# Privacy Policy
**Last updated:** February 2026
**Version:** 2026.02
**Data Controller:** Raimondo Norberto Giamberduca
---
## 1. Introduction
Welcome to **Mind the Journey**, an interactive exploration platform dedicated to discovering the world through its cultures, landscapes, and stories.
This policy describes how we collect, use, and protect your personal data when you visit our site or use our interactive features, in compliance with the **General Data Protection Regulation (GDPR - EU Reg. 2016/679)** and applicable Italian laws.
---
## 2. Data Controller
**Raimondo Norberto Giamberduca**
Headquarters: Monza MB Italy via Lecco 24
For privacy questions or to exercise your rights, contact us at the above address.
---
## 3. Data Collected and Purposes
### 3.1 Automatic Navigation Data
#### IP Addresses
When you visit our site, we automatically collect your **IP address** for:
- **Security and fraud prevention:** Protection from cyberattacks, unauthorized access attempts, and fraudulent behavior
- **Approximate geolocation:** Displaying your region of origin on the interactive 3D globe (country/region level only, never precise address)
- **Aggregate statistics:** Traffic analysis by geographic region to improve content
**Legal basis:** Legitimate interest (Art. 6(1)(f) GDPR)
**Retention:** 30 days in anonymized form (reduced to /16 subnet, e.g., 192.168.0.0)
**Anonymization:** IP immediately reduced by removing last two octets (IPv4) or last 6 groups (IPv6)
**Example:**
- Original IP: 192.168.123.45
- Anonymized IP saved: 192.168.0.0
#### User Agent and Technical Metadata
- **Browser and operating system:** To optimize experience across devices
- **Screen resolution:** To adapt 3D globe interface
- **Access timestamp:** For hourly usage statistics
**Legal basis:** Legitimate interest (Art. 6(1)(f) GDPR)
**Retention:** 90 days in aggregate form
---
### 3.2 Cookies and Tracking Technologies
We use different cookie categories. For complete details, see our [Cookie Policy](/cookies).
#### Essential Technical Cookies (Always Active)
Necessary for basic site functionality:
| Name | Purpose | Duration | Type |
|------|---------|----------|------|
| mtj\_consent | Stores your cookie preferences | 12 months | localStorage |
| mtj\_anon\_id | Anonymous ID for internal statistics | Persistent | localStorage |
| mtj\_language | Selected language (IT/EN) | Persistent | localStorage |
| mtj\_legal\_notice\_seen | Tracks legal notice view | Persistent | localStorage |
**Legal basis:** Technical necessity (Art. 6(1)(b) GDPR) - no explicit consent required
#### Analytics Cookies (Optional - Consent Required)
Activated only after explicit consent via cookie banner:
**Google Analytics 4** (if used):
- **Cookies:** \_ga, \_gid, \_gat\_gtag\_UA\_\*
- **Duration:** 2 years (_ga), 24 hours (_gid)
- **Purpose:** Aggregate statistics on visited pages, session duration, navigation flows
- **Third parties:** Google LLC (USA) - Extra-EU data transfer governed by Standard Contractual Clauses (SCC)
**Plausible Analytics** (privacy-friendly alternative):
- **Cookies:** None
- **Method:** Anonymous tracking without cookies
- **Compliance:** 100% GDPR compliant, data stored in EU
**Legal basis:** Explicit consent (Art. 6(1)(a) GDPR)
**Retention:** 14 months (Google Analytics), 12 months (Plausible)
#### Functional Cookies (Optional - Consent Required)
Improve personalized experience:
- **Preferred theme:** Saves chosen visual theme (BorderScapes, Wild Realms, etc.)
