
Privacy Policy

Version 1.1 — Last updated: 18 April 2026

This policy explains how we process personal data of people who use:

  • the consumer app Ritorna (iOS, and web version at ritorna.app)
  • the merchant app Ritorna Store (iOS, and web version)
  • the website ritorna.io and the platform ritorna.app
  • related services (together, the "Services")

Written pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and the Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Italian Privacy Code).

If you are under 16, or you disagree with what is described here, do not use the Services.


1. Data controller

Michele Rossini — natural person, acting in a professional capacity

Ritorna is not yet incorporated as a company. Mr. Rossini acts as Data Controller in his capacity as a natural person. Once Ritorna is incorporated, this policy will be updated to reflect the new controlling entity, with advance public notice to users.

No Data Protection Officer (DPO) has been appointed: the mandatory designation criteria (art. 37 GDPR) are not met given the scale and nature of processing.

For merchants: joint-controllership arrangements for data about customers who visit your venue are governed separately by the DPA attached to the Merchant Agreement. See also §14.


2. What data we collect

2.1 Data you provide directly

Customers (Ritorna app):

  • Name and surname, email, password (stored hashed)
  • Date of birth (optional; only used if you activate birthday benefits)
  • Phone number (optional)
  • General dietary preferences and allergens (optional; declared as preferences, not health data)
  • Notification and communication preferences

Merchants (Ritorna Store app):

  • Name and surname of the reference person
  • Business email
  • Role (owner, manager, staff)
  • Business details: legal name, address, hours, category
  • Fiscal information for invoicing (where applicable)

2.2 Data generated through use

  • Unique identifier (personal QR code)
  • Scans and stamps: date, time, venue, who scanned
  • Rewards redeemed
  • Favorite venues
  • App usage history

2.3 Technical data collected automatically

  • Device type, operating system, app version
  • IP address (for security and abuse prevention)
  • Anonymized technical logs (crashes, errors, performance)
  • iOS advertising identifiers (IDFA) only if you consent via App Tracking Transparency — we do not currently use them

2.4 Location

Location is used only if you grant iOS permission. It serves to show nearby venues and sort them by distance. We do not store your location on our servers: it is processed in real time on your device to calculate distances.

2.5 Camera

The app uses your device camera only to:

  • Scan the venue's QR code (customer app)
  • Scan the customer's QR code (store app)

No photos or videos are saved. The camera activates only when you open the scanning feature.

2.6 Special categories of data

We do not deliberately collect special categories under art. 9 GDPR (health data, biometric data, origin, political opinions, etc.).

"Dietary preferences and allergens" are treated as personal preferences, not health data. Only you see them; they are shared with a merchant only if you choose to do so (for example, to alert staff of an allergy when ordering). If you prefer, you can leave these fields blank.

2.7 Mapping to Apple Privacy categories

For App Store transparency, the data we process maps to Apple's standard categories as follows:

Apple category | Data | Purpose
Contact Info | name, email, phone | service operation, account
Identifiers | user ID, device ID | service operation, analytics
Usage Data | app interactions | analytics, service improvement
Diagnostics | crashes, performance | bug fixing, stability
Location (coarse) | approximate location | only if you allow, for nearby venues
Purchases | stamps and redemptions history | loyalty program operation

None of this data is used for cross-app tracking under ATT.


3. Why we process data and on what legal basis

For each purpose, the legal basis (art. 6 GDPR):

3.1 Service delivery — basis: contract performance, art. 6(1)(b)

  • Create and manage your account
  • Issue your personal QR code
  • Record stamps and rewards
  • Operate the loyalty programs you join
  • Customer support

3.2 Legal obligations — basis: art. 6(1)(c)

  • Invoicing (for merchants)
  • Data retention required by applicable laws
  • Responding to authority requests

3.3 Service communications — basis: contract performance

Essential technical emails:

  • Registration confirmation
  • Password reset
  • Notifications of stamps earned or rewards available
  • Changes to this policy or the Terms

These communications cannot be turned off without closing your account, because they are essential for the Service to function.

3.4 Marketing communications — basis: consent, art. 6(1)(a)

Only with your explicit consent do we send:

  • Ritorna newsletter: platform news, new venues, features
  • Promotions from participating venues: offers from venues near you or matching your interests, including merchants other than those where you already have stamps

The consent:

  • is requested through separate, un-pre-checked boxes at registration
  • is specific for each category (you can agree to one and refuse the other)
  • can be withdrawn at any time from app settings or the unsubscribe link in every email
  • is recorded in an immutable audit trail (when you consented, which version of the policy, through which channel)

Withdrawal does not affect the lawfulness of processing before withdrawal.

3.5 Aggregated analytics — basis: legitimate interest, art. 6(1)(f)

We use aggregated and pseudonymized data to:

  • understand how the platform is used
  • improve the Services
  • provide merchants with anonymized statistics about their venue (busy hours, returning customer rate, weekly distribution)

Our legitimate interest: improving the Services and delivering value to merchant partners. We have assessed that this interest does not override your rights, because we work with aggregated or pseudonymized data that does not identify you.

You have the right to object to this processing (art. 21 GDPR): write to info@ritorna.io.

3.6 Abuse prevention — basis: legitimate interest, art. 6(1)(f)

We monitor unusual patterns (scans in rapid succession, multiple accounts from the same device) to prevent abuse of the loyalty program.

The system automatically flags suspicious situations. The final decision (block or allow a scan, grant or deny a stamp) remains reviewable: venue staff can manually authorize through a documented override function.

For 24 months we keep a hash index of the identifiers of users who deleted their account, for the sole purpose of preventing the same user from creating multiple accounts to repeatedly claim welcome bonuses. We have carried out an internal legitimate interest assessment balancing fraud prevention against the right to erasure.

If you believe this retention harms your rights, write to info@ritorna.io: we will assess your case and may remove your hash from the index where no concrete risk indicators exist.

3.7 Security — basis: legitimate interest

  • Protect accounts from unauthorized access
  • Investigate security incidents
  • Enforce our internal policies

4. What merchants see

Merchant partners access only limited data necessary to operate their loyalty program.

By default they see:

  • Masked name (e.g., "Marco R***i" instead of "Marco Rossini")
  • Masked email (e.g., "ma****co@example.com")
  • Number of stamps at their venue
  • Visit history at their venue (date, reward redeemed)
  • Role in the loyalty program (new, recurring, premium)

Only with your explicit consent:

  • Full name
  • Date of birth (for birthday greetings or benefits)
  • Dietary preferences or allergens (if you want to alert staff)

They never see:

  • Activity at other participating venues
  • Real-time location
  • Full contact details without consent

Merchants act as joint controllers for data concerning customers at their specific venue, limited to what the merchant dashboard displays. Respective responsibilities are set out in the DPA annexed to the Merchant Agreement. See also §14.


5. Who we share data with

5.1 Data processors

The following providers process data on our behalf, under binding instructions, pursuant to art. 28 GDPR:

Provider | Purpose | Location
Supabase (Supabase Inc.) | Database hosting, authentication, serverless functions, transactional email | Frankfurt, Germany (EU)
Google LLC | Authentication (Google Sign-In), business email (Google Workspace for info@ritorna.io) | EU / USA
Apple Inc. | Authentication (Sign in with Apple), app distribution | USA
Cloudflare Inc. | DNS, DDoS protection, CDN for websites | USA

The list of providers may change. An up-to-date version is available by writing to info@ritorna.io. If we add new providers with substantial data processing, we will notify you at least 30 days in advance.

All providers are bound by Data Processing Agreements and apply security measures compatible with GDPR.

5.2 Other merchants

As described in §4, limited to data of customers who interact with their venue.

5.3 Authorities

Judicial, administrative or police authorities, only where required by law.

