Privacy Policy & Legal Notice

Last updated: March 2026

1. Data Controller

By browsing and using the services offered on this website, data relating to identified or identifiable natural persons may be processed.

  • Data Controller: Luca Scaruffi
  • Registered Office: Via Pramaggiorino 12, Castelnovo ne' Monti (RE) 42035, Italy
  • VAT Number: 03130120359
  • Contact Email: Email

This notice is drafted in compliance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Personal Data Protection Code), as amended by Legislative Decree 101/2018.

2. Types of Data Collected and Purposes

Data voluntarily provided by the user

The optional, explicit, and voluntary sending of messages through the contact form or to the addresses shown on this site involves the subsequent acquisition of the sender's address (necessary to respond to requests), as well as any other personal data (such as first and last name) included in the communication.

Such data will be used exclusively to respond to user requests (e.g., service information, quote requests) and will not be shared with third parties for marketing purposes without explicit consent.

Browsing data

The IT systems and software procedures used to operate this site acquire, during their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols (e.g., IP addresses, browser type, operating system). These data are used solely to obtain anonymous statistical information about site usage and to verify correct operation.

Security and anti-abuse data

To protect the contact form from spam and automated abuse, the system processes technical security data such as IP address (or, when unavailable, a reduced user-agent identifier), request timestamp, and outcomes of validation and rate-limiting checks. These data are processed exclusively for security, fraud prevention, and service continuity.

3. Legal Basis for Processing

The Data Controller processes personal data relating to the User if one of the following conditions applies:

  • The User has given consent for one or more specific purposes (e.g., sending a message through the contact form - Art. 6(1)(a)).
  • Processing is necessary for the performance of a contract with the User or to take pre-contractual steps (Art. 6(1)(b)), such as preparing a collaboration proposal or a quote.
  • Processing is necessary for the legitimate interests pursued by the controller (Art. 6(1)(f)), such as managing incoming communications and ensuring site security.

4. Recipients, Processing Location, and International Transfers

Data processing is carried out using IT and telematic tools, with methods strictly related to the stated purposes and, in any case, in a way that ensures data security and confidentiality in compliance with the GDPR (Regulation (EU) 2016/679).

Personal data may be processed by trusted service providers acting as processors (where applicable under Art. 28 GDPR), including:

  • Vercel: hosting infrastructure, runtime, and technical platform logs.
  • Upstash: Redis infrastructure used for contact-form anti-abuse rate limiting.
  • Resend: transactional email delivery for contact-form messages.

Where possible, EU regions are preferred for data localization. Depending on infrastructure and routing, some data may still be processed outside the EEA (including the United States). In such cases, transfers rely on applicable safeguards, including European Commission adequacy decisions (such as the EU-U.S. Data Privacy Framework) and/or Standard Contractual Clauses (SCCs).

The site is hosted on secure infrastructure and implements SSL certificates (HTTPS) for encrypted data transmission. No profiling techniques or automated decision-making processes are used.

Official references: Vercel Privacy Policy, Vercel DPA, Vercel Compliance, Upstash Compliance, Upstash DPA, Resend GDPR.

5. Data Retention Period

Personal Data are processed and stored for the time required by the purposes for which they were collected.

  • Personal Data submitted through the contact form are retained for the time needed to handle the request and any related pre-contractual follow-up.
  • Anti-abuse rate-limiting counters are stored with short automatic expiry windows aligned with the implemented security rules (30 seconds, 10 minutes, and 24 hours).
  • Technical and security logs are retained for a limited period according to provider configuration and only for security monitoring, abuse prevention, and incident handling.
  • When no longer necessary, data are deleted or anonymized where applicable.

6. User Rights

At any time, the user may exercise their rights under Articles 15 and following of Regulation (EU) 2016/679 (GDPR), including:

  • Withdraw consent at any time.
  • Object to the processing of your Data when it is based on legal grounds other than consent.
  • Access your Data and receive a copy.
  • Verify accuracy and request correction of your Data.
  • Obtain restriction of processing.
  • Obtain deletion or removal of Data (Right to be Forgotten).
  • Receive your Data in a structured format and have them transferred to another controller (data portability).
  • Lodge a complaint with the supervisory authority (Italian Data Protection Authority - www.garanteprivacy.it).

Requests should be addressed to the Data Controller by writing to the following email address: Email.

Cookie Policy

This website does not use profiling or tracking cookies (such as Google Analytics, Meta Pixel, etc.) for advertising purposes or invasive behavioral analysis.

Only Technical Cookies strictly necessary to ensure normal browsing and proper website functionality are used (e.g., load balancing, security, caching preferences). Under EU directives and Italian law, these cookies do not require prior user consent through a blocking banner.

By continuing to browse, the user implicitly accepts the use of these essential cookies required for proper technical operation of the interface.