
Privacy Policy

Last updated: November 13, 2025
Version: 2.0
Applies to: miutifin.com & /esco

1. Summary in plain language

Before the formal version: this is what actually happens.

  • If you join the waitlist, we keep your email so we can approve you and write to you when there's a spot.
  • If you write us through the contact form, we keep your name, email and message so we can reply.
  • If you become a member, we keep your account details, your taste preferences, and the things you save — to write personalized journeys for you.
  • We use a small number of trusted services (Supabase for hosting, Plausible for analytics). We do not sell your data, run ads, or share it with marketers.
  • You can ask us to see or delete your data anytime. We answer within 30 days.

The rest of this page is the legal version of the above.

2. Data controller

The data controller of your personal data is Miutifin, the entity operating miutifin.com and its sub-services, including ESCO (miutifin.com/esco).

For any privacy-related question or request, contact miutifin.ask@gmail.com.

3. Data we collect

We collect different categories of data depending on how you interact with us. We never collect more than what we need for a specific purpose.

3.1 If you contact the agency

When you submit the contact form on miutifin.com:

  • Your name (required)
  • Your email address (required)
  • Your company (optional)
  • The message you send us
  • The date of your submission

3.2 If you join the ESCO waitlist

  • Your email address (required)
  • Your full name and phone, if you provide them (optional)
  • The source of your sign-up (which page or campaign)
  • The date of your application

3.3 If you subscribe to the newsletter

  • Your email address
  • Optionally, your phone number

3.4 If you become an ESCO member

When you complete registration after invitation, we collect:

  • Authentication data: email, password (stored as hashed, never in plain text), session tokens
  • Profile: username, nickname, avatar (optional), short bio (optional), city, birthday (optional)
  • Taste preferences: preferred categories, music interests, price tier, day/night preference, dress code
  • Activity: places you save, events you attend, ratings you give, journeys you compose

Your preferences and activity are what allow ESCO to write personalized journeys. We need this data for the service to work.

3.5 Technical data (everyone)

  • Device & browser: type, version, language
  • IP address: kept temporarily for security purposes (rate limiting, fraud prevention)
  • Anonymous usage analytics: aggregated page views and interactions, with no personal identifiers (via Plausible — see §11)

3.6 Aggregate statistics

The landing pages display real numbers — total members, active cities, new sign-ups this week. These are aggregate counts from our database; no individual user is identifiable from them.

4. Why we use your data

We process data for these specific purposes:

Operating the service

Provide the platform, manage your account, write journeys, save your preferences, allow you to invite others.

Responding to you

Reply to contact form submissions, manage waitlist approvals, send invitation codes.

Improving the product

Understand aggregate usage to improve features. No individual tracking.

Security

Detect abuse, prevent fraud, protect the network. IP addresses and rate-limit metadata are used here.

Legal compliance

Comply with applicable laws and respond to lawful requests by competent authorities.

6. Sharing & processors

We do not sell personal data. We do not share it with advertisers or marketing networks. Personal data is only shared with the trusted infrastructure providers we use to operate the platform:

Supabase (database, authentication, storage)

Stores all account, profile, preferences, and content data. Hosted in EU (Frankfurt) region.

Supabase privacy policy ↗

Vercel (web hosting)

Hosts the website. Receives technical request data (IP, headers) for delivery and security purposes only.

Vercel privacy policy ↗

Plausible (privacy-friendly analytics)

Aggregate usage statistics. No cookies, no cross-site tracking, no personal data collected. GDPR/CCPA compliant by design.

Plausible data policy ↗

Anthropic / OpenAI (AI composition)

Used to compose personalized journeys for ESCO members. Only the preference signals needed for a single composition are sent — no profile data, no identifiers. Inputs are not used by the providers to train their models.

All processors are bound by Data Processing Agreements (DPA) under GDPR Art. 28.

7. International data transfers

Our primary data infrastructure is located in the European Union. Some processors (notably AI providers) may operate outside the EU. In such cases, transfers are protected by:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • Adequacy decisions where applicable (e.g. EU–US Data Privacy Framework)
  • Additional technical safeguards (encryption, minimization, no training on inputs)

8. How long we keep your data

We keep data only for as long as it is needed:

  Data                                  Retention
  Contact form messages                 24 months after last contact
  Waitlist entries (not approved)       18 months, then deleted
  Active member accounts                For the lifetime of your account + 30 days after deletion
  Newsletter subscribers                Until you unsubscribe
  IP addresses (security logs)          90 days
  Aggregate analytics                   Indefinitely (no personal data)

When you ask us to delete your data, we do so within 30 days, except where law requires us to keep specific records longer (e.g. tax invoices).

9. Security

We protect personal data with technical and organizational measures appropriate to the risk:

  • Encryption in transit (TLS 1.2+) and at rest
  • Passwords stored as bcrypt hashes, never in plain text
  • Row-level security on every database table — only the data owner can access their own records
  • Leaked-password protection: new passwords are checked against the HaveIBeenPwned database of breached credentials and rejected if they appear there
  • Strict access controls for our team — only those who need access have it
  • Regular security reviews and dependency updates

No system is 100% secure. If we ever detect a breach affecting your data, we will notify you and the competent supervisory authority within 72 hours, as required by GDPR Art. 33–34.

10. Your rights

Under GDPR and applicable law, you have the following rights:

  • Access — get a copy of the data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — ask us to delete your data
  • Restriction — limit how we process it
  • Portability — receive your data in a portable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting prior lawful processing
  • Complaint — file a complaint with your national data protection authority (in Italy: Garante per la Protezione dei Dati Personali)

To exercise any of these rights, email miutifin.ask@gmail.com. We respond within 30 days. There is no charge unless the request is manifestly unfounded or excessive.

11. Cookies & analytics

We use the minimum number of cookies necessary to operate the platform:

  • Authentication: to keep you signed in (Supabase session cookies)
  • Locale: to remember your language preference (it / en)
  • CSRF protection: security tokens for form submissions

We do not use advertising cookies, retargeting cookies, or third-party tracking cookies. Our analytics provider (Plausible) is cookieless by design.

For the full cookie list, see our Cookie Policy.

12. Children

Our platform is not intended for individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it immediately.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active members by email at least 14 days in advance. The "Last updated" date and version number at the top of this page indicate the latest revision.

14. Contact

Privacy contact

For any privacy-related question or request:

miutifin.ask@gmail.com

We aim to respond within 24 hours, and always within the 30 days required by GDPR.

This Privacy Policy is provided in English for international clarity. If you need a translation in Italian or another language, please contact us.