This Privacy Policy describes how Homelabz - Crafting Digital ("we", "us", or "our") collects, uses, and protects your personal data when you visit and interact with this website, in accordance with the EU General Data Protection Regulation (GDPR - Regulation 2016/679) and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
1. Data Controller
The Data Controller responsible for your personal data is:
You may contact the Data Controller at any time using the details above for any questions regarding the processing of your personal data.
2. Types of Data Collected
We collect personal data in the following contexts:
2.1 Comments
When you submit a comment on a blog post, we collect:
Display name
Email address
Comment text
IP address (for anti-abuse purposes)
Comments are subject to moderation before publication. Your email address is never displayed publicly.
2.2 Restaurant Bookings
When you make a restaurant booking, we collect:
Full name
Email address
Phone number
Date, time, and party size
Optional notes
2.3 Reviews
When you submit a review, we collect:
Author name
Email address
Rating (1-5)
Review text
Reviews are subject to moderation before publication.
2.4 Newsletter
When you subscribe to our newsletter, we collect:
Email address
We use a double opt-in process: you must confirm your subscription by clicking a link sent to your email address. You can unsubscribe at any time using the link provided in every newsletter email.
2.5 Reactions
When you react to a blog post (like, insightful, celebrate), we store:
An anonymized hash of your IP address
The reaction type
This data is used solely to prevent duplicate reactions and cannot be used to identify you personally.
2.6 Authentication (Admin Users)
If you are an administrative user, we store your login credentials (email and password hash) and session data. Optional OAuth login via GitHub or Google may be enabled, in which case we receive your name, email, and profile image from the OAuth provider.
3. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 of the GDPR:
Performance of a contract (Art. 6(1)(b)): processing restaurant bookings you have requested
Legitimate interest (Art. 6(1)(f)): anti-abuse measures (IP hashing for reactions, IP logging for comments), website security, and cookieless analytics (Matomo Analytics in cookieless mode — no personal data collected, no cookies set)
You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
4. Cookies and Local Storage
This website uses only the following cookie:
authjs.session-token: A technical session cookie required for authenticated (admin) users to log in and manage the site. This is a strictly necessary cookie and does not require consent under the ePrivacy Directive.
We also use localStorage (browser-side storage, not cookies) for:
cookie_consent: Remembers whether you have acknowledged the cookie banner
maps_consent: Remembers whether you have consented to loading Google Maps embeds
We use Matomo Analytics in cookieless mode for anonymous, aggregate website statistics. Matomo is configured without cookies, does not collect personal data, and does not track users across websites. No profiling, advertising, or tracking cookies are used. For more details, please see our Cookie Policy.
5. Third-Party Services
We use the following third-party services that may process your data:
5.1 Cloudflare
This website is served through Cloudflare, which acts as a reverse proxy and CDN. Cloudflare may process technical data such as your IP address, browser user agent, and request metadata to provide its services (DDoS protection, performance optimization). Cloudflare processes this data as a data processor on our behalf. For details, see Cloudflare's Privacy Policy (https://www.cloudflare.com/privacypolicy/).
5.2 Matomo Analytics (Hosted on PikaPods)
We use Matomo Analytics, a privacy-focused open-source web analytics platform, hosted on PikaPods (EU region). Matomo is configured in cookieless mode, does not collect personal data (no IP addresses stored, no browser fingerprinting), and does not track users across websites or sessions. All data is aggregated and anonymous. No data is shared with third parties. Analytics requests are proxied through our own domain for reliability. For details, see Matomo's Privacy Policy (https://matomo.org/privacy-policy/).
5.3 Google Maps (Optional)
Our restaurant information page may include an embedded Google Maps widget. This embed is loaded only after you provide explicit consent. When loaded, Google may collect data including your IP address and usage data. See Google's Privacy Policy (https://policies.google.com/privacy).
5.4 YouTube (No-Cookie Embeds)
Blog posts may contain embedded YouTube videos. We use the privacy-enhanced mode (youtube-nocookie.com), which does not set cookies until you actively play a video. See Google's Privacy Policy (https://policies.google.com/privacy).
5.5 OAuth Providers (Optional)
If enabled, admin users may log in using GitHub or Google OAuth. During this process, the respective provider shares your name, email address, and profile image with us. We do not share any data back with these providers. See:
Google Privacy Policy: https://policies.google.com/privacy
6. Data Retention
Comments: retained as long as the related blog post is published, or until you request deletion
Bookings: retained for 12 months after the booking date, then deleted
Reviews: retained as long as the review is published, or until you request deletion
Newsletter subscriptions: retained until you unsubscribe
Reaction hashes: retained as long as the related post exists (anonymized, non-identifiable)
Admin accounts: retained as long as the account is active
Session data: automatically expires and is deleted periodically
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
HTTPS encryption for all data in transit
Password hashing using bcrypt
TOTP-based two-factor authentication for admin accounts
Rate limiting on sensitive endpoints
CSRF protection via session tokens
Content Security Policy (CSP) headers
8. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15): You may request a copy of the personal data we hold about you
Right to rectification (Art. 16): You may request correction of inaccurate personal data
Right to erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten")
Right to restriction of processing (Art. 18): You may request that we limit how we use your data
Right to data portability (Art. 20): You may request your data in a structured, machine-readable format
Right to object (Art. 21): You may object to processing based on legitimate interest
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
9. How to Exercise Your Rights
To exercise any of the above rights, please contact us at: [email protected]
We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
10. Complaints
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali):
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.