Vora Privacy Policy
Version: 3.2.1
Effective Date: 13 May 2026
Last Updated: 26 May 2026
Authoritative Language: Italian. Courtesy English translation at privacy-policy.it.md. In case of conflict the Italian version prevails.
Notice provided under Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 30 June 2003 no. 196 ("Italian Privacy Code") as amended by Legislative Decree 10 August 2018 no. 101, and - for data subjects resident in third jurisdictions - under the equivalent laws (UK GDPR + DPA 2018, Swiss FADP, Brazilian LGPD, California CCPA/CPRA, Canadian PIPEDA, Australian Privacy Act 1988, etc.).
Preamble - the Company is Italian, the Platform is Global
Vora S.r.l. is an Italian-law company with registered office in Italy. The Vora Platform is, however, technically accessible globally and processes personal data of data subjects resident in numerous jurisdictions. This notice adopts an Italian-prevailing posture (authoritative Italian language, GDPR Articles 13-14 as base schema) but recognises and applies the additional rights provided by the laws applicable in the country of habitual residence of each data subject. See §§ 7, 8 below.
Per-region data-residency posture (summary):
| Data-subject region | Primary hosting | Cross-region transfers | Transfer mechanism |
|---|---|---|---|
| EU / EEA | AWS eu-west-1 (Ireland) | Limited US operational access (Resend, Google OAuth, edge CDN) | EU SCC 2021/914 Module 3 + DPF where applicable |
| United Kingdom | AWS eu-west-1 (Ireland) | Same as EU | UK IDTA B1.0 + EU SCC |
| Switzerland | AWS eu-west-1 (Ireland) | Same as EU | EU SCC adapted for FADP |
| US (California and other states) | AWS eu-west-1 (Ireland) | EU→US transfer with SCC | SCC + no CCPA "sale/share" |
| Brazil | AWS eu-west-1 (Ireland) | Extra-BR transfer | LGPD Article 33 specific clauses |
| Other jurisdictions | AWS eu-west-1 (Ireland) | Case-by-case | Local mechanism + EU SCC as baseline |
1. Controller Identity and Contacts
Vora S.r.l.
Registered office: Viale Certosa 218, 20156 Milan (MI), Italy
Tax Code / VAT: IT14762180967
REA: Milan (registration pending)
Privacy email: privacy@voiceofthenewera.com
PEC: available in the Companies' Register
The Company has not appointed a Data Protection Officer (DPO) under Article 37 GDPR, not falling within the mandatory cases. Voluntary appointment remains available upon reasoned request.
EU / UK / Brazil representatives. Absent a formal duty to appoint representatives under Articles 27 GDPR / UK GDPR / LGPD (assessed case by case), the Company as an EU-established company designates itself as the point of contact; for requests from UK, Brazilian or other third-jurisdiction data subjects, the contact point is privacy@voiceofthenewera.com.
2. Roles - the Company as Controller, Processor, or Co-Controller
The Vora Platform operates on a dual-role structure, under both GDPR and the equivalent laws (UK GDPR; LGPD - controlador/operador; CCPA - business/service provider; PIPEDA - organisation/third-party-processor; etc.):
2.1 The Company is independent controller (Article 4(7) GDPR; LGPD controlador; CCPA business; PIPEDA organisation) of the following processing:
a) account data of customer organisations' representatives (first name, last name, email, hashed password) for registration, authentication, and contract-relationship management purposes;
b) billing data of customer organisations (company name, VAT, address, tokenised payment data) for contract performance and tax-compliance purposes;
c) security and technical audit logs (IP addresses, login timestamps, user-agents, system events) for IT security, fraud prevention, abuse investigation purposes;
d) End-User account data (email, hashed password, optionally name) for personal authentication and preferences management, regardless of the specific initiative joined.
