Privacy & Cookie Policy
Last updated: March 2026
This policy describes how personal data of users who visit and use the website ninjapublisher.com (hereinafter “Website” or “Service”) is processed, and which cookies and similar technologies are used by the Website. It is drafted pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”), Italian Legislative Decree 196/2003 as amended by Italian Legislative Decree 101/2018 (“Privacy Code”), and the Guidelines on cookies and other tracking tools issued by the Italian Data Protection Authority (provision no. 231 of June 10, 2021).
1. Data Controller
Ninja BSR di Vincenti Giovanni
Sole proprietorship
Via Brunelleschi 17, 90145 Palermo (PA), Italy
VAT Number: 07395630820
Email: admin@ninjapublisher.com
The Data Controller has not appointed a Data Protection Officer (DPO), as the appointment is not mandatory under Article 37 GDPR: the Data Controller does not carry out large-scale processing of special categories of data, nor regular and systematic monitoring of data subjects on a large scale.
2. Personal data collected
The Data Controller collects and processes the following categories of personal data:
a) Data voluntarily provided by the user
| Data | Collection method | Mandatory |
|---|---|---|
| Username | Provided by the user during registration | Yes |
| Email address | Provided by the user during registration | Yes |
b) Data collected automatically
| Data | Collection method | Purpose |
|---|---|---|
| Browser language | HTTP Accept-Language header |
Display the Website in the correct language |
| IP address | Automatic server logs (Hostinger) and security plugin (Wordfence) | Security, diagnostics, attack prevention |
| Browsing data | Server logs: visited URL, timestamp, user agent, HTTP response code | Technical server operation and diagnostics |
The Website does not use analytics tools (such as Google Analytics), tracking pixels, nor does it profile users. No special categories of personal data (sensitive data) within the meaning of Article 9 GDPR are processed.
3. Purposes and legal basis of processing
| Purpose | Data used | Legal basis |
|---|---|---|
| Registration and account management Creation and maintenance of the user account for access to the subscription-based Service |
Username, email | Performance of a contract (Art. 6.1.b GDPR) |
| Transactional communications Sending service-related emails: welcome, account confirmation, subscription notifications |
Performance of a contract (Art. 6.1.b GDPR) | |
| Payment management Processing subscriptions through the payment provider Paddle |
Email (transmitted to Paddle). Payment data collected directly by Paddle. | Performance of a contract (Art. 6.1.b GDPR) |
| Language localization Detection of the browser’s preferred language to display the Website in the correct language |
Browser language | Legitimate interest (Art. 6.1.f GDPR) |
| Website security Protection against cyberattacks, unauthorized access attempts, malware, and other security threats through the Wordfence plugin |
IP address, user agent, timestamp, login attempts | Legitimate interest (Art. 6.1.f GDPR) |
| Server logs Automatic recording of HTTP requests for diagnostics and security |
IP address, visited URL, timestamp, user agent, HTTP response code | Legitimate interest (Art. 6.1.f GDPR) |
| Legal compliance Retention of billing data for tax and accounting obligations |
Billing data (managed by Paddle) | Legal obligation (Art. 6.1.c GDPR) |
The Data Controller does not send marketing communications, newsletters, or promotional emails. The only emails sent are strictly related to the operation of the Service.
Note on legitimate interest: Where processing is based on the legitimate interest of the Data Controller (Art. 6.1.f GDPR), the user has the right to object to processing at any time, under the conditions set out in Article 21 GDPR. The legitimate interest has been assessed by balancing the security and operational needs of the Website with the rights and freedoms of data subjects.
4. Methods of processing
Personal data is processed using electronic tools, with logic strictly related to the stated purposes and in any case in a manner that ensures the security and confidentiality of the data, in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality (Art. 5 GDPR).
Appropriate technical and organizational security measures are adopted pursuant to Article 32 GDPR, including: encryption of communications via SSL/TLS, password hashing, web application firewall (Wordfence), periodic backups, and data access restricted to the Data Controller only.
