Privacy policy

Welcome to the privacy and data processing page of UfficioCertificati. By using our services, you entrust us with your information. This page describes our privacy rules to help you understand how we collect, use, and share your data. The privacy policy is very important, and we hope you read it carefully.

1. Data Controller

The Data Controller for the personal data collected through the Platform www.ufficiocertificati.com is Claudio Arena, who can be reached at the following addresses:

E-mail: info@ufficiocertificati.it
PEC (Certified E-mail): ufficiocertificati@legalmail.it
Registered office: via Lombardia 12 - 98124 Messina

2. Personal data collected

The Controller collects the following categories of personal data:

2.1 Data provided directly by the user

During registration, request for a Service, or contact with the Controller, the user voluntarily provides data including: first and last name, tax code (fiscal code/equivalent), residential address, e-mail address, and telephone number. For Services involving third parties (e.g., a family member), the Customer also provides the identification data of the person to whom the requested document refers — first name, last name, date and place of birth.

The data may be collected via: registration form, Service request form, contact form, support chat, messaging services (e.g., WhatsApp), phone, or e-mail.

2.2 Data collected automatically during navigation

While browsing the site, technical data is automatically collected, including: IP address, browser type and device used, operating system, pages visited, duration of the visit, and approximate geographical location. These data are collected through cookies, web beacons, and similar tracking technologies, in compliance with the site's Cookie Policy.

2.3 Data collected through social networks

If the user interacts with the Controller's social profiles (Facebook, Instagram, LinkedIn, YouTube) or uses the sharing buttons on the site, data may be collected according to the respective privacy policies of the social platforms.

2.4 Sensitive data

The Controller does not intentionally collect or process special categories of personal data under Art. 9 of the GDPR (data concerning health, ethnic origin, political opinions, etc.). Should such data incidentally emerge in the context of a requested document, they will be processed exclusively for the purposes strictly necessary to execute the Service and based on the conditions set out in Art. 9, paragraph 2, of the GDPR.

3. Purposes of processing and legal bases

The collected personal data are processed for the following purposes:

3.1 Provision of Services — legal basis: performance of a contract (Art. 6.1.b GDPR)

Data are processed to manage Orders, execute the requested Services (obtaining certificates, apostilles, sworn translations), communicate with the Customer regarding the progress of the procedures, deliver the obtained documents, and manage any refunds or disputes.

3.2 Tax and legal compliance — legal basis: legal obligation (Art. 6.1.c GDPR)

Billing data and accounting information are kept for tax and accounting compliance required by Italian law (D.P.R. 600/1973, D.P.R. 633/1972 and subsequent amendments). Data are kept for the period required by law, even after the termination of the contractual relationship.

3.3 Security and fraud prevention — legal basis: legitimate interest (Art. 6.1.f GDPR)

Navigation data and certain information about the Order are processed to prevent, detect, and counter fraud, unlawful use of the Platform, and security breaches. The Controller's legitimate interest is to ensure the integrity of the Platform and the security of all users.

3.4 Platform improvement — legal basis: legitimate interest (Art. 6.1.f GDPR)

Navigation data collected through analytics tools (Google Analytics 4 configured in anonymized mode, Google Tag Manager) are used to analyze user behavior on the Platform and improve the user experience.

3.5 Newsletter and commercial communications — legal basis: consent (Art. 6.1.a GDPR)

With the user's explicit consent, contact data are used to send newsletters, updates on new Services, articles, and guides. Consent is entirely optional and can be revoked at any time by clicking the unsubscribe link present in each communication, or by contacting the Controller at info@ufficiocertificati.it.

3.6 Management of comments and reviews — legal basis: consent (Art. 6.1.a GDPR)

Should the user publish a comment on the blog or a review of a Service, the data provided (name, e-mail) are processed for the publication and management of the contribution.