2.2 The Company is data processor (Articles 4(8) and 28 GDPR; LGPD operador; CCPA service provider; UK GDPR processor; PIPEDA processor) of the data that Customer Organisations collect, process and store in their spaces on the Platform as controllers:
a) the content of submitted ideas, cast votes, and End-User comments in the Customer space;
b) participant identities collected by the Customer Organisation for purposes connected to its initiative (e.g., mailing lists, profiling for prize delivery);
c) reward and prize data attributed by the Customer Organisation to participants.
"Processing on behalf of" is governed by the DPA (Data Processing Agreement) signed with each customer organisation: dpa.en.md, with the SCC Annex dpa-annex-sccs.en.md for international transfers.
2.3 The Company and the Customer Organisation may be co-controllers (Article 26 GDPR; co-controllers in the equivalent jurisdictions) in limited cases, e.g., when the Space Owner activates the opt-in voter-identity-sharing feature (field Vote.share_identity_with_org). In such case, the user has given explicit consent to disclose their identity to the promoter; recording of such consent and management of the "share → revoke" flow are jointly operated by the Company and the promoter. The split of responsibilities is described in dpa.en.md § 4.
3. Categories of Data Processed
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Account data | email, password (hashed with bcrypt/argon2), optional name | User-provided or via Google OAuth | Authentication, account management |
| Profile data | language preferences, profile picture (opt-in), XP badges | User-provided | Personalisation |
| Interaction data | votes cast, ideas submitted, comments, challenge participation | Generated by use | Service delivery, blockchain audit |
| Technical data | IP address, user-agent, session cookies, system logs | Automatically generated during navigation | Security, fraud prevention, compliance |
| Billing data (B2B Customer only) | company name, VAT, address, payment tokens | Customer-provided | Tax and accounting compliance |
| Image data (opt-in) | photos attached to ideas, user avatars | User-uploaded | Service delivery. Encrypted at-rest in PostgreSQL BYTEA with application-layer AES-256-GCM before writing. |
| Blockchain-certified vote data | keccak256 cryptographic hash, timestamp, proposal identifier | Generated on vote | Immutable audit log and verifiability. No direct personal data is written on-chain. See § 5.3. |
| Identity-sharing data (opt-in) | voter name, email shared with the promoter at the moment of voting | Upon explicit consent under Article 7 GDPR / Article 8 LGPD / equivalents | Vote-to-voter traceability for the promoter |
| Social-media and promotional data (opt-in) | social-media handles or URLs, public profile name, submitted idea title and images featured on the Company's own channels | User-provided (space Settings for Customers; profile for participants) | Promotion of the Platform, spaces and Idea Challenges on the Company's official social-media channels. Legal basis: consent (participants) or contract/legitimate interest (Customer representatives). See Section 4. |
The Company does not process special categories of data under Article 9 GDPR (health, biometric, sexual-orientation data, etc.) - nor sensitive personal information CCPA, nor dados pessoais sensíveis LGPD - within standard Service delivery. Should a Customer organisation decide to collect such data through its own space, the Customer assumes full controller responsibility.
