Privacy Policy
Last updated: May 2026
This Privacy Policy explains how BoreaTech collects, uses, and protects personal data when you visit our website or interact with our services. We are committed to processing your data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Italian data protection legislation.
1. Data Controller
The data controller responsible for your personal data is:
BoreaTech
Email: [email protected]
2. What We Collect
We may collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Contact information | Name, email address, message subject, and message content (which may contain any further personal data you choose to include) | Contact form submission |
| Technical data | IP address, browser type, device info, pages visited | Automatic collection via server logs |
| Usage data | Aggregate visit statistics, referral source | Automatic collection (Cloudflare Web Analytics) |
We do not collect special categories of personal data (e.g., health, biometric, or political data).
3. How We Use Data
We process your personal data for the following purposes:
- Responding to inquiries: to reply to messages submitted through our contact form.
- Website operation and security: to serve, secure, and improve our website, including rate-limiting and abuse prevention, which involves temporarily storing your IP address.
- Legal compliance: to meet our legal and regulatory obligations.
4. Legal Basis (GDPR Art. 6)
We rely on the following legal bases for processing your personal data:
| Purpose | Legal Basis | GDPR Reference |
|---|---|---|
| Responding to contact form inquiries | Legitimate interest | Art. 6(1)(f) |
| Website security and operation | Legitimate interest | Art. 6(1)(f) |
| Legal compliance | Legal obligation | Art. 6(1)(c) |
Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 7).
5. Data Sharing
We do not sell your personal data. We share data only with the following processors, each bound by a Data Processing Agreement:
| Processor | Purpose | Safeguards |
|---|---|---|
| Cloudflare, Inc. | Website hosting, CDN, DDoS protection, email routing (Cloudflare Email Routing), and cookieless analytics (Cloudflare Web Analytics) | EU Standard Contractual Clauses (SCCs) |
| Resend, Inc. | Transactional email delivery of contact form submissions | EU Standard Contractual Clauses (SCCs) |
| Google LLC (Google Workspace / Gmail) | Email mailbox: receipt and storage of correspondence sent to our address | EU Standard Contractual Clauses (SCCs) |
We may also disclose data where required by law, regulation, or lawful request by public authorities.
6. Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy:
- Contact form data: retained for up to 12 months after the last communication, unless a longer retention period is required by law.
- Technical/server logs: retained for up to 90 days.
- Rate-limiting data (IP address): stored by Cloudflare for up to 1 hour, then automatically deleted.
When data is no longer needed, it is securely deleted or anonymised.
7. Your Rights
Under the GDPR (Articles 15-21), you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy.
- Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): restrict the processing of your data under certain conditions.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest, including direct marketing.
To exercise any of these rights, contact us at [email protected]. We will respond without undue delay and within one month of receiving your request, as required by Article 12(3) GDPR.
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
8. Cookies and Analytics
Our website uses only strictly necessary, first-party cookies required for basic site functionality (e.g., Cloudflare security cookies). We do not use advertising cookies or third-party tracking cookies.
We use Cloudflare Web Analytics to understand aggregate traffic to our site (for example, total visits, page views, and referral sources). It is privacy-first and cookieless: it sets no cookies, does not use fingerprinting, does not track you across other websites, and does not collect or sell personal data. Because it stores no information on your device, it does not require consent under the ePrivacy Directive.
Because the cookies we set are strictly necessary for the operation of the site, they do not require consent under GDPR and the ePrivacy Directive. If we introduce non-essential cookies in the future, we will update this policy and implement a consent mechanism before deployment.
The following Cloudflare cookies may be set when you visit our website:
| Cookie | Purpose | Duration |
|---|---|---|
| __cf_bm | Bot detection and management | 30 minutes |
| cf_clearance | Security challenge verification | Session |
| __cflb | Load balancing | Session |
9. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS/TLS encryption for all data in transit.
- Cloudflare DDoS protection and Web Application Firewall.
- Access controls limiting who can view submitted contact data.
While no system is completely secure, we continuously review and improve our security practices.
10. Children’s Privacy
Our website is intended for business professionals aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from someone under 18, we will delete it promptly.
11. International Transfers
Some of our processors (Cloudflare, Resend, and Google) may transfer personal data outside the European Economic Area (EEA), primarily to the United States. Where such transfers occur, they are protected by:
- EU Standard Contractual Clauses (SCCs): as adopted by the European Commission, ensuring an adequate level of data protection.
- Supplementary measures: including encryption in transit and at rest, as appropriate.
You may request a copy of the applicable safeguards by contacting us at [email protected].
12. Contact & Complaints
For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:
BoreaTech
Email: [email protected]
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Italian supervisory authority:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Rome, Italy
Website: www.garanteprivacy.it