Privacy notice for the official mobile app

Privacy Policy - Time in Jazz App

This notice describes the processing of personal data carried out through the official Time in Jazz mobile app and related digital services, including authentication, push notifications, personalised features and supporting infrastructure services.

Policy version

2026.4

Effective date

10 April 2026

Last updated

10 April 2026

Final canonical URL

https://time-in-jazz-85b829795596.herokuapp.com/en/privacy-app

1. Data Controller

The Data Controller is Associazione culturale Time in Jazz, Via Umberto I, 37 - 07022 Berchidda (SS), Italy, Tax Code 90004730900, VAT 01812780904.

Privacy requests can be sent to segreteria@timeinjazz.it.

2. Categories of personal data

minimum account data, such as name and email address;
authentication and session data;
saved items, favourites, reviews and post-event feedback voluntarily submitted by the user;
pseudonymous app-usage data, such as opened screens and key feature interactions, used for aggregate statistics;
notification preferences, FCM/APNs delivery tokens, app-generated device identifiers and the minimum metadata required to link a device to push delivery, if enabled;
technical identity data provided by Google and Apple sign-in, when enabled;
technical data strictly required to render integrated maps and to handle cartographic requests sent to Google Maps Platform when that feature is active;
technical logs required for security, service continuity and abuse prevention.

3. Purposes and legal bases

app delivery, authentication, favourite saving, review/feedback collection and profile management: performance of requested services and pre-contractual measures;
operational or editorial push notifications requested by the user: user consent where required and device settings;
marketing emails: separate, optional and revocable consent;
displaying integrated venue maps and supporting logistics and navigation within the festival experience: performance of the requested service;
aggregate or pseudonymised usage statistics, aimed at improving the service, understanding the most used sections and evaluating interest in features such as favourites and reviews: legitimate interest of the Controller, with data minimisation measures and without individual commercial profiling;
security, technical management, abuse prevention and service protection: legitimate interest of the Controller.

Marketing consent is optional and separate from acceptance of this Privacy Policy.

4. Access and third-party services

The final version of the app may integrate third-party services needed for delivery and functionality. Depending on the actual setup, the project may use:

Heroku or equivalent platforms for backend hosting and app services;
PostgreSQL for app and user-profile databases;
Firebase Cloud Messaging, including mobile push delivery services and related technical tokens;
Apple Push Notification service (APNs) for notification delivery on iOS devices;
Google Sign-In and Sign in with Apple for third-party authentication;
Google Maps Platform for integrated venue maps, cartographic display and related technical requests;
AWS S3 or equivalent services for media, files and storage;
Apple App Store and Google Play for distribution, updates and ecosystem services.

5. Push notifications

Push notifications are only sent if enabled by the user. Related processing may include device tokens, notification preferences and the minimum technical data needed to deliver messages through providers such as Firebase Cloud Messaging and APNs.

6. Google and Apple sign-in

When available, Google and Apple sign-in may provide identification and contact data required to create or complete a user profile, in accordance with the choices made by the user with that provider.

7. Recipients and processors

Personal data may be processed by technical suppliers acting on behalf of the Controller as processors, or in certain cases as independent controllers in relation to their own ecosystem services. These parties may include cloud, database, notification, authentication, storage and distribution providers, depending on the final configuration.

8. International transfers

Some technology providers may involve data processing or access outside the European Economic Area. Where applicable, the Controller adopts or relies on the safeguards required by law, including adequacy decisions, standard contractual clauses or equivalent mechanisms made available by the providers involved.

9. Retention

account data: for the duration of the user relationship and the following technical period required by law or service protection needs;
session and security data: for periods proportionate to security, diagnostics and service continuity;
saved items, reviews and preferences: until account deletion or user request, unless longer retention is required by law;
pseudonymous analytics events and aggregate usage data: for the period strictly necessary for technical and organisational analysis of the project, unless anonymised further or deleted earlier;
evidence of privacy acceptance and marketing consent: for as long as necessary to document the relevant choice.

10. Data subject rights

Users may exercise the rights provided by Articles 15 and following of the GDPR, including access, rectification, deletion, restriction, objection, portability and consent withdrawal, where applicable.

Requests may be sent to segreteria@timeinjazz.it. Users may also lodge a complaint with the competent supervisory authority.

11. Policy updates

This notice may be updated over time to reflect legal, organisational or technical changes affecting the app. Where relevant, the Controller may require users to review and accept an updated privacy version in order to continue using account-based features.