Privacy Policy

Last updated: April 15, 2026

1. Data controller

Vadora is a pre-launch project (Italian-native AI travel planner) run personally by Alberto Nitto (Italy). Vadora S.r.l. will be incorporated after product validation; we will update this policy when that happens.

Contact for any personal data request: alberto.nitto0@gmail.com.

2. Data we process

  • Email address: when you join the waitlist or a user interview.
  • Pseudonymous usage data (pages viewed, device, referrer, site interactions) collected via PostHog in anonymized form. We do not use these to identify individual users.
  • Consent preferences for the cookie banner (choice on non-essential cookies), stored in a technical cookie on your device.
  • Content you send us: emails you send (support requests, waitlist replies, interview sign-ups).

We do not process special-category data (health, orientation, beliefs) and we never read your emails, calendar or third-party accounts.

3. Purpose and legal basis

  • Manage the waitlist and product communications (beta launch invites, updates, post-pivot re-qualification). Legal basis: explicit consent (art. 6.1.a GDPR) given at sign-up.
  • Improve the landing and product through aggregated pseudonymous analytics. Legal basis: legitimate interest (art. 6.1.f GDPR) in site improvement, balanced by data minimization and opt-in for non-essential cookies.
  • Run user research interviews (45 min, €20 Amazon voucher). Legal basis: separate explicit consent (dedicated opt-in on the interview form).
  • Comply with legal obligations (e.g. authority requests, post-SRL accounting). Legal basis: legal obligation (art. 6.1.c GDPR).

We do not perform profiling or automated decision-making producing legal effects on you.

4. Retention

  • Waitlist email: kept while you remain subscribed, plus 30 days after deletion request for operational and security-log reasons.
  • PostHog analytics data: 12 months, then auto-deleted or irreversibly aggregated.
  • Cookie consent: 12 months from your choice, after which the banner reappears.
  • Email correspondence: 24 months for support management and interview documentation, then deleted.

5. Data processors

We rely on vendors who process data on our behalf under a DPA:

  • Supabase — waitlist database hosting, Frankfurt region (EU). GDPR-compliant DPA in place.
  • PostHog — pseudonymous analytics, US Cloud. Extra-EU data transfer under Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Cloudflare — CDN, DNS and site hosting, EU edge prioritized. SCCs for any extra-EU caching.
  • Sentry — technical error monitoring, EU self-hosted or US SaaS with SCCs.

We do not sell, share, or use your data for third-party targeted advertising.

6. Cookies

  • Essential: cookie saving your choice on the banner. No consent required (art. 122 Italian Privacy Code).
  • Analytics (PostHog): loaded only after your explicit opt-in. You can withdraw consent any time via the "Cookie" link in the footer.
  • No third-party advertising or profiling cookies.

7. Your rights

Under articles 15-22 GDPR you have the right to:

  • access your data and receive a copy,
  • rectify inaccurate data,
  • delete data ("right to be forgotten"),
  • restrict processing,
  • object to processing based on legitimate interest,
  • receive data in a portable format (email CSV/JSON),
  • withdraw consent at any time without affecting lawfulness of past processing.

To exercise these rights write to alberto.nitto0@gmail.com. We respond within 30 days. If you believe processing violates the law, you may lodge a complaint with the Italian Data Protection Authority (Garante Privacy).

8. Security

We apply proportionate technical and organizational measures: TLS everywhere, minimum scoped API keys, per-environment isolation, encrypted backups, access revoked on turnover, principle of data minimization.

9. Updates

This policy may change when Vadora moves from personal project to S.r.l., or when we introduce new processing activities. We will notify you by email for material changes to consent-based processing. The current version is always available on this page with the last-updated date at the top.

← Back to homepage