Alchimia Studio

Privacy Policy

Last updated: 3 May 2026

This Privacy Policy describes how Alchimia Studio di Marco Gasparri collects, uses, and protects the personal data of users of the alchimiastudio.ai website, in accordance with Regulation (EU) 2016/679 («GDPR») and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 («Italian Privacy Code»).

1. Data Controller

The Data Controller for personal data processing is:

  • Marco Gasparri (Alchimia Studio di Marco Gasparri)
  • Registered office: Via Cappuccini 14, 20023 Cerro Maggiore (MI), Italy
  • VAT number: IT14637340960
  • Email: info@alchimiastudio.ai

2. Data collected and purposes

The website collects personal data exclusively through the contact form available on the /contact page. No third-party analytics or profiling cookies are used.

Contact form

When a user submits a request through the contact form, the following data is processed:

  • Name (required)
  • Email address (required)
  • Organization (optional)
  • Selected area of interest (optional)
  • Message content (required)

Purposes of processing

  • Responding to the received request and providing information about the studio's services
  • Evaluating a potential professional collaboration
  • Complying with legal obligations (accounting, tax, administrative) in the event of a subsequent contractual relationship

Legal basis

  • Art. 6.1.b GDPR: performance of pre-contractual measures taken at the data subject's request
  • Art. 6.1.c GDPR: compliance with legal obligations (in the event of a subsequent contractual relationship, for accounting and tax purposes)
  • Art. 6.1.f GDPR: legitimate interest of the Data Controller in responding to requests received through the site

Mandatory nature

Providing the data marked as required (name, email, message) is necessary to receive a reply; refusal means the request cannot be processed. Other data is optional.

3. Processing methods

Data is processed with electronic and IT tools, adopting appropriate technical and organizational measures to ensure confidentiality, integrity, and availability in accordance with Art. 32 GDPR.

No automated decision-making or profiling of the data subject is carried out.

4. Data recipients (Data Processors)

To provide the service, the studio engages third-party providers appointed as Data Processors under Art. 28 GDPR. Personal data may be processed by:

Vercel Inc.: hosting, infrastructure, and aggregated analytics

Provider of the hosting platform and infrastructure on which the site runs. Based in the United States. Certified under the EU-U.S. Data Privacy Framework.

Vercel Web Analytics is also active on the same platform, used to produce aggregated visit statistics. The service does not use cookies, does not collect the IP address or persistent identifiers, and does not allow tracking users across different sites or different days. The data collected (page views, referrers, approximate geolocation, operating system, browser, and device type) is processed in anonymous, aggregated form.

Privacy policy: https://vercel.com/legal/privacy-policy

Data Processing Addendum: https://vercel.com/legal/dpa

Resend Inc.: transactional email

Provider of the email service used to forward messages received through the contact form. Based in the United States. Certified under the EU-U.S. Data Privacy Framework; transfer additionally supported by Standard Contractual Clauses (SCCs) approved by the EU Commission with Decision 2021/914.

Privacy policy: https://resend.com/legal/privacy-policy

Data Processing Addendum: https://resend.com/legal/dpa

Cloudflare Inc.: contact form anti-spam protection (Turnstile)

Provider of the Turnstile service that verifies contact form submissions come from human users rather than automated bots. The service receives the visitor's IP address and browser configuration solely to perform the verification, with no tracking or profiling. Based in the United States. Certified under the EU-U.S. Data Privacy Framework.

Privacy policy: https://www.cloudflare.com/privacypolicy/

Data Processing Addendum: https://www.cloudflare.com/cloudflare-customer-dpa/

Upstash, Inc.: technical rate limiting on the contact form

Provider of the Redis service used exclusively to limit the number of contact form submissions originating from the same IP address, as a technical anti-abuse measure. The visitor's IP address is used as a counting key over a sliding 10-minute window, after which it is automatically discarded.

Data processing location: EU region (Frankfurt, Germany, eu-central-1). No transfer of personal data outside the European Economic Area. Provider's legal entity headquartered in the United States (California).

Privacy policy: https://upstash.com/trust/privacy.pdf

Data Processing Addendum: https://upstash.com/trust/dpa.pdf

5. Transfers outside the EU

Some of the Processors listed above (Vercel, Resend) are based in the United States. Personal data transfers are carried out in accordance with Chapter V of the GDPR, through:

  • EU-U.S. Data Privacy Framework certification, for participating providers
  • Standard Contractual Clauses approved by the EU Commission with Decision 2021/914 of 4 June 2021
  • Additional appropriate technical measures: encryption in transit via TLS and at rest

6. Data retention period

  • Contact form data that does not result in a collaboration: retained for the time necessary to respond to the request and up to 12 months from receipt, subject to earlier deletion upon the data subject's request
  • Data relating to actual collaborations: retained for the duration of the relationship and for 10 years after its conclusion, to comply with accounting and tax obligations set out in the Italian Civil Code (art. 2220) and Presidential Decree 600/1973
  • IP address used for technical rate limiting on the contact form (Upstash): retained over a sliding 10-minute window, then automatically discarded
  • Technical system logs (e.g., IP addresses) other than rate limiting: retained for a maximum of 6 months for service security purposes, subject to longer retention where necessary for the establishment, exercise, or defense of legal claims

7. Data subject rights

Users have the right, under Articles 15-22 GDPR, to:

  • Access their personal data (Art. 15)
  • Request rectification (Art. 16)
  • Request erasure (Art. 17)
  • Request restriction of processing (Art. 18)
  • Obtain data portability (Art. 20)
  • Object to processing on legitimate grounds (Art. 21)
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7.3)

How to exercise rights

To exercise these rights, users can write at any time to info@alchimiastudio.ai. A reply will be provided without undue delay and in any case within 30 days of receipt of the request, in accordance with Art. 12.3 GDPR.

8. Complaint to the Supervisory Authority

If users believe that the processing of their personal data violates applicable law, they always have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali):

  • Address: Piazza Venezia 11, 00187 Rome, Italy
  • Phone: (+39) 06 69677 1
  • Email: protocollo@gpdp.it
  • Certified email (PEC): protocollo@pec.gpdp.it
  • Website: https://www.garanteprivacy.it

9. Cookies and tracking tools

For details on the cookies used, their purposes, and consent management, please refer to the Cookie Policy available at /cookie-policy.

10. Changes to this Privacy Policy

This Privacy Policy may be updated in response to regulatory developments, changes to services offered, or changes to third-party providers. Changes are published on this page with the date of the last update shown at the top of the document. Users are encouraged to review this page periodically.