4. Purposes and Legal Bases
| Purpose | GDPR legal basis (Art. 6) | Equivalent basis in other jurisdictions | Retention |
|---|---|---|---|
| Performance of the Service contract (account, space management, vote) | Art. 6(1)(b) - contract performance | LGPD Art. 7-V; CCPA - business purpose | Term of contract + 10 years for tax obligations (Art. 2220 ICC) |
| Compliance with tax, accounting, anti-money-laundering obligations | Art. 6(1)(c) - legal obligation | LGPD Art. 7-II; CCPA - legal obligation | 10 years |
| IT security, abuse prevention, audit | Art. 6(1)(f) - legitimate interest | LGPD Art. 7-IX; CCPA - business purpose security | 12 months (generic logs); 24 months (security events) |
| Direct marketing on similar products (B2B) | Art. 6(1)(f) - legitimate interest under Rec. 47 GDPR | LGPD Art. 7-IX; CCPA - opt-out right applicable | Until objection (opt-out) |
| Newsletter, promotional communications (B2C) | Art. 6(1)(a) - consent | LGPD Art. 7-I; CCPA - consent where required | Until revocation |
| Blockchain vote audit log | Art. 6(1)(b) and (f) | LGPD Art. 7-V and 7-IX | Indefinite (on-chain hash) - see § 5 |
| Voter identity sharing with promoter (opt-in) | Art. 6(1)(a) - explicit consent | LGPD Art. 7-I + Art. 8; CCPA opt-in consent for sharing (where qualified) | Until revocation; consent record archived 10 years |
| Promotional use of social handles and submitted content on the Company's own social-media channels | Art. 6(1)(a) consent (participants); Art. 6(1)(b)/(f) contract or legitimate interest (Customer organisation accounts). Image use also under Artt. 96-97 L. 633/1941 and Art. 10 ICC. | LGPD Art. 7-I (consent) / Art. 7-IX; CCPA consent where required | Until withdrawal of consent or removal of the links; published third-party posts remain subject to the relevant platform |
4-bis. Promotional use of social profiles and submitted content
Where you provide social-media links (in space Settings, for Customer organisations, or in your participant profile) and, for participants, give the specific opt-in permission described in the End-User Terms Article 3.5, the Company and the organisation running the relevant Idea Challenge or space (the "Promoter") may mention, tag, link and feature your handle, name, submitted idea title and images on the Company's and the Promoter's own official social-media channels, to promote the Platform and the relevant space or Idea Challenge. For participants this processing is based on consent and may be withdrawn at any time by removing your links or writing to privacy@voiceofthenewera.com; withdrawal operates for the future only. When the Company publishes such content on third-party platforms (for example Instagram, TikTok, X/Twitter, YouTube, Facebook), those platforms act as independent controllers of the data they receive under their own privacy policies.
5. Specific Processing - Blockchain and Immutability
5.1 The Company certifies every vote on a public blockchain network (Base L2 for Starter/Growth/Pro; Ethereum Mainnet for Enterprise plans).
5.2 Only a cryptographic digest (keccak256) is written to the distributed ledger together with the timestamp and proposal identifier; no direct personal data of the user is written on-chain.
5.3 Qualification of on-chain hash as non-personal data. Consistently with the practice of the Italian Data Protection Authority (in particular 2019 FAQ on blockchain-GDPR integration), with the European Data Protection Board (EDPB) guidance and with the working paper of several national regulators (CNIL 2018 note on blockchain), the Company qualifies the irreversible keccak256 cryptographic hash written on-chain as non-personal data within the meaning of Article 4(1) GDPR, by virtue of the technical impossibility of re-identification without access to off-chain linkage data.
5.4 Exercise of the right to erasure (Article 17 GDPR and equivalents). The on-chain record is by its nature immutable: it is technically impossible to delete or modify. The Company exercises the right to erasure by rendering inaccessible and deleting the off-chain linkage data (user identifier and vote metadata stored in the PostgreSQL database); the on-chain hash, devoid of direct identifiers, loses representativeness as to an identifiable person. This approach is consistent with Italian DPA, EDPB and international best-practice guidance on GDPR-blockchain interaction. (N.B.: external opinion from an Italian privacy boutique requested on confirmation of this qualification before public v3.1 release - see Phase 9 of the rollout plan.)
5.5 At-rest encryption of images. Images uploaded by users are stored within the PostgreSQL database as BYTEA with application-layer AES-256-GCM encryption before writing, with master key IMAGE_ENCRYPTION_MASTER_KEY held in AWS SSM Parameter Store SecureString. Image deletion entails deletion of the encrypted tuple; the key does not allow post-deletion decryption.
5.6 The Company retains, off-chain, the linkages between vote, user and proposal for the time necessary for verifiability. On-chain vote deletion is technically impossible but operationally irrelevant once off-chain identifiers are deleted.
