Museum of Synthetic Voices
Personal Data Protection

Privacy Policy

Information on the processing of personal data pursuant to EU Regulation 2016/679 (GDPR)

Last updated: March 21, 2026

01

Who manages your data

The data controller is Daniele Cappello, curator of the Museum of Synthetic Voices. The controller is responsible for decisions regarding the purposes and methods of data processing.

Direct contact

[email protected]

02

Why we can process your data

The processing of your personal data is based on different legal grounds, depending on the specific purpose:

  • Account registration and content access
    Art. 6.1.b GDPR: Performance of a contract to which the data subject is party. Registration is necessary to provide you access to the museum's reserved content.
  • Comment publishing
    Art. 6.1.b GDPR: Performance of the requested service. Commenting is a feature you choose to use.
  • Support and donations (Stripe Checkout)
    Art. 6.1.b GDPR: Performance of a service requested by the data subject. Payment processing is handled by the payment provider.
  • Aggregate browsing analytics (Cloudflare Web Analytics)
    Art. 6.1.f GDPR: This website uses Cloudflare Web Analytics, a privacy-friendly web analytics service that does not use cookies, does not track users across sessions, and does not collect personally identifiable data. Only aggregate browsing data is processed (pages visited, country, device type, referrer). The legal basis is the legitimate interest of the Controller in improving the service.
  • Content access logs
    Art. 6.1.f GDPR: Content access logs (content_access_log) are retained for a maximum of 90 days; IP addresses are anonymised after 30 days. The legal basis is the legitimate interest of the Controller in the security and proper functioning of the service.

03

What information we collect

We only collect data strictly necessary to provide you with the museum's services. We apply the data minimization principle required by GDPR.

  • Email address — For authentication and service communications
  • Password hash — Your password is never stored in plain text
  • Registration date — For administrative purposes
  • Expressed consents — Cookie preferences stored locally in the browser
  • Comment content — Only if you choose to use this feature
  • Support messages — Optional text attached to donations

Mandatory and optional data

Providing your email address and password is mandatory for account creation: registration is not possible without this data. The display name and donation messages are optional.

04

How we use your data

  • Account access — Authentication and session management
  • Reserved content — Unlocking multimedia archives and premium features
  • Comment system — Allowing you to participate in discussions
  • Project support — Managing donations and receipts via Stripe
  • Personalization — Remembering your preferences (language, theme, audio)
  • Service communications — Important notifications about your account

We do not sell or share your data with third parties for commercial purposes. Data is processed exclusively for the purposes stated above.

Some technical services may process data on our behalf: Supabase (authentication and database) and Stripe (payments). We do not store card payment data.

05

How long we keep your data

Active account

Data is retained for the duration of the account

Account deletion

Complete deletion within 30 days of the request

Some data may be retained longer for legal obligations or for the protection of rights in court, in accordance with legal requirements.

06

What you can do with your data

GDPR guarantees you a series of rights that you can exercise at any time by contacting us at the email address provided.

Right of access

You can request a copy of all the data we have about you.

Right to rectification

You can correct or update your data at any time.

Right to erasure

You can request complete deletion of your data.

Right to portability

You can request your data in a structured, readable format.

Withdrawal of consent

You can withdraw any consent given at any time.

Right to object

You may object at any time to the processing of your personal data based on the legitimate interest of the Controller, on grounds relating to your particular situation (art. 21 GDPR).

Right to restriction

You may request the restriction of processing when you contest the accuracy of the data, the processing is unlawful, or you have exercised your right to object pending verification (art. 18 GDPR).

Complaint to authority

You can file a complaint with the Garante per la Protezione dei Dati Personali — www.garanteprivacy.it — Piazza Venezia 11, 00187 Roma.

07

How to exercise your rights

For any request regarding the processing of your personal data, you can contact us directly. We will respond within 30 days of receiving your request.

For information about the use of cookies and tracking tools, please see our Cookie Policy.

08

Entities processing data on our behalf

Pursuant to art. 28 GDPR, the Controller relies on the following data processors (sub-processors) to deliver the museum's services:

  • Supabase Inc. — Database, user authentication, edge functions. User access data and user-generated content (comments, preferences) are stored and processed through the Supabase infrastructure.
  • Cloudflare Inc. — Website hosting (Cloudflare Pages), CDN, DDoS protection, privacy-friendly web analytics. Cloudflare Web Analytics does not use cookies and does not collect personally identifiable data.
  • Stripe Inc. — Payment processing and donation management. This service is currently disabled; no payment data is being collected or transmitted at this time.
  • esm.sh — CDN service for loading JavaScript libraries required for authentication functionality. It does not collect personal data beyond the IP address transmitted with the HTTP request. Infrastructure: global.

Each processor operates under a dedicated Data Processing Agreement that governs its obligations and safeguards pursuant to art. 28 GDPR.

09

Where your data is transferred

Some of the services we rely on are headquartered in the United States of America. The transfer of personal data to such third countries takes place in compliance with Chapter V of the GDPR and on the basis of the following safeguards:

| Service | Headquarters | Function | Safeguards |
|---|---|---|---|
| Supabase Inc. | San Francisco, USA | Database, authentication, edge functions | Data Processing Agreement, SOC 2 Type II certification, EU-US Data Privacy Framework |
| Cloudflare Inc. | San Francisco, USA | CDN, hosting (Pages), DDoS protection, Web Analytics | Data Processing Agreement, Standard Contractual Clauses (SCC), ISO 27001 certification |
| Stripe Inc. | San Francisco, USA | Payment processing and donations | Data Processing Agreement, PCI DSS Level 1 certification, EU-US Data Privacy Framework |
| esm.sh | Global infrastructure | CDN for JavaScript libraries | Technically necessary for site operation |

These transfers are carried out on the basis of one or more of the following safeguards:

  • EU adequacy decisions, where applicable to the destination country.
  • Standard Contractual Clauses (SCC) pursuant to art. 46(2)(c) GDPR, as approved by the European Commission.
  • EU-US Data Privacy Framework for services whose provider is certified under that regulatory framework.

10

Data Protection Officer (DPO)

The Data Controller is not required to appoint a Data Protection Officer (DPO) under art. 37 GDPR, as it does not carry out large-scale processing of special categories of personal data nor regular and systematic monitoring of data subjects.

For any data protection enquiries, please contact the Controller at:

Data protection contact

[email protected]

Automated decision-making and profiling

This website does not employ automated decision-making processes or profiling within the meaning of art. 22 GDPR.