Last updated: July 5, 2026

Privacy Policy

Under Article 13 of Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by 101/2018. This notice explains how we process the personal data of people who visit and use this site.

This is a courtesy translation. The Italian version of this notice prevails in case of any discrepancy.

1. Data controller

ControllerSerafini Marco (Novrith)
AddressVia della Moscova 13, 20121 Milan (MI), Italy
VATIT04028670125
Privacy contactprivacy@novrith.com
Privacy referentMarco Serafini
DPONot appointed, not required under Art. 37 GDPR

For any request about how we handle your data, or to exercise your rights, write to privacy@novrith.com.

2. Personal data we process

  • Contact and identity data: first name, last name, work email and phone number you provide when you fill in the contact form.
  • Message content: what you write in the contact form.
  • Booking data: name, email, timezone, optional phone and any answers to booking questions, when you book a discovery call through the Cal.com widget.
  • Navigation and technical logs: IP address, browser and operating system, pages visited, date, time and duration of the visit, and referring URL, collected automatically by the server and network logs of our host.
  • Campaign source data: any UTM parameters present in the URL when you submit a form, which help us understand which channel you came from.
  • Aggregate, non-identifying statistics: visit counts not attributable to an identifiable person, collected through Vercel Web Analytics without cookies and without any persistent identifier.
We do not process special categories of data (Art. 9 GDPR) or data on criminal convictions or offenses (Art. 10 GDPR). We only ask for data that is necessary for the purposes described here. Providing this data is optional but necessary to act on your request: without it we cannot reply to you or manage a booking. This site and our services are aimed at a professional audience and are not directed at minors; we do not knowingly collect data of anyone under 14.

3. Purposes and legal basis

PurposeLegal basis
Replying to requests sent through the contact form and handling the related pre-contractual stepsArt. 6(1)(b) (pre-contractual measures at your request); secondarily Art. 6(1)(f) (legitimate interest in replying)
Managing discovery-call bookingsArt. 6(1)(b) (pre-contractual measures)
Operating, securing and diagnosing the siteArt. 6(1)(f) (legitimate interest in the correct and secure operation of the platform)
Measuring site usage in aggregate, non-identifying form, without cookies, through Vercel Web AnalyticsArt. 6(1)(f) (legitimate interest in understanding aggregate site usage to improve content and features); no consent is required because the tool uses no cookies or identifiers
Analysing the source of requests (marketing attribution) via the UTM parameters attached to a form submissionArt. 6(1)(f) (legitimate interest in understanding which channels our requests come from)
Newsletter signup is a separate, consent-based processing activity, described in its own notice (see section 7). The contact form requires no marketing consent and works without it.

4. Recipients

Data may be shared with the following IT service providers, appointed as data processors under Art. 28 GDPR, only as needed to deliver the service. Data is never disclosed or sold to third parties for marketing purposes.

ProviderFunctionLocation
Vercel Inc.Site hosting, technical logs, and aggregate statistics (Vercel Web Analytics)United States
GetCargo Inc. (Cargo)Receiving contact and newsletter form submissionsUnited States
Attio Ltd.CRM, handling the contacts receivedUnited Kingdom
Cal.com, Inc.Discovery-call bookingUnited States
Sanity ASContent management and image deliveryEEA (Norway) / EU

An up-to-date list of processors can be requested at any time by writing to privacy@novrith.com.

5. International transfers

Some providers are based in, or process data in, countries outside the European Union. In those cases the transfer relies on the safeguards under Chapter V of the GDPR:

ProviderCountryTransfer basis
Vercel Inc.United StatesEU-US Data Privacy Framework, Dec. (EU) 2023/1795 (Art. 45), backed by Standard Contractual Clauses (Art. 46)
GetCargo Inc. (Cargo)United StatesStandard Contractual Clauses, Dec. (EU) 2021/914 (Art. 46)
Cal.com, Inc.United StatesStandard Contractual Clauses, Dec. (EU) 2021/914 (Art. 46)
Attio Ltd.United KingdomAdequacy decision (EU) 2021/1772 (Art. 45)
Sanity ASEEA (Norway) / EUNo extra-EEA transfer with the EU region; for any extra-EEA sub-processor, Standard Contractual Clauses (Art. 46)

A copy of the safeguards in place can be requested at privacy@novrith.com.

6. Retention

  • Contact-form requests that do not lead to a relationship: deleted within 24 months of the last contact.
  • Leads and clients (requests that turn into a pre-contractual or contractual relationship): kept for the duration of the relationship and then within the ordinary 10-year limitation period (Art. 2946 of the Italian Civil Code).
  • Bookings: for as long as needed to manage the meeting and any follow-up; if they turn into a commercial contact, as above.
  • Technical navigation logs: up to 12 months for security and diagnostics.
  • Aggregate statistics: non-identifying data, not attributable to an identifiable person.
  • Campaign source data (UTM): retained together with the request it relates to, under the terms set out above.

7. Newsletter

The newsletter is sent only with your explicit prior consent and is delivered through Resend (Plus Five Five, Inc.). You can unsubscribe at any time using the link in every message. The processing of data for the newsletter is described in its dedicated notice (/privacy/newsletter), shown at the point of signup.

8. Cookies

This site uses strictly technical cookies only and sets no profiling or analytics cookies. See the Cookie Policy (/cookies) for details.

9. Data security

Data is processed with electronic tools, for no longer than needed for the purposes described. We apply appropriate technical and organisational measures (encryption of communications in transit via HTTPS, access controls, data minimisation) to protect it against unauthorised access, loss or disclosure.

10. Your rights

You can exercise the rights under Articles 15-22 GDPR at any time:

  • Access (Art. 15): confirmation of processing and access to your data.
  • Rectification (Art. 16): correct inaccurate or incomplete data.
  • Erasure (Art. 17): request deletion of your data.
  • Restriction (Art. 18): request restriction of processing.
  • Portability (Art. 20): receive your data in a structured, readable format.
  • Objection (Art. 21): object to processing based on legitimate interest.
  • Withdraw consent: where processing relies on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, write to privacy@novrith.com. We respond within 30 days.

11. Profiling and automated decisions

We carry out no automated decision-making or profiling under Art. 22 GDPR that produces legal or similarly significant effects. Usage statistics are aggregate and non-identifying and do not constitute profiling.

12. Right to complain

You have the right to lodge a complaint with the Italian Data Protection Authority, the Garante per la Protezione dei Dati Personali (Piazza Venezia 11, 00187 Rome, www.garanteprivacy.it, protocollo@gpdp.it), under Art. 77 GDPR and Art. 141 of Legislative Decree 196/2003.

13. Updates

This notice may be updated over time. The version published on this page is the one in force; the last-updated date is shown at the top.