Privacy policy - OpenGate WEBAPP

Informativa sulla Privacy - OpenGate WEBAPP

Last update: 21.05.2025

This Privacy Policy is issued by Metagate S.r.l., with operational headquarters at Via Gallarate 112 - 20151 Milan and registered office at Via Giosuè Carducci 32 - 20123 Milan, in its capacity as Data Controller under EU Regulation 2016/679 (General Data Protection Regulation, or “GDPR”) and, where applicable, the California Consumer Privacy Act (“CCPA”).

1. Scope

This policy applies to all data processing performed through:

The Metagate WebApp at https://app.themetagate.it

Applications on Meta Quest, including:

Experiences and games connected through the WebApp can be distributed across:

  1. Meta
  2. Over the Reality
  3. Spatial
  4. Decentraland
  5. The Sandbox

🧩 Important: The WebApp functions as a central connector and data management hub for all the above experiences. It allows users to authenticate, upload content, link their wallet, create avatars, generate AI assistants, and transport digital assets and personal configurations seamlessly across platforms.

2. Types of Data Collected

a) Registration and Access

  • Email address
  • OAuth login credentials (Google, Facebook, Discord)
  • Age confirmation (mandatory checkbox for users aged 18+)
  • Marketing consent (required for platform use + optional for promotional content)

b) Wallet & Blockchain

  • Only public wallet addresses connection (e.g., MetaMask, WalletConnect)
  • No private key access, no login via wallet, no smartcontracts enabled
  • Used exclusively to retrieve and display/tokengate owned NFTs across experiences

c) User-Generated Content

  • Files: .png, .jpg, .glb, .fbx, .pdf, .mp3, .mp4 (saved on Supabase service)
  • Avatar models and metadata via Ready Player Me
  • Assistant settings and conversation data via OpenAI GPT (Assistant ID, memory status, threads)

d) Experience Tracking (Mixed Reality)

  • Interaction times, object placement, spatial activity logs
  • Data is anonymous and aggregated
  • No biometric data is collected

3. Purpose of Processing

Your personal data is used for:

  • Creating and managing a unique cross-platform profile
  • Uploading and rendering digital assets in real and virtual environments
  • Creating custom avatars and AI assistants
  • Tracking and improving user experience anonymously
  • Sending promotional communications (only with explicit consent)
  • Displaying relevant NFTs owned and chosen by the user in multiple metaverse platforms
  • Enabling future monetization models for anonymous usage data only

4. Lawful Basis

Processing is carried out in compliance with:

  • Your consent (Art. 6.1.a GDPR)
  • Contractual necessity (Art. 6.1.b GDPR)
  • Legal obligation (Art. 6.1.c GDPR)
  • Legitimate interest, carefully balanced against your rights (Art. 6.1.f GDPR)

Under the CCPA, users may request access, deletion, and correction of their Personal Information.

5. Data Retention

  • WebApp user data is retained for up to 24 months of inactivity
  • Data from connected games and experiences is retained for up to 24 months
  • Upon account deletion, all personal data is removed. Anonymous tracking data may be retained for analytical purposes

6. Data Security and Management

We employ strong security measures:

  • Encrypted Supabase database (in-transit and at-rest)
  • Secure OAuth login only (no password storage)
  • User-specific Row Level Security (RLS) on all tables
  • PDF and file storage access limited to owner
  • Regular encrypted backups
  • Incident response plan with 72-hour user and authority notification

7. Data Sharing and Transfers

We do not sell or share personal data for commercial purposes.

Data may be shared with:

  • Supabase (cloud database and storage)
  • OpenAI (for AI assistant generation)
  • Ready Player Me (via embedded iframe for avatar creation)
  • Stripe (only for future subscription payments)
  • Meta / Discord / Google only during login via OAuth

Data transfers outside the EEA are protected by Standard Contractual Clauses (SCC) or equivalent safeguards.

8. Cookies

The WebApp uses cookies as follows:

Type Purpose Mandatory
Session Cookies Maintain login and navigation state Yes
Consent Cookies Store user consent preferences Yes
Analytics Cookies Track session duration, click interactions (aggregated & anonymous) Optional (disabled by default)

Users can review and manage cookies via the cookie banner and settings on first access.

9. User Rights

Under GDPR and CCPA, users can:

  • Request access to their personal data
  • Rectify or delete their data (also AI avatar knowledge deletable)
  • Revoke consent at any time
  • Limit or oppose certain types of processing
  • Request data portability (in readable formats)
  • Lodge complaints with a supervisory authority

➡️ Requests should be sent to: dpo@themetagate.it

10. Age Requirement

The Metagate WebApp and connected experiences are intended only for users aged 18 and above.
During registration, users must explicitly confirm their age.

11. Minors and Parents

We do not knowingly collect data from children under 18.
If you are a parent or guardian and believe your child has used our service, contact us at dpo@themetagate.it to request data removal.

12. Sale of Personal Information

Under the California CCPA, Metagate declares:

  • Categories of Personal Information Sold: None
  • Monetization only applies to anonymized tracking data within MR experiences

13. Data Protection Officer (DPO)

Marco Pizzini is designated as Metagate’s Data Protection Officer.
He ensures regulatory compliance and acts as contact for privacy-related matters.
📧 Email: dpo@themetagate.it

14. Changes and Updates

We may update this Privacy Policy periodically.
Users will be informed through: