Privacy Policy
Last updated: May 2026
1. Introduction and Identity of the Data Controller
This Privacy Policy ("Policy") describes how Ainuvia ("we", "us" or "our"), operated by [Company Name], with registered office at [Address], VAT No. [XX] ("Data Controller"), collects, uses, discloses and otherwise processes personal data when you visit ainuvia.com (the "Site") or use our services.
This Policy is issued pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – "GDPR"), Legislative Decree no. 196/2003 (Italian Personal Data Protection Code) as amended by Legislative Decree no. 101/2018, and all other applicable national and EU data protection legislation.
Please read this Policy carefully before providing your personal data. By accessing or using the Site you acknowledge that you have read and understood this Policy.
2. Data Protection Officer (DPO)
In accordance with Article 37 of the GDPR, Ainuvia has designated a Data Protection Officer ("DPO"). You may contact the DPO at privacy@ainuvia.com or by post to the registered office address indicated above, marked "For the attention of the Data Protection Officer".
3. Categories of Personal Data We Collect
a) Data you provide voluntarily:
- Email address (provided via the early-access registration form or contact form)
- Name and surname (if voluntarily provided)
- Professional role and company name (if voluntarily provided)
- Content of communications sent through the contact form or by email
b) Data collected automatically when you browse the Site:
- IP address (anonymised or pseudonymised where technically feasible)
- Browser type and version, operating system and device type
- Referring URL and exit URL
- Pages visited, time spent on each page, and navigation path
- Country and region of access (derived from IP address; never precise geolocation)
- Cookie identifiers (subject to your consent — see our Cookie Policy)
- Date and time of each access
c) Data received from third parties:
- Aggregated and anonymised analytics data from Google Analytics 4 (only where you have consented to analytical cookies)
4. Purposes of Processing and Legal Basis
The table below sets out each purpose for which we process personal data, together with the corresponding legal basis under Article 6 of the GDPR.
| Purpose | Legal basis | Details |
|---|---|---|
| Early-access waitlist and product updates | Art. 6(1)(a) GDPR — Consent | You expressly subscribed to be notified of our product launch and updates. You may withdraw consent at any time (see Section 8). |
| Responding to enquiries and contact-form submissions | Art. 6(1)(b) GDPR — Pre-contractual measures | Processing is necessary to respond to your specific request prior to entering into a contract. |
| Statistical analysis of Site traffic | Art. 6(1)(a) GDPR — Consent | Carried out solely where you have accepted analytical cookies. You may withdraw consent at any time via Cookie Settings. |
| Site security, fraud prevention and abuse detection | Art. 6(1)(f) GDPR — Legitimate interest | Our legitimate interest is to protect the Site and its users from cyberattacks, malicious bots and fraudulent activity. |
| Compliance with legal obligations | Art. 6(1)(c) GDPR — Legal obligation | Processing necessary to comply with applicable national and EU law (e.g., tax, accounting obligations). |
| Improvement of the Site and our services | Art. 6(1)(f) GDPR — Legitimate interest | We analyse aggregated, anonymised navigation data to improve usability and content. No individual profiling is performed. |
5. Data Retention Periods
We retain personal data only for as long as necessary to fulfil the stated purpose and, in any case, no longer than permitted by applicable law:
- Email address and registration data: until you request erasure, or 36 months from your last active interaction with Ainuvia, whichever is earlier.
- Contact-form communications: 24 months from the date of receipt.
- Server access logs: 12 months, after which they are automatically purged.
- Google Analytics 4 data: up to 26 months on Google's servers (subject to your consent, which may be withdrawn at any time).
- Records of consent: 5 years from the date consent was given, to demonstrate compliance with Art. 7 GDPR.
- Data processed to comply with legal obligations: for the periods required by applicable law.
Upon expiry of the applicable retention period, personal data are securely deleted or irreversibly anonymised in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR).
