Marco Papale

Privacy Policy

Last updated: November 23, 2025 | Version: 1.0.0

This privacy policy describes how Marco Papale (hereinafter, the "Data Controller") processes the personal data of users who visit the website www.marcopapale.net (hereinafter, the "Website").

This policy is drafted in accordance with:

  • Regulation (EU) 2016/679 ("GDPR")
  • Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018

We invite you to read this page carefully to understand how your personal data is processed.

1. Definitions

Personal Data
Any information relating to an identified or identifiable natural person (e.g., name, email, IP address).
Data Subject
The natural person to whom the data refers.
Data Controller
The entity that determines the purposes and means of processing personal data.
Data Processor
An external entity that processes personal data on behalf of the Controller, following a contractual appointment pursuant to Art. 28 GDPR.
Browsing Data
Information automatically collected by computer systems through Internet communication protocols (e.g., IP address, technical logs).
Contact Form
Website functionality that allows users to send information requests to the Controller.
Technical Cookies
Cookies necessary for the operation and security of the Website.

2. Data Controller

Marco Papale

Palermo, Italy

VAT: IT 07219880825

Email: privacy@marcopapale.net

Data Protection Officer (DPO): The Controller has not appointed a DPO, as the legal requirements do not apply.

3. Types of Data Processed and Purposes

3.1. Browsing data

During browsing, some technical data is automatically collected, including:

  • IP address
  • request time
  • pages visited
  • browser and operating system information
  • technical logs related to security and firewall (e.g., bot blocking, DDoS mitigation)

This data is used to:

  • enable Website navigation
  • monitor proper functioning and performance
  • prevent unauthorized access or malicious activities
  • comply with any judicial authority requests

Legal basis: legitimate interest of the Controller in the security and functionality of the Website (Art. 6, par. 1, lett. f GDPR). This interest is balanced and does not override the rights and freedoms of the Data Subject, as the processing concerns only necessary technical data retained for very short periods.

Browsing data is retained for a period between 7 and 30 days.

3.2. Data voluntarily provided through the contact form

Through the contact form, users can send communications to the Controller. The data collected includes:

  • first and last name
  • email address
  • phone number
  • message content
  • any additional information entered in the free text field

Processing purposes

  • respond to requests sent by the Data Subject
  • provide information or assistance
  • establish any pre-contractual or contractual relationships

Legal basis

  • execution of pre-contractual or contractual measures requested by the Data Subject (Art. 6, lett. b GDPR)
  • legal obligations that may apply (Art. 6, lett. c GDPR)

Mandatory nature of data provision

Providing data is optional. However, failure to enter data marked as mandatory prevents the Controller from responding to the request or providing the requested information.

4. Processing Methods

Processing is carried out using computer and telematic tools, in compliance with adequate technical and organizational measures (Art. 32 GDPR), aimed at ensuring:

  • security
  • confidentiality
  • integrity
  • availability of personal data

No automated decision-making processes or profiling activities are carried out.

5. Retention Period

Data sent through the contact form

  • retained for the time necessary to provide a response;
  • if a professional relationship is established, retained for the duration of the relationship and subsequently for 10 years for civil and tax obligations.

Technical logs and browsing data

  • generally retained for 7–30 days, except for further retention in case of investigations into illegal activities.

At the end of the retention period, data is deleted or anonymized.

6. Service Providers and Extra-EU Transfers

6.1. Cloudflare, Inc. (USA)

The Website uses services from Cloudflare, Inc. (USA) for:

  • Content Delivery Network (CDN)
  • application firewall and DDoS protection
  • caching and traffic optimization
  • distribution of static content through Cloudflare Pages
  • application security and attack mitigation

In delivering the Website's static content (HTML, CSS, JavaScript, images) through Cloudflare Pages, as well as managing traffic and protection features, Cloudflare automatically processes some technical data, including:

  • IP address
  • request date and time
  • browser and operating system information
  • security parameters
  • firewall and bot-management logs (e.g., __cf_bm)

This data is necessary to ensure content distribution, Website security, DDoS attack mitigation, and proper infrastructure functioning.

Personal data transfers to non-EU countries

Since Cloudflare is a US company, some processing may involve the transfer of personal data to the United States or other third countries where Cloudflare or its subsidiaries operate.

The transfer is based on Standard Contractual Clauses (SCCs) approved by the European Commission (Arts. 46 and 47 GDPR), supplemented by technical and organizational measures compliant with EDPB Guidelines 01/2020, including:

  • minimization and pseudonymization of IP addresses and logs
  • end-to-end encryption of communications (HTTPS/TLS)
  • reduction of technical log retention times
  • data center location primarily in the European Union
  • strict access controls and logical segregation of information
  • inability for Cloudflare to use data for purposes other than security and service delivery

These measures ensure a level of protection substantially equivalent to that provided by the GDPR.

More information

For further details on Cloudflare's processing practices and adopted measures, please visit:

6.2. Infomaniak Network SA (Switzerland)

The Controller uses Infomaniak for:

  • DNS and hosting services
  • email management
  • document management and storage

Switzerland is recognized as an adequate country pursuant to Art. 45 GDPR.

Infomaniak Privacy Policy: https://www.infomaniak.com/en/legal/confidentiality-policy

7. Data Recipients

Personal data may be communicated to the following categories of recipients:

a) Data Processors (Art. 28 GDPR)

Entities that process personal data on behalf of the Controller, following an appointment compliant with Art. 28 GDPR. These include:

  • technical providers necessary for Website operation
  • Cloudflare and Infomaniak (hosting, security, email, document storage)
  • collaborators and consultants who process data on behalf of the Controller

An updated list of Processors is available upon request via email.

b) Independent Controllers

In certain specific circumstances, data may be communicated to entities operating as independent controllers, such as:

  • public or judicial authorities
  • professional consultants (legal, tax, accounting)

c) No Dissemination

Personal data is not disseminated.

8. Cookies and Tracking Technologies

The Website uses only technical cookies, necessary for:

  • ensuring security and DDoS mitigation
  • optimizing network traffic
  • enabling proper page functioning

The Website does not use:

  • profiling cookies
  • third-party cookies
  • analytics tools (Google Analytics, Matomo, advertising pixels)

Since no non-technical cookies are present, a consent banner is not required.

In case of future changes, the Controller will update this policy and, if necessary, implement a consent management system.

9. Data Subject Rights

The Data Subject may exercise at any time the rights provided by Arts. 15–22 GDPR:

  • access - obtain confirmation of the existence of personal data and receive a copy
  • rectification - correct inaccurate or incomplete data
  • erasure - obtain data deletion (right to be forgotten)
  • restriction - restrict processing in certain circumstances
  • objection - object to processing for legitimate reasons
  • portability - receive data in a structured format and transmit it to another controller

The Data Subject may also file a complaint with:

  • the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), or
  • the supervisory authority of the Member State where they habitually reside.

Withdrawal of consent: if in the future processing is based on consent, the Data Subject may withdraw it at any time, without prejudice to the lawfulness of processing prior to withdrawal.

To exercise your rights:

Email: privacy@marcopapale.net

The Controller responds to requests within 30 days pursuant to Art. 12 GDPR.

10. Security Measures

The Controller adopts adequate technical and organizational measures, including:

  • encryption of communications via HTTPS/TLS
  • firewall and intrusion prevention systems
  • anti-DDoS protections
  • controlled and limited access
  • backup and monitoring procedures

11. Changes and Updates

This policy may be updated for:

  • regulatory changes
  • technological variations
  • changes in processing activities

The updated version will be published on this page.