SCROLL
IT / EN Let's talk about your project
Web DevelopmentBusiness WebsitesE-CommerceLanding PagesWebsite Redesign
Software & AppsCustom Web AppsERP & Management SystemsCustom CRMOdoo System Integration
Infrastructure & CloudManaged VPS ServerManaged HostingServer Configuration
MarketingSEO & PositioningGoogle & Social Ad CampaignsSocial Media ManagementEmail Marketing
Brand IdentityLogo DesignCorporate IdentityNaming & Brand Strategy
IT SupportHelpdesk & SupportSystems Maintenance
AI AgentsChatbots & Virtual AssistantsBusiness Process AutomationCustom AI Agents
Not sure where to start?

Tell us about your project and we'll guide you.

Book a free call
Solutions for Startups & New BusinessesSolutions for Growing SMEsEnterprise SolutionsE-Commerce Solutions
Contattaci
HomeServices Solutions About UsBlogContact
IT / EN
Let's talk about your project
Services
WEB DEVELOPMENTBusiness WebsitesE-CommerceLanding PagesWebsite Redesign
SOFTWARE & APPSCustom Web AppsERP & Management SystemsCustom CRMOdoo System Integration
INFRASTRUCTURE & CLOUDManaged VPS ServerManaged HostingServer Configuration
MARKETINGSEO & PositioningGoogle & Social Ad CampaignsSocial Media ManagementEmail Marketing
BRAND IDENTITYLogo DesignCorporate IdentityNaming & Brand Strategy
IT SUPPORTHelpdesk & SupportSystems Maintenance
AI AGENTSChatbots & Virtual AssistantsBusiness Process AutomationCustom AI Agents
Solutions
Solutions for Startups & New Businesses
Solutions for Growing SMEs
Enterprise Solutions
E-Commerce Solutions

Home / Privacy Policy

Privacy Policy

Last updated: 21 June 2026

Note: This is an English-language adaptation of the original Italian privacy notice, prepared for international visitors. It is not a legally certified translation. For the official version, please refer to the Italian original. This document does not constitute legal advice.

This privacy notice describes how personal data of users visiting the website uretech.it is collected, used and protected, in accordance with EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code), as amended by Legislative Decree 101/2018.

1. Data Controller

URETECH di Fontanella Federico (sole trader)
VAT No.: IT 04134771205 — Tax Code (C.F.): FNTFRC02D12A944B
Via della Costituzione, 8 — 40068 San Lazzaro di Savena (BO), Italy
Email: [email protected]
PEC (certified email): [email protected]
Phone: +39 02 8286 0103

The Data Controller is responsible for the protection of personal data collected through the site and ensures that processing is carried out in compliance with applicable law.

2. Data Collected and Purposes of Processing

The following describes the categories of personal data collected, the purposes of processing, the legal basis and retention periods for each processing activity.

a) Contact Form (AI Chatbot)

  • Data collected: name, email address, company, phone number, message, services requested, indicative budget, project timeline, notes generated by artificial intelligence.
  • Purpose: to respond to the user's commercial enquiries and provide personalised quotes based on information provided during the conversation.
  • Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR) in responding to enquiries from prospective clients, and pre-contractual measures at the data subject's request (Art. 6(1)(b) GDPR).
  • Retention: data is retained for a maximum period of 24 months from the date of the request, after which it is deleted or anonymised.
  • Note: conversations via the chatbot are analysed by third-party AI services (OpenAI, Anthropic) to generate project summaries and assist in preparing quotes. Data transmitted to AI providers is limited to the conversation content and does not include direct contact details (email, phone).

b) Newsletter

  • Data collected: email address.
  • Purpose: sending commercial communications, service updates, technology news and editorial content.
  • Legal basis: explicit consent of the data subject (Art. 6(1)(a) GDPR), given at the time of subscription.
  • Retention: data is retained until the data subject withdraws consent.
  • Right to withdraw: the user may withdraw consent and unsubscribe from the newsletter at any time via the unsubscribe link included in every email, or by contacting the Data Controller at [email protected].

