PRIVACY POLICY
> This is a courtesy English translation of the Italian original. In case of any discrepancy or conflict, the Italian version prevails.
Version in force from 11 July 2026
This Policy is provided pursuant to art. 13 of Regolamento (UE) 2016/679 (the "GDPR") and of D.lgs. 196/2003 as amended by D.lgs. 101/2018 (the "Codice Privacy" / Italian Privacy Code). It describes how the personal data of Users of the Splax Platform (mobile app and web version splax.io, as well as the showcase website splax.app) are collected and processed.
1. DATA CONTROLLER AND CONTACTS
- Owner: Tomas Garulli — owner of the family sole proprietorship pursuant to art. 230-bis of the Italian Civil Code.
- Tax Code (Codice Fiscale): GRLTMS69P24G337G
- VAT number (Partita IVA): 02281470340
- ATECO Code (Codice ATECO): 62.01.00 (Production of software not connected with publishing)
- Registered office: Strada Tamborino 4, 43024 Bazzano (Parma), Italy
- Family collaborator: Lorenzo Garulli (CF: GRLLNZ98L22G337J)
- E-mail for privacy requests and data subject rights: support@splax.app
2. DATA PROTECTION OFFICER (DPO)
The Owner has not appointed a Data Protection Officer, as the mandatory conditions set out in art. 37 GDPR do not currently apply. Communications concerning data protection and the exercise of rights must be addressed directly to the Owner at support@splax.app.
The Owner reserves the right to appoint a DPO where necessary as the service evolves; any such appointment will be communicated by updating this Policy.
3. CATEGORIES OF PERSONAL DATA PROCESSED
Depending on the functionalities used, Splax processes the following categories of data:
Identification and personal details
- Name, surname, username
- Date of birth (to verify the minimum age of 18)
- Tax Code (for Users acting as team president, legal representative of an association, or for FIGT membership requirements)
- VAT number, company name, REA number (for "Shop", "Arena", "Organization" Users)
- Identity document number and type (for the verification procedure via Stripe Identity)
Contact
- E-mail address (primary)
- Telephone number (optional / mandatory for Users verified as business)
- Postal address (residence, registered office, shipping/billing address)
- Country, region, city, postal code, approximate GPS coordinates of the location associated with the profile or events
- Social handles (Instagram, Facebook, YouTube, website) if voluntarily entered
Authentication
- Access credentials (e-mail + password, the latter stored as an irreversible hash by the authentication provider Supabase)
- Session tokens (JWT), refresh tokens, web session cookies
- Access logs (IP, user-agent, timestamp) retained by the authentication provider
Payment and billing
- Stripe identifiers (Customer ID, Connect Account ID, Subscription ID)
- RevenueCat identifiers (for Apple/Google in-app purchases)
- Payment card information: not processed directly by the Owner; it is acquired and stored solely by Stripe in a PCI-DSS certified environment; the Platform receives only the reference token and the last 4 digits/card type for display purposes.
- Payment history, amounts, status, method, order metadata
- Payout details (IBAN, bank account) of Sellers / arena managers / teams / associations, managed via Stripe Connect
- Billing information and related addresses
Identity verification (KYC)
Collected for mandatory anti-money-laundering checks when the User sets up the collection of payments (Shop, Arena, Organization, Sellers, event organizers): - Front/back image of the identity document (identity card, driving licence, passport) - Selfie / facial image for biometric comparison - Verification results
Such data are processed by Stripe, in its capacity as an independent data controller pursuant to its own agreements, and are not accessible to the Owner in original format: the Owner receives only the outcome of the verification and the necessary structured data (e.g. name, date of birth, expiry date).
Use of the service
- Uploaded content: marketplace listings (texts, photos, prices), forum posts and threads, 1-to-1 chat messages, team chats, marketplace/event transaction chats, in-app support chats with Splax staff, reviews, feedback, comments, reports, team and affiliation documents
- Platform behaviour: interactions (likes, follows, favourites), pages visited, listing views, access times, last presence ("last seen"), average response time
- BB Points and related transactions
- Statistics: number of sales, average rating, reputation
- Feature Usage (features used) for maintenance and improvement purposes
Device and diagnostics
- App installation identifier
- Device type, model, operating system, app version, language, time zone
- Push notification token (Firebase Cloud Messaging – FCM)
- Crash / error data transmitted to Firebase Crashlytics for diagnostic purposes
- IP address (in the backend and provider logs)
- Advertising identifiers transmitted to Google AdMob: IDFA (Identifier for Advertisers) on iOS, AAID (Android Advertising ID) on Android. The User can limit/reset such identifiers from the operating system settings. On iOS the identifier is transmitted only upon explicit consent through the ATT (App Tracking Transparency) prompt.
Minors "affiliated through a team"
As described in the Terms (Sections 5.3 and 20.3), minors cannot create an Account. However, the Platform may process the personal details of underage athletes entered by the team they belong to for the purposes of FIGT affiliation and insurance: - Name, surname, date of birth of the minor - Membership/card number - Legal guardian's data (name, surname, tax code, contacts) - Any internal organizational flags
The guardian's consent is collected by the team (paper form external to the Platform) and the team is responsible for it. The Owner acts as a processor pursuant to art. 28 GDPR on behalf of the team, in relation to such data, under the terms of a framework agreement applicable to all registered teams.
Special and judicial data (art. 9 GDPR)
The Owner does not intentionally request the processing of data belonging to special categories (health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, sex life or sexual orientation).
The Stripe Identity procedure entails the acquisition of a facial image for comparison purposes: such processing is not considered "biometric data" pursuant to art. 9 GDPR insofar as it is used only to verify the declared identity and not for subsequent biometric identification. Should the User not wish to provide such data, they may waive the features that require them (e.g. receiving payments as a Seller/organizer).
The Owner does not collect judicial data. In the event of reports to the Authorities (Section 9 of the Terms), the Owner may transmit published content and identification data within the limits of the law, without this constituting a systematic processing of judicial data.
Advertising interaction data
- Number of daily views of rewarded advertising videos ("rewarded ad") by the User, retained for anti-abuse purposes and to apply the maximum limit of 5 videos/day provided by the BB Points program
- View and click events on native ads published in the marketplace and forum lists (collected and managed by Google AdMob / AdSense as independent controllers)
- BB Points balance and related transaction history
- Country of residence declared by the User (ISO-2 code), used for the provision of the Marketplace, reserved solely for residents in Italy (Section 20)
4. PURPOSES OF PROCESSING AND LEGAL BASES
The Owner processes Users' personal data solely for specified, explicit and legitimate purposes, identifying for each processing operation a legal basis pursuant to art. 6 GDPR. In particular, the processing may be based, depending on the case, on the performance of the contract or of pre-contractual measures requested by the User, on the fulfilment of legal obligations, on the data subject's consent, or on the legitimate interest of the Owner or of third parties, subject to balancing against the fundamental rights and freedoms of the data subjects.
The creation and management of the Account, as well as the provision of the functionalities requested by the User — including content, marketplace, events, bookings, chats, forum and team management — entail the processing of identification, contact, authentication and service-use data. Such processing is necessary to enable access to the Platform and the performance of the services requested by the User and is based on art. 6(1)(b) GDPR.
Data relating to payments, billing, transactional identifiers and, where applicable, payout details are processed to manage payments, escrow, transactions, refunds, receipts, invoices and tax obligations. The processing is necessary both for the performance of the contractual relationship with the User and to comply with legal obligations in tax, accounting, anti-money-laundering and anti-fraud matters, pursuant to art. 6(1)(b) and (c) GDPR.
For Users who intend to sell goods, receive payments, manage arenas, organize events or otherwise use functions involving collections, data necessary for identity verification and KYC procedures via Stripe Identity may be processed, such as personal details, identity document, facial image for comparison and verification result. Such processing is based on the performance of the contract, insofar as the verification is necessary to enable the relevant functions, as well as on the fulfilment of applicable legal obligations concerning identification, fraud prevention, anti-money-laundering and payment management, pursuant to art. 6(1)(b) and (c) GDPR.
Push notifications relating to the operation of the service, such as updates on orders, chat messages, events, bookings and operational communications, require the processing of the notification token and information relating to the notified event. Such notifications are sent only where the User has given the relevant consent through the operating system or application permissions, consent that is always revocable from the device or app settings, pursuant to art. 6(1)(a) GDPR.
The User's e-mail address is processed for sending transactional and service communications, such as registration confirmation, password reset, receipts, order updates and communications strictly connected with the use of the Platform. Such processing is necessary for the performance of the contract pursuant to art. 6(1)(b) GDPR. By contrast, the sending of newsletters and the Owner's promotional communications takes place only upon the User's specific, free and revocable consent, pursuant to art. 6(1)(a) GDPR.
