Privacy Policy
Last updated May 2026
Quick summary
- Pratica is a UK sole trader and acts as the data controller for personal data processed in delivering the service.
- Personal data is collected only to deliver the service the client has purchased, to meet legal obligations, and to defend legitimate interests (fraud prevention, record-keeping).
- Citizenship and passport files contain special category data (nationality, family relationships, place of birth). This is processed under explicit consent and where necessary for the establishment of legal claims (UK GDPR Art 9.2.a and 9.2.f).
- Pratica does not sell or rent personal data. No advertising cookies, no tracking pixels, no profiling for marketing.
- Data subject rights — access, rectification, erasure, restriction, portability, objection — are honoured within one month of a verified request.
1. Identity of the data controller
Pratica is an independent administrative service, operated as a sole trader under the law of England and Wales. For the purposes of the UK GDPR and the Data Protection Act 2018, Pratica is the data controller. The controller's contact point for all personal-data matters is info@pratica.uk.
2. Definitions
- Personal data — any information relating to an identified or identifiable natural person.
- Data controller — the entity that determines the purposes and means of processing. In this policy, Pratica.
- Data processor — a third party that processes personal data on behalf of the controller (for example, Stripe for payments).
- Special category data — data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. Italian citizenship files may incidentally reveal nationality of origin and family relationships.
- Data subject — the individual to whom personal data relates.
3. Where personal data comes from
- Directly from the client — intake forms, email, portal uploads, communications.
- From third-party processors — Stripe returns payment metadata; Supabase stores authentication tokens; Resend returns email-delivery status.
- Automatically — technical data captured by the website (IP address, browser fingerprint, page-view logs, error traces).
- From public records — in limited cases, Pratica retrieves civil-status records from Italian comuni or UK authorities (GRO, FCDO) on the client's behalf, using the client's name and date of birth.
4. Categories of personal data processed
- Contact details — full name, email address, telephone number, postal address.
- Account credentials — hashed password, authentication tokens, session identifiers.
- Service data — consulate of jurisdiction, appointment preference, citizenship pathway, eligibility notes.
- Civil-status records — birth, marriage, death, naturalisation certificates of the applicant and ancestors, provided by the client.
- Payment information — processed by Stripe. Pratica retains the card brand, last four digits, transaction identifier, and timestamps, but does not store full card numbers.
- Communications — emails exchanged with Pratica, portal messages, attachments.
- Consent records — IP address, user-agent, and timestamp of each acceptance checkbox ticked at checkout.
- Technical data — IP address, browser type, referrer, pages visited, server error traces.
5. Special category data
Italian citizenship files may incidentally contain information that qualifies as special category under UK GDPR Article 9 — in particular, data revealing nationality of origin, family relationships, and (rarely) religion through baptismal records. This data is processed only to the extent necessary for the recognition procedure and is shared only with the relevant consulate, comune, or UK authority on the client's instructions.
The lawful bases for processing special category data are UK GDPR Article 9.2.a (explicit consent given at checkout, by ticking the acceptance box before payment) and Article 9.2.f (processing is necessary for the establishment, exercise or defence of legal claims).
6. Purposes and lawful bases (UK GDPR Article 6)
- Performance of contract (Art. 6.1.b) — delivering the service the client has purchased, processing payments, managing the client portal.
- Legitimate interests (Art. 6.1.f) — record retention, fraud prevention, defending Pratica's rights in disputes, improving the service.
- Legal obligation (Art. 6.1.c) — HMRC tax retention, anti-money-laundering checks where applicable, response to lawful requests from authorities.
- Consent (Art. 6.1.a) — processing of special category data; potential future publication of a redacted screenshot of the booking on a public proof page, if Pratica chooses to publish such a page (see the Service Agreement); marketing communications (Pratica does not currently send any).
7. Sub-processors
Pratica engages the following third-party processors under Article 28 UK GDPR data-processing agreements. Each is bound by confidentiality, security, and breach-notification obligations.
- Stripe Payments UK Ltd — payment processing. PCI-DSS compliant. Data processed in the United Kingdom, Ireland and the United States, under Standard Contractual Clauses and UK adequacy regulations.
- Supabase Inc. — database and authentication hosting. EU region (Frankfurt). Covered by UK and EU adequacy decisions.
- Resend (Plumb Inc.) — transactional email infrastructure. Data processed in the United States under Standard Contractual Clauses (UK IDTA / EU SCCs).
- Vercel Inc. — website and serverless function hosting. Data processed in the European Union and the United States under Standard Contractual Clauses and UK adequacy regulations.
- Cloudflare Inc. — DNS, edge caching, and DDoS protection. Global routing under Standard Contractual Clauses.
Pratica does not sell, rent, or otherwise share personal data with third parties for their own marketing or profiling purposes. This page is updated before any new sub-processor is engaged.
8. International transfers
Some of the processors listed above operate, or have infrastructure, outside the United Kingdom. Each international transfer is made under appropriate safeguards: adequacy decisions adopted by the UK Secretary of State (for EU/EEA transfers); the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (for transfers to third countries including the United States); and, where relevant, supplementary technical and organisational measures (encryption at rest and in transit, access controls, audit logs). A copy of the safeguards in force for a given transfer may be requested at info@pratica.uk.
