Privacy Policy
Last updated: June 18, 2026
This policy describes how Plinthos processes the personal data of users of the mobile app, the web app and the plinthos.app website, under Regulation (EU) 2016/679 ("GDPR").
1. Data controller
The data controller is Annunziato Cocciolo, based at Via Maiorana, 21, Italian tax code CCCNNZ93M09C710Y.
For any request regarding the processing of personal data, you can contact the controller at annunziatoco@gmail.com.
2. Categories of data collected
2.1 Registration and profile data
- Email address (required)
- First and last name
- Phone number (optional)
- Tax code (Landlords only, optional)
- Profile photo (optional)
- Role (Landlord or Tenant) and country of operation
2.2 Authentication data
- Password (stored only as a bcrypt hash; the controller has no access to it)
- For Google sign-in: Google identifier and associated email address
- Session and refresh tokens
2.3 App usage data (Landlords)
- Managed apartment data (name, city, address, size)
- Room and bed data
- Tenant data entered by the Landlord (name, phone, email, optional tax code, contract dates, rent, deposit)
- Payment history and uploaded receipts
- Bill data (amounts, periods, photos)
- Messages sent in chats
- Uploaded and shared documents
- Deadlines entered
2.4 App usage data (Tenants)
- Association to a room via invite code
- Payment history for rent and bill shares
- Uploaded payment receipts
- Messages sent in chats
2.5 Payment data
Plinthos does NOT collect or store credit-card details. Subscriptions bought from the mobile app are handled through Apple's App Store and the Google Play Store, using RevenueCat to validate transactions. Subscriptions bought from the web app are handled by Paddle.com Market Limited as Merchant of Record. Plinthos receives only the subscription status (active, expired, trial) and limited transaction metadata.
2.6 Technical and notification data
- Push notification tokens (Expo Push Token / FCM)
- Device identifier (for trial anti-fraud)
- Device language and notification preferences
- App and operating-system version
2.7 Diagnostic data
Where enabled, Plinthos uses error-diagnostics tools (Sentry) and product analytics (PostHog) to improve the service. Such data is processed in aggregated or pseudonymised form and does not include sensitive content such as messages or documents.
3. Purposes and legal bases
- Providing the service (performance of a contract — Art. 6.1.b GDPR): account creation and management; management of apartments, rooms, tenancies, payments, bills, messages.
- Accounting and tax obligations (legal obligation — Art. 6.1.c GDPR): retention of payment receipts and contract data within statutory limits.
- Subscription management (performance of a contract — Art. 6.1.b GDPR): via RevenueCat and Paddle to validate purchases and renewals.
- Operational notifications (contract and legitimate interest — Art. 6.1.b and f GDPR): push notifications and transactional emails (e.g. new payment, upcoming deadline).
- Service communications (legitimate interest — Art. 6.1.f GDPR): communications about app usage, trial expiry, payment issues.
- Product improvement (legitimate interest — Art. 6.1.f GDPR): anonymous usage analysis to improve features and experience.
- Security and fraud prevention (legitimate interest — Art. 6.1.f GDPR): protection against trial abuse and malicious use.
- Legal compliance (legal obligation — Art. 6.1.c GDPR): responding to requests from competent authorities.
4. Processing methods
Data is processed with electronic tools and on access-protected servers. Passwords are stored as bcrypt hashes. Client-server communications use TLS 1.3. Data access is governed by Row Level Security (RLS) at the database level: each user can access only their own data.
5. Retention period
- Active accounts: data is retained for the duration of the contractual relationship.
- Account deletion: on a deletion request, data is immediately soft-deleted; after 30 days it is permanently deleted (hard-delete). Within that period you can request a data export in JSON format.
- Former tenants: after a contract ends, access data stays available for 30 days in read-only mode. After 12 months, identifying personal data (name, phone, email) is anonymised, keeping only accounting data required by tax obligations.
- Accounting and tax data: retained for 10 years as required by Italian law (Art. 2220 of the Civil Code).
