PRIVACY POLICY

1. Data Controller

1.1. The Data Controller for the purposes of this Privacy Policy is the organizing team ("the Partnership," "we," "us," or "our"), operating as the Badia RE.NAISSANCE.

1.2. The Partnership is responsible for determining the purposes and means of processing personal data in connection with the Residency application process, event management, and related communications.

2. Categories of Personal Data Collected

We collect and process the following categories of personal data, limited to what is strictly necessary for the stated purposes:

2.1. Identity & Contact Data

• Full legal name, title, and preferred name
• Email address and telephone number
• Passport or government-issued identification details (as required by Italian hospitality law)
• Country of residence and nationality
• Emergency contact information

2.2. Application & Selection Data

• Professional background, biography, and areas of expertise as submitted during application
• Responses provided during the Curator Interview (audio transcriptions and written answers)
• Photographs captured during the interview process
• AI-generated assessment scores and evaluation notes used in the selection process
• Application submission timestamps and interaction data

2.3. Special Category Data (Sensitive Data)

With your explicit consent, we may collect:

• Dietary restrictions and food allergies (for meal preparation and safety)
• Health conditions, physical limitations, or medical considerations relevant to participation in somatic practices
• Accessibility requirements

Special category data is processed solely on the basis of your explicit consent (Article 9(2)(a) GDPR) and for the protection of your vital interests (Article 9(2)(c) GDPR). You may withdraw consent for the processing of special category data at any time.

2.4. Financial Data

• Payment transaction identifiers and confirmation records
• Billing address and payment method type (last four digits only)

Full payment card details are processed exclusively by our payment processor, Airwallex, and are never stored on our systems. Please refer to Airwallex's privacy policy for details on their data handling practices.

2.5. Technical & Usage Data

• IP address and approximate geolocation (country/region level)
• Browser type, version, and operating system
• Pages visited, session duration, and navigation patterns
• Device identifiers and screen resolution
• Referring URL and access timestamps

3. Methods of Data Collection

We collect personal data through the following methods:

• Direct submission: Information you voluntarily provide when completing the application form, participating in the Curator Interview, or communicating with us via email or the website contact form.
• Automated collection: Technical data collected automatically through cookies, server logs, and analytics tools when you access and navigate our website.
• AI-assisted processing: During the Curator Interview, your spoken responses are transcribed and analyzed using artificial intelligence systems to generate assessment scores. Photographs taken during the interview are processed for identity verification and cohort documentation purposes.
• Third-party sources: Payment confirmation data received from our payment processor (Airwallex).

4. Legal Basis for Processing

We process your personal data on the following legal bases as defined under Article 6 GDPR:

• Performance of a Contract (Article 6(1)(b)): Processing necessary for the performance of the residency agreement, including application evaluation, payment processing, travel coordination, dietary and accommodation arrangements, and event administration.
• Legal Obligation (Article 6(1)(c)): Processing required to comply with Italian hospitality law, including the mandatory "Alloggiati" guest registration and reporting to Italian police authorities (Questura), Italian tax and accounting obligations, and anti-money laundering regulations where applicable.
• Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent, including the use of your image in promotional and marketing materials, the collection and processing of special category (health/dietary) data, and receipt of non-essential communications and marketing correspondence.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for purposes of our legitimate interests, provided such interests are not overridden by your fundamental rights and freedoms. This includes website security, fraud prevention, and abuse detection, analytics to improve our services and user experience, and establishment, exercise, or defense of legal claims.

5. Purpose of Processing

Your personal data is processed for the following specific purposes:

• Evaluating and processing your application for the Residency
• Conducting and scoring the Curator Interview using AI-assisted analysis
• Communicating with you regarding your application status, acceptance, and event logistics
• Processing and verifying payment transactions
• Preparing personalized dining, accommodation, and program arrangements
• Complying with Italian legal requirements for guest registration and reporting
• Administering and documenting the Residency event
• Producing archival and promotional materials (with consent)
• Maintaining website security, preventing fraud, and ensuring service availability
• Improving our services, website, and application process through analytics
• Responding to your inquiries, complaints, or requests

6. Data Sharing & Recipients

6.1. We may share your personal data with the following categories of recipients, only to the extent necessary for the stated purposes:

• Payment Processor (Airwallex): For the secure processing of payment transactions. Airwallex operates as an independent data controller for payment data.
• Email Service Provider (Resend): For the delivery of transactional and informational email communications.
• Cloud Infrastructure Provider (Supabase/AWS): For secure data storage, database management, and authentication services.
• Curatorial Team: Members of the Partnership and designated facilitators involved in application evaluation and event coordination.
• Venue Management: Guest names, dietary requirements, and accommodation needs necessary for hospitality services at the private estate.
• Italian Authorities: Passport and identity data as required by the "Alloggiati" reporting obligation under Italian law (Article 109 of the Consolidated Text of Public Security Laws).
• Legal and Professional Advisors: When necessary for the establishment, exercise, or defense of legal claims.

6.2. We do not sell, rent, lease, or trade your personal data to any third party.

6.3. All third-party service providers are bound by data processing agreements that ensure compliance with GDPR and provide appropriate safeguards for your personal data.

7. International Data Transfers

7.1. Your personal data may be transferred to, stored in, and processed in countries outside the European Economic Area ("EEA"), including the United States and other jurisdictions where our service providers operate.

7.2. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Transfers to countries recognized by the European Commission as providing an adequate level of data protection (Adequacy Decisions).
• Standard Contractual Clauses ("SCCs") as adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
• Binding Corporate Rules where applicable.

7.3. You may request information regarding the specific safeguards applied to the transfer of your data by contacting us at the address provided in Section 1.

8. Data Retention

8.1. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods are as follows:

• Application data (unsuccessful applicants): Twelve (12) months from the date of the final decision, after which it is securely deleted unless consent is given to retain it for future Residency cycles.
• Participant data (accepted Participants): Twenty-four (24) months following the conclusion of the June 2026 Residency, to facilitate the three-retreat series cycle and address any post-event matters. Data may be retained longer with consent for future Residency invitations.
• Financial and transaction records: Ten (10) years as required by Italian tax and accounting legislation (DPR 600/1973 and DPR 633/1972).
• Italian "Alloggiati" records: As required by Italian public security law; typically retained by authorities indefinitely.
• Technical and usage data: Twelve (12) months from the date of collection, unless required for security investigations.
• Marketing consent records: For the duration of consent plus twelve (12) months following withdrawal, as evidence of lawful processing.

8.2. Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized. You may request earlier deletion subject to the provisions of Section 9.

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights with respect to your personal data. These rights are not absolute and may be subject to limitations as provided by applicable law:

• Right of Access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, where that is the case, to request access to the data together with information regarding the purposes, categories, recipients, retention period, and your rights.
• Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete data without undue delay.
• Right to Erasure (Article 17): You have the right to request the deletion of your personal data where the data is no longer necessary for the purpose for which it was collected, you withdraw consent and there is no other legal basis, the data has been unlawfully processed, or erasure is required for compliance with a legal obligation. This right is subject to exceptions, including where processing is necessary for compliance with Italian legal obligations or for the establishment, exercise, or defense of legal claims.
• Right to Restriction of Processing (Article 18): You have the right to request the restriction of processing where you contest the accuracy of the data, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
• Right to Object (Article 21): You have the right to object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes.
• Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
• Right Not to be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. See Section 11 for details on our use of automated processing.

To exercise any of these rights, please submit your request to support@re-naissance.love. We will respond to all legitimate requests within one (1) month. In complex cases, this period may be extended by a further two (2) months, in which case we will inform you of the extension and the reasons therefor.

We may request proof of identity before processing your request to prevent unauthorized access to personal data.

10. Cookies & Tracking Technologies

10.1. Our website uses cookies and similar tracking technologies to enhance your experience, provide secure authentication, and understand how our website is used. The following categories of cookies are employed:

• Strictly Necessary Cookies: Essential for the operation of the website, including user authentication, session management, and security features. These cookies cannot be disabled without impairing core functionality.
• Functional Cookies: Used to remember your preferences, language settings, and form data to improve usability.
• Analytics Cookies: Used to collect anonymized and aggregated information about website usage patterns, page views, and navigation behavior to help us improve our services.

