Privacy policy - OpenGate WEBAPP

Last update: 31.07.2025

This Privacy Policy is issued by Metagate S.r.l., with operational headquarters at Street Gallarate 112 - 20151 Milan and registered office at Street Joshua Carducci 32 - 20123 Milan, in its capacity as Data Controller under EU Regulation 2016/679 (General Data Protection Regulation, or “GDPR”) and, where applicable, the California Consumer Privacy Act (“CCPA”).


1. Scope

This policy applies to all data processing performed through:

The Metagate WebApp at https://app.themetagate.it

Applications on Meta Quest, including:

Experiences and games connected through the WebApp can be distributed across:

  1. Meta
  2. Over the Reality
  3. Spatial
  4. Decentraland
  5. The Sandbox

🧩 Important: The WebApp functions as a central connector and data management hub for all the above experiences. It allows users to authenticate, upload content, link their wallet, create avatars, generate AI assistants, and transport digital assets and personal configurations seamlessly across platforms.


2. Types of Data Collected

a) Registration and Access

  • Email address
  • OAuth login credentials (Google, Facebook, Discord)
  • Age confirmation (mandatory checkbox for users aged 18+)
  • Marketing consent (required for platform use + optional for promotional content)

b) Wallet & Blockchain

  • Connection of public wallet addresses only (e.g., MetaMask, WalletConnect)
  • No private key access, no login via wallet, no smart contracts enabled
  • Used exclusively to retrieve and display/tokengate owned NFTs across experiences

c) User-Generated Content

  • Files: .png, .jpg, .glb, .fbx, .pdf, .mp3, .mp4 (saved on Supabase service)
  • Avatar models and metadata via Ready Player Me
  • Assistant settings and conversation data via OpenAI GPT (Assistant ID, memory status, threads)

d) Experience Tracking (Mixed Reality)

  • Interaction times, object placement, spatial activity logs
  • Data is anonymous and aggregated
  • No biometric data is collected

3. Purpose of Processing

Your personal data is used for:

  • Creating and managing a unique cross-platform profile
  • Uploading and rendering digital assets in real and virtual environments
  • Creating custom avatars and AI assistants
  • Tracking and improving user experience anonymously
  • Sending promotional communications (only with explicit consent)
  • Displaying relevant NFTs owned and chosen by the user in multiple metaverse platforms
  • Enabling future monetization models for anonymous usage data only

4. Lawful Basis

Processing is carried out in compliance with:

  • Your consent (Art. 6.1.a GDPR)
  • Contractual necessity (Art. 6.1.b GDPR)
  • Legal obligation (Art. 6.1.c GDPR)
  • Legitimate interest, carefully balanced against your rights (Art. 6.1.f GDPR)

Under the CCPA, users may request access, deletion, and correction of their Personal Information.


5. Data Retention

  • WebApp user data is retained for up to 24 months of inactivity
  • Data from connected games and experiences is retained for up to 24 months
  • Upon account deletion, all personal data is removed. Anonymous tracking data may be retained for analytical purposes

6. Data Security and Management

We employ strong security measures:

  • Encrypted Supabase database (in-transit and at-rest)
  • Secure OAuth login only (no password storage)
  • User-specific Row Level Security (RLS) on all tables
  • PDF and file storage access limited to owner
  • Regular encrypted backups
  • Incident response plan with 72-hour user and authority notification

7. Data Sharing and Transfers

We do not sell or share personal data for commercial purposes.

Data may be shared with:

  • Supabase (cloud database and storage)
  • OpenAI (for AI assistant generation)
  • Ready Player Me (via embedded iframe for avatar creation)
  • Stripe (only for future subscription payments)
  • Meta / Discord / Google only during login via OAuth

Data transfers outside the EEA are protected by Standard Contractual Clauses (SCC) or equivalent safeguards.


8. Cookies

The WebApp uses cookies as follows:

| Type | Purpose | Mandatory |
|---|---|---|
| Session Cookies | Maintain login and navigation state | Yes |
| Consent Cookies | Store user consent preferences | Yes |
| Analytics Cookies | Track session duration, click interactions (aggregated & anonymous) | Optional (disabled by default) |

Users can review and manage cookies via the cookie banner and settings on first access.


9. User Rights

Under GDPR and CCPA, users can:

  • Request access to their personal data
  • Rectify or delete their data (AI avatar knowledge can also be deleted)
  • Revoke consent at any time
  • Limit or oppose certain types of processing
  • Request data portability (in readable formats)
  • Lodge complaints with a supervisory authority

➡️ Requests should be sent to: dpo@themetagate.it


10. Age Requirement

The Metagate WebApp and connected experiences are intended only for users aged 18 and above.
During registration, users must explicitly confirm their age.


11. Minors and Parents

We do not knowingly collect data from children under 18.
If you are a parent or guardian and believe your child has used our service, contact us at dpo@themetagate.it to request data removal.


12. Sale of Personal Information

Under the California CCPA, Metagate declares:

  • Categories of Personal Information Sold: None
  • Monetization only applies to anonymized tracking data within MR experiences

13. Use of Third-Party AI Services (Large Language Models)

The Metagate app integrates a conversational assistant powered by a third-party Large Language Model (LLM) provider (for example, OpenAI) to process and generate responses during certain interactions in the app.

  • Data Shared: Only the text or voice input provided by the user during the assistant interaction is sent to the LLM service. No personal identifiers or sensitive data are shared unless voluntarily included by the user in the request.
  • Purpose: Data is transmitted solely to provide real-time responses, improve user experience, and deliver the requested functionality within the app.
  • Data Handling:
    • Data is sent via secure, encrypted channels (HTTPS).
    • The LLM provider is contractually prohibited from using, reselling, or training on Metagate user data beyond what is necessary to deliver the requested response.
    • Metagate does not perform any long-term storage or profiling using LLM data beyond session processing.
  • User Control: Users can request deletion of any associated interaction data by contacting the DPO at dpo@themetagate.it.
  • Policy Compliance: All data sharing with the LLM provider adheres to Section 6.2 of the Developer Data Use Policy, ensuring data is used strictly for app functionality and not for advertising, resale, or unrelated purposes.

14. Data Protection Officer (DPO)

The DPO ensures regulatory compliance and acts as the contact for privacy-related matters.
📧 Email: dpo@themetagate.it


15. Changes and Updates

We may update this Privacy Policy periodically.
Users will be informed through: