ITEN
Privacy Terms Cookie

PRIVACY POLICY

> This is a courtesy English translation of the Italian original. In case of any discrepancy or conflict, the Italian version prevails.

Version in force from 11 July 2026

This Policy is provided pursuant to art. 13 of Regolamento (UE) 2016/679 (the "GDPR") and of D.lgs. 196/2003 as amended by D.lgs. 101/2018 (the "Codice Privacy" / Italian Privacy Code). It describes how the personal data of Users of the Splax Platform (mobile app and web version splax.io, as well as the showcase website splax.app) are collected and processed.

1. DATA CONTROLLER AND CONTACTS

2. DATA PROTECTION OFFICER (DPO)

The Owner has not appointed a Data Protection Officer, as the mandatory conditions set out in art. 37 GDPR do not currently apply. Communications concerning data protection and the exercise of rights must be addressed directly to the Owner at support@splax.app.

The Owner reserves the right to appoint a DPO where necessary as the service evolves; any such appointment will be communicated by updating this Policy.

3. CATEGORIES OF PERSONAL DATA PROCESSED

Depending on the functionalities used, Splax processes the following categories of data:

Identification and personal details

Contact

Authentication

Payment and billing

Identity verification (KYC)

Collected for mandatory anti-money-laundering checks when the User sets up the collection of payments (Shop, Arena, Organization, Sellers, event organizers): - Front/back image of the identity document (identity card, driving licence, passport) - Selfie / facial image for biometric comparison - Verification results

Such data are processed by Stripe, in its capacity as an independent data controller pursuant to its own agreements, and are not accessible to the Owner in original format: the Owner receives only the outcome of the verification and the necessary structured data (e.g. name, date of birth, expiry date).

Use of the service

Device and diagnostics

Minors "affiliated through a team"

As described in the Terms (Sections 5.3 and 20.3), minors cannot create an Account. However, the Platform may process the personal details of underage athletes entered by the team they belong to for the purposes of FIGT affiliation and insurance: - Name, surname, date of birth of the minor - Membership/card number - Legal guardian's data (name, surname, tax code, contacts) - Any internal organizational flags

The guardian's consent is collected by the team (paper form external to the Platform) and the team is responsible for it. The Owner acts as a processor pursuant to art. 28 GDPR on behalf of the team, in relation to such data, under the terms of a framework agreement applicable to all registered teams.

Special and judicial data (art. 9 GDPR)

The Owner does not intentionally request the processing of data belonging to special categories (health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, sex life or sexual orientation).

The Stripe Identity procedure entails the acquisition of a facial image for comparison purposes: such processing is not considered "biometric data" pursuant to art. 9 GDPR insofar as it is used only to verify the declared identity and not for subsequent biometric identification. Should the User not wish to provide such data, they may waive the features that require them (e.g. receiving payments as a Seller/organizer).

The Owner does not collect judicial data. In the event of reports to the Authorities (Section 9 of the Terms), the Owner may transmit published content and identification data within the limits of the law, without this constituting a systematic processing of judicial data.

Advertising interaction data

4. PURPOSES OF PROCESSING AND LEGAL BASES

The Owner processes Users' personal data solely for specified, explicit and legitimate purposes, identifying for each processing operation a legal basis pursuant to art. 6 GDPR. In particular, the processing may be based, depending on the case, on the performance of the contract or of pre-contractual measures requested by the User, on the fulfilment of legal obligations, on the data subject's consent, or on the legitimate interest of the Owner or of third parties, subject to balancing against the fundamental rights and freedoms of the data subjects.

The creation and management of the Account, as well as the provision of the functionalities requested by the User — including content, marketplace, events, bookings, chats, forum and team management — entail the processing of identification, contact, authentication and service-use data. Such processing is necessary to enable access to the Platform and the performance of the services requested by the User and is based on art. 6(1)(b) GDPR.

Data relating to payments, billing, transactional identifiers and, where applicable, payout details are processed to manage payments, escrow, transactions, refunds, receipts, invoices and tax obligations. The processing is necessary both for the performance of the contractual relationship with the User and to comply with legal obligations in tax, accounting, anti-money-laundering and anti-fraud matters, pursuant to art. 6(1)(b) and (c) GDPR.

For Users who intend to sell goods, receive payments, manage arenas, organize events or otherwise use functions involving collections, data necessary for identity verification and KYC procedures via Stripe Identity may be processed, such as personal details, identity document, facial image for comparison and verification result. Such processing is based on the performance of the contract, insofar as the verification is necessary to enable the relevant functions, as well as on the fulfilment of applicable legal obligations concerning identification, fraud prevention, anti-money-laundering and payment management, pursuant to art. 6(1)(b) and (c) GDPR.

Push notifications relating to the operation of the service, such as updates on orders, chat messages, events, bookings and operational communications, require the processing of the notification token and information relating to the notified event. Such notifications are sent only where the User has given the relevant consent through the operating system or application permissions, consent that is always revocable from the device or app settings, pursuant to art. 6(1)(a) GDPR.

The User's e-mail address is processed for sending transactional and service communications, such as registration confirmation, password reset, receipts, order updates and communications strictly connected with the use of the Platform. Such processing is necessary for the performance of the contract pursuant to art. 6(1)(b) GDPR. By contrast, the sending of newsletters and the Owner's promotional communications takes place only upon the User's specific, free and revocable consent, pursuant to art. 6(1)(a) GDPR.

The Owner processes service-use data, IP addresses, logs, diagnostic data, payment information and other relevant technical elements to prevent fraud, abuse, unauthorized access, service manipulation, breaches of the Terms and unlawful or harmful conduct towards the Platform and Users. Such processing is based on the Owner's legitimate interest in the security, integrity and reliability of the service and in the protection of Users, pursuant to art. 6(1)(f) GDPR, without prejudice to the balancing against the rights and freedoms of the data subjects.

User-generated content, reports, logs and related information may be processed for moderation purposes, management of reports, countering unlawful content or content contrary to the Terms, and fulfilment of the obligations set out in the Digital Services Act and applicable legislation. The legal basis consists, depending on the case, of the fulfilment of legal obligations and of the Owner's legitimate interest in maintaining a secure and compliant digital environment, pursuant to art. 6(1)(c) and (f) GDPR.

Usage data may also be processed, including in pseudonymized or aggregated form, to produce internal non-individual statistics, monitor the operation of the Platform, understand the use of functionalities, improve the service and resolve technical malfunctions, including crash and diagnostic data transmitted via Crashlytics. Such processing is based on the Owner's legitimate interest in the maintenance, security, evolution and improvement of the Platform, pursuant to art. 6(1)(f) GDPR.

When the User enables location-based functionalities, such as maps, events, places or arena search, GPS coordinates or location data may be processed. The processing takes place exclusively within the limits of the permissions granted by the User through the operating system or the application and is based on the data subject's consent, revocable at any time, pursuant to art. 6(1)(a) GDPR.

The Owner may process all relevant categories of data, within the limits of necessity and proportionality, to comply with legal obligations, retain mandatory documentation, respond to requests from the Authorities, cooperate with competent public authorities, prevent or ascertain unlawful acts and protect its rights in out-of-court or judicial proceedings. Such processing is based on art. 6(1)(c) GDPR, where required by law, and on art. 6(1)(f) GDPR, where necessary for the establishment, exercise or defence of a right.

For functionalities relating to FIGT membership, affiliations and sports insurance coverage, the Owner may process personal details, contact, payment data and documents necessary for membership, affiliation, team management and transmission to the competent bodies. The processing is necessary for the performance of the services requested, for the fulfilment of legal or regulatory obligations in the sports field and, where relevant, for the legitimate interest in the proper management of the relationship with teams, associations and the federation, pursuant to art. 6(1)(b), (c) and (f) GDPR.

The data of minors "affiliated through a team", who are not enabled to create an Account independently, may be processed exclusively within the limits necessary for the affiliation, membership, insurance coverage and administrative management of the team or association. In this context, Splax operates within the limits of the role described in this Policy and in the applicable agreements with the team, while the collection of the guardian's consent or authorization remains the responsibility of the team as indicated in Section 3. The legal basis is identified in the performance of the contractual or associative relationship managed by the team or federation with the guardian and in any related legal or regulatory obligations.

In relation to the DAC7 legislation, the Owner processes the identification, tax, residence, banking and transactional data of Reporting Sellers, including quarterly consideration, number of transactions and fees, in order to carry out the required verifications, prepare the annual reporting and transmit the data to the Italian Revenue Agency (Agenzia delle Entrate) within the legal deadlines. Such processing is necessary to comply with a legal obligation to which the Owner is subject pursuant to D.lgs. 32/2023 and is based on art. 6(1)(c) GDPR; the User cannot object to the reporting where the regulatory conditions are met.

