Privacy Policy
Last updated May 4, 2026 — compliant with EU Regulation 2016/679 (GDPR)
1. Data Controller
The data controller is logika.studio, based in Italy. Privacy contact: info@logikastudio.it.
2. Categories of Data Collected
2.1 General contact form (/contact)
Name, email, text message, browser language, optional UTM parameters (utm_source/medium/campaign), referrer URL, landing page, submission timestamp. Optional: consent to receive marketing email.
2.2 Trading NDA form (/contact/trading)
Name, email, professional profile (trading room / fund / private), AUM range, text message, consent to confidential processing, optional marketing consent. Processed under enhanced confidentiality.
2.3 Browsing data
IP address (partial, anonymized server-side by Vercel Web Analytics), browser technical info (user-agent, language), pages visited, session duration, country-level approximate geolocation. Collected via analytics cookies only with explicit consent (see Cookie Policy).
2.4 Lead management events (internal CDP)
Timeline of lead status updates (creation, profile edits, status change, email sync), with timestamp and admin operator id. Internal data, not shared with third parties.
3. Purposes and Legal Basis
| Purpose | Legal Basis (GDPR art. 6) |
|---|---|
| Responding to contact requests | Pre-contractual measures (art. 6.1.b) |
| Trading NDA request handling | Pre-contractual measures + legitimate interest (art. 6.1.b/f) |
| Marketing email / newsletter | Explicit consent (art. 6.1.a) |
| Aggregated analytics (Google Analytics) | Explicit consent (art. 6.1.a) |
| Technical performance (Vercel Speed Insights) | Legitimate interest (art. 6.1.f) — anonymous aggregated data |
| Security and abuse prevention | Legitimate interest (art. 6.1.f) |
| Legal and tax obligations | Legal obligation (art. 6.1.c) |
4. Recipients and Sub-processors
Data may be processed by trusted service providers (sub-processors under GDPR art. 28). Current list:
| Provider | Role | Location |
|---|---|---|
| Vercel Inc. | Hosting + Web Analytics + Speed Insights | USA (DPF + SCC) |
| Supabase Inc. | Lead database and admin authentication | EU (eu-central-1) |
| Resend Inc. | Transactional email and newsletter (audience) | USA (DPF + SCC) |
| Google Ireland Ltd. | Tag Manager, Analytics 4, Search Console | EU/USA (DPF + SCC) |
| Cal.com Inc. | Call booking widget | USA (DPF + SCC) |
| Aruba S.p.A. | Email service @logikastudio.it | Italy (EU) |
5. Transfers Outside the EU
Some sub-processors (Vercel, Resend, Google, Cal.com) are based in the United States. Such transfers rely on European Commission Standard Contractual Clauses (SCC) and/or adherence to the EU-U.S. Data Privacy Framework (DPF), ensuring an adequate level of protection equivalent to that of the EU under GDPR art. 46.
6. Retention Period
| Data category | Period |
|---|---|
| Lead from contact form (no follow-up) | 24 months from last interaction |
| Trading NDA lead (with commercial follow-up) | 5 years (contractual and tax requirements) |
| Newsletter subscription / marketing consent | Until consent revocation (unsubscribe) |
| Lead timeline events (internal audit) | 24 months |
| Technical and security logs | 12 months |
| Aggregated analytics (GA4, Vercel) | 26 months (GA4 default) / 30 days (Vercel) |
| Accounting and tax records | 10 years (legal obligation) |
7. Marketing Email — Consent and Withdrawal
Promotional email is sent only with explicit prior consent given by the data subject (opt-in checkbox in public forms or explicit newsletter subscription). Consent is recorded with a timestamp in the database via the consent_marketing_at field.
Newsletter delivery cadence
Subscribers to the Logika.studio newsletter receive:
- 1 email per week — curated weekly digest with the latest articles and content on AI, software and quant finance
- Once a month, in addition to that week's weekly digest, a monthly recap digest is sent with the most relevant content of the month
Estimated average frequency: ~5 emails/month (4 weekly digests + 1 additional monthly digest). No off-cadence promotional sends.
