Privacy Policy
1. About this Policy
This Privacy Policy explains how Rinoova S.r.L. ("Rinoova", "we", "us") processes personal data through the Rifesta service (the "Service"), available at rifesta.com and related subdomains. It applies to event organizers, their guests, and visitors to our websites. Terms such as "personal data", "processing", "controller" and "processor" have the meaning given by Regulation (EU) 2016/679 ("GDPR").
2. Data Controller
Rinoova S.r.L., VAT no. IT18432621003, registered office: Via Jacopo della Quercia 32, 00155 Roma (RM), Italy. Privacy contact: legal@rinoova.com.
Rinoova has not appointed a Data Protection Officer, as it is not required to do so under Article 37 GDPR; privacy enquiries are handled at the contact above.
3. Our two roles: Controller and Processor
Rinoova acts in two distinct capacities:
- As a data controller for account and authentication data, billing data, security and audit logs, website analytics and direct communications. This Policy governs that processing.
- As a data processor for the event content (photos, videos and related metadata) that guests upload to an event. For that content the event organizer is the data controller; Rinoova processes it solely on the organizer's documented instructions under a Data Processing Agreement (see /dpa). Guests should also refer to the privacy information provided by the organizer of their event.
4. Personal data we process
- Account data: name, email address, hashed password, email-verification and consent records, language preference.
- Authentication data: if you sign in with Google, Meta (Facebook) or Apple, we receive your email, name and a provider account identifier; we also keep session and device records.
- Event content: photos, videos and their embedded metadata (e.g. EXIF capture time and, where present, device or location data). This content may depict identifiable individuals.
- Billing data: for paid plans, subscription and payment status. Card details are handled directly by Stripe and are not stored by Rinoova.
- Usage and technical data: IP address, device and browser information, application logs, security events and aggregated technical metrics.
- Cookie data: see our Cookie Policy.
We do not deliberately collect special categories of data. Photographs may incidentally reveal such information; we process them only to the extent necessary to provide the Service.
5. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service, manage your account | Performance of a contract |
| Process payments and manage subscriptions | Performance of a contract |
| Security, abuse prevention, audit logging, service improvement | Legitimate interest |
| Analytics and other non-essential cookies | Consent |
| Compliance with legal obligations (accounting, lawful requests) | Legal obligation |
| Marketing communications, where you opt in | Consent |
You may withdraw consent at any time, without affecting the lawfulness of processing carried out beforehand.
6. Cookies and analytics
We use a minimal set of cookies. Non-essential analytics cookies (Google Analytics 4) are loaded only after you give consent through our cookie banner. Full details, including cookie names and durations, are in our Cookie Policy.
7. Recipients and sub-processors
We share personal data only with service providers that process it on our behalf, under contract and with appropriate safeguards:
| Provider | Role | Data | Location |
|---|---|---|---|
| Cloudflare R2 | Media object storage | Event content | EU region |
| OVHcloud | Hosting, compute and database | All application data | European Union (EEA) |
| Stripe | Payments and billing | Billing data | Ireland / USA |
| Google (Google Workspace) | Transactional email delivery | Email address, message content | EU / USA |
| Google LLC — Google Analytics 4 | Website analytics | Cookie and usage data, pseudonymous identifiers | USA |
| Google LLC — Google Photos | Optional photo export, activated by the organizer | Event content | USA |
| Google / Meta / Apple | OAuth sign-in, only if you use it | Email, name, account identifier | USA |
We do not sell personal data and do not share it for behavioural advertising.
8. International transfers
Some recipients are located outside the EEA, notably Google LLC in the United States. Such transfers are protected by the European Commission's Standard Contractual Clauses and, where applicable, by the recipient's certification under the EU-US Data Privacy Framework. You can request a copy of the relevant safeguards by writing to legal@rinoova.com.
9. Retention
- Account data: kept while your account is active; deleted or anonymized after an account-deletion request.
- Event content: retained for the period set by the organizer's plan — 30, 180 or 365 days after the event — then deleted. Upload originals are transitory and removed shortly after processing or synchronization.
- Security and audit logs: personal identifiers (email, IP, user agent) are redacted after 24 months; consent records are kept as long as needed to evidence compliance.
- Backups: deleted data may persist in encrypted backups for a limited period before rotation.
10. Your rights (EEA / UK)
You have the right to access, rectify, erase, restrict and port your personal data, to object to processing based on legitimate interest, and to withdraw consent. You can exercise the most common rights directly from your account (data export, marketing preferences) or by writing to legal@rinoova.com. We respond within one month, extendable by two further months for complex requests.
You also have the right to lodge a complaint with a supervisory authority — in Italy, the Garante per la protezione dei dati personali (www.garanteprivacy.it). For event content, please address access and erasure requests to the relevant event organizer, who is the controller of that content.
11. Notice to California residents (CCPA / CPRA)
If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, to delete it, to correct it, and to opt out of its "sale" or "sharing".
We do not knowingly sell or share the personal information of consumers under 16 years of age. We will not discriminate against you for exercising your rights. Requests, including those submitted by an authorized agent, can be made at legal@rinoova.com; we verify requests against your account information.
12. Automated decision-making
We do not carry out automated decision-making or profiling that produces legal effects, or similarly significant effects, concerning you.
13. Security
We apply appropriate technical and organizational measures, including encryption in transit, tenant isolation at database level (row-level security), hashed passwords, encrypted storage of third-party tokens, an immutable audit log and least-privilege access. No system is completely secure; in the event of a personal data breach we act in accordance with Articles 33-34 GDPR.
14. Minors
The Service is not directed to children, and accounts must not be created for minors below the applicable age of digital consent. Photographs taken at events may depict minors: the event organizer is responsible for having an appropriate legal basis to upload such images, and every uploader warrants that they hold the necessary rights and permissions (see the Terms of Service).
15. Changes to this Policy
We may update this Policy. Material changes are notified at least 30 days in advance and the document version is updated; where a change affects registered users, you may be asked to acknowledge or re-accept it before continuing to use the Service.
16. Contact
Rinoova S.r.L. — legal@rinoova.com. Security matters: rifesta@rinoova.com.
The English and Italian versions of this Policy are authoritative; versions in other languages are provided for convenience and, in case of discrepancy, the English version prevails.