Privacy Notice

How we handle your data.

Last update: 7 May 2026 · Pursuant to EU Reg. 2016/679 (GDPR) and Italian Legislative Decree 196/2003

1. Data controller

Eleonora Brilli
Sole proprietorship
Registered office: Via Padre Giovanni Battista Martini 12/A — 20131 Milan (MI), Italy
VAT: 10801540963
Email

No Data Protection Officer (DPO) has been appointed since the conditions requiring designation do not apply (Art. 37 GDPR). For any data-protection request please write to the address above.

2. Data we collect

The landing page mida.club only collects the data you voluntarily provide by completing the beta sign-up form. Specifically:

Step 1 — email only

Step 2 — profile completion

We do not collect any data falling under special categories under Art. 9 GDPR (health, biometric, etc.). Any information about skin type or cosmetic routine handled in the future app is not part of this landing-page collection.

3. Purposes and legal bases

Purpose | Legal basis | Retention
Manage your enrolment in the Mida private beta program and contact you with the beta invite | Pre-contractual measures at your request — Art. 6 §1 (b) GDPR | Up to 24 months from sign-up, unless earlier deletion is requested
Service-related communications about the beta (invite, download instructions, fixes, service notices) | Pre-contractual measures — Art. 6 §1 (b) GDPR | Throughout the beta program + 12 months thereafter
Promotional communications about Mida (newsletter, launch, offers) — only if you ticked the marketing flag | Explicit consent — Art. 6 §1 (a) GDPR. Withdrawable at any time. | Until consent is withdrawn
IT security, fraud and abuse prevention (e.g. automated sign-ups) | Legitimate interest of the Controller — Art. 6 §1 (f) GDPR | 6 months (logs)
Statutory compliance (authority requests, litigation) | Legal obligation — Art. 6 §1 (c) GDPR | As required by applicable law

Note on the marketing flag: we currently use it only for transactional beta communications (invite, instructions). The flag is therefore conservative: even with consent, you will not receive promotional newsletters until Mida launches publicly. When the service is operational you will receive prior notice and may object.

4. Processing methods

Data is processed with electronic tools, mostly automated, applying technical and organisational security measures appropriate to the risk (TLS encryption in transit, restricted database access, scoped-token authentication, logs and audit). We do not perform profiling or automated decision-making producing legal effects on you (Art. 22 GDPR).

5. Recipients

Your data may be accessible to the third parties listed below, each appointed Data Processor under Art. 28 GDPR (or independent Controller where applicable):

Provider | Function | Location
Google Cloud EMEA Ltd / Google LLC | Hosting (Cloud Run, Artifact Registry, Secret Manager) | United States — region us-central1 (Iowa)
Supabase Inc. | Managed PostgreSQL database (storage of all collected fields) | United States
Monogram CMS Inc. (Directus self-hosted) | Open-source CMS software running on the Google Cloud infrastructure listed above |
Google Ireland Ltd | Google Workspace — @mida.club mailboxes and intake of GDPR requests | Ireland (EU) with international sub-processors
Google LLC (Google Fonts) | Typographic font CDN. Google may receive your IP when the page loads | United States
OVH SAS | Domain registrar of mida.club (no access to sign-up data) | France (EU)
TikTok Technology Limited / TikTok Inc. | Advertising pixel for campaign measurement and retargeting — active only with your prior marketing consent | Ireland (EU) and United States

Your data is not sold or transferred to third parties for commercial purposes.

6. Transfers outside the EU

Part of the technical infrastructure (Google Cloud Run and Supabase database) is located in the United States. Such transfer is based on the following safeguards:

You can request a copy of the standard contractual clauses by writing to .

7. Your rights

Pursuant to Articles 15–22 GDPR you may at any time, free of charge:

To exercise your rights, write to . We will respond within 30 days; in complex cases the deadline may be extended by a further two months (Art. 12 §3 GDPR).

8. Lodging a complaint

If you believe the processing of your data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) or with the supervisory authority of your usual place of residence in the EU.

9. Cookies and tracking

For normal browsing the site uses only functional technical cookies (language and storage of your consent choice). TikTok profiling cookies are installed only if you consent to marketing by ticking the relevant box in the sign-up form; you can withdraw your consent at any time (Art. 7 §3 GDPR) by clearing the cookies from your browser or writing to us. For details on third-party services see the Cookie Policy.

10. Changes to this notice

This notice may be updated. The date of the last revision is shown above. Material changes will be communicated by email.