The Platform may display third-party advertisements via Google AdMob on the mobile app and Google AdSense on the web, including through native ads in the marketplace and forum lists and optional "rewarded" advertising videos that the User may choose to view to obtain BB Points. For contextual ads and for the economic support of the free service, the processing is based on the Owner's legitimate interest in the operation and sustainability of the Platform, pursuant to art. 6(1)(f) GDPR. For personalized ads, advertising identifiers, profiling cookies and non-technical tracking, the processing takes place only upon the User's consent, collected through the ATT prompt on iOS, the relevant permissions on Android or a banner/CMP on the web, pursuant to art. 6(1)(a) GDPR.

The verification of the User's declared country of residence is carried out to allow or deny access to the Marketplace functionalities, reserved solely for residents in Italy on account of the national legislation applicable to the sale, holding and shipment of airsoft replicas, paintball markers and accessories subject to special regulation. Such processing is necessary for the performance of the contract and for the fulfilment of legal or regulatory obligations, pursuant to art. 6(1)(b) and (c) GDPR.

Finally, the data relating to the BB Points loyalty program, such as balance, transaction history, accrual or spending actions, daily limits, generation and use of QR codes or alternative codes at affiliated businesses, are processed to enable the provision and management of the program itself. Such processing is necessary for the performance of the service requested by the User and is based on art. 6(1)(b) GDPR; the anti-fraud or anti-abuse counts connected with the program may also be based on the Owner's legitimate interest in preventing improper use of the Platform, pursuant to art. 6(1)(f) GDPR.

No personal data is processed for purposes other than those indicated above, unless the Owner informs the User in advance and identifies a suitable legal basis. Where a new purpose requires the data subject's consent, the processing will be initiated only after obtaining such consent, which may be revoked at any time.

With reference to the data processed for DAC7 purposes, the reporting to the Italian Revenue Agency (Agenzia delle Entrate) and any subsequent exchange with the tax authorities of other Member States of the European Union take place exclusively in the cases and within the limits provided by the applicable legislation. Such data are retained for the period indicated in Section 11 and the Seller cannot object to the relevant reporting when it constitutes the fulfilment of a legal obligation.

5. DATA OF MINORS

The Platform is reserved for Users of legal age. During registration the date of birth is requested and, should an age below 18 result, the creation of the Account is prevented.

Should the Owner ascertain that an Account has been created by a minor in breach of this Policy and of the Terms, it will suspend or delete it and proceed to delete the relevant personal data, save for what must be retained by legal obligation or for the protection of its rights.

The processing of the data of minors "affiliated through a team" remains in force, limited to the purposes of affiliation, membership, insurance coverage and administrative management indicated in Section 3. The legal guardian may request rectification or deletion of the data through the team they belong to or directly from the Owner.

6. METHODS OF COLLECTION

The data are collected:

7. CATEGORIES OF RECIPIENTS

The data may be communicated to:

8. LIST OF PROVIDERS AND SUB-PROCESSORS

The Owner makes use of providers and sub-processors that provide services of technological infrastructure, payment, shipment, advertising, translation, geocoding/maps, sports affiliation and insurance coverage. The list is kept up to date and may evolve over time; any significant changes will be communicated by updating this Policy and, where appropriate, by notice via email or in-app.

The main providers include:

providers of hosting, database, authentication and file storage (EU);

providers of payment services and in-app purchase management (EU/USA);

providers of shipment and tracking services (EU);

providers of online advertising services and campaign measurement (EU/USA);

providers of machine translation, geocoding and maps services (EU/USA/UK);

For each of these entities, depending on the case, personal details, contact data, payment data, shipment-related data, technical and app/site-usage identifiers are processed, within the limits necessary for the provision of the services.

8-bis Always up-to-date list of sub-processors

The list of sub-processors is kept up to date by the Owner and corresponds to the providers indicated in this Section 8. Any significant changes (addition or replacement of a sub-processor) will be communicated by updating the Policy and, where the impact on the User is significant, by notice via email or in-app notice.

8-ter Communication to tax authorities (DAC7)

As indicated in purpose 15 of Section 4, the Owner transmits annually to the Italian Revenue Agency (Agenzia delle Entrate) the data of Reporting Sellers. The Agency may, in turn, transmit such data to the competent tax authorities of other EU Member States, in the cases provided by Direttiva (UE) 2021/514. The transmission takes place in fulfilment of a legal obligation and does not require the consent of the data subjects.

9. TRANSFERS OF DATA OUTSIDE THE EU

Some providers (in particular Stripe, RevenueCat, Mapbox and companies of the Google/Apple group) may also process data outside the European Union, predominantly in the United States. In such cases, the Owner ensures, within the limits of its contractual availability, the adoption of adequate safeguards pursuant to arts. 44 et seq. GDPR, specifically:

The User may request from the Owner a copy or evidence of the safeguards adopted by writing to support@splax.app

10. PROFILING, AUTOMATED DECISIONS AND AUTOMATED MODERATION

The Owner does not directly carry out advertising profiling activities nor sell data to third parties. Any suggestions of content internal to the Platform (listings, events, "nearby" arenas) are based on technical criteria (declared location, category, expressed preferences) and do not constitute profiling within the meaning of art. 22 GDPR.

However, the Platform displays third-party advertisements via Google AdMob (mobile app) and Google AdSense (web). Such services, in their capacity as independent data controllers, may use advertising identifiers and cookies to personalize ads. The User can limit/deactivate personalization:

In the event of lack of consent/limitation, ads will continue to be displayed but in "contextual" (non-personalized) mode, generating lower revenue for the Owner but with less data collection. See Section 17 for details.

Some technical processes operate in an automated manner without immediate human intervention, including:

The User has the right to contest the outcome of such automated processes, obtain human review and assert their own point of view, by writing to support@splax.app.

11. DATA RETENTION

The data are retained for the time strictly necessary for the purposes and in any event:

CategoryRetention period
Active profile data (Account)For the entire duration of the Account, save for a deletion request
Data of an Account deleted by the UserComplete deletion within 30 (thirty) days of the request (grace period for reconsideration), save for legal retention obligations
Access and security logsUp to 12 (twelve) months
Payment data and tax documents (invoices, receipts, collections)10 years pursuant to art. 2220 of the Italian Civil Code and Italian tax legislation
Data collected for DAC7 purposes (Seller identifiers, quarterly consideration, fees)10 years from the end of the reference year (art. 6 D.lgs. 32/2023)
Identity verification documents (Stripe Identity)Processed by Stripe according to the timeframes established by Stripe itself in fulfilment of KYC/AML obligations (typically 5–10 years)
1-to-1 and team chat messagesFor the entire duration of the Account; the sender and recipient may delete them individually within the technical limits of the Platform
Marketplace listingsUntil closure/removal; the associated orders remain in the history
Marketplace orders and disputes10 years from conclusion (tax obligations and legal defence)
Data relating to events, arena bookings, FIGT affiliationsFor the duration of the service + 10 years for tax documents
Data of minors "affiliated through a team"Until deletion requested by the team/guardian, or expiry of the affiliation + archiving period required by FIGT
CookiesSee the Cookie Policy
Reports and related documentation (DSA)At least 6 months from resolution, up to 5 years for reports of unlawful acts

At the end of the retention periods, the data are deleted or anonymized.

12. DATA SUBJECT RIGHTS

The User may exercise, at any time, the rights recognized by arts. 15–22 of Regolamento (UE) 2016/679, including in particular:

The User also has the right to revoke at any time any consent given, without prejudice to the lawfulness of the processing carried out before the revocation, and the right to lodge a complaint with the Italian Data Protection Authority (Garante), pursuant to art. 77 GDPR.

13. HOW TO EXERCISE RIGHTS

The User may exercise their rights:

The exercise of rights is free of charge, save for manifestly unfounded, excessive or repetitive requests, for which the Owner may request a reasonable contribution or refuse the request with reasons.

To verify the identity of the requester, the Owner may request additional information, within the limits of what is strictly necessary.

14. COMPLAINT TO THE SUPERVISORY AUTHORITY

The User may lodge a complaint with the Italian Data Protection Authority (Garante):

Users residing in other EU Member States may address the respective national supervisory Authority.

15. SECURITY OF PROCESSING

The Owner has adopted technical and organizational measures reasonably adequate to the risk, in particular:

In the event of a personal data breach ("data breach"), the Owner undertakes to notify it to the Italian Data Protection Authority (Garante) within 72 hours where the conditions are met (art. 33 GDPR) and to inform the data subjects in the cases provided by art. 34 GDPR.

