Fedele — Merchant Privacy Policy
Last updated: April 10, 2026
1. Who we are
This Privacy Policy explains how Fedele collects and uses personal data relating to visitors of our website (business.fedeleapp.com), businesses (Merchants) and their representatives who use the loyalty platform and related services.
Fedele is the Data Controller for merchant-related data and the Data Processor for end-customer data processed on behalf of Merchants (see Section 3).
Contact: info@fedeleapp.com
2. Website visitors and lead capture
a) Data collected from website visitors
When you visit our website (business.fedeleapp.com), we may collect:
- Analytics data (via Google Analytics 4, with your consent): pages visited, time on site, device type, browser, approximate location (country/region). No personally identifiable information is collected through analytics.
- Advertising data (via Meta Pixel, TikTok Pixel, and Google Ads, with your consent): page views and conversion events for advertising measurement and optimization.
Analytics and advertising data is only collected after you provide consent through our cookie banner.
b) Data collected through lead capture forms
When you download a report or resource from our website, we collect:
- Name and email address (required to deliver the requested content)
- Marketing consent (optional, recorded only if you opt in)
- Timestamp of submission
How we use this data:
- To deliver the requested content (report, guide, etc.) to your email address
- If you opted in to marketing: to send you educational content about customer retention. You can unsubscribe at any time via the link in each email.
Legal basis (GDPR Article 6):
- Article 6(1)(b) — contractual necessity: to deliver the content you requested
- Article 6(1)(a) — consent: for marketing communications, only if you explicitly opted in
Retention:
- Lead data (name, email) is retained for up to 12 months after collection if you do not become a Fedele customer. After this period, your data is deleted unless you have an active account.
- If you opted in to marketing and later unsubscribe, your email is removed from the marketing list within 10 business days. Your data may be retained in a suppression list to ensure we do not contact you again.
c) California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and why
- Request deletion of your personal information
- Opt out of the "sale" or "sharing" of your personal information (we do not sell or share your data with third parties for their own purposes)
To exercise these rights, contact us at info@fedeleapp.com.
3. Data we collect from Merchants
a) Account and business information
- Business name, VAT number, and registration details
- Contact name, email address, password (encrypted)
- Role within the company (e.g., owner, staff)
- Store locations or business category (if provided)
- Store images (uploaded)
b) Billing and payments
- Billing address, tax details, payment method (processed via third-party payment providers; we do not store full card details)
- Subscription plan, invoices, and payment history
c) Platform usage and analytics
- Login events, device type, IP address, browser version
- Feature usage, performance logs, error reports
- Aggregated metrics for product improvement
d) Communications
- Support requests and chat or email correspondence
- Marketing preferences and subscriptions
4. Our roles under the GDPR
| Data type | Role | Description |
|---|---|---|
| Merchant account, billing, analytics, support | Controller | Processing to provide and manage the platform |
| End-customer loyalty data | Processor | Processing according to documented instructions in the Data Processing Addendum (DPA) |
You, as the Merchant, remain the Data Controller for your customers' loyalty data.
5. How we use merchant data
We use the information to:
- Provide and maintain the Services (account creation, authentication, dashboard, barcode management)
- Process payments and issue invoices
- Provide support and communicate service updates
- Improve and protect the platform (monitoring, debugging, analytics)
- Comply with legal obligations (tax, accounting, anti-fraud)
- Send product updates or marketing communications, subject to consent
6. Legal bases for processing
Under Article 6 GDPR:
- Contractual necessity — to provide the Services and fulfill the agreement
- Legal obligation — for billing, tax, and accounting requirements
- Legitimate interests — for security, service improvement, and communication with business contacts
- Consent — for marketing communications or optional beta features
7. Data sharing and third-party providers
We share data only when necessary for the operation of the platform. Below are the main service providers (sub-processors) that process data on our behalf:
a) Infrastructure and hosting
Cloud services with data centres located in Germany (European Union).
