Privacy Notice

Last updated: May 4, 2026

This privacy notice is provided pursuant to Regulation (EU) 2016/679 ("GDPR"), Italian Legislative Decree 196/2003 as amended (Italian Privacy Code) and other applicable laws (including, where relevant, CCPA/CPRA for California residents, UK GDPR for UK residents, and LGPD for Brazilian residents).

This notice is translated from the Italian original for convenience. In case of conflict, the Italian version prevails for legal interpretation.

1. Data controller

FA CUBE S.R.L.
Registered office: Via Massa Avenza 16, 54100 Massa (MS), Italy
Italian VAT no.: IT01255480459
Privacy email: privacy@geocite22.com
Support email: support@geocite22.com

(the "Controller", "we", "us" or "our")

For any data-protection request, please write to privacy@geocite22.com.

2. Who this notice applies to

This notice applies to:

  • visitors to the geocite22.com website (the "Site");
  • customers who purchase a License or Credits for the GeoCite22 Plugin;
  • registered users holding an Account on the Site;
  • Plugin users with the Plugin installed on a Customer's WordPress site, in respect of any data the Plugin may collect;
  • end visitors of Customer sites, where the Plugin processes their data on behalf of the Customer — in such case the Controller acts as Data Processor on behalf of the Customer, who is the autonomous Controller.

3. Categories of data processed

Depending on how you interact with us, we may process the following categories of data:

3.1 Data you provide voluntarily

  • Account / order data: first name, last name, business name, address, email, password (encrypted), country, VAT ID, tax code where applicable.
  • Payment data: handled directly by Stripe. We only receive the transaction ID, the last 4 digits of the card, the brand, the country, the amount and the status. We never receive the full card number or CVV.
  • Support data: content of emails, chats, tickets or messages sent to support.
  • Marketing communication data: newsletter subscription preferences, open/click data on emails (where consented).

3.2 Data collected automatically

  • Technical browsing data: IP address, user agent, browser, OS, language, pages visited, referrers, timestamps.
  • Cookies and similar technologies: see the Cookie Policy.
  • Plugin telemetry: Plugin version, WordPress and PHP versions, site language, errors. Telemetry is optional and can be disabled in the Plugin settings; when active, it is designed not to include post content or end-visitor data.

3.3 AI-related data

3.3.1 BYO API Key (default mode)

When the User uses Plugin AI features with their own third-party API keys (e.g. OpenAI, Anthropic, Google), prompts, content sent and generated responses do not transit through our servers and are not accessible to the Controller. Requests go directly from the Customer's WordPress site to the chosen AI provider.

In this mode, the Customer is the autonomous Controller of AI-related data and engages directly with the provider, accepting that provider's terms and notices.

3.3.2 GeoCite22 Credits (optional gateway)

If the Customer activates a Credits-based plan (where available), the following may transit through our servers for License authentication, Credit deduction and routing to the AI provider: License identifier, selected AI model, approximate prompt and response size, call outcome. We do not retain prompt or response content beyond the strictly necessary transit time, except for security logs limited to metadata (timestamp, License ID, error code) for the purposes set out in section 4. Any different logging policies will be reflected in an updated version of this notice and/or in a dedicated DPA.

3.4 Data we do NOT process

We do not intentionally collect, and our systems are not designed to acquire:

  • full credit-card numbers or CVV (handled directly by Stripe);
  • the content of Customers' WordPress posts/pages, unless the Customer shares them with us in a support ticket;
  • special categories of data (ethnic origin, political opinions, religion, health data, etc.).

4. Purposes and legal bases

| # | Purpose | Categories of data | Legal basis |
|---|---------|--------------------|-------------|
| a | Service provision (account creation, License activation, subscription management, support) | Account, payment, support | Contract performance (Art. 6(1)(b) GDPR) |
| b | Accounting and tax compliance (invoicing, record-keeping) | Account, payment | Legal obligation (Art. 6(1)(c) GDPR) |
| c | Security, fraud and abuse prevention | Browsing data, Plugin/Account logs | Legitimate interest (Art. 6(1)(f) GDPR) |
| d | Basic telemetry (Plugin/WP/PHP versions, errors) | Technical data | Legitimate interest or consent, where required |
| e | Newsletter and marketing communications about similar products | Email, preferences | Soft spam (Art. 130(4) of Italian Legislative Decree 196/2003) for existing customers and similar products; consent (Art. 6(1)(a) GDPR) otherwise |
| f | Analytical and marketing cookies | Cookie identifiers, browsing data | Consent (Art. 6(1)(a) GDPR) |
| g | Legal claims, dispute handling | All relevant data | Legitimate interest (Art. 6(1)(f) GDPR) |
| h | AI features in Credits gateway mode | License ID, consumption metadata | Contract performance (Art. 6(1)(b) GDPR) |

Whenever consent is required, the User may withdraw it at any time without affecting the lawfulness of processing based on consent prior to its withdrawal.

5. Data retention

| Data type | Retention period |
|-----------|------------------|
| Active Account data | For the duration of the relationship + 24 months after Account closure |
| Accounting/tax documents (invoices) | 10 years from issue (legal requirement) |
| Support communications | 36 months from last interaction |
| Security logs | Up to 12 months, except for investigative needs |
| Plugin telemetry | Up to 24 months in identifiable form, then aggregated/anonymized |
| Newsletter | Until unsubscription |
| Cookies | See Cookie Policy (per-cookie durations) |

After these periods, data is deleted or anonymized.

