How we handle your data.
1. Data controller
No Data Protection Officer (DPO) has been appointed since the conditions requiring designation do not apply (Art. 37 GDPR). For any data-protection request please write to the address above.
2. Data we collect
The landing page mida.club only collects the data you voluntarily provide by completing the beta sign-up form. Specifically:
Step 1 — email only
- Email address
- Form source (for internal analytics, e.g. "hero", "footer")
- Browser user-agent and sign-up timestamp (technical security logs)
- Language chosen at sign-up (so we can email you in the right language)
Step 2 — profile completion
- First and last name
- Smartphone type (iOS / Android)
- Phone number (with international prefix) for future WhatsApp communication
- Consents: Terms of Service, Privacy Policy, optional marketing flag
- Consent acceptance timestamps
We do not collect any data falling under special categories under Art. 9 GDPR (health, biometric, etc.). Any information about skin type or cosmetic routine handled in the future app is not part of this landing-page collection.
3. Purposes and legal bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Manage your enrolment in the Mida private beta program and contact you with the beta invite | Pre-contractual measures at your request — Art. 6 §1 (b) GDPR | Up to 24 months from sign-up, unless earlier deletion is requested |
| Service-related communications about the beta (invite, download instructions, fixes, service notices) | Pre-contractual measures — Art. 6 §1 (b) GDPR | Throughout the beta program + 12 months thereafter |
| Promotional communications about Mida (newsletter, launch, offers) — only if you ticked the marketing flag | Explicit consent — Art. 6 §1 (a) GDPR. Withdrawable at any time. | Until consent is withdrawn |
| IT security, fraud and abuse prevention (e.g. automated sign-ups) | Legitimate interest of the Controller — Art. 6 §1 (f) GDPR | 6 months (logs) |
| Statutory compliance (authority requests, litigation) | Legal obligation — Art. 6 §1 (c) GDPR | As required by applicable law |
Note on the marketing flag: we currently use it only for transactional beta communications (invite, instructions). The flag is therefore conservative: even with consent, you will not receive promotional newsletters until Mida launches publicly. When the service is operational you will receive prior notice and may object.
4. Processing methods
Data is processed with electronic tools, mostly automated, applying technical and organisational security measures appropriate to the risk (TLS encryption in transit, restricted database access, scoped-token authentication, logging and auditing). We do not perform profiling or automated decision-making producing legal effects on you (Art. 22 GDPR).
5. Recipients
Your data may be accessible to the third parties listed below, each appointed as Data Processor under Art. 28 GDPR (or acting as independent Controller where applicable):
| Provider | Function | Location |
|---|---|---|
| Google Cloud EMEA Ltd / Google LLC | Hosting (Cloud Run, Artifact Registry, Secret Manager) | United States — region us-central1 (Iowa) |
| Supabase Inc. | Managed PostgreSQL database (storage of all collected fields) | United States |
| Monogram CMS Inc. (Directus self-hosted) | Open-source CMS software running on the Google Cloud infrastructure listed above | — |
| Google Ireland Ltd | Google Workspace — @mida.club mailboxes and intake of GDPR requests | Ireland (EU) with international sub-processors |
| Google LLC (Google Fonts) | Typographic font CDN. Google may receive your IP when the page loads | United States |
| OVH SAS | Domain registrar of mida.club (no access to sign-up data) | France (EU) |
| TikTok Technology Limited / TikTok Inc. | Advertising pixel for campaign measurement and retargeting — active only with your prior marketing consent | Ireland (EU) and United States |
Your data is not sold or transferred to third parties for commercial purposes.
6. Transfers outside the EU
Part of the technical infrastructure (Google Cloud Run and Supabase database) is located in the United States. Such transfer is based on the following safeguards:
- EU-US Data Privacy Framework — European Commission adequacy decision of 10 July 2023 (Google LLC is certified).
- Standard Contractual Clauses (SCC) — EU Implementing Decision 2021/914 signed with Google Cloud and Supabase.
- TikTok — data collected by the advertising pixel (only with consent) may be transferred to the United States on the basis of the Standard Contractual Clauses adopted by TikTok.
- Additional technical measures: encryption at rest and in transit, access limited to the minimum necessary, least-privilege principle.
You can request a copy of the standard contractual clauses by writing to info [at] mida [dot] club.
7. Your rights
Pursuant to Articles 15–22 GDPR you may at any time, free of charge:
- Access the personal data concerning you (Art. 15)
- Rectify inaccurate or outdated data (Art. 16)
- Request erasure of your data ("right to be forgotten") where retention is no longer necessary (Art. 17)
- Obtain restriction of processing (Art. 18)
- Receive your data in a structured, commonly used format (portability, Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw previously given consent at any time (Art. 7 §3)
To exercise your rights, write to info [at] mida [dot] club. We will respond within 30 days; in complex cases the deadline may be extended by a further two months (Art. 12 §3 GDPR).
8. Lodging a complaint
If you believe the processing of your data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) or with the supervisory authority of your usual place of residence in the EU.
9. Cookies and tracking
For normal browsing the site uses only functional technical cookies (language and storage of your consent choice). TikTok profiling cookies are installed only if you consent to marketing by ticking the relevant box in the sign-up form; you can withdraw your consent at any time (Art. 7 §3 GDPR) by clearing the cookies from your browser or writing to us. For details on third-party services see the Cookie Policy.
10. Changes to this notice
This notice may be updated. The date of the last revision is shown above. Material changes will be communicated by email.