Last updated: 23/02/2026

1. Data Controller

The Data Controller is: FESTA GALATTICA PER AUTOSTOPPISTI SPIRITUALI ETS – APS
Registered office: Via Dante 9, 26011 Casalbuttano ed Uniti (CR), Italy
VAT number: 01789000195
Privacy contact email: festagalattica@gmail.com

The Data Controller has not appointed a DPO (Data Protection Officer).

2. Types of data processed

Depending on how the Website is used, we may process the following data:

Contact data: email address (for waitlist/newsletter sign-up), as well as any other information voluntarily provided by the user through the forms.

Purchase-related data (when ticket sales are activated): first name, last name, email address, billing address, tax code/VAT number where required for tax compliance purposes, and order details. Payment data (such as card details) are not stored by the Data Controller when processed by external providers (such as Stripe/PayPal).

Technical data: technical logs and information required for the functioning and security of the Website (such as IP address, user agent, date/time of requests), limited to what is strictly necessary.

We do not process special categories of personal data (such as health data) through the Website’s standard forms.

3. Purposes of processing and legal bases

We process personal data for the following purposes:

A) Responding to requests sent through the contact forms

Purpose: handling requests and communicating with the user.

Legal basis: performance of pre-contractual/contractual measures or the legitimate interest in managing requests.

Provision of data: optional, but necessary in order to receive a response.

B) Waitlist / Newsletter (Mailchimp) + communications including partner/sponsor content

Purpose: sending updates about Festa Galattica, organizational communications, news, and promotional content, including communications relating to partners and sponsors.

Legal basis: consent (Art. 6(1)(a) GDPR).

Method: double opt-in.

Withdrawal of consent: at any time through the “unsubscribe” link included in every email or by writing to festagalattica@gmail.com.

C) Ticket sales and administrative/tax compliance (when WooCommerce is active)

Purpose: order management, issuance of receipts/invoices, customer support, fraud prevention, and dispute management.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR), compliance with a legal obligation (Art. 6(1)(c) GDPR), and legitimate interest (Art. 6(1)(f) GDPR) for security and abuse prevention purposes.

D) Website security and operation

Purpose: ensuring the proper functioning and security of the Website, and preventing unauthorized access and abuse.

Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).

4. Minors

The Website and related services (including any sales, if activated) are intended for users aged 18 or over.

We do not knowingly collect personal data from minors. If you believe that a minor has provided us with personal data, please contact us so that we can delete it.

5. Methods of processing

Data are processed using electronic tools and appropriate technical and organizational measures designed to ensure the security, integrity, and confidentiality of the data.

6. Data retention

Contact requests: for the time necessary to handle the request and for any administrative or legal defense purposes.

Newsletter / waitlist: until consent is withdrawn (unsubscribe) or a deletion request is received.

Orders and invoicing (when active): for the period required under applicable civil and tax laws.

Security logs: for limited periods proportionate to security purposes.

7. Data recipients and service providers (data processors)

Data may be processed by service providers acting either as data processors or as independent data controllers, including:

Hosting / Infrastructure: Amazon Web Services (AWS) for Website hosting and infrastructure.

Email marketing: Mailchimp (The Rocket Science Group LLC / Intuit) for newsletter and mailing list management.

E-commerce and payments (when active): WooCommerce (WordPress platform and plugins); Stripe and PayPal as payment providers (independent data controllers with regard to payment data).

In addition, data may be accessible to authorized personnel (staff), strictly within the scope of their duties.

8. Transfers outside the EU

Some providers (such as Mailchimp, AWS, Stripe, and PayPal) may involve the transfer of personal data to countries outside the EEA (for example, the United States).

In such cases, the transfer takes place on the basis of safeguards provided for under the GDPR (such as Adequacy Decisions, where applicable, and/or Standard Contractual Clauses together with supplementary measures where required).

9. Data subject rights

You may exercise the rights provided under Articles 15–22 of the GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing, as well as the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise your rights, please contact: festagalattica@gmail.com

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).