Privacy and Cookie Policy
Last updated: June 6, 2026
This Privacy and Cookie Policy defines the methods by which the In Memorio portal (hereinafter: “Portal”) collects, processes, and protects the personal data of Users, as well as which cookies are used within the Portal.
§ 1
Data Controller
1.1. The Controller of the personal data of Users of the In Memorio portal is the Portal Operator.
1.2. The Controller can be contacted via the contact form available on the Portal site or via email.
1.3. The Controller has appointed a Data Protection Officer (DPO), who can be contacted for all matters relating to the processing of personal data.
§ 2
Legal Basis
2.1. Personal data are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the current provisions of Italian law.
2.2. The legal bases for data processing include: the consent of the User (Art. 6(1)(a) GDPR), the performance of a contract (Art. 6(1)(b) GDPR), compliance with a legal obligation (Art. 6(1)(c) GDPR), and the legitimate interest of the Controller (Art. 6(1)(f) GDPR).
§ 3
Scope and Purpose of Processing
3.1. The following personal data are collected within the Portal:
- Account data: email address, display name, password (stored in encrypted form),
- Memorial profile data: first and last name of the deceased, dates, biography, photos, memories,
- Transactional data: information on purchased Premium services (processed by the external payment provider),
- Technical data: IP address, browser type, operating system, event logs.
3.2. Purposes of personal data processing:
- provision of electronic services,
- creation and management of the User account,
- processing payments for Premium services,
- communication with the User,
- guaranteeing Portal security and content moderation,
- statistical analysis and improvement of service quality,
- establishment, exercise, or defense of legal claims.
§ 4
Cookies
4.1. The Portal uses cookies to ensure site functionality, improve service quality, and analyze traffic.
4.2. Types of cookies used:
- Necessary (Essential): required for the correct functioning of the Portal, including session authentication and security. These cannot be disabled.
- Analytics: help us understand how Users use the Portal, allowing us to improve its functionality. These are optional.
- Functional: allow us to remember settings and preferences selected by the User. These are optional.
4.3. The User has the right to manage cookies at any time through their browser settings and through the cookie consent panel available on the site.
4.4. Restricting the use of cookies may affect the Portal's functionality.
§ 5
Data Recipients and Transfers outside the EEA
5.1. Personal data of Users may be transmitted to entities that process data on behalf of the Controller, in particular:
- hosting and cloud service providers,
- electronic payment service providers,
- analytical service providers,
- entities providing technical support services.
5.2. The Controller may transfer personal data outside the European Economic Area (EEA) only on the basis of adequate legal safeguards, such as standard contractual clauses or adequacy decisions of the European Commission.
§ 6
User Rights
6.1. Under the GDPR, the User has the following rights:
- Right of access to their personal data,
- Right to rectification of inaccurate or incomplete data,
- Right to erasure (“right to be forgotten”) — subject to the Controller's legal obligations,
- Right to restriction of processing of data,
- Right to data portability to another controller,
- Right to object to processing based on legitimate interest,
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal,
- Right to lodge a complaint with the Data Protection Authority or other competent supervisory authority.
6.2. To exercise these rights, the User must contact the Controller via the contact details provided in § 1.
6.3. The Controller handles User requests promptly, within one month of receipt. In case of complex requests, this period may be extended by two further months, following communication to the User.
§ 7
Data Retention Period
7.1. Personal data are kept for the period necessary to achieve the purposes indicated in this Policy, and in particular:
- account data — until the account is deleted by the User or upon request for deletion,
- memorial profile data — for the duration of the profile, unless the User requests its erasure,
- transactional data — for the period required by tax regulations (10 years in Italy),
- technical data and logs — for a period of 30 days, unless prolonged retention is necessary for security reasons.
§ 8
Data Security
8.1. The Controller adopts appropriate technical and organizational measures to ensure the protection of the personal data processed, including connection encryption (SSL/TLS), authentication and authorization mechanisms, and regular backups.
8.2. User passwords are stored in encrypted form using modern cryptographic algorithms.
8.3. The Controller does not sell or share Users' personal data with third parties for marketing purposes without the User's express consent.
§ 9
Changes to the Privacy Policy
9.1. The Controller reserves the right to make changes to this Privacy Policy. Changes come into effect from the date of publication on the Portal.
9.2. Users will be informed of substantial changes via email or through a notice on the Portal.
9.3. Use of the Portal after the introduction of changes implies acceptance of the new version of the Privacy Policy.