4. Data retention period

Personal data are kept for the time strictly necessary to achieve the purposes for which they were collected, in compliance with the principles of minimization and storage limitation set out in the GDPR:

  • Contractual and Order data: for the entire duration of the contractual relationship and for 10 years following its conclusion, in compliance with tax and civil obligations.
  • Billing data: 10 years from the date of issuance of the tax document, according to Italian tax law (D.P.R. 600/1973, Art. 22 and D.P.R. 633/1972, Art. 39).
  • Navigation data and technical logs: maximum 12 months, except when required for the investigation of crimes or offenses.
  • Newsletter data: until the user revokes consent.
  • Account data: until the user deletes the account, except for data whose retention is required by law.

5. Data sharing and communication

Personal data are not sold to third parties. However, they may be communicated, to the extent strictly necessary, to the following categories of recipients:

5.1 Third-Party Professionals entrusted with Services

For the execution of Extra Services (sworn translations), the Customer's data and the document to be translated are shared with the appointed sworn translator.

5.2 Public bodies and archives

For the execution of the Basic Service, the identification data of the person to whom the document refers are communicated to the Municipality (Comune), the State Archive, or the competent parish archive, to the extent necessary to fulfill the request.

5.3 Technology service providers

The Controller uses third-party providers for the provision of technological services (hosting, e-mail, payments, analytics). The updated list of providers is found in Art. 7.

5.4 Professional consultants

Data may be shared with accounting firms, legal firms, or other professionals providing consulting to the Controller, to the extent strictly necessary and subject to confidentiality obligations.

5.5 Judicial and supervisory authorities

Data may be communicated to the Judicial Authority, Law Enforcement Agencies, the Data Protection Authority, or other public authorities, if required by law or by order of the competent authority.

6. Data transfer outside the European Union

The collected data are processed predominantly within the European Union. Some third-party providers used by the Controller (indicated in Art. 7) are based or process data in the United States or other countries outside the EU. For more information on transfers and safeguards adopted by each provider, please refer to their respective Privacy Policies indicated in Art. 7.

7. Third-party providers

Below is a list of the main third-party providers used by the Controller, indicating the service provided, headquarters, and a link to the respective Privacy Policy.

7.1 Hosting and Web Platform

Shopify (Shopify Inc.)
Service: E-commerce platform, CMS, and managed hosting (including CDN, security, and server infrastructure)
Headquarters: Canada (with infrastructure and operational headquarters also in the United States and other countries)
Privacy Policy: https://www.shopify.com/legal/privacy

Google Fonts (Google LLC)
Service: Typographic font display service
Headquarters: United States
Privacy Policy: https://policies.google.com/privacy

7.2 Payments

Shopify Payments (Shopify Inc.)
Service: Card payment processing and online transaction management
Headquarters: Canada (with infrastructure and operational headquarters also in the United States and other countries)
Privacy Policy: https://www.shopify.com/legal/privacy

The Controller does not acquire or store payment card data. These data are processed exclusively by Stripe Inc. in a secure and PCI-DSS certified environment.

7.3 Communications and messaging

Gmail (Google LLC)
Service: E-mail service
Headquarters: United States
Privacy Policy: https://policies.google.com/privacy

Aruba S.p.A.
Service: E-mail hosting and cloud services
Headquarters: Italy
Privacy Policy: https://www.aruba.it/documenti/italiano/pdf/informativa-privacy-aruba.aspx

Microsoft Corporation
Service: Document and database management (Microsoft 365)
Headquarters: United States
Privacy Policy: https://privacy.microsoft.com/it-it/privacystatement

WhatsApp LLC (Meta Platforms)
Service: Customer support messaging
Headquarters: United States
Privacy Policy: https://www.whatsapp.com/legal/privacy-policy-eea

7.4 Newsletter and communications

Mailchimp (The Rocket Science Group LLC)
Service: Sending newsletters and e-mail communications
Headquarters: United States
Privacy Policy: https://mailchimp.com/legal/privacy/

MailerLite (UAB MailerLite)
Service: Sending newsletters and e-mail communications
Headquarters: Lithuania / EU
Privacy Policy: https://www.mailerlite.com/legal/privacy-policy

Subscription to the newsletter is optional. To unsubscribe, simply click on the 'Unsubscribe' link at the bottom of every e-mail received, or contact the Controller at info@ufficiocertificati.it.

