Legal Notice and Privacy Policy

Data controller

The data controller is eurokleis s.r.l., with registered office at Via dei Monti della Farnesina, 77 — 00135 Rome. For any request regarding personal data protection, please write to privacy@eurokleis.com.

Type of data collected

During navigation on the Websites, technical data transmitted by browsers (IP address, user agent, pages visited, date and time of request) are automatically collected. Such data are used exclusively in aggregate and anonymous form for security and diagnostic purposes.

Personal data voluntarily provided by the user — for example through the contact form — are processed solely to respond to the request and are not used for further purposes.

Anti-Spam Proof-of-Work measure

The contact form is protected by a computational proof-of-work anti-spam measure that runs entirely in the user's browser. The SHA-256 calculation verifies that the request originates from a real client before being forwarded. The protection operates with these characteristics:

• Client-side execution: the SHA-256 calculation runs entirely in the user's browser.
• No cookies, no fingerprinting, no tracking.
• No communication with third-party servers during verification.
• Token generated client-side and verified server-side.

The proof-of-work measure is a technical anti-spam filter and does not constitute automated processing intended to produce legal effects on the data subject pursuant to Article 22 of Regulation (EU) 2016/679.

Cookies and similar technologies

The Websites do not use technical session cookies, profiling cookies or third-party analytics tools. There is therefore no cookie consent banner, as there is nothing to consent to.

Purposes of processing

Personal data provided through the contact form are processed solely to respond to the user's request and to manage the resulting communication. Navigation data (in aggregate form) are used for IT security purposes and technical traffic analysis.

For requests submitted through the contact form, processing is based on the legitimate interest of the Controller in efficiently responding to communications from website users (Article 6(1)(f) of Regulation (EU) 2016/679); the Controller has carried out a balancing test between this interest and the rights of data subjects, finding that the interest in processing prevails. For sending informational communications about services, events and editorial content, the legal basis is the data subject's express consent (Article 6(1)(a)), which can be withdrawn at any time. Legal obligations of the Controller (Article 6(1)(c)) also apply for the retention of fiscal, civil and anti-money-laundering documentation.

Provision of the data requested by the form (first name, last name, email, area of interest, message) is optional, but necessary in order to process and respond to the user's request. Failure to provide the data prevents the Controller from handling the request. Data related to marketing consent is optional: providing or refusing it has no consequences on the response to the main request.

Communication and transfer of data

Data collected through the contact form is not communicated to third parties, save for specific legal obligations. It may be processed by internal authorised staff (IT managers) and by technical service providers appointed as external data processors pursuant to Article 28 of Regulation (EU) 2016/679. In particular, the email delivery service is operated by Mailgun (Sinch Email AB), whose Data Processing Agreement (DPA) ↗ is publicly available and applies to the service relationship. Messages are transmitted through servers located within the European Economic Area (api.eu.mailgun.net endpoint). Any sub-processors used by Mailgun (e.g. cloud infrastructure providers) are covered by Standard Contractual Clauses pursuant to Article 46 of Regulation (EU) 2016/679. No further transfers of personal data take place outside the European Economic Area.

Data subject rights

The user has the right to access, rectify, erase or restrict the processing of their data, receive it in a structured format (portability), object to processing and lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali). Consent given for receiving informational communications may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal, pursuant to Article 7(3) of Regulation (EU) 2016/679. Withdrawal can be exercised by writing to privacy@eurokleis.com or by using the unsubscribe link present in every communication.

To exercise these rights, please contact the Data Controller by writing to privacy@eurokleis.com.

Data retention period

Data collected through the contact form is retained for 24 months from the date of submission, unless the request results in a contractual relationship: in that case, the retention periods provided by civil and tax legislation apply (10 years from the end of the relationship).

Data of those who consent to informational communications is retained until consent is withdrawn, in any case for no longer than 36 months from the last active contact.

Technical navigation logs (HTTP requests collected by the web server in aggregated form) are retained for the time strictly necessary for IT security purposes and for the investigation of possible service abuse, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679 (legitimate interest of the Controller in protecting its infrastructure).

On the email provider's systems (Mailgun), the body of transmitted messages is retained for a maximum of 7 days (for re-delivery purposes), while transmission metadata (sender, recipient, subject, origin IP address) is retained for a maximum of 30 days, in accordance with the provider's official policies.