LEGAL DOCUMENT
VERSION
2026-06-03
SHA-256 DOCUMENT HASH
f6b8dc0c159be40850436b3807f3b60c764c2d46ba113a6567873f0e5548c0ab
PRIVACY POLICY — Q-PASS IDENTITY CLEARANCE
Version: 2026-06-03
Effective Date: June 3, 2026
Data Controller: Giardino di Roa S.R.L.
Contact: privacy@giardinodiroa.com
EU Representative: privacy@giardinodiroa.com
─────────────────────────────────────────────────────────────────────────────
1. OVERVIEW
─────────────────────────────────────────────────────────────────────────────
This Privacy Policy explains how Giardino di Roa S.R.L. ("we", "us")
collects, uses, and protects your personal data when you use Q-Pass.
It complies with:
• EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
• California Consumer Privacy Act (CCPA) / CPRA
• Brazil Lei Geral de Proteção de Dados (LGPD)
• Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
• UK GDPR (post-Brexit)
• Other applicable national privacy laws
─────────────────────────────────────────────────────────────────────────────
2. DATA WE COLLECT
─────────────────────────────────────────────────────────────────────────────
2.1 IDENTITY DATA
• Email address (required for authentication)
• First name, last name (collected at profile setup)
• Username (unique handle)
• Phone number and country code (optional)
2.2 AUTHENTICATION DATA
• Magic.link issuer DID and public wallet address
• WebAuthn credential identifiers (for passkey/Face ID users)
• Authentication method (magic link or WebAuthn)
2.3 DEVICE AND TECHNICAL DATA
• IP address
• Browser user agent string
• Device fingerprint: canvas rendering hash, screen resolution
and DPI, timezone, browser language, color depth, CPU core count,
approximate device memory, touch capability, platform identifier
• Session identifiers
2.4 LOCATION DATA
• Country and city (derived from IP via ipapi.co)
• Approximate latitude and longitude
2.5 CONSENT RECORDS
• Timestamp of Terms of Service and Privacy Policy acceptance
• SHA-256 hash of the document versions accepted
• Device fingerprint and IP at time of consent
• This data is retained as a legal record and cannot be deleted
upon request due to our legal obligations under ESIGN/eIDAS.
2.6 ACTIVITY DATA
• Login events: method, time, location, device
• Common login locations (aggregated, top locations by frequency)
─────────────────────────────────────────────────────────────────────────────
3. LEGAL BASIS FOR PROCESSING (GDPR)
─────────────────────────────────────────────────────────────────────────────
• Contractual necessity (Art. 6(1)(b)): Processing your identity data
to provide the authentication service.
• Legal obligation (Art. 6(1)(c)): Consent records retained to
demonstrate compliance with ESIGN, UETA, and eIDAS.
• Legitimate interests (Art. 6(1)(f)): Device fingerprinting for
fraud prevention and consent attribution. Security logging.
• Consent (Art. 6(1)(a)): Where explicitly obtained, for optional
features.
─────────────────────────────────────────────────────────────────────────────
4. DEVICE FINGERPRINTING
─────────────────────────────────────────────────────────────────────────────
Q-Pass collects a device fingerprint when you authenticate. This fingerprint
is used solely to:
(a) Link your consent record to your specific device at the time of signing
(b) Detect unauthorized access from unrecognized devices
(c) Support law enforcement or legal proceedings if required
Device fingerprinting data is treated as personal data under GDPR. The legal
basis is legitimate interest (fraud prevention, legal evidence) and, where
required, explicit consent given through the acceptance checkbox.
─────────────────────────────────────────────────────────────────────────────
5. DATA SHARING
─────────────────────────────────────────────────────────────────────────────
We do not sell your personal data. We may share data with:
• Magic.link (Fortmatic Inc.): authentication infrastructure
• Turso (ChiselStrike Inc.): encrypted database hosting
• ipapi.co: IP geolocation (IP address transmitted; no PII stored by them)
• Legal authorities: when required by valid legal process, court order,
or applicable law
─────────────────────────────────────────────────────────────────────────────
6. DATA RETENTION
─────────────────────────────────────────────────────────────────────────────
• Active user accounts: retained while account is active
• Consent records: minimum 7 years (legal compliance)
• Login event logs: 2 years rolling
• Deleted accounts: anonymized within 30 days, consent records retained
per legal obligation
─────────────────────────────────────────────────────────────────────────────
7. YOUR RIGHTS
─────────────────────────────────────────────────────────────────────────────
Depending on your jurisdiction, you may have the right to:
• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure ("right to be forgotten"): Delete your account and personal data,
subject to legal retention obligations (consent records are exempt)
• Portability: Receive your data in machine-readable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request limited processing in certain circumstances
• Withdraw consent: Where processing is based on consent
CCPA/CPRA rights (California residents): right to know, delete, correct,
opt-out of sale (we do not sell data), and non-discrimination.
To exercise any right, contact: privacy@giardinodiroa.com
─────────────────────────────────────────────────────────────────────────────
8. INTERNATIONAL TRANSFERS
─────────────────────────────────────────────────────────────────────────────
Your data may be processed in the United States and other countries.
For EU/UK data subjects, transfers to third countries are covered by
Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
─────────────────────────────────────────────────────────────────────────────
9. SECURITY
─────────────────────────────────────────────────────────────────────────────
We implement AES-256 encryption at rest, TLS 1.3 in transit, and
access controls limiting personnel access to personal data. No system
is 100% secure; notify us at security@giardinodiroa.com of any suspected breach.
─────────────────────────────────────────────────────────────────────────────
10. COOKIES AND TRACKING
─────────────────────────────────────────────────────────────────────────────
Q-Pass uses one session cookie (gdr-session) that is strictly necessary
for authentication. No advertising or analytics cookies are set.
No third-party trackers are loaded.
─────────────────────────────────────────────────────────────────────────────
11. CHILDREN
─────────────────────────────────────────────────────────────────────────────
Q-Pass is not directed to persons under 16. If you believe a minor has
registered, contact privacy@giardinodiroa.com for immediate deletion.
─────────────────────────────────────────────────────────────────────────────
12. CHANGES
─────────────────────────────────────────────────────────────────────────────
We will notify you of material changes by email. The updated Policy takes
effect on the date shown at the top. Continued use constitutes acceptance.
─────────────────────────────────────────────────────────────────────────────
13. SUPERVISORY AUTHORITY
─────────────────────────────────────────────────────────────────────────────
EU/UK residents have the right to lodge a complaint with your local data
protection authority. In the EU, this is the supervisory authority in your
Member State. In the UK, it is the Information Commissioner's Office (ICO).
─────────────────────────────────────────────────────────────────────────────
14. CONTACT
─────────────────────────────────────────────────────────────────────────────
Giardino di Roa S.R.L.
Data Protection Officer: privacy@giardinodiroa.com
Website: https://giardinodiroa.comThis document is cryptographically versioned. The SHA-256 hash above uniquely identifies the exact text you are reading. To verify: compute SHA-256 of the document body (UTF-8 encoded) and compare against the hash displayed above and stored in your consent record.