1) Who we are
MegaMuseum Digital Heritage Portal (“MegaMuseum”, “we”, “our”) is an independent educational and research platform providing digital cultural enrichment. The website is operated by BISOGNO POSA BISOGNO, headquartered at Via Don Bosco, 12, 06033 Cannara, Italy. For GDPR purposes, BISOGNO POSA BISOGNO is the Data Controller for the processing described in this Privacy Policy.
2) Scope of this policy
This policy describes personal data processing on this website, including (a) essential storage used to remember your cookie preference, (b) data you submit through the contact form, and (c) standard technical data generated when you access a website (e.g., server logs). It does not apply to third-party sites you may access through links on our pages.
3) Key definitions
- Personal data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on personal data (collection, storage, use, disclosure, etc.).
- Controller: the entity determining purposes and means of processing (here: BISOGNO POSA BISOGNO).
- Processor: an entity processing personal data on behalf of the controller (e.g., a hosting provider, where applicable).
4) What data we collect
4.1) Cookie preference (local storage)
The website uses an on-page consent banner to store your cookie preference decision in your browser’s local storage.
This preference is stored using a key similar to mm_cookie_consent_v1 and can take values such as “essential” or “all”.
This storage is used so we do not repeatedly show the consent banner after you make a choice.
Local storage data is kept on your device. It is not inherently transmitted to us, but the website’s JavaScript reads it to determine whether to display the banner. You can clear local storage through your browser settings.
4.2) Contact form data
If you submit the contact form, you may provide: name, email address, topic, message content, and confirmation that you have read the Privacy Policy. The form includes client-side validation. Depending on how the site is deployed, form submissions may be handled via email or a server endpoint configured by the operator. The purpose of this processing is to respond to your inquiry, handle correction requests, or address privacy-related rights requests.
We recommend that you avoid sending sensitive categories of data in free text unless strictly necessary. If you choose to send such data, you do so voluntarily and at your own discretion; we will handle it with appropriate care and minimization.
4.3) Technical access data (logs)
Like most websites, the hosting infrastructure may process technical data such as IP address, device/browser information, pages requested, date/time, and error logs. This data is used to maintain security, prevent abuse, and ensure reliable delivery of content. The exact log fields depend on the hosting provider configuration.
5) Purposes and legal bases (GDPR Article 6)
We process personal data only for defined purposes and on a lawful basis:
- Consent (Art. 6(1)(a)): where applicable to optional storage preferences and future non-essential features.
- Legitimate interests (Art. 6(1)(f)): to ensure website security, prevent abuse, and maintain service reliability (balanced against your rights).
- Contract/pre-contract steps (Art. 6(1)(b)): where communication is necessary to respond to a request you initiate.
- Legal obligation (Art. 6(1)(c)): where we must comply with applicable laws (e.g., handling lawful requests).
Where we rely on legitimate interests, we assess necessity and proportionality, and we limit data use to what is required for security and operations.
6) Cookies, local storage, and similar technologies
The site uses a glassmorphism consent banner to manage your cookie preference. The current implementation focuses on essential preference storage. We do not embed third-party tracking scripts as a technical requirement of this site’s baseline function. If optional tools are added in the future, they should be documented here and made subject to appropriate consent logic.
How to manage your preferences: you can re-open or reset preferences by clearing local storage for this site in your browser. You can also block or restrict storage through browser privacy settings; note that doing so may cause the banner to reappear.
7) Sharing and disclosure
We do not sell personal data. We may share personal data only as necessary for the purposes described:
- Hosting and infrastructure providers: to deliver website content and operate the service.
- Security and abuse prevention: where required to protect the website and users.
- Legal requirements: where disclosure is required by law or valid legal process.
Where processors are used, they are expected to process data under appropriate contractual terms.
8) International transfers
Depending on hosting and third-party content delivery, personal data (especially technical access data) may be processed in countries outside the European Economic Area. When international transfers occur, we aim to rely on appropriate safeguards such as adequacy decisions or standard contractual clauses, where required.
9) Data retention
We retain personal data only as long as necessary for the stated purposes:
- Cookie preference: stored on your device until you clear it or it is overwritten by a new choice.
- Contact messages: retained for the period necessary to respond and maintain an audit trail for corrections or legal compliance, then deleted or anonymized where appropriate.
- Technical logs: retained for security and operational periods determined by hosting configuration and best practices, then rotated/deleted.
10) Your rights (GDPR)
Subject to the conditions and exceptions in GDPR, you may have the following rights:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21) where processing is based on legitimate interests
- Right to withdraw consent (where consent is the basis), without affecting lawfulness before withdrawal
To exercise rights, contact the controller using the Contact page. Include sufficient information to allow us to identify your request and respond securely.
11) Children’s privacy
The Platform is intended for general audiences interested in cultural learning. We do not knowingly solicit personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps to address the situation.
12) Security measures
We implement reasonable technical and organizational measures to protect personal data, including minimization, access controls, and operational monitoring. No method of transmission or storage is completely secure, but we aim to reduce risk and respond appropriately to incidents.
13) Images and media
This site is designed to work offline by using locally bundled visual assets. If the site is deployed with optional external media in the future, this policy should be updated to reflect the source and any resulting third-party requests.
14) Changes to this policy
We may update this Privacy Policy to reflect operational changes, legal requirements, or improved clarity. The “Last updated” date below indicates the current version. Significant changes should be communicated in a transparent manner on the site.
15) Contact the controller
Data Controller: BISOGNO POSA BISOGNO
Address: Via Don Bosco, 12, 06033 Cannara, Italy
Use the Contact page for privacy requests and inquiries.
Last updated: 2026-04-13