Privacy policy - OpenGate WEBAPP

Last update: 31.07.2025

In compliance with the European Regulation on the protection of personal data EU 2016/679 (GDPR), Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and where applicable the California Consumer Privacy Act (CCPA), this Privacy Policy explains how personal data are processed through the OpenGate Platform. The definitions of the terms used in this Privacy Policy correspond to those used in the OpenGate XR Platform, available at the following link. and the technical integrations for the OpenGate XR Mixed Reality app.

This Privacy Policy applies to:

  • all processing of personal data carried out through the OpenGate WebApp (https://app.themetagate.it), a browser-based platform for Creator Account management, media Asset uploads, Assistant AI configuration, and digital Content administration,
  • the native Meta Quest application for Meta Quest 3/3s headsets distributed via the Meta App Store to create and enjoy mixed reality immersive experiences, and
  • the multiplayer modes, through the use of Multiplayer Sessions created by Creators and accessible via access codes.

The WebApp serves as the central hub for connecting and managing data across all connected interaction modes, allowing Users to authenticate, upload Digital Content, choose standard Avatars, generate an Assistant AI, and carry personal Assets and configurations across different platforms.

1. DATA CONTROLLER AND DPO

The data controller is Metagate S.r.l., VAT no. 12525640962, with registered office at Via Giosuè Carducci 32 - 20123 Milano (MI) and operational headquarters at Via Gallarate 112 - 20151 Milano (MI), Italy.

Available contacts are:

The Controller has appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, who can be contacted at dpo@themetagate.it for any matter related to personal data processing, the exercise of Data Subjects’ rights, and regulatory compliance.

2. USER CATEGORIES

The OpenGate Platform distinguishes two user categories with different levels of access and functionality:

  • the Creator Users are adults (18+) who create a registered Account with email and password credentials to access the full functionality of the Platform. Creators can upload custom Assets, configure an Assistant AI with Knowledge Bases derived from documents, choose 3D Avatars, manage complete Virtual Scenes, and create multiplayer rooms with access codes for Multiplayer Sessions. Access requires a Subscription managed via Meta;
  • the Consumer Users access Multiplayer Sessions opened by Creators via a room code using only the headset’s native Meta Account, with no need to register on MetaGate systems. They can use the standard Assets provided by the Platform in freemium mode but cannot access cloud Assets or standard Avatars until they register as Creators by subscribing.

3. DATA COLLECTED

Personal data are collected to provide the services available on the OpenGate Platform. Collection takes place both directly through the completion of registration forms and automatically while using the Meta Quest Application.

3.1 Data provided directly by Creator Users. During registration, the email address is collected and used as the unique identifier for the Account and for service communications, the password is managed in encrypted form through a secure authentication system, and the date of birth is collected to confirm the user is of legal age.

User preferences are also collected, including marketing consent indicated by an optional checkbox during registration for sending promotional communications (freely changeable in the Account settings at any time), and interface preferences such as customized WebApp usage settings (language, UI configurations).

Creator Users can voluntarily upload Digital Content; formats and limits are stated in the Terms and Conditions. Files are stored on secure cloud infrastructure and dynamically loaded by the Quest Application simultaneously, without needing to keep them locally on the device.

For platform personalization, the following are collected:

  • selected 3D Avatar models,
  • Assistant AI configurations including a custom name, system instructions defined by the User, and predefined safety rules automatically applied to prevent inappropriate content,
  • Knowledge Bases derived from documents and information uploaded by the User and processed via AI services to build the Assistant’s specific knowledge base,
  • conversations represented by the text of interactions with the Assistant AI subject to automatic retention (voice conversations are first transcribed and then sent as text), and
  • conversational memory, as an optional feature disabled by default in Multiplayer Sessions and enabled only with the Creator User’s explicit consent via a dedicated checkbox in settings.

