Privacy Policy
1. Data Controller
This website (mirkocazzolla.it) is operated by Mirko Cazzolla (CZZMRK90L09C78W), acting as Data Controller under Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
Registered office: Via Filomeno Consiglio 4, 72100 Brindisi
For any privacy-related request or inquiry, you can contact me directly at: info@mirkocazzolla.it
Data Protection Officer (DPO)
I have not appointed a DPO, as the mandatory conditions under Art. 37(1) GDPR do not apply: I am not a public authority, I do not carry out systematic large-scale monitoring of data subjects, and I do not process special categories of data (Art. 9) or data relating to criminal convictions (Art. 10) on a large scale as a core activity.
2. What data I process and why
2a. Analytics - Umami Cloud (EU region)
This site loads Umami Analytics only if you give explicit consent via the cookie banner. The service is provided by Umami Software Inc. through its cloud infrastructure with EU data residency (Germany region - eu.umami.is).
Data collected:
- Page URL and referrer
- Browser type and operating system
- Screen resolution and device category
- Country of origin (derived from the IP address - the IP itself is not stored)
- Pseudonymized session identifier generated server-side
Umami does not use advertising cookies, does not create cross-site tracking profiles, and does not share data with third parties for marketing purposes.
- Legal basis: Consent (Art. 6(1)(a) GDPR)
- Retention: 13 months from collection, then aggregated into non-attributable form
- Location: Germany (EU) - no extra-EU transfer
2b. Contact Form - Forminit
When you submit the contact form, your message is processed by Forminit (UXPLUS LTD, United Kingdom) and delivered to my email inbox. Data is hosted on AWS servers in Ireland (EU).
Data collected: name, email address, engagement type, timeline, message content.
Purpose: to respond to your inquiry and, where appropriate, to start a professional relationship.
Legal basis:
- Performance of pre-contractual measures taken at the data subject's request (Art. 6(1)(b) GDPR);
- Legitimate interest (Art. 6(1)(f) GDPR) in archiving received communications for the purposes of managing professional relationships and defence in any disputes, should your request not lead to a contract.
Retention:
- Inquiries that do not lead to a contract: 12 months from receipt;
- Inquiries leading to a professional relationship: duration of the engagement + 10 years (under Italian Civil Code Art. 2220 and Presidential Decree 600/1973 Art. 22 for tax and civil law obligations).
Provision of data: optional. Refusing to provide the required fields makes it impossible to respond.
Transfers: the United Kingdom benefits from an EU adequacy decision (Commission Decision 2021/1772); data is nonetheless stored on servers within the EU (Ireland).
2c. Hosting - Firebase / Google
This site is hosted on Firebase Hosting (Google LLC, USA). Firebase retains standard server access logs (IP address, requested URL, timestamp, HTTP status code, User-Agent) for security and operational purposes.
- Purpose: ensure availability, performance and security of the site.
- Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in IT security.
- Retention: 6-12 months for operational logs; security logs only for the time required by the investigation.
- Extra-EU transfer: yes - see Section 4.
3. Summary table
| Processing | Legal basis | Retention | Consent | Extra-EU |
|---|---|---|---|---|
| Umami Analytics | Art. 6(1)(a) (consent) | 13 months | Yes | No (EU) |
| Contact form (Forminit) | Art. 6(1)(b) + 6(1)(f) | 12 months / engagement + 10 years | No | No (EU/UK) |
| Firebase Hosting | Art. 6(1)(f) (legitimate interest) | 6-12 months | No | Yes (USA) |
4. Extra-EU data transfers
Some providers are established in the United States. To ensure a level of protection equivalent to that of the European Union, in accordance with Art. 44-46 GDPR, the following safeguards are in place:
- Google LLC (Firebase Hosting): EU-U.S. Data Privacy Framework (EU adequacy decision 2023/1795); in addition, Standard Contractual Clauses (Commission Decision 2021/914) for residual cases not covered by the DPF.
- Umami Software Inc. (US parent company): no actual transfer takes place - data remains in the EU (Germany) region of Umami Cloud.
- Forminit / UXPLUS LTD (United Kingdom): EU adequacy decision 2021/1772; data is stored on AWS servers in the EU (Ireland).
You may request a copy of the safeguards adopted (including SCCs) by writing to info@mirkocazzolla.it.
5. Recipients and Data Processors
Your data may be communicated to the following parties, each acting as Data Processor under Art. 28 GDPR pursuant to a dedicated Data Processing Agreement (DPA):
- Google LLC / Google Ireland Ltd. - Firebase Hosting (Firebase Data Processing and Security Terms)
- Umami Software Inc. - Umami Analytics (only after consent)
- UXPLUS LTD (Forminit) - Contact form processing (DPA + UK GDPR)
Data is never sold or transferred to third parties for commercial or marketing purposes.
6. Cookies & Local Storage
This site does not set profiling cookies. It uses browser localStorage for functional preferences and, if you accept analytics, Umami may set one or more session cookies.
For a full breakdown of all cookies and localStorage entries, see the dedicated Cookie Policy.
7. Your Rights
Under Art. 15-22 GDPR you have the right to:
- Access (Art. 15) - obtain confirmation of processing and a copy of your data;
- Rectification (Art. 16) - correct inaccurate or incomplete data;
- Erasure / right to be forgotten (Art. 17);
- Restriction (Art. 18) - request suspension of processing;
- Portability (Art. 20) - receive your data in a structured format;
- Object (Art. 21) - object to processing based on legitimate interest;
- Withdraw consent (Art. 7(3)) - at any time, without affecting prior lawful processing. You can withdraw analytics consent via the Cookie settings link in the footer.
To exercise your rights, write to info@mirkocazzolla.it. I will respond within 30 days (Art. 12(3) GDPR), extendable by a further 60 days in case of particular complexity. Exercise is free of charge, except for manifestly unfounded or excessive requests.
Right to lodge a complaint with the Supervisory Authority
If you believe the processing of your data infringes the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (Art. 77 GDPR): www.garanteprivacy.it - Piazza Venezia 11, 00187 Rome - email: protocollo@gpdp.it - PEC: protocollo@pec.gpdp.it.
8. Automated decision-making and profiling
I do not use automated decision-making, including profiling, under Art. 22 GDPR.
9. Minors
This site is not intended for minors under 14 years of age (threshold set by Art. 2-quinquies of the Italian Privacy Code). I do not knowingly collect data from minors. If you become aware that a minor has provided data through this site, please contact me and I will arrange for its deletion.
10. Data security
I implement appropriate technical and organisational measures under Art. 32 GDPR: HTTPS connections with TLS 1.2+, access protected by two-factor authentication, regular backups, selection of providers certified SOC 2 / ISO 27001 where available, application of the principle of least privilege.
11. Changes to This Policy
This policy may be updated to reflect regulatory, technical or organisational changes. For material changes, you will be notified via a visible notice on the site. For changes affecting consent-based processing, I will request a new explicit consent.
12. Contact
For any privacy-related inquiry, to exercise your GDPR rights, or to request a copy of the safeguards adopted for extra-EU transfers: