1. Data Controller

The Data Controller is:
Ivan Maria Spadacenta
Via Ricasoli 19, Rome – Italy
Email: ivan@spadacenta.com

The Controller also acts as the Data Protection Officer (DPO).

2. Data We Collect

We only collect the data strictly necessary to operate OurChildSpace:

• name and surname;
• email address;
• hashed passwords (bcrypt/argon2);
• photos and videos uploaded by users;
• profile settings and preferences;
• security logs and technical data (IP, user agent, system logs);
• data generated for security and maintenance.

We use an internal analytics system that processes aggregated statistics in full GDPR compliance, without transferring data to third parties.

3. Purposes of Processing

We use data to:

• provide the service (create Childspaces, upload and share content, manage members);
• ensure platform security and prevent abuse;
• perform technical maintenance;
• produce internal analytics to improve the service.

We never sell or transfer personal data to third parties for advertising purposes.

4. Legal Basis

The processing is based on:

• Art. 6(1)(b) GDPR – contractual necessity;
• Art. 6(1)(c) GDPR – legal obligations;
• Art. 6(1)(f) GDPR – legitimate interest (security and fraud prevention).

5. Data Retention

Data is retained only for as long as necessary to provide the service. When an account is deleted, all data and content are immediately removed.

Backups stored in the EU are protected with at rest encryption.

6. What “at rest encryption” means

At rest encryption protects data while it is stored on servers, databases, or backup systems. Even if storage is accessed without authorization, encrypted data remains unreadable without the proper cryptographic keys.

7. Where Data Is Stored

All data is stored on servers located within the European Union.

The production database and all backups use at rest encryption.

Transactional emails are sent through a GDPR-compliant service.

8. Content Sharing

• Content is visible only to people authorized by the user.
• It is never public nor indexed by search engines.
• OurChildSpace does not perform automatic sharing.

9. Processing of Children’s Data

Parents and Childspace administrators are responsible for providing consent for processing data related to minors.

Children may register only if permitted by their country’s legislation and age requirements.

A combination of automated and manual checks ensures compliance with platform rules.

10. Data Security

We implement technical and organizational measures such as:

• HTTPS secure connections;
• hashed passwords (bcrypt/argon2);
• role-based access control (RBAC);
• database encryption at rest;
• encrypted backups;
• security log monitoring.

11. User Rights

Users may:

• delete uploaded content;
• request account deletion;
• change their email address;
• request the removal of content related to minors.

Data portability is not currently available.

Contact: ivan@spadacenta.com

12. Complaints

Users may file a complaint with the Italian Data Protection Authority or their national supervisory authority.

13. Updates

This policy may be updated for technical or legal reasons. Significant changes will be communicated to users.