To ensure creations persist between sessions, elements related to the following are saved:

  • Virtual Scenes including the positions, rotations, and scales of objects in virtual environments,
  • custom audio settings (volumes, sound effects),
  • visual filters applied to Scenes,
  • hand-tracking and microphone configurations when expressly saved by the User,
  • Scene names and file references for real-time loading,
  • index of materials and textures selected for digital frames,
  • complete list of created objects with related metadata (index, URL, name, file type, active state, 3D properties, scale, position, rotation).

The system also allows connecting Web3 wallets (MetaMask, WalletConnect) for the sole purpose of displaying owned NFT Assets. No access is made to users’ private keys, no wallet is used for direct operations, and no smart contracts are executed. Data are used exclusively to retrieve and display NFTs owned by the User through the Platform.

You can also connect a Google or Facebook account for OAuth login; please refer to those services’ external privacy notices for their respective policies.

3.2 Data automatically collected by Meta Quest. While using the native Application for Meta Quest headsets, data are automatically collected via Meta Platforms subject to the Meta privacy policy, including:

  • Meta Account ID,
  • display name and username,
  • profile image and standard Meta Avatar,
  • age group for automatic age verification, and
  • mandatory permissions requested through Meta’s native system at first launch (microphone for voice interactions with the Assistant AI, spatial audio for three-dimensional immersive experiences, headset mapping for accurate placement of virtual objects in physical space).

These data are managed directly by Meta Platforms, and MetaGate accesses them via Meta native APIs solely for the purpose of providing the service described in this Privacy Policy.

3.3 Data processed locally on the device. Hand tracking to enable natural interactions with 2D and 3D objects is processed entirely locally on the Meta Quest device. No biometric hand data are transmitted to MetaGate servers or stored permanently.

Mapping data for the surrounding physical space are used by the headset to correctly place virtual objects but remain confined within the local Meta ecosystem without transmission to external MetaGate servers.

3.4 Multiplayer session data. During real-time Multiplayer Sessions, room data are collected including Users’ positions in the shared virtual space, real-time interactions with virtual objects (movements, rotations, activations), and the state of shared Scenes during active sessions. Changes made to the scene during a multiplayer session are temporary unless saved in the system.

3.5 Cookies and browsing data. The OpenGate WebApp uses browser storage technologies to ensure proper service operation and secure authentication of Creator Users.

Cookies are small text files that websites send to the User’s device, where they are stored to be sent back to the same sites upon the next visit. The WebApp https://app.themetagate.it does not set first-party HTTP cookies for the core operation of the service, instead using the Web Storage API (localStorage) to manage authenticated sessions. No profiling or tracking cookies are used for advertising or analytics purposes.

The Platform uses only the browser’s localStorage for authentication and session management via Supabase, storing encrypted session tokens and OAuth verification codes for a variable duration until logout or manual revocation (legal basis Art. 6.1.b GDPR - contract performance). The Supabase database is hosted on European cloud infrastructure, with no extra-EU data transfers for authentication functions.

The Platform also integrates third-party services that may install their own necessary technical cookies:

  • Supabase and its CDN providers (including Cloudflare) for security, performance, and protection against automated attacks;

  • Google Sign-In for OAuth 2.0 authentication if the User chooses this login method on the WebApp.

Any data transfers to non-EU providers take place in compliance with the safeguards provided for in Chapter V of the GDPR.

Since the WebApp uses only strictly necessary technical storage for service operation without analytics or marketing cookies, prior consent is not required under Art. 122 paragraph 1 of the Italian Privacy Code. Users are informed via a banner displayed at first access. Manually clearing localStorage via browser settings will result in automatic logout and the need to re-authenticate.

3.6 Browsing data and analytics. In addition to personal data provided directly by Users, when connecting to the WebApp the IT systems automatically acquire via the web browser further information whose transmission is implicit in the use of Internet communication protocols. This information includes IP address, type and version of the browser used, device operating system, device parameters (screen resolution, language set), date and time of page visits, pages visited and navigation paths, and the referring page.

Fully anonymized analytics data are also collected by both the WebApp and the Quest Application, containing aggregate metrics on session time, Asset usage by type, and User interface performance, without any identifying references to Users.

