Privacy Policy
Version 1.0 - March 10, 2026
GeoTapp Flow & TimeTracker
1. DATA CONTROLLER
GeoTapp by Michele Angelo Petraroli
Via [Full Address], Trenzano (BS), Italy
VAT number: IT04183990987
E-mail: info@geotapp.com
Certified e-mail (PEC): [pec@geotapp.pec.it]
Phone: [+39 XXX XXXXXXX]
Data Protection Officer (DPO): info@geotapp.com
2. PURPOSE AND LEGAL BASIS OF THE PROCESSING
2.1 Processing Necessary for the Performance of the Contract (Art. 6.1.b GDPR)
| Purposes | Processed Data | Retention |
|---|---|---|
| SaaS service delivery | Email, first name, last name, CompanyID, role | Contract duration + 5 years |
| Customer CRM management | Customer data, projects, suppliers | Contract duration + 5 years |
| Employee clock-in/out | Entry/exit times, GPS lat/lng, proof-of-work photos | 5 years (Italian legal obligation: art. 16 L. 300/1970) |
| Shift and vacation management | Calendars, leave requests, absences | 5 years |
| Billing | Invoice data, amounts, Stripe payment data | 10 years (legal obligation) |
Explicit consent is not required for this processing, as it is necessary for the performance of the contract.
2.2 Consent-based Processing (Art. 6.1.a GDPR)
| Purposes | Processed Data | Consent | Retention |
|---|---|---|---|
| Precise geolocation | GPS lat/lng in real time | If explicitly requested | 12 months |
| Marketing newsletter | Email, name | Opt-in | Until revocation |
| Gemini AI profiling | Anonymous aggregated business data | Opt-in (PRO tier) | 24 months |
Consent can be revoked at any time via email info@geotapp.com or from account settings.
2.3 Processing Based on Legitimate Interest (Art. 6.1.f GDPR)
| Purposes | Processed Data | Interest | Retention |
|---|---|---|---|
| Internal communications | Channel messages, timestamps | Operational efficiency | 90 days |
| Anti-fraud security | IP address, device fingerprint | Service protection | 6 months |
| Product improvement | Anonymous analytics (Firebase) | Software development | 24 months |
Right to object: you can object to this processing by writing to info@geotapp.com.
2.4 Processing for Legal Obligation (Art. 6.1.c GDPR)
- Invoice storage: 10 years (art. 2220 of the Italian Civil Code)
- Accounting data: 10 years (Presidential Decree 600/73)
- Employee clock-in/out records: 5 years (Workers' Statute)
3. CATEGORIES OF DATA COLLECTED
3.1 Identifying Data
- First name, last name, email
- Telephone number (optional)
- CompanyID (tenant identifier)
- Role (ADMIN/USER/ACCOUNTANT)
3.2 Location Data
- GPS latitude/longitude (AES-256 encrypted at rest)
- Text address derived from coordinates
- Geofence radius of company offices
- Anti-spoofing checks: isMock (mock-location) flag, teleportation detection, accuracy validation
3.3 Work Data
- Clock-in/clock-out times
- Pauses and breaks
- Proof-of-work photos (Firebase Storage)
- Assigned projects
- Vacation and leave requests
3.4 Business Data (CRM)
- Customers: personal data, contacts, projects
- Suppliers: VAT number, IBAN (encrypted)
- Invoices: amounts, deadlines, status
- Day book (prima nota): bank transactions (via IMAP parsing)
3.5 Browsing Data
- IP address
- Browser User-Agent
- Access timestamps
- Firebase Analytics events (anonymous)
3.6 Data NOT Collected
We do not collect:
- Special-category data (health, biometrics, religion)
- Data of minors (under 18 years old)
- Content of external communications (no email content is stored)
4. COLLECTION METHODS
4.1 Direct Collection
- Account registration: Signup form at https://geotappflow.web.app
- CRM configuration: User input on Flow dashboard
- Clock-in/out records: TimeTracker Android app
4.2 Automatic Collection
- Firebase Auth: Email/Google Sign-In
- Firebase Analytics: App/web events (anonymous)
- GPS location: Android service (consent required)
- IMAP email parsing: bank statements (consent required)
4.3 Collection from Third Parties
- Stripe: Payment data (PCI-DSS compliant)
- Google Places API: Location addresses (autocomplete)
- GoCardless/EnableBanking: Open Banking Transactions
5. DATA SHARING AND SUB-PROCESSOR
5.1 Authorized Sub-Processors (Art. 28 GDPR)
| Supplier | Service | Location | SCC | Shared Data | Certifications |
|---|---|---|---|---|---|
| Google LLC | Firebase/Firestore | US/IE | Yes | All app data | SOC 2, ISO 27001 |
| Stripe Inc | Payments | US/IE | Yes | Email, amounts, card hash | PCI DSS Level 1 |
| Meta Platforms | Removed | - | - | - | - |
Full list: https://geotapp.com/sub-processors
5.2 We Don't Sell Your Data
GeoTapp DOES NOT sell, rent or transfer personal data to third parties for commercial purposes.
5.3 Extra-EU transfers
- Destination: USA (Firebase/Stripe)
- Safeguards: Standard Contractual Clauses (SCC) EU 2021
- TIA: Transfer Impact Assessment completed (low risk)
- Encryption: TLS 1.3 + AES-256 at-rest
6. RIGHTS OF DATA SUBJECTS (GDPR Articles 15-22)
6.1 Right of Access (Art. 15)
You can request a copy of your data via email info@geotapp.com. Response time: 30 days. Format: CSV/JSON/PDF.
6.2 Right to Rectification (Art. 16)
Correct inaccurate data in your account settings or by contacting info@geotapp.com.
6.3 Right to Erasure (Art. 17 - Right to be Forgotten)
- Request: info@geotapp.com
- Time: 30 days
- Exceptions: legal obligations (10-year invoices, 5-year clock-in/out records)
6.4 Right to Portability (Art. 20)
Automatic CSV/Excel export from the Flow dashboard. Data included: CRM, stamps, invoices, shifts.
6.5 Right to Object (Art. 21)
Object to processing based on legitimate interest (analytics, communications).
6.6 Right to Restriction (Art. 18)
Temporarily block processing in the event of a dispute.
6.7 Right to Revoke Consent (Art. 7.3)
Revoke GPS/marketing consent from settings or via email.
6.8 Complaint to the Supervisory Authority
Garante per la protezione dei dati personali (Italian Data Protection Authority)
Piazza di Monte Citorio n. 121, 00186 Rome
E-mail: garante@gpdp.it
Tel: +39 06.696771
Website: https://www.garanteprivacy.it
7. SECURITY MEASURES (Art. 32 GDPR)
7.1 Technical Security
- Encryption at rest: AES-256 (GPS, IBAN, email)
- Encryption in transit: TLS 1.3 (all communications)
- Password hashing: bcrypt (salted)
- Firebase Security Rules: strict multi-tenant isolation (CompanyID filtering)
- GPS anti-spoofing: isMock (mock-location) detection, teleportation check, accuracy validation
- Geofence validation: 100 m radius tolerance
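As an added illustration of how the anti-spoofing and geofence checks listed above fit together on the server side (example code, not GeoTapp's own implementation): the 100 m radius is the figure stated in this policy; the accuracy and speed thresholds, the office coordinates and the sample fixes are constructed for the example.

```python
"""Validation of a clock-in/out GPS fix: mock-location flag, accuracy,
teleportation between consecutive stamps, and the 100 m office geofence.

Added example, not GeoTapp's code. The 100 m radius comes from the policy;
every other threshold, the office coordinates and the sample fixes below
are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0

GEOFENCE_RADIUS_M = 100.0        # policy: 100 m tolerance around the office
MAX_ACCURACY_M = 50.0            # assumed: reject fixes coarser than 50 m
MAX_PLAUSIBLE_SPEED_MPS = 70.0   # assumed: ~250 km/h between two stamps


@dataclass(frozen=True)
class Fix:
    lat: float
    lng: float
    accuracy_m: float   # horizontal accuracy radius reported by the device
    timestamp: float    # Unix time in seconds
    is_mock: bool       # Android Location.isMock() / isFromMockProvider()


def haversine_m(lat1: float, lng1: float, lat2: float, lng2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lng2 - lng1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def validate_stamp(fix: Fix, office: Tuple[float, float],
                   previous: Optional[Fix] = None) -> List[str]:
    """Return the list of reasons to reject `fix`; an empty list means accept.

    Every check runs (rather than returning on the first failure) so the
    rejection record shows the full picture to whoever reviews the stamp.
    """
    reasons: List[str] = []

    # 1. Mock-location flag: the OS says a test provider produced this fix.
    if fix.is_mock:
        reasons.append("mock_location")

    # 2. Accuracy validation: a coarse fix cannot prove presence within 100 m.
    if fix.accuracy_m > MAX_ACCURACY_M:
        reasons.append("low_accuracy")

    # 3. Teleportation: implied speed since the previous stamp. The two
    #    accuracy radii are subtracted so GPS jitter is not counted as travel.
    if previous is not None:
        dt = fix.timestamp - previous.timestamp
        dist = haversine_m(previous.lat, previous.lng, fix.lat, fix.lng)
        moved = max(0.0, dist - (fix.accuracy_m + previous.accuracy_m))
        if dt <= 0:
            reasons.append("timestamp_not_increasing")
        elif moved / dt > MAX_PLAUSIBLE_SPEED_MPS:
            reasons.append("teleportation")

    # 4. Geofence: the fix itself must fall within the office radius.
    if haversine_m(fix.lat, fix.lng, office[0], office[1]) > GEOFENCE_RADIUS_M:
        reasons.append("outside_geofence")

    return reasons


if __name__ == "__main__":
    office = (45.0, 10.0)                                     # constructed
    inside = Fix(45.0005, 10.0, 8.0, 1_700_000_000.0, False)  # ~56 m away
    print(validate_stamp(inside, office))                     # []
    # Same spot 0.5 s after a stamp at the office centre: ~85 m/s implied.
    at_centre = Fix(45.0, 10.0, 5.0, inside.timestamp - 0.5, False)
    print(validate_stamp(inside, office, previous=at_centre))  # ['teleportation']
```

The mock-location flag is the weakest of the four signals, since it is set by the device and a rooted phone can hide it; the teleportation check is the one that still holds when the client lies, because it is computed server-side from timestamps the server already stored. Subtracting the two accuracy radii before computing speed keeps a noisy fix taken seconds after a clean one from being flagged as teleportation.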
7.2 Organizational Security
- Access control: Role-based (ADMIN/USER/ACCOUNTANT)
- Audit logs: All logins tracked (Firebase Auth)
- Daily backups: Firebase automated backups
- Incident response plan: 72h breach notification
- Staff training: GDPR awareness annual training
7.3 Vulnerability and Patch
- Update policy: Critical patches within 48h
- Penetration testing: Yearly by third parties
- Vulnerability disclosure: security@geotapp.com
8. DATA BREACH NOTIFICATION (Art. 33-34 GDPR)
8.1 Internal Procedure
- Detection: Firebase/Stripe alerts monitoring
- Containment: Isolation of compromised resources (max 6h)
- Assessment: Gravity assessment and data involved (max 24 hours)
- Notification: Garante within 72 hours, data subjects if the risk is high
8.2 Breach Contacts
- Email: security@geotapp.com
- Emergency phone: [+39 XXX XXXXXXX]
- PGP Key: https://geotapp.com/pgp-key.asc
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 Technical Cookies (Necessary - No Consent)
| Name | Purpose | Duration |
|---|---|---|
| firebase-auth-token | Session authentication | 1 hour |
| company-id | Multi-tenancy | Session |
| theme-preference | Dark/light mode | 1 year |
9.2 Analytical Cookies (Consent Required)
| Name | Supplier | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Anonymous analytics | 2 years |
| _firebase_analytics | Firebase | Performance monitoring | 1 year |
9.3 Consent Management
- Cookie banner: Shown at first login
- Opt-out: https://geotappflow.web.app/cookie-settings
- Google Analytics opt out: https://tools.google.com/dlpage/gaoptout
9.4 Local Storage
- user-settings: UI preferences (no personal data)
- offline-cache: WorkSessions offline cache (encrypted)
Compliant with the Garante's 2021 cookie guidelines.
10. DATA RETENTION
10.1 General Criteria
- Minimization principle: Only necessary data
- Retention by default: Contract duration + legal periods
- Automatic deletion: expired data is purged by scheduled Cloud Functions
10.2 Detailed Retention Periods
| Category | Retention | Reason |
|---|---|---|
| User account | Contract term + 5 years | Contract |
| Employee clock-in/out | 5 years | Legal obligation (Italy) |
| GPS logs | 12 months | Minimization |
| Internal communications | 90 days | Legitimate interest |
| Invoices and payments | 10 years | Tax obligation |
| Anonymous analytics | 24 months | Product improvement |
11. UPDATES TO THIS POLICY
- Substantial changes will be communicated via email or in-app.
- The updated version will be published on https://geotapp.com/privacy
- Date and version will always be indicated at the head of the document.
12. PRIVACY CONTACTS
For any request relating to personal data:
E-mail: info@geotapp.com
DPO: info@geotapp.com
Site: https://geotapp.com