Privacy Policy

Updated: April 25, 2026 · Version 1.0

In brief

We don't sell your data. We don't use tracking cookies. We only save what is necessary to help you find your beach. You can delete everything with an email.

1. Who we are (Data Controller)

QualeSpiaggia is a service of CAPITA srl, based in Lecce, Italy. For privacy questions, write to privacy@qualespiaggia.com.

2. Data we collect

We collect only the data strictly necessary for the service. No advertising profiles.

  • Email. When you subscribe to the newsletter, activate the Pro trial, or log in via magic link. Saved in Supabase DB (EU server).
  • Google Identity (optional). If you log in with "Continue with Google", we receive email + name from your Google account. No other data.
  • Payment data. Name, email, address, VAT number (for invoice) are processed directly by Stripe. We do not see or store card data. We only see: Stripe customer ID + subscription status.
  • Location (optional). If you authorize it in the browser/app, to show you nearby beaches. Remains on your device, never sent to our servers.
  • Beach favorites. Saved locally on your device (localStorage). Never sent to our servers.
  • Anonymous analytics. Google Analytics 4 in Consent Mode v2 with analytics_storage: denied by default — thus no cookies, no user ID, anonymized IP. We only measure aggregate metrics (page view, duration).
  • Anonymous beach view counts. For the badge "X people viewed it today" we only save the aggregate number of views per slug per day. No IP, no cookies, no identifiers.

3. External data processors

To provide the service, we use these processors (all GDPR-compliant):

  • Vercel Inc. — hosting + edge runtime (USA, GDPR coverage via SCC).
  • Supabase Inc. — email subscriber database (EU server Frankfurt).
  • Resend Inc. — transactional email delivery (USA, GDPR coverage).
  • Stripe, Inc. / Stripe Payments Europe Ltd. — payments (Ireland, direct GDPR).
  • Google Ireland Ltd. — Analytics 4 (Consent Mode v2, analytics_storage denied) + optional OAuth login.
  • OpenStreetMap Foundation — map tiles (UK).

4. Cookies and storage

Name | Purpose | Duration
qs_session | Authenticated session (signed JWT) | 30 days
qs_consent | Cookie consent | 6 months
qs_oauth_state | CSRF token Google OAuth | 10 minutes
salento_lang | Preferred language | 1 year (localStorage)
salento_favorites | Beach favorites | persistent (localStorage)

5. Legal basis and purposes

  • Contract execution (art. 6.1.b GDPR) — to manage subscription, trial, Pro memberships.
  • Consent (art. 6.1.a GDPR) — for the newsletter (single/double opt-in with email confirmation) and analytics when authorized.
  • Legitimate interest (art. 6.1.f GDPR) — for anonymous aggregate measures (beach view counts, abuse prevention).

6. Data retention

  • Email subscribers: until unsubscribed (link in every email) or deletion request.
  • Stripe events (idempotency): 12 months.
  • Anonymous view counts: 30 days (automatically deleted).
  • Magic link tokens: 15 minutes (deleted after use or expiration).

7. Your rights (GDPR)

You have the right to: access, rectification, deletion, portability, objection, restriction of processing. To exercise them, write to privacy@qualespiaggia.com — we respond within 30 days. You have the right to complain to the Italian Privacy Authority (www.garanteprivacy.it).

Self-service deletion (right to be forgotten): every QualeSpiaggia email contains a "Delete my data" link that leads to /api/v1/erase, which immediately anonymizes the account without you needing to write to us. For more complex requests (data portability, rectification, objection), continue to write to privacy@qualespiaggia.com.

To cancel your Pro subscription, use the Stripe Customer Portal accessible from Stripe emails or by writing to us at privacy@qualespiaggia.com.

8. Changes

If we change something significant, we will notify you with a banner on the homepage for 30 days and via email to those subscribed to the newsletter.
