Privacy Policy
Last updated: February 2026
Version: 2026.02
Data Controller: Raimondo Norberto Giamberduca
Email: privacy@mindthejourney.com
1. Introduction
Welcome to Mind the Journey, an interactive exploration platform dedicated to discovering the world through its cultures, landscapes, and stories.
This policy describes how we collect, use, and protect your personal data when you visit our site or use our interactive features, in compliance with the General Data Protection Regulation (GDPR - EU Reg. 2016/679) and applicable Italian laws.
2. Data Controller
Raimondo Norberto Giamberduca
Email: privacy@mindthejourney.com
Headquarters: Monza MB Italy via Lecco 24
For privacy questions or to exercise your rights, contact us at the above address.
3. Data Collected and Purposes
3.1 Automatic Navigation Data
IP Addresses
When you visit our site, we automatically collect your IP address for:
Security and fraud prevention: Protection from cyberattacks, unauthorized access attempts, and fraudulent behavior
Approximate geolocation: Displaying your region of origin on the interactive 3D globe (country/region level only, never precise address)
Aggregate statistics: Traffic analysis by geographic region to improve content
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention: 30 days in anonymized form (reduced to /16 subnet, e.g., 192.168.0.0)
Anonymization: IP immediately reduced by removing last two octets (IPv4) or last 6 groups (IPv6)
Example:
Original IP: 192.168.123.45
Anonymized IP saved: 192.168.0.0
User Agent and Technical Metadata
Browser and operating system: To optimize experience across devices
Screen resolution: To adapt 3D globe interface
Access timestamp: For hourly usage statistics
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention: 90 days in aggregate form
3.2 Cookies and Tracking Technologies
We use different cookie categories. For complete details, see our Cookie Policy.
Essential Technical Cookies (Always Active)
Necessary for basic site functionality:
| Name | Purpose | Duration | Type |
|------|---------|----------|------|
| mtj_consent | Stores your cookie preferences | 12 months | localStorage |
| mtj_anon_id | Anonymous ID for internal statistics | Persistent | localStorage |
| mtj_language | Selected language (IT/EN) | Persistent | localStorage |
| mtj_legal_notice_seen | Tracks legal notice view | Persistent | localStorage |
Legal basis: Technical necessity (Art. 6(1)(b) GDPR) - no explicit consent required
Analytics Cookies (Optional - Consent Required)
Activated only after explicit consent via cookie banner:
Google Analytics 4 (if used):
Cookies: _ga, _gid, _gat_gtag_UA_\*
Duration: 2 years (_ga), 24 hours (_gid)
Purpose: Aggregate statistics on visited pages, session duration, navigation flows
Third parties: Google LLC (USA) - Extra-EU data transfer governed by Standard Contractual Clauses (SCC)
Privacy Policy: https://policies.google.com/privacy
Plausible Analytics (privacy-friendly alternative):
Cookies: None
Method: Anonymous tracking without cookies
Compliance: 100% GDPR compliant, data stored in EU
Open source: https://plausible.io
Legal basis: Explicit consent (Art. 6(1)(a) GDPR)
Retention: 14 months (Google Analytics), 12 months (Plausible)
Functional Cookies (Optional - Consent Required)
Improve personalized experience:
Preferred theme: Saves chosen visual theme (BorderScapes, Wild Realms, etc.)