- **Saved destinations:** Stores favorite locations
- **Applied filters:** Remembers selected categories on globe
**Legal basis:** Explicit consent (Art. 6(1)(a) GDPR)
**Retention:** 24 months or until manual deletion
---
### 3.3 Third-Party Services
#### Hosting and CDN
- **Provider:** [Replit / Vercel / other - to be specified]
- **Server location:** European Union
- **Data transferred:** Only technical data necessary for service delivery
- **DPA (Data Processing Agreement):** Active
#### Interactive Maps
- **globe.gl (3D Globe):** Open-source JavaScript library, no data sent to third parties
- **Mapbox GL JS (2D Maps):** Possible future use for detailed maps
- Data: Displayed coordinates, zoom level (anonymous)
#### IP Geolocation
- **Provider:** ipapi.co / CloudFlare
- **Data transferred:** Only anonymized IP
- **Purpose:** Determine country/region for globe functionality
- **Retention:** No storage at provider
---
### 3.4 Future Features (Not Yet Active)
When we implement the following features, we will update this policy:
#### Error Reporting
**Data collected:**
- Email (optional, for response)
- Problem description
- Page URL
- Screenshot (optional)
- Browser and operating system
- Timestamp
**Purpose:** Content quality improvement and error correction
**Legal basis:** Legitimate interest (Art. 6(1)(f) GDPR)
**Retention:** 90 days after problem resolution
**Deletion:** Automatic or on immediate request
#### User Account and Favorites
**Data collected:**
- Email (required)
- Password (encrypted hash, never plain text)
- Username (optional)
- Saved destinations
- Created itineraries
- Travel preferences
**Purpose:** Multi-device synchronization, preference storage
**Legal basis:** Contract performance (Art. 6(1)(b) GDPR)
**Retention:** Until account deletion or 24 months of inactivity
**Security:** Passwords hashed with bcrypt (cost factor 12), mandatory HTTPS, encrypted backups
---
### 3.5 Error Reports and Community Contributions
When you use the error reporting system, we collect:
**Data collected:**
- **Email:** Required for guests, automatic for registered users
- **Error description:** Free text (max 1000 characters)
- **Correction suggestions:** Optional
- **Source URL:** Optional
- **Screenshot:** Optional (max 5MB, anonymized images)
- **Technical metadata:** Browser, OS, timestamp, anonymized IP
- **User ID:** If registered user
**Processing purposes:**
- Content quality and accuracy improvement
- Error correction
- Spam and abuse prevention
- Aggregate statistics on error types
- Contributor recognition (if authorized)
**Legal basis:**
- Art. 6(1)(f) GDPR - Legitimate interest (service improvement)
- Art. 6(1)(a) GDPR - Consent (if requesting public recognition)
**Data retention:**
- **Valid and accepted reports:** 24 months from resolution
- **Rejected reports:** 90 days
- **Spam reports:** 30 days + IP ban 12 months
- **Public changelog:** Permanent (reporter name only, if authorized)
**Transparency:**
Your reports are visible:
- ❌ NOT public during review
- ✅ Visible to you in dashboard (if registered user)
- ✅ Visible to internal staff with authorized access
- ✅ Public in changelog (outcome only, not full report content)
**Specific rights:**
- **Access:** View your reports in dashboard
- **Rectification:** Modify report within 48h of submission
- **Erasure:** Request data deletion (report may remain but anonymized)
- **Objection:** Refuse name publication in changelog
**Security:**
- IP anonymized (subnet /16) before saving
- Screenshots processed to remove sensitive data (AI)
- Emails encrypted at rest (AES-256)
- Staff access limited with audit log
**Contact:** privacy@mindthejourney.com for questions about report data processing.
---
## 4. Legal Basis for Processing
Your data is processed based on:
| Purpose | GDPR Legal Basis |
|---------|------------------|
| Technical site operation | Art. 6(1)(b) - Contract performance / Technical necessity |
| Security and fraud prevention | Art. 6(1)(f) - Legitimate interest |
| Analytics and service improvement | Art. 6(1)(a) - Explicit consent |
| Functional cookies | Art. 6(1)(a) - Explicit consent |
| Response to user requests | Art. 6(1)(b) - Contract performance |
| Legal obligations (e.g., invoice retention) | Art. 6(1)(c) - Legal obligation |
---
## 5. Data Sharing and Transfers
### 5.1 Data Recipients
Your data may be shared with:
- **Technical service providers:** Hosting, CDN, backup (all with active DPA)
- **Analytics services:** Google Analytics (if consent given) or Plausible
- **Competent authorities:** Only upon legal request (e.g., court order)
**We never sell or rent your data to third parties.**
### 5.2 Extra-EU Transfers
If you use Google Analytics, some data may be transferred to the USA to Google LLC.
**Adequate safeguards:**
- Standard Contractual Clauses (SCC) approved by European Commission
- Google is certified under the EU-US Data Privacy Framework
- You can object by disabling analytics cookies
If you use Plausible, **all data remains in the EU** (servers in Germany).
---
## 6. Data Retention
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| **Cookie consents** | 12 months | Natural GDPR consent expiration |
| **Anonymized IPs** | 30 days | Sufficient for statistics and security |
| **Analytics logs** | 14 months | Google Analytics default |
| **Consent audit logs** | 12 months | GDPR compliance obligations |
| **Inactive accounts** | 24 months | Automatic deletion after inactivity |
| **Error reports** | 90 days post-resolution | Adequate time for follow-up |
At the end of indicated periods, data is **automatically deleted** or **irreversibly anonymized**.
---
## 7. User Rights (Art. 15-22 GDPR)
You have the right to:
### 7.1 Right of Access (Art. 15)
Obtain a copy of all personal data we hold about you.
**How to exercise:**
- Visit [Privacy Dashboard](/privacy-dashboard)
- Download JSON file with all your data
### 7.2 Right to Rectification (Art. 16)
Correct inaccurate or incomplete data.
**Example:** Change email associated with account, update incorrect preferences.
### 7.3 Right to Erasure - "Right to be Forgotten" (Art. 17)
Request complete deletion of your data.
**How to exercise:**
- Privacy Dashboard → "Delete All Data" (with confirmation)
**Timeline:** Immediate deletion from active systems, 30 days from backups.
**Exceptions:** We may refuse if necessary for:
- Legal obligations (e.g., invoices for 10 years)
- Defense in legal proceedings
- Exercise of freedom of expression
### 7.4 Right to Data Portability (Art. 20)
Receive your data in structured, machine-readable format (JSON).
**How to exercise:**
- Privacy Dashboard → "Export Data"
- Download JSON file with all data
### 7.5 Right to Object (Art. 21)
Object to processing based on legitimate interest (e.g., analytics).
**How to exercise:**
- Disable analytics cookies in banner
### 7.6 Right to Restriction (Art. 18)
Temporarily suspend processing while you verify/contest data.
### 7.7 Withdrawal of Consent
Withdraw previously given consent (e.g., analytics cookies) at any time.
**Effect:** Withdrawal does not invalidate already performed processing.
---
## 8. How to Exercise Your Rights
### Method 1: Privacy Dashboard (Immediate)
1. Visit [/privacy-dashboard](/privacy-dashboard)
2. View current consents
3. Export data (download JSON)
4. Modify cookie preferences
5. Delete account (with confirmation)
### Method 2: Email (Response within 30 days)
- Right you want to exercise
- Data necessary to identify you (email, anonymous ID if available)
- Reason (optional but helpful)
**Response time:** 30 days (extendable to 90 if complex request)
**Cost:** Free (except manifestly unfounded or excessive requests)
### Method 3: Complaint to Authority
If you believe your rights have been violated:
**Italian Data Protection Authority (Garante)**
Piazza Venezia, 11 - 00187 Rome, Italy
Tel: +39 06 696771
---
## 9. Data Security
We implement adequate technical and organizational measures to protect your data:
### Technical Measures
- **HTTPS/TLS 1.3 encryption:** All transmitted data is encrypted
- **IP anonymization:** Immediate reduction to /16 subnet
- **Encrypted passwords:** bcrypt with cost factor 12 (when we have accounts)
- **Firewall and DDoS protection:** Application and network level
- **Immutable audit logs:** Append-only JSONL files for traceability
- **Encrypted backups:** AES-256, stored in separate geographic location
### Organizational Measures
- **Limited access:** Only authorized personnel with need-to-know
- **Staff training:** Annual GDPR and security training
- **Data Breach Response Plan:** 72-hour notification procedure to Authority
- **Periodic reviews:** Quarterly security audits
- **DPA contracts:** With all data processing vendors
### Data Breach Notification
In case of personal data breach:
- **Notification to Authority:** Within 72 hours of discovery
- **Notification to you:** Without delay if high risk to your rights
- **Content:** Nature of violation, data involved, measures adopted, DPO contact
---
## 10. Children's Privacy
Mind the Journey is aimed at a general audience, including accompanied minors.
**Collection of minors' data (<14 years in Italy / <16 in many EU countries):**
- **NO account** without verifiable parental consent
- **Technical cookies:** Permitted (necessary for functionality)
- **Analytics cookies:** We request age confirmation or parental consent
If we become aware of having collected minors' data without consent, we **proceed to immediate deletion**.
**Parents:** To request deletion of your child's data, contact privacy@mindthejourney.com with proof of parenthood.
---
## 11. Links to External Sites
Mind the Journey contains links to third-party sites (hotels, tour operators, tourist guides, museums, cultural institutions).
**We are not responsible for:**
- Privacy policies of these external sites
- Data processing performed by third parties
- Content, prices or availability on external sites
- Transactions or bookings made through links
**Recommendation:** Always read the external site's privacy policy before providing personal data or making transactions.
---
## 12. Changes to Privacy Policy
We may update this policy for:
- Compliance with new regulations
- Introduction of new features
- Improvements requested by Authority
- User feedback
**Change notification:**
- **Substantial changes:** Notification banner + email (if you have account)
- **Minor changes:** Only date update at top of document
**Current version:** 2026.02 (February 2026)
We invite you to periodically review this policy by visiting [/privacy](/privacy).
---
## 13. Contacts and Questions
For any privacy questions, exercise of rights or problem reporting:
**Response time:** 5 business days (simple requests), 30 days (GDPR requests)
**Self-Service Dashboard:** [/privacy-dashboard](/privacy-dashboard)
**Privacy Officer / DPO:** [To be appointed if >250 employees or sensitive processing]
---
## 14. Glossary
- **GDPR:** General Data Protection Regulation (EU Reg. 2016/679)
- **DPA:** Data Processing Agreement
- **IP:** Internet Protocol address (network address)
- **Cookie:** Small text file stored by browser
- **localStorage:** Browser local storage (type of persistent cookie)
- **Anonymization:** Irreversible removal of identifying elements
- **Pseudonymization:** Replacement of identifiers with random IDs (reversible)
- **SCC:** Standard Contractual Clauses (EU Standard Contractual Clauses)
---
**Thank you for choosing Mind the Journey. Your privacy is our priority.**