Privacy Policy

Last updated: April 21, 2026

This Privacy Policy explains how IMPACT SRL collects, uses and protects the personal data of users of guitarscientist.com (the "Service").

This is the essential version that covers the mandatory GDPR art. 13 information. A fuller privacy notice will follow and replace this one in the coming weeks.

---

1. Data Controller

IMPACT SRL Via G.E. di Velo n. 95, 36100 Vicenza (VI), Italy VAT: 04548760240 · REA: VI-412310 General email: jay@guitarscientist.com PEC (legal/formal communications): impactsrl24@pec.it

2. What data we collect

Depending on how you use the Service:

• Account data: email address, password (hashed), username, optional profile information (bio, country, social links, profile picture).
• Content: diagrams you create, comments, bookmarks, follows, votes, and associated metadata (timestamps, visibility settings).
• Payment data: if you purchase a Membership or add-on pack, transactional metadata and invoicing information (billing name, billing address, VAT ID if applicable). Payment card details are handled exclusively by PayPal and never reach our servers.
• Technical data: IP address, browser user-agent, last login time, session cookies, minimal usage analytics (see §5).

3. Legal bases for processing

• Contract (GDPR art. 6.1.b) — to deliver the Service you signed up for.
• Legal obligation (art. 6.1.c) — for fiscal invoicing, fraud prevention, responding to lawful authority requests.
• Legitimate interest (art. 6.1.f) — for product analytics, abuse prevention, security.
• Consent (art. 6.1.a) — where explicitly requested (e.g. marketing emails, which you can opt out of at any time).

4. Data retention

• Account data: kept while the Account is active. Deleted immediately upon Account cancellation, save for backups retained up to 90 days for technical and security reasons.
• Public Content (diagrams, comments): retained even after Account cancellation, with author anonymised to "Deleted user" for community integrity (see Terms of Use §10).
• Fiscal/invoice records: retained for 10 years as required by Italian tax law.
• Technical logs: up to 12 months.

5. Third parties we share data with

To run the Service we rely on the following providers, each acting as a data processor or independent controller for their own services:

• PayPal (Ireland/USA) — payment processing.
• Mailjet (France) — transactional email delivery (signup confirmation, password reset, notifications).
• PostHog (EU region) — product analytics (aggregate usage patterns). No third-party advertising.
• FattureInCloud (Italy) — issuance of tax documents and invoices.
• YouTube (Google, USA) — embedded video playback within diagrams (if a User embeds a YouTube video).
• Public CDNs (jsDelivr, Cloudflare) — delivery of static resources; IP addresses are logged by the CDN provider.

Each provider is bound by its own terms and, where applicable, by a Data Processing Agreement.

6. International transfers

Some providers are outside the EU/EEA (e.g. PayPal, YouTube). Transfers are covered by Standard Contractual Clauses or equivalent GDPR-compliant mechanisms.

7. Your rights (GDPR)

You have the right to:

• Access the data we hold about you.
• Rectify incorrect or incomplete data.
• Erasure ("right to be forgotten"), subject to legal retention obligations and the exceptions of GDPR art. 17.3 for public content (see Terms of Use §10).
• Portability of data you provided us.
• Restrict or object to processing based on legitimate interest.
• Withdraw consent where consent is the legal basis.
• Lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali — garanteprivacy.it).

To exercise any of these rights, email jay@guitarscientist.com. We'll respond within 30 days.

8. Cookies

The Service uses essential cookies only (session management, CSRF protection, authentication). No third-party advertising or cross-site tracking cookies are set.

Any future change to this (e.g. addition of non-essential analytics cookies) will be accompanied by a consent banner and an update to this notice.

9. Security

Account passwords are stored hashed (bcrypt). Traffic is served over HTTPS. Backups are encrypted at rest. No system is perfectly secure: you are responsible for keeping your credentials safe and notifying us promptly of any suspected breach.

10. Data about minors

The Service is intended for users aged 18 or older. We do not knowingly collect data from minors. If you become aware that a minor has created an Account, please notify us and we will delete the Account and the associated personal data.

11. Changes to this Policy

We may update this Privacy Policy over time. Material changes will be notified by email and by a notice on the Service at least 30 days before they take effect.

12. Contact

• General email: jay@guitarscientist.com
• PEC (legal/formal): impactsrl24@pec.it
• Postal address: IMPACT SRL, Via G.E. di Velo n. 95, 36100 Vicenza (VI), Italy