To ensure Platform security and enable prompt detection of unauthorized access attempts or malicious activity, technical logs are recorded regarding authentication events (successful logins and failed attempts), system errors and application malfunctions, administrative access to the backend, and critical operations on data. These logs may include IP addresses, timestamps, User identifiers, and actions taken. Retention is limited to what is necessary for security and debugging purposes.

3.7 Data NOT collected. MetaGate does not collect biometric data such as fingerprints, facial recognition, iris scans, or voiceprints for identification. Hand tracking is processed locally on the device without server transmission.

The Platform is not designed to intentionally collect data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, data concerning health or sex life. Users are asked not to voluntarily enter such information.

OpenGate is intended exclusively for adult Users; therefore, data of persons under 18 are not knowingly collected. If a parent or guardian believes that a minor has used the service, they can contact dpo@themetagate.it to request data removal.

4. PURPOSES OF PROCESSING, LEGAL BASES, AND RETENTION

Data are processed for the purposes, legal bases, and retention periods indicated below and are handled according to the principles of fairness, lawfulness, transparency, minimization, and protection of confidentiality and Data Subjects’ rights in accordance with the GDPR.


PURPOSE: Service provision - Provision of the OpenGate Platform in freemium and premium modes, including Account management, authentication, storage and use of uploaded Assets, persistence of Virtual Scenes, distribution of the Meta Quest Application, and bidirectional WebApp–headset synchronization.
LEGAL BASIS: Contract performance (Art. 6.1.b GDPR) - Processing is necessary to provide the services requested by the User.
RETENTION: 36 months from the User’s last activity for main database data (profile, Assets, AI configurations). 24 months of inactivity for Virtual Scene data saved on Unity Cloud Save. Early deletion available independently via Account settings.

PURPOSE: Basic personalization - Assistant AI configuration with Knowledge Base from documents, personalized system instructions, choice of 3D Avatars (up to 6), personalization of Virtual Scenes according to User preferences.
LEGAL BASIS: Contract performance (Art. 6.1.b GDPR) - Functionality is an integral part of the contracted service.
RETENTION: 36 months from last activity. 24 months for Scene data. Instant Avatar reset available at any time.

PURPOSE: Advanced personalization (AI Memory) - Enabling persistent Assistant AI memory for ongoing cross-session conversations with retention of prior context.
LEGAL BASIS: Explicit User consent (Art. 6.1.a GDPR) - Optional feature disabled by default in multiplayer, enabled only with a dedicated flag.
RETENTION: 60 days from thread inactivity (automatic deletion by the AI provider). Memory deactivation and instant reset available at any time via settings.

PURPOSE: Social and multiplayer features - Real-time synchronized Multiplayer Sessions enabling simultaneous collaboration by multiple Users in the same virtual spaces, sharing creations, and interactions via standard Avatars.
LEGAL BASIS: Contract performance (Art. 6.1.b GDPR) - Functionality is an integral part of the requested service.
RETENTION: Immediate automatic deletion at the end of the session for multiplayer runtime data. No permanent retention.

PURPOSE: Voice interactions - Enabling voice interactions with the Assistant AI via speech-to-text transcription and text-to-speech synthesis for audio responses, immersive spatial audio functionality in the virtual environment.
LEGAL BASIS: Consent (Art. 6.1.a GDPR) - Mandatory permissions requested via Meta’s native system to access the Application. Without these permissions the app is not accessible.
RETENTION: Transit without permanent retention by the transcription service. Resulting textual conversations are subject to standard retention (60 days of thread inactivity).

PURPOSE: Service improvement - Optimization of technical performance, Platform stability, and user experience through the collection and analysis of fully anonymized analytics data.
LEGAL BASIS: Legitimate interest of the Controller (Art. 6.1.f GDPR) - Interest balanced against User rights. Data are fully anonymous and aggregated.
RETENTION: No specific time limit (re-identification impossible). Data are stored in anonymous aggregate form.

