Legal

The Data Controller of your personal data is Roberto Galati, a private individual based in Italy, operating Essential City Info.

Contact email for any privacy-related request: support@essentialcityinfo.com.

We are not legally required to designate a Data Protection Officer (DPO) under Article 37 GDPR, but the contact above handles all data-protection requests within statutory deadlines.

Account data (when you choose to register): email address, password (stored only as a salted hash by our authentication provider), display name, nationality (optional), preferred language.

Usage data: routes you visit inside the Service, language preference, device type, anonymous session identifiers.

Technical data: IP address (used by hosting providers strictly for security and to deliver the response, not stored by us in identifiable form), browser user-agent, basic crash diagnostics.

Geolocation data: approximate or precise location, only if you grant explicit browser permission. Location is processed in your browser/device to compute distances and is NOT stored on our servers.

Favourites and preferences: identifiers of points of interest you mark as favourite, stored locally on your device (localStorage) and, if you are logged in, optionally synced to your account.

Feedback data: optional text reports you voluntarily submit (e.g. "report incorrect data").

We do NOT knowingly collect special categories of data (Article 9 GDPR) such as health, religion, political opinions, biometrics, etc.

Providing the Service (showing nearby points of interest, ZTL zones, transit, alerts) — legal basis: performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in operating the Service (Art. 6(1)(f)).

Authentication and account management — legal basis: performance of a contract (Art. 6(1)(b)).

Geolocation features — legal basis: your explicit consent (Art. 6(1)(a)), revocable at any time via your browser/device settings.

Security, fraud prevention, abuse mitigation — legal basis: legitimate interests (Art. 6(1)(f)).

Analytics and product improvement (if and when enabled) — legal basis: your consent (Art. 6(1)(a)) collected via cookie banner.

Compliance with legal obligations (e.g. responding to lawful requests from competent authorities) — legal basis: legal obligation (Art. 6(1)(c)).

Handling user feedback or support requests — legal basis: legitimate interest (Art. 6(1)(f)).

We rely on the following processors (sub-processors) that act on our documented instructions under Art. 28 GDPR:

Supabase (database, authentication, file storage) — operated by Supabase Inc., infrastructure in EU regions where available. Data processing agreement and Standard Contractual Clauses (SCCs) in place for any extra-EEA component.

Cloudflare (CDN, edge hosting, DDoS protection) — operated by Cloudflare Inc., USA. SCCs in place.

Lovable (development and deployment platform) — operated by Lovable AB, Sweden (EU).

Paddle (Merchant of Record, payment processing, billing, tax compliance, invoicing, fraud prevention, refunds and customer support for paid orders) — operated by Paddle.com Market Limited, United Kingdom, and its affiliates. When you purchase Premium, the following personal data is shared with Paddle: name, email address, billing address, IP address, country, payment method details and transaction information. Paddle acts as an independent data controller for payment data. See Paddle's Privacy Policy at https://www.paddle.com/legal/privacy and Buyer Terms at https://www.paddle.com/legal/checkout-buyer-terms.

Public/open-data sources we DISPLAY (we do not transmit your personal data to them): Roma Capitale, ATAC, Roma Mobilità, OpenStreetMap, Salutelazio, Protezione Civile, MIT, ARPA Lazio, Civil Aviation. These are sources we read FROM, not destinations we send to.

We do NOT sell, rent or trade your personal data to advertisers, data brokers or any third party for monetary or non-monetary consideration.

Your data is primarily stored on infrastructure located in the European Union. Where any processor operates servers outside the EEA, transfers are protected by appropriate safeguards under Chapter V GDPR, namely European Commission adequacy decisions, Standard Contractual Clauses (SCCs) and supplementary measures (encryption in transit and at rest).

For users in the United Kingdom, equivalent safeguards apply under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs.

Account data: retained while your account is active and for up to 30 days after deletion request, unless longer retention is required by law (e.g. for accounting or to defend a legal claim).

Geolocation: NOT retained — processed in real time and discarded.

Favourites: until you delete them or your account.

Server logs: up to 30 days for security and debugging, then automatically purged or anonymised.

Backups: encrypted backups may persist for up to 30 additional days before rotation.

Feedback / support correspondence: up to 24 months from last interaction.

Right of access (Art. 15) — obtain a copy of your data.

Right to rectification (Art. 16) — correct inaccurate data.

Right to erasure / "right to be forgotten" (Art. 17) — request deletion.

Right to restriction (Art. 18) — limit how we use your data.

Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.

Right to object (Art. 21) — object to processing based on legitimate interest.

Right to withdraw consent at any time without affecting prior lawful processing.

Right not to be subject to automated decision-making (Art. 22) — we do NOT perform automated decisions that produce legal or similarly significant effects on you.

Right to lodge a complaint with a supervisory authority. For Italy: Garante per la Protezione dei Dati Personali — www.garanteprivacy.it. For other EU countries: your national DPA. For the UK: the Information Commissioner's Office (ICO) — ico.org.uk.

To exercise any right, email support@essentialcityinfo.com. We will respond within 30 days (extendable by 60 days for complex requests, with notice). We may ask for proof of identity to prevent fraudulent requests.

If you are a California resident you have the right to: (a) know what personal information we collect, use, disclose; (b) delete personal information; (c) correct inaccurate information; (d) opt out of "sale" or "sharing" of personal information; (e) limit the use of sensitive personal information; (f) non-discrimination for exercising your rights.

We do NOT sell or share your personal information for cross-context behavioural advertising as defined under the CPRA.

To exercise CCPA/CPRA rights, email support@essentialcityinfo.com with subject line "California Privacy Request". We will verify your identity before processing.

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, including: TLS 1.2+ encryption in transit, encryption at rest for the database, role-based access control, Row-Level Security policies on every database table, hashed passwords (bcrypt/argon2), regular security reviews, principle of least privilege, and security headers (HSTS, X-Frame-Options, CSP where applicable).

No system can guarantee absolute security. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where the risk is high, also notify affected users without undue delay (Articles 33-34 GDPR).

The Service is not intended for and shall not be used by children under the age of 16 in the EU/EEA, 13 in the US/UK, or the equivalent minimum age in your jurisdiction. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, contact support@essentialcityinfo.com and we will promptly delete it.

We use a minimal set of strictly necessary localStorage/cookies (e.g. language preference, session token, favourites). We may, in the future, deploy first-party analytics; if so, a consent banner will be shown and processing will be suspended until you accept. See our separate Cookie Policy for full details.

The Service contains links to third-party websites and services (e.g. Google Maps, Roma Mobilità, ATAC, embassy websites). We are not responsible for the content, privacy practices or terms of those third parties. Review their respective policies before interacting with them.

We may update this Policy to reflect changes in law, technology or our practices. The "Last updated" date at the top will reflect the most recent revision. For material changes we will provide notice in-app, by email (if you have an account), or via a prominent notice on the website. Continued use after such notice constitutes acceptance.

Questions, complaints, or requests: support@essentialcityinfo.com.

Postal address available upon written request to the email above.