The Owner processes service-use data, IP addresses, logs, diagnostic data, payment information and other relevant technical elements to prevent fraud, abuse, unauthorized access, service manipulation, breaches of the Terms and unlawful or harmful conduct towards the Platform and Users. Such processing is based on the Owner's legitimate interest in the security, integrity and reliability of the service and in the protection of Users, pursuant to art. 6(1)(f) GDPR, without prejudice to the balancing against the rights and freedoms of the data subjects.
User-generated content, reports, logs and related information may be processed for moderation purposes, management of reports, countering unlawful content or content contrary to the Terms, and fulfilment of the obligations set out in the Digital Services Act and applicable legislation. The legal basis consists, depending on the case, of the fulfilment of legal obligations and of the Owner's legitimate interest in maintaining a secure and compliant digital environment, pursuant to art. 6(1)(c) and (f) GDPR.
Usage data may also be processed, including in pseudonymized or aggregated form, to produce internal non-individual statistics, monitor the operation of the Platform, understand the use of functionalities, improve the service and resolve technical malfunctions, including crash and diagnostic data transmitted via Crashlytics. Such processing is based on the Owner's legitimate interest in the maintenance, security, evolution and improvement of the Platform, pursuant to art. 6(1)(f) GDPR.
When the User enables location-based functionalities, such as maps, events, places or arena search, GPS coordinates or location data may be processed. The processing takes place exclusively within the limits of the permissions granted by the User through the operating system or the application and is based on the data subject's consent, revocable at any time, pursuant to art. 6(1)(a) GDPR.
The Owner may process all relevant categories of data, within the limits of necessity and proportionality, to comply with legal obligations, retain mandatory documentation, respond to requests from the Authorities, cooperate with competent public authorities, prevent or ascertain unlawful acts and protect its rights in out-of-court or judicial proceedings. Such processing is based on art. 6(1)(c) GDPR, where required by law, and on art. 6(1)(f) GDPR, where necessary for the establishment, exercise or defence of a right.
For functionalities relating to FIGT membership, affiliations and sports insurance coverage, the Owner may process personal details, contact, payment data and documents necessary for membership, affiliation, team management and transmission to the competent bodies. The processing is necessary for the performance of the services requested, for the fulfilment of legal or regulatory obligations in the sports field and, where relevant, for the legitimate interest in the proper management of the relationship with teams, associations and the federation, pursuant to art. 6(1)(b), (c) and (f) GDPR.
The data of minors "affiliated through a team", who are not enabled to create an Account independently, may be processed exclusively within the limits necessary for the affiliation, membership, insurance coverage and administrative management of the team or association. In this context, Splax operates within the limits of the role described in this Policy and in the applicable agreements with the team, while the collection of the guardian's consent or authorization remains the responsibility of the team as indicated in Section 3. The legal basis is identified in the performance of the contractual or associative relationship managed by the team or federation with the guardian and in any related legal or regulatory obligations.
In relation to the DAC7 legislation, the Owner processes the identification, tax, residence, banking and transactional data of Reporting Sellers, including quarterly consideration, number of transactions and fees, in order to carry out the required verifications, prepare the annual reporting and transmit the data to the Italian Revenue Agency (Agenzia delle Entrate) within the legal deadlines. Such processing is necessary to comply with a legal obligation to which the Owner is subject pursuant to D.lgs. 32/2023 and is based on art. 6(1)(c) GDPR; the User cannot object to the reporting where the regulatory conditions are met.
The Platform may display third-party advertisements via Google AdMob on the mobile app and Google AdSense on the web, including through native ads in the marketplace and forum lists and optional "rewarded" advertising videos that the User may choose to view to obtain BB Points. For contextual ads and for the economic support of the free service, the processing is based on the Owner's legitimate interest in the operation and sustainability of the Platform, pursuant to art. 6(1)(f) GDPR. For personalized ads, advertising identifiers, profiling cookies and non-technical tracking, the processing takes place only upon the User's consent, collected through the ATT prompt on iOS, the relevant permissions on Android or a banner/CMP on the web, pursuant to art. 6(1)(a) GDPR.
The verification of the User's declared country of residence is carried out to allow or deny access to the Marketplace functionalities, reserved solely for residents in Italy on account of the national legislation applicable to the sale, holding and shipment of airsoft replicas, paintball markers and accessories subject to special regulation. Such processing is necessary for the performance of the contract and for the fulfilment of legal or regulatory obligations, pursuant to art. 6(1)(b) and (c) GDPR.
