Privacy Policy

Resinaro currently operates as a small UK-based service run by an individual. For the purposes of UK data protection law, Resinaro is the data controller for personal data collected via the site, forms, WhatsApp and email.

• Controller: Resinaro, based in the United Kingdom.
• Contact for privacy matters: resinaro@proton.me

This policy covers personal data processed when you:

• browse our website and read our content;
• submit forms for support (e.g. passport or consular appointment help, AIRE and bureaucracy support, general enquiries, volunteer interest);
• contact us via email or WhatsApp Business;
• appear in our city guides and business listings.

It does not cover third-party websites or services (for example Google Maps, government booking portals or social networks) that we link to. Those have their own privacy policies.

“Personal data” means information about an identified or identifiable person. “Processing” means any operation on personal data (collecting, storing, using, sharing, deleting). “UK GDPR” refers to the UK General Data Protection Regulation and the Data Protection Act 2018.

• Basic contact details: name, email address and, if you provide it, phone number or WhatsApp contact.
• Service information for consular / bureaucracy help: details needed to handle your request such as date of birth, current UK address, proof-of-address details, height, eye colour, information on whether you are already registered with AIRE and copies or photos of official documents (for example an expired Italian passport or ID card). We ask you to share only what is necessary.
• Volunteer / community information: information about your interests, skills and availability if you submit a volunteer form.
• Directory information: public-facing information about local businesses and places (e.g. name, category, address, opening hours, links to Google Maps and websites).
• Payment information: payments are processed by Stripe. We receive payment confirmations and basic billing information (name, email, amount, time, last 4 digits of card where applicable) but we do not store full card numbers on our own systems.
• Communications content: messages you send us by email or WhatsApp Business and our replies.
• Technical data: device type, IP address, browser-type information and pages viewed, captured via hosting logs and Vercel Analytics. This is used in aggregate to keep the site running and improve content.

We do not intentionally collect or request information about your health, religion, political opinions, trade union membership, criminal record or similar special categories. We ask you not to include such information in documents or messages unless it is strictly necessary for the service you are asking us to perform.

In practice, copies of official identity documents may incidentally contain sensitive details (for example if an ID reveals religious or biometric information). Where this happens, we process such information only to the minimum extent needed to deliver the service you requested and apply additional safeguards described in this policy.

• Directly from you via our website forms (which send data to Google Sheets through a Google Apps Script) and via email or WhatsApp Business.
• From your device through cookies and analytics (see section 9), mainly via our hosting provider Vercel and its analytics.
• From publicly available sources (for example business websites, Google Maps entries or official registers) when we build or update city guides and business listings.

• Providing services: to process your request (for example preparing information needed for consular appointments, AIRE-related support or other bureaucracy assistance), respond to your messages and deliver the services you have purchased.
• Operating the site and directories: to publish and maintain city guides, directory listings and other informational content.
• Communications: to send you service-related messages and, where you have opted in, low-volume updates or newsletter-style content that you can unsubscribe from at any time.
• Payments and accounting: to handle Stripe payments and keep the records we need for accounting and tax.
• Safety and abuse prevention: to monitor basic logs, detect misuse or attempted fraud and protect the security of our systems and users.
• Legal compliance and defence: to comply with legal obligations, respond to lawful requests, and establish or defend legal claims if necessary.

• Contract (Article 6(1)(b) UK GDPR): most of our processing of your service data (for example to help you with a passport-related request or to answer a question you send us) is necessary to perform a contract or to take steps at your request before entering into a contract.
• Consent (Article 6(1)(a)): we rely on your consent for optional communications (for example newsletter-style updates), for any non-essential cookies and when you voluntarily choose to send us information that may include special-category data. You can withdraw consent at any time.
• Legitimate interests (Article 6(1)(f)): we rely on legitimate interests to operate a secure and useful website, publish city guides and business listings, keep basic analytics and logs, and defend our rights. When we do this, we balance our interests against your rights and expectations.
• Legal obligation (Article 6(1)(c)): we process certain data to comply with legal obligations, especially in relation to tax and accounting records or responding to lawful requests from authorities.

Our site currently provides editorial city guides and business listings. At the moment we:

• do not sell ad placements;
• do not run a lead-generation or “contact this business” form;
• do not forward enquiries directly to businesses on your behalf.

Listings generally link out to public information such as a business’s website or Google Maps profile. If you click through and contact a business directly, they will act as an independent data controller under their own privacy policy.

In the future, we may introduce paid listings or an advertiser portal. If we do so, we will:

• update this privacy policy before such features go live;
• put written data protection terms in place with those businesses that receive leads through Resinaro; and
• clearly label any sponsored placements so you know when a business has paid to appear.

We use a small number of cookies and similar technologies to keep the site running and understand aggregate usage. At the time of this update we do not deploy advertising pixels (such as Meta or TikTok) on resinaro.com.

• Essential cookies and local storage: used for core site functionality and security. These are strictly necessary and cannot realistically be turned off without breaking the site.
• Analytics: Vercel Analytics and hosting logs may record information such as page views, approximate location derived from IP, and device/browser type. We use these in aggregate to improve content and performance.

