Privacy Policy

The data controller responsible for the personal data processed through Structura Planner is:

Francesco Agnoletto Email: hello@structuraplanner.com

For all privacy-related enquiries, including requests to exercise your data subject rights, please contact us at the email address above.

We collect and process the following categories of personal data:

1. Email address — collected during account registration and used for authentication, account management, and service communications. Stored in AWS Cognito.

2. Project data — all content you create within Structura Planner, including project names, selected techniques, deliverable configurations, and notes. Stored in AWS DynamoDB.

3. Payment data — if you subscribe to the Pro Tier, your payment details (card number, billing address) are collected and processed directly by Paddle.com as our Merchant of Record. Structura Planner does not receive, store, or have access to your payment card information.

4. Session tokens — essential authentication cookies set by AWS Cognito to maintain your logged-in session. These are technical cookies required for the service to function.

We use the personal data we collect for the following purposes:

- Providing and operating the Structura Planner service (storing your projects, enforcing tier limits, serving the application) - Authenticating your sessions and maintaining account security via AWS Cognito - Processing subscription payments through Paddle (Paddle receives your email address and payment information as our Merchant of Record) - Communicating with you about your account, service updates, or material changes to our terms and policies - Complying with applicable legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising or behavioural profiling.

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

- Contract performance (Art. 6(1)(b)): Processing your email address and project data is necessary to provide the service you have signed up for. Without this data, we cannot fulfil our obligations to you.

- Legitimate interest (Art. 6(1)(f)): We process minimal technical data (session tokens, request logs) to maintain the security and integrity of the service. Our interest in preventing fraud and protecting user accounts does not override your rights.

- Legal obligation (Art. 6(1)(c)): We may retain certain data (e.g., transaction records held by Paddle) to comply with applicable tax and financial record-keeping laws.

We work with the following third-party processors who may handle your personal data:

1. Paddle.com Market Limited — Payment processor and Merchant of Record for all Pro Tier subscriptions. Paddle receives your email address and payment information when you subscribe. Paddle processes this data under their own privacy policy: https://www.paddle.com/legal/privacy. Paddle is responsible for the security and compliance of payment data they collect.

2. Amazon Web Services (AWS) — Infrastructure provider for Structura Planner. AWS operates the services we use: Amplify (application hosting), Cognito (identity and authentication), and DynamoDB (database). Your email and project data are stored on AWS infrastructure. We have a Data Processing Addendum in place with AWS.

All third-party processors are contractually required to process your data only on our instructions and in compliance with applicable data protection law.

Structura Planner uses only essential cookies. These are session cookies set by AWS Cognito to maintain your authenticated session while you use the application. Without these cookies, the service cannot function.

We do not use advertising cookies, analytics cookies, or tracking pixels. No third-party marketing cookies are present on this site.

Under the GDPR ePrivacy Directive, consent is not required for strictly necessary cookies. For this reason, we do not display a cookie consent banner — there are no non-essential cookies requiring your consent.

We retain your personal data for as long as your account is active. Specifically:

- Your email address and authentication record in AWS Cognito are retained until you delete your account. - Your project data in AWS DynamoDB is retained until you delete individual projects or delete your account. - Upon account deletion, all your data in Cognito and DynamoDB is permanently removed. This process is irreversible.

Data held by Paddle in their capacity as Merchant of Record (e.g., transaction records) is subject to Paddle's own retention policies and legal obligations, which may require them to retain financial records beyond your account deletion.

As a data subject under the GDPR, you have the following rights:

- Right of access: You may request a copy of the personal data we hold about you. - Right to rectification: You may request correction of inaccurate personal data. - Right to erasure: You may request deletion of your personal data ('right to be forgotten'). You can exercise this directly by deleting your account at /account. - Right to restriction: You may request that we restrict processing of your data in certain circumstances. - Right to data portability: You may request your project data in a machine-readable format. Project data can be exported as Markdown via the Compile view. - Right to object: You may object to processing based on legitimate interest.

To exercise any of these rights (other than erasure, which is self-service), please email us at hello@structuraplanner.com. We will respond within 30 days.

If you believe we have processed your personal data in breach of the GDPR, you have the right to lodge a complaint with the supervisory authority in your country of residence. The supervisory authority for Italy is:

Garante per la protezione dei dati personali (Italian Data Protection Authority) Piazza Venezia 11 00187 Roma Italy Website: https://www.garanteprivacy.it

You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement.

Your data is processed on AWS infrastructure. The specific region may include data centres outside the European Economic Area (EEA). AWS has implemented standard contractual clauses and other appropriate safeguards to ensure compliance with GDPR requirements for international transfers.

Paddle, as our Merchant of Record, is headquartered in the United Kingdom and United States. Paddle has published documentation on their GDPR compliance and cross-border data transfer mechanisms at https://www.paddle.com/legal/gdpr.

Where data is transferred outside the EEA, we rely on appropriate safeguards such as standard contractual clauses approved by the European Commission.

We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable legal requirements.

When we make material changes, we will notify you by email to the address associated with your account, or by displaying a notice within the application before the changes take effect. The updated policy will display the revised 'Last updated' date at the top.

Your continued use of Structura Planner after the effective date of any changes constitutes your acknowledgment of the updated policy.

For any questions about this Privacy Policy or to exercise your data subject rights, please contact:

Email: hello@structuraplanner.com