This notice describes how Quota 4000 (the "Site") collects, uses and protects users' personal data, in compliance with EU Regulation 2016/679 (GDPR) and applicable Italian law.
1. DATA CONTROLLER
The data controller is Amedeo Guffanti. Contact: quota4000privacy@gmail.com.
2. DATA COLLECTED
- Registration data: name, email, avatar (via Google/Meta OAuth)
- Booking data: name, email, phone, preferences
- Reviews: text and multi-dimensional ratings
- School messages: content sent via contact forms
- Technical data: IP, user-agent, technical cookies
- Cookie consent log: anonymous identifier (UUID), daily-rotating hash of IP (SHA-256, non-reversible), consent categories chosen, language, user-agent, policy version and timestamp. Retained as proof of consent under GDPR art. 7 §1.
3. PURPOSES
- Manage registration, login and personal area
- Process bookings and forward them to selected schools
- Publish reviews (after moderation) and aggregate school ratings
- Send messages to schools for direct requests
- Send editorial communications (newsletter) only with explicit consent
- Send commercial, marketing and CRM communications (only with explicit consent collected via booking and contact forms)
- Comply with legal and security obligations
4. LEGAL BASIS
Processing is based on: contract performance or pre-contractual measures (bookings — GDPR art. 6 §1 (b)), explicit consent (newsletter, reviews, marketing/CRM — GDPR art. 6 §1 (a)), legitimate interest (security, anti-fraud — GDPR art. 6 §1 (f)) or legal obligations.
For CRM and marketing: consent is collected via optional checkboxes in booking and contact forms. Refusing marketing consent does not affect booking fulfilment.
5. DATA RETENTION
- User account: until deletion requested by the user
- Bookings: 24 months from creation
- Reviews: no expiration (may be anonymized on request)
- Verification photos: maximum 30 days, then auto-deleted
- School messages: 12 months
- Marketing/CRM consents: until withdrawal by the user; proof of consent (timestamp, policy version, IP hash) is kept for 24 months after withdrawal
- Cookie consent log: 24 months from last change, as documentary proof of consent
6. RECIPIENTS
Data may be shared with:
- Skydiving schools receiving bookings and messages
- Technical providers: Vercel, Supabase (EU), Sanity, Resend, Anthropic
- Authorities when required by law
7. NON-EU TRANSFERS
Some providers (Anthropic, Resend) are based outside the EU. Transfers to them are carried out under EU Standard Contractual Clauses.
8. USER RIGHTS
You have the right to: access, rectification, erasure, restriction, portability, objection, withdrawal of consent. Write to quota4000privacy@gmail.com.
For quick account deletion: data-deletion.
9. COOKIES
The Site uses technical cookies (necessary for operation) and, only with explicit consent, analytics and marketing cookies. On arrival, a banner lets you accept, reject or customize by category.
We implement Google Consent Mode v2 with default state denied: no analytics or marketing cookie fires before your choice. Proof of consent is retained in the consent_logs table, using a daily-rotating hash of the IP (non-reversible) and an anonymous identifier.
For detailed descriptions of individual cookies, durations and purposes, see the Cookie Policy. You can change your preferences at any time via the "Cookie settings" link in the footer (GDPR art. 7 §3 — withdrawal as easy as giving consent).
10. COMPLAINTS
You have the right to complain to the Italian Data Protection Authority (garanteprivacy.it).
11. CHANGES
This notice may be updated. The date of the last update is shown at the top.
12. SPECIFIC CONSENTS COLLECTED IN FORMS
When you fill out a form on the Site (e.g. tandem booking) we collect two distinct, granular consents:
- Privacy policy acknowledgment (mandatory): confirms you have read this document. Required to fulfil the booking request (legal basis: GDPR art. 6 §1 (b) — contract performance / pre-contractual measures). Without it we cannot process the request.
- Consent to commercial, marketing and CRM contact (optional): allows us to contact you for future promotional communications and Customer Relationship Management initiatives (legal basis: GDPR art. 6 §1 (a) — explicit consent). You can withdraw at any time by writing to quota4000privacy@gmail.com; refusal does not affect the booking.
For each consent we keep, as documentary proof (GDPR art. 7 §1): UTC timestamp, version of this policy accepted, daily-rotating IP hash (SHA-256, non-reversible), user agent. Withdrawal of marketing/CRM consent is as easy as giving it (GDPR art. 7 §3).