Privacy Policy
Last Updated: February 13, 2026
Version: 2.0
Information on the processing of personal data of users who consult the Service
This Privacy Policy describes how we collect, use, and protect personal data in accordance with Article 13 of Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR").
According to Regulation (EU) 2016/679 (hereinafter "GDPR"), this page describes the methods of processing personal data of users who consult Coney's identity management service (hereinafter "Coney," "we," "us," "our," or the "Service") accessible electronically at:
- coney.app
- www.coney.app
This information applies to all users of the Service, whether registered or unregistered.
Table of Contents
- Data Controller
- Legal Basis of Processing
- Types of Personal Data Collected
- Purposes of Processing
- Data Retention Periods
- Data Recipients
- International Data Transfers
- Security Measures
- Cookies and Tracking Technologies
- Your Rights Under GDPR
- Data Breach Notification
- Payment Processing
- Changes to This Policy
- Contact Information
Data Controller
Following the use of the aforementioned Service, data relating to identified or identifiable individuals may be processed. The Data Controller is:
Antonio Christian Toscano
Via Roma 79
89063 Melito di Porto Salvo (RC)
Italy
Email: [email protected]
For all matters related to personal data processing and GDPR compliance, you may contact us at the above email address.
Legal Basis of Processing
The personal data indicated on this page are processed by Coney on the following legal bases in accordance with Article 6 of the GDPR:
For Registered Users
- Contract Performance: To fulfill our obligations under the Terms and Conditions and provide the Service to you (Article 6(1)(b) GDPR)
- Legitimate Interests: For security purposes, fraud prevention, and improvement of our Service (Article 6(1)(f) GDPR)
- Legal Obligations: To comply with applicable laws and regulations (Article 6(1)(c) GDPR)
For Website Visitors
- Legitimate Interests: For the technical management of the website and to analyze usage patterns to improve the Service (Article 6(1)(f) GDPR)
Where Consent is Required
Where we request your explicit consent for specific processing activities (e.g., marketing communications), the legal basis for that processing will be your consent under Article 6(1)(a) GDPR. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Types of Personal Data Collected
1. Navigation Data
During their normal operation, the computer systems and software procedures used to operate the Service acquire certain personal data, the transmission of which is implicit in the use of Internet communication protocols.
This category of data includes:
- IP addresses or domain names of the computers and terminals used by users
- URI/URL addresses (Uniform Resource Identifier/Locator) of the requested resources
- Time of the request
- Method used to submit the request to the server
- Size of the file obtained in response
- Numerical code indicating the status of the response given by the server (successful, error, etc.)
- Other parameters relating to the user's operating system and computer environment
2. Registration Data
When you register for an account, we collect:
- Name and/or username
- Email address
- Password (stored in encrypted/hashed form)
- Optional profile information you choose to provide
- Account creation date and time
3. Data Provided by the User
The optional, explicit, and voluntary sending of messages to our contact addresses, as well as the completion and submission of forms present on the Service, involve the acquisition of the sender's contact data, necessary for responding, as well as all personal data included in the communications.
This may include:
- Your name and email address
- Any information you provide in support requests or feedback
- Any personal data included in messages sent to us
4. Payment Data (Donations)
For users who choose to make a donation to unlock Bank Sync Access, we collect:
- Billing information (name, address, VAT number if applicable)
- Payment transaction data
- Donation history
Important: Payment data is processed by our third-party payment providers (Stripe) who act as independent data controllers for such data. Their privacy policies apply to payment processing activities. Donations are currently one-time payments, not recurring subscriptions.
Purposes of Processing
We process your personal data for the following purposes:
1. Service Provision
- Providing access to and functioning of the Coney Service
- Managing user accounts and authentication
- Providing customer support
2. Technical Operations
- Obtaining statistical information about the use of services (most visited pages, number of visitors per hour or day, geographical areas of origin, etc.)
- Checking the correct functioning of the services offered
3. Security and Fraud Prevention
- Protecting the security and integrity of the Service
- Preventing fraud, abuse, and unauthorized access
- Investigating and preventing security incidents
4. Legal Compliance
- Complying with applicable legal obligations, including tax and regulatory requirements
- Responding to lawful requests from public authorities and courts
5. Communication
- Sending you important notices about the Service
- Responding to your inquiries and support requests
- Sending you marketing communications (only where you have consented)
Data Retention Periods
We retain your personal data for no longer than is necessary for the purposes for which it was processed.
Specific Retention Periods
| Data Category | Retention Period | Rationale |
|----------------|------------------|-----------|
| Navigation and server logs | 7 days | Necessary for technical management and security. Deleted immediately after aggregation, except if needed for investigations by judicial authorities |
| Account data for active users | Duration of account | As long as your account is active |
| Account data for deleted accounts | Within a reasonable period, not exceeding 30 days after deletion | To enable account recovery if accidentally deleted |
| Transaction and billing records | 10 years | Tax and accounting legal requirements |
| Support communications | 2 years | Quality assurance and dispute resolution |
| Marketing data (where consented) | Until consent withdrawal | As long as you consent to marketing |
| Legal compliance data | As required by law | May exceed standard periods where required |
Upon request for erasure, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain such data.
Data Recipients
Internal Access
The personal data collected are processed by Coney's staff (Antonio Christian Toscano as the sole operator), who act on specific instructions provided in relation to the purposes and methods of the processing.
External Recipients
At present, we may share your personal data with the following categories of recipients:
1. Payment Processors
For donations that unlock Bank Sync Access, payment data is processed by:
- Stripe (www.stripe.com) - Payment processing, billing data retention for donations
- GoCardless (Nordigen) (www.gocardless.com) - Bank transaction import (available to users who have made a donation, requires explicit consent)
These entities act as independent data controllers for payment data. Their privacy policies are available on their respective websites and should be consulted for information on their data processing practices.
2. Technical Service Providers
We may engage third-party service providers to assist in providing the Service, such as:
- Hosting and infrastructure providers
- Email service providers
- Cloud infrastructure providers (AWS, Google Cloud Platform, etc.)
- Cloudflare (www.cloudflare.com) - DDoS protection, DNS services, and asset delivery (assets stored in EU bucket)
These providers act as data processors on our behalf and are bound by strict confidentiality obligations. They may only process your data in accordance with our instructions for the purpose of providing the Service.
3. Optional Integrations
With your explicit consent, you may connect optional third-party services:
- Google Drive - Expense data sync to Google Sheets. You control what data is synced, and data is stored in your Google account.
4. Security and Monitoring Services
- Cloudflare (www.cloudflare.com) - Bot protection on authentication and contact forms (processes IP address and browser data)
- Rollbar (www.rollbar.com) - Error tracking and monitoring (processes error logs, may include user IDs in error context, 30-day retention)
5. Legal Authorities
We may disclose your personal data to law enforcement, regulatory authorities, or courts when required to comply with applicable laws, regulations, or legal processes.
No Disclosure to Third Parties for Marketing
We do not sell, rent, or trade your personal data with third parties for their marketing purposes.
International Data Transfers
Data Stored Within the European Economic Area (EEA)
All personal data collected by Coney is primarily stored and processed within the European Economic Area (EEA), including servers located in Germany, France, and other EU countries.
Transfers to Third Countries
Some of our service providers process data outside the EEA. We ensure appropriate safeguards are in place for such transfers:
| Provider | Location | Safeguard Mechanism |
|----------|----------|---------------------|
| Stripe | United States | Standard Contractual Clauses (SCCs) |
| Google | United States | Standard Contractual Clauses (SCCs) |
| Rollbar | United States | Standard Contractual Clauses (SCCs) |
| Cloudflare | United States | Standard Contractual Clauses (SCCs) |
| GoCardless | European Union | GDPR compliant (no transfer required) |
Standard Contractual Clauses
For transfers to providers in the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal basis for international data transfers, in accordance with Article 46 of the GDPR. These contractual clauses ensure that your personal data receives an adequate level of protection comparable to that within the EEA.
Your Rights Regarding International Transfers
You have the right to:
- Request a copy of the Standard Contractual Clauses we have entered into with our service providers
- Obtain information about the safeguards in place for international transfers
- Lodge a complaint with a supervisory authority if you believe your data is not adequately protected
Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Technical Security Measures
- Secure servers and network infrastructure
- Encryption of data in transit using SSL/TLS protocols
- Encryption of passwords using strong hashing algorithms (bcrypt, Argon2, or equivalent)
- Regular security updates and patches
- Access controls and authentication mechanisms
Organizational Security Measures
- Regular security assessments and penetration testing
- Confidentiality agreements with any personnel or third parties with access to data
- Incident response procedures for data breaches
- Regular training on data protection best practices
Data Backups
We maintain regular backups of your data to ensure availability and recovery in case of data loss. Backups are stored securely and subject to the same security measures as our primary systems.
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
Cookies and Tracking Technologies
Cookies Used
We use the following types of cookies on our Service:
1. Essential Cookies
These cookies are strictly necessary for the operation of the Service. They enable core functionality such as user authentication, security, and access to secure areas.
- Type: Session cookies (non-persistent)
- Purpose: Secure and efficient navigation of the websites
- Retention: Deleted when you close your browser session
- Consent: Not required (essential for service operation)
No Profiling Cookies
We do not currently use profiling cookies to track or analyze user behavior for marketing or advertising purposes.
Third-Party Cookies
We do not currently use third-party cookies for tracking or analytics purposes.
Cookie Consent
Because we use only essential cookies necessary for the Service to function, we do not require your consent to place these cookies. However, you can manage your cookie preferences through your browser settings.
Please note that disabling cookies may affect the functionality of the Service and prevent you from accessing certain features.
Browser Settings
Most web browsers allow you to control cookies through their settings. You can:
- Accept all cookies
- Reject all cookies
- Delete cookies already stored on your device
- Set preferences for first-party and third-party cookies
For more information about cookie management in your browser, please visit the relevant help documentation.
Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
1. Right to Access (Article 15)
You have the right to obtain confirmation as to whether or not your personal data is being processed by us and, where that is the case, access to your personal data and information about:
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipient to whom the personal data has been or will be disclosed
- Where possible, the envisaged period for which the personal data will be stored
- The existence of the right to request rectification or erasure of your personal data or to restrict processing
- The right to lodge a complaint with a supervisory authority
- Information about the source of the data if it was not collected from you
- The existence of automated decision-making, including profiling
2. Right to Rectification (Article 16)
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- You withdraw your consent on which the processing is based and where there is no other legal ground for the processing
- You object to the processing and there are no overriding legitimate grounds for the processing
- The personal data have been unlawfully processed
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law
4. Right to Restriction of Processing (Article 18)
You have the right to obtain restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by you
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
- We no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defence of legal claims
- You have objected to processing, pending verification of whether our legitimate grounds override yours
5. Right to Data Portability (Article 20)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, machine-readable format and have the right to transmit those data to another controller without hindrance from us.
6. Right to Object (Article 21)
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6(1)(f) (legitimate interests). We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
7. Right to Withdraw Consent (Article 7)
Where the processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Email: [email protected]
Mail: Antonio Christian Toscano, Via Roma 79, 89063 Melito di Porto Salvo (RC), Italy
We will respond to your request within 30 days of receipt. Where necessary, this period may be extended by a further 60 days, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of your request.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR.
You may lodge a complaint with:
Italian Data Protection Authority (Garante per la protezione dei dati personali)
Address: Piazza di Monte Citorio n.121, 00186 Roma (RM)
Email: [email protected]
Website: www.garanteprivacy.it
You also have the right to seek a judicial remedy under Article 79 of the GDPR.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, where feasible, not later than 72 hours after having become aware of it, in accordance with Article 33 of the GDPR.
The notification will include:
- A description of the nature of the personal data breach
- The categories and approximate number of data subjects concerned
- The likely consequences of the personal data breach
- The measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects
We will also notify the relevant supervisory authority in accordance with applicable law.
Payment Processing
For donations that unlock Bank Sync Access, we use third-party payment service providers to process payments. These providers act as independent data controllers for payment data.
Payment Processors
- Stripe: https://stripe.com/privacy
When you make a donation, your payment information is collected directly by the payment processor and processed in accordance with their privacy policies. We do not store or have access to your full credit card details; we only receive a payment confirmation and minimal transaction data necessary to verify your donation and unlock Bank Sync Access.
Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected], and we will take steps to delete such information.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of any material changes by:
- Posting the updated policy on our website
- Sending an email notification to registered users for significant changes
The date of the last update is indicated at the top of this policy. We encourage you to review this policy regularly to stay informed about how we protect your personal data.
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
Links to Other Websites
Our Service may contain links to other websites that are not operated by us. We have no control over the content, privacy policies, or practices of any third-party websites or services. We encourage you to read the privacy policies of every website you visit.
Italian Consumer Rights
For consumers resident in Italy, this Privacy Policy is issued in accordance with:
- General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- Italian Consumer Code (Codice del Consumo) - Legislative Decree no. 206/2005
- Italian Privacy Code (Codice in materia di protezione dei dati personali) - Legislative Decree no. 196/2003 as amended by Legislative Decree no. 101/2018
Italian consumers have all rights granted by the GDPR as implemented in Italian law, and may exercise those rights through the mechanisms described above or through any additional rights provided under Italian law.
Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
Antonio Christian Toscano
Via Roma 79
89063 Melito di Porto Salvo (RC)
Italy
Email: [email protected]
This Privacy Policy has been drafted in accordance with Article 13 of Regulation (EU) 2016/679 and related Italian legislation.