Privacy Policy

1. Data Controller

The Data Controller for personal data processed through this application is:
Roboris S.r.l.
Via Sterpulino 1G, 56121 Pisa (PI), Italy
VAT ID: IT01566380505
Privacy Contact: privacy@roboris.com

For questions about how we handle your personal data, or to exercise your rights under applicable data protection law, please contact us at the address above.

2. Types of Data Collected

Roboris collects only the personal data strictly necessary to provide the Service. Data is collected either directly from you or automatically during your use of the application.

• Contact Data: Email address — required for account creation and authentication.
• Technical Data: IP address and system logs, collected for security monitoring and service operation.
• Usage Data: Information about software licences, machine configurations, and simulations associated with your account, including telemetry data used to verify licence validity and detect unauthorised use (as described in Section 6).
• Billing Data: Payment-related data (e.g. billing name, address, payment method) processed exclusively by our payment provider, Paddle. Roboris does not store full payment card details.

Passwords are stored in a securely hashed format and are not accessible to Roboris in plain text. We do not collect name, surname, phone number, or physical address beyond what is required for billing, and that billing data is managed by Paddle as an independent data controller.

We use the Meta (Facebook) Pixel to measure the effectiveness of our marketing campaigns.

3. Legal Bases and Purposes of Processing

We process your personal data on the following legal bases and for the following purposes:

• Performance of a contract (Art. 6(1)(b) GDPR): To create and manage your account, authenticate your identity, process your subscription, and provide the Eureka3X software and related services.
• Legitimate interests (Art. 6(1)(f) GDPR): To verify licence compliance, detect and prevent unauthorised use or fraud, maintain the security and integrity of our systems, and improve service reliability. Our legitimate interests in protecting the software and our users are not overridden by your rights given the limited nature of data collected for these purposes.
• Legal obligation (Art. 6(1)(c) GDPR): To retain billing and transaction records as required by Italian and EU tax and accounting law.
• Consent (Art. 6(1)(a) GDPR): Where we rely on your consent for any specific processing activity (e.g. optional communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Third-Party Sub-Processors

To deliver the Service, Roboris uses the following sub-processors who may access or process personal data on our behalf. All sub-processors are bound by data processing agreements ensuring an adequate level of protection:

• Google Firebase Authentication — User authentication and identity management. Servers located in the United States. Data transfers to the US are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
• Google Firebase Firestore, Storage & Functions — Database operations, file storage, and backend logic. Servers located within the European Union.
• Google Cloud Platform (GCP) Cloud Functions & Cloud Run — Used for executing internal microservices, including email delivery routing (e.g., account notifications) and legacy database synchronisation. Servers located within the European Union.
• ARUBA S.p.A. — Hosting and infrastructure services. Servers located within the European Union.
• Paddle.com Market Ltd — Payment processing, subscription management, and billing. Paddle acts as Merchant of Record and as an independent data controller for payment data. Please refer to Paddle's Privacy Policy for details of how they process your data.
• Meta Platforms Ireland Limited (Facebook Pixel) — We use the Meta Pixel to track page views and conversions, enabling us to measure the performance of our advertising campaigns. Data collected may include IP address, browser information, and interactions with the website.
• PostHog Inc. — We use PostHog for product analytics to understand how our application is used and to improve the user experience. All PostHog data is hosted on servers located within the European Union (EU) to ensure strict compliance with GDPR data residency requirements.
• OneSignal, Inc. — We use OneSignal to deliver push notifications and important account alerts. Data collected may include device identifiers, browser information, and interaction data with notifications.

Where personal data is transferred outside the European Economic Area (EEA), such transfers are conducted under appropriate safeguards, including Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.

5. Licence Telemetry

The Eureka3X software includes licence compliance and telemetry mechanisms that collect data to:

• Verify the validity of your software licence;
• Detect and prevent unauthorised use or licence circumvention;
• Collect anonymised statistical usage data to improve the software.

This data is tied to your account and device identifiers. By installing and using Eureka3X, you acknowledge and consent to this telemetry as a condition of use, as described in the Terms of Service. Telemetry data is processed on the legal basis of legitimate interest and contractual performance. We do not use telemetry data for advertising or profiling purposes.

6. Cookie Policy

This application uses technically necessary cookies to operate, as well as tracking cookies (Facebook Pixel, PostHog) to measure interactions and advertising effectiveness.

• Session Cookies: Required to maintain your authenticated session and ensure the application functions correctly.
• Preference Cookies: Used to store your consent to this cookie policy and your language preference.
• Tracking Cookies: Used by the Meta Pixel to track page views and conversions, and by PostHog for application analytics. You can control these via your browser settings or your Facebook Ad Preferences.

These cookies are strictly necessary for the operation of the application and do not require your prior consent under applicable law. You may disable cookies in your browser settings, but doing so may prevent the application from functioning correctly.

7. Data Security and Breach Notification

Roboris implements appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorised access. These measures include encryption of data in transit and at rest, access controls, and regular security reviews.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Roboris will notify the competent supervisory authority (the Italian Data Protection Authority, Garante per la protezione dei dati personali) within 72 hours of becoming aware, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay in accordance with Article 34 GDPR.

8. Data Retention

Personal data is retained only for as long as necessary for the purposes for which it was collected:

• Account and service data: Retained for the duration of your account. Upon account deletion or subscription termination, data is retained for a further 30 days to allow for recovery, after which it is permanently deleted. You may request earlier deletion by contacting privacy@roboris.com.
• Billing and payment records: Retained for 10 years as required by Italian and EU tax and accounting obligations (D.P.R. 633/1972 and related legislation).
• Security logs: Retained for a maximum of 12 months, unless a longer period is required for the investigation of a specific incident or legal obligation.

After the applicable retention period, personal data will be securely deleted or anonymised. Once data has been deleted, the rights of access, rectification, erasure, and portability can no longer be exercised in respect of that data.

9. Your Rights

As a data subject under the GDPR, you have the following rights regarding your personal data:

Per esercitare i tuoi diritti ai sensi del GDPR, inclusa la cancellazione dei tuoi dati, puoi inviare una richiesta a privacy@roboris.com. Risponderemo entro 30 giorni.

• Right of access (Art. 15): To obtain confirmation of whether we process your data and receive a copy of it.
• Right to rectification (Art. 16): To request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): To request deletion of your data where there is no longer a lawful basis for processing.
• Right to restriction of processing (Art. 18): To request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): To receive your data in a structured, machine-readable format and transfer it to another controller.
• Right to object (Art. 21): To object to processing based on legitimate interests, including profiling.
• Right to withdraw consent (Art. 7(3)): To withdraw consent at any time where processing is consent-based, without affecting prior processing.
• Right to lodge a complaint: To file a complaint with the Italian supervisory authority (Garante per la protezione dei dati personali) or the supervisory authority in your EU member state of habitual residence.

To exercise any of these rights, submit a written request to privacy@roboris.com. Requests are free of charge and will be addressed within one month of receipt. Where requests are complex or numerous, we may extend this period by a further two months and will inform you accordingly.

10. Changes to This Policy

Roboris may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. Material changes will be communicated to you via email or an in-application notification at least 30 days before they take effect. The date of the most recent revision is shown at the top of this page.

Continued use of the application after the effective date of an updated Policy constitutes acceptance of the revised terms, to the extent permitted by applicable law.