PRIVACY & COOKIE POLICY

Foiling Week — foilingweek.com

Effective Date: 26 May 2026

Last Updated: 26 May 2026

1. Introduction and Scope

Welcome to Foiling Week. This website (foilingweek.com and its subdomains, hereinafter the ‘Application’) is jointly operated by Associazione Culturale Sportiva TFW and We Are Foiling (‘FoilingWeek’, ‘we’, ‘us’, ‘our’), both located at Corso di Porta Romana, 63, 20122 – Milano – Italia.

This Privacy & Cookie Policy (‘Policy’) explains how we collect, use, store, disclose, and protect your personal information when you use the Application or interact with our services — including event registration, media content, newsletter subscriptions, and future e-commerce functionality.

By using the Application, you acknowledge that you have read and understood this Policy. Where required by applicable law, we will obtain your consent before processing your data.

This privacy statement has been prepared in accordance with Art. 13/14 of Regulation (EU) 2016/679 (GDPR) and applicable Italian data protection legislation (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018). It relates solely to this Application unless otherwise stated.

2. Owner and Data Controller

Joint Controllers Associazione Culturale Sportiva TFW and We Are Foiling. Corso di Porta Romana, 63, 20122 – Milano – Italia

Primary contact for data protection matters: info@wearefoiling.com

2.1 Joint-Controller Arrangement Associazione Culturale Sportiva TFW and We Are Foiling act as Joint Controllers as they jointly determine the purposes and means of processing your Personal Data.

In accordance with Article 26 of the GDPR, they have entered into an arrangement which outlines their respective responsibilities. The essence of this arrangement is as follows:

• Responsibilities: Both entities are jointly responsible for ensuring compliance with GDPR principles. We Are Foiling f primarily manages the technical and operational aspects of the Application, including e-commerce and marketing, while Associazione Culturale Sportiva TFW oversees event organisation and community engagement.
• Point of Contact: For your convenience, the primary point of contact for all data protection queries and for exercising your rights is info@wearefoiling.com. However, you may exercise your rights in respect of and against either of the Joint Controllers.

3. Definitions

For the purposes of this Policy, the following definitions apply:

• Personal Data (or Data): Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.
• Usage Data: Information collected automatically through this Application (or third-party services employed in it), which can include: IP addresses or domain names of the computers used by Users, URI addresses, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer, the country of origin, the features of the browser and operating system, time details per visit, the path followed within the Application, and other parameters about the device operating system and the User’s IT environment.
• User: The individual using this Application who, unless otherwise specified, coincides with the Data Subject.
• Data Subject: The natural person to whom the Personal Data refers.
• Data Processor: The natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.
• Data Controller (or Owner): The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Application. The Data Controller is the Owner of this Application.
• This Application: The means by which the Personal Data of the User is collected and processed — being foilingweek.com and its subdomains.
• Service: The service provided by this Application as described in the relative terms and on this site.
• Cookie: Cookies are Trackers consisting of small sets of data stored in the User’s browser.
• Tracker: Any technology — e.g. Cookies, unique identifiers, web beacons, embedded scripts, e-tags, and fingerprinting — that enables the tracking of Users, for example by accessing or storing information on the User’s device.
• European Union (or EU): Unless otherwise specified, all references to the European Union include all current member states of the European Union and the European Economic Area.

4. Types of Data Collected

Among the types of Personal Data that this Application collects, by itself or through third parties, there are: Trackers, Usage Data, and the data listed below. Complete details on each type of Personal Data collected are provided in the dedicated sections of this Policy or by specific explanation texts displayed prior to Data collection.

Personal Data may be freely provided by the User, or, in the case of Usage Data, collected automatically when using this Application. Unless specified otherwise, all Data requested by this Application is mandatory, and failure to provide it may make it impossible for this Application to provide its services. Users uncertain about which Personal Data is mandatory are welcome to contact the Owner. In compliance with Article 14 of the GDPR, where Personal Data is not obtained directly from the User, we will provide information on the source from which the data originates.

Users are responsible for any third-party Personal Data obtained, published, or shared through this Application, and confirm they have obtained the third party’s consent to provide such Data to the Owner.

4.1 Data Provided Directly by Users

• Name, surname, date and place of birth, email address, password — when registering via the Registration Form
• Sailing class, experience level, preferred disciplines — when registering for racing events or performance clinics
• Billing address, payment details (processed by third-party processors), order history — when purchasing via e-commerce (future functionality)
• User-generated content such as comments, enquiry messages, or testimonials
• Press accreditation details — when applying for media access
• Facebook account data (Basic information and Email) — when connecting via Facebook login (see Section 7.2)

4.2 Data Collected Automatically

• IP address, browser type and version, operating system, referring URL
• Pages viewed, time spent on each page, links clicked, path followed within the Application
• URI addresses, method and time of requests to the server, server response codes
• Device identifiers and browser fingerprints
• Data collected via Cookies and similar Trackers (see Section 8)

4.3 Data from Third-Party Services

• Social media profile data (Basic information and Email) via Facebook or Google OAuth
• Analytics data collected by Google Analytics on behalf of the Owner
• Payment verification data from payment processors (e-commerce, future functionality)
• Race registration data from partner event management platforms (e.g., Fraglia Vela Malcesine)

5. Purposes and Detailed Information on Processing

The Data concerning the User is collected to allow the Owner to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as for the following specific purposes: Analytics, Access to third-party accounts, Interaction with external social networks and platforms, and Registration and authentication.