PURPOSE: System security and protection - Protecting Platform integrity, preventing abuse and malicious activity, safeguarding User data through logging of critical events, monitoring of administrative access, anomaly detection.
LEGAL BASIS: Legitimate interest of the Controller (Art. 6.1.f GDPR) - Necessary for the security of the service and Users.
RETENTION: 12–24 months for technical logs as required by security needs and best practices. Retention may be extended in case of security incident investigations.

PURPOSE: Marketing and promotional communications - Sending marketing communications about new features, Platform updates, special offers, events, and MetaGate service news via email.
LEGAL BASIS: Consent (Art. 6.1.a GDPR) - Optional checkbox during registration, freely changeable in Account settings. Revocation possible at any time via the unsubscribe link in emails.
RETENTION: Until the Data Subject withdraws consent or, in any case, in the event of an extended period of profile inactivity.

PURPOSE: Legal obligations - Fulfilling obligations under laws, regulations, EU rules, and tax and accounting obligations to which the Controller is subject.
LEGAL BASIS: Compliance with a legal obligation (Art. 6.1.c GDPR).
RETENTION: According to the terms set by the specific applicable regulations, typically 10 years for tax and accounting obligations.


If the Data Subject refuses to provide consent for personal data processing for marketing purposes, the only consequence will be the Controller’s inability to send promotional communications; access to the Platform’s core services will not be affected.

5. DATA SECURITY

To ensure the integrity and security of Users’ personal data, Metagate adopts strict technical and organizational measures in accordance with Art. 32 GDPR, appropriate to the assessed level of risk.

The Controller implements technical security measures including advanced encryption for all communications between the WebApp, the Meta Quest Application, and backend cloud services, ensuring encryption of data in transit and at rest.

Continuous security monitoring is carried out through critical event logging, automatic alerting for real-time detection of unauthorized access attempts and anomalies, service status monitoring dashboards, and detection systems integrated into cloud services. Uploaded Content is protected through automatic scanning systems, runtime storage and loading as rendering (no direct execution), and isolation of User sessions.

Data hosting and storage are provided by enterprise-grade vendors selected for their security guarantees certified by international standards (ISO 27001, SOC 2 Type II, equivalent certifications). All vendors are contractually bound by Data Processing Agreements (DPAs) under Art. 28 GDPR defining instructions, security guarantees, operating procedures, and incident notification obligations.

For security reasons, the specific technical details of the measures implemented (cryptographic protocols, security configurations, network architectures, detailed operating procedures) are available upon written request to dpo@themetagate.it for Users who need specific insights for compliance assessments or security audits.

In the event of a personal data breach that poses a risk to the rights and freedoms of Data Subjects, MetaGate will notify the competent Supervisory Authority (Italian Data Protection Authority) within 72 hours of discovering the breach in accordance with Art. 33 GDPR, will communicate to affected Data Subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR), will document all security incidents in the breach register maintained under the GDPR, and will conduct internal investigations to determine causes, impacts, and necessary corrective actions.

6. DATA RETENTION

Processed data will be stored for no longer than necessary to achieve the purposes for which they were collected (“storage limitation principle” under Art. 5.1.e GDPR), according to the periods indicated in the purposes table.

The main retention periods include:

  • Account and Asset data: 36 months from the User’s last activity;

  • Virtual Scene data (Unity Cloud Save): 24 months of inactivity;

  • AI conversations: 60 days from thread inactivity (automatic deletion);

  • multiplayer data: immediate automatic deletion at the end of the session;

  • standard Avatars: full User control with instant reset available;

  • anonymous analytics: no limit (re-identification impossible);

  • security technical logs: 12–24 months according to operational needs.

However, Data may be processed for a period longer than that indicated in the table if an act interrupting or suspending the limitation period occurs which justifies extending the data retention, or if the Data are used to establish, exercise, or defend a right of the Controller in court.

Checks on the obsolescence of stored data are performed periodically through automated processes and manual reviews. At the end of the retention period, personal data will be permanently and irreversibly deleted, or fully anonymized using irreversible anonymization techniques.

Creator Users can request early deletion of their data at any time via features available in the WebApp Account settings (“Delete Account” button available in the My Data section). For specific requests, Users can contact dpo@themetagate.it.

7. CATEGORIES OF RECIPIENTS WHO MAY RECEIVE THE DATA

Data may be communicated for the purposes described above to the following categories of recipients.

  • Employees and collaborators of MetaGate S.r.l., as persons authorized to process data under Art. 29 GDPR, act on the basis of specific instructions received regarding the purposes and methods of data processing. Authorized personnel include the technical team for Platform development and maintenance, administrative staff for Subscription management and User support, and customer care staff for email assistance. All authorized persons are bound by confidentiality obligations and have access only to the data strictly necessary to perform their duties (the “need to know” principle).
  • MetaGate uses third-party companies that provide essential outsourced services. These vendors process personal data as Processors under Art. 28 GDPR and operate solely on the basis of the Controller’s documented instructions. The main categories of services provided by these Processors include cloud services for databases and storage, conversational artificial intelligence, persistence of Virtual Scenes, multiplayer networking, integration with Meta Quest headsets, speech transcription and synthesis, aggregated analytics, and Subscription management. The same security guarantees as those provided by the Controller are imposed on the Processors through Data Processing Agreements (DPAs) that define specific instructions, technical and organizational security measures, incident notification obligations, audit procedures, and clauses for extra-EU transfers.

The full, up-to-date list of Processors, including company names, server locations, specific security guarantees, details on Data Processing Agreements, and any sub-processors used, is available upon written request to dpo@themetagate.it for Users who need this information for compliance assessments or internal audits.

  • Data may be communicated to supervisory bodies, judicial authorities, law enforcement, the Data Protection Authority, and tax and revenue authorities in cases provided for by applicable law or upon a legitimate request to fulfill legal obligations or to investigate criminal offenses.
  • Any third parties expressly indicated to the User at the time specific consent is collected for data sharing (not currently envisaged) may receive Data.

MetaGate does not sell, transfer, rent, or trade Users’ personal data to third parties for commercial, advertising, or direct marketing purposes. Under the California CCPA, MetaGate declares that no category of Personal Information is sold.

8. TRANSFER OF PERSONAL DATA OUTSIDE THE EU

Data are processed primarily on servers located within the European Union. However, some of the cloud services used by the Platform may involve transfers of personal data to third countries outside the European Economic Area, in particular to the United States of America (some AI providers, cloud infrastructure services, technology platforms) and other third countries (vendors with globally distributed infrastructures may involve transfers to non-EU regions depending on technical configurations).

For all extra-EU transfers, the Controller ensures appropriate safeguards to guarantee full protection of personal data in accordance with Chapter V of the GDPR, through Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914 imposing GDPR-equivalent protection obligations on extra-EU vendors, the EU–US Data Privacy Framework (DPF) for transfers to US providers certified under the framework that provides a level of protection recognized as adequate by the European Commission, and Adequacy Decisions for transfers to countries recognized by the European Commission as providing an adequate level of protection.

A detailed list of the countries to which transfers occur, the specific safeguards for each provider, and the relevant contractual documentation is available on request at dpo@themetagate.it.

9. USE OF ARTIFICIAL INTELLIGENCE SERVICES

The OpenGate Platform integrates conversational Assistants based on large language models (LLMs) to offer fully customizable AI experiences to Users. The artificial intelligence services are provided by specialized companies acting as Processors under Art. 28 GDPR on behalf of MetaGate.

When Creator Users actively use AI features, only textual inputs typed during conversations, transcriptions of voice inputs, documents uploaded to create custom Knowledge Bases, instructions to determine the Assistant’s behavior, and automatically applied safety rules are transmitted to the specialized providers. MetaGate does not transmit personal identifiers such as first name, last name, email, or IP address, unless the User voluntarily includes them in the conversation text.

Data are processed exclusively to provide real-time conversational responses, query the custom Knowledge Base, maintain consistency during the session, and enable cross-session memory if explicitly activated by the User.

All data are transmitted via encrypted connections, and AI providers are contractually bound not to use data to train or improve their own models, nor to resell or share them. Conversations are automatically deleted after 60 days of inactivity, and MetaGate implements manual deletion procedures upon request.

