Privacy Policy
Version 2026-06-29·Effective 2026-06-29·Last updated 2026-06-29
This Privacy Policy explains how HPP Design processes personal data when users visit hpp-design.com, access app.hpp-design.com, create an account, use the hydropower turbine sizing tools, request support, subscribe to communications, or purchase paid services.
For the purposes of this Privacy Policy, "HPP Design", "we", "us" or "our" means 54 Holding Srl, with registered office at Via Giuseppe Mazzini 5, 37047 San Bonifacio (VR), Italy, VAT No. IT04395100235, email privacy@hpp-design.com.
1. Scope of this Privacy Policy
This Privacy Policy applies to:
- visitors to hpp-design.com;
- users who access app.hpp-design.com;
- people who create an HPP Design account;
- customers purchasing free or paid sizing services, bundles or other digital services;
- people contacting us for feedback, support, quotations or information;
- newsletter subscribers and other recipients of our communications.
This Privacy Policy does not apply to websites, platforms or services operated by third parties, even where they are linked from HPP Design.
2. Data controller and contact details
The data controller is:
54 Holding Srl
Registered office: Via Giuseppe Mazzini 5, 37047 San Bonifacio (VR), Italy
VAT No. / Tax Code: IT04395100235
Privacy contact: privacy@hpp-design.com
General contact: info@hpp-design.com
No Data Protection Officer has been appointed.
3. Definitions
"Personal data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure and deletion.
"User", "you" or "your" means any visitor, account holder, customer, representative of a company or other person using HPP Design.
"Services" means the HPP Design web application, hydropower turbine sizing tools, generated reports, account area, support features, paid bundles and related online services.
4. Personal data we collect
Depending on how you use HPP Design, we may process the following categories of personal data.
4.1 Account and identification data
Name, surname, email address, company or organisation name, role or professional details if provided, country, telephone number, account username, password hash, authentication data and account settings.
4.2 Business, billing and tax data
Billing name, billing address, country, VAT number or tax identification number, purchase history, selected plan or bundle, coupons, invoice data, Italian electronic invoicing details such as PEC and SDI where applicable, payment status and accounting records.
4.3 Payment data
Payment method selected, transaction identifiers, payment confirmation, payment failure information and limited payment metadata received from our payment provider. Payments are processed by Stripe: full payment card numbers and CVV codes are transmitted directly to Stripe and are not stored by HPP Design.
4.4 Service and project data
Data entered or generated while using the Services, such as sizing names, hydropower site parameters, net head, flow rate, grid frequency, units of measurement, selected turbine type, number of units, layouts, regulation strategies, generator choices, efficiency curves, cavitation-related values, cost estimates, generated PDF reports, configuration history and related metadata.
HPP Design is not intended for storing personal data about third parties inside project or sizing fields. Please do not enter personal data of third parties unless you have a lawful basis and the right to do so.
4.5 Communications and support data
Messages sent through forms, support requests, feedback, attachments if enabled, email correspondence, subject matter of requests, status of support tickets and related internal notes.
4.6 Technical, log and device data
IP address, browser type and version, operating system, device information, language, pages visited, date and time of access, session identifiers, login events, security logs, error logs, diagnostic information and other data automatically transmitted through internet communication protocols.
4.7 Cookie and analytics data
Cookie identifiers, consent choices, browsing interactions and analytics events, as described in the Cookie Policy.
4.8 Marketing preference data
Newsletter subscription status, consent records, preferences, unsubscribe requests, email delivery status and communication history.
5. Sources of personal data
We collect personal data directly from you when you create an account, enter sizing data, purchase services, contact us, use the app or interact with our cookie banner. We may also receive limited data from service providers, such as payment confirmation from Stripe, delivery status from our email provider, security logs from hosting providers, analytics reports from Google Analytics or business identification data from Albacross (where you have consented to marketing cookies).
