Etna+

Privacy Policy

Last updated: 2026-03-21

1. Data controller

This notice covers the Etna+ digital service published on etnahq.app and its related mobile applications. The controller is the entity operating the service and responding through the official contact channels shown on this page and in the service's commercial or contractual materials.

The dedicated privacy contact is privacy@etnahq.app. Unless a separate DPO is publicly announced, privacy requests are handled directly by the controller.

2. Scope and data subject categories

This notice covers three main data subject groups:

  • Public website visitors consulting informational pages and contacting Etna+ by email.
  • Consumer app users using local services, news, podcasts, wallet, followed cities, notifications and offline features.
  • Administrative users and backoffice operators, including admin access, audit logs, passkeys and operational tracking services for monitored manifestations.

3. Data processed for the public website

  • Standard technical navigation data transmitted by browsers and web servers, such as IP address, user-agent, timestamps and HTTP requests.
  • Data voluntarily included in messages sent to official contact addresses.

The public website is used to present the service, publish legal documentation and collect contact requests. Main legal bases are pre-contractual steps requested by the user, the controller's legitimate interest in security and technical operation, and compliance with applicable legal obligations.

As of the latest update, the public website does not use profiling cookies, web analytics or other non-essential cookies; this is why no cookie banner is displayed. If non-essential tools are added in the future, a separate cookie policy and consent flow will be introduced before release.

4. Data processed for the consumer app

The Etna+ app mainly processes the following categories of data:

  • Local preferences stored on the device, including followed cities, language, theme, download or offline settings, widget preferences and radio preferences.
  • Local data stored in app databases or storage, such as wallet cards, news bookmarks, podcast subscriptions, episode bookmarks and podcast downloads.
  • Location data if the user enables the relevant permission for nearby services, city selection or contextual experiences.
  • Push notification tokens or permissions used to deliver city or service updates.
  • Mobile diagnostics and analytics data only if the user explicitly enables the dedicated switches in the in-app privacy center.

The app does not currently expose a persistent consumer backend account. For this reason, there is no self-service delete-account flow: the controls made available to users focus on local data deletion, OS permission revocation and consent management.

5. Purposes and legal bases for the consumer app

  • Delivering requested content and features, including news, podcasts, wallet, maps and local services: performance of the requested service.
  • Local storage of preferences, cache, bookmarks, wallet data and offline downloads: performance of the requested service and user choice.
  • Location and push notifications: consent or authorization granted through the operating system, requested only when relevant.
  • Analytics and crash reporting through Firebase Analytics and Firebase Crashlytics: separate explicit consent, proposed as active in the initial consent screen and applied only after confirmation.
  • Security, abuse prevention and technical continuity: legitimate interest of the controller.

6. Device permissions and user controls

The app only requests sensitive permissions in context:

  • Location for geo-aware features and contextual services.
  • Notifications for push alerts related to followed cities or services.
  • Camera for wallet code scanning when the user chooses that feature.

The in-app privacy center links to this notice, lets users contact the controller, enable or revoke analytics and crash reporting, and clear cache, downloads, bookmarks, podcast library data, local wallet data and personalization settings. Device permissions remain revocable at any time through the operating system settings.

7. Data processed for the admin area and operational tracking

For administrative users, operators and tracking clients, the service may process:

  • Administrative email addresses, password hashes, account status, MFA data, OTP secrets, passkeys, global roles and city-scoped roles.
  • Admin sessions with token hashes, expiry, IP address, user-agent and last-used timestamps.
  • Administrative audit logs with email, action, affected resource, technical metadata, IP and user-agent.
  • Operational tracking data for monitored manifestations, including GPS coordinates, accuracy, speed, battery state, heartbeat data and iOS live activity tokens.

These processing activities support authentication, authorization, auditability, editorial operations and monitored-event operations. Relevant legal bases are the performance of the professional or contractual relationship, the controller's legitimate interest in security and operations, and, where applicable, compliance with legal obligations.

8. Data retention

Retention is handled differently for local device data and server-side operational data.

  • Local consumer data such as cache, bookmarks, wallet entries, downloads and preferences remain on the device until cleared by the user, reset by the app or removed through uninstall.
  • Push permissions and notification topics remain active until the user revokes permission, changes settings or reinstalls the app or device.
  • Analytics and crash data, when enabled, follow the retention configuration applied in Firebase services and related operational consoles.
  • Admin sessions have a limited technical validity window, while their related records and audit logs may be retained longer for security and traceability.
  • Operational tracking and live activity data are retained for the time needed to run the monitored service and perform follow-up operational checks, unless longer retention is required for security or audit reasons.

Detailed retention choices are also tracked in the service's internal governance documentation and may evolve with technical or regulatory changes.

9. Recipients, providers and transfers

Data may be processed by authorized staff and technical providers acting as processors or sub-processors where needed to operate the service.

  • Infrastructure, hosting, database, networking and content delivery providers.
  • Google Firebase for push notifications and, only in case of opt-in, for analytics and crash reporting.
  • Email, security, logging and app distribution providers.

Some providers may operate outside the EEA. When this happens, transfers rely on appropriate safeguards such as standard contractual clauses, adequacy decisions or other mechanisms permitted by the GDPR.

10. Data subject rights

Data subjects may exercise, where applicable, the rights of access, rectification, erasure, restriction, objection, portability and complaint to the competent supervisory authority.

Privacy requests can be sent to privacy@etnahq.app. To help processing, requests should ideally mention the platform used, the relevant context and, where applicable, the city or service involved.

11. Automated decisions and policy updates

As of the latest update, the consumer service does not perform solely automated decisions producing legal or similarly significant effects on users. This notice may be updated over time to reflect service, provider or legal changes. Updated versions are published on this page with the latest revision date.