Privacy Policy
Last updated: June 2025
1. Data Controller
Alberto Scarpa
Email: [email protected]
Website: www.albertoscarpa.com
2. Personal data collected
This website collects personal data exclusively on a voluntary basis through the forms available on the site:
- Contact form: name, email address, free-text message.
- Regulatory Spark form: name, email address, industry/role, description of the query.
- CRA Assessment tool: email address (to receive the report).
- Book waitlist: email address.
- Technical data: IP address, user agent, pages visited — collected in aggregate and anonymised form via Google Analytics 4 only after explicit consent.
This website does not collect special categories of personal data (health, political, biometric data, etc.).
3. Purposes and legal bases for processing
| Purpose | Legal basis |
|---|---|
| Responding to contact requests | Pre-contractual measures (Art. 6(1)(b) GDPR) |
| Delivering the Regulatory Spark service | Pre-contractual measures (Art. 6(1)(b) GDPR) |
| Sending the CRA Assessment report by email | Consent (Art. 6(1)(a) GDPR) |
| Managing the book waitlist | Consent (Art. 6(1)(a) GDPR) |
| Traffic statistics (GA4) | Consent (Art. 6(1)(a) GDPR) |
4. Processors (sub-processors)
To deliver the service I rely on the following providers, appointed as data processors under Art. 28 GDPR:
- Brevo SAS (55 rue d'Amsterdam, Paris, France) — sending transactional emails generated by the forms. Brevo privacy policy.
- Cloudflare, Inc. (San Francisco, USA) — website hosting, CDN, bot protection via Turnstile. Extra-EU transfers are covered by Standard Contractual Clauses. Cloudflare privacy policy.
- Google LLC (Mountain View, USA) — traffic analytics via Google Analytics 4, activated only after explicit consent. Extra-EU transfers are covered by Standard Contractual Clauses. Google privacy policy.
- Usercentrics A/S (Copenhagen, Denmark) — cookie consent management via Cookiebot. Cookiebot privacy policy.
5. International transfers
Cloudflare and Google LLC are based in the United States. Transfers are carried out on the basis of the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914/EU), which provide appropriate safeguards under Art. 46 GDPR.
6. Retention periods
- Contact form data: retained for the time necessary to fulfil the request and in any case no longer than 24 months.
- Waitlist and CRA report emails: retained until consent is withdrawn or the campaign is closed.
- Analytics data (GA4): aggregated and anonymous, retained according to GA4 default settings (14 months).
7. Your rights
Under Arts. 15–22 GDPR you have the right to:
- access your personal data;
- rectify inaccurate or incomplete data;
- obtain erasure ("right to be forgotten");
- restrict processing;
- object to processing based on legitimate interest;
- receive your data in a structured format (portability), where applicable;
- withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise your rights, write to [email protected]. I will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority — in Italy: Garante per la protezione dei dati personali.
8. Cookies and tracking technologies
For details on the cookies used, please see the Cookie Policy.
9. Changes to this policy
Any updates will be published on this page with the revision date. We invite you to check this page periodically.