6. Purposes, legal bases and retention
We process personal data only where we have a lawful basis. The table below summarises the main processing activities.
| Purpose | Categories of data | Legal basis | Typical retention |
|---|---|---|---|
| Create and manage user accounts | Account data, authentication data, settings | Performance of a contract or pre-contractual steps | For the life of the account; inactive accounts may be frozen after 12 months and deleted after 24 months, unless a longer period is required |
| Provide the hydropower sizing tools and generated reports | Account data, service/project data, technical data | Performance of a contract | For the life of the account or until deletion by the user; generated data may be deleted following account termination or inactivity |
| Provide free features, paid bundles and professional services | Account data, service data, plan data | Performance of a contract | For the life of the account and for limitation periods where needed |
| Process payments and manage invoices | Billing, tax, payment metadata, transaction history | Performance of a contract; legal obligations relating to tax, accounting and invoicing | Usually 10 years for accounting and tax records, or any longer period required by law |
| Reply to support, feedback or information requests | Contact data, communications, support data | Performance of a contract; legitimate interests in assisting users and improving the Services | Normally up to 24 months after closure, unless needed for legal claims or statutory obligations |
| Send newsletters and optional marketing communications | Contact data, marketing preferences | Consent; in limited cases, legitimate interests where permitted by applicable law | Until consent is withdrawn or you unsubscribe; proof of consent may be retained for limitation periods |
| Maintain security, prevent misuse and debug errors | Technical data, logs, account events | Legitimate interests in securing the Services; legal obligations where applicable | Security logs are normally retained for a limited period, from 30 days to 12 months depending on risk and system needs |
| Analyse website and app use | Cookie/analytics data, technical data | Consent for analytics cookies | According to the Cookie Policy and analytics settings |
| Identify business visitors and generate B2B leads (Albacross) | Technical data, IP address, derived organisation/company data | Consent for marketing cookies | Until consent is withdrawn; according to the Cookie Policy and Albacross settings |
| Comply with legal obligations | Account, billing, tax, communications and technical data | Legal obligation | As required by applicable law |
| Establish, exercise or defend legal claims | Relevant account, billing, communications, logs and service data | Legitimate interests; legal obligation where applicable | For applicable limitation periods |
Where we rely on legitimate interests, we balance our interests against your rights and freedoms. You may object to processing based on legitimate interests where provided by applicable law.
7. Account, project and generated output data
Your account may contain technical project data and generated outputs. HPP Design processes this data to provide, maintain and improve the Services, to generate reports, to display previous sizings and to make purchased professional sizing credits usable.
You are responsible for the accuracy and lawfulness of any information you enter into HPP Design. Project and sizing data should not include unnecessary personal data.
8. Cookies and similar technologies
We use cookies and similar technologies for authentication, session management, security, preference storage, consent management and, with your consent, analytics. More information is available in the Cookie Policy.
Non-essential cookies are not placed before your consent.
9. Marketing communications
We send newsletters or marketing communications only where we have a lawful basis, such as your consent or another basis permitted by applicable law. You can unsubscribe at any time by using the unsubscribe link in the email or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
10. Who receives personal data
We may share personal data with the following categories of recipients where necessary for the purposes described above:
- hosting, cloud infrastructure, database and backup providers (currently Hetzner Online GmbH, with data centres in the European Union);
- email delivery, transactional email and newsletter providers (currently Brevo (Sendinblue SAS), France, with servers in the European Union);
- payment service providers (currently Stripe);
- accounting, electronic invoicing, tax and administrative service providers;
- analytics providers (currently Google Analytics, used only with your consent);
- business visitor identification and lead-generation providers (currently Albacross (Albacross Nordic AB), Sweden, used only with your consent);
- support/helpdesk and customer relationship tools where used;
- IT security, maintenance and development providers;
- professional advisers, auditors, insurers and legal consultants;
- public authorities, courts, regulators or law enforcement where required by law.