7.5 Analytics and digital marketing

Google Analytics 4 (Google LLC)
Service: Analysis of user traffic and behavior on the site (configured in anonymized mode)
Headquarters: United States
Privacy Policy: https://policies.google.com/privacy

The user can opt out of Google Analytics tracking by installing the browser add-on available at: https://tools.google.com/dlpage/gaoptout

Google Tag Manager (Google LLC)
Service: Centralized management of tracking tags
Headquarters: United States
Privacy Policy: https://policies.google.com/privacy

Microsoft Clarity (Microsoft Corporation)
Service: Analysis of user behavior on the website (heatmaps, session recordings, interactions)
Location: United States
Privacy Policy: https://privacy.microsoft.com/privacystatement

Microsoft Clarity is used to analyze user behavior on the Platform through tools such as heatmaps, session recordings and interaction metrics.

The service collects technical data (browser, device, operating system, screen resolution, pages visited, mouse movements, clicks, scrolls) and an IP address processed by Microsoft solely for approximate geolocation and subsequently anonymized.

Clarity automatically applies masking techniques (PII masking) to prevent the recording of identifiable personal data.

Processing takes place only after the user has given consent, collected through the cookie banner displayed on the site. If consent is not provided, the script is not loaded.

Data may be processed on servers located in the United States. Microsoft adheres to the Standard Contractual Clauses (SCCs) and provides adequate safeguards pursuant to Articles 44–49 of the GDPR.

Google Ads — Conversions (Google LLC)
Service: Measurement and optimization of advertising campaigns
Headquarters: United States
Privacy Policy: https://policies.google.com/privacy

The user can disable Google ad personalization by accessing the ad settings: https://adssettings.google.com/

7.6 Social networks

The site integrates link buttons to the Controller's social profiles and sharing buttons. The social networks involved are: Facebook, Instagram, LinkedIn, and YouTube (Meta Platforms / Google LLC).

8. Cookie Policy

What are cookies?

How do we use cookies?

Types of cookies used

| Cookie name | Provider | Purpose | Duration | Type |
| --- | --- | --- | --- | --- |
| _shopify_y | Shopify | Identifies the user and supports essential site functions. | 1 year | Technical / first-party |
| _shopify_s | Shopify | Identifies the user session. | 30 minutes | Technical / first-party |
| _shopify_m | Shopify | Manages privacy and consent settings. | 1 year | Technical / first-party |
| _shopify_country | Shopify | Stores the user’s country to display correct content. | Session | Technical / first-party |
| secure_customer_sig | Shopify | Secure authentication for registered customers. | 1 year | Technical / first-party |
| cart | Shopify | Stores the shopping cart content. | 2 weeks | Technical / first-party |
| cart_currency | Shopify | Stores the cart currency. | 2 weeks | Technical / first-party |
| cart_sig | Shopify | Verifies cart integrity and prevents fraud. | 2 weeks | Technical / first-party |
| _ga | Google Analytics | Distinguishes unique users. | 2 years | Analytics / third-party |
| _ga_XXXXXX | Google Analytics | Session identification for specific properties. | 2 years | Analytics / third-party |
| _gid | Google Analytics | Distinguishes users within 24 hours. | 24 hours | Analytics / third-party |
| _gat | Google Analytics | Limits request rate. | 1 minute | Analytics / third-party |
| | Google Tag Manager | Does not set cookies; manages tags that may set cookies. | | |
| _gcl_au | Google Ads | Measures advertising conversions. | 3 months | Marketing / third-party |
| _gcl_aw | Google Ads | Tracks conversions after clicking a Google ad. | 3 months | Marketing / third-party |
| IDE | Google (DoubleClick) | Measures ad effectiveness and personalizes ads. | 1 year | Marketing / third-party |
| test_cookie | Google (DoubleClick) | Checks if the browser supports cookies. | 15 minutes | Technical / third-party |
| _clck | Microsoft Clarity | Identifies unique users and stores visit information. | 1 year | Analytics / third-party |
| _clsk | Microsoft Clarity | Connects pages viewed in a single session. | 1 day | Analytics / third-party |

Manage cookie preferences

You can change your cookie settings at any time by clicking the "Consent Preferences" button above. This will let you revisit the cookie consent banner and change your preferences or withdraw your consent right away.