b) Subscription and payment management — Stripe
- Provider: Stripe, Inc. (USA)
- Data processed: Email address, payment card details, billing address, transaction history
- Purpose: Subscription management, recurring billing, payment processing, billing portal
- Safeguards: Stripe participates in the EU-US Data Privacy Framework and applies Standard Contractual Clauses (SCCs)
- Privacy Policy: https://stripe.com/privacy
c) Analytics and product improvement — Firebase Analytics
- Provider: Google LLC (USA)
- Data processed: App usage events (login, navigation, features used), pseudonymised user identifier, device type, operating system
- Purpose: Understand app usage, improve user experience, identify issues
- Note: No personally identifiable information (PII) is collected through this tool
- Safeguards: Google is certified under the EU-US Data Privacy Framework and applies SCCs
- Privacy Policy: https://policies.google.com/privacy
d) Error monitoring and stability — Sentry
- Provider: Functional Software, Inc. dba Sentry (USA)
- Data processed: Crash reports, error logs, technical device information, session identifier
- Data NOT collected: IP addresses, personally identifiable information (PII)
- Purpose: Identify and fix bugs, improve app stability
- Safeguards: Sentry applies Standard Contractual Clauses and technical protection measures
- Privacy Policy: https://sentry.io/privacy/
e) Product analytics and user behaviour — PostHog
- Provider: PostHog, Inc. (USA/UK)
- Data processed: User identifier (UUID), email address, usage events (navigation, clicks, onboarding steps, conversions), device type, operating system, browser, visited URL
- Data hosting: European Union (eu.i.posthog.com)
- Purpose: Understand how users interact with the platform, improve onboarding, optimise conversion flows
- Safeguards: EU data hosting, Standard Contractual Clauses (SCCs)
- Privacy Policy: https://posthog.com/privacy
f) Advertising measurement — TikTok Events
- Provider: TikTok Inc. / ByteDance Ltd. (USA/China)
- Data processed: Page views, conversion events, device information, advertising identifiers
- Purpose: Advertising measurement and campaign optimisation
- Safeguards: Standard Contractual Clauses (SCCs)
- Privacy Policy: https://www.tiktok.com/legal/privacy-policy
g) Legal authorities
Sharing when required by applicable law.
We do not sell or rent merchant data to third parties.
h) Website analytics and advertising
- Google Analytics 4 (Google LLC, USA): Pseudonymised usage data, no PII collected. Consent-gated via cookie banner.
- Meta Pixel (Meta Platforms, Inc., USA): Page views and conversion events for advertising optimization. Consent-gated via cookie banner.
- TikTok Pixel (TikTok Inc., USA): Page views and conversion events for advertising optimisation. Consent-gated via cookie banner.
- Google Ads (Google LLC, USA): Conversion tracking for advertising measurement. Consent-gated via cookie banner.
Safeguards: Google and Meta are certified under the EU-US Data Privacy Framework. TikTok applies Standard Contractual Clauses.
8. Data retention
- Account and business data: retained while the account remains active
- Billing and tax data: retained for 10 years as required by Italian law
- Support correspondence: retained for up to 2 years
- Analytics data: retained in aggregated and anonymised form
- Product analytics (PostHog): retained in accordance with PostHog's EU data retention policies
- Error logs (Sentry): retained for up to 90 days
Account deletion
When you request the deletion of your account:
- Your personal data (email, name, identifying data) is anonymised immediately
- We retain in anonymised form only the data necessary for legal and tax obligations (e.g., transactions, invoices)
- Anonymised data can no longer be linked back to you
9. Data location and transfers
- Core data is hosted on servers located in Germany (European Union)
- Some service providers (Stripe, Firebase, Sentry, TikTok) are based in the United States. PostHog (USA/UK) hosts data in the European Union.
For transfers outside the EEA/UK, we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework (where applicable)
10. Security
We implement appropriate technical and organisational measures:
- Encryption in transit (TLS) and at rest
- Access controls and secure authentication
- Regular backups and monitoring
- Employee training on confidentiality and data protection
- Secure storage for tokens and credentials
Despite these measures, no system is completely secure; please keep your credentials confidential.
11. Your rights
Under the GDPR, you may request to:
- Access your data
- Rectify inaccuracies
- Delete your data (subject to retention obligations)
- Restrict or object to processing
- Receive a copy of your data (portability)
- Withdraw consent at any time for consent-based processing
To exercise these rights, send an email to info@fedeleapp.com. We will respond within 30 days as required by law.
12. Marketing communications
- We send marketing or product update emails to business contacts who have expressly consented
- You can unsubscribe at any time via the link in our emails or by contacting us
- Essential service communications (e.g., changes to terms, security issues) do not require consent
13. Local storage technologies (App)
The App uses local storage technologies on the device:
- Local cache (Hive): To improve performance and enable offline use
- Encrypted secure storage: To securely store session tokens and credentials
- Remote configurations (Firebase Remote Config): To update app parameters without requiring updates
This data remains on your device and is deleted when the app is uninstalled.
14. Changes to this policy
- The latest version will always be available on the website and in the app
- Significant changes will be communicated via email or in-app notice
- We encourage you to review this policy periodically
15. Contact and complaints
For privacy questions, rights requests, or complaints: info@fedeleapp.com
If you are in the EU and wish to raise concerns, you may contact the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority):
- Website: https://www.garanteprivacy.it
- Email: protocollo@gpdp.it