6. Recipients and Categories of Recipients
a) Data processors appointed pursuant to Art. 28 GDPR: We share personal data with the following service providers, each bound by contractual obligations ensuring compliance with applicable data protection law:
- Google LLC (Google Analytics 4, Google Workspace, Google Sheets) — established in the United States.
- Vercel Inc. (website hosting and infrastructure) — established in the United States.
- Calendly LLC (appointment-scheduling service) — established in the United States.
b) Competent public authorities: We may disclose personal data to judicial, supervisory or law enforcement authorities where required by applicable law, regulation or binding judicial order.
c) No sale of personal data: We do not sell, rent, exchange or otherwise transfer personal data to third parties for their own commercial or marketing purposes.
7. International Data Transfers
Some of our service providers are established outside the European Economic Area ("EEA"). Any transfer of personal data to a third country is effected on one of the following legal bases:
- Adequacy decision (Art. 45 GDPR): where the European Commission has determined that the destination country ensures an adequate level of data protection — as in the case of transfers to the United States under the EU–US Data Privacy Framework.
- Standard Contractual Clauses (Art. 46(2)(c) GDPR): where no adequacy decision exists, transfers are governed by Standard Contractual Clauses adopted by the European Commission, supplemented, where necessary, by additional technical and organisational safeguards.
You may request a copy of the safeguards in place for international transfers by contacting us at privacy@ainuvia.com.
8. Your Rights Under the GDPR
Pursuant to Articles 15–22 of the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15): You may request confirmation of whether we process your personal data and, if so, obtain a copy together with supplementary information on the processing.
- Right to rectification (Art. 16): You may request the correction of inaccurate personal data and the completion of incomplete personal data.
- Right to erasure / ‘right to be forgotten’ (Art. 17): You may request the deletion of your personal data where one of the grounds set out in Art. 17 applies (e.g., data no longer necessary for the original purpose, or consent withdrawn and no other legal basis exists).
- Right to restriction of processing (Art. 18): You may request that processing be restricted in certain defined circumstances (e.g., where you contest the accuracy of the data).
- Right to data portability (Art. 20): You may receive your personal data in a structured, commonly used and machine-readable format and, where technically feasible, request their direct transmission to another controller.
- Right to object (Art. 21): You may object at any time to processing based on our legitimate interests. You also have an unconditional right to object to processing for direct marketing purposes.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
- Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. We hereby confirm that we do not engage in such automated decision-making.
Right to lodge a complaint: If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Italy: Garante per la Protezione dei Dati Personali — garante@gpdp.it. You may also lodge a complaint with the supervisory authority of your EU/EEA Member State of habitual residence, place of work or place of the alleged infringement.
9. Security Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These measures include:
- Encryption of all data in transit using TLS 1.2 or higher
- Access controls and the principle of least privilege for all staff and service providers
- Regular vulnerability assessments and penetration testing
- Audit logging of access to systems containing personal data
- Documented procedures for detecting, reporting and investigating personal data breaches in accordance with Arts. 33–34 GDPR
While we take reasonable and proportionate steps to protect your personal data, no method of transmission over the internet or electronic storage is entirely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR.
10. Cookies and Similar Technologies
We use cookies and similar tracking technologies on the Site. For a complete inventory of cookies used, together with their providers, duration, purpose and instructions on how to manage or withdraw your consent, please refer to our Cookie Policy.
11. Links to Third-Party Websites
The Site may contain hyperlinks to third-party websites over which we exercise no control. This Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party sites you visit before providing any personal data.
12. Children's Privacy
The Site and our services are not directed to, and we do not knowingly collect personal data from, individuals under the age of 16. If we become aware that we have collected personal data from a child under 16 without verified parental or guardian consent, we will take prompt steps to delete that information. If you believe that a child has provided us with personal data, please contact us at privacy@ainuvia.com.
13. Changes to this Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors. Material changes will be communicated by posting the updated Policy on the Site with a revised "Last updated" date. Where required by applicable law, we will seek your renewed consent before implementing material changes. We encourage you to review this Policy periodically.
14. Contact Us
For any questions, concerns or requests relating to this Policy or to the processing of your personal data, please contact: