1. Data Controller
GRAM di Macis Raffaele, located at Via Fontana Nuova n° 7A, IT-09033, Decimomannu CA,e-mail: r.macis@gram.it
PEC: gram@mypec.eu
as Data Controller, informs the users of the Craft-World service about the processing of their personal data.
2. Types of data collected
• Registration data: e-mail address, username (real or fictitious), password (stored in encrypted form and not retrievable).• Unique identifier (UUID): automatically associated with the account.
• Usage data: in-world activities (e.g., time spent, objects created, messages sent and received, group membership).
• Technical connection data: IP address, approximate country location, and type of viewer used (retained for 30 days).
3. Purpose and legal basis of processing
The data are processed to:• Provide access to and use of the virtual world (legal basis: performance of a contract – art. 6.1.b GDPR);
• Manage technical support and credential recovery (legal basis: performance of a contract – art. 6.1.b GDPR);
• Send communications about events or initiatives (only with prior consent – art. 6.1.a GDPR);
• Ensure the security and technical management of the service (legal basis: legitimate interest – art. 6.1.f GDPR).
No profiling of users is carried out.
4. Processing methods and storage
The data are processed using IT tools on servers within the European Union and are stored:• for the entire duration of the account and deleted upon request of the data subject;
• for a maximum of 30 days, limited to connection data (IP, viewer, location).
5. Use of Hypergrid and transfer to third parties
When the user accesses external virtual worlds via Hypergrid technology, the servers of such worlds may detect and store personal information such as:• Avatar name and Craft-World account UUID
• IP address and other technical connection data
Upon first access to an external world, the user may be required to accept that world’s policy; in this case, the account UUID, associated with the avatar name, may be stored for future accesses. The user must be aware that data processed by external servers are not managed by Craft-World and are subject to the privacy policy of such third parties.
6. Rights of the data subject
The user may exercise the rights of access, rectification, deletion, restriction, or objection to the processing of their data as provided by Articles 15 and following of the GDPR, except for data retained for legal or accounting obligations. These rights may be exercised by writing to:• e-mail: r.macis@gram.it
• PEC: gram@mypec.eu
7. Consequences of account deletion
Deleting the account will result in the deletion of e-mail, password, avatar name, and UUID. It will no longer be possible to associate created objects with the creator's identity, making it impossible to guarantee copyright.8. Processing of data for billing and paid orders
Purpose of processing:Personal data collected when ordering a paid service for Craft-World are processed to:
• Issue the invoice
• Manage the payment
• Handle any complaints and technical support
Legal basis:
Art. 6, lett. b) and c) GDPR (performance of a contract and legal obligations).
Data processed:
First name, last name, address, e-mail, tax code, payment method, and other data necessary for invoicing.
Storage:
Accounting obligations require data to be kept for 5 years from the date of the last invoice.
Access and disclosure:
Data are processed exclusively by the controller and their collaborators; they will not be disclosed to third parties except as required by law.
Rights of the data subject:
Access, rectification, deletion, restriction of processing, objection, and data portability pursuant to Articles 15-22 GDPR, except for data subject to accounting obligations, which cannot be deleted before the end of the retention period.