5.1 Registration and Authentication By registering or authenticating, Users allow this Application to identify them and give them access to dedicated services. Third parties may provide registration and authentication services, allowing this Application to access some Data stored by those services. Some services listed below may also collect Personal Data for targeting and profiling purposes. Legal Basis for processing: Contract performance (Art. 6(1)(b) GDPR).

• Google OAuth (Google LLC) Google OAuth is a registration and authentication service provided by Google LLC and connected to the Google network.

• Personal Data processed: various types of Data as specified in the Google privacy policy
• Place of processing: United States — https://policies.google.com/privacy

5.2 Access to Third-Party Accounts This type of service allows this Application to access Data from your account on a third-party service and perform actions with it. These services are not activated automatically but require explicit authorisation by the User. Legal Basis for processing: Consent (Art. 6(1)(a) GDPR).

• Facebook Account Access (Meta Platforms, Inc.) This service allows this Application to connect with the User’s account on the Facebook social network, provided by Meta Platforms, Inc.

• Permissions asked: Email; Basic information
• Place of processing: United States — https://www.facebook.com/policy.php

5.3 Interaction with External Social Networks and Platforms This type of service allows interaction with social networks or other external platforms directly from the pages of this Application. The interaction and information obtained are always subject to the User’s privacy settings for each social network. This type of service might still collect traffic data for the pages where the service is installed, even when Users do not use it. It is recommended to log out from the respective services to ensure that processed data is not connected back to the User’s profile. Legal Basis for processing: Legitimate Interest (Art. 6(1)(f) GDPR) to enhance user experience and engagement, and Consent (Art. 6(1)(a) GDPR) for any associated tracking.

• Facebook Like Button and Social Widgets (Meta Platforms, Inc.) The Facebook Like button and social widgets are services allowing interaction with the Facebook social network, provided by Meta Platforms, Inc.

• Personal Data processed: Trackers; Usage Data
• Place of processing: United States — https://www.facebook.com/policy.php

5.4 Analytics The services in this section enable the Owner to monitor and analyse web traffic and can be used to keep track of User behavior. Legal Basis for processing: Consent (Art. 6(1)(a) GDPR).

• Google Analytics (Google LLC) Google Analytics is a web analysis service provided by Google LLC. Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities, and to share them with other Google services. Google may use the Data collected to contextualize and personalise the ads of its own advertising network.

• Personal Data processed: Trackers; Usage Data
• Place of processing: United States — https://policies.google.com/privacy
• Opt-out: https://tools.google.com/dlpage/gaoptout

5.5 E-Commerce Data Processing (Future Functionality) When the e-commerce platform is live, the Owner will process additional data to fulfill online orders: Legal Basis for processing: Contract performance (Art. 6(1)(b) GDPR) and Legal obligation (Art. 6(1)(c) GDPR) for tax and accounting purposes.

• Order details: products purchased, quantities, prices, applied discount codes
• Payment data: processed by PCI-DSS-compliant third-party processors; full card numbers are not stored by the Owner
• Transaction history: retained for accounting and tax compliance for a minimum of 10 years under Italian law (D.P.R. 633/1972)
• Abandoned cart data: if logged in and items are left in the cart, a reminder email may be sent subject to the User’s marketing preferences

5.6 Newsletter and Marketing Communications With the User’s consent, given at registration or via opt-in, the Owner sends promotional communications about upcoming Foiling Week events, merchandise, and partner offers. Users may withdraw consent at any time via the unsubscribe link in any communication or by contacting the Owner. Legal Basis for processing: Consent (Art. 6(1)(a) GDPR).

6. Cookies and Tracking Technologies

Cookies are Trackers consisting of small sets of data stored in the User’s browser.

6.1 Managing Cookies When first visiting the Application, Users are presented with a cookie consent banner allowing acceptance of all cookies, rejection of non-essential cookies, or granular preference management. In line with best practices and to avoid ‘dark patterns’, our consent interface is designed to make rejecting non-essential cookies as easy as accepting them. Cookie preferences can also be managed through browser settings; however, disabling essential cookies may impair Application functionality.

7. The Rights of Users

Users may exercise certain rights regarding their Data processed by the Owner. In particular, Users have the right to:

• Withdraw their consent at any time…
• Object to processing of their Data…
• Object at any time, without providing any justification, to processing of their Data for direct marketing purposes
• Access their Data…
• Verify and seek rectification…
• Restrict the processing of their Data…
• Have their Personal Data deleted or otherwise removed…
• Receive their Data and have it transferred to another controller…
• Lodge a complaint with their competent data protection authority…

Any requests to exercise these rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month of receipt. The Owner is responsible for demonstrating compliance with any request or for justifying any refusal.