Privacy Policy

Introduction

Eya Sardinia Acrofest ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you browse our website, save a registration draft, register for the festival, upload documents, or use participant or admin access features.

We comply with the General Data Protection Regulation (GDPR) and applicable data protection laws. Where consent is required, we ask for it separately. This policy explains what data we process, why we process it, who receives it, how long we keep it, and what rights you can exercise.

Data Controller

The data controller responsible for your personal data is:

What Data We Collect

When you interact with Eya Sardinia Acrofest, we may collect the following personal data:

• Identity and legal details: Your full name and, when required for participation or membership, birth details, residence details, and tax code information.
• Contact and account details: Your email address, phone number, participant or admin account identifiers, and essential authentication data needed to access protected areas.
• Documents and compliance records: Medical certificates, membership proof, consent timestamps, and document metadata such as file name, type, size, and upload time.
• Registration and preference data: Your ticket selection, participant category, pricing or invitation details, workshop choices, accommodation, lunch, crew, merchandise, and media-preference answers.

We do not collect or store payment card details. Payments are processed by Stripe. We do store limited payment and billing metadata such as Stripe session or transaction IDs, payment status, amounts, and related registration references.

Accounts, Cookies, and Browser Storage

When you access protected participant or admin areas, or use draft-saving features, we also process the following technical and authentication data:

• Account and sign-in data such as user ID, email, role, password reset records, magic-link details, and, if you enable them, passkey credential metadata.
• Essential cookies and similar browser technologies to keep you signed in and remember limited preferences such as your selected language.
• Temporary registration drafts saved in your browser for up to 24 hours and, if you request cross-device recovery, a short-lived server-side draft and one-time recovery token.
• Technical and security logs such as IP address, user agent, request path, referrer, and service event data used to protect and diagnose the website.

Why We Collect Your Data

We collect and process your data for the following purposes:

• Registration and festival operations: To create, manage, price, confirm, and, when needed, recover or cancel your festival registration, including participant portal access and document review.
• Essential communications: To send confirmations, payment links, invitations, recovery links, schedule changes, document requests, and other operational updates.
• Safety, membership, and compliance: To verify medical certificates or membership proof, activate required insurance or association coverage, and meet sporting, safety, and administrative requirements.
• Security, fraud prevention, and legal obligations: To protect accounts and services, apply rate limits, investigate misuse, maintain audit trails, handle disputes, and comply with accounting, tax, and regulatory duties.

Legal basis: We process your data on the basis of contract performance (registration and participant services), consent where required, including for health-related documents and media choices, legal obligations, and our legitimate interests in keeping the festival, website, and accounts secure and well operated.

How Long We Keep Your Data

We retain your personal data for the following periods:

• Registration and document data: We keep registration records, pricing snapshots, consent records, and uploaded compliance documents for up to 2 years after the festival, unless a longer retention period is required by law.
• Account, session, and recovery data: Authenticated sessions are kept for up to 30 days unless revoked sooner. Password reset, magic-link, and draft-recovery tokens expire automatically, generally within 24 hours or less. Browser-stored drafts expire after 24 hours unless you clear them earlier.
• Email, payment, and audit records: We keep essential email delivery history and correspondence for up to 1 year for customer service and deliverability. Payment references, audit logs, and accounting records are kept for the period required by applicable law.

After the relevant retention period ends, we delete or anonymize the data unless we must keep it longer to meet legal, accounting, or dispute-resolution obligations.

Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Right to access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct any inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): You can request deletion of your data, and we will comply within 30 days, subject to legal retention requirements.
• Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
• Right to data portability: You can request your data in a structured, machine-readable format.
• Right to object: You can object to our processing of your data based on legitimate interests.

To exercise any of these rights, please contact us at asdacrobatikayoga@gmail.com

Data Security

We take data security seriously and implement appropriate technical and organizational measures:

• Personal data is stored in access-controlled systems, including separate services for database records, uploaded documents, and authentication support data
• Payment cards are handled by Stripe and are not stored on our website
• We use transport security, short-lived tokens, and other appropriate technical measures to reduce unauthorized access and exposure
• Access to personal data is restricted to authorized personnel and service providers who need it to operate the festival

Third-Party Services

We use the following third-party services to operate the website, registrations, participant and admin access, and essential communications:

• Stripe: For checkout, payment processing, refunds, and payment-status reconciliation.
• Resend: For transactional emails and related delivery-status webhooks.
• Cloudflare: For website hosting, database infrastructure, KV-backed auth and security features, secure document storage in R2, queues, and infrastructure or security logging.
• Google Maps / Places: For address and birth-town autocomplete in the registration form when you choose to use those suggestions.

We use these providers only where needed to deliver the related service, and we rely on their documented security and data-protection commitments together with our own contractual, organizational, and technical safeguards where applicable.

Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Right to Complain

If you believe we have not handled your data properly or have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority. In Italy, this is the Garante per la Protezione dei Dati Personali