Privacy notice (art. 13 Reg. EU 2016/679)
Last updated: 24 March 2026
1. Data controller
Valerio Zappone Via Colle Prato Rinaldo 8a, 00030 San Cesareo (RM), Italy Email: support.muovilazio@webizio.it
2. Personal data collected
- Email: collected via point-of-sale reporting forms and newsletter sign-up
- Navigation data: collected in anonymous and aggregated form via Umami Analytics (no cookies, no identifying data)
- Geolocation data: approximate location (only if the user grants it voluntarily) to sort results by proximity
- Google Maps data: address and coordinates of businesses reported via the Google Places API
- Merchant account data: email, name and Google identifier, collected via Google OAuth authentication at registration time
- Business data: name, address, phone, opening hours, point-of-sale photos, entered by the merchant during registration
- Session data: technical session cookies managed via Supabase Auth, required for the merchant restricted area to work
3. Purposes and legal basis
a) Newsletter and updates — Basis: explicit consent (art. 6.1.a GDPR). Purpose: send updates about new points of sale and service news. Consent is freely given, specific and revocable at any time.
b) Point-of-sale reports — Basis: legitimate interest (art. 6.1.f GDPR) to store the report. Sending email communications to the reporter happens only with prior explicit consent (art. 6.1.a).
c) Analytics — Basis: legitimate interest (art. 6.1.f GDPR). Purpose: aggregated traffic analysis. Data is fully anonymised and does not allow user identification.
d) Merchant account registration and management — Basis: pre-contractual and contractual measures (art. 6.1.b GDPR). Purpose: enable merchants to register and manage their point of sale on the platform.
4. Data recipients
Data may be shared with:
- Vercel Inc. (USA) — hosting and CDN, adheres to the EU-US Data Privacy Framework
- Supabase Inc. — PostgreSQL database, servers in the EU (Ireland)
- Google LLC (USA) — Google Maps Platform API and OAuth authentication for merchants, adheres to the EU-US Data Privacy Framework
- Resend Inc. (USA) — transactional email service, adheres to the EU-US Data Privacy Framework
- Umami — open-source self-hosted analytics, fully anonymised data. No data is transferred to third parties.
5. Transfers outside the EU
Some providers are based in the USA. Transfers are lawful under the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023).
6. Retention periods
- Point-of-sale reports: 12 months from the closing/handling of the report
- Newsletter data: kept until consent is withdrawn (opt-out), plus a further 12 months as proof of the consent given
- Navigation data: anonymised, no time limit
- Merchant account data: kept for the duration of the account. On deletion, data is removed within 30 days, except for data required by legal obligations.
7. Data subject rights
Under arts. 15-22 GDPR, the user has the right to:
- Access their personal data
- Have inaccurate data corrected
- Have data erased (right to be forgotten)
- Restrict processing
- Obtain data portability
- Object to processing
- Withdraw consent at any time
To exercise these rights, write to: support.muovilazio@webizio.it
You may also lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
8. Cookies
Muovi Lazio uses only technical cookies necessary for the site to function:
- Session cookies (Supabase Auth): required for merchant area authentication. Duration: browser session.
No profiling, advertising or third-party cookies are used. Technical cookies do not require consent under art. 122 of the Italian Privacy Code (Legislative Decree 196/2003).
9. Changes
The Controller reserves the right to amend this notice. The latest version is always available on this page.