Privacy Policy and Cookie Policy

Last updated: April 2026

This policy describes how the personal data of users visiting this website is collected, used, and protected, in compliance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679).

1. Data Controller

The Data Controller is Stefano Videsott, domiciled in Trento (TN), Italy.
Contact email: [email protected]

2. Data Collected and Purposes

  • Data provided voluntarily (Contact Form): When you fill out the contact form, we collect your Name, Email address, and the content of your Message. This data is used exclusively to respond to your contact request and for no other purpose. The legal basis is your explicit consent (Art. 6(1)(a) GDPR), given by checking the consent box before submitting the form. You may withdraw your consent at any time by contacting the Data Controller; this will not affect the lawfulness of any processing carried out before withdrawal.
  • Navigation data and Security: During navigation, the computer systems responsible for operating the site acquire certain data (e.g., anonymized IP addresses, user agents) whose transmission is implicit in the use of Internet protocols. This data serves solely to ensure site security and block cyber attacks or bots.

3. Technical and Analytics Tools

This site is built to maximize user privacy and does not use advertising profiling services. However, it relies on essential technical services:

  • Cloudflare (Reverse Proxy & CDN): All traffic between visitors and this site passes through Cloudflare's network before reaching the origin server. As a full reverse proxy, Cloudflare processes request-level data — including IP addresses, HTTP headers, and requested URLs — to perform DDoS mitigation, bot detection, and content delivery. Cloudflare acts as a Data Processor on behalf of the Controller pursuant to Art. 28 GDPR. Cloudflare, Inc. is also used to serve Font Awesome icon assets via its public CDN (cdnjs.cloudflare.com), which involves an equivalent connection from the visitor's browser.
  • Cloudflare Turnstile: An anti-spam verification system integrated into the contact form. It verifies that the user is human without using tracking cookies.
  • Cloudflare Web Analytics: A natively cookie-less and anonymized visit measurement system, which does not track the user across different websites.
  • Sentry: Platform for monitoring server technical errors. It collects technical diagnostic data (error logs, stack traces, and request metadata such as URL paths and HTTP methods) in the event of a site error to allow for its correction. The Sentry SDK is configured with send_default_pii=False, which explicitly prevents personal data such as visitor IP addresses and user agents from being included in error reports.
  • Umami Analytics: We use a self-hosted instance of Umami (at umami.stefanovidesott.com) to analyze website traffic. Umami is a privacy-focused open-source solution: it does not use cookies, does not collect personal data (IP addresses are cryptographically anonymized), and statistical data remains the exclusive property of the Data Controller, without being shared with third parties.
  • Google Fonts: Web fonts (Roboto, Montserrat) are loaded directly from Google's servers (fonts.googleapis.com, fonts.gstatic.com). Each page load causes the visitor's browser to establish a direct connection to Google LLC (USA), which transmits the visitor's IP address to Google. Google LLC participates in the EU-U.S. Data Privacy Framework (Art. 45 GDPR adequacy decision), which provides an adequate level of protection for this transfer. For details, see Google's Privacy Policy.

4. Cookie Policy (Technical Cookies Only)

This site does not use profiling or marketing cookies. We do not use tools like Google Analytics or Meta Pixel.

The following Strictly Necessary Technical Cookies may be present:

Cloudflare Security Cookies: As an inherent function of the Cloudflare reverse proxy, the following cookies may be set at the network edge, independently of this site's application code:

  • __cf_bm — Cloudflare Bot Management. A short-lived cookie (30-minute expiry) used to distinguish human visitors from automated bots. It does not track users across sites.
  • cf_clearance — Set only if a visitor successfully completes a security challenge. It records the challenge pass to avoid repeating it on subsequent requests. It does not contain personal data beyond a session token.

Since none of the above cookies are used for profiling or commercial tracking purposes, current legislation does not require a prior consent banner.

The theme key stored in the browser's localStorage (not a cookie) records only the visitor's chosen colour theme (light/dark). It contains no personal data and never leaves the device.

5. Data Retention

Emails received via the contact form are retained in the Data Controller's email inbox for a maximum period of 12 months from receipt, unless the subject matter of the request requires a longer retention period (e.g. an ongoing professional engagement), in which case data is kept only for the duration strictly necessary. They are not added to any newsletter or marketing database without explicit consent.

In the event of a technical failure in email delivery, the submitter's Name and Email address may be temporarily recorded in the application's server logs (container stdout). These logs are rotated and permanently deleted within 30 days.

Anonymized, aggregate analytics data collected by Umami and Cloudflare Web Analytics (containing no personal data) is retained indefinitely for statistical purposes.

7. International Data Transfers

Some of the technical services described in Section 3 are operated by companies based outside the European Economic Area (EEA), principally in the United States of America. Where such transfers occur, the following safeguards are in place:

Cloudflare, Inc. (USA) — acts as a Data Processor for CDN/proxy services, Turnstile CAPTCHA, and Web Analytics. Cloudflare is certified under the EU-U.S. Data Privacy Framework (Commission Adequacy Decision of 10 July 2023, Art. 45 GDPR), which provides a legally adequate basis for the transfer.

Google LLC (USA) — processes visitor IP addresses to serve Google Fonts. Google LLC is certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR adequacy decision).

Functional Software, Inc. / Sentry (USA) — processes technical error data (no personal data, as detailed in Section 3). Transfers are covered by Standard Contractual Clauses (Art. 46(2)(c) GDPR) incorporated in Sentry's Data Processing Addendum.

No other personal data is transferred outside the EEA. All other infrastructure (web server, database, analytics) is self-hosted within the European Union.

6. User Rights

Under Articles 15 and following of the GDPR, you have the right to request access to your personal data at any time, its rectification, deletion, restriction of processing, and — where consent is the legal basis — its portability and withdrawal of consent. You also have the right to lodge a complaint with the competent supervisory authority: in Italy, the Garante per la protezione dei dati personali (www.garanteprivacy.it). To exercise your rights directly with the Data Controller, send an email to [email protected].