Legal
Privacy Policy — DFM Platform accounts & DFM Professional Packs purchases
Version 1.0 · Effective date: 2026-07-09 · This notice is provided under Articles 13–14 GDPR for the account, purchase and download functions of platform.defencefinancemonitor.com.
1. Controller
STRONCATURE S.R.L., registered office Via Garibaldi 169, 84061 Ogliastro Cilento (SA), Italy, VAT/Tax ID IT05960160652 (REA SA-486919) — e-mail: privacy@defencefinancemonitor.com (or packs@defencefinancemonitor.com). (No Data Protection Officer has been appointed, as not required for our processing scale.)
2. What data we process, why, and on which legal basis
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Account data — name, e-mail, password hash, e-mail-verification status | Account creation, login, security | Contract performance (Art. 6(1)(b)) | Until account deletion + 12 months backup cycle |
| Order data — pack, licence tier, price, VAT data, billing details, order status, timestamps of Terms acceptance and withdrawal-waiver consent | Selling and delivering the Packs; proving consents | Contract performance (Art. 6(1)(b)); legal obligation for records (Art. 6(1)(c)) | 10 years (accounting/tax law, Art. 2220 c.c.) |
| Payment data — handled by Stripe: card details go directly to Stripe; we receive only tokens/identifiers, payment status and, where provided, VAT ID and billing country | Payment processing, fraud prevention, invoicing | Contract performance (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | Stripe references: 10 years with order records |
| Download logs — entitlement, user ID, IP address, user agent, timestamp | Delivery, licence enforcement, security and abuse prevention | Legitimate interests (Art. 6(1)(f)): protecting paid content and systems | 12 months |
| Support correspondence | Handling requests and complaints | Contract performance / legitimate interests | 24 months after closure |
| Technical logs (web server) | Security, diagnostics | Legitimate interests (Art. 6(1)(f)) | Up to 12 months |
We do not use the purchase data for automated decision-making or profiling, and we do not sell personal data. Marketing e-mail, if ever introduced, will be based on consent or the existing-customer exemption with an opt-out in every message.
3. Cookies
The purchase flow uses only technical session cookies strictly necessary for login and checkout; these do not require consent. We do not set advertising or third-party analytics cookies in the packs flow. If this changes, a consent banner will be introduced.
4. Recipients and processors
- Stripe Payments Europe, Ltd. (payment services) — Stripe processes payment data also as an independent controller for its own compliance purposes; see stripe.com/privacy.
- Aruba S.p.A. — Ponte San Pietro (BG), Italy — infrastructure hosting (processor).
- Brevo (Sendinblue SAS), Paris, France — transactional e-mail (processor).
- Public authorities where required by law.
Article 28 data-processing agreements are in place with our processors (Stripe, Brevo, Aruba), concluded through their standard data-processing terms.
5. International transfers
Our systems are hosted in the EU. Stripe may transfer certain payment-related data outside the EEA (including to the USA); such transfers rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses as described in Stripe's own privacy documentation.
6. Your rights
You have the rights of access, rectification, erasure, restriction, portability and objection (Arts. 15–22 GDPR). Where processing is based on consent, you may withdraw it at any time with effect for the future. Contact: privacy@defencefinancemonitor.com. You may lodge a complaint with your supervisory authority — in Italy, the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
7. Security
Passwords are stored using strong one-way hashing (Argon2id); access to purchased files requires an authenticated session and a recorded entitlement; payment card data never touch our servers; access to production systems is restricted and logged; backups are encrypted and integrity-checked.
8. Data you enter into the Packs
The Pack files are used on your own systems. Any personal data you type into the downloaded files (e.g. names of beneficial owners, personnel clearance holders, suppliers) are processed by you as controller on your infrastructure; DFM has no access to them and no responsibility for that processing. Handle such data in accordance with GDPR and applicable security rules.
9. Changes
We may update this notice; material changes will be signalled on the Platform. The version in force at the time of your purchase is preserved with your order records.