10.2. You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you before a cookie is stored. Please note that disabling or blocking certain cookies may affect the functionality of the website, including the ability to log in and complete the application process.

10.3. We do not use cookies for behavioral advertising or cross-site tracking purposes.

11. Automated Decision-Making & AI Processing

11.1. As part of the application process, the Curator Interview employs artificial intelligence systems to transcribe spoken responses, generate assessment scores, and provide evaluative insights to the Curatorial team.

11.2. No application decision is made solely on the basis of automated processing. AI-generated scores and assessments serve as one input among several considered by human members of the Curatorial team, who retain full discretion over all acceptance and rejection decisions.

11.3. You have the right to request human intervention in any decision that significantly affects you, to express your point of view, and to contest any decision. To exercise this right, please contact us at support@re-naissance.love.

11.4. AI-generated data (transcriptions, scores, assessments) is treated as personal data and is subject to the same retention, access, and deletion rights as all other categories of personal data described in this policy.

12. Italian Legal Compliance

12.1. "Alloggiati" Reporting. As the Residency takes place at a hospitality venue in Italy, the Venue is legally required to collect identification data (including passport scans) from all guests and report this information to the local Questura (police authority) within 24 hours of arrival, in accordance with Article 109 of the Consolidated Text of Public Security Laws (TULPS) and the regulations of the Italian Ministry of the Interior.

12.2. This data collection is carried out separately by the Venue upon arrival and is a mandatory legal requirement for all hospitality establishments in Italy. The Partnership facilitates this process but the Venue acts as an independent data controller for the "Alloggiati" data.

12.3. Italian Privacy Code. In addition to GDPR, our processing activities comply with the Italian Privacy Code (Legislative Decree No. 196/2003, as subsequently amended by Legislative Decree No. 101/2018), including provisions related to the processing of judicial data, health data, and the guidelines issued by the Italian Data Protection Authority (Garante per la protezione dei dati personali).

13. Data Security

13.1. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, destruction, or accidental loss, in accordance with Article 32 GDPR. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication mechanisms with password hashing and session management
• Role-based access controls limiting data access to authorized personnel only
• Regular security assessments and vulnerability monitoring
• Secure, audited cloud infrastructure with geographic redundancy
• Input validation and sanitization to prevent injection attacks and cross-site scripting

13.2. While we employ industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

14. Data Breach Notification

14.1. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the Italian Data Protection Authority, Garante per la protezione dei dati personali) without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 GDPR.

14.2. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 GDPR, providing a description of the breach, the likely consequences, and the measures taken or proposed to address and mitigate the breach.

15. Children's Data

The Residency is available only to individuals aged eighteen (18) years or older. We do not knowingly collect, process, or store personal data from children or minors. If we become aware that personal data has been collected from a person under the age of eighteen without appropriate authorization, we will take immediate steps to delete such data.

16. Supervisory Authority

16.1. If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. For matters related to the Residency, the competent authority is:

16.2. You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work if different from Italy, in accordance with Article 77 GDPR.

16.3. We encourage you to contact us first at support@re-naissance.love so that we may attempt to resolve your concern before you escalate to the supervisory authority.

17. Governing Law

This Privacy Policy and any disputes arising from or related to data processing shall be governed by and construed in accordance with the laws of the State of Nevada, United States, without regard to its conflict of laws provisions. Any legal proceedings shall be brought exclusively before the state or federal courts located in Clark County, Nevada.

18. Changes to This Privacy Policy

18.1. We reserve the right to update or modify this Privacy Policy at any time. Material changes will be communicated to affected individuals via email and will be reflected in the "Last Updated" date at the top of this document.

18.2. Where changes involve new purposes of processing or significantly alter the manner in which your data is handled, we will seek your renewed consent where required by applicable law.

18.3. We encourage you to review this Privacy Policy periodically to remain informed about how your personal data is protected and processed.

19. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy, GDPR compliance, the exercise of your data protection rights, or our data practices, please contact: