Privacy Policy
HEX Event Organizer
Last updated: 28 March 2026
1. Data Controller
The Data Controller of personal data collected through the web application HEX ("HEX" or "the Service"), accessible at https://hex.icemaze.it, is:
Matteo Sasso
Sesto San Giovanni (MI), Italia
Email: matteo.sasso+hex@gmail.com
Pursuant to Regulation (EU) 2016/679 (GDPR), Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Italian Privacy Code) and the Swiss Federal Act on Data Protection (FADP/nDSG), this notice describes how users' personal data are processed.
2. Personal Data Collected
2.1 Data provided directly by the user
When you create an account via Google Login, we collect:
- Full name and email address associated with your Google account.
- Google profile photo (if available, automatically imported on first access).
When you use the Service, you may also provide:
- Companion names: manually entered to add family members or guests to an event.
- Event content: titles, descriptions, links and images related to events and activities you create.
2.2 Data collected automatically
The Service collects usage data in a limited and proportionate manner:
- User identifier (user_id) and feature usage: recorded server-side for Service improvement purposes.
- IP address of each request: recorded server-side to identify and prevent abuse, and to identify and resolve operational issues.
The Service does NOT collect:
- Geolocation data.
- Device identifiers or browser fingerprints.
- Cross-device or cross-site tracking data.
2.3 Data NOT collected
The Service does not use profiling cookies, does not perform advertising tracking and does not collect special categories of personal data (sensitive data) within the meaning of Art. 9 GDPR.
3. Purposes and Legal Bases for Processing
| Purpose | Data processed | Legal basis |
|---|---|---|
| Creation and management of user account | Name, email, profile photo (from Google) | Performance of contract (Art. 6(1)(b) GDPR) |
| Service operation (event creation, participation management, email notifications) | Name, email, companion names, event content | Performance of contract (Art. 6(1)(b) GDPR) |
| Visibility of participants within events | Names of users and companions | Performance of contract (Art. 6(1)(b) GDPR) |
| Usage analysis and Service improvement | user_id, feature usage data | Legitimate interest (Art. 6(1)(f) GDPR) |
| Automated content moderation | Titles, descriptions, images of activities | Legitimate interest (Art. 6(1)(f) GDPR) |
| Security and abuse prevention | user_id, error logs | Legitimate interest (Art. 6(1)(f) GDPR) |
Legitimate interest: where processing is based on the Controller's legitimate interest, this has been balanced against the rights and freedoms of data subjects. You have the right to object to such processing at any time (see Section 8).
4. Data Visibility Among Users
HEX is a collaborative event organising service. For it to function:
- Your name is visible to other participants of the events you join.
- The names of guests you add to an event are public if the event is public, or visible to all participants of that event if the event is private.
- Event and activity content (titles, descriptions, images) is public if the event is public, or visible to all participants of that event if the event is private.
The user undertakes to inform third parties (guests) about the processing of their data on HEX and, where necessary, to obtain their consent before entering their information.
5. Automated Content Moderation
To ensure a safe environment, the Service uses an automated moderation system based on artificial intelligence provided by a third-party provider (OpenAI). Content sent for moderation includes only titles, descriptions and images of activities created by users, and does not contain directly identifying data (such as name or email). Processing takes place on the basis of the Controller's legitimate interest in preventing abuse and the legal obligation to remove illegal content.
6. Sharing of Data with Third Parties
Personal data are not sold, transferred or shared with third parties for marketing purposes. The following service providers process data on behalf of the Controller, as Data Processors:
| Provider | Service | Data processed | Location |
|---|---|---|---|
| Google Ireland Ltd. | Authentication (OAuth) | Name, email, profile photo | EU/EEA |
| Amazon Web Services (AWS) | Email sending (SES) | Recipient email address | EU (Ireland) |
| AlphaVPS (Sofia, Bulgaria) | Server hosting | All Service data | EU (Bulgaria) |
| OpenAI, Inc. | Content moderation | Titles, descriptions, images (no identifying data) | USA * |
* OpenAI processes content under its Data Processing Addendum. Since data sent to OpenAI does not include directly identifying information, the risk to data subjects' rights and freedoms is minimal. Transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
7. Data Transfers Outside the EEA/Switzerland
Personal data are stored on servers located in the European Union (Bulgaria). Data transfers to third countries occur only to OpenAI (USA), limited to non-identifying content, and on the basis of Standard Contractual Clauses approved by the European Commission. For Google and AWS services, data are processed within the European Economic Area.
8. Your Rights
Under the GDPR (Arts. 15-22), the Italian Privacy Code and the Swiss FADP, you have the right to:
- Access: obtain confirmation of processing and a copy of your personal data.
- Rectification: request the correction of inaccurate or incomplete data.
- Erasure ('right to be forgotten'): request the deletion of your personal data. In case of account deletion, your name and companion names will be replaced with generic text to preserve the historical structure of events.
- Restriction: request the restriction of processing in certain cases.
- Portability: receive your data in a structured, commonly used and machine-readable format.
- Objection: object to processing based on legitimate interest, including usage analysis.
- Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal.
To exercise your rights, contact the Controller at: matteo.sasso+hex@gmail.com
The Controller will respond within 30 days of receiving the request, extendable by a further 60 days in case of complexity.
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
- Italy: Garante per la protezione dei dati personali – www.garanteprivacy.it
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) – www.edoeb.admin.ch
10. Minors
The Service is intended for users aged 14 or over (or any different age required by the law of the user's country of residence), in accordance with Art. 2-quinquies of the Italian Privacy Code (Legislative Decree 101/2018). Users under the age of 14 may not create an account.
Minors' names may be entered as companions exclusively by the parent or legal guardian who holds the account. By entering the name of a minor, the parent/guardian confirms that they have the authority to do so and consents to the processing within the scope of the Service.
11. Data Retention
Personal data are retained for the time necessary for the purposes for which they were collected:
- Account data: retained until the user deletes the account.
- Usage data (analytics): retained in aggregate form. You may request their deletion at any time.
- Error logs: retained for a maximum of 90 days, then automatically deleted.
- Audit logs (moderation): retained for a maximum of 12 months for security purposes.
12. Data Security
The Controller adopts appropriate technical and organisational measures to protect personal data, including: encrypted communications via HTTPS/TLS, authenticated access via OAuth 2.0, CSRF protection on endpoints, and encrypted data storage on servers located in the European Union.
13. Changes to This Notice
The Controller reserves the right to update this notice. In the event of substantial changes, users will be notified via an in-app notice. The date of the last update is indicated at the top of this document.
14. Contact
For any questions regarding this notice or the processing of your personal data, you may contact the Controller at: matteo.sasso+hex@gmail.com