Privacy Policy

Last updated: 2026-06-04

Data controller

STROG (strog.finance) is the data controller for personal data processed through this site. Contact: support@strog.finance.

What we collect

Depending on how you use the service:

  • Account data (if you sign up): email address, password (stored only as a bcrypt hash — we never see the plaintext), display name, preferred language, timestamps.
  • Billing data (if you subscribe to Plus or Premium): handled by Stripe Payments Europe Ltd. We store only the Stripe Customer ID, Subscription ID, plan and renewal date. Card numbers, CVC and addresses never reach our servers.
  • Trial-abuse protection: a non-reversible card fingerprint provided by Stripe is stored to prevent multiple free trials on the same card.
  • Security telemetry: IP address (masked in alert emails), user-agent and timestamp of sensitive actions (login, password/email change) for fraud detection and account recovery.
  • Technical logs: standard web request logs (status, latency, error stack).

We do not use advertising or analytics trackers, and we do not sell or share data with marketers.

Why we process this data (lawful bases)

  • Contract performance (Art. 6(1)(b) GDPR): account creation, subscription management, transactional emails (confirm, reset, billing receipts).
  • Legal obligation (Art. 6(1)(c)): fiscal/accounting record retention for billing.
  • Legitimate interest (Art. 6(1)(f)): security, fraud prevention (e.g. card fingerprint, brute-force lockout, IP-based rate limit), service diagnostics.

Who we share data with

Sub-processors we rely on, strictly for the purposes above:

  • Stripe Payments Europe Ltd. — payment processing, customer portal, billing emails.
  • Hostinger International Ltd. — outgoing transactional email (SMTP relay).

We do not transfer data to other third parties for marketing, profiling or resale.

International transfers

Our servers and database are hosted within the EU/EEA. Stripe may transfer billing data outside the EEA under the EU-US Data Privacy Framework and appropriate Standard Contractual Clauses.

Retention

  • Active account data: for as long as the account exists.
  • One-time tokens (email confirm, password reset, change-email): deleted 30 days after expiry or use.
  • Abandoned signup attempts (PendingSignup): deleted after 7 days.
  • Webhook event audit log: 90 days.
  • Deleted accounts are soft-deleted (email is anonymized, sessions invalidated) and fully purged after the legal retention period required for billing records (10 years where applicable).
  • Previous email after a change: retained 30 days for self-recovery in case of account hijacking.

Cookies

Only strictly necessary cookies, all first-party:

  • strog_auth — encrypted session token (HttpOnly, Secure, SameSite=Lax). Required to keep you signed in.
  • strog_csrf — CSRF protection token. Required for any state-changing request.

No advertising, analytics or social-media cookies are used. Because they are strictly necessary, no consent banner is required.

Your rights

Under the GDPR you can at any time:

  • Access your data and obtain a copy (Art. 15).
  • Rectify inaccurate or outdated data (Art. 16) — from /account.
  • Erase your account (Art. 17) — from /account > Delete account.
  • Restrict or object to processing (Arts. 18, 21).
  • Receive your data in a portable format (Art. 20).
  • Lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, garanteprivacy.it) or with your local supervisory authority.

Most rights are exercised directly from your account page. For everything else write to support@strog.finance.

Security

Passwords are stored with bcrypt at cost factor 12. Sessions can be revoked from any device, and all sessions are revoked automatically when you change your password. We send a security alert email to your registered address whenever your password or email is changed.

Changes to this policy

Material changes will be announced via an in-app banner and by email at least 30 days before they take effect. The current version is always available at this URL.

Contact

For any privacy-related request: support@strog.finance