Privacy Policy
1. Controller Identity
Registered office: Via Salaria n. 719 – 00138 Roma (RM), Italy
Operational headquarters: Viale Restelli 3/7 – 20124 Milano, Italy
VAT no.: 09898921003 · REA: RM – 1195715
Share capital: € 200,000 fully paid up
Company subject to the direction and coordination of Dst S.r.l.
Website: www.dstech.it
2. Scope
This policy applies to Parkly, a parking spot management platform used by employees and visitors of DS TECH S.r.l. to book parking spaces.
It covers personal data collected through:
- The Parkly mobile/web application (SSO login via Microsoft Azure AD)
- The Parkly admin panel – role-restricted
- Automated system notifications (email, push)
- Visitor pass generation and visitor self-service pages
3. Data We Collect
3.1 Registered users (employees)
| Data | Source | Purpose |
|---|---|---|
| First name, last name | Azure AD SSO | Identity, personalisation |
| Corporate email address | Azure AD SSO | Authentication, notifications |
| Azure AD identifier (OID / ssoId) | Azure AD SSO | Account linking (internal only) |
| SSO provider (ssoProvider) | Azure AD SSO | Identity federation |
| Role (e.g. Utilizzatore, Assegnatario) | Admin assignment | Access control |
| Notification preferences (per-notification-type) | User settings | Email/push delivery |
| Device tokens (Firebase FCM) | Mobile app | Push notifications |
| Booking history | User activity | Service delivery |
| Assigned parking spot | Admin assignment | Reserved spot management |
3.2 Visitors
When a registered user creates a visitor booking, the following data is collected and stored on behalf of the hosting employee:
| Data | Required | Purpose |
|---|---|---|
| First name, last name | Yes | Visitor identification |
| Email address | Optional | Digital pass delivery, self-service access link |
| Phone number | Optional | Contact |
| Vehicle plate number | Optional | Access control |
| Notes | Optional | Additional context |
| Digital pass token (QR code) | Generated | Gate/access verification |
| HMAC-signed self-service token | Generated | Visitor self-service access (see §6.2) |
3.3 Admin / audit data
| Data | Purpose |
|---|---|
| Admin email, action type, target, timestamp | Immutable audit log |
| Reason for administrative actions (e.g. spot suspension) | Accountability |
PII within AdminLog.details related to deleted users is anonymised at write time on USER_DELETED events.
3.4 System data
- Application logs (errors, system events) — do not contain PII beyond user ID
- Rate limiting data (IP address, in-memory only, TTL = 15 minutes)
5. How We Use Your Data
- Booking management: creating, confirming, and cancelling parking reservations
- Access management: assigning spots to employees, managing reserved spot confirmations
- Visitor access: generating digital passes (QR codes) for pre-authorised visitors and powering the visitor self-service page
- Notifications: sending booking confirmations, reminders, data-export-ready alerts, and visitor-data-change notices via email and push
- Administration: managing roles, categories, retention settings, and system configuration through the admin panel (routes are restricted by role weight)
- Audit trail: recording administrative actions for accountability and compliance
- Data-subject self-service: generating on-demand GDPR data exports (ZIP archive) delivered via a stateless signed download URL
We do not use personal data for:
- Advertising or marketing to third parties
- Automated profiling or scoring
- Selling or sharing data with third parties for commercial purposes
6. Data Subject Rights
6.1 Registered users
You have the following rights under GDPR:
| Right | How to exercise |
|---|---|
| Access (Art. 15) — obtain a copy of your data | In-app: Privacy self-service page → Export my data (ZIP download via signed URL, expires after the configured window). Or contact privacy@dstech.it. |
| Rectification (Art. 16) — correct inaccurate data | Identity data is sourced from Azure AD and must be corrected there; in-app settings cannot be edited directly. |
| Erasure (Art. 17) — delete your account | In-app: Settings → Delete account, or contact privacy@dstech.it. PII in related audit entries is anonymised on deletion. |
| Portability (Art. 20) — machine-readable export | In-app: Privacy self-service page (JSON in ZIP archive). |
| Object (Art. 21) — object to processing based on legitimate interest | Contact privacy@dstech.it. |
We will respond within 30 days. Complex requests may be extended to 90 days with notice.
6.2 Visitors
If your data was submitted as part of a visitor booking, you can:
- Access and edit your own data directly via the personalised link contained in the digital-pass email. The link carries a signed token tied to the specific booking.
- Request deletion by contacting privacy@dstech.it with your full name and approximate visit date, or by asking the hosting employee to cancel the booking (which removes your data from the active system).
Visitor booking data is also automatically purged by the retention job — see §7.
7. Data Retention
Retention is enforced by a scheduled job that runs daily and invokes the purge endpoints.
| Data | Retention period | Rationale |
|---|---|---|
| User account | Until account deletion | Contract necessity |
| Bookings (including visitor data) | 365 days after use | Service history, minimisation |
| Digital pass token | Invalidated after use or booking cancellation | Access control |
| Audit logs (AdminLog) | 2 years | Accountability |
| Device tokens (FCM) | 90 days of inactivity | Notification delivery |
| Assignee confirmation requests (terminal state) | 90 days after use | Service history |
| GDPR data export files | Expire after the configured export window; purged from storage by the same cron job | Self-service access |
| Rate limiting data (IP) | 15 minutes | Abuse prevention |
8. Data Sharing and Transfers
8.1 Sub-processors
| Provider | Role | Data shared | Location |
|---|---|---|---|
| Microsoft Azure AD | SSO identity provider | Email, name, OID | EU / US |
| Firebase (Google) | Push notifications | Device token, notification payload | US |
| Nodemailer / SMTP provider | Email delivery | Email address, name | EU |
| cron-job | Scheduled job triggers | No personal data | EU |
| Host | Application hosting | All request data | EU |
8.2 International transfers
Some sub-processors (Firebase, Microsoft Azure AD) may transfer data outside the EU/EEA. These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
- Adequacy decisions where applicable
9. Security
We implement the following technical and organisational measures:
- Authentication: Microsoft Azure AD SSO
- Authorisation: Role-based access control with weighted privilege levels; admin routes are gated by role weight both in the API and in the UI
- Transport security: TLS/HTTPS for all connections; Helmet CSP directives configured for SSO, analytics and embeds
- Database: Hosted on VODAFONE-IT-ASN with encryption at rest
- Audit trail: Immutable log of all administrative actions; PII of deleted users is anonymised at write time
- Rate limiting: Applied to all API endpoints to prevent abuse, with dedicated limiters for visitor verification and visitor self-service edit flows
- Visitor pass tokens: Cryptographically secure 64-character hex tokens, single-use invalidation
- Data export URLs: Stateless, short-lived signed URLs — no token persisted in the database
- Internal identifiers: Azure AD ssoId is never exposed in API responses
10. Automated Decision-Making
Parkly does not make automated decisions with legal or similarly significant effects on individuals (Art. 22 GDPR). Booking availability is determined by configurable system rules, not individual profiling.
11. Changes to This Policy
We will notify registered users of material changes via email at least 30 days before they take effect. The current version is always available at /privacy-policy.html.
12. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:
- Italy: Garante per la protezione dei dati personali
- Other EU countries: Your national DPA
13. Contact
For any privacy-related requests or questions: