Privacy policy
Last updated: 2026-05-13
The 10k Wall is a small fundraising project run by Carlo Esposito (Italy). This page describes the personal data the site processes, why, on what legal basis, and what rights you have under the EU General Data Protection Regulation (GDPR) and Italian privacy law (D.Lgs. 196/2003 as amended).
Questions, deletion requests, or correction requests: privacy@aploi.de.
Data we collect
- Email address — required to process your purchase. Stripe sends the receipt to this address; we store it on the purchases row alongside the cells you bought, so we can contact you if a payment problem comes up.
- Optional metadata — display name, link URL, and tooltip text you supply during checkout. These are shown publicly when other visitors hover over your pixels.
- Payment data — handled by Stripe (see “Sub-processors” below). The site never sees your card number; we only retain Stripe’s session and payment-intent identifiers so we can match a payment to its pixels for refunds, disputes, and audit.
- IP address — kept in memory for the duration of the per-IP rate-limit window (60 seconds by default) on /api/checkout. Not written to durable storage.
- Bot-challenge token — Cloudflare Turnstile receives the IP and a one-time challenge token when you submit the purchase form. Cloudflare may set a short-lived cookie on the challenge subdomain (see /cookies).
Why we process it
- To fulfil your purchase and deliver the pixels you paid for (GDPR Art. 6(1)(b) — performance of a contract).
- To prevent abuse of the checkout endpoint via per-IP rate limiting and bot challenges (GDPR Art. 6(1)(f) — legitimate interests).
- To meet our tax / accounting obligations on funds raised (GDPR Art. 6(1)(c) — legal obligation).
Retention
Purchase records (email, Stripe identifiers, pixel ownership) are kept indefinitely so the wall remains visible and we can satisfy future tax / audit requests. You can ask us to delete or anonymise your record at any time (see “Your rights”); on deletion we keep the (x, y, color) cells on the wall but unlink the email and Stripe identifiers from the buyer record.
Sub-processors
- Stripe Payments Europe, Ltd. (Ireland) — payment processing. Their privacy policy: stripe.com/privacy.
- Supabase, Inc. (USA, EU regions available) — database hosting for the wall. Their privacy policy: supabase.com/privacy.
- Cloudflare, Inc. (USA) — bot-challenge (Turnstile). Their privacy policy: cloudflare.com/privacypolicy.
Personal data may therefore be transferred outside the EEA. Each sub-processor relies on Standard Contractual Clauses or an adequacy decision for those transfers.
Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent (where consent is the legal basis). Email privacy@aploi.de with the email address you used at checkout and the action you’d like us to take. We aim to respond within 30 days (Art. 12(3) GDPR).
If you believe we’ve mishandled your data you can complain to the Italian Garante per la protezione dei dati personali or to your local supervisory authority.
Changes
Substantive changes to this policy will be reflected in the “Last updated” date at the top of the page, and where appropriate buyers will be notified by email.
See also: Terms of service · Cookies.