Privacy Policy.
This Privacy Policy explains how NexDam ("we", "us", "our") collects, uses, stores and protects personal data when you visit www.nexdam.it, use our services or contact us. We comply with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and applicable Italian data protection law.
1. Data Controller
NexDam
Email: postmaster@nexdam.it
Website: www.nexdam.it
For any privacy-related request you may contact us directly at the address above.
2. Data We Collect
2.1 Data you provide directly
- Account registration: name, email address, company name, phone number, password (stored as a secure hash).
- Contact form: name, email address, selected service, free-text message.
- Project requests: service type, description, budget range, timeline.
- Reviews: name, company (optional), star rating, review text.
2.2 Data collected automatically
- Authentication tokens: session JWTs issued by Supabase Auth, stored only in your browser's local storage.
- Server logs: IP address, browser type, pages visited, timestamp — retained for security purposes by Vercel and Cloudflare infrastructure.
2.3 Data we do NOT collect
- Payment card details (we do not process payments directly).
- Biometric data or sensitive special-category data under Art. 9 GDPR.
- Precise geolocation.
3. Purposes and Legal Basis
- Providing our services (account management, client dashboard, project communication) — legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Responding to enquiries sent via the contact form — legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Sending transactional emails (password reset, project updates, review requests) — legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Security and fraud prevention — legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Publishing reviews (only after your explicit approval) — legal basis: consent (Art. 6(1)(a) GDPR).
4. Data Retention
- Account data: retained for the duration of your account. Deleted within 30 days of a confirmed account deletion request.
- Contact messages: retained for up to 2 years for business correspondence purposes.
- Project data and files: retained for the duration of the contractual relationship plus 5 years for legal and accounting obligations.
- Session tokens: expire automatically as configured in Supabase Auth (default: 1 hour access token, 7 days refresh token).
- Server logs: retained by Vercel/Cloudflare for up to 30 days.
5. Third-Party Processors
We use the following sub-processors. Each has signed a Data Processing Agreement (DPA) with us or provides standard contractual clauses:
- Supabase Inc. (USA) — database and authentication.
- Vercel Inc. (USA) — hosting and serverless functions.
- Cloudflare Inc. (USA) — CDN, DNS and security.
- Resend Inc. (USA) — transactional email delivery.
We do not sell, rent or share your personal data with any third party for marketing purposes.
6. International Data Transfers
Our sub-processors are based in the United States. Transfers are carried out under the EU–US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection as required by Art. 46 GDPR.
7. Your Rights Under GDPR
As a data subject you have the following rights, exercisable free of charge by contacting us at postmaster@nexdam.it:
- Right of access (Art. 15) — obtain a copy of your personal data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — request deletion ("right to be forgotten").
- Right to restriction (Art. 18) — limit how we process your data.
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent — at any time, without affecting prior processing.
We will respond within 30 days. You also have the right to lodge a complaint with the Italian supervisory authority: Garante per la protezione dei dati personali — www.garanteprivacy.it.
8. Cookies and Tracking
We use only strictly necessary cookies and browser storage:
- Supabase Auth tokens — stored in localStorage to maintain your login session. These are not advertising cookies.
- Cloudflare — may set a __cf_bm cookie for bot management. This is a security-essential cookie exempt from consent requirements under ePrivacy rules.
We do not use Google Analytics, Facebook Pixel, or any other third-party tracking or advertising cookies. No cookie banner is shown because no consent-requiring cookies are set.
9. Minors
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. When we do, we will update the "Last updated" date at the top of this page. For material changes we will notify registered users by email.
11. Contact
For any privacy-related question, request or complaint:
NexDam
📧 postmaster@nexdam.it
🌐 www.nexdam.it