Mega SSL Store

Privacy Policy

Effective date: April 16, 2026

1. Data Controller

The data controller for this website is Mega Labs di Paolo Iannelli (hereinafter “Mega SSL Store”, “we”, “us”, or “our”).

Email: [email protected]

2. Data We Collect

2.1 Account Data

When you create an account, we collect your name, email address, postal address, and company name (if applicable).

2.2 Billing Data

For invoicing purposes, we may collect your VAT number (Partita IVA), fiscal code (Codice Fiscale), and SDI code for Italian electronic invoicing.

2.3 Payment Data

Payments are processed by Stripe and PayPal. We do not store your credit card numbers or payment details on our servers. These payment processors handle your payment information in accordance with the PCI-DSS standard.

2.4 Technical Data

When you visit our website, we automatically collect certain technical data including your IP address, browser type and version, operating system, referring URL, pages visited, and date/time of access.

2.5 Certificate Data

When you order an SSL certificate, you provide domain names, organization details, and contact information required by the Certificate Authority (Sectigo) for certificate validation and issuance.

3. Legal Bases for Processing

We process your personal data on the following legal bases under the GDPR (Regulation EU 2016/679):

  • Contract performance (Art. 6(1)(b)): Processing necessary to manage your account, process orders, and deliver SSL certificates.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, and invoicing obligations under Italian law.
  • Legitimate interest (Art. 6(1)(f)): Processing for website security, fraud prevention, and service improvement.
  • Consent (Art. 6(1)(a)): Processing for marketing communications, only with your explicit consent. Note: our analytics solution (Umami) does not use cookies or collect personal data, so consent is not required for analytics.

4. Data Recipients

We share your personal data with the following categories of recipients, only to the extent necessary:

  • Sectigo / GoGetSSL: Certificate Authority and API provider for SSL certificate issuance and management.
  • Stripe: Payment processing for credit/debit card transactions.
  • PayPal: Alternative payment processing.
  • Brevo (Sendinblue): Transactional email delivery (order confirmations, certificate notifications).
  • Umami: Self-hosted, privacy-focused website analytics. No personal data is shared — all data remains on our servers. Umami does not use cookies and does not collect personally identifiable information.
  • FattureInCloud: Electronic invoicing for Italian tax compliance.

5. Data Retention

  • Account data: Retained while your account is active and for 10 years after account closure, as required by Italian tax and accounting law (Art. 2220 Codice Civile).
  • Billing and invoice data: Retained for 10 years as required by Italian fiscal regulations.
  • Analytics data: Our analytics (Umami) are self-hosted and do not collect personal data. Aggregated, anonymous traffic data is retained indefinitely for trend analysis.
  • Technical logs: Retained for a maximum of 90 days for security purposes.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Obtain confirmation of whether your data is being processed and access your personal data.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact us at [email protected].

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.

7. International Data Transfers

Some of our service providers (Stripe, PayPal) process data in the United States. These transfers are protected by the EU-U.S. Data Privacy Framework (DPF) or, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

9. Changes to This Policy

We may update this privacy policy from time to time. The effective date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically. Continued use of our services after changes constitutes acceptance of the updated policy.