Orangedev and the GDPR

Orangedev guarantees its customers the correct application of the provisions of the GDPR for the services provided. The processing of data carried out through our software takes place separately for each Service through the “Special Conditions for the Processing of Personal Data” (DPA), customized for the specific Service, generally provided as a separate document. The Data Controller is Orangedev S.r.l, with registered office in via Panciatichi 40, 50127 Florence. Each interested party can contact by sending his request to

Processing of the Customer’s personal data
Our customers’ data is handled with the utmost care, in compliance with the directives of the GDPR regulation.

Privacy by default and by design
Our software has always been designed and implemented following the concept of “Data protection by default and by design”.

Data integrity and security
We use encryption for data for which we believe we need to ensure a level of security appropriate to the risk of its loss or theft.

Log storage in accordance with the law
We undertake to keep the logs in accordance with the law for the period prescribed by Italian law.

Data export
The access logs and audit logs can be exported by the service administrators using special tools made available at any time during the period of validity of the contract.

Deletion of data
Users can delete their data at any time. When a request for definitive elimination is sent (such as the cancellation of an account used for the provision of our Services), the data will be removed from any system within a maximum of 90 days, unless otherwise required by law.

Data privacy
In order to maintain security and prevent data processing in violation of the regulation, we undertake to assess the risks inherent in processing and implement measures to mitigate such risks such as encryption to protect data in transit.

Vulnerability management
To detect any software vulnerabilities, we use internally developed tools; we also carry out periodic tests to check for possible violations.

Treatment Register
We have prepared the “Register of Processing”, i.e. a register of the processing activities carried out, available to the supervisory authority.

Staff training
All Orangedev collaborators have followed internal training courses relating to the provisions of the GDPR and are constantly updated and made aware of the issues of security and confidentiality of the data we process.

Orangedev as Data Controller
Orangedev srl operates as “Data Controller” when it determines the purposes and means of processing personal data. This is the case in which Orangedev collects data for billing, for improving the service, for sales initiatives, requests for technical assistance, commercial management or even when Orangedev processes the personal data of its employees. In this case, “your” data hosted on Orangedev services are not affected by the processing, unlike some information concerning you or your employees (for example information relating to the identity and coordinates of your contact in Orangedev within the context of a Support Request). More generally Orangedev guarantees to:

  • limit the collection of data to those strictly necessary;
  • not use personal data for purposes other than those for which they were originally collected;
  • retain personal data for a limited period, i.e. for the entire duration of the contract and the following 12 months;
  • not to transfer this data to third parties who are not part of the companies of the Group or who are not involved in the execution of the contract.


Orangedev as Data Processing Manager
Orangedev srl operates as a “Data Processor” when it processes personal data on behalf of a Data Controller, for example when using Orangedev services and storing users’ personal data on the Orangedev infrastructure. Within the limits of its technical constraints, Orangedev will process the data hosted exclusively according to the indications, and on behalf of the Customers, who are Data Controllers or have received instructions to be authorized by any other Data Controllers to allow Orangedev the Treatment. In these cases Orangedev undertakes to:

  • process personal data exclusively for the purpose of the correct execution of the services;
  • do not transfer your data outside the EU;
  • implement high security standards in order to ensure a high level of security for our services;
  • notify you as soon as possible in the event of a data breach;
  • assist you in fulfilling your regulatory obligations by providing you with adequate documentation of our services.


What Orangedev customers must do?
The new legislation requires you to adopt a series of measures to adequately protect the data of the people with whom your company or your studio has to work, for example the data of your employees and your customers. The first thing to do, therefore, is become aware:

  • Get informed (for example here , /index_it.htm and here and evaluate which of the new introduced by the new Regulation are applicable to your business.
  • Consult an expert to get legal advice related to your company;
  • Notify your customers/employees, for active services with us, that the Data Processing Manager is Orangedev;
  • Update your Privacy Policy to take into account that of Orangedev.


Contact data DPO (Data Processor) Paragraph 7 of article 37 of the European Privacy Regulation EU/2016/679 (GDPR) requires each data controller or each data processor to make public the contact details of their RPD (Data Processing Manager, also known as DPO, Data Protection Officer) and to communicate them to the Guarantor Authority for the Protection of Personal Data. In compliance with this rule, Orangedev s.r.l. publishes the contact details of its DPO, as communicated to the Privacy Guarantor on 17/07/2020:

Dati di contatto

FAQ (Frequently Asked Questions)

Who is the Data Controller? The Data Controller is the one who determines the purposes and means of the processing of personal data.

Who is the Data Processor? Data Processor is the person who processes personal data on behalf of a Data Controller.

What is personal data? Personal data is any information relating to an identified or identifiable living person.

What is sensitive data? Sensitive data are those that can reveal racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, health and sex life. Example of personal data:

  • name and surname;
  • home address;
  • e-mail address, such as;
  • identity card number;
  • location data (e.g. the location function on a mobile phone);
  • an Internet Protocol (IP) address;
  • a cookie ID;


Examples of data not considered personal:

  • commercial register number of a company;
  • e-mail address not attributable to a well-identified person, for example “”;
  • anonymised data.


What constitutes data processing? Processing encompasses a wide range of operations performed on personal data, including those by manual or automated means. It includes the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, the comparison or interconnection, limitation, deletion or destruction of personal data.

Who is the owner of the data hosted and archived on Orangedev services? The data archived by the customer, who uses the Orangedev services, remain the property of the customer. Orangedev does not access these data or use them, except when strictly necessary and within the limits of its technical constraints.

In which cases can Orangedev access the Customer’s data hosted and archived on our services? Orangedev accesses data only in the following situations:

  • for the purpose of performing the services and in particular to optimize customer assistance when they contact Orangedev technical support. In this case, access to user data remains controlled thanks to precise authorizations and activity logs;
  • to fulfill legal obligations in the context of strictly controlled judicial and/or administrative requests.