For more detail or if we add additional tools in future, see our Cookies Policy.

We share personal data with trusted providers who help us run our services, under contracts that limit their ability to use the data for anything other than our instructions. Typical providers include: hosting and CDN (Vercel), email (ProtonMail), storage and documents (Google Drive and Google Sheets), payment processing (Stripe), website analytics (Vercel Analytics) and security/anti-abuse tools provided by our hosting platform. We do not permit these providers to use your personal data for their own direct marketing.

Some of our providers are based outside the UK/EEA or store data in multiple regions (for example Google, Vercel, Stripe and Proton). When personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as adequacy regulations, Standard Contractual Clauses and the UK addendum where required by law, together with technical and organisational measures to protect the data.

We keep personal data only for as long as reasonably necessary for the purposes described in this policy or to meet legal, accounting or reporting requirements. In practice:

• Operational documents (such as copies of passports or ID cards used for a specific consular-related service) are usually deleted shortly after the service is completed. We aim to remove these within a reasonable period once the task is finished and there is no ongoing dispute or follow-up.
• Emails, WhatsApp conversations and form submissions may be retained for reference, repeat requests and record-keeping for a number of years, typically up to 3 years, unless a longer period is required for legal reasons.
• Payment and accounting records are normally kept for up to 6 years to comply with tax and accounting obligations.

If you ask us to delete your data, we will review your request and remove information where we are not legally required to keep it (see sections 14 and 15).

• Use of reputable providers (Vercel, Google, Proton, Stripe) with industry-standard security.
• Encryption in transit (HTTPS) for data between your browser and our site and between us and most providers.
• Access to email, cloud storage and admin tools protected with strong passwords and two-factor authentication, and stored on devices with disk encryption and screen lock.
• Limited access: at the time of writing, only the core operator of Resinaro has access to personal data for service delivery and support.

No system is 100% secure. If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will assess the situation promptly and notify the relevant authority and affected individuals where the law requires it.

• Access: to obtain a copy of your personal data and information about how we use it.
• Rectification: to correct inaccurate or incomplete data.
• Erasure: to request deletion of your data in certain circumstances (for example where it is no longer needed for the original purpose and we have no legal reason to keep it).
• Restriction: to ask us to limit processing in some situations (for example while we verify accuracy or handle an objection).
• Objection: to object to processing based on legitimate interests, and to object at any time to the use of your data for direct marketing.
• Portability: to receive certain data in a structured, commonly used format and have it transmitted to another controller, where technically feasible.
• Withdraw consent: where processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

To exercise your rights, email resinaro@proton.me with the subject line “Data Request” and explain what you would like us to do. We may need to request additional information to verify your identity. We aim to respond within one month. For complex or numerous requests, we may extend this period by up to two further months as permitted by law and will inform you if this happens.

Our services and website are primarily aimed at adults. We do not knowingly enter into direct contracts with children or provide services directly to individuals under 18 without a parent or guardian involved.

In some cases, a parent or guardian may ask us to assist with a consular-related process for a child (for example, passport renewal for a minor). In those situations:

• we expect the parent or legal guardian to be the main point of contact and contracting party; and
• we do not intentionally communicate directly with the child other than in the presence or under the supervision of the parent or guardian.

If you believe a child has provided us with personal data without appropriate consent, please contact us and we will review and delete the information where appropriate.

We do not make decisions with legal or similarly significant effects based solely on automated processing. We may use basic analytics to understand which pages are most popular or which cities generate the most interest, but these insights do not involve automated decisions about individual users.

Our content may include links to third-party websites or services such as Google Maps, government portals, booking systems or social media platforms. We do not control those sites or how they handle your personal data, and this privacy policy does not apply to them. You should review their privacy policies before submitting any personal data.

We publish city guides and business listings that are mainly based on publicly available information (for example a business’s own website or Google Maps listing). If you represent a business and want us to update or remove a listing about you, contact us at resinaro@proton.me. We may ask you to verify your connection to the business before we make changes.

Any community contributions in the future (such as reviews, Q&A or event submissions) will be the responsibility of the users who submit them. We may moderate or remove content that appears unlawful, abusive, defamatory or otherwise in breach of our Terms of Service, and will respond to valid takedown requests.

We do not sell personal data. We share data only with service providers acting on our behalf and, where applicable, with other parties as described in this policy (for example when you click through to a third-party site or contact a business directly).

We may update this privacy policy from time to time to reflect changes to our services, technology or legal requirements. The “Last updated” date at the top of this page shows the current version. For material changes, we will take reasonable steps to draw your attention to the update (for example by highlighting it on this page).

If you have concerns about how we handle your personal data, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.

Email: resinaro@proton.me
Mailing location: Resinaro, United Kingdom

• This policy is intended to explain how we process personal data and does not by itself create contractual rights. Any services are governed by our Terms of Service.
• If any part of this policy conflicts with mandatory data protection law, the law will prevail to the extent of the conflict.
• As Resinaro grows, we may form a separate legal entity (for example a limited company). In that case we will update this policy to name the new controller and, where relevant, put written data processing terms in place with business customers.