Privacy Policy
This Privacy Policy explains how ER Democracy Bologna collects, uses, stores, protects, and shares personal data in connection with account registration, authentication, consultations, assessments, participation, platform administration, and related services.
1. Introduction
ER Democracy Bologna is committed to protecting personal data and processing it lawfully, fairly, and transparently. This Privacy Policy describes what information may be collected through the platform, why it is processed, how long it may be retained, and the rights available to users under applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.
2. Data controller and scope
This policy applies to personal data processed through the ER Democracy Bologna platform in relation to account access, consultation participation, assessment functionality, administrative review, audit logging, and security controls. It applies to both public-facing and authenticated areas of the platform.
3. Categories of data we collect
We may collect and process account information such as full name, email address, user role, account status, email verification status, and the date on which legal terms were accepted during registration.
We may also process authentication and security information such as encrypted password data, refresh tokens, verification tokens, password reset tokens, login timestamps, failed login counts, account lock status, and related security event logs.
Where platform features require it, we may process consultation and participation data such as submitted votes, selected options, weighting inputs, self-assessment scores, and consultation-related activity needed to calculate results and maintain the integrity of the system.
For assessment-based participation, we may process profile and contextual data such as age range, gender, city, region, country, stakeholder role, background category, experience level, and relationship to area where such data is submitted by the user as part of assessment functionality.
We may also process technical and service information, including IP address, browser or device-related information, and request metadata where necessary for security, fraud prevention, audit, and system maintenance purposes.
4. How we use personal data
Personal data is processed to create and manage user accounts, authenticate users securely, verify email addresses, send password reset messages, manage consultations, record participation, compute voting results, apply visibility settings, administer the platform, support auditability, respond to user requests, and protect the platform against misuse, unauthorized access, and fraud.
Data may also be used to generate aggregated analytics and breakdowns related to participation, provided that public-facing displays are configured to avoid exposing personal information more broadly than intended by the platform's visibility controls and administrative permissions.
5. Legal bases for processing
Depending on the specific processing activity, personal data may be processed on one or more of the following legal bases:
Performance of a contract: to create and manage accounts, provide authentication, enable platform access, and operate consultation participation features.
Legitimate interests: to protect the platform, prevent abuse, maintain audit logs, secure accounts, and ensure the reliability and integrity of services.
Legal obligation: where retention, disclosure, or other processing is required by applicable law or lawful authority.
Consent: where consent is specifically requested and relied upon for a distinct activity under applicable law.
6. Authentication, cookies, and security controls
The platform uses security-focused authentication controls, including hashed passwords, token-based authentication, refresh token cookies, account lock controls, input validation, and related security protections. Authentication cookies used to keep users signed in or to secure access are treated as essential platform cookies required for the service to function.
Additional details about cookie use can be found in the platform Cookie Policy.
7. Email communications
Email addresses may be used for registration confirmation, email verification, password reset flows, account security notices, and other essential service communications. These communications are used for operational and security purposes and do not require marketing consent in order to deliver core account and service functions.
8. Consultation and assessment data visibility
Consultation participation and assessment-related data may be used to calculate raw or weighted results, participation summaries, and demographic or contextual breakdowns where such functionality is enabled. Public visibility of results and analytics is controlled by consultation display settings and administrative permissions.
Personal information is not intended to be published directly in public consultation results. Internal administrative access is restricted by authentication, permissions, and role-based access controls.
9. Sharing of personal data
Personal data may be processed by service providers that support the technical operation of the platform, such as hosting, infrastructure, database, and transactional email providers. Such processing is limited to what is necessary for service delivery, security, and maintenance.
We do not sell personal data. Data may also be disclosed where required by law, regulation, legal process, or lawful governmental request.
10. International transfers
Where infrastructure or service providers process data outside the jurisdiction in which it was collected, such transfers should be subject to appropriate safeguards required by applicable law, including contractual or organizational protections where relevant.
11. Data retention
We retain personal data only for as long as necessary to provide the platform, maintain consultation records, support legitimate administrative and audit needs, enforce security controls, resolve disputes, meet legal obligations, and preserve records required for system integrity.
Retention periods may differ depending on the type of data, including account records, consultation submissions, security logs, password reset and verification records, and audit entries.
12. Security measures
The platform applies technical and organizational safeguards to protect personal data, including access controls, password hashing, token-based session handling, request validation, account lock controls, audit logging, and other security-conscious design and operational measures appropriate to the service.
13. Your rights
Subject to applicable law, users may have the right to request access to personal data, correction of inaccurate data, deletion of data, restriction of processing, objection to certain processing, and data portability. Rights may be limited where continued processing is necessary for legal compliance, security, audit, fraud prevention, or the establishment, exercise, or defense of legal claims.
The platform may also provide account-related tools or request flows for access and deletion where implemented.
14. Children's data
The platform is not intended for unlawful or unauthorized use by individuals who are not permitted to use the service under applicable law. Where age-related restrictions apply, users should access the platform only where legally permitted.
15. Updates to this policy
This Privacy Policy may be updated from time to time to reflect legal, technical, or operational changes. The latest version will be published on this page, with the updated wording applying from the time of publication unless a different effective date is stated.
16. Contact
For privacy-related questions, data rights requests, or concerns, please use the platform contact page or the designated administrative contact channel made available by ER Democracy Bologna.
