Privacy Policy

Last updated: May 21, 2026

This Privacy Policy describes how the website www.andreapiani.com (hereinafter "Website") collects, uses, and protects users' personal data, in compliance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679).

1. Types of Data Collected

The Controller collects the following types of personal data:

1.1 Data Provided Voluntarily by the User

When you fill out contact or quote request forms on the Website, we collect:

• Name and Surname
• Email
• Phone Number (optional)
• Company/Organization (optional)
• Project Description and other technical information provided in forms

1.2 Navigation Data (first-party server-side analytics)

During navigation, the Website automatically collects the following data through its first-party server-side endpoint /api/log-event.php (hosted on the same domain) for aggregate statistics exempt from prior consent under the Italian DPA Guidelines of 10/06/2021 §7.1:

• IP Address — never stored in clear; transformed into a SHA-256 hash with a secret server-side salt (irreversible), used only for aggregate counts of daily unique visitors
• User Agent (truncated): browser type, version, device, operating system
• Pages visited, access time, event type (page_view, whatsapp_click)
• Referrer (originating site)
• Screen size and browser language

All this data is collected in pseudonymous and aggregate form, retained for maximum 90 days on the Owner's server (automatic weekly purge) and never shared with third parties. No cookie is set for these statistics.

1.3 Cookies and Tracking Technologies

The Website uses:

• Necessary technical cookies: only cookie_consent to remember your consent preferences (12 months).
• localStorage / sessionStorage: see Cookie Policy §5 for the full list. Relevant entries include aaiPV_* (page-view dedup, session-scoped), aai_sid + aai_csrf (chat session and CSRF token, created only after the dedicated AI consent), and andreaAiHistory / andreaAiConsent / andreaAiRate (chat-related).
• Third-party analytical cookies: none currently active. If activated in the future, an explicit consent will be requested via the cookie banner.

For more details, see our Cookie Policy.

2. Purpose of Processing and Legal Basis

Purpose	Legal Basis (GDPR)	Retention Period
Respond to quote/contact requests	Performance of pre-contractual measures (Art. 6.1.b GDPR)	12 months from request
Send commercial communications/newsletter	Explicit consent (Art. 6.1.a GDPR)	Until consent withdrawal
Tax and accounting compliance	Legal obligation (Art. 6.1.c GDPR)	10 years (tax obligation)
Aggregate first-party traffic statistics (/api/log-event.php)	Legitimate interest (Art. 6.1.f GDPR) — SHA-256 pseudonymized IP, single-domain, no third parties, no profiling (Italian DPA Guidelines 10/06/2021 §7.1: consent-exempt)	90 days (weekly automated purge via cron)
Website security and abuse prevention	Legitimate interest (Art. 6.1.f GDPR)	12 months (server logs)

3. Processing Methods

Personal data is processed using IT and telematic tools, in compliance with GDPR security measures. Processing is carried out:

• ✓ With predominantly automated methods
• ✓ For the time strictly necessary for the purposes for which they were collected
• ✓ With access limited only to the Controller and authorized data processors
• ✓ Adopting adequate technical and organizational security measures (HTTPS encryption, backups, firewalls)

4. Data Communication and Disclosure

4.1 Data Recipients

Your personal data may be communicated to:

• Site hosting provider — Shared PHP/MySQL web hosting for andreapiani.com (Italy/EU)
• Formspree Inc. — Form management service (USA) — Privacy Policy
• Google LLC — Google Fonts only (USA) — Privacy Policy
• DeepSeek — Andrea AI chatbot LLM API (China) — only if you actively use the chatbot and grant the dedicated consent
• Accountant / tax consultants — Only for contractual/tax compliance

Transfers outside the EU: Some providers (Formspree, Google Fonts) are based in the USA; DeepSeek is based in China (transfer based on Art. 49.1.a explicit consent for the AI chatbot only). Transfer to USA providers occurs through:

• ✓ Standard contractual clauses approved by the European Commission
• ✓ Adequate safeguards provided by Art. 44-49 GDPR

4.2 No Public Disclosure

Your personal data will never be publicly disclosed or sold to third parties for commercial purposes.

5. Your Rights (Art. 15-22 GDPR)

As a data subject, you have the right to:

6. Data Security

The Controller adopts adequate technical and organizational security measures to protect personal data from unauthorized access, loss, destruction, or disclosure, including:

• ✓ HTTPS/SSL encryption for all communications
• ✓ Regular backups of data
• ✓ Firewalls and antivirus systems kept up to date
• ✓ Limited access to data only by authorized personnel
• ✓ Pseudonymization of data when possible

7. Cookies and Similar Technologies

The Website uses necessary technical cookies and, with prior consent, analytical cookies. For detailed information on:

• Types of cookies used
• Duration and purposes
• How to manage/disable cookies

See our Cookie Policy.

8. Minors

The Website's services are not directed at minors under 16 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data, contact us for immediate deletion.

9. Changes to the Privacy Policy

This Privacy Policy may be updated periodically for regulatory compliance or service changes. Changes will be published on this page with an update of the date at the top. We invite you to regularly consult this page.

10. Contact and Complaints

← Back to Homepage