c) Careers (Job Applications)

  • Data collected: first name, surname, email address, mobile number, preferred work location, curriculum vitae (PDF format).
  • Purpose: assessment of applications received for open or future positions.
  • Legal basis: consent of the data subject (Art. 6(1)(a) GDPR) and pre-contractual measures at the data subject's request (Art. 6(1)(b) GDPR).
  • Retention: data is retained for a maximum period of 24 months from the date the application is received, unless the candidate requests otherwise. After this period, data is securely deleted.
  • Security: CVs are stored in encrypted form on secure servers, with access restricted exclusively to authorised personnel involved in the recruitment process.

d) Browsing Data

  • Data collected: IP address, browser user agent, date and time of access.
  • Purpose: to ensure the correct technical operation of the website, infrastructure security and the application of rate-limiting mechanisms to protect against abuse.
  • Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR) in ensuring site security and operability.
  • Retention: browsing data is not persistently stored in identifiable form, except where the user submits a form (in which case it is associated with the request for the applicable retention period).

3. Telephone Call Recording

As part of its customer support and request-handling service, the Data Controller may carry out audio recording of telephone calls with clients. Recording is not always active: it is activated by the operator on a case-by-case basis (“on-demand”) only when necessary for the purposes set out below, and concerns exclusively calls with clients (inbound and outbound).

Data processed

  • Data collected: audio recording of the conversation and personal data contained therein (identification and contact details possibly provided verbally, content of the request); any transcription and summary generated automatically.
  • Special categories: no special category of data (Art. 9 GDPR) is requested or intentionally collected. Callers are asked not to disclose such data during the call.

Purposes of processing

  • management and documentation of client requests;
  • monitoring and improving service quality and staff training;
  • handling complaints, disputes and any evidentiary needs;
  • AI-assisted processing of the individual call, solely to summarise the conversation and prepare quotes, activities or projects for the client concerned.

Legal basis

Processing is based on the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR) in documenting client requests, ensuring and improving service quality, efficiently preparing commercial documentation and protecting its rights. The related balancing test (Legitimate Interest Assessment, in line with EDPB Guidelines 1/2024) is kept on file by the Data Controller. The data subject has the right to object at any time to this processing (Art. 21 GDPR — see section “Data Subject Rights”).

Notice and procedure

Before any recording, the data subject is informed by a short voice announcement referring to this section. On inbound calls the announcement is played at the start of the call; on outbound calls it is played when the operator starts recording, before recording begins. Anyone who does not wish to be recorded may inform the operator or use an alternative contact channel. Recording is optional and refusal does not prevent use of the service.

Recipients

Recordings are accessible only to the Data Controller’s authorised personnel. They may be processed by external providers appointed as Data Processors under Art. 28 GDPR, including Hetzner Online GmbH (Germany) for infrastructure and, limited to AI processing, artificial-intelligence service providers (including Google, OpenAI, Anthropic), identified upon activation of that function. Data is neither disclosed nor transferred to third parties for their own purposes.

Retention and data location

Recordings are kept for the time strictly necessary and in any case no longer than 6 (six) months from the date of the call, save for retention required to handle disputes or to comply with legal obligations; after that period they are securely and automatically deleted. AI processing outputs follow the same terms. Recordings are stored on infrastructure located in the European Union (Germany). For AI processing only, where providers located outside the European Economic Area are used, the transfer is supported by adequate safeguards (EU-US Data Privacy Framework adequacy decision where applicable, or Standard Contractual Clauses under Art. 46 GDPR); providers do not use the data to train their own models.

Artificial intelligence and absence of automated decision-making

AI processing is of a merely supportive nature to the operator (call summary, draft quote or activity): it does not involve automated decisions producing legal effects or significantly affecting the data subject (Art. 22 GDPR), nor profiling, nor emotion recognition. Recordings and their outputs are not used to train artificial-intelligence models: should the Data Controller intend to pursue such a purpose in the future, it will do so as a separate processing activity, subject to an appropriate legal basis, anonymisation measures and a dedicated impact assessment, updating this notice in advance.

Given the nature of the processing, the Data Controller has carried out a data protection impact assessment (DPIA, Art. 35 GDPR), kept on file.

4. Third-Party Services

The website uses third-party services for its operation. The following lists these services and their privacy implications for the user:

  • Google Fonts (Google LLC, USA): the site loads typefaces from Google's servers. During loading, the user's IP address is transmitted to Google's servers. More information: Google Privacy Policy.
  • CDN — Cloudflare and unpkg.com: the site uses content delivery networks (CDNs) to load JavaScript libraries (including Three.js, React, Lenis). The user's IP address is transmitted to these services during resource loading.
  • AI Providers — OpenAI (USA) and Anthropic (USA): the contents of chatbot conversations may be transmitted to these providers for analysis and generation of project summaries. Data transmitted is limited to the conversation content.
  • Webhook (if configured): data submitted via forms may be sent to external services via webhooks for business automation purposes (e.g., CRM, lead management, internal notifications).

5. International Data Transfers

Some of the third-party services listed above are based in the United States of America. Personal data may therefore be transferred outside the European Union, in particular to the USA, via the following services:

  • Google Fonts (Google LLC)
  • OpenAI
  • Anthropic

Such transfers take place with adequate safeguards under the GDPR, in particular through:

  • The EU-US Data Privacy Framework, for providers that have obtained certification;
  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.

The user may request further information on the safeguards adopted by contacting the Data Controller at [email protected].

6. Cookies

For detailed information on cookies used by the site, how they are managed and how to disable them, please refer to the Cookie Policy, accessible from the cookie banner displayed on first visit to the site or from the dedicated page.

7. Security Measures

The Data Controller adopts appropriate technical and organisational measures to ensure the security of personal data processed, including:

  • Rate limiting on all API endpoints to prevent abuse and automated attacks.
  • Validation and sanitisation of all inputs received via site forms.
  • Parameterised queries for protection against SQL injection attacks.
  • CSRF tokens (WordPress Nonce) for protection against Cross-Site Request Forgery attacks.
  • Protected CV storage in directories with restricted access and restrictive permissions.
  • HTTPS connection with SSL/TLS certificate for encryption of all data in transit.

8. Data Subject Rights

Under Articles 15–22 of the GDPR, the data subject has the right to:

  • Access (Art. 15): obtain confirmation of whether processing is taking place and access their personal data.
  • Rectification (Art. 16): obtain correction of inaccurate personal data or completion of incomplete data.
  • Erasure (Art. 17): obtain deletion of personal data in the cases provided for by law.
  • Restriction of processing (Art. 18): obtain restriction of processing in the cases provided for by law.
  • Data portability (Art. 20): receive personal data in a structured, commonly used and machine-readable format.
  • Object (Art. 21): object to the processing of personal data based on the Data Controller’s legitimate interest.
  • Withdraw consent: withdraw consent given at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

How to exercise your rights

The data subject may exercise their rights by sending a written communication to the Data Controller at: [email protected]

The Data Controller undertakes to respond to the request within 30 days of receipt.

The data subject also has the right to lodge a complaint with the competent supervisory authority:

Garante per la Protezione dei Dati Personali (Italian Data Protection Authority)
Website: www.garanteprivacy.it
Email: [email protected]
PEC: [email protected]

9. Changes to This Privacy Notice

The Data Controller reserves the right to make changes to this privacy notice at any time, by publishing the updated version on the website. Users are therefore invited to periodically consult this page to check for any updates.

Changes to this notice will take effect from the date of publication on the website.

Notice prepared in accordance with EU Regulation 2016/679 (GDPR) — Articles 13 and 14.
Last revised: 21 June 2026.