5.4 Non-EU transfers

Some providers (Google, Apple, Cloudflare) are based in or transfer data to the USA. These transfers occur under:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • EU-US Data Privacy Framework for certified providers
  • Supplementary technical measures (encryption in transit and at rest)

You can request a copy of the safeguards by writing to info@ritorna.io.


6. How long we keep data

Data type | Retention period
Active account | for as long as the account exists
Inactive account | automatic deletion after 24 months without access
Stamps and redemptions | 24 months from last use
Technical and security logs | 12 months
Consent audit trail | 5 years from withdrawal (proof of original opt-in)
Fiscal data (merchants) | 10 years (civil/fiscal obligation)
Transactional emails sent | 24 months
Deletion blocklist hash index | 24 months from account deletion

Upon account deletion:

  • identifying data (name, email, phone) is anonymized within 30 days
  • aggregated anonymous data may be retained for statistical analysis
  • the hash index in the deletion blocklist is retained for 24 months for the reasons in §3.6

7. Your rights (arts. 15-22 GDPR)

You can exercise the following rights at any time:

7.1 Access (art. 15)

Request confirmation of processing and receive a copy of your data.

7.2 Rectification (art. 16)

Correct inaccurate data. From the app you can directly edit your name, email, phone, preferences.

7.3 Erasure / right to be forgotten (art. 17)

Simplest way: Profile → Settings → Delete Account. Deletion starts immediately.

Alternative: write to info@ritorna.io.

Response within 30 days. Exceptions: fiscal data and security logs we must keep for legal obligations, and the deletion blocklist hash index (see §3.6 and §6) — on which you can still object case by case.

7.4 Restriction (art. 18)

Request "suspension" of processing in specific situations (e.g., you are contesting the accuracy of data).

7.5 Portability (art. 20)

Receive your data in a structured format (JSON), and request direct transfer to another controller.

7.6 Objection (art. 21)

Object to processing based on legitimate interest (aggregated analytics, abuse prevention, security).

7.7 Withdrawal of consent (art. 7)

Withdraw consent to marketing communications:

  • from the app: Settings → Notifications → disable the category
  • from emails: "unsubscribe" link at the bottom of each message

Withdrawal does not affect the lawfulness of processing before withdrawal.

7.8 Complaint to the Garante (art. 77)

If you believe processing violates GDPR, you can file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali):

You may also file a complaint with the data protection authority in your EU country of residence.

7.9 How to exercise your rights

Primary channel: info@ritorna.io, with subject line "GDPR Privacy Request".

Identity verification: we may ask you to confirm your identity (e.g., login from your account, or ID document if the request is made from outside the account) to avoid releasing data to an impostor.

Timing: 30 days from receipt of the request, extendable by up to 60 additional days for complex cases (art. 12(3) GDPR), with reasoned notice.

Free of charge: exercising rights is free. Only for manifestly unfounded or repeated requests may we apply a fee proportionate to costs, as permitted by art. 12(5) GDPR.


8. Minors

The Services are intended for users at least 16 years old.

How we verify age:

  • At registration, you must confirm you are at least 16 years old
  • We rely on your self-declaration
  • If we receive credible information that a user is under 16 (e.g., a parent's notification), we delete the account within 30 days

Parents or guardians: if you believe a minor under 16 in your care has created an account, write to info@ritorna.io including the account email. We will delete the account and all associated data within 30 days.

Why 16 and not 14: Article 2-quinquies of the Italian Privacy Code allows autonomous consent from 14 years old. We chose the higher threshold (16 years old, aligned with the GDPR default) for operational simplicity and to reduce the risk of error in processing adolescents' data. If you are 14-15 and would like to use Ritorna, we would need to implement a verifiable parental consent mechanism — not currently implemented.


9. Data security

We apply technical and organizational measures proportionate to the risks.

Active technical measures

  • Encryption in transit: HTTPS/TLS 1.3 on all communications
  • Encryption at rest: database encrypted (AES-256 via Supabase)
  • Passwords: salted hashes (bcrypt algorithm)
  • Authentication: OAuth providers (Apple, Google) in addition to email/password with mandatory verification
  • Session tokens: signed with asymmetric keys (ES256), with expiration and rotation
  • Daily backups encrypted, stored in the EU
  • Immutable audit log for critical operations (stamps, redemptions, overrides)

Roadmap (not yet active)

  • Multi-factor authentication (2FA) for merchant accounts
  • Periodic penetration testing by external provider

Organizational measures

  • Data access limited to personnel who genuinely need it
  • Data protection training for those who handle personal data
  • Security incident response procedure

Data breaches

In case of a breach posing risk to your rights:

  • we notify the Garante within 72 hours of discovery (art. 33 GDPR)
  • if the risk is high, we also notify you directly (art. 34 GDPR), by email to your account address or in-app notice
  • the notification will describe the nature of the breach, the data involved, the measures taken, and advice on how to protect yourself

10. Automated decision-making

We do not carry out fully automated decisions producing significant legal effects (art. 22 GDPR).

The system flags suspicious patterns (rapid scans, multiple accounts), but the final decision is reviewable:

  • venue staff can manually authorize a blocked scan (documented override)
  • you can contest a decision by writing to info@ritorna.io

Suggestions of nearby venues and redeemable rewards are based on location, favorites, and history. These do not constitute profiling in the strict GDPR sense.


11. Cookies and storage technologies

On the web (ritorna.io and ritorna.app)

We use exclusively strictly necessary technical cookies for:

  • maintaining login session
  • CSRF protection
  • language preference

We do not use:

  • profiling cookies
  • Google Analytics or other third-party analytics tools
  • tracking pixels (Meta, Google Ads, TikTok, etc.)
  • advertising cookies

This policy satisfies the information obligation under art. 122 of the Italian Privacy Code and the Garante's cookie guidelines of 10 June 2021. Because we use only technical cookies, we do not request prior consent.

If we introduce analytics or profiling tools in the future, we will update this policy and implement a consent banner compliant with ePrivacy rules, with accept/reject options at the same hierarchical level.

In the app

The app stores locally on your device (not cookies, but native storage):

  • encrypted session token
  • user preferences
  • content cache for offline use

To delete: uninstall the app or use "Clear data" in system settings.


12. Changes to this policy

We update this document if:

  • the Services change
  • applicable regulations change
  • we improve clarity

For substantive changes:

  • we publish the updated version at ritorna.io/privacy
  • if you have an account, we notify you by email at least 30 days before the effective date
  • an in-app notice appears

The "last updated" date at the top of the page indicates when it was last revised.


13. Contacts

For any privacy question or request:

We will respond within 30 days, as required by art. 12 GDPR.


14. Notes specific to merchants

In addition to the general rules above, the following applies to participating merchants.

14.1 Joint controllership

You are a joint controller with Ritorna for data concerning customers who visit your venue and use the loyalty program. The allocation of responsibilities is set out in the DPA you sign upon merchant enrollment.

14.2 Your GDPR responsibilities as a merchant

  • Inform your customers that, by joining your loyalty program, their data is processed by you and by Ritorna (e.g., through signage at the register or a notice on your website)
  • Handle GDPR requests that come directly from your customers — you can forward them to Ritorna for assistance
  • Do not use customer data for purposes other than the loyalty program without their consent
  • Respect masking rules: do not attempt to derive a customer's full name beyond what the app displays

14.3 Your data as a merchant

As a natural person representing a business, your data (name, email, role) is processed by Ritorna as Controller. All rights in §7 apply.

14.4 Fiscal data

Fiscal data needed for invoicing is retained for 10 years as required by civil/fiscal law.


The Italian version of this policy is available at ritorna.io/privacy. In case of interpretive divergence, the Italian version prevails (as this is the language of the jurisdiction where Ritorna operates).

Document drafted internally. We recommend review by a lawyer specialized in data protection before first publication.