FitServer ShPK
Privacy Policy
Section 1
Data Controller
The Data Controller for personal data collected through www.fitserver.it and the FitCart platform is:
Tirana — Albania
Section 2
Personal Data Collected
In connection with the different features of the platform, we collect the following categories of personal data:
Data provided directly by the user
- Identification data: first name, last name, company name (for business users);
- Contact data: email address;
- Billing data: billing address, tax identification number or VAT number;
- Access credentials: username and password (stored in encrypted form).
Technical data collected automatically
- IP address and browsing data, collected exclusively for technical and security purposes;
- Session data necessary for the proper functioning of the reserved area;
- Access logs for VPS services and account features.
Payment-related data
Credit card data and payment instrument details are never stored on our servers. Processing takes place directly on the systems of certified payment providers (e.g. Stripe, PayPal), in compliance with their respective security standards (PCI-DSS). We receive only the transaction outcome confirmation and an anonymised identifier.
Section 3
Purposes and Legal Bases for Processing
Personal data is processed exclusively for the purposes listed in the table below. We do not use data for marketing purposes, commercial profiling or promotional communications of any kind.
| Purpose | Description | Legal basis |
|---|---|---|
| Account registration | Creation and management of the Customer's reserved area. | Performance of a contract (Art. 6.1.b GDPR) |
| Purchase of services and products | Order management, payment processing, issuance of invoices and receipts. | Performance of a contract (Art. 6.1.b GDPR) |
| Subscription and renewal management | Administration of active services, authorised recurring charges, subscription status updates. | Performance of a contract (Art. 6.1.b GDPR) |
| Transactional communications | Sending notifications regarding: payments received, upcoming payments, failed payments, service activation or deactivation, current subscription status. | Performance of a contract (Art. 6.1.b GDPR) |
| Security and fraud prevention | Customer identity verification, prevention of unauthorised access, service usage monitoring for contractual compliance. | Legitimate interest (Art. 6.1.f GDPR) |
| Legal obligations | Retention of tax and accounting data as required by law; responding to requests from competent authorities. | Legal obligation (Art. 6.1.c GDPR) |
Section 4
Cookies and Tracking Technologies
The website www.fitserver.it uses cookies exclusively for the purposes described below. We do not use profiling cookies, advertising cookies or third-party tracking technologies for commercial purposes.
Third-party cookies
The website may include third-party components strictly necessary for the technical functioning of the platform (e.g. payment providers such as Stripe and PayPal, which may set technical cookies during the checkout process). Such cookies are governed by the respective privacy policies of the providers, to which reference is made.
The website does not use Google Analytics, the Facebook Pixel, advertising retargeting cookies or any other behavioural tracking technology.
Managing cookies
Users may manage or disable cookies at any time through their browser settings. Disabling technical cookies may impair the correct functioning of the reserved area and the purchase process.
Section 5
Recipients of Data
Personal data is not transferred, sold or disclosed to third parties, except in the strictly necessary cases set out below.
Technical partners involved in service delivery
Where the purchased service or product directly involves a technical partner, only the data strictly necessary for the delivery of that service will be communicated exclusively to that partner. By way of example:
- Datacenter infrastructure provider: for the activation and management of the VPS service (e.g. server technical data, subscribed plan);
- Payment providers (Stripe, PayPal): for the secure management of financial transactions;
- Transactional email service provider: exclusively for sending the notifications provided for (order confirmations, payment status, service status).
All technical partners act as Data Processors within the meaning of Art. 28 GDPR, bound by specific agreements ensuring that data is processed in compliance with applicable regulations.
Competent authorities
Data may be disclosed to judicial, tax or supervisory authorities, exclusively upon formal request and within the limits provided by law.
Section 6
Data Retention
Personal data is retained for the period strictly necessary for the purposes for which it was collected, in accordance with the following criteria:
| Data type | Retention period |
|---|---|
| Account and registration data | For the entire duration of the contractual relationship, plus 12 months from account deletion. |
| Billing and transaction data | 10 years from the invoice date, in compliance with Italian tax obligations (Presidential Decree 633/1972). |
| Technical and access logs | Maximum 12 months, unless longer retention is required to handle disputes or authority requests. |
| Transactional email communications | For the entire duration of the contractual relationship, plus 12 months. |
Upon expiry of the retention periods, data is securely deleted or irreversibly anonymised.
Section 7
International Transfers
FitServer ShPK is established in Albania. Because Albania has aligned its data protection principles with European standards, transfers to the Controller's registered office are carried out in accordance with the recognised adequacy criteria.
Where certain technical services involve processing data in third countries (e.g. international cloud infrastructure), such transfers are carried out exclusively to countries benefiting from a European Commission adequacy decision, or on the basis of appropriate safeguards such as the Standard Contractual Clauses adopted by the European Commission (Art. 46 GDPR).
Upon request, the Controller provides specific information on the safeguards adopted for any international transfers carried out.
Section 8
Data Subject Rights
As data subjects, users may exercise the following rights at any time, pursuant to Arts. 15–22 GDPR:
- Right of access: to obtain confirmation as to whether or not personal data concerning them is being processed, and if so, to access such data.
- Right to rectification: to obtain the correction of inaccurate data or the completion of incomplete data.
- Right to erasure ("right to be forgotten"): to obtain the deletion of personal data, unless processing is necessary to comply with a legal obligation or to manage disputes.
- Right to restriction: to obtain restriction of processing of personal data in certain cases provided for by Art. 18 GDPR.
- Right to data portability: to receive personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
- Right to object: to object to the processing of personal data where the legal basis is the Controller's legitimate interest.
Requests to exercise rights may be submitted through the contact form available on the website or to the email address indicated in the Contacts section. The Controller responds within thirty (30) days of receiving the request.
Section 9
Contact and Complaints
For any questions regarding the processing of personal data, to exercise your rights or to report a violation, please contact the Controller through:
Rruga Dëshmorët e 4 Shkurtit, 1001
Tirana — Albania
Right to lodge a complaint with the supervisory authority
Users have the right to lodge a complaint with the competent supervisory authority. The reference authority in Italy is the Garante per la protezione dei dati personali (Italian Data Protection Authority):
- Website: www.garanteprivacy.it
- Address: Piazza Venezia 11, 00187 Rome, Italy
Users may also use the European Commission's ODR platform for alternative dispute resolution: https://ec.europa.eu/consumers/odr.
Updates to this notice
The Controller reserves the right to update this notice to reflect regulatory changes or variations in processing methods. The updated version is published on this page with the revision date. In case of material changes, registered users will be informed by email.