Finally, the data relating to the BB Points loyalty program, such as balance, transaction history, accrual or spending actions, daily limits, generation and use of QR codes or alternative codes at affiliated businesses, are processed to enable the provision and management of the program itself. Such processing is necessary for the performance of the service requested by the User and is based on art. 6(1)(b) GDPR; the anti-fraud or anti-abuse counts connected with the program may also be based on the Owner's legitimate interest in preventing improper use of the Platform, pursuant to art. 6(1)(f) GDPR.
No personal data is processed for purposes other than those indicated above, unless the Owner informs the User in advance and identifies a suitable legal basis. Where a new purpose requires the data subject's consent, the processing will be initiated only after obtaining such consent, which may be revoked at any time.
With reference to the data processed for DAC7 purposes, the reporting to the Italian Revenue Agency (Agenzia delle Entrate) and any subsequent exchange with the tax authorities of other Member States of the European Union take place exclusively in the cases and within the limits provided by the applicable legislation. Such data are retained for the period indicated in Section 11 and the Seller cannot object to the relevant reporting when it constitutes the fulfilment of a legal obligation.
5. DATA OF MINORS
The Platform is reserved for Users of legal age. During registration the date of birth is requested and, should an age below 18 result, the creation of the Account is prevented.
Should the Owner ascertain that an Account has been created by a minor in breach of this Policy and of the Terms, it will suspend or delete it and proceed to delete the relevant personal data, save for what must be retained by legal obligation or for the protection of its rights.
The processing of the data of minors "affiliated through a team" remains in force, limited to the purposes of affiliation, membership, insurance coverage and administrative management indicated in Section 3. The legal guardian may request rectification or deletion of the data through the team they belong to or directly from the Owner.
6. METHODS OF COLLECTION
The data are collected:
- Directly from the data subject during registration, Account configuration, use of the service, uploading of content and payment;
- Automatically by the system through the Platform's technology (logs, technical cookies, tokens, diagnostics);
- From third parties: (a) from Stripe in relation to the outcome of identity verification and payment operations; (b) from Apple/Google/RevenueCat in relation to in-app purchases; (c) from couriers (Packlink — general marketplace listings; SendCloud → BRT for airsoft replicas and paintball markers, under a specific Splax↔BRT contract that allows the acceptance of such product category) in relation to shipment tracking; (d) from the team/association for the data of affiliated minors; (e) from Google AdMob/AdSense in aggregated form, in relation to ad delivery metrics.
7. CATEGORIES OF RECIPIENTS
The data may be communicated to:
- Other Users of the Platform, limited to the data published as such (public profile, listings, forum posts, reviews) or strictly necessary for a transaction (name, shipping address during the order phase between Seller/Buyer);
- Service providers acting as processors pursuant to art. 28 GDPR (sub-processors), for activities instrumental to the Platform (hosting, authentication, payments, notifications, maps, shipments, automated moderation, translation, support) — list in Section 8;
- Stripe in its capacity as an independent controller for payment and identity verification activities (in addition to the technical role of sub-processor for certain data);
- Apple and Google in their capacity as independent controllers for the processing of in-app purchases;
- FIGT and the partner insurance body (ACSI or other) in their capacity as distinct controllers, for the data strictly functional to affiliation, membership and the insurance policy;
- Public authorities (law enforcement, judicial authority, data protection authority, tax authorities) where the communication is required by law or by a measure;
- Professional advisors of the Owner (accountant, lawyer) within the limits of what is necessary for ordinary management.
8. LIST OF PROVIDERS AND SUB-PROCESSORS
The Owner makes use of providers and sub-processors that provide services of technological infrastructure, payment, shipment, advertising, translation, geocoding/maps, sports affiliation and insurance coverage. The list is kept up to date and may evolve over time; any significant changes will be communicated by updating this Policy and, where appropriate, by notice via email or in-app.
The main providers include:
providers of hosting, database, authentication and file storage (EU);
providers of payment services and in-app purchase management (EU/USA);
providers of shipment and tracking services (EU);
providers of online advertising services and campaign measurement (EU/USA);
providers of machine translation, geocoding and maps services (EU/USA/UK);
- sports federations and insurance bodies for affiliation, membership and policy management (Italy, EU).
For each of these entities, depending on the case, personal details, contact data, payment data, shipment-related data, technical and app/site-usage identifiers are processed, within the limits necessary for the provision of the services.
8-bis Always up-to-date list of sub-processors
The list of sub-processors is kept up to date by the Owner and corresponds to the providers indicated in this Section 8. Any significant changes (addition or replacement of a sub-processor) will be communicated by updating the Policy and, where the impact on the User is significant, by notice via email or in-app notice.
8-ter Communication to tax authorities (DAC7)
As indicated in purpose 15 of Section 4, the Owner transmits annually to the Italian Revenue Agency (Agenzia delle Entrate) the data of Reporting Sellers. The Agency may, in turn, transmit such data to the competent tax authorities of other EU Member States, in the cases provided by Direttiva (UE) 2021/514. The transmission takes place in fulfilment of a legal obligation and does not require the consent of the data subjects.
9. TRANSFERS OF DATA OUTSIDE THE EU
Some providers (in particular Stripe, RevenueCat, Mapbox and companies of the Google/Apple group) may also process data outside the European Union, predominantly in the United States. In such cases, the Owner ensures, within the limits of its contractual availability, the adoption of adequate safeguards pursuant to arts. 44 et seq. GDPR, specifically:
- Standard Contractual Clauses ("SCC") adopted by the European Commission pursuant to Decisione (UE) 2021/914;
- Any applicable adequacy decisions (e.g. EU-US Data Privacy Framework, if the provider is certified and the decision is in force);
- Supplementary technical and organizational measures where necessary as a result of a Transfer Impact Assessment.
The User may request from the Owner a copy or evidence of the safeguards adopted by writing to support@splax.app
10. PROFILING, AUTOMATED DECISIONS AND AUTOMATED MODERATION
The Owner does not directly carry out advertising profiling activities nor sell data to third parties. Any suggestions of content internal to the Platform (listings, events, "nearby" arenas) are based on technical criteria (declared location, category, expressed preferences) and do not constitute profiling within the meaning of art. 22 GDPR.
However, the Platform displays third-party advertisements via Google AdMob (mobile app) and Google AdSense (web). Such services, in their capacity as independent data controllers, may use advertising identifiers and cookies to personalize ads. The User can limit/deactivate personalization:
- iOS: by refusing the App Tracking Transparency prompt or from the system settings → Privacy and Security → Tracking;
- Android: from Google settings → Ads → "Reset advertising ID" / "Opt out of personalized ads";
- Web: by revoking consent from the cookie banner (CMP) on first access or subsequently via the "Manage consent" item in the footer; alternatively by visiting https://adssettings.google.com.
In the event of lack of consent/limitation, ads will continue to be displayed but in "contextual" (non-personalized) mode, generating lower revenue for the Owner but with less data collection. See Section 17 for details.
Some technical processes operate in an automated manner without immediate human intervention, including:
- Automatic release of escrow after 48 (forty-eight) hours from delivery without actions by the Buyer;
- Auto-resolution of disputes in the event of failure by the Seller to respond;
- Anti-abuse filters on reported content;
- Stripe Identity assessment of the authenticity of the document (managed by Stripe).
The User has the right to contest the outcome of such automated processes, obtain human review and assert their own point of view, by writing to support@splax.app.
11. DATA RETENTION
The data are retained for the time strictly necessary for the purposes and in any event:
| Category | Retention period |
|---|---|
| Active profile data (Account) | For the entire duration of the Account, save for a deletion request |
| Data of an Account deleted by the User | Complete deletion within 30 (thirty) days of the request (grace period for reconsideration), save for legal retention obligations |
| Access and security logs | Up to 12 (twelve) months |
| Payment data and tax documents (invoices, receipts, collections) | 10 years pursuant to art. 2220 of the Italian Civil Code and Italian tax legislation |
| Data collected for DAC7 purposes (Seller identifiers, quarterly consideration, fees) | 10 years from the end of the reference year (art. 6 D.lgs. 32/2023) |
| Identity verification documents (Stripe Identity) | Processed by Stripe according to the timeframes established by Stripe itself in fulfilment of KYC/AML obligations (typically 5–10 years) |
| 1-to-1 and team chat messages | For the entire duration of the Account; the sender and recipient may delete them individually within the technical limits of the Platform |
| Marketplace listings | Until closure/removal; the associated orders remain in the history |
| Marketplace orders and disputes | 10 years from conclusion (tax obligations and legal defence) |
| Data relating to events, arena bookings, FIGT affiliations | For the duration of the service + 10 years for tax documents |
| Data of minors "affiliated through a team" | Until deletion requested by the team/guardian, or expiry of the affiliation + archiving period required by FIGT |
| Cookies | See the Cookie Policy |
| Reports and related documentation (DSA) | At least 6 months from resolution, up to 5 years for reports of unlawful acts |
At the end of the retention periods, the data are deleted or anonymized.
12. DATA SUBJECT RIGHTS
The User may exercise, at any time, the rights recognized by arts. 15–22 of Regolamento (UE) 2016/679, including in particular:
- right of access to their personal data;
- right of rectification of inaccurate data and completion of incomplete data;
- right to erasure of data ("right to be forgotten"), within the limits provided by law;
- right to restriction of processing;
- right to portability of the data provided, in a structured and commonly used format;
- right to object to processing based on the Owner's legitimate interest and to processing for direct marketing purposes;
- right not to be subject to solely automated decisions producing legal effects or significantly affecting them.
The User also has the right to revoke at any time any consent given, without prejudice to the lawfulness of the processing carried out before the revocation, and the right to lodge a complaint with the Italian Data Protection Authority (Garante), pursuant to art. 77 GDPR.
13. HOW TO EXERCISE RIGHTS
The User may exercise their rights:
- Through the account management functions present in the app (profile editing, Account deletion, data export where available);
- By writing to support@splax.app indicating "Privacy Request – [type of request]" in the subject. The Owner will respond without undue delay and in any event within 30 days (extendable by a further 60 in complex cases with reasoned notice, pursuant to art. 12.3 GDPR).
The exercise of rights is free of charge, save for manifestly unfounded, excessive or repetitive requests, for which the Owner may request a reasonable contribution or refuse the request with reasons.
To verify the identity of the requester, the Owner may request additional information, within the limits of what is strictly necessary.
14. COMPLAINT TO THE SUPERVISORY AUTHORITY
The User may lodge a complaint with the Italian Data Protection Authority (Garante):
- Website: https://www.gpdp.it
- Piazza Venezia 11, 00187 Roma
- E-mail: garante@gpdp.it – PEC: protocollo@pec.gpdp.it
Users residing in other EU Member States may address the respective national supervisory Authority.
15. SECURITY OF PROCESSING
The Owner has adopted technical and organizational measures reasonably adequate to the risk, in particular:
- Encryption in transit (TLS 1.2+) of the data exchanged between app and backend;
- Role-based access controls (RLS – Row Level Security) on the database;
- Session tokens with expiry and rotation;
- Storage of passwords by means of an irreversible hash managed by the authentication provider Supabase;
- No retention of payment card data by the Owner (delegated to Stripe – PCI-DSS environment);
- Security logs and monitoring of administrator activities (admin_logs);
- Environment segregation and credential management policies;
- Training of the personnel involved.
In the event of a personal data breach ("data breach"), the Owner undertakes to notify it to the Italian Data Protection Authority (Garante) within 72 hours where the conditions are met (art. 33 GDPR) and to inform the data subjects in the cases provided by art. 34 GDPR.
16. COOKIES AND SIMILAR TECHNOLOGIES
The mobile application uses exclusively technical mechanisms (SharedPreferences/Keychain) comparable to technical cookies necessary for operation.
The web version (splax.io) and the showcase website (splax.app) use cookies, as described in the Cookie Policy available on the same Sites and integrated into this Policy. The final URL of the Cookie Policy will be published at the time of deployment of the website.
17. THIRD-PARTY ADVERTISING (GOOGLE ADMOB AND GOOGLE ADSENSE)
The Platform is offered free of charge to Users. To finance its development and management costs, Splax displays advertisements provided by:
- Google AdMob (Google Ireland Limited) on the iOS and Android mobile app: native ads inserted in the marketplace and forum lists (every 6 items) and optional advertising videos ("rewarded") in the BB Points section;
- Google AdSense (Google Ireland Limited) on the website splax.app/splax.io: display and native ads.
In the future the Owner may add further advertising networks under a "mediation" regime (e.g. Meta Audience Network), communicating this by prior update of this Policy.
AdMob and AdSense, in their capacity as independent data controllers, may collect:
- Device advertising identifiers: IDFA (iOS) or AAID (Android), transmitted only upon the User's consent to the ATT prompt on iOS or to the "personalized ads" authorization on Android;
- IP address (for approximate geolocation at national/regional level);
- Technical and profiling cookies on the web;
- Device model, operating system, language, time zone;
- View and click events on ads, dwell time, frequency.
The purposes of such processing are described in Google's policies: https://policies.google.com/technologies/ads.
In the BB Points section the User finds an optional banner "Watch a video, get X BB Points". The User freely chooses whether to activate the function. The limit is 5 (five) videos per day per profile. The consumption of an advertising video entails:
- the execution of an AdRequest to Google AdMob;
- the transmission of the data indicated at point 17.2;
- at the end of the viewing, the automatic crediting of the configured value of BB Points to the User's balance (currently 5 BB Points per video).
The Owner does not receive from AdMob the identity of the advertiser displayed, but only the confirmation of the "reward earned" event for the calculation of the score.
The Owner does not check in advance the individual ads published, which are selected in real time by Google's auction. Any non-compliant ads may be reported to Google (link present next to each ad) or to the Owner at support@splax.app.
See Section 10.1 for the methods of limiting personalized ads. The User who prefers a completely ad-free experience may consider the possible "Premium ad-free" plan if made available by the Owner in the future.
18. BB POINTS LOYALTY PROGRAM
"BB Points" are loyalty points accumulated by Users by performing actions on the Platform (e.g. participation in events, reviews, viewing of optional advertising videos, daily login). The complete list of actions and their value is published in the BB Points screen of the app/site, and is configurable server-side without code changes.
At the time of the last update of this Policy: 1,500 BB Points = €5 discount. The actual values are stored in the bb_points_config table of the backend and may be modified over time; the version in force is always the one displayed in the BB Points screen of the app.
The discount may be applied:
- In app: during a purchase on the marketplace, arena booking or registration for a paid event that accepts BB Points, the discount is automatic;
- Outside the app: at affiliated shops/arenas that decide to accept the program. Redemption takes place by showing the personal QR Code (or the alternative code BB-XXXXXXXXXX) to the merchant. The acceptance of payment with BB Points outside the app is at the sole discretion of the individual merchant.
Points balance, transaction history (date, action, amount, reason), daily counts for the calculation of limits (e.g. maximum 5 advertising videos per day). Such data are retained for the duration of the User's Account and are visible to the User in the "History" section of the BB Points screen.
The Owner may suspend or reset the BB Points balance in the event of fraudulent accrual (e.g. multiple accounts, automated tools, use of emulators for ads). See the Terms for details.
19. FIGT AFFILIATION CERTIFICATES
For teams duly affiliated with the Federazione Italiana Giochi Tattici (FIGT), the Owner automatically generates, upon confirmation of the affiliation payment, an affiliation certificate in DOCX/PDF format containing the team's data (name, FIGT affiliate code, sports year, regional committee of membership, active insurance policies). The certificate is signed by the FIGT President.
The file is saved on Supabase Storage in a private bucket (figt-certificates), accessible only:
- to the team owner (read access, via temporary signed URL);
- to the staff members of the FIGT association (admin, secretariat, presidency).
The policies cited in the certificate (RCT, Accident, any Legal Protection) are read at the time of generation from the figt_insurance_policies table, which the Owner updates periodically in coordination with FIGT/ACSI without this entailing automatic regeneration of the certificates already issued.
The certificates are retained for 10 (ten) years from the date of issue, to allow historical reconstructions and federal compliance.
20. GEOGRAPHIC RESTRICTION OF THE MARKETPLACE (ITALY ONLY)
The Platform's Marketplace is reserved for Users residing in Italy.
The restriction is functional to compliance with Italian legislation on the holding, transfer and shipment of airsoft replicas, paintball markers, accessories and tactical clothing (in particular D.lgs. 204/2010 and subsequent amendments), which imposes specific constraints on national territory. Such restriction is not discriminatory pursuant to Regolamento (UE) 2018/302 (Geo-blocking) as it is justified by prohibitions provided by Union law and the national legal order for categories of goods subject to special regulation.
A User who updates their declared country of residence will see the Marketplace functions activate/deactivate automatically. The Owner may request additional documentation in the event of doubts about the actual residence.
21. CHANGES TO THE POLICY
The Owner reserves the right to update this Policy should changes occur to the service, to the providers used, to the processing methods or to the applicable legislation. In the event of substantial changes, the Owner will notify Users by means of in-app notification or e-mail. The date of the last update is indicated at the beginning of the document.