This notice describes how the personal data of users browsing the website www.exsurgedomine.org (the «Site») is processed, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 («GDPR») and Legislative Decree 196/2003 («Italian Data Protection Code»). The notice applies only to the Site and not to any other websites that may be reached via links contained in it.
1. Data Controller
The Data Controller is Fondazione Exsurge Domine ETS, with registered office at Via Oderisi da Gubbio 266, 00146 Roma — tax code (codice fiscale) 96584230583, in the person of its legal representative Don Michael Leoni. To exercise your rights (Arts. 15–22 GDPR) and for any request concerning personal data, you may write to: info@exsurgedomine.org. No Data Protection Officer (DPO) has been appointed, as there is no obligation to do so under Art. 37 GDPR.
2. Categories of data processed
2.1 Browsing data
In the course of ordinary operation, the computer systems that operate the Site acquire certain data whose transmission is implicit in the use of Internet communication protocols (e.g. IP address, browser and device type, operating system, date and time of the request, pages visited). This data is used solely to deliver the Site, ensure its security and prevent abuse, and is processed only for the time strictly necessary. The Site is generated as a set of static pages and served through a content delivery network (CDN): there is no application or database queried on each request.
2.2 Statistical data (audience measurement)
The Site uses Umami, a cookieless analytics tool hosted on infrastructure attributable to the Controller, to understand in aggregate and anonymous form how the Site is used. As a matter of caution, and unlike a simple technical counter, the statistical tool is activated only upon consent given through the banner (the «statistics» category); in the absence of consent it is not loaded. Umami does not use persistent identifiers, does not allow the user's identity to be traced, and does not retain the IP address in identifiable form. Details are provided in the Cookie Policy.
2.3 Newsletter subscription
Anyone who subscribes to the newsletter provides their email address (together with their preferred language and an indication of the referring page). Subscription takes place by double confirmation (double opt-in): a verification email is sent and the address is activated only after the user clicks the confirmation link. This data is retained for the purpose of managing mailings, and every newsletter issue contains an unsubscribe link that may be used at any time. It is also possible to unsubscribe from the dedicated page of the Site.
2.4 Requests for Mass intentions
The «Mass Intentions» form allows users to request the celebration of Holy Masses. The data entered in the form is collected: first and last name, email address, chosen form of offering, purpose of the offering (for the living / in suffrage of the deceased) and the text of the intention. This data is sent by email to the Foundation's Secretariat to process the request and is not kept in an archive on the Site beyond what is necessary to handle the request itself. Users are asked not to include unnecessary personal data in the text.
2.5 Contact
If a user voluntarily contacts the Foundation by email (the addresses are listed on the Contact page), the data contained in the communication is processed solely for the purpose of providing a response.
2.6 Donations
The Site offers several ways to give support: card donation via Stripe, bank transfer (IBAN) and 5×1000 (Italian tax designation). The Foundation does not collect or process payment card data on the Site: card donations are handled directly by Stripe, which is an independent controller for that processing under its own privacy notice. A bank transfer entails processing of banking data by the credit institution; for the 5×1000, the donor states only the Foundation's tax code in their own tax return.
2.7 Restricted area (collaborators)
The Site has a restricted area /admin, accessible only to authorised collaborators by means of an access key (passkey/WebAuthn) and a technical session cookie. It is not accessible to the public.
2.8 Cookies and third-party tools
For cookies and third-party content (e.g. any embedded videos), please refer to the Cookie Policy.
3. Purposes and legal bases of processing
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Delivery and operation of the Site | Legitimate interest (Art. 6.1.f) |
| Site security and abuse prevention | Legitimate interest (Art. 6.1.f) |
| Aggregate and anonymous statistics (Umami) | Consent (Art. 6.1.a) given via banner |
| Managing newsletter subscription and delivery | Consent (Art. 6.1.a), revocable by unsubscribing |
| Handling requests for Mass intentions | Performance of measures requested by the data subject / legitimate interest in providing a response (Art. 6.1.b/f) |
| Responding to contact requests | Legitimate interest in providing a response (Art. 6.1.f) |
| Managing donations and related obligations | Performance of a contract/legal obligations (Art. 6.1.b/c); payment data held by the payment providers |
| Playback of any embedded videos (upon click/consent) | Consent (Art. 6.1.a) |
Providing browsing data is necessary for the Site to function; providing data through the forms and tools subject to consent is optional, and declining does not affect access to the Site's content.
