1. Data Controller
The Data Controller of your personal data is:
- Name: Marius Trica
- Address: Brescia, Italy
- Contact email: tricabit@gmail.com
- Certified email (PEC): mariustrica@pec.it
For any request related to the processing of your personal data, please write to the email above. No Data Protection Officer (DPO) has been appointed, as the conditions of mandatory appointment under Article 37 GDPR are not met.
2. In plain language
Before the formal clauses, we openly state that:
- we do not sell your data to third parties;
- we do not profile you nor perform behavioural marketing;
- we do not train AI models on the contents of the files you upload;
- we do not use profiling cookies nor third-party analytics — only strictly necessary technical cookies;
- we delete the contents of uploaded files immediately after generating the report;
- we share your data only with the sub-processors strictly required to operate the service (authentication, email, hosting), listed in section 7.
3. What data we process
- Registration and account data handled through the Clerk authentication provider: email address, account unique identifier, any data associated with your chosen sign-in method (e.g. display name, profile picture if granted via social login), registration date and last access date.
- Browsing data and technical logs: IP address, browser user agent, request timestamps, session identifiers, application logs needed for security, diagnostics and abuse prevention.
- Content of uploaded files: the package.json and lock files (package-lock.json, yarn.lock, pnpm-lock.yaml) you decide to upload to obtain the report. Such files may contain references to private packages, corporate repositories or other information potentially attributable to third parties: it is your responsibility to ensure you have the right to upload them (see the Terms of Service).
- Transactional emails: destination email address, report content, delivery outcome.
We do not process special categories of personal data under Article 9 GDPR nor data relating to criminal convictions (Article 10 GDPR).
4. Purposes and legal bases
| # | Purpose | Legal basis (GDPR) | Data involved |
|---|---|---|---|
| a | Account creation and management, service delivery (file analysis, report generation and display) | Art. 6.1.b — performance of a contract to which you are a party | Account data, file content, report data |
| b | Email delivery of the report and service-related communications strictly connected to the service (e.g. signup confirmation, password reset, security notices) | Art. 6.1.b — performance of a contract | Email, account data, report content |
| c | Platform security, abuse/fraud/attack prevention, technical diagnostics | Art. 6.1.f — legitimate interest of the Controller in ensuring integrity and availability of the service | IP, technical logs, session identifiers |
| d | Compliance with legal obligations (e.g. requests from Judicial Authorities, exercise of data subject rights, recordkeeping) | Art. 6.1.c — legal obligation | Strictly necessary data |
| e | Possible defence in court, establishment or exercise of a legal right | Art. 6.1.f — legitimate interest | Strictly necessary data |
We do not use your data for marketing, profiling, scoring, automated decision-making under Article 22 GDPR, nor to train AI systems.
5. Mandatory or optional data provision
Providing the first three categories of data listed in section 3 (account data, browsing data and technical logs, content of uploaded files) is required to deliver the service: without an account and without the upload of files it is technically impossible to generate the report. Refusal makes use of the service impossible.
Providing additional, optional data (e.g. profile picture, display name) is free and does not affect the usability of the service.
6. Retention periods
We apply the principle of storage limitation (Art. 5.1.e GDPR). Retention is as follows:
- Content of uploaded files (package.json, lock files): deleted immediately at the end of processing and report delivery.
- Structured data derived from the analysis (dependency lists, report outcomes) saved in the account: retained until account deletion or until your specific deletion request.
- Account data: retained for the duration of the contractual relationship and deleted within 30 days of account deletion, save for legal obligations.
- Transactional emails: delivery metadata (recipient, date, outcome) are retained for up to 12 months.
- Technical and security logs: retained for up to 12 months from collection.
- Data retained for legal obligations or court defence: retained for the period prescribed by applicable law.
7. Recipients of your data
Your data are processed by the Controller and authorized personnel. To deliver the service we rely on the following data processors (sub-processors) under Article 28 GDPR, with whom a Data Processing Agreement (DPA) has been signed:
| Provider | Role | Location | Extra-EU transfer |
|---|---|---|---|
| Clerk, Inc. | Authentication and account management | United States | Yes — see section 8 |
| Resend | Transactional email delivery | United States | Yes — see section 8 |
| DigitalOcean | Web and database hosting infrastructure | United States | Yes — see section 8 |
| npm, Inc. / GitHub, Inc. | Querying public npm Registry APIs to retrieve package metadata (no personal identifying data is transmitted) | United States | Limited to package technical metadata |
We do not share your data with other third parties, except for:
- legitimate requests from Public or Judicial Authorities;
- defence in court of our rights;
- your explicit consent, where required.
We do not sell, transfer or license your personal data to third parties for commercial purposes.
8. Extra-EU transfers
Some of our processors (in particular Clerk, Resend and DigitalOcean) are located in the United States or process data on infrastructure outside the European Economic Area.
The transfer takes place on the basis of one or more of the following safeguards under Chapter V GDPR:
- EU-U.S. Data Privacy Framework adherence (EU Commission adequacy decision of 10 July 2023), where the provider is certified;
- Standard Contractual Clauses (SCC) approved by the EU Commission with Decision (EU) 2021/914;
- additional technical and organisational measures (e.g. encryption, pseudonymisation) where needed to ensure a level of protection essentially equivalent to that of the EU.
You can request a copy of the safeguards applied by writing to the Controller's email.
9. Your rights
As a data subject you may exercise at any time the rights provided by Articles 15-22 GDPR:
- Access to your personal data and processing information (Art. 15);
- Rectification of inaccurate or incomplete data (Art. 16);
- Erasure ("right to be forgotten") in the cases of Art. 17;
- Restriction of processing (Art. 18);
- Portability of your data in a structured, commonly used and machine-readable format (Art. 20);
- Objection to processing based on legitimate interest (Art. 21);
- Not to be subject to decisions based solely on automated processing, including profiling (Art. 22);
- Withdrawal of consent at any time, where applicable.
To exercise your rights, write to the Controller's email in section 1. We will respond within one month of receipt, save for justified extensions under Art. 12 GDPR.
Right to lodge a complaint. You also have the right to lodge a complaint with the Italian Data Protection Authority (Piazza Venezia 11, 00187 Rome — website: www.garanteprivacy.it) or with the supervisory authority of the EU Member State where you habitually reside, work or where the alleged infringement occurred (Art. 77 GDPR).
10. Automated decision-making and profiling
We do not carry out processing activities that produce legal effects on the data subject or similarly significantly affect them based solely on automated processing under Art. 22 GDPR. We do not profile.
The automated analysis of files you upload is performed only to generate the requested report and does not entail any evaluation of you as a person.
11. Data security
We adopt appropriate technical and organisational measures under Art. 32 GDPR to protect data from unauthorized access, loss, alteration or destruction. In particular:
- data transmission over HTTPS/TLS;
- deletion of uploaded files immediately after processing;
- backend system access limited to authorized and tracked personnel;
- use of qualified providers applying recognized security standards.
In the event of a personal data breach we will fulfil notification obligations under Articles 33 and 34 GDPR.
12. Changes to this notice
We may update this notice to reflect regulatory, technological or organisational changes. Material changes will be communicated via email to the address linked to the account and/or by a visible notice on the website, with at least 15 days' notice before they take effect, unless the change is imposed by law within a shorter timeframe.