6. Recipients and Sub-Processors
Personal data may be communicated to:
Sub-processors (Article 28(2) GDPR and equivalents), authorised by contract:
| Sub-processor | Processing | Registered office | Technical location | Transfer mechanism (see § 7) |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL / AWS Inc. | Compute (AWS App Runner, AWS Lambda) - Vora backend | Luxembourg / USA | AWS EU-West-1 (Ireland) primary; US operational access via support and SCC | AWS DPA + EU SCC 2021/914 Module 3 + AWS Supplementary Addendum + EU-US DPF certification |
| Amazon Web Services EMEA SARL / AWS Inc. | Managed database Aurora Serverless v2 PostgreSQL | Luxembourg / USA | EU-West-1 (Ireland) | Same |
| Amazon Web Services EMEA SARL / AWS Inc. | Amazon S3 storage + CloudFront CDN (public assets, no PII) | Luxembourg / USA | EU (S3 EU-West-1) + global edges for public assets | Same; edge CDN processes only non-personal data |
| Amazon Web Services EMEA SARL / AWS Inc. | Secrets management (SSM Parameter Store SecureString) | Luxembourg / USA | AWS EU-West-1 | Same |
| Resend Inc. | Delivery of transactional emails (welcome, reset password, reward notifications) | United States (Delaware) | USA - EU region delivery to be verified at publish time | EU SCC 2021/914 Module 3 + UK IDTA B1.0 for UK customers + Swiss-FADP SCC for CH customers + EU-US DPF status verification (see note below table) |
| Google Ireland Ltd. + Google LLC | "Sign in with Google" authentication (OAuth 2.0) - token delivery, no profiling | Ireland + USA | EU-bound where technically possible + USA | EU SCC 2021/914 + EU-US DPF certification of Google LLC |
| Anthropic PBC (if AI features active) | Third-party AI models for proposal summarisation and editorial support | United States | USA | EU SCC 2021/914 Module 3 + Anthropic DPA |
| Notaries and chamber-of-commerce officials (CCIAA) | Only upon activation by the Italian customer, for contest rules and closing-of-operations notarial deeds | Italy | Italy | Public official, not sub-processor strictly speaking |
Note - DPF status verification. The EU-US Data Privacy Framework status of Resend Inc. is manually verified at https://www.dataprivacyframework.gov/list at the time of publication of this notice. Where Resend is not DPF-certified at the verification date, EU SCC 2021/914 Module 3 alone constitutes a legally sufficient transfer mechanism; DPF is an additional layer of protection where available.
The Company publishes and keeps an up-to-date list of sub-processors at voiceofthenewera.com/subprocessors.html (under preparation). Customer organisations are notified of any new sub-processor with at least 30 days' advance notice and may object within 15 days under the DPA.
Independent controllers:
- The Company's legal, tax, accounting and audit advisers, where necessary;
- judicial, police or supervisory authorities of any relevant jurisdiction (MIMIT, AGCM, Italian DPA, AdE, GdF in Italy; FTC, IRS, State AGs in the US; ICO, ASA, Gambling Commission in the UK; CNIL in France; ANPD in Brazil; etc.) upon legitimate request;
- acquirers of Vora S.r.l. in M&A transactions, subject to NDA and with prior notice to the user where technically possible;
- third-party social-media platforms (e.g. Meta, TikTok, X, Google/YouTube) when the Company publishes promotional content mentioning or tagging you on its own channels, acting as independent controllers under their own policies.
(Internal note 2026-06-12: drafted + AI-assisted in-house compliance review; NOT reviewed by independent legal counsel - avvocato review recommended before scaling the program or processing real EU customer lead data at volume)
Referral partners (optional). If you sign up using a Vora partner's referral link and you tick the optional "share my details" box, we share your name, email and company name with that partner. The partner is an independent data controller: it uses your details to contact you about its own Vora-related services. The lawful basis for this disclosure is your consent (Art. 6(1)(a) GDPR). The partner may be located outside the EEA; where it is, we rely on an adequacy decision or the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), and on your transfer consent (Art. 49(1)(a)). We share only if you opt in; sharing is never a condition of any discount. You can withdraw at any time (account settings or privacy@voiceofthenewera.com); we stop sharing immediately and instruct the partner to stop processing and delete your data. Withdrawal does not affect sharing already made. We keep a record of your consent and its withdrawal for accountability (Art. 5(2), Art. 7(1) GDPR). The partner must give you its own privacy notice (Art. 14 GDPR) and an unsubscribe option in its messages.