5. Cookies and other technologies
Cookies are small text files that websites send to the user’s device (computer, tablet, smartphone), where they are stored and then retransmitted to the same websites on subsequent visits. Cookies allow the website to function properly and to remember user preferences.
This Website uses only essential technical cookies strictly necessary for the operation of the service and the security of the website. No profiling cookies, marketing cookies, or analytics cookies are used.
5.1 WordPress technical cookies (first-party)
| Cookie | Purpose | Duration |
|---|---|---|
wordpress_logged_in_* |
Identifies the authenticated user and maintains the login session after accessing the restricted area | Session / until logout |
wordpress_sec_* |
Ensures the security of the authenticated area and verifies the user’s identity | Session / until logout |
wp-settings-*wp-settings-time-* |
Stores user interface preferences in the administration panel | 1 year |
PHPSESSID |
PHP session identifier required for server operation | Session (deleted when the browser is closed) |
5.2 Security technical cookies (first-party, Wordfence)
| Cookie | Purpose | Duration |
|---|---|---|
wfwaf-authcookie-* |
Used by the Wordfence application firewall to verify whether the current user is authenticated and their access level, in order to apply the appropriate security rules | 12 hours (renewed on each access) |
wf_loginalerted_* |
Prevents repeated security alerts for the same login event | Session |
wfCBLBypass |
Technical cookie for Country Blocking bypass by authorized users (if enabled) | 24 hours |
All Wordfence cookies listed above are first-party technical cookies, installed directly on the ninjapublisher.com domain. They are strictly necessary for the security of the Website and do not track the user or perform any profiling.
5.3 Third-party cookies (Paddle, payments)
During the payment process, the Website uses an integrated overlay provided by Paddle.com Market Limited for subscription processing. Paddle may set its own technical cookies necessary to complete the transaction and prevent fraud.
These cookies are managed directly by Paddle and are subject to Paddle’s privacy policy: www.paddle.com/legal/privacy.
The Data Controller does not have access to cookies set by Paddle and does not use them for any tracking or profiling purposes.
5.4 Other technologies
The Website automatically detects the user’s browser language (via the HTTP Accept-Language header) in order to display content in the appropriate language. This information is not stored in cookies, is not associated with the user’s identity, and does not constitute tracking activity.
The Website does not use: web beacons, tracking pixels, fingerprinting techniques, local storage for tracking purposes, or any other profiling tools.
5.5 Consent banner
5.6 How to manage cookies
You can manage your cookie preferences through your browser settings. Below are links to instructions for the main browsers:
Please note: disabling technical cookies may compromise the proper functioning of the Website, prevent access to the restricted area, and reduce the effectiveness of security protections.
6. Recipients and data processors
Personal data may be disclosed to the following third parties, who act as data processors pursuant to Article 28 GDPR or as independent data controllers:
a) Paddle.com Market Limited — Payments
Paddle operates as Merchant of Record: for payment transactions, Paddle acts as an independent data controller for payment data (credit card, billing address). The Data Controller transmits the user’s email address to Paddle for subscription association, for which Paddle acts as a data processor.
Headquarters: United Kingdom
Privacy policy: www.paddle.com/legal/privacy
b) Hostinger International Ltd — Hosting
The Website is hosted on Hostinger’s servers, which acts as a data processor for all data stored on its infrastructure (database, server logs, files).
Headquarters: Lithuania (EU)
Privacy policy: www.hostinger.com/privacy-policy
c) Brevo (formerly Sendinblue) — Transactional emails
Transactional emails (welcome, account confirmation, subscription notifications) are sent through Brevo’s SMTP service, which acts as a data processor for the user email addresses necessary for delivery.
Headquarters: France (EU)
Privacy policy: www.brevo.com/legal/privacypolicy
d) Defiant Inc. (Wordfence) — Website security
The Wordfence security plugin, developed by Defiant Inc., processes IP addresses and security data to protect the Website from cyberattacks. Some data (IP addresses) may be transmitted to Defiant’s servers for firewall rule updates and threat intelligence.
