Privacy Policy
1. Data Controller
The data controller responsible for your personal data is:
Cathedral s.r.l.s
Via Casino Fondrini 6
25080 Padenghe Sul Garda (BS)
Italy
VAT Number (P.IVA): IT03939260984
Email: privacy@cathedral.technology
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Email address - Required for account creation and communication
- Name - Your first and last name for identification
- Password - Stored in encrypted form for account security
- Display name - Optional public identifier
2.2 Profile Data
- Biography - Optional description you provide
- Avatar image - Optional profile picture
- Organization affiliations - Your membership in organizations
2.3 Idea Challenge Participation Data
- Date of birth - For age verification (16+ requirement)
- Location - City and country for challenge eligibility
- Idea submissions - Content you submit to challenges
- Votes - Your voting activity on ideas
2.4 Proposal Voting Data
- Mobile phone number - For OTP verification (stored as SHA256 hash)
- Vote choices - Your votes on proposals
- Voting power - Calculated based on token holdings
2.5 Technical Data
- IP address - For security and fraud prevention
- User agent - Browser and device information
- Access logs - Timestamps of your interactions
2.6 Payment Data
If you subscribe to Pro features, we process payment data through Stripe. We do not store your credit card details directly - they are processed by Stripe as our payment processor.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Processing votes and idea submissions | Contract performance (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Purposes of Processing
We use your personal data for the following purposes:
- Service provision - To provide the Vora governance platform
- Account management - To create and manage your user account
- Voting verification - To verify your identity and eligibility to vote
- Challenge participation - To process your idea submissions and votes
- Communication - To send service-related notifications
- Security - To protect against fraud and unauthorized access
- Analytics - To understand and improve our services
- Compliance - To meet legal and regulatory requirements
5. Data Retention
We retain your personal data for as long as necessary for the purposes outlined in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Voting records | Permanently (anonymized after account deletion) |
| Idea submissions | Duration of challenge + 2 years |
| Security logs | 2 years |
| Audit logs | 1 year |
| Marketing consent records | Duration of consent + 3 years |
7. International Transfers
Some of our service providers are located outside the European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards are in place:
| Provider | Location | Safeguard |
|---|---|---|
| Stripe | USA | Standard Contractual Clauses (SCCs) |
| AWS | EU (Ireland) | No transfer required |
| Pinata/IPFS | USA | Standard Contractual Clauses (SCCs) |
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You can request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
You can request correction of inaccurate personal data.
Right to Erasure (Art. 17)
You can request deletion of your personal data, subject to legal retention requirements.
Right to Restriction (Art. 18)
You can request restriction of processing in certain circumstances.
Right to Data Portability (Art. 20)
You can receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
You can object to processing based on legitimate interests or direct marketing.
To exercise any of these rights, please visit your account settings or contact us at privacy@cathedral.technology.
8.1 Right to Lodge a Complaint
You have the right to lodge a complaint with the Italian Data Protection Authority:
Garante per la Protezione dei Dati Personali
Website: www.garanteprivacy.it
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption - Data is encrypted in transit (TLS) and at rest
- Password hashing - Passwords are stored using secure hashing algorithms
- Phone number hashing - Mobile numbers are stored as SHA256 hashes
- Access controls - Role-based access with two-factor authentication
- Audit logging - All access is logged for security monitoring
- Regular security assessments - We conduct periodic security reviews
11. Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Privacy Inquiries
Email: privacy@cathedral.technology
Address: Cathedral s.r.l.s, Via Casino Fondrini 6, 25080 Padenghe Sul Garda (BS), Italy