This privacy notice (“Notice”) describes the manner in which Rifuel (“Rifuel”, “we”) processes the personal data of users (“User”, “you”) who access and use the Rifuel mobile application and the related institutional website (collectively, the “Service”). This Notice forms an integral part of the Terms of Service and applies to anyone who uses the Service in the capacity of a data subject within the meaning of the GDPR.
1. Data Controller
The Data Controller of personal data is Enzo Corsiero, with registered office at Via Cesare Battisti 168, 20099 Sesto San Giovanni (MI), Italy, who can be contacted for any request relating to data protection at the following address: personal@enzocorsiero.com.
No Data Protection Officer (“DPO”) has been appointed, as the conditions making such appointment mandatory under Article 37 GDPR are not met. The Data Controller nevertheless remains the sole competent point of contact for any matter relating to processing.
2. Definitions
Unless otherwise indicated, capitalised terms have the meaning ascribed to them by the GDPR. In particular:
- Personal data: any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
- Processing: any operation performed on personal data (Art. 4(2) GDPR).
- Data Processor: the natural or legal person who processes personal data on behalf of the Data Controller (Art. 4(8) GDPR).
- Data Subject: the natural person to whom the personal data relate.
3. Scope of Application
The Service is intended for adult users residing in the European Economic Area (“EEA”), with particular reference to the markets of Italy, France, Austria, Slovenia, Spain, Portugal, as well as users residing in Switzerland. Processing is carried out in compliance with the GDPR and, where applicable, the Swiss Federal Act on Data Protection (nFADP) by virtue of the adequacy recognition between the EU and the Swiss Confederation.
4. Categories of Data Processed
In the course of providing the Service, Rifuel may process the following categories of personal data:
- Registration and account identification data: e-mail address, first and last name (if provided through Apple or Google Sign-In), unique identifier (UUID) generated by the authentication system.
- Access credentials: password, stored in encrypted form by means of cryptographically secure hashing algorithms (bcrypt) by the authentication service provider. The plaintext password is never accessible to the Data Controller.
- Precise geolocation data: GPS coordinates collected from the device exclusively while the app is in the foreground, for the purpose of calculating the distance from fuel stations and providing relevant results. The point coordinates collected in real time are not stored on the Data Controller's servers.
- Residential/habitual address: latitude and longitude of the location declared by the User as “home”, stored on the Data Controller's servers only if the User voluntarily enters them in the profile settings.
- Vehicle data: name, fuel type, tank capacity, declared consumption, mileage, entered by the User.
- Refuelling and expense data: price per litre, litres dispensed, amount, mileage, reference station, notes, date and time.
- User-Generated Content (UGC): data relating to fuel stations reported by Users (name, address, brand, coordinates, indicated prices, opening hours, services).
- Push notification tokens (FCM token): identifier issued by Firebase Cloud Messaging, associated with the User's account in order to deliver notifications to the device. The token is subject to rotation procedures and reconciliation across multiple devices.
- Service preferences: language, currency, preferred fuel, search radius, alert configuration.
- Technical and diagnostic logs: data relating to the infrastructure and necessary to ensure the security, operational continuity and integrity of the Service (e.g. logs of the hosting providers), processed in accordance with the contractual terms with the same.
Rifuel does not process special categories of data within the meaning of Article 9 GDPR, nor data relating to criminal convictions and offences within the meaning of Article 10 GDPR.
5. Purposes and Legal Bases of Processing
Data are processed for the purposes set out below, each based on the respective legal basis pursuant to Article 6 GDPR:
- (a) Provision of the Service and related functions (creation and management of the account, authentication, synchronisation between devices, search and display of stations, trip planning, recording of refuelling, calculation of consumption). Legal basis: performance of a contract to which the User is a party (Art. 6(1)(b) GDPR).
- (b) Real-time geolocation of the device. Legal basis: express consent of the User, collected through the authorisation mechanisms of the operating system (Art. 6(1)(a) GDPR). Consent is revocable at any time through the device settings.
- (c) Sending of push notifications relating to the Service (price alerts, market anomalies, customised price thresholds). Legal basis: consent (Art. 6(1)(a) GDPR), with the option to disable from the app or operating system settings.