Headquarters: United States of America
Privacy policy: www.wordfence.com/privacy-policy
Personal data is not disseminated, nor is it disclosed to third parties other than those listed above, except where required by law.
7. Data transfers outside the EU
Some of the third parties listed above are headquartered or have sub-processors outside the European Economic Area (EEA). Transfers are carried out on the basis of the following safeguards:
| Recipient | Country | Safeguard |
|---|---|---|
| Paddle.com Market Ltd | United Kingdom | European Commission adequacy decision (June 28, 2021). For any additional transfers: Standard Contractual Clauses (SCCs). |
| Hostinger International Ltd | Lithuania (EU) | Headquartered in the EU. For any sub-processors outside the EU: Standard Contractual Clauses (SCCs). |
| Brevo (Sendinblue) | France (EU) | Headquartered in the EU. For any sub-processors outside the EU: Standard Contractual Clauses (SCCs). |
| Defiant Inc. (Wordfence) | United States | EU-US Data Privacy Framework (DPF), where applicable. Alternatively: Standard Contractual Clauses (SCCs). |
The user may request a copy of the safeguards adopted for transfers outside the EU by writing to admin@ninjapublisher.com.
8. Data retention period
| Data | Retention period |
|---|---|
| Username and email (active account) | For the entire duration of the subscription and active account |
| Username and email (deleted account) | Deleted within 7 days of the deletion request |
| Billing data (managed by Paddle) | Retained by Paddle for the period required by applicable tax obligations (up to 10 years) |
| Server logs (Hostinger) | Retained according to Hostinger’s policies (typically 30–90 days) |
| Security logs (Wordfence) | Traffic logs: 7 days (default). Firewall logs: 30 days (default). Configurable by the Data Controller. |
9. Data subject rights
As a data subject, the user may exercise the following rights under the GDPR at any time:
- Right of access (Art. 15) — obtain confirmation of the existence of processing and access to one’s personal data;
- Right to rectification (Art. 16) — obtain the correction of inaccurate data or the completion of incomplete data;
- Right to erasure (Art. 17) — obtain the deletion of one’s data, in the cases provided for by law;
- Right to restriction (Art. 18) — obtain the restriction of processing in the cases provided for by law;
- Right to data portability (Art. 20) — receive one’s data in a structured, commonly used, and machine-readable format;
- Right to object (Art. 21) — object at any time to the processing of one’s data based on the legitimate interest of the Data Controller (including security processing and server logs);
- Right to lodge a complaint — file a complaint with the competent supervisory authority: Garante per la Protezione dei Dati Personali (Italian Data Protection Authority), Piazza Venezia 11, 00187 Rome, www.garanteprivacy.it, email: garante@gpdp.it.
How to exercise your rights: The user may exercise their rights by writing to admin@ninjapublisher.com. The Data Controller will respond within 30 days of receiving the request, extendable by a further 60 days in cases of particular complexity (Art. 12.3 GDPR). The exercise of rights is free of charge, except for manifestly unfounded or excessive requests.
10. Provision of data
The provision of personal data (username and email) is necessary for registration to the Service and subscription management. Failure to provide such data makes it impossible to create an account and use the Service.
Automatically collected data (IP address, server logs, security data) is processed for the technical operation and security of the Website and does not require active provision by the user.
11. Automated decision-making processes
The Data Controller does not employ any automated decision-making process, including profiling, within the meaning of Article 22 GDPR. The Wordfence plugin may automatically block IP addresses based on predefined security rules (e.g., too many failed login attempts): such blocking is a technical security measure and does not constitute profiling or an automated decision relating to personal data that produces legal or similarly significant effects on the data subject.
12. Changes to this policy
The Data Controller reserves the right to make changes to this Privacy & Cookie Policy at any time. The date of the last update is indicated at the top of this page. In the event of substantial changes, the Data Controller will notify registered users by email. Users are encouraged to review this page periodically.