Last updated: July 5, 2026
Privacy Policy
Under Article 13 of Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by 101/2018. This notice explains how we process the personal data of people who visit and use this site.
This is a courtesy translation. The Italian version of this notice prevails in case of any discrepancy.
1. Data controller
| Controller | Serafini Marco (Novrith) |
|---|---|
| Address | Via della Moscova 13, 20121 Milan (MI), Italy |
| VAT | IT04028670125 |
| Privacy contact | privacy@novrith.com |
| Privacy referent | Marco Serafini |
| DPO | Not appointed, not required under Art. 37 GDPR |
For any request about how we handle your data, or to exercise your rights, write to privacy@novrith.com.
2. Personal data we process
- Contact and identity data: first name, last name, work email and phone number you provide when you fill in the contact form.
- Message content: what you write in the contact form.
- Booking data: name, email, timezone, optional phone and any answers to booking questions, when you book a discovery call through the Cal.com widget.
- Navigation and technical logs: IP address, browser and operating system, pages visited, date, time and duration of the visit, and referring URL, collected automatically by the server and network logs of our host.
- Campaign source data: any UTM parameters present in the URL when you submit a form, which help us understand which channel you came from.
- Aggregate, non-identifying statistics: visit counts not attributable to an identifiable person, collected through Vercel Web Analytics without cookies and without any persistent identifier.
3. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Replying to requests sent through the contact form and handling the related pre-contractual steps | Art. 6(1)(b) (pre-contractual measures at your request); secondarily Art. 6(1)(f) (legitimate interest in replying) |
| Managing discovery-call bookings | Art. 6(1)(b) (pre-contractual measures) |
| Operating, securing and diagnosing the site | Art. 6(1)(f) (legitimate interest in the correct and secure operation of the platform) |
| Measuring site usage in aggregate, non-identifying form, without cookies, through Vercel Web Analytics | Art. 6(1)(f) (legitimate interest in understanding aggregate site usage to improve content and features); no consent is required because the tool uses no cookies or identifiers |
| Analysing the source of requests (marketing attribution) via the UTM parameters attached to a form submission | Art. 6(1)(f) (legitimate interest in understanding which channels our requests come from) |
4. Recipients
Data may be shared with the following IT service providers, appointed as data processors under Art. 28 GDPR, only as needed to deliver the service. Data is never disclosed or sold to third parties for marketing purposes.
| Provider | Function | Location |
|---|---|---|
| Vercel Inc. | Site hosting, technical logs, and aggregate statistics (Vercel Web Analytics) | United States |
| GetCargo Inc. (Cargo) | Receiving contact and newsletter form submissions | United States |
| Attio Ltd. | CRM, handling the contacts received | United Kingdom |
| Cal.com, Inc. | Discovery-call booking | United States |
| Sanity AS | Content management and image delivery | EEA (Norway) / EU |
An up-to-date list of processors can be requested at any time by writing to privacy@novrith.com.
5. International transfers
Some providers are based in, or process data in, countries outside the European Union. In those cases the transfer relies on the safeguards under Chapter V of the GDPR:
| Provider | Country | Transfer basis |
|---|---|---|
| Vercel Inc. | United States | EU-US Data Privacy Framework, Dec. (EU) 2023/1795 (Art. 45), backed by Standard Contractual Clauses (Art. 46) |
| GetCargo Inc. (Cargo) | United States | Standard Contractual Clauses, Dec. (EU) 2021/914 (Art. 46) |
| Cal.com, Inc. | United States | Standard Contractual Clauses, Dec. (EU) 2021/914 (Art. 46) |
| Attio Ltd. | United Kingdom | Adequacy decision (EU) 2021/1772 (Art. 45) |
| Sanity AS | EEA (Norway) / EU | No extra-EEA transfer with the EU region; for any extra-EEA sub-processor, Standard Contractual Clauses (Art. 46) |
A copy of the safeguards in place can be requested at privacy@novrith.com.
6. Retention
- Contact-form requests that do not lead to a relationship: deleted within 24 months of the last contact.
- Leads and clients (requests that turn into a pre-contractual or contractual relationship): kept for the duration of the relationship and then within the ordinary 10-year limitation period (Art. 2946 of the Italian Civil Code).
- Bookings: for as long as needed to manage the meeting and any follow-up; if they turn into a commercial contact, as above.
- Technical navigation logs: up to 12 months for security and diagnostics.
- Aggregate statistics: non-identifying data, not attributable to an identifiable person.
- Campaign source data (UTM): retained together with the request it relates to, under the terms set out above.
9. Data security
Data is processed with electronic tools, for no longer than needed for the purposes described. We apply appropriate technical and organisational measures (encryption of communications in transit via HTTPS, access controls, data minimisation) to protect it against unauthorised access, loss or disclosure.
10. Your rights
You can exercise the rights under Articles 15-22 GDPR at any time:
- Access (Art. 15): confirmation of processing and access to your data.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your data.
- Restriction (Art. 18): request restriction of processing.
- Portability (Art. 20): receive your data in a structured, readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdraw consent: where processing relies on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise these rights, write to privacy@novrith.com. We respond within 30 days.
11. Profiling and automated decisions
We carry out no automated decision-making or profiling under Art. 22 GDPR that produces legal or similarly significant effects. Usage statistics are aggregate and non-identifying and do not constitute profiling.
12. Right to complain
You have the right to lodge a complaint with the Italian Data Protection Authority, the Garante per la Protezione dei Dati Personali (Piazza Venezia 11, 00187 Rome, www.garanteprivacy.it, protocollo@gpdp.it), under Art. 77 GDPR and Art. 141 of Legislative Decree 196/2003.
13. Updates
This notice may be updated over time. The version published on this page is the one in force; the last-updated date is shown at the top.