CRASA APS
Privacy Policy
Updated on 11 March 2026
1. Data Controller
The Data Controller is CRASA APS (Associazione di Promozione Sociale), registered in Naples, Italy.
Banking details: IBAN IT16 S050 1803 4000 0002 0000 760, Banca Popolare Etica S.c.p.a., Naples branch.
Contact: info@crasa.team
2. Legal Framework
Personal data is processed in compliance with:
- Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR);
- Italian Legislative Decree no. 196/2003 (Privacy Code);
- Italian Legislative Decree no. 101/2018 (GDPR adaptation);
- Decisions and guidelines of the Italian Data Protection Authority (Garante).
3. Data Collected
Data provided by the user:
- First and last name;
- Email address;
- Phone number (optional);
- Content of messages submitted through the contact form;
- Profile data (if registered on the platform).
Technical data collected automatically:
- IP address;
- Browser type and operating system;
- Pages visited and time of visit;
- Strictly necessary technical cookies.
4. Purposes and Legal Basis
a) Provision of platform services
Legal basis: performance of a contract (Art. 6.1.b GDPR). Data is necessary for registration, profile management, and use of services.
b) Responding to contact requests
Legal basis: legitimate interest of the Controller (Art. 6.1.f GDPR). Data is used to reply to user communications.
c) Service improvement and security
Legal basis: legitimate interest (Art. 6.1.f GDPR). Technical data is analysed to ensure security and improve functionality.
d) Marketing communications and newsletter
Legal basis: explicit consent (Art. 6.1.a GDPR). Consent may be withdrawn at any time.
5. Retention Period
- User account data: until account deletion, and in any case no longer than 3 years from last activity;
- Contact message data: 2 years from receipt;
- Technical logs: 12 months;
- Data for tax/accounting obligations: 10 years under Italian law.
6. Data Recipients
Personal data is not sold to third parties. It may be disclosed to:
- Technical service providers (hosting, email) acting as Data Processors;
- Competent authorities when required by law.
Providers outside the EU process data in compliance with GDPR through appropriate safeguards (Adequacy Decisions or Standard Contractual Clauses).
7. Cookies
Technical cookies (strictly necessary): used for the operation of the website (session, CSRF security). No consent required.
Analytical cookies: used to analyse traffic in anonymous form. Require user consent.
You can manage cookie preferences through your browser settings or via the cookie banner on the website.
8. Your Rights
Under Articles 15–22 GDPR, you have the right to:
- Access — obtain confirmation of processing and a copy of your data;
- Rectification — correct inaccurate or incomplete data;
- Erasure ("right to be forgotten") — request deletion of your data;
- Restriction — obtain restriction of processing;
- Objection — object to processing on legitimate grounds;
- Data portability — receive your data in a structured, machine-readable format;
- Withdrawal of consent — withdraw consent at any time without prejudice.
To exercise these rights, contact us at: info@crasa.team
If you believe your rights have been violated, you may lodge a complaint with the Italian Data Protection Authority (Garante) at www.garanteprivacy.it.
9. Data Security
CRASA APS implements appropriate technical and organisational measures to protect personal data from unauthorised access, loss, destruction, or disclosure, in accordance with Art. 32 GDPR. Data is transmitted via HTTPS and stored on protected servers.
10. Changes to This Policy
CRASA APS reserves the right to update this Privacy Policy. Material changes will be communicated to registered users by email. The latest version will always be available on this page with the date of last update.
Data Protection Officer (DPO)
For any privacy-related matters: info@crasa.team