Processors act under our instructions and are required to apply appropriate security and confidentiality measures. Some recipients may also act as independent controllers for their own purposes: in particular, Albacross processes website-visitor data both as our processor (under its Data Processing Agreement) and as an independent controller for its own purposes, in which case its own privacy terms apply to that processing. A current list of processors can be requested at privacy@hpp-design.com.
11. International transfers
Some providers, such as Stripe and Google, may process personal data outside the European Economic Area, in particular in the United States. Where this happens, we rely on transfer mechanisms permitted by applicable data protection law, such as adequacy decisions (including the EU–US Data Privacy Framework, where the provider is certified), Standard Contractual Clauses and supplementary measures where appropriate.
You may request more information about the transfer safeguards used by contacting privacy@hpp-design.com.
12. Data retention
We keep personal data only for as long as necessary for the purposes for which it was collected, including to provide the Services, comply with legal obligations, resolve disputes and enforce agreements.
The main retention periods are:
| Data category | Retention period |
|---|---|
| Website and server logs | Normally no longer than 30 days, unless needed for security incidents, abuse prevention or legal requirements |
| Account data | Until account deletion or termination; inactive accounts may be frozen after 12 months and deleted after 24 months |
| Service and project data | Until deleted by the user or account termination; may be retained for a limited backup period |
| Billing, invoices and accounting records | Normally 10 years or any longer period required by law |
| Payment metadata | For the period necessary for payments, accounting, chargebacks, fraud prevention and legal obligations |
| Support and feedback messages | Normally up to 24 months after closure, unless needed for legal claims or compliance |
| Newsletter data | Until unsubscribe or withdrawal of consent; proof of consent may be retained for limitation periods |
| Cookie consent records | For the period described in the Cookie Policy, normally at least 6 months unless preferences are changed or cookies are deleted |
| Backups | Deleted or overwritten according to backup cycles and security policies |
When personal data is no longer required, we delete it or anonymise it, unless retention is required by law or for legal claims.
13. Security
We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures may include access controls, authentication, encryption in transit, backups, logging, security updates, confidentiality obligations and provider due diligence.
No online service can be guaranteed to be completely secure. You are responsible for keeping your credentials confidential and for notifying us promptly of any suspected unauthorised access.
14. Your rights
Subject to the conditions and limits of applicable law, you may have the right to:
- request access to your personal data;
- request rectification of inaccurate or incomplete data;
- request erasure of personal data;
- request restriction of processing;
- object to processing based on legitimate interests;
- object to direct marketing;
- request data portability;
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with a supervisory authority.
To exercise your rights, contact us at privacy@hpp-design.com. We may ask you for information necessary to verify your identity and process your request.
15. Complaint to the supervisory authority
You may lodge a complaint with the supervisory authority in your habitual residence, place of work or place of the alleged infringement. As HPP Design is established in Italy, the competent Italian authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it).
16. Mandatory and optional data
Some personal data is necessary to create an account, provide the Services, process payments, issue invoices or comply with legal obligations. If you do not provide required data, we may be unable to create your account, provide the requested service or complete a transaction.
Optional data, such as newsletter consent or non-essential cookies, can be refused without preventing use of the core Services, although certain optional features may be unavailable.
17. Children
HPP Design is intended for professional and adult users. You must be at least 18 years old to create an account or purchase Services. We do not knowingly collect personal data from children.
18. Automated decision-making and profiling
We do not use personal data to make decisions based solely on automated processing that produce legal effects or similarly significant effects on users. The turbine sizing outputs generated by HPP Design are technical calculations based on user inputs and engineering models; they are not automated decisions about individuals.
19. Third-party links and services
HPP Design may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties. Please read their privacy notices before using their services.
20. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our Services, providers, legal obligations or processing activities. Material changes will be communicated through the website, app, email or another appropriate method.
21. Contact
For privacy questions or requests, contact:
54 Holding Srl
Email: privacy@hpp-design.com
Address: Via Giuseppe Mazzini 5, 37047 San Bonifacio (VR), Italy