16. COOKIES AND SIMILAR TECHNOLOGIES

The mobile application uses exclusively technical mechanisms (SharedPreferences/Keychain) comparable to technical cookies necessary for operation.

The web version (splax.io) and the showcase website (splax.app) use cookies, as described in the Cookie Policy available on the same Sites and integrated into this Policy. The final URL of the Cookie Policy will be published at the time of deployment of the website.

17. THIRD-PARTY ADVERTISING (GOOGLE ADMOB AND GOOGLE ADSENSE)

The Platform is offered free of charge to Users. To finance its development and management costs, Splax displays advertisements provided by:

In the future the Owner may add further advertising networks under a "mediation" regime (e.g. Meta Audience Network), communicating this by prior update of this Policy.

AdMob and AdSense, in their capacity as independent data controllers, may collect:

The purposes of such processing are described in Google's policies: https://policies.google.com/technologies/ads.

In the BB Points section the User finds an optional banner "Watch a video, get X BB Points". The User freely chooses whether to activate the function. The limit is 5 (five) videos per day per profile. The consumption of an advertising video entails:

The Owner does not receive from AdMob the identity of the advertiser displayed, but only the confirmation of the "reward earned" event for the calculation of the score.

The Owner does not check in advance the individual ads published, which are selected in real time by Google's auction. Any non-compliant ads may be reported to Google (link present next to each ad) or to the Owner at support@splax.app.

See Section 10.1 for the methods of limiting personalized ads. The User who prefers a completely ad-free experience may consider the possible "Premium ad-free" plan if made available by the Owner in the future.

18. BB POINTS LOYALTY PROGRAM

"BB Points" are loyalty points accumulated by Users by performing actions on the Platform (e.g. participation in events, reviews, viewing of optional advertising videos, daily login). The complete list of actions and their value is published in the BB Points screen of the app/site, and is configurable server-side without code changes.

At the time of the last update of this Policy: 1,500 BB Points = €5 discount. The actual values are stored in the bb_points_config table of the backend and may be modified over time; the version in force is always the one displayed in the BB Points screen of the app.

The discount may be applied:

Points balance, transaction history (date, action, amount, reason), daily counts for the calculation of limits (e.g. maximum 5 advertising videos per day). Such data are retained for the duration of the User's Account and are visible to the User in the "History" section of the BB Points screen.

The Owner may suspend or reset the BB Points balance in the event of fraudulent accrual (e.g. multiple accounts, automated tools, use of emulators for ads). See the Terms for details.

19. FIGT AFFILIATION CERTIFICATES

For teams duly affiliated with the Federazione Italiana Giochi Tattici (FIGT), the Owner automatically generates, upon confirmation of the affiliation payment, an affiliation certificate in DOCX/PDF format containing the team's data (name, FIGT affiliate code, sports year, regional committee of membership, active insurance policies). The certificate is signed by the FIGT President.

The file is saved on Supabase Storage in a private bucket (figt-certificates), accessible only:

The policies cited in the certificate (RCT, Accident, any Legal Protection) are read at the time of generation from the figt_insurance_policies table, which the Owner updates periodically in coordination with FIGT/ACSI without this entailing automatic regeneration of the certificates already issued.

The certificates are retained for 10 (ten) years from the date of issue, to allow historical reconstructions and federal compliance.

20. GEOGRAPHIC RESTRICTION OF THE MARKETPLACE (ITALY ONLY)

The Platform's Marketplace is reserved for Users residing in Italy.

The restriction is functional to compliance with Italian legislation on the holding, transfer and shipment of airsoft replicas, paintball markers, accessories and tactical clothing (in particular D.lgs. 204/2010 and subsequent amendments), which imposes specific constraints on national territory. Such restriction is not discriminatory pursuant to Regolamento (UE) 2018/302 (Geo-blocking) as it is justified by prohibitions provided by Union law and the national legal order for categories of goods subject to special regulation.

A User who updates their declared country of residence will see the Marketplace functions activate/deactivate automatically. The Owner may request additional documentation in the event of doubts about the actual residence.

21. CHANGES TO THE POLICY

The Owner reserves the right to update this Policy should changes occur to the service, to the providers used, to the processing methods or to the applicable legislation. In the event of substantial changes, the Owner will notify Users by means of in-app notification or e-mail. The date of the last update is indicated at the beginning of the document.