Privacy Policy

The Privacy Policy and Cookie Policy are available in English only. For translations, contact [email protected].

Last updated: June 2026 — drafted in accordance with EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended.

1. Data Controller

The data controller for omniachart.com and app.omniachart.com is Davide Bondavalli, Italy. For any privacy-related request, contact [email protected].

Full legal entity details (registered business name, VAT number, registered address) will be published here upon incorporation, expected during Q3 2026.

2. Categories of personal data processed

3. Legal basis (GDPR art. 6)

| Purpose | Legal basis |
|---|---|
| Provide and maintain the charting service to registered users | art. 6(1)(b) — performance of contract |
| Process subscription payments | art. 6(1)(b) — performance of contract |
| Send transactional/service emails (e.g. password reset, billing receipts) | art. 6(1)(b) — performance of contract |
| Newsletter and purchased-guide delivery | art. 6(1)(a) — explicit consent (collected at signup/purchase) |
| Security logging, fraud prevention, anti-abuse | art. 6(1)(f) — legitimate interest (security of the service) |
| Analytics & performance measurement (Google Analytics 4) | art. 6(1)(a) — consent via cookie banner |
| Compliance with legal obligations (e.g. tax records for purchases) | art. 6(1)(c) — legal obligation |

4. Sub-processors

We rely on the following sub-processors to operate the service. Each is bound by a Data Processing Agreement and processes data only on our instructions.

| Provider | Purpose | Region | Data shared |
|---|---|---|---|
| Cloudflare (Pages, Workers, CDN, KV) | Website, blog hosting, edge cache, request routing | Global edge (EU PoPs prioritised for EU users) | IP, user-agent, request metadata |
| Stripe | Payment processing for subscriptions and guides | USA (with EU-US Data Privacy Framework + SCCs) | Email, billing details, card data (never seen by us) |
| Resend | Transactional email delivery | EU | Email address, message content |
| Anthropic (Claude API) | Server-side blog article generation | USA (Standard Contractual Clauses) | No personal user data — only article prompts |
| Google Analytics 4 | Analytics (only after consent) | EU collection, US transfer under DPF + SCCs | IP (anonymised), event metadata, pseudonymous client ID |
| Telegram | Internal admin notifications about new blog posts | Global | No user data — only operational alerts |
| Iubenda | Cookie banner and consent record | EU | Consent metadata (timestamp, scope) |
| Google Fonts (policy) | Loading of Inter and JetBrains Mono webfonts from fonts.googleapis.com / fonts.gstatic.com | USA (EU-US DPF + SCCs) | IP, user-agent (when the browser requests the font file) |
| jsDelivr (policy) | Open-source CDN serving PokéAPI sprite images in the homepage constellation | Global edge (operated by Prospect One sp. z o.o., EU) | IP, user-agent |
| CoinGecko (policy) | Crypto asset icons (coin-images.coingecko.com) on homepage and blog cards | Singapore / Global edge | IP, user-agent |
| Iconify (policy) | On-demand icon SVGs (api.iconify.design) — Material Design, Noto, Twemoji | Global edge (Cloudflare-backed) | IP, user-agent |
| FlagCDN (policy) | Country flag images (flagcdn.com) used in the language switcher | Global edge | IP, user-agent |
| Clearbit Logo API (policy) | Brand logos for asset tags on homepage (logo.clearbit.com) | USA (SCCs) | IP, user-agent, queried brand domain |
| PokemonTCG.io (policy) | Pokémon card images (images.pokemontcg.io) in homepage and blog content | USA | IP, user-agent |
| YGOProDeck (policy) | Yu-Gi-Oh! card images (images.ygoprodeck.com) in homepage content | USA | IP, user-agent |
| Scryfall (policy) | Magic: The Gathering card data API (api.scryfall.com) | USA | IP, user-agent |
| YouTube / Google (policy) | Product demo video embed (when activated) | USA (EU-US DPF + SCCs) | IP, user-agent, watch interaction; cookies blocked until consent |

For the image and font CDNs above, the only data the provider sees is the standard HTTP request metadata (your IP address and user-agent) that any browser sends when loading a resource. None of these embeds set cross-site tracking cookies in our usage pattern.

We do not sell personal data and do not share it with third parties for marketing purposes.

5. International data transfers

Some sub-processors (Stripe, Anthropic, Google) may transfer data to the United States. Such transfers are protected by either the EU-US Data Privacy Framework (where the provider is self-certified) or Standard Contractual Clauses approved by the European Commission, providing safeguards equivalent to GDPR.

6. Retention

7. Your rights (GDPR art. 15-22)

You have the right to:

To exercise any right, email [email protected]. We respond within 30 days (extendable to 90 in complex cases, with notice).

8. Cookies

OmniaChart uses essential cookies for authentication and session management, plus optional analytics cookies (Google Analytics 4) loaded only after consent via the cookie banner. Full details — including provider, duration, and purpose — are in our Cookie Policy. You can change your preferences at any time via the "Preferenze cookie" link in the footer.

9. Security

We apply technical and organisational measures appropriate to the risk: TLS 1.2+ for all traffic, bcrypt-hashed passwords, restricted access to production systems, regular dependency updates. No method is 100% secure; in the event of a personal data breach affecting your rights, we will notify the supervisory authority within 72 hours and, where required, you directly.

10. Children

OmniaChart is not directed at minors under 16. We do not knowingly collect data from children. If you believe a minor has provided us with personal data, contact [email protected] and we will delete it.

11. Changes to this policy

We may update this policy to reflect changes in our service or in applicable law. The "Last updated" date at the top is authoritative; substantive changes will be notified via email to registered users or via banner on the site.

12. Contact

Privacy questions and rights requests: [email protected]

For complaints, you may also contact the Italian Garante Privacy at garanteprivacy.it.