You can withdraw consent at any time:
- By clicking the «Unsubscribe» link in any marketing email
- By emailing info@logikastudio.it
Withdrawal does not affect the lawfulness of processing carried out before the withdrawal itself.
8. Your Rights
Under GDPR articles 15-22 you have the right to:
- Access your personal data and information about processing
- Rectification of inaccurate or incomplete data
- Erasure (right to be forgotten) when no other legal basis applies
- Restriction of processing in specific cases
- Portability in a structured, machine-readable format (JSON/CSV)
- Object to processing based on legitimate interest
- File a complaint with the Italian Data Protection Authority (garanteprivacy.it)
To exercise your rights, write to info@logikastudio.it. We respond within 30 days of receipt.
9. Security Measures
Data is protected via in-transit encryption (TLS 1.3) and at-rest encryption (AES-256 server-side at Supabase), role-based access controls (Supabase RLS + admin authentication), audit logs of lead operations, and credential isolation via encrypted environment variables. Daily database backups are retained for 7 days.
10. Cookies
For details on technical and third-party cookies used, legal basis, and how to manage preferences, please see our Cookie Policy.
10-bis. Cross-posting on LinkedIn
Editorial content published on the Logika.studio blog may be manually re-published by founder Luigi Garone on his personal LinkedIn profile as an editorial distribution channel. Publishing is always manual and individual: no cron, no automatic trigger, no bulk publishing.
No user, contact, or lead data is shared with LinkedIn as part of this functionality: the LinkedIn post contains only the article text, optional cover image, and the link to the blog (with standard UTM parameters for internal analytics attribution).
LinkedIn's privacy notice (autonomous data controller for engagement data on the published post) is available at linkedin.com/legal/privacy-policy.
10-ter. B2B Outbound Email (legitimate interest)
Logika.studio sends commercial emails to Italian companies (B2B) to introduce its services in software development, automation, marketing and AI. These communications are sent on the basis of legitimate commercial interest pursuant to Article 6(1)(f) of the GDPR (EU Regulation 2016/679), in line with the guidance of the Italian Data Protection Authority (Garante Privacy) on B2B email marketing toward business addresses.
Categories of data processed: company name, VAT number, sector of activity (ATECO code), legal/operating address, company website, business email address (typically a generic role-based address such as info@ or commerciale@; occasionally a personal name if obtained from public sources), optional name/surname of a commercial contact.
Data sources (all public or B2B):
- Registroimprese.it / Italian Chamber of Commerce (open data filtered by ATECO + company size)
- PagineGialle, Cylex, Europages (public business directories)
- Trade associations (e.g. Assolombarda, AMA, Fiderconsult — publicly accessible member lists)
- LinkedIn Sales Navigator (manual search, in compliance with platform Terms of Service)
Dedicated sender: outbound emails are sent from the dedicated subdomain studio.logikastudio.it (separated from transactional channels and inbound newsletter) via a dedicated Resend account. The sender is luigi@studio.logikastudio.it; replies are received at luigi@logikastudio.it.
Data subject rights:
- Immediate one-click opt-out: every outbound email contains an HMAC-signed unsubscribe link. A single click registers the address in our permanent suppression list and blocks any future outbound contact (the cascade is applied in real time, including to any active automated sequences).
- Full deletion: by writing to info@logikastudio.it you can request complete removal of your data from all our systems (outbound prospects, marketing leads, including the suppression list). Response within 30 days.
- Right to object: you may object to processing under Article 21 GDPR at any time without need for justification, by writing to the address above.
Retention: data of non-converted outbound prospects are retained for a maximum of 24 months from the last contact, then automatically deleted. Addresses on the suppression list are retained indefinitely (in minimal form: email + reason only) to ensure compliance with the opt-out request even in case of future re-import from new sources.
Technical and organisational safeguards: strict volume caps (max 5/day during warm-up, max 15/day at steady state), sending only during Italian business hours (Tue/Wed/Thu morning/afternoon), automatic pausing on bounce or complaint thresholds above provider AUP limits, and a full audit log of every send/open/click/unsubscribe, available for internal consultation.
11. Changes to this Privacy Policy
This Privacy Policy may be updated due to legal or operational changes. The last update date is shown at the top of the page. Previous versions are available on request.