
Data controller: Davide Melis · P.IVA 000000000000

Privacy Policy

Version 2026-06-06 · Effective from June 06, 2026

This policy describes how we process your personal data when you use Trova il Tesoro, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR). We explain what data we collect, for which purposes and on which legal bases, how long we keep it and which rights you may exercise.

Data controller

The data controller is indicated at the bottom of this page, together with the contact details for any data-protection request. You may contact the controller to exercise your rights or for any clarification about this policy.

Categories of data processed

We process: account data (email, username, name, avatar, language); game data (finds made, completions, verification method); geolocation data (latitude, longitude and GPS accuracy captured at an armed stage); the selfie taken at each stage, stored in a private repository; payment data (amounts, status, Stripe identifiers — no card data is stored by us); proof of the consents you give; and security logs (user identifier, event, IP address, technical details).

Purposes of processing

We process your data to: create and manage your account; deliver the treasure hunt and verify the stages (NFC, GPS and selfie); handle payments and the related tax obligations; keep proof of the consents you give; and ensure the security of the service and prevent fraud and abuse.

We do not carry out profiling for marketing purposes at launch. If in the future we introduce further purposes, we will inform you beforehand.

Legal bases

Account, selfie, geolocation and payment data are processed for the performance of the participation contract (Art. 6(1)(b) GDPR). Payments are also processed to comply with legal tax and accounting obligations (Art. 6(1)(c) GDPR).

Service security, audits and fraud prevention rely on our legitimate interest (Art. 6(1)(f) GDPR): the interest pursued is protecting the platform and its users from unauthorised access, tampering and fraudulent conduct. Keeping proof of consents follows the accountability principle (Arts. 5(2) and 7(1) GDPR).

Retention period

Payment data is kept for 10 years from the last entry, under civil-law and tax obligations (Art. 2220 of the Italian Civil Code). Selfies are kept for the duration of the hunt and for a window of about 90 days to handle any disputes. Game and geolocation data (finds) are kept for about 12 months to handle disputes. Audit and security logs are kept for about 6 months (extendable where there are justified anti-fraud needs).

If you request deletion of your account, the data is erased without undue delay, generally within about 30 days, save for legal obligations and the time needed to defend a right. For data with no fixed expiry we indicate the criteria used to determine the retention period.

Recipients and processors

Your data is processed by providers acting as data processors under agreements compliant with Art. 28 GDPR: Supabase (database and storage), Stripe (payments) and Vercel (hosting). Data may also be disclosed to tax or judicial authorities where required by law. We do not sell your data to third parties.

Transfers outside the EU

Some providers (Supabase, Stripe, Vercel) may process data in the United States. Such transfers take place with adequate safeguards, such as certification under the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (EU Dec. 2021/914). You may request a copy by contacting the controller.

Your rights

You have the right to access your data and to obtain its rectification, erasure and the restriction of processing, as well as the right to data portability and the right to object, within the limits set by the GDPR. Where processing is based on consent, you may withdraw it at any time (Art. 7(3) GDPR), without affecting the lawfulness of processing carried out before withdrawal. To exercise your rights you may contact the controller at the details below.

Complaint to the supervisory authority

If you believe that the processing of your data infringes the law, you have the right to lodge a complaint with the supervisory authority. In Italy the competent authority is the Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome; email protocollo@gpdp.it; certified email protocollo@pec.gpdp.it; website www.garanteprivacy.it.

Nature of provision

Providing account, selfie, geolocation and payment data is necessary to take part in the treasure hunts: refusal makes it impossible to deliver the service. Other data is optional and refusal does not affect participation.

Automated decisions

We do not take decisions based solely on automated processing that produce legal or similarly significant effects on you within the meaning of Art. 22 GDPR: the proclamation of the winner is always subject to a human review of the selfie and of the completion evidence. We use automated anti-fraud checks (for example consistency of GPS and timings) as a support, but the final decision remains human.

Partially public profile

Some of your profile data may be visible to other participants, for example your username and avatar, in particular in leaderboards and game pages. Your email, real name and contact details are not made public.

Processing of the selfie

The selfie is a photographic image of the face, examined exclusively by a human operator for the sole visual comparison needed to validate the finds and the winner. No automatic facial recognition is performed, nor any extraction of biometric templates, nor liveness detection.

The legal basis for processing the selfie is the performance of the participation contract (Art. 6(1)(b) GDPR), the selfie being necessary to verify the winner, the core of the service. A photo of the face subject only to the visual review of an operator does not, in itself, constitute biometric data. For added protection, where required, we separately collect a specific explicit consent for this processing, which can be withdrawn at any time.

Data protection officer

The appointment of a Data Protection Officer (DPO) under Art. 37 GDPR is not mandatory. For privacy matters you can nonetheless write to us at the dedicated email address shown in our contact details.

Contact

For any request regarding the processing of your personal data or to exercise your rights, you may contact the controller at the details shown at the bottom of this page.

Data controller

Davide Melis

Warsaw Ordynacka 14

P.IVA 000000000000

davide94melis@gmail.com · davide94melis@pec.it