9. Retention periods
- Active case files — for the duration of the engagement plus 12 months thereafter.
- Civil-status documents submitted by the client — returned, deleted, or anonymised at the client's request after case closure, subject to retention requirements below.
- Payment records — 6 years from the end of the relevant tax year (HMRC requirement under the Finance Act).
- Email correspondence — 3 years from last contact.
- Consent records (timestamps, IP, user-agent captured at checkout) — 6 years from the date of the transaction, for evidentiary purposes in the event of a dispute or chargeback.
- Server access and error logs — 90 days.
- Backups — 35 days, on a rolling basis.
After the applicable retention period, personal data is securely deleted or anonymised. Erasure may be requested at any time, subject to retention requirements imposed by law.
10. Security measures
Pratica applies organisational and technical measures appropriate to the risk of the processing:
- TLS 1.2+ encryption in transit on all client-facing endpoints; AES-256 encryption at rest at the database and storage layer.
- Row-level security policies in the database, restricting access by user identity at the data layer.
- Passwords stored as salted hashes (bcrypt or equivalent); no reversible storage of authentication secrets.
- Multi-factor authentication on all administrative accounts.
- Access to personal data limited to what is strictly necessary for the engagement.
- Daily encrypted backups with 35-day rolling retention and tested restoration procedures.
- Vulnerability monitoring and routine dependency updates.
11. Personal data breaches
Where a personal-data breach is likely to result in a risk to the rights and freedoms of natural persons, Pratica notifies the Information Commissioner's Office (ICO) within 72 hours of becoming aware, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk, affected data subjects are notified directly and without undue delay, in accordance with Article 34.
12. Data subject rights (UK GDPR Articles 15–22)
The client and any other identified data subject are entitled to:
- access the personal data held by Pratica (Art. 15);
- rectify inaccurate or incomplete personal data (Art. 16);
- request erasure (the “right to be forgotten”), subject to retention obligations (Art. 17);
- restrict processing in specific circumstances (Art. 18);
- receive personal data in a structured, machine-readable format and transmit it to another controller (Art. 20);
- object to processing on grounds relating to a particular situation (Art. 21);
- withdraw consent at any time, where consent is the basis;
- not be subject to a decision based solely on automated processing (Art. 22) — see Section 14.
13. How to exercise these rights (Subject Access Requests)
To exercise any right under Section 12, email info@pratica.uk with the subject “Data Request”. Pratica may ask for proof of identity (typically a copy of a photo identity document) before disclosing personal data, in order to prevent unauthorised access.
Pratica responds to each request within one month of receipt, as required by Article 12(3) of the UK GDPR. For complex or numerous requests this period may be extended by two further months, with notice of the extension given within the first month. No fee is charged for a first request; a reasonable administrative fee may apply to manifestly unfounded, excessive, or repeated requests, in accordance with Article 12(5).
14. Automated decision-making and profiling
Pratica does not make decisions concerning clients based solely on automated processing, including profiling, that would produce legal or similarly significant effects on the data subject (UK GDPR Art. 22). Every service decision — eligibility, document acceptance, appointment scheduling — involves human assessment.
15. No sale of personal data; no targeted advertising
Pratica does not sell, rent, license, or otherwise share personal data with third parties for monetary or other valuable consideration. Pratica does not engage in cross-context behavioural advertising and does not deploy advertising cookies, tracking pixels, or profiling identifiers for marketing purposes.
16. Marketing communications
Pratica does not currently send marketing communications. If this changes, marketing email will be sent only with prior explicit consent, separately recorded from the service consent, and with an unsubscribe mechanism in every message.
17. Cookies and analytics
The pratica.uk website uses only essential cookies necessary for session management, authentication, and security (CSRF protection). Aggregate, non-identifying usage statistics are collected through Vercel Analytics (which does not deploy cross-site tracking cookies). Pratica does not use Google Analytics, Facebook Pixel, or any equivalent third-party advertising or profiling technology.
18. Children
Pratica's services are intended for adults of at least 18 years of age. Personal data of minors is processed only when submitted by a parent or guardian as part of a family citizenship file, and only to the extent necessary for that file. Pratica does not knowingly collect personal data from minors directly.
19. Changes to this policy
This policy may be updated periodically to reflect changes in the service, in applicable law, or in sub-processor relationships. Material changes will be reflected by an update to the date at the top of this page. Continued use of the service after a material update constitutes acknowledgement of the change.
20. Complaints
A data subject who believes that Pratica has not handled personal data in accordance with the UK GDPR is entitled to lodge a complaint with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, or via the ICO website at ico.org.uk. Pratica appreciates the opportunity to address concerns directly before a formal complaint is filed: please write to info@pratica.uk.
21. Contact
For any matter relating to personal data, including the exercise of rights under Sections 12 and 13, the direct contact point is info@pratica.uk.