4. Manner of processing
Data is processed by computerised means, using procedures strictly related to the purposes indicated above and with adequate security measures (Art. 32 GDPR). No automated decision-making or profiling within the meaning of Art. 22 GDPR is carried out.
5. Recipients of the data and data processors
Data may be processed, on the Controller's behalf, by third parties that provide the technical services necessary for the Site to function, appointed as Data Processors under Art. 28 GDPR where applicable:
| Provider | Role / service | Location |
|---|---|---|
| Vercel Inc. | Site hosting, CDN, technical logs | USA |
| Cloudflare, Inc. | Storage and delivery of static content (images, cover images, files) and network services | USA |
| Upstash, Inc. | Database (newsletter subscribers, consent log, restricted-area sessions) | EU/USA |
| Amazon Web Services EMEA SARL (Amazon SES) | Sending emails (subscription confirmation, newsletter, form notifications) | EU (Ireland) |
| Stripe Payments Europe, Ltd. | Card donations (independent controller for payment data) | EU |
| Google Ireland Ltd. | Playback of any embedded YouTube videos, only upon consent/click | EU/USA |
Fonts and images are hosted by the Controller (self-hosting): until the user gives consent to the statistical tools or activates any third-party content, the Site does not send data to third parties for those purposes. Data is not disclosed or transferred to third parties for marketing purposes.
6. Transfer of data outside the EU
Some providers are based, or have infrastructure, outside the European Economic Area, in particular in the United States. Such transfers take place in compliance with Arts. 44–49 GDPR, on the basis of appropriate safeguards such as adherence to the EU–U.S. Data Privacy Framework and/or the Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of the safeguards may be requested by writing to the Controller.
7. Retention period
| Category | Retention |
|---|---|
| Browsing data and technical logs | Time strictly necessary; the hosting provider's logs remain available only for a short period and are not retained long-term by the Controller |
| Aggregate/anonymous statistics | Anonymous data, not attributable to the user |
| Email address for the newsletter | Until unsubscription or withdrawal of consent |
| Mass intention requests / contact messages | Time necessary to handle the request and for any administrative or defensive needs |
| Consent log (cookies) | For the time required by the accountability principle (typically until withdrawal, plus statutory retention periods) |
| Restricted-area data (collaborators) | Duration of the collaboration relationship |
8. Rights of the data subject (Arts. 15–22 GDPR)
The data subject has the right to: obtain access to their own data (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction (Art. 18); portability (Art. 20); object to processing based on legitimate interest (Art. 21); withdraw consent at any time, without prejudice to the lawfulness of processing carried out prior to withdrawal (Art. 7.3). These rights may be exercised by writing to info@exsurgedomine.org; the Controller will respond without undue delay and in any event within one month.
9. Minors
The Site and its content are not specifically directed at minors. The Controller does not knowingly collect data from minors under 14 years of age (the age of digital consent in Italy under Art. 8 GDPR and Art. 2-quinquies of the Italian Data Protection Code) without the consent of the person exercising parental responsibility. A parent or guardian who believes that a minor has provided data without the required consent may contact the Controller to request its erasure.
10. Complaint to the Supervisory Authority
Without prejudice to any other remedy, a data subject who believes that processing is carried out in breach of the GDPR may lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (garanteprivacy.it) or with the supervisory authority of their State of residence.
11. Changes to this notice
The Controller may update this notice to reflect changes in the law or in the Site. The version in force is the one published on this page.
Last updated: 4 July 2026.