Privacy Policy

1. Data Controller
AFFLU S.r.l., with registered office at Piazza Santiago del Cile n. 8, 00197 Rome (RM), Italy, VAT no. 18294811007, e-mail: privacy@afflu.eu, acting through its legal representative pro tempore (the “Controller”), is the Data Controller of the personal data collected through its showcase website (the “Website”).

2. Personal Data Collected
While browsing the Website and using the contact services, the following categories of personal data may be collected:
a) Data voluntarily provided by the user
By filling in the contact form available on the Website, the user voluntarily provides personal data such as first name, last name, e-mail address, professional role (job title) and the content of the message sent. Such data may also be processed if the user contacts AFFLU S.r.l. directly via the e-mail addresses published on the Website.
The provision of data is optional; however, failure to provide the data marked as mandatory (such as first name, last name, e-mail address and message) will make it impossible to submit the request or receive a reply.
b) Browsing data
The computer systems and software procedures used to operate the Website acquire, during their normal operation, certain technical data whose transmission is implicit in the use of Internet communication protocols. Such data include, by way of example, IP addresses, information about the browser and device used, time of the request and parameters relating to the user’s operating system.
Such data:
• are not collected to be associated with identified individuals;
• are processed in aggregated and anonymised form;
• are used exclusively for statistical purposes, monitoring the proper functioning of the Website and ensuring its security.
c) Cookie-less statistical analytics tools
The Website uses Vercel Web Analytics, a statistical analytics service integrated into the hosting platform.
This service:
• does not use cookies or persistent tracking technologies;
• does not allow the direct or indirect identification of users;
• uses a temporary technical identifier, valid exclusively for a single day and automatically regenerated;
• collects data solely in aggregated and anonymised form (for example, pages visited, approximate geographic location, type of device or browser).
The use of Vercel Web Analytics does not require the user’s consent, as it is comparable to low-impact statistical analysis tools aimed exclusively at improving the performance and content of the Website.
d) Cookies and similar technologies
The Website uses exclusively technical cookies, which are strictly necessary for the proper functioning of the pages and services provided.
The Website does not use:
• profiling cookies;
• marketing cookies;
• advertising tracking tools;
• remarketing systems.
Further information is available in the dedicated Cookie Policy.

3. Purposes and Legal Bases of Processing
Personal data are processed for the following purposes:
a) Management of information or contact requests
Data provided by users through the contact form or via e-mail are processed in order to manage and respond to requests, and to provide the information or assistance requested.
Legal basis: performance of pre-contractual measures taken at the user’s request (Art. 6(1)(b) GDPR) and/or the Controller’s legitimate interest in managing communications with users (Art. 6(1)(f) GDPR).
b) Traffic analysis and Website improvement
Browsing data and aggregated statistical data collected through Vercel Web Analytics are used exclusively to monitor the functioning of the Website and to improve its performance, content and user experience.
Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR).
c) Legal obligations and protection of rights
Data may be processed to comply with legal or regulatory obligations and to protect the Controller’s rights in judicial or extrajudicial proceedings.
Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR) and/or legitimate interest of the Controller (Art. 6(1)(f) GDPR).

4. Processing Methods
Personal data are processed using predominantly electronic and IT-based tools, adopting appropriate technical and organisational security measures to prevent unauthorised access, disclosure, alteration or loss of data.
Data are processed exclusively by authorised personnel of the Controller and/or by external parties formally appointed as Data Processors pursuant to Art. 28 GDPR.

5. Data Retention
Personal data are retained for a limited period of time, proportionate to the purposes of processing and in accordance with the principles of data minimisation and storage limitation.
In particular:
• data provided through the contact form or via e-mail are retained for the time necessary to manage the request and, thereafter, for a maximum period of 24 months from the final reply, unless a contractual relationship is established;
• aggregated statistical browsing data do not allow the identification of users and are retained in accordance with the technical policies of the service providers used;
• data processed to comply with legal obligations are retained for the periods required by applicable law (for example, 10 years for accounting documentation).
Once the retention period has expired, personal data are deleted or irreversibly anonymised, unless further retention is required by law or by order of an authority.

6. Data Recipients
Personal data are not disclosed.
Within the scope of the purposes described above, data may be communicated to parties providing services instrumental to the operation of the Website and the Controller’s activities, such as:
• IT and infrastructure service providers (for example hosting, CMS and contact form management services), acting as Data Processors pursuant to Art. 28 GDPR (such as Vercel, Sanity and Netlify);
• external consultants and professionals (legal, accounting), where necessary for legal obligations or the protection of rights;
• public authorities and bodies, where required by law.

7. Data Subject Rights
Users may exercise at any time the rights provided for in Articles 15–22 GDPR, including:
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restriction of processing;
• the right to data portability;
• the right to object to processing;
• the right to withdraw consent, where applicable.
Requests may be sent to the following e-mail address: privacy@afflu.eu. The Controller will reply within the time limits provided by law.
Users also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

8. Transfers of Data Outside the EU
Personal data are mainly processed within the European Union. However, certain technology providers used (such as hosting and cloud infrastructure services) may have servers or personnel located outside the European Economic Area.
In such cases, data transfers take place in compliance with Chapter V GDPR, on the basis of adequacy decisions of the European Commission or through the adoption of Standard Contractual Clauses (SCCs), supplemented where necessary by additional safeguards.

9. Automated Decision-Making
The Controller does not carry out processing based on automated decision-making, including profiling, which produces legal effects concerning the user or similarly significantly affects them, pursuant to Art. 22 GDPR.

10. Links to Third-Party Websites or Services
The Website may contain links to third-party websites, platforms or services, which act as independent data controllers. The Controller is not responsible for the data processing practices adopted by such third parties and encourages users to review their respective privacy policies.

11. Amendments to this Privacy Policy
The Controller reserves the right to update this Privacy Policy over time. The updated version will be published on this page, indicating the date of the last update.
Last updated: January 2026