7. International Personal Data Transfers - By Jurisdiction
The Company configures its systems so that primary processing occurs within the European Economic Area (AWS EU-West-1, Ireland). Extra-EU/EEA transfers are limited and governed as follows, based on the data subject's origin jurisdiction:
7.1 General minimisation rule
All main sub-processors (AWS, Google) are contractually bound to host the Company data primarily within the European Economic Area. Extra-EU transfers prove technically necessary only for: (a) Resend Inc. for email delivery; (b) Google OAuth for the authentication flow; (c) Anthropic PBC for AI services where active; (d) CloudFront global edge CDN for public assets without PII; (e) any AWS operational support access from the US under SCC.
7.2 Data subjects resident in EU / EEA
The Standard Contractual Clauses of the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module 3 (processor-to-processor) apply for flows the Company → sub-processors. A copy of the SCCs is available upon request at privacy@voiceofthenewera.com. The SCCs are accompanied by a Transfer Impact Assessment (TIA) compliant with CJEU judgment C-311/18 ("Schrems II") and the supplementary technical measures set out in § 10.
7.3 Data subjects resident in the United Kingdom
The UK International Data Transfer Addendum (IDTA) B1.0 issued on 21 March 2022 by the Information Commissioner's Office (ICO) under section 119A of the Data Protection Act 2018 applies, as an addendum to the EU SCCs under § 7.2. For flows the Company → US sub-processor, the "UK Extension to the EU-US Data Privacy Framework" applies as an alternative where the sub-processor is DPF-certified.
7.4 Data subjects resident in Switzerland
The EU SCCs 2021/914 as adapted for Switzerland under the declaration of the Federal Data Protection and Information Commissioner (FDPIC) of 27 August 2021 and revFADP (revised Federal Act on Data Protection) of 25 September 2020 apply.
7.5 Data subjects resident in Brazil (LGPD)
Specific contractual clauses under Article 33 of Lei 13.709/2018 (LGPD) apply, as integrated into EU SCCs 2021/914 with Brazilian adaptation. LGPD data-subject rights under Article 18 LGPD are exercisable by writing to privacy@voiceofthenewera.com; the national reference authority is the Autoridade Nacional de Proteção de Dados (ANPD - gov.br/anpd).
7.6 Data subjects resident in California (CCPA / CPRA)
(Internal note 2026-06-12: drafted + AI-assisted in-house compliance review; NOT reviewed by independent legal counsel - avvocato review recommended before scaling the program or processing real EU customer lead data at volume)
The Company does NOT sell your personal information for money. The Company does not, and has not in the 12 months preceding this notice, sold personal information for monetary consideration within the meaning of Cal. Civ. Code § 1798.140(ad) ("sell").
The Company "shares" personal information in one limited, opt-in case. If you sign up through a referral partner and tick the optional "share my details" box (see § 6, Referral partners), the Company discloses your name, email and company name to that partner so the partner can market its own Vora-related services to you. Under the CPRA this disclosure for the partner's cross-context / third-party-controller outreach qualifies as a "share" (and may be treated as a "sale") within the meaning of Cal. Civ. Code § 1798.140(ad)-(ah). This only happens where you have affirmatively opted in; the Company does not otherwise sell or share personal information. Accordingly:
a) Do Not Sell or Share My Personal Information. You can opt out of, or withdraw, this referral-partner sharing at any time. The Company honors a "Do Not Sell or Share My Personal Information" request: use your account settings toggle, follow the footer link at voiceofthenewera.com/ccpa-rights.html, or write to privacy@voiceofthenewera.com. The Company also honors recognised browser/global opt-out signals (e.g. GPC) for California residents. Because the referral-partner sharing is off by default and opt-in only, you are never shared unless you choose to be; an opt-out simply confirms or restores the default of no sharing.