Saved destinations: Stores favorite locations
Applied filters: Remembers selected categories on globe
Legal basis: Explicit consent (Art. 6(1)(a) GDPR)
Retention: 24 months or until manual deletion
3.3 Third-Party Services
Hosting and CDN
Provider: [Replit / Vercel / other - to be specified]
Server location: European Union
Data transferred: Only technical data necessary for service delivery
DPA (Data Processing Agreement): Active
Interactive Maps
globe.gl (3D Globe): Open-source JavaScript library, no data sent to third parties
Mapbox GL JS (2D Maps): Possible future use for detailed maps
- Privacy Policy: https://www.mapbox.com/legal/privacy
- Data: Displayed coordinates, zoom level (anonymous)
IP Geolocation
Provider: ipapi.co / CloudFlare
Data transferred: Only anonymized IP
Purpose: Determine country/region for globe functionality
Retention: No storage at provider
3.4 Future Features (Not Yet Active)
When we implement the following features, we will update this policy:
Error Reporting
Data collected:
Email (optional, for response)
Problem description
Page URL
Screenshot (optional)
Browser and operating system
Timestamp
Purpose: Content quality improvement and error correction
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention: 90 days after problem resolution
Deletion: Automatic or on immediate request
User Account and Favorites
Data collected:
Email (required)
Password (encrypted hash, never plain text)
Username (optional)
Saved destinations
Created itineraries
Travel preferences
Purpose: Multi-device synchronization, preference storage
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Retention: Until account deletion or 24 months of inactivity
Security: Password with bcrypt (cost factor 12), mandatory HTTPS, encrypted backups
3.5 Error Reports and Community Contributions
When you use the error reporting system, we collect:
Data collected:
Email: Required for guests, automatic for registered users
Error description: Free text (max 1000 characters)
Correction suggestions: Optional
Source URL: Optional
Screenshot: Optional (max 5MB, anonymized images)
Technical metadata: Browser, OS, timestamp, anonymized IP
User ID: If registered user
Processing purposes:
Content quality and accuracy improvement
Error correction
Spam and abuse prevention
Aggregate statistics on error types
Contributor recognition (if authorized)
Legal basis:
Art. 6(1)(f) GDPR - Legitimate interest (service improvement)
Art. 6(1)(a) GDPR - Consent (if requesting public recognition)
Data retention:
Valid and accepted reports: 24 months from resolution
Rejected reports: 90 days
Spam reports: 30 days + IP ban 12 months
Public changelog: Permanent (reporter name only, if authorized)
Transparency:
Your reports are visible:
❌ NOT public during review
✅ Visible to you in dashboard (if registered user)
✅ Visible to internal staff with authorized access
✅ Public in changelog (outcome only, not full report content)
Specific rights:
Access: View your reports in dashboard
Rectification: Modify report within 48h of submission
Erasure: Request data deletion (report may remain but anonymized)
Objection: Refuse name publication in changelog
Security:
IP anonymized (subnet /16) before saving
Screenshots processed to remove sensitive data (AI)
Emails encrypted at rest (AES-256)
Staff access limited with audit log
Contact: privacy@mindthejourney.com for questions about report data processing.
4. Legal Basis for Processing
Your data is processed based on:
| Purpose | GDPR Legal Basis |
|---------|------------------|
| Technical site operation | Art. 6(1)(b) - Contract performance / Technical necessity |
| Security and fraud prevention | Art. 6(1)(f) - Legitimate interest |
| Analytics and service improvement | Art. 6(1)(a) - Explicit consent |
| Functional cookies | Art. 6(1)(a) - Explicit consent |
| Response to user requests | Art. 6(1)(b) - Contract performance |
| Legal obligations (e.g., invoice retention) | Art. 6(1)(c) - Legal obligation |
5. Data Sharing and Transfers
5.1 Data Recipients
Your data may be shared with:
Technical service providers: Hosting, CDN, backup (all with active DPA)
Analytics services: Google Analytics (if consent given) or Plausible
Competent authorities: Only upon legal request (e.g., court order)
We never sell or rent your data to third parties.
5.2 Extra-EU Transfers
If you use Google Analytics, some data may be transferred to the USA to Google LLC.
Adequate safeguards:
Standard Contractual Clauses (SCC) approved by European Commission
Google is certified under the EU-US Data Privacy Framework
You can object by disabling analytics cookies
If you use Plausible, all data remains in the EU (servers in Germany).
6. Data Retention
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| Cookie consents | 12 months | Natural GDPR consent expiration |
| Anonymized IPs | 30 days | Sufficient for statistics and security |
| Analytics logs | 14 months | Google Analytics default |
| Consent audit logs | 12 months | GDPR compliance obligations |
| Inactive accounts | 24 months | Automatic deletion after inactivity |
| Error reports | 90 days post-resolution | Adequate time for follow-up |
At the end of the indicated periods, data is automatically deleted or irreversibly anonymized.
7. User Rights (Art. 15-22 GDPR)
You have the right to:
7.1 Right of Access (Art. 15)
Obtain a copy of all personal data we hold about you.
How to exercise:
Visit Privacy Dashboard
Download JSON file with all your data
Or write to privacy@mindthejourney.com
7.2 Right to Rectification (Art. 16)
Correct inaccurate or incomplete data.
Example: Change email associated with account, update incorrect preferences.
7.3 Right to Erasure - "Right to be Forgotten" (Art. 17)
Request complete deletion of your data.
How to exercise:
Privacy Dashboard → "Delete All Data" (with confirmation)
Or write to privacy@mindthejourney.com
Timeline: Immediate deletion from active systems, 30 days from backups.
Exceptions: We may refuse if necessary for:
Legal obligations (e.g., invoices for 10 years)
Defense in legal proceedings
Exercise of freedom of expression
7.4 Right to Data Portability (Art. 20)
Receive your data in structured, machine-readable format (JSON).
How to exercise:
Privacy Dashboard → "Export Data"
Download JSON file with all data
7.5 Right to Object (Art. 21)
Object to processing based on legitimate interest (e.g., analytics).
How to exercise:
Disable analytics cookies in banner
Or write to privacy@mindthejourney.com for complete objection
7.6 Right to Restriction (Art. 18)
Temporarily suspend processing while you verify/contest data.
7.7 Withdrawal of Consent
Withdraw previously given consent (e.g., analytics cookies) at any time.
Effect: Withdrawal does not invalidate already performed processing.
8. How to Exercise Your Rights
Method 1: Privacy Dashboard (Immediate)
1. Visit /privacy-dashboard
2. View current consents
3. Export data (download JSON)
4. Modify cookie preferences
5. Delete account (with confirmation)
Method 2: Email (Response within 30 days)
Write to privacy@mindthejourney.com indicating:
Right you want to exercise
Data necessary to identify you (email, anonymous ID if available)
Reason (optional but helpful)
Response time: 30 days (extendable to 90 if complex request)
Cost: Free (except manifestly unfounded or excessive requests)
Method 3: Complaint to Authority
If you believe your rights have been violated:
Italian Data Protection Authority (Garante)
Piazza Venezia, 11 - 00187 Rome, Italy
Tel: +39 06 696771
Email: garante@gpdp.it
Web: https://www.garanteprivacy.it
9. Data Security
We implement adequate technical and organizational measures to protect your data:
Technical Measures
HTTPS/TLS 1.3 encryption: All transmitted data is encrypted
IP anonymization: Immediate reduction to /16 subnet
Encrypted passwords: bcrypt with cost factor 12 (when we have accounts)
Firewall and DDoS protection: Application and network level
Immutable audit logs: Append-only JSONL files for traceability
Encrypted backups: AES-256, stored in separate geographic location
Organizational Measures
Limited access: Only authorized personnel with need-to-know
Staff training: Annual GDPR and security training
Data Breach Response Plan: 72-hour notification procedure to Authority
Periodic reviews: Quarterly security audits
DPA contracts: With all data processing vendors
Data Breach Notification
In case of personal data breach:
Notification to Authority: Within 72 hours of discovery
Notification to you: Without delay if high risk to your rights
Content: Nature of violation, data involved, measures adopted, DPO contact
10. Children's Privacy
Mind the Journey is aimed at a general audience, including accompanied minors.
Collection of minors' data (<14 years in Italy / <16 in many EU countries):
NO account without verifiable parental consent
Technical cookies: Permitted (necessary for functionality)
Analytics cookies: We request age confirmation or parental consent
If we become aware of having collected minors' data without consent, we proceed to immediate deletion.
Parents: To request deletion of your child's data, contact privacy@mindthejourney.com with proof of parenthood.
11. Links to External Sites
Mind the Journey contains links to third-party sites (hotels, tour operators, tourist guides, museums, cultural institutions).
We are not responsible for:
Privacy policies of these external sites
Data processing performed by third parties
Content, prices or availability on external sites
Transactions or bookings made through links
Recommendation: Always read the external site's privacy policy before providing personal data or making transactions.
12. Changes to Privacy Policy
We may update this policy for:
Compliance with new regulations
Introduction of new features
Improvements requested by Authority
User feedback
Change notification:
Substantial changes: Notification banner + email (if you have account)
Minor changes: Only date update at top of document
Current version: 2026.02 (February 2026)
Version history: Available on request at privacy@mindthejourney.com
We invite you to periodically review this policy by visiting /privacy.
13. Contacts and Questions
For any privacy questions, exercise of rights or problem reporting:
Email: privacy@mindthejourney.com
Response time: 5 business days (simple requests), 30 days (GDPR requests)
Self-Service Dashboard: /privacy-dashboard
Privacy Officer / DPO: [To be appointed if >250 employees or sensitive processing]
14. Glossary
GDPR: General Data Protection Regulation (EU Reg. 2016/679)
DPA: Data Processing Agreement
IP: Internet Protocol address (network address)
Cookie: Small text file stored by browser
localStorage: Browser local storage (type of persistent cookie)
Anonymization: Irreversible removal of identifying elements
Pseudonymization: Replacement of identifiers with random IDs (reversible)
SCC: Standard Contractual Clauses (EU Standard Contractual Clauses)
Thank you for choosing Mind the Journey. Your privacy is our priority.