Personal data processing notice
Updated 1 June 2026.
Data controller
The data controller is Cortalis S.r.l. Società Unipersonale, with registered office at Via Alcide de Gasperi 4/A, 37013 Caprino Veronese (VR), Italy.
Certified email (PEC) · [email protected]
Data Protection Officer (DPO) · not mandatory pursuant to art. 37 of EU Regulation 2016/679. Requests regarding personal data may be addressed to the data controller through the certified email indicated above.
Categories of personal data processed
Cortalis processes the following categories of personal data:
- Browsing data · IP address (anonymised), browser, operating system, pages visited, date and time of access.
- Essential technical cookies · required for the website to function (session, language preference).
- Contact data · email or certified email (PEC) address, if the user chooses to write to Cortalis.
- Contact form data · surname, first name, company, email, telephone and the information about the asset or project submitted through the contact form.
Purposes and legal basis
Processing is carried out for the following purposes, based on the corresponding legal bases under art. 6 GDPR:
- Technical management and security of the website — legitimate interest of the controller (art. 6.1.f GDPR).
- Response to contact requests — pre-contractual measures (art. 6.1.b GDPR).
- Compliance with legal obligations — legal obligation (art. 6.1.c GDPR).
Retention period
Browsing data is retained for a period not exceeding 12 months. Contact data is retained for as long as necessary to respond to the request and for a further 24 months for documentary archiving purposes, unless legal obligations impose longer periods.
Recipients, sub-processors and transfers
Data may be processed on behalf of Cortalis by providers of technical services appointed as data processors pursuant to art. 28 GDPR:
- Cloudflare, Inc. — website hosting (Cloudflare Pages) and anti-spam protection of the contact form via Cloudflare Turnstile, which processes the IP address and technical browser signals to distinguish human visitors from automated traffic. See the Cloudflare Turnstile Privacy Addendum.
- Resend — transactional delivery of contact-form submissions to Cortalis, with infrastructure located in the European Union.
- Google Ireland Limited — audience measurement via Google Analytics 4, activated only with your consent (see the cookie policy).
Where a provider transfers data outside the European Economic Area (for example Google, for consent-based analytics), the transfer is governed by the European Commission’s Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
Rights of the data subject
The data subject may exercise at any time the rights set out in articles 15 to 22 GDPR:
- Right of access (art. 15 GDPR)
- Right to rectification (art. 16 GDPR)
- Right to erasure (art. 17 GDPR)
- Right to restriction of processing (art. 18 GDPR)
- Right to data portability (art. 20 GDPR)
- Right to object (art. 21 GDPR)
- Right not to be subject to automated decisions (art. 22 GDPR)
Requests must be sent to the certified email address indicated above. Cortalis will respond within the timeframe set out in art. 12 GDPR.
Complaint to the supervisory authority
The data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) — Piazza Venezia 11 · 00187 Rome · www.garanteprivacy.it, pursuant to art. 77 GDPR. Data subjects resident in another EU/EEA Member State may also lodge a complaint with their local supervisory authority.