place in violation of the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with another competent supervisory authority.

10 Cookies and similar technologies

The wpsonar.tuttuu.it website uses the following cookies:

  • Technical/session cookies · necessary for operation (authentication, CSRF token, UI preferences). They do not require consent.
  • First-party analytics cookies, anonymised (no cross-site tracking, no Google Analytics). They do not require consent under the Italian Data Protection Authority's measure of May 8, 2014.
  • Third-party cookies · not currently used. Any future additions will be managed via a cookie banner compliant with the Italian Data Protection Authority's Cookie Guidelines (June 2021).

You can disable cookies from your browser settings. Disabling technical cookies may compromise some features of the site.

11 Data security

We adopt technical and organisational measures appropriate to ensure a level of security suited to the risk (Art. 32 GDPR), in particular:

  • Mandatory HTTPS/TLS 1.3 encryption across the entire domain
  • AES-256-GCM at-rest encryption for Customer technical credentials
  • Encryption key stored outside the database, in a server-side env var
  • Daily backup of the CRM database to encrypted off-site storage
  • Append-only audit log on every access to sensitive data
  • Auto-revocation of Customer credentials after 7 days of inactivity
  • Timely security updates on server systems
  • Strong password policies and 2FA for internal operators
  • Procedure for notifying the Italian Data Protection Authority within 72h in case of a data breach (Art. 33)

12 Changes to this notice

We reserve the right to amend this notice to align it with regulatory, organisational or technical developments. Substantial changes will be communicated by email to registered users with a minimum notice of 30 days. The date of last revision is shown at the top of this page.
For any question about this document, the protection of your data, or the exercise of your GDPR rights, write to us at care@tuttuu.it.