Privacy Policy
Last updated: 2026-06-24
This Privacy Notice describes how Omnes S.r.l.s. and Pub New Dream S.r.l., acting as joint controllers under art. 26 of Regulation (EU) 2016/679 (“GDPR”), process the personal data of users visiting the website https://dreamapp.cloud (the “Site”) and using the DreamApp platform. It is drawn up in compliance with GDPR and Italian Legislative Decree 196/2003 as amended (“Privacy Code”).
1. Joint controllers
DreamApp is a platform built jointly by the following companies, acting as joint controllers under art. 26 GDPR:
- OMNES S.R.L.S. (joint controller)
- Additional registration details available on written request via the shared privacy contact channel listed below.
- PUB NEW DREAM S.R.L. (joint controller and Site publisher)
- Registered office: Viale della Resistenza 138, 63837 Falerone (FM), Italia
- VAT / Tax code: 02540950447
- Certified email (PEC): pubnewdreamsrl@pec.it
The joint controllers have transparently allocated their respective data-protection responsibilities through a joint-controllership arrangement under art. 26.1 GDPR, whose essential content is summarised in this notice. The data subject may approach either controller to exercise their rights.
Single point of contact for privacy requests, exercise of rights and consent withdrawal: support@omnes.cloud. Requests received at this address are handled jointly by both controllers and answered within 30 days.
No Data Protection Officer (DPO) has been appointed since the conditions of art. 37 GDPR are not met. For any matter relating to data processing the data subject can write to the single point of contact listed above.
2. Essence of the joint-controllership arrangement (art. 26.2 GDPR)
- Purposes and means of processing are jointly determined by the controllers for the purposes set out in §4.
- Pub New Dream S.r.l. is the Site publisher and is responsible for operationally running the DreamApp platform on the partner-venue side.
- Omnes S.r.l.s. is the technology provider of the DreamApp platform and is responsible for infrastructure, security, development life-cycle and the appointment of art. 28 GDPR processors (cloud, hosting, newsletter, analytics).
- Both controllers independently process the contacts collected to answer commercial requests, send joint marketing communications (DreamApp newsletter) and manage the relationship with prospects and customers.
- The data subject may exercise their rights against either controller by writing to the single point of contact support@omnes.cloud. This paragraph constitutes the “essence of the arrangement” made available to the data subject under art. 26.2 GDPR. The full text of the arrangement is available upon request.
3. Categories of data processed
The joint controllers may collect and process the following categories of personal data:
- Browsing data: IP address, browser type and version, operating system, visited pages, request date and time, referrer, technical session data — collected in aggregated or pseudonymised form for technical and statistical purposes.
- Data voluntarily provided via contact forms (including campaign forms such as the /campaign/wmf-2026-bologna landing): full name, email address, optional phone number, message content, optional newsletter opt-in, and campaign parameters (qr_id, utm_source, utm_medium, utm_campaign, utm_content) used to attribute the lead source.
- Cookies and online identifiers: see the Cookie Policy for full details.
No special categories of data under art. 9 GDPR are collected. The controllers do not carry out solely automated decision-making producing legal effects on the data subject (art. 22 GDPR).
4. Purposes and legal basis
| Purpose | Legal basis (art. 6 GDPR) | Nature of the disclosure |
|---|---|---|
| Site delivery, security and fraud prevention | Controllers' legitimate interest (art. 6.1.f) and legal obligations (art. 6.1.c) | Necessary to use the Site |
| Handling requests submitted via contact forms (incl. WMF 2026 campaign) | Pre-contractual measures at the data subject's request (art. 6.1.b) | Required to receive an answer |
| DreamApp newsletter sign-up, with marketing communications sent both by Omnes S.r.l.s. and Pub New Dream S.r.l. about platform products, events, promotions and commercial initiatives | Explicit consent (art. 6.1.a) | Optional, revocable at any time |
| Campaign attribution (qr_id, UTM parameters) to measure marketing effectiveness | Controllers' legitimate interest (art. 6.1.f) | Automatically captured from URL params, objection allowed |
| Cookies and profiling technologies (analytics, marketing, session statistics) | Explicit consent (art. 6.1.a) | Optional, managed via the cookie banner |
| Legal defence and compliance with legal obligations | Legitimate interest (art. 6.1.f) and legal obligations (art. 6.1.c) | Required for compliance |
5. Processing methods
Processing is carried out using automated tools and with technical and organisational measures suitable to guarantee the security, integrity and confidentiality of the data, in compliance with art. 25 and 32 GDPR. Access to the data is restricted to authorised personnel of each controller and to external processors appointed under art. 28 GDPR. Measures in place include rate-limiting on public forms, anti-bot honeypot, minimal access logs, and segregation of application secrets via the cloud provider's secret manager.
6. Retention periods
- Server logs: kept for the time strictly required for technical and security purposes, in any case no longer than 12 months, unless an offence or ongoing dispute is detected.
- Contact / campaign form data: kept until completion of the request and for a maximum of 24 months thereafter, solely for legal defence purposes. Campaign parameters (qr_id, UTM) inherit the same retention as the lead they relate to.
- DreamApp newsletter: contact data is kept until consent is withdrawn, which can be done at any time via the unsubscribe link in every email or by writing to support@omnes.cloud. Withdrawal stops the sending by both controllers.
- Cookies: see the durations indicated in the Cookie Policy.
7. Recipients of the data
Data may be disclosed to the following entities, acting as processors under art. 28 GDPR or as independent controllers:
- Vercel Inc. (Site hosting) — 440 N Barranca Ave #4133, Covina, CA 91723, USA. Extra-EU transfer covered by the European Commission's Standard Contractual Clauses (SCC) and by Vercel's DPA.
- Mailjet SAS (Sinch group) — newsletter dispatch and contact list management, EU servers. Primary provider.
- Sendinblue / Brevo SAS — newsletter contact management, headquartered in France (EU). Fallback / legacy lists.
- Amazon Web Services EMEA SARL — Simple Email Service (SES): sending transactional emails triggered by contact forms.
- Google Ireland Ltd. — Google Analytics 4 for aggregated browsing statistics (subject to cookie consent). Any USA transfer is covered by SCC and the EU-US DPF.
- Meta Platforms Ireland Ltd. — Meta Pixel for ad campaign measurement (subject to cookie consent). Any USA transfer is covered by SCC and the EU-US DPF.
- Microsoft Ireland Operations Ltd. — Microsoft Clarity for session behaviour analytics (subject to cookie consent). Any USA transfer is covered by SCC and the EU-US DPF.
- Technical, tax and legal consultants appointed by each controller, only where strictly necessary.
- Judicial authorities, supervisory bodies and public agencies, where required by law.
Data is not disseminated or sold to third parties for their own commercial purposes other than those declared.
8. Extra-EU transfers
Some processors (notably Vercel, Google, Meta and Microsoft) are located in the United States or may transfer data outside the European Economic Area. Such transfers take place on the basis of:
- Standard Contractual Clauses (SCC) adopted by the European Commission under Decision 2021/914;
- adherence to the EU-US Data Privacy Framework (DPF), where applicable;
- supplementary technical and organisational measures in light of the Schrems II ruling (C-311/18).
9. Data subject rights
At any time, the data subject may exercise the rights granted by art. 15-22 GDPR against either of the joint controllers:
- right of access (art. 15);
- right to rectification (art. 16);
- right to erasure (“right to be forgotten”, art. 17);
- right to restriction of processing (art. 18);
- right to data portability (art. 20);
- right to object, including for direct marketing (art. 21);
- right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (art. 7.3);
- right not to be subject to automated decision-making, including profiling, producing legal effects (art. 22).
To exercise these rights it is enough to write to the single point of contact support@omnes.cloud. Alternatively, you can reach Pub New Dream S.r.l. via certified email at pubnewdreamsrl@pec.it. The joint controllers will reply jointly without undue delay and in any case within 30 days of the request (art. 12.3 GDPR).
10. Complaint to the supervisory authority
Without prejudice to any other administrative or judicial remedy, a data subject who believes the processing of their personal data infringes the GDPR has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) or with the supervisory authority of their Member State of residence, work or place of the alleged infringement (art. 77 GDPR).
11. Changes to this Privacy Notice
The joint controllers reserve the right to amend this Notice at any time, by publishing the updated version on the Site. We recommend checking this page regularly for the current version. The last update date is shown at the top of the document.