b) EU → US transfers to sub-processors (Resend, Google, Anthropic) occur within "service provider" / processor relationships under Cal. Civ. Code § 1798.140(ag) and do not constitute sale or sharing; they are separate from the opt-in referral-partner sharing described above;
c) California data subjects exercise CCPA/CPRA rights (right to know, delete, correct, opt-out of sale/sharing, opt-out of automated decision-making, non-discrimination) by writing to privacy@voiceofthenewera.com or using account settings; the reference authority is the California Privacy Protection Agency (CPPA - cppa.ca.gov). Exercising the opt-out of sharing has no effect on any referral discount or on your use of the Service (no discrimination, Cal. Civ. Code § 1798.125).
7.7 Other jurisdictions
For data subjects resident in other jurisdictions (Canada - PIPEDA; Australia - Privacy Act 1988; Japan - APPI; Singapore - PDPA; South Africa - POPIA; etc.), the Company applies EU SCC 2021/914 as baseline and, where required by local law, additional adequacy mechanisms (e.g., EU adequacy decision for Japan; PIPEDA transfer assessment under PIPEDA Fair Information Principles for Canada; etc.).
8. Data Subject Rights - By Jurisdiction
The data subject may exercise at any time the rights under Articles 15-22 GDPR (for EU/EEA residents) and the equivalent rights provided by the law applicable in their country of habitual residence. Refer to the Section 7 summary in the End-User Terms (end-user-tos.en.md).
Modalities of exercise: write to privacy@voiceofthenewera.com, indicating jurisdiction of residence and right invoked. The Company responds:
- EU/EEA/UK data subjects: within thirty (30) days of the request, extendable by sixty (60) days in complex cases under Article 12(3) GDPR / UK GDPR;
- California data subjects (CCPA): within forty-five (45) days, extendable by a further 45 days with notice to the data subject (Cal. Civ. Code § 1798.130);
- Brazilian data subjects (LGPD): within fifteen (15) days of the request (LGPD Article 19);
- Other jurisdictions: within the deadlines provided by the applicable law, and in any case without undue delay.
Complaint to supervisory authority: under Article 77 GDPR and equivalent provisions, the data subject may file a complaint with the competent authority of habitual residence:
- Italy: Italian Data Protection Authority - Piazza Venezia 11, 00187 Roma - garante@gpdp.it - protocollo@pec.gpdp.it - www.gpdp.it;
- Other EU/EEA states: equivalent national authority (CNIL France, BfDI Germany, AEPD Spain, etc.);
- United Kingdom: ICO - ico.org.uk;
- California: CPPA - cppa.ca.gov;
- Brazil: ANPD - gov.br/anpd;
- other jurisdictions: equivalent national data-protection authority.
Judicial remedy: under Article 79 GDPR and equivalent rules, the data subject may file a claim before the ordinary judicial authority of their residence (for EU/EEA consumers, Article 79(2) GDPR + Regulation 1215/2012 Articles 17-19).
9. Retention
Retention periods are indicated in the table at § 4 and structured as follows:
- Active account: for the entire period of service use;
- Inactive account: automatic deletion after 24 months of documented inactivity, with warning email 30 days in advance;
- Accounting and tax data: 10 years under Article 2220 ICC and D.P.R. 633/1972 (for Italian Customers; for Customers in other jurisdictions, applicable tax-retention terms - e.g., 7 years in many US states, 10 years in Brazil for accounting data, 6 years in the UK under Companies Act 2006 s. 388);
- Generic security logs: 12 months;
- Security event logs (e.g., unauthorised-access attempts): 24 months;
- Security backups: 30 days with at-rest encryption, cyclically overwritten;
- Consent records (e.g., ToS acceptance, identity-sharing opt-in, Promoter Acknowledgement): for the entire duration + 10 years from revocation, in defence of the Company in any jurisdiction's litigation.
10. Security Measures (TOMs)
Summary of technical and organisational measures under Article 32 GDPR (and equivalents - LGPD Article 46, CCPA reasonable security, etc.). Full detail in the DPA.
- At-rest encryption: AES-256 at AWS level (KMS-managed) for Aurora volumes and S3; application-layer AES-256-GCM for user images in PostgreSQL BYTEA (master key in SSM Parameter Store SecureString).
- In-transit encryption: TLS 1.2+ mandatory on all public endpoints; modern cipher suites (ECDHE / AES-GCM / ChaCha20).
- Access control: AWS IAM least-privilege; MFA mandatory for the Company administrators; network isolation (Aurora in private subnet); credentials rotated via SSM.
- Audit log: structured JSON logging (structlog); CloudWatch + 90-day retention; application-level personal-data access logging.
- Backup: automatic Aurora snapshots with retention; EBS volume backups via Data Lifecycle Manager (DLM); restore tested.
- Resilience: multi-AZ serverless architecture; automatic Aurora failover; global CDN; rate limiting; layer-7 DDoS protection.
- Application security: code review; SAST / dependency scanning; separated staging environment; dev/prod data segregation.
- Personnel: contractual NDA; production-data access on "need-to-know" basis; periodic privacy + security training.
11. Data Breach Notification
In case of a personal data breach under Articles 33-34 GDPR (and equivalent provisions):
- The Company notifies the competent supervisory authority within 72 hours of becoming aware, where the breach presents a risk to the rights and freedoms of natural persons; the deadlines vary by jurisdiction (UK GDPR - 72 hours; LGPD - tempo razoável generally within 2 days; CCPA - without unreasonable delay; PIPEDA - as soon as feasible; Australian Notifiable Data Breaches scheme - within 30 days with assessment);
- The Company communicates the breach to the data subject without undue delay when the breach presents a high risk;
- as processor for customer-organisation data, the Company notifies the Customer within 48 hours of becoming aware, providing the information necessary for the Customer-controller's authority notification.
Internal incident-response procedure: see docs/legal/incident-response-policy.md (under preparation) and docs/06-compliance/concorso-a-premi-playbook.md.
12. Cookies and Similar Technologies
The use of cookies and similar technologies is described in the separate Cookie Policy published at voiceofthenewera.com/cookie-policy.html, compliant with the Italian DPA Order of 10 June 2021 ("Cookie Guidelines"), Article 122 of Italian Legislative Decree 196/2003, and - for data subjects in other jurisdictions - with equivalent laws (ePrivacy Directive 2002/58/EC for EU; PECR 2003 for the United Kingdom; CCPA/CPRA for California - "opt-out of sale/sharing"; LGPD for Brazil).
13. Minors
The minimum age to use the Platform is that provided by the "highest applicable threshold rule" set out in End-User Terms Article 2.2 (end-user-tos.en.md). In summary:
- Italy: age 14 for processing consent; 18 for full contractual capacity;
- EU/EEA: ages 13-16 for digital consent under GDPR Article 8 (default 16);
- United Kingdom: age 13;
- United States: age 13 under COPPA;
- Brazil: age 18 under LGPD/CDC;
- other jurisdictions: applicable local threshold.
Where the Company becomes aware of an account held by a minor in breach of the End-User Terms or COPPA, the account is suspended and the data deleted within 30 days of becoming aware. The Company does not knowingly link its advertising to an audience of minors (no targeted advertising to children).
14. Amendments to the Notice
The Company may amend this notice. Amendments are communicated by email to registered users and by publication of the new version, with at least thirty (30) days' notice before the effective date, save for amendments mandated by law with immediate effect.
15. Contacts
- Privacy (GDPR, UK GDPR, LGPD, CCPA, PIPEDA, FADP requests, etc.): privacy@voiceofthenewera.com
- PEC: available in the Companies' Register
- General legal: legal@voiceofthenewera.com
- Illegal content reports (DSA, UK OSA, NetzDG, Marco Civil): report@voiceofthenewera.com
- Registered office: Vora S.r.l., Viale Certosa 218, 20156 Milan (MI), Italy
Source document in markdown: docs/legal/privacy-policy.en.md (v3.1.0 - 13 May 2026).