Stemma Exsurge Domine EXSURGE DOMINE Fondazione · ETS
Privacy notice

Privacy Policy


Pursuant to Articles 13–14 of Regulation (EU) 2016/679 (GDPR).

This notice describes how the personal data of users browsing the website www.exsurgedomine.org (the «Site») is processed, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 («GDPR») and Legislative Decree 196/2003 («Italian Data Protection Code»). The notice applies only to the Site and not to any other websites that may be reached via links contained in it.

1. Data Controller

The Data Controller is Fondazione Exsurge Domine ETS, with registered office at Via Oderisi da Gubbio 266, 00146 Roma — tax code (codice fiscale) 96584230583, in the person of its legal representative Don Michael Leoni. To exercise your rights (Arts. 15–22 GDPR) and for any request concerning personal data, you may write to: info@exsurgedomine.org. No Data Protection Officer (DPO) has been appointed, as there is no obligation to do so under Art. 37 GDPR.

2. Categories of data processed

2.1 Browsing data

In the course of ordinary operation, the computer systems that operate the Site acquire certain data whose transmission is implicit in the use of Internet communication protocols (e.g. IP address, browser and device type, operating system, date and time of the request, pages visited). This data is used solely to deliver the Site, ensure its security and prevent abuse, and is processed only for the time strictly necessary. The Site is generated as a set of static pages and served through a content delivery network (CDN): there is no application or database queried on each request.

2.2 Statistical data (audience measurement)

The Site uses Umami, a cookieless analytics tool hosted on infrastructure attributable to the Controller, to understand in aggregate and anonymous form how the Site is used. As a matter of caution, and unlike a simple technical counter, the statistical tool is activated only upon consent given through the banner (the «statistics» category); in the absence of consent it is not loaded. Umami does not use persistent identifiers, does not allow the user's identity to be traced, and does not retain the IP address in identifiable form. Details are provided in the Cookie Policy.

2.3 Newsletter subscription

Anyone who subscribes to the newsletter provides their email address (together with their preferred language and an indication of the referring page). Subscription takes place by double confirmation (double opt-in): a verification email is sent and the address is activated only after the user clicks the confirmation link. This data is retained for the purpose of managing mailings, and every newsletter issue contains an unsubscribe link that may be used at any time. It is also possible to unsubscribe from the dedicated page of the Site.

2.4 Requests for Mass intentions

The «Mass Intentions» form allows users to request the celebration of Holy Masses. The data entered in the form is collected: first and last name, email address, chosen form of offering, purpose of the offering (for the living / in suffrage of the deceased) and the text of the intention. This data is sent by email to the Foundation's Secretariat to process the request and is not kept in an archive on the Site beyond what is necessary to handle the request itself. Users are asked not to include unnecessary personal data in the text.

2.5 Contact

If a user voluntarily contacts the Foundation by email (the addresses are listed on the Contact page), the data contained in the communication is processed solely for the purpose of providing a response.

2.6 Donations

The Site offers several ways to give support: card donation via Stripe, bank transfer (IBAN) and 5×1000 (Italian tax designation). The Foundation does not collect or process payment card data on the Site: card donations are handled directly by Stripe, which is an independent controller for that processing under its own privacy notice. A bank transfer entails processing of banking data by the credit institution; for the 5×1000, the donor states only the Foundation's tax code in their own tax return.

2.7 Restricted area (collaborators)

The Site has a restricted area /admin, accessible only to authorised collaborators by means of an access key (passkey/WebAuthn) and a technical session cookie. It is not accessible to the public.

2.8 Cookies and third-party tools

For cookies and third-party content (e.g. any embedded videos), please refer to the Cookie Policy.

3. Purposes and legal bases of processing

PurposeLegal basis (Art. 6 GDPR)
Delivery and operation of the SiteLegitimate interest (Art. 6.1.f)
Site security and abuse preventionLegitimate interest (Art. 6.1.f)
Aggregate and anonymous statistics (Umami)Consent (Art. 6.1.a) given via banner
Managing newsletter subscription and deliveryConsent (Art. 6.1.a), revocable by unsubscribing
Handling requests for Mass intentionsPerformance of measures requested by the data subject / legitimate interest in providing a response (Art. 6.1.b/f)
Responding to contact requestsLegitimate interest in providing a response (Art. 6.1.f)
Managing donations and related obligationsPerformance of a contract/legal obligations (Art. 6.1.b/c); payment data held by the payment providers
Playback of any embedded videos (upon click/consent)Consent (Art. 6.1.a)

Providing browsing data is necessary for the Site to function; providing data through the forms and tools subject to consent is optional, and declining does not affect access to the Site's content.

4. Manner of processing

Data is processed by computerised means, using procedures strictly related to the purposes indicated above and with adequate security measures (Art. 32 GDPR). No automated decision-making or profiling within the meaning of Art. 22 GDPR is carried out.

5. Recipients of the data and data processors

Data may be processed, on the Controller's behalf, by third parties that provide the technical services necessary for the Site to function, appointed as Data Processors under Art. 28 GDPR where applicable:

ProviderRole / serviceLocation
Vercel Inc.Site hosting, CDN, technical logsUSA
Cloudflare, Inc.Storage and delivery of static content (images, cover images, files) and network servicesUSA
Upstash, Inc.Database (newsletter subscribers, consent log, restricted-area sessions)EU/USA
Amazon Web Services EMEA SARL (Amazon SES)Sending emails (subscription confirmation, newsletter, form notifications)EU (Ireland)
Stripe Payments Europe, Ltd.Card donations (independent controller for payment data)EU
Google Ireland Ltd.Playback of any embedded YouTube videos, only upon consent/clickEU/USA

Fonts and images are hosted by the Controller (self-hosting): until the user gives consent to the statistical tools or activates any third-party content, the Site does not send data to third parties for those purposes. Data is not disclosed or transferred to third parties for marketing purposes.

6. Transfer of data outside the EU

Some providers are based, or have infrastructure, outside the European Economic Area, in particular in the United States. Such transfers take place in compliance with Arts. 44–49 GDPR, on the basis of appropriate safeguards such as adherence to the EU–U.S. Data Privacy Framework and/or the Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of the safeguards may be requested by writing to the Controller.

7. Retention period

CategoryRetention
Browsing data and technical logsTime strictly necessary; the hosting provider's logs remain available only for a short period and are not retained long-term by the Controller
Aggregate/anonymous statisticsAnonymous data, not attributable to the user
Email address for the newsletterUntil unsubscription or withdrawal of consent
Mass intention requests / contact messagesTime necessary to handle the request and for any administrative or defensive needs
Consent log (cookies)For the time required by the accountability principle (typically until withdrawal, plus statutory retention periods)
Restricted-area data (collaborators)Duration of the collaboration relationship

8. Rights of the data subject (Arts. 15–22 GDPR)

The data subject has the right to: obtain access to their own data (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction (Art. 18); portability (Art. 20); object to processing based on legitimate interest (Art. 21); withdraw consent at any time, without prejudice to the lawfulness of processing carried out prior to withdrawal (Art. 7.3). These rights may be exercised by writing to info@exsurgedomine.org; the Controller will respond without undue delay and in any event within one month.

9. Minors

The Site and its content are not specifically directed at minors. The Controller does not knowingly collect data from minors under 14 years of age (the age of digital consent in Italy under Art. 8 GDPR and Art. 2-quinquies of the Italian Data Protection Code) without the consent of the person exercising parental responsibility. A parent or guardian who believes that a minor has provided data without the required consent may contact the Controller to request its erasure.

10. Complaint to the Supervisory Authority

Without prejudice to any other remedy, a data subject who believes that processing is carried out in breach of the GDPR may lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (garanteprivacy.it) or with the supervisory authority of their State of residence.

11. Changes to this notice

The Controller may update this notice to reflect changes in the law or in the Site. The version in force is the one published on this page.

Last updated: 4 July 2026.