Privacy Policy
How Gesta Carta collects, uses and protects your personal data, in line with Regulation (EU) 2016/679 (GDPR).
Last updated · 2026-06-21
Note: this text is a template to be reviewed by legal counsel before launch. It is not yet a final policy and is not legal advice.
Who we are · data controller
Gesta Carta is an AI-assisted geopolitical cartography tool, part of the Gesta project. The data controller is the entity operating gestacarta.eu.
For any matter concerning your personal data, you can write to privacy@gestacarta.eu.
What data we collect
We only collect the data needed to provide the service:
- Account data: the email address you use to register and sign in.
- Your content: the projects, cartographic documents (DSL) and maps you create in the Studio.
- AI-generation usage: usage metrics and credits consumed, to meter consumption and enforce plan limits.
- Session cookie: a technical cookie to keep you signed in. No tracking or advertising cookies.
Why & legal basis
We process account data and your content to perform our service contract with you (Art. 6.1.b GDPR): without them we cannot provide the Studio.
We process usage metrics and credits on the basis of our legitimate interest in running, metering and protecting the service (Art. 6.1.f), and for billing when you subscribe to a paid plan (Art. 6.1.b). The session cookie is strictly necessary to operate.
Processors & sub-processors
To run the service we rely on selected providers acting as processors:
- Cloud hosting: to host the application and store your documents.
- AI model provider: to process map generation and editing requests.
- Payment processor: to handle subscriptions, when paid plans are active.
- Email delivery service: for transactional email (confirmations, resets, account notices).
Cookies
We use a single, strictly technical session cookie to keep you authenticated. We do not use tracking, profiling or advertising cookies, and we do not share data with ad networks.
Data retention
We keep account data and your content for as long as your account is active. On account deletion, we delete or anonymise personal data within a reasonable timeframe, except where retention is required by law (e.g. billing records).
Your rights
Under the GDPR you have the right to:
- Access: obtain a copy of your personal data.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of your data (“right to be forgotten”).
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to certain processing based on legitimate interest.
- Complaint: lodge a complaint with the competent supervisory authority (in Italy, the Garante per la protezione dei dati personali).
How to exercise your rights
Write to privacy@gestacarta.eu stating your request. We respond without undue delay and within statutory time limits.
International transfers
Some providers may process data outside the European Economic Area. Where they do, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses.
Security
We apply reasonable technical and organisational measures to protect data: encryption in transit, access control and least privilege. No system, however, is 100% secure.
Changes to this policy
We may update this policy. For material changes we will give notice and update the date at the top. Continued use of the service after changes implies acceptance.
Contact
For any privacy question: privacy@gestacarta.eu.