In addition to this, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block/delete the cookies. Below are the links to the support documents on how to manage and delete cookies from the major web browsers.

Chrome: https://support.google.com/accounts/answer/32050

Safari: https://support.apple.com/en-in/guide/safari/sfri11471/mac

Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectslug=delete-cookies-remove-info-websites-stored&redirectlocale=en-US

Internet Explorer: https://support.microsoft.com/en-us/topic/how-to-delete-cookie-files-in-internet-explorer-bca9446f-d873-78de-77ba-d42645fa52fc

If you are using any other web browser, please visit your browser's official support documents.

9. Data security

The Controller adopts adequate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or accidental disclosure, in compliance with Art. 32 of the GDPR. In particular:

  • The site uses the HTTPS protocol with an SSL/TLS certificate for secure data transmission
  • Access to internal systems is protected by credentials and secure authentication
  • Data are stored on servers with adequate physical and logical security measures
  • Third-party providers are also selected based on the security guarantees they offer and are contractually bound to comply with high protection standards
  • Periodic checks are carried out on the effectiveness of the implemented security measures

10. Data subjects' rights

EU Regulation 2016/679 (GDPR) grants data subjects the following rights, which can be exercised at any time by contacting the Controller at the addresses indicated in Art. 1:

Right of access (Art. 15 GDPR): obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the data and information regarding the processing (purposes, categories of data, recipients, retention period, etc.).

Right to rectification (Art. 16 GDPR): obtain the correction of inaccurate personal data or the completion of incomplete data.

Right to erasure / right to be forgotten (Art. 17 GDPR): obtain the erasure of your personal data in cases provided by law (e.g., data no longer necessary, withdrawal of consent, unlawful processing, legal obligation to erase), unless there are legitimate reasons requiring their retention (e.g., legal obligations, investigation of crimes).

Right to restriction of processing (Art. 18 GDPR): obtain restriction of processing in certain cases provided by law (e.g., contesting the accuracy of the data, unlawful processing but opposing erasure, need for retention to establish rights in court proceedings).

Right to data portability (Art. 20 GDPR): receive your personal data in a structured, commonly used and machine-readable format, and transmit them to another controller, where technically feasible, whenever the processing is based on consent or a contract and is carried out by automated means.

Right to object (Art. 21 GDPR): object at any time to the processing of your personal data for direct marketing purposes (including profiling) or for reasons related to your particular situation, when the processing is based on the legitimate interest of the Controller.

Right to withdraw consent: withdraw at any time the consent given for purposes requiring consent (newsletter, marketing cookies), without affecting the lawfulness of processing based on consent before its withdrawal.

How to exercise your rights

Requests can be sent:
– By e-mail to: info@ufficiocertificati.it
– By PEC to: ufficiocertificati@legalmail.it
– By regular mail to the registered office address

The Controller will provide an initial response to the request within 48 business hours. The final response will be provided within one month of receipt of the request, in accordance with Art. 12, paragraph 3, of the GDPR. This period may be extended by two further months in cases of particular complexity or a high number of requests; in this case, the Controller will inform the data subject of the extension and the reasons for the delay within one month of the request.

11. Further Information

We remind you that this policy may be subject to change, so we invite you to visit this page regularly. For more information, you can contact us at the following e-mail address: info@ufficiocertificati.it.

We also invite you to read the terms and conditions of the service, in addition to the frequently asked questions.