- (d) Management of user reports on fuel stations and the related review/moderation phase. Legal basis: performance of the contract and legitimate interest of the Data Controller in maintaining the quality and integrity of the database (Art. 6(1)(b) and (f) GDPR).
- (e) Security, fraud prevention, protection against abuse (detection of anomalous access, prevention of attacks). Legal basis: legitimate interest of the Data Controller in ensuring the security of the Service and Users (Art. 6(1)(f) GDPR).
- (f) Compliance with legal obligations (response to requests from authorities, documentary retention, management of any disputes). Legal basis: legal obligation (Art. 6(1)(c) GDPR).
- (g) Improvement of the Service through aggregate and anonymous analyses (usage statistics not attributable to individual Users). Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
The User may, at any time, object to processing based on legitimate interest and revoke the consents given, on the understanding that revocation does not affect the lawfulness of processing carried out previously.
6. Nature of the Provision of Data
The provision of data strictly necessary for the performance of the contract (e.g. e-mail address for the creation of the account) is mandatory: any refusal entails the impossibility of accessing the related functions of the Service. The provision of data subject to consent (geolocation, push notifications, residential address) is optional: refusal only entails the limitation of the functions that require such data, with no impact on the remaining functionalities.
7. Methods of Processing
Processing is carried out using electronic tools and with logic strictly related to the purposes indicated above, in compliance with the principles of lawfulness, fairness, transparency, minimisation, accuracy, storage limitation, integrity and confidentiality (Article 5 GDPR). Adequate technical and organisational measures are adopted, including encryption in transit (TLS), access control through authentication, segregation of roles, Row-Level Security policies at database level and backup procedures.
8. Retention Periods
Data are retained for the time strictly necessary to achieve the purposes for which they were collected and, in any event, in accordance with the criteria set out below:
- Account and profile data: for the entire duration of the contractual relationship and up to thirty (30) days from the request for deletion, unless otherwise required by law.
- Data relating to vehicles, refuelling, expenses and searches: until deletion of the account or manual removal by the User; in the event of termination, removed or anonymised within thirty (30) days.
- GPS coordinates collected in real time: processed in memory and not stored on the Data Controller's servers.
- FCM tokens: retained until notifications are deactivated, the app is uninstalled or the account is deleted.
- Notification logs: maximum twelve (12) months.
- Station reports: approved content may remain indefinitely in dissociated form from the identity of the reporter, becoming part of the operational database of the Service. Rejected reports are deleted within ninety (90) days.
- Anonymous and aggregated data: may be retained without time limits, as they are no longer attributable to an identified or identifiable person.
- Data processed for legal obligations or for the defence of legal claims: for the period provided by the applicable legislation, or until the relevant decision becomes final.
9. Recipients and Data Processors
Personal data are not subject to dissemination and are not transferred to third parties for marketing purposes. They may be communicated to the following parties, duly appointed as Data Processors pursuant to Article 28 GDPR or qualifying as autonomous controllers where they act in such capacity:
- Supabase, Inc. — provider of the authentication and database platform, with servers located in the European Union (Frankfurt, Germany) for the instance used.
- Vercel, Inc. — provider of the hosting service for the backend and the website, with execution of functions in the Frankfurt region (Germany).
- Google LLC / Google Ireland Ltd. — provider of Firebase Cloud Messaging for push notifications and, where the User selects it, of the Google Sign-In service.
- Apple Inc. / Apple Distribution International Ltd. — where the User selects Sign in with Apple as the authentication method.
- OpenStreetMap Foundation and CARTO — providers of map tiles. These parties receive only the technical tile requests, without directly identifying data of the User; they may nevertheless process the connection IP address according to their respective privacy notices.
- Institutional bodies to which communication is mandatory by law, upon request of the judicial authority or other competent authorities.
- Legal and tax advisors and appointed professionals, within the limits necessary for the performance of their respective mandates.
10. Transfers of Data Outside the European Economic Area
Data are processed primarily within the EEA. Should certain providers (in particular those based in the United States of America, such as Google and Apple for the services within their respective competence) carry out transfers outside the EEA, these take place on the basis of appropriate safeguards under Articles 44 et seq. GDPR, including, as the case may be, the adequacy decisions of the European Commission (e.g. EU-US Data Privacy Framework) and/or the Standard Contractual Clauses (“SCC”) approved by the Commission, supplemented, where necessary, by additional measures. A copy of the safeguards may be requested from the Data Controller by writing to the address indicated in §1.
11. Rights of the Data Subject
As a Data Subject, you may exercise at any time, free of charge and through facilitated means, the rights provided for in Articles 15-22 GDPR and, in particular, the right of:
- access to personal data and to the information referred to in Article 15 GDPR;
- rectification of inaccurate data and completion of incomplete data (Article 16 GDPR);
- erasure (“right to be forgotten”) pursuant to Article 17 GDPR; deletion of the account is available directly within the app;
- restriction of processing in the cases provided for by Article 18 GDPR;
- portability of the data provided, in a structured, commonly used and machine-readable format (Article 20 GDPR);
- objection to processing based on legitimate interest, also for reasons relating to the personal situation (Article 21 GDPR);
- withdrawal of consent at any time, without prejudice to the lawfulness of processing based on consent given prior to the withdrawal (Article 7(3) GDPR).
Requests may be addressed to personal@enzocorsiero.com. The Data Controller will respond to the request without undue delay and, in any case, within one (1) month from receipt, extendable by an additional two (2) months in cases of particular complexity.
12. Complaint to the Supervisory Authority
Without prejudice to any other administrative or judicial remedy, the Data Subject who considers the processing to be unlawful has the right to lodge a complaint with the competent Supervisory Authority: in Italy, with the Garante per la protezione dei dati personali (Italian Data Protection Authority) (www.garanteprivacy.it), or with the authority of one's Member State of residence or of the place where the alleged infringement occurred (Article 77 GDPR).
13. Minors
The Service is not intended for minors under the age of sixteen (16). The Data Controller does not knowingly collect personal data of persons below the age limit set out in Article 8 GDPR and the national implementing legislation (in Italy, fourteen (14) years pursuant to Article 2-quinquies of Legislative Decree 196/2003). Should the Data Controller become aware of processing involving data of minors, it will promptly arrange for deletion, unless consent has been given by the holder of parental responsibility.
14. Data Security
Technical and organisational measures appropriate to ensuring a level of security adequate to the risk are adopted (Article 32 GDPR), including:
- encryption of data in transit through TLS 1.2 protocols or higher;
- storage of passwords by means of robust cryptographic hashing algorithms;
- role-based access controls and Row-Level Security policies;
- authentication via OAuth 2.0 with PKCE flows for third-party providers;
- storage of the session token in secure storage at operating system level;
- backup, monitoring and recovery procedures;
- vulnerability management and incident response processes.
In the event of a personal data breach (“data breach”) likely to present a risk to the rights and freedoms of natural persons, the Data Controller will fulfil the obligations of notification to the Supervisory Authority (Article 33 GDPR) and, where appropriate, of communication to the Data Subjects (Article 34 GDPR), within the time limits prescribed by law.
15. Tracking, Cookies and App Tracking Transparency
The mobile app does not use cookies in the technical sense defined by Directive 2002/58/EC and subsequent amendments, nor third-party profiling tools for marketing purposes. The institutional website does not install analytics or tracking cookies; only any technical identifiers strictly necessary for the operation of the page are used, exempt from the consent requirement pursuant to Article 5(3) of the ePrivacy Directive and the guidelines of the Garante.
In line with Apple's App Tracking Transparency framework, Rifuel declares that it does not carry out tracking of the User across third-party apps and websites; consequently no ATT prompt is shown pursuant to Apple's policies.
16. Automated Decision-Making and Profiling
The Data Controller does not carry out solely automated decision-making processes, including profiling, which produce legal effects or similarly significantly affect the User pursuant to Article 22 GDPR. Any statistical processing and calculation algorithms (e.g. determination of convenient stations or alerts of price anomalies) have a purely informative function and do not affect the legal sphere of the User.
17. Changes to the Privacy Notice
The Data Controller reserves the right to update this Notice to reflect regulatory, technical or organisational changes. The version in force is always available within the app and on the institutional website, with an indication of the date of the last update. In the event of material changes, the User will be informed with reasonable advance notice through the Service or by communication to the e-mail address of registration.
18. Contact
For any information, request or exercise of the rights referred to in §11, the User may contact the Data Controller at the address: personal@enzocorsiero.com.