- Diagnostic data: 90 days, in aggregated form.
- Security logs: 180 days.
6. Recipients and processors
Data is processed solely by the Controller and by the following providers, appointed as data processors under Art. 28 GDPR:
- Supabase Inc. (USA, EU servers — Frankfurt) — backend infrastructure, database, authentication, storage and realtime. supabase.com/privacy
- RevenueCat, Inc. (USA) — subscription management and validation. revenuecat.com/privacy
- Paddle.com Market Limited (UK/EU) — Merchant of Record and payment processing for web purchases. paddle.com/legal/privacy
- Apple Inc. (USA / Ireland) — App Store, Apple Sign In, APNS notifications. apple.com/legal/privacy
- Google LLC (USA / Ireland) — Google Play Store, Google Sign In, Firebase Cloud Messaging (FCM) for push notifications. policies.google.com/privacy
- Expo Inc. (USA) — push-notification delivery service. expo.dev/privacy
- Resend (USA) — transactional email delivery. resend.com/legal/privacy-policy
- PostHog Inc. (EU servers) — product analytics, if enabled. posthog.com/privacy
- Sentry / Functional Software Inc. (USA, EU option) — crash monitoring, if enabled. sentry.io/privacy
- Cloudflare, Inc. (USA) — hosting of plinthos.app, DDoS protection and CDN. cloudflare.com/privacypolicy
- Google Ireland Ltd. (Ireland / USA) — Google Analytics 4, website usage statistics. Activated only with consent via the cookie banner (Consent Mode v2). policies.google.com/privacy
7. Transfers outside the EU
Some providers listed above are based in the United States. Transfers of personal data outside the European Economic Area (EEA) take place under one of the safeguards provided by the GDPR:
- European Commission adequacy decision (e.g. the EU-US Data Privacy Framework for certified providers);
- Standard Contractual Clauses ("SCC") approved by the European Commission;
- Supplementary technical encryption measures.
Structured data (main database, receipts, documents) is stored on servers located in the European Union (Supabase, Frankfurt region).
8. Your rights
At any time you may exercise the rights under Arts. 15-22 GDPR:
- Right of access (Art. 15): obtain confirmation of, and a copy of, the data processed;
- Right to rectification (Art. 16): correction of inaccurate or incomplete data;
- Right to erasure / "right to be forgotten" (Art. 17): deletion of data in the cases provided;
- Right to restriction (Art. 18): restriction of processing in specific cases;
- Right to portability (Art. 20): receive your data in a structured, machine-readable format (JSON) and transmit it to another controller;
- Right to object (Art. 21): object to processing based on legitimate interest;
- Right to withdraw consent: where processing is based on consent, at any time, without affecting the lawfulness of processing carried out before withdrawal.
How to exercise your rights
Data export and account deletion are available directly in the app, in the Settings section. You can also exercise your rights at any time by writing to the controller at annunziatoco@gmail.com. The controller responds within 30 days of receiving the request.
9. Complaint to the supervisory authority
You always have the right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) under Art. 77 GDPR, or with your local supervisory authority, if you believe your data is processed in breach of the Regulation.
10. Data security
Plinthos adopts appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or alteration:
- Encryption in transit (TLS 1.3) and at rest for sensitive data;
- Row Level Security (RLS) at the database level to isolate data between users;
- Token authentication with expiry and refresh;
- Restricted access to production systems via individual credentials and MFA;
- Audit logging of sensitive operations;
- Security-event monitoring and alerts on anomalous activity.
11. Minors
Plinthos is not intended for individuals under 16 and does not knowingly collect their personal data. A parent or guardian who becomes aware that a minor has provided personal data can contact the controller to have it deleted.
12. Changes to this policy
The controller may amend this policy at any time, giving notice to users via in-app notification or publication on plinthos.app/en/privacy. Material changes will be communicated with reasonable notice. The last-updated date is shown at the top of this document.
13. Contact
For any information or request regarding this policy, write to annunziatoco@gmail.com.