6. Recipients and processors

Data is processed by authorized personnel of the Controller. We may also share data with third parties acting as Data Processors under Art. 28 GDPR, on the basis of data processing agreements (DPAs). The main ones are:

| Vendor | Role | Location / transfers |
|--------|------|----------------------|
| Stripe Payments Europe Ltd. | Payments, subscriptions, invoicing | Ireland (EU), with onward transfers to the US under Standard Contractual Clauses |
| Hetzner Online GmbH | Hosting of the Site and Account data (Falkenstein/Nuremberg datacenters) | Germany (EU/EEA) |
| Cloudflare, Inc. | CDN, WAF security, DDoS mitigation | US, with SCC and Cloudflare's Data Processing Addendum |
| Plesk International GmbH | Hosting control panel | Switzerland, with SCC |
| Transactional email provider (e.g. Postmark, Mailgun, Brevo) | Sending transactional emails (order confirmation, password reset) | EU or US with SCC |
| Newsletter / email-marketing provider | Sending marketing communications, where consented | EU or US with SCC |
| Google Ireland Ltd. (Google Analytics 4) | Aggregate traffic statistics, activated only with prior consent | Ireland (EU), with SCC towards US |
| Tax accountant / fiscal advisor | Accounting compliance | Italy |
| Lawyers and legal advisors | Legal claims, when needed | Italy |

The up-to-date list of processors is available on request at privacy@geocite22.com.

Data may also be disclosed to public authorities upon legitimate request, in cases provided for by law.

We do not sell personal data to third parties.

7. Transfers outside the EEA

Where data is transferred outside the European Economic Area (e.g. to the US for Cloudflare and sometimes Stripe), transfers rely on:

  • adequacy decisions of the European Commission (e.g. EU-US Data Privacy Framework, where applicable to the certified recipient);
  • Standard Contractual Clauses (SCC) approved by the European Commission, supplemented by additional technical and organizational measures;
  • other tools provided for in Chapter V GDPR.

A copy of the applicable SCC may be requested at privacy@geocite22.com.

8. Data subject rights

In line with Articles 15-22 GDPR and equivalent local laws, the data subject has the right to:

  • access their data (Art. 15);
  • rectify inaccurate or incomplete data (Art. 16);
  • erase data ("right to be forgotten") in the cases provided (Art. 17);
  • restrict processing (Art. 18);
  • data portability (Art. 20);
  • object to processing (Art. 21), including objecting to direct marketing at any time;
  • not be subject to automated decisions producing legal effects (Art. 22);
  • withdraw consent at any time (Art. 7);
  • lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or the supervisory authority of your EU Member State.

To exercise these rights, please write to privacy@geocite22.com. We will respond without undue delay and in any case within 30 days, extendable by 60 days for complex requests.

8.1 Specific rights for California residents (CCPA/CPRA)

California residents have the additional right to:

  • request detailed information about data collected, sources, purposes, categories of recipients in the past 12 months;
  • request deletion or correction of data;
  • opt out of "sale" or "sharing" of data (we do not sell personal data; California residents may opt out of third-party advertising cookies via the cookie banner and/or "Global Privacy Control" signals).

8.2 Specific rights for UK residents (UK GDPR)

UK residents have the same rights as under GDPR and may complain to the Information Commissioner's Office (ICO).

9. Security

We adopt technical and organizational measures appropriate to the risk to protect data, including: encryption in transit (TLS), least-privilege access management, two-factor authentication for administrators, regular backups, environment segregation, periodic vendor assessment, staff training, processing-activity records.

Despite our efforts, no system is risk-free. In the event of a personal data breach posing risk to data subjects' rights and freedoms, we will notify the competent Authority within 72 hours and, if necessary, the data subjects, pursuant to Articles 33-34 GDPR.

10. Minors

The Services are not directed to children under 16. We do not knowingly collect data from minors. If we become aware of having collected data from a minor without valid parental consent, we will delete it.

11. Automated decision-making

We do not use personal data for automated decisions producing significant legal effects on the data subject under Article 22 GDPR. The Plugin's AI features are content-creation aids under the Customer's control.

12. Roles of Controller and Plugin Customers

The Customer who installs the Plugin on their own WordPress site acts as autonomous Controller in respect of their end visitors' data and the content published. It is the Customer's responsibility to:

  • adopt an appropriate privacy notice on their site;
  • correctly configure the Plugin's features;
  • obtain any necessary consents from end users;
  • handle any AI provider API keys in compliance with applicable law.

For Credits gateway mode (where activated), a dedicated DPA (Data Processing Agreement) may apply, which the Customer is invited to execute.

13. Changes to this notice

We may update this notice from time to time. The date of the latest update is shown at the top. For material changes we will provide notice on the Site and/or by email; for registered Customers, material changes will be communicated at least 30 days in advance.

14. Contact

For any data-protection request:

FA CUBE S.R.L. — Via Massa Avenza 16, 54100 Massa (MS), Italy
Email: privacy@geocite22.com