Privacy Policy
Last updated: 07/03/2026
Notice provided pursuant to Article 13 of EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (the Italian Privacy Code).
§1 Data Controller
The controller of the processing of personal data is EVVIVA GROUP S.r.l. a socio unico, with registered office at Via Torino, 2, 20123 Milano (MI), Italy.
To exercise the rights set out in §8 or for any data protection request, the official channel is the contact form on the website. We do not publish ordinary email addresses in order to avoid automated spam; communications sent through the form are channelled internally to the relevant contact person within 48 working hours.
§2 Data Protection Officer (DPO)
EVVIVA GROUP S.r.l. a socio unico has not appointed a Data Protection Officer (DPO) because the conditions making this mandatory under Article 37 GDPR do not apply (no core activity involving systematic large-scale monitoring, nor large-scale processing of special categories of data under Article 9).
Privacy requests from data subjects are handled directly by the controller through the contact form on the website.
§3 Categories of data processed
We process the following categories of data:
- Contact form / quote request: first name, last name, email address, company name (optional), business sector, free-text message, source of the request.
- AI chatbot: text conversation, IP address (subject to cookie consent), message timestamps. Maximum retention of 90 days, followed by anonymisation or deletion.
- Analytics and browsing statistics: anonymised IP address, device and browser type, pages visited, session duration, referrer. Collection is activated only upon prior cookie consent (see Cookie Policy).
- Tax and accounting data (clients only): company name, VAT number, tax code, billing address, payment data. Managed through certified external providers (Stripe, PayPal); no sensitive data remains on our servers.
§4 Purposes and legal bases
The legal bases for processing are:
- Responding to commercial requests and providing the service: performance of pre-contractual and contractual measures (Article 6.1.b GDPR).
- Analysis of aggregated browsing behaviour via analytics: consent of the data subject (Article 6.1.a GDPR), revocable at any time from the cookie preferences.
- Tax, accounting and invoicing obligations for clients: legal obligation (Article 6.1.c GDPR, Article 2220 of the Italian Civil Code).
- Legal defence and complaint management: legitimate interest of the controller (Article 6.1.f GDPR).
§5 Data recipients and third-party providers
Personal data is accessible to:
- EVVIVA GROUP S.r.l. a socio unico and authorised employees/collaborators, specifically instructed pursuant to Article 29 GDPR.
- External technical providers appointed as Data Processors pursuant to Article 28 GDPR:
- Amazon Web Services EMEA SARL — transactional email infrastructure (SES), region eu-south-1 (Milan). Data processed exclusively within the European Union.
- Odoo SA (Belgium) — cloud CRM platform for managing leads and clients. EU hosting.
- Anthropic PBC — processing of AI chatbot messages. EU endpoint activated where available; non-EU transfers governed by the European Commission's Standard Contractual Clauses (SCC).
- IONOS SE — hosting of the application server (VPS), region Italy.
- Google Ireland Limited — Google Analytics 4, activated only upon prior cookie consent.
- Non-EU operational team: part of the technical project work is carried out by collaborators based in India. This team works exclusively on project assets (code, design, editorial content) and has no access to the personal data of leads and clients: they are never forwarded emails, contact requests, chatbot conversations or billing data.
§6 Non-EU transfers
For the personal data of leads and clients no non-EU transfers take place: the CRM storage (Odoo), the transactional emails (AWS SES eu-south-1) and the hosting (IONOS Italy) are all located within the European Economic Area.
The only processing that may temporarily involve a non-EU transfer is the processing of chatbot conversations through Anthropic PBC (USA) when the EU endpoint is not applicable: in such case the transfer is governed by the European Commission's Standard Contractual Clauses (SCC) and by further appropriate technical measures.
§7 Retention periods
- Unconverted leads from the contact form: 24 months from the last contact, then automatic deletion.
- Active clients: duration of the relationship + 10 years from termination (document retention obligations under Article 2220 of the Italian Civil Code and tax legislation).
- Chatbot conversations: 90 days, then anonymisation or deletion.
- Google Analytics 4 data: 14 months (standard GA4 configuration), with anonymised IP.
- Server security logs: 12 months, pursuant to the measure of the Garante (the Italian Data Protection Authority) on system administrators (27 November 2008).
§8 Rights of the data subject
Pursuant to Articles 15-22 of the GDPR you have the right to:
- Access your personal data (Article 15).
- Obtain rectification of inaccurate data (Article 16).
- Request erasure (the "right to be forgotten", Article 17).
- Restrict processing (Article 18).
- Receive your data in a portable format (Article 20).
- Object to processing (Article 21).
- Not be subject to automated decisions with legal effects (Article 22).
To exercise these rights, send your request via the contact form specifying the subject (e.g. "exercise of rights under Article 15 GDPR"). We respond within 30 days, free of charge except for manifestly unfounded or excessive requests.
§9 Complaint to the Garante
If you believe that the processing of your personal data infringes the applicable legislation, you have the right to lodge a complaint with the Garante per la protezione dei dati personali (the Italian Data Protection Authority) (garanteprivacy.it) or with any other competent supervisory authority pursuant to Article 77 GDPR.
§10 Minors
The website and services are not directed at children under the age of 16; we do not knowingly collect personal data of minors. If a parent or guardian believes that a minor has provided us with personal data, they may request its immediate deletion via the contact form.
§11 Changes to this notice
This notice may be updated at any time for regulatory adjustments, changes in services or contractual amendments. The date at the top shows the latest revision. We encourage you to consult this page periodically.