Privacy Policy
Last updated: May 13, 2026
1. Introduction
CertAddress, operated by 3V Solution, provides AI-powered address validation and normalization services for Italian postal addresses.
This Privacy Policy describes how we collect, use, store, and protect information when you use our services, including our API, web portal, and website.
By accessing or using CertAddress, you acknowledge that you have read, understood, and agree to the practices described in this policy.
2. Information We Collect
Account Information
When you register for an account, we collect:
- Company name and VAT number
- Contact name, email address, and phone number
- Business address (if provided)
Address Data
The addresses you submit for validation are processed in real-time. Address data is not permanently stored unless API usage logging is enabled for your account.
Usage Data
We automatically collect:
- API call timestamps and endpoints called
- Response times and confidence levels
- IP addresses used to access the service
Technical Data
Browser type, device information, and cookies necessary for session management and authentication.
Contact Form Submissions
When you use our contact form, we collect your name, email address, company name (if provided), and the content of your message.
3. How We Use Your Information
We use the information we collect to:
- Provide and improve our address validation service
- Manage your account and process billing
- Communicate about your account, service updates, and support requests
- Monitor service performance, enforce rate limits, and prevent abuse
- Comply with applicable legal obligations (tax, accounting, anti-fraud)
Legal basis (GDPR Article 6)
We process your personal data on the following legal bases:
- Contract performance (Art. 6.1.b) — processing necessary to provide the Service you signed up for (account management, API access, billing).
- Legal obligation (Art. 6.1.c) — processing required by law (tax records retention, fatturazione elettronica via SdI, accounting).
- Legitimate interest (Art. 6.1.f) — processing for service security, abuse prevention, rate limit enforcement, and product improvement (you can object at any time).
- Consent (Art. 6.1.a) — only where explicitly required (e.g., V3 beta tier opt-in).
We do not use your data for advertising, profiling, or automated decision-making with legal effects on you (see also Section 8).
4. Data Processing and Transfers
- Address data submitted for validation is processed in real-time and returned to you immediately.
- We use third-party geographic databases and geocoding services to validate and enrich addresses (see Section 7 for the full sub-processor list). Address data may be transmitted to these services as part of the validation process.
- We do not sell, share, or disclose your address data to third parties for marketing or advertising purposes.
- Processed results may be cached temporarily to improve service performance.
International data transfers
All primary data processing occurs within the European Economic Area (EEA). Specifically, our infrastructure is hosted by Hetzner Online GmbH in Germany.
Some sub-processors (e.g., HERE Technologies) may operate globally. Where a transfer of personal data outside the EEA occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, in compliance with GDPR Articles 44-49.
5. Data Retention
- Account data: Retained for the duration of your account plus 5 years for legal and tax compliance purposes.
- API usage logs: Retained for 45 days, then automatically deleted.
- Address data: Processed in real-time and not permanently stored. May be cached temporarily for performance optimization.
- Contact form data: Retained until the inquiry is resolved, then archived.
6. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data is transmitted via HTTPS/TLS encryption.
- API keys are hashed and never stored in plaintext.
- Access to systems and data is restricted to authorized personnel only.
- We perform regular security monitoring and apply updates promptly.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Garante per la protezione dei dati personali without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR).
7. Third-Party Services and Sub-Processors
Our service relies on third-party providers (sub-processors under GDPR Article 28) for data validation, geocoding, and infrastructure. The following sub-processors may process data submitted to CertAddress:
| Sub-processor | Service | Data processed | Location |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (servers, storage) | All processed data (encrypted at rest) | Germany (EU) |
| HERE Technologies | Geocoding API (street + house number validation) | Address strings (no personal identifiers) | EU (with SCCs for any US transfers) |
| Agenzia delle Entrate (ANNCSU) | Italian official street registry | Address validation queries (local DB, no API calls) | Italy (EU) |
Data sources used (open data attribution)
CertAddress also relies on the following open data sources:
- OpenStreetMap — map data © OpenStreetMap contributors, licensed under Open Database License (ODbL) 1.0.
- ISTAT (Istituto Nazionale di Statistica) — Italian postal codes and municipalities, licensed under Creative Commons Attribution 3.0 Italy (CC BY 3.0 IT).
We select sub-processors that maintain appropriate data protection standards (ISO 27001, SOC 2, or equivalent). However, we do not control these third parties' privacy practices, and we encourage you to review their respective privacy policies.
Business customers may request a separate Data Processing Agreement (DPA) under GDPR Article 28 for documented compliance purposes.
8. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data ("right to be forgotten").
- Right to restrict processing — request that we limit how we use your data.
- Right to data portability — request your data in a structured, machine-readable format.
- Right to object — object to processing of your personal data in certain circumstances.
To exercise any of these rights, please contact us at the email address listed in Section 11 below.
Right to lodge a complaint
In addition to contacting us directly, you have the right to lodge a complaint with the Italian data protection supervisory authority (GDPR Art. 77):
- Garante per la protezione dei dati personali
- Piazza Venezia, 11 — 00187 Roma, Italy
- Email: protocollo@gpdp.it
- Website: www.garanteprivacy.it
Automated decision-making and profiling
We do not use your personal data for automated decision-making with legal or similarly significant effects on you, as defined in GDPR Article 22. We do not profile users or build behavioral models for targeting or advertising.
9. Cookies
- We use essential cookies only for session management and authentication.
- We do not use tracking, advertising, or third-party analytics cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.
Your continued use of the service after any changes constitutes your acceptance of the updated policy.
11. Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: info@certaddress.com
- Company: 3V Solution
- Privacy contact: data-protection inquiries handled by 3V Solution privacy contact at the email above.
Note: CertAddress is not currently required to designate a Data Protection Officer (DPO) under GDPR Article 37, as our processing does not constitute "large scale" systematic monitoring or special category data processing. Privacy inquiries are handled by our dedicated privacy contact at the email above.