Privacy Policy

This Privacy Policy describes how LA MARCA DAVIDE (hereinafter, the «Controller» or «we») collects, processes, stores, and protects personal data through the website davidelamarca.com (hereinafter, the «Website») in accordance with the EU Regulation 2016/679 (hereinafter, «GDPR») and applicable national law. Using the Website implies acceptance of the terms in this Policy. If you do not accept them, please do not use the Website.

• LA MARCA DAVIDE
• VAT: 02804090039
• Website: davidelamarca.com
• Email: [email protected]

Project requests must be submitted exclusively via the dedicated form available at the contact page. For any questions regarding this Privacy Policy or the exercise of rights, please contact the above references. No Data Protection Officer (DPO) has been appointed.

For the purposes of this Privacy Policy, the following definitions apply:

• Personal data: any information relating to an identified or identifiable natural person;
• Data subject/User: the natural person to whom the personal data relates;
• Processing: any operation or set of operations performed on personal data;
• Data controller: the natural or legal person who determines the purposes and means of the processing;
• Data processor: the natural or legal person who processes data on behalf of the controller;
• Tracker/Cookie/localStorage: tools that allow information to be stored on the User's device.

• Data voluntarily provided by the User (via form): first and last name (mandatory); email address (mandatory); company name (optional); phone number (optional); project details and specifications (e.g., budget, type, reference links).
• Automatically collected data (Usage Data): technical navigation and communication data (IP address, device and browser type, visited pages, requested URIs, response times, HTTP status code, etc.); system logs and diagnostics.

No special categories of data (sensitive data) are collected through the Website.

Personal Data are processed for the following purposes with the corresponding legal bases:

• Handling requests submitted via the contact form – purpose: evaluation and possible response to inquiries or requests for quotes; legal basis: pre-contractual measures requested by the Data Subject (Art. 6, par. 1, lett. b GDPR) and, if applicable, legitimate interest to engage in collaboration opportunities (Art. 6, par. 1, lett. f GDPR).
• Execution and management of contractual relationships – purpose: contract performance and related obligations; legal basis: contract execution (Art. 6, par. 1, lett. b GDPR).
• Accounting and tax record-keeping – purpose: compliance with legal obligations; legal basis: fulfillment of legal obligations (Art. 6, par. 1, lett. c GDPR).
• Ensuring security and abuse prevention – purpose: protection of the Website and the Controller's interests; legal basis: legitimate interest of the Controller (Art. 6, par. 1, lett. f GDPR).
• Aggregate traffic analysis – purpose: analyzing Website usage in an anonymous and non-intrusive manner; legal basis: legitimate interest of the Controller (Art. 6, par. 1, lett. f GDPR).

Data will not be subject to automated profiling nor sold or shared with third parties for commercial purposes.

Processing is carried out using manual, IT, and telematic tools, strictly linked to the purposes indicated, and with technical and organizational measures to ensure data security, confidentiality, and integrity. Access to Data is limited to authorized personnel and external processors appointed by the Controller. Data are processed according to principles of minimization, purpose limitation, and limited retention time.

To carry out the activities related to the above purposes, the Controller uses the following third-party providers and services (role indicated):

• Web3Forms: technical management of the contact form; submissions are forwarded via email to the Controller; Web3Forms states that it does not permanently store submissions and periodically deletes logs. See Web3Forms Privacy Policy.
• Cloudflare: protection services (WAF), CDN, partial hosting, and aggregate traffic analysis through Cloudflare Web Analytics, used in a way that does not employ personal tracking cookies. See Cloudflare Privacy Policy.
• Zoho: management of the professional email account where submissions are received. See Zoho Privacy Policy.

The services listed in this document may involve transferring Data to third countries. Where transfers outside the European Union occur, the Controller adopts adequate safeguards (such as standard contractual clauses approved by the European Commission, SCCs, or other recognized guarantees) to ensure a level of protection substantially equivalent to GDPR. Copies of these safeguards are available upon request.

Personal Data will be retained for as long as necessary to fulfill the purposes for which they were collected and, in any case, within the limits and periods provided by applicable law:

• Data submitted via form (unconverted leads): retained for handling requests and follow-ups for a period not exceeding 12 months from the last interaction, unless the Data Subject consents to a longer duration or legal obligations dictate otherwise.
• Data related to contracts/projects: retained for the duration of the contractual relationship and subsequently for the period necessary to fulfill legal and tax obligations.
• System logs and security data: retained for the duration necessary for security and diagnostics, usually no more than 12 months, unless investigative needs or legal obligations apply.
• Anonymized statistical data: retained in aggregated, non-identifiable form indefinitely.

After the retention period, Data will be deleted or irreversibly anonymized.

The Website uses exclusively:

• Cloudflare Web Analytics, a traffic analysis system that does not use personal tracking cookies and provides aggregated, non-identifiable data;
• Browser localStorage solely for saving the user's theme preference (light/dark mode).

No other profiling or third-party tracking tools are used. If additional cookies or trackers are introduced in the future, a specific notice will be provided, and consent will be requested when required by law.

The Controller adopts appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Measures include using secure protocols (HTTPS), firewalls and protections provided by Cloudflare, access control, and backups. In case of a security breach that may pose a risk to the rights and freedoms of Data Subjects, the Controller will take notification measures as required by GDPR, including notification to the supervisory authority and, if necessary, to Data Subjects.

Data may be shared only with parties necessary for the purposes described above (service providers, consultants, competent authorities when required by law). Data are not disclosed or transferred to third parties for commercial purposes.

Data Subjects may exercise at any time the rights under Articles 15-22 of the GDPR, including: access, rectification, erasure (right to be forgotten), restriction of processing, objection, data portability, and withdrawal of consent (where processing is based on consent).

Such rights may be exercised by submitting a written request to [email protected]. Requests will be processed within the terms and conditions established by GDPR. The Controller may request reasonable information to verify the identity of the Data Subject if necessary to protect rights and security; except for exceptional cases, identity documents are not required for ordinary requests.

In case of disputes regarding the processing of personal data, the Data Subject also has the right to lodge a complaint with the Data Protection Authority.

Requests regarding rights may be submitted free of charge. If a request is manifestly unfounded or excessive, the Controller may charge a reasonable fee or refuse to act, in accordance with GDPR. After exercising rights, the Controller will inform any recipients to whom Data were communicated if necessary and not disproportionate.

Personal Data may be used for establishing, exercising, or defending a legal right in court or administrative proceedings and for compliance with legal obligations.

The Website is not directed at minors, and we do not knowingly collect personal data from individuals under 16 years of age. If we become aware of data from a minor under 16 without parental or guardian consent, we will take steps to delete such data. Minors or their parents/guardians may request deletion of data by contacting [email protected].

The Controller reserves the right to modify or update this Privacy Policy. Any substantial changes will be published on this page with the update date. Users are advised to check this page periodically for changes.