Users retain full control by being able to enable conversational memory (disabled by default), completely delete history at any time, or fully disable AI features. Each Assistant AI automatically includes non-editable safety rules designed to prevent behavior manipulation, block inappropriate content, and maintain consistency with the original instructions.

Pursuant to the AI Act (Regulation EU 2024/1689), MetaGate acts as a deployer using AI systems developed by third parties without substantial modifications, complying with obligations on transparency, staff training, and proper use. Users are informed of the use of AI technologies through this Privacy Policy, feature descriptions in the WebApp during configuration, and labels visible in the conversational interface.

10. DATA SUBJECT RIGHTS

Under Arts. 15 et seq. of the GDPR and, where applicable, the CCPA, Users have the following rights:

  • Data Subjects may obtain from the Controller confirmation as to whether or not processing of personal data concerning them is taking place and, where that is the case, access to the personal data and related information. Creator Users can view all their data in real time via the User dashboard accessible from the OpenGate WebApp (the “My Data” section). To request a complete, exportable copy of the processed data, send a request to dpo@themetagate.it.
  • Data Subjects may obtain from the Controller the rectification of inaccurate personal data and the completion of incomplete personal data. Users can directly edit all profile information via the WebApp Account settings. For corrections requiring technical assistance, contact dpo@themetagate.it.
  • Data Subjects may obtain from the Controller the erasure of data when the conditions set out in Art. 17 GDPR are met. Users can proceed with self-service deletion using the Account settings (the “Delete Account” button in the My Data section) to delete individual Assets, configurations, or the entire Creator Account, or contact dpo@themetagate.it for assistance. Deletion may not be possible if retention is necessary to comply with legal obligations or to establish, exercise, or defend a right in court.
  • Data Subjects may obtain from the Controller restriction of processing in the cases provided for in Art. 18 GDPR. Users can granularly disable specific Platform features through advanced Account settings. For formal restriction requests, contact dpo@themetagate.it.
  • Data Subjects may object at any time to the processing of their personal data based on the Controller’s legitimate interest. For marketing, consent can be withdrawn via the “unsubscribe” link in emails or via the WebApp Account settings (checkbox “I consent to receive marketing communications”). For other processing, send a reasoned request to dpo@themetagate.it.
  • Data Subjects may receive in a structured, commonly used and machine-readable format the personal data provided to the Controller, and may transmit those data to another controller. Request a data export by emailing dpo@themetagate.it. Metagate will provide a complete, portable package within 30 days of the request.

Data Subjects may withdraw at any time consents given for processing based on Art. 6.1.a GDPR through the following channels:

  • marketing: unsubscribe link in emails or WebApp Account settings;
  • AI memory: disable via the dedicated flag in the Assistant’s settings;
  • device permissions: managed via Meta Quest system settings;
  • wallet: disconnect via the “Cancel” buttons in the Wallet Connected section.

Data Subjects may also lodge a complaint with the Data Protection Authority if they believe processing is in violation of the GDPR, by contacting the Italian Supervisory Authority.

Users residing in California have additional rights under the California Consumer Privacy Act:

  • Right to Know: to know which categories of personal information are collected, sources, and purposes;
  • Right to Delete: to request deletion of personal information;
  • Right to Correct: to request correction of inaccurate personal information;
  • Right to Opt-Out of Sale: Metagate does not sell personal information;
  • Right to Non-Discrimination: not to be discriminated against for exercising CCPA rights.

For all rights requests, Users can email dpo@themetagate.it or send a communication by post to MetaGate S.r.l., Via Gallarate 112 - 20151 Milano (MI), Italy.

11. CHANGES TO THIS NOTICE

Metagate reserves the right to modify or update this Privacy Policy at any time to reflect regulatory developments, technical changes to the Platform, or changes in the services offered.

Continued use of the service after the publication of changes implies acceptance of the new version of the Privacy Policy.

This Privacy Policy is available in Italian and English.
In the event of discrepancies, interpretative differences, or conflicts between the two versions, the Italian version shall prevail.