
Privacy Policy

Notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

Last updated: 27 April 2026 (rev. 3 — privacy-friendly analytics enabled, explicit no-banner statement).

This notice describes how BOARDESIGN processes personal data collected through the website boardesign.it and the portal webservices.boardesign.it. It applies to anyone who visits the site, submits the contact form, registers an account, or uses the restricted web services.

In short: no cookie banner. Here is why.

This site does not use profiling cookies, third-party analytics cookies, advertising cookies, tracking pixels or equivalent technologies.

The only technical cookie set automatically is the Supabase session cookie (sb-…-auth-token), strictly necessary to keep authenticated users logged in. Traffic statistics are collected via Cloudflare Web Analytics, a system based on an anonymous beacon that does not write any cookie to the browser and does not fingerprint visitors across sites.

In the absence of any processing requiring prior consent under Article 122 of the Italian Privacy Code (Legislative Decree 196/2003) and the "Guidelines on cookies and other tracking tools" of the Italian Data Protection Authority of 10 June 2021, no cookie banner is required or shown. Displaying a banner for purely technical cookies would in fact be inconsistent with the Authority's own guidelines, which prohibit redundant banners.

Embedded third-party content that would entail additional processing — the Google Maps embed on the contact page — is loaded only after the user clicks an explicit consent button: the click itself constitutes a free and specific manifestation of consent and is revocable simply by not clicking.

Full details (data categories, legal bases, processors, retention periods, data-subject rights) are in the sections below.

1. Data controller

The data controller is:

BOARDESIGN di Lorenzo Martini — sole proprietorship
Registered office: Via Brigata Reggio 27, 42124 Reggio Emilia (RE), Italy
Italian VAT no.: 02988860355
SDI code: 5RUO82D
E-mail: info@boardesign.it
Certified e-mail (PEC): lmartini67@pec.it

For any matter relating to the processing of personal data — including the exercise of the rights listed in §8 — please write to info@boardesign.it.

No Data Protection Officer (DPO) has been appointed because the conditions of Article 37 GDPR do not apply.

2. Categories of data collected and purposes of processing

We process only the data strictly necessary for the purposes set out below.

a) Browsing data. During normal operation, the IT systems and software procedures that run the website acquire some data whose transmission is implicit in the use of Internet protocols: IP addresses, browser and operating system type, requested URLs, request date and time, response status code. These data are processed by the hosting provider's infrastructure (Cloudflare) for service delivery, security, diagnostics, and abuse prevention.

b) Contact-form data. When you fill in the form on the /en/contact page we collect: first name, surname (optional), e-mail address, message body. The sole purpose is to reply to your enquiry. The message is delivered by e-mail and is not currently stored in any database.

c) Account and registration data. Access to webservices.boardesign.it requires registration with: e-mail address, password (stored by Supabase in encrypted form and never visible to BoarDesign), first and last name (optional). The purpose is authentication, account management, and access to the restricted services.

d) Cookies and technical identifiers. The site uses only technical and functional identifiers, described in detail in §9.

We do not collect special categories of data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). We do not knowingly collect data from minors: the site is not directed at users under 16.

3. Legal basis

  • Contact form, registration, account management: Article 6(1)(b) GDPR — pre-contractual measures at the request of the data subject and/or performance of the contract.
  • Browsing data and security logs: Article 6(1)(f) GDPR — legitimate interest of the controller in ensuring the proper functioning and security of the site.
  • Technical and session cookies: Article 122 of Italian Legislative Decree 196/2003 (Privacy Code) — no prior consent of the user is required.
  • Tax and accounting obligations: Article 6(1)(c) GDPR — legal obligation.

4. Methods of processing

Personal data is processed by electronic means, by authorised and trained personnel, in accordance with the technical and organisational measures required by Article 32 GDPR. Processing is carried out in a manner that ensures a level of security appropriate to the risk, including:

  • end-to-end encryption of transmissions (HTTPS / TLS 1.2+);
  • hashed user passwords;
  • role-based access control with database-level Row-Level Security rules;
  • logging of access and write operations on personal data;
  • bot protection through Cloudflare Turnstile CAPTCHA on the contact form;
  • automated and periodic database backups.

We do not perform automated decision-making or profiling within the meaning of Article 22 GDPR.

5. Recipients and processors

Personal data may be communicated to the following parties, who act as data processors pursuant to Article 28 GDPR on the basis of data-processing agreements (DPAs) signed with the controller:

| Provider | Role | Data processed | Server location |
|---|---|---|---|
| Supabase, Inc. | Authentication, user database, profile storage | E-mail, password (hash), first and last name | Frankfurt, Germany (EU — AWS eu-central-1) |
| Resend, Inc. | Transactional e-mail delivery (contact form, registration confirmations) | Sender/recipient e-mail address, subject, message body | United States |
| Cloudflare, Inc. | Hosting (Cloudflare Pages), CDN, anti-bot Turnstile, aggregate traffic statistics (Cloudflare Web Analytics) — beacon-based system, no cookies | Browsing data, IP address (anonymised on the Cloudflare side and not stored in identifiable form), requested URL, referrer, country, browser type, Core Web Vitals, CAPTCHA token | Cloudflare global anycast network |
| Google LLC | Interactive map (Google Maps embed on /en/contact) — loaded only after the user explicitly clicks the "Load Google Map" button | IP address, browser identifiers | United States |

The Roboto and Roboto Mono typefaces are served directly from our own domain (self-hosted via the @fontsource package): no request is made to fonts.googleapis.com or fonts.gstatic.com, so Google does not receive visitors' IP addresses for font delivery.

Data may also be communicated to consultants, accountants, judicial and supervisory authorities within the limits and for the purposes required by law.

Personal data is in no case sold or transferred to third parties for marketing purposes.

6. Transfers outside the European Union

The Supabase servers used by BoarDesign are located in Frankfurt (Germany) and therefore within the European Economic Area.

Resend, Cloudflare, and Google (the latter only if the user voluntarily loads the map) may also process data on servers located in the United States. Such transfers are carried out with adequate safeguards under Article 46 GDPR:

  • Standard Contractual Clauses (SCCs) approved by the European Commission with Implementing Decision (EU) 2021/914;
  • EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023), for certified providers.

A copy of the safeguards in place is available on request to info@boardesign.it.

7. Retention period

Personal data is kept only for the time strictly necessary to achieve the purposes for which it was collected:

  • Contact-form e-mails: stored in the info@boardesign.it mailbox for up to 24 months from the last exchange, save for legal-defence needs or ongoing conversations.
  • User accounts and profiles: kept for the duration of the relationship with the controller and for an additional 12 months after a deletion request, as a precaution to handle any disputes.
  • Cloudflare technical and security logs: kept according to the provider's policy, indicatively up to 30 days.
  • Tax and accounting records: kept for 10 years as required by Article 2220 of the Italian Civil Code and by tax law.

Once the periods above have elapsed, data is permanently deleted or anonymised.

8. Your rights

As a data subject you have the right, at any time and pursuant to Articles 15-22 GDPR, to:

  • access your personal data and obtain a copy (Article 15);
  • request its rectification if inaccurate or completion if incomplete (Article 16);
  • request its erasure ("right to be forgotten") in the cases provided for (Article 17);
  • request the restriction of processing (Article 18);
  • receive the data in a structured, machine-readable format ("portability", Article 20);
  • object to processing based on legitimate interest (Article 21);
  • withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal, where applicable.

To exercise these rights, write to info@boardesign.it or, alternatively, to the certified e-mail lmartini67@pec.it. We will reply within 30 days of receipt, save for a reasoned extension under Article 12(3) GDPR.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) if you consider that the processing infringes the GDPR.

9. Cookies and similar technologies

The site uses only technical and session cookies, exempt from the prior-consent requirement under Article 122 of the Italian Privacy Code and the Italian Data Protection Authority's "Guidelines on cookies and other tracking tools" of 10 June 2021. For this reason no cookie banner is shown: in the absence of processing subject to consent, the banner would be redundant and inconsistent with those very guidelines.

We do not use third-party analytics cookies (e.g. Google Analytics), advertising cookies, profiling cookies, tracking pixels, or equivalent technologies. Traffic statistics are collected by Cloudflare Web Analytics: a system based on a JavaScript beacon that sends anonymous, aggregated events to our hosting provider — it does not set any cookie in the browser and does not identify individual users either across pages of the same site or across different sites.

First-party cookies

| Identifier | Type | Domain | Lifetime | Purpose |
|---|---|---|---|---|
| sb-awlrlvzvnmawvdrlgckt-auth-token | Technical — session | .boardesign.it (prod), no domain (dev) | Until logout or session expiry | Keeps the user authenticated across the site and the webservices.boardesign.it portal |
| bd-theme (localStorage) | UI preference | Browser localStorage | Persistent, until manually removed | Stores light/dark theme preference |

The bd-theme value is held in the browser's local storage (technically not an HTTP cookie) and is never transmitted to BoarDesign servers.

Embedded third-party services

Some pages embed third-party content. The site is designed to avoid any request to third-party servers until it is strictly necessary for the requested service:

  • Cloudflare Web Analytics (statistics beacon, active on every page): beacon.min.js script loaded from the Cloudflare CDN. Sets no cookie, reads no existing cookie, does not use localStorage, does not generate persistent identifiers. Transmits aggregated and anonymous browsing data (URL, country, browser, Core Web Vitals). Notice: www.cloudflare.com/privacypolicy/.
  • Cloudflare Turnstile (CAPTCHA on the contact form, page /en/contact): cookies strictly necessary to the operation of the anti-bot system. Loaded when the contact page opens because it is indispensable to protecting the form. Notice: www.cloudflare.com/privacypolicy/.
  • Google Maps (map on /en/contact): the map is not loaded by default. A static placeholder is shown with an explicit "Load Google Map" consent button; only after the user clicks does the Google iframe enter the DOM and Google receive the IP address. Each new visit starts fresh — the choice is not remembered in cookies or localStorage. Notice: policies.google.com/privacy.
  • Google Fonts: not used. The Roboto and Roboto Mono typefaces are hosted directly on our own servers (self-hosted via @fontsource); no request is sent to fonts.googleapis.com or fonts.gstatic.com.

These services are active only on the pages where the embed is present.

Managing cookies

You can configure your browser to block or delete cookies. Note that without the session cookie sb-…-auth-token it will not be possible to authenticate and access the webservices.boardesign.it portal.

Instructions for the most common browsers: Chrome, Firefox, Safari, Edge.

10. Data security

We adopt technical and organisational measures suitable to protect personal data against unauthorised access, disclosure, modification, or accidental destruction. In particular:

  • end-to-end encrypted traffic (HTTPS with HSTS, TLS 1.2 or higher);
  • bcrypt hashing of passwords on the Supabase side;
  • PostgreSQL Row-Level Security rules limiting access to data pertaining to the user;
  • separation of secrets: no access keys are committed to source control;
  • periodic review of software dependencies and security updates.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, the controller will notify the Italian Data Protection Authority within 72 hours under Article 33 GDPR, and where required will inform the data subjects under Article 34.

11. Changes to this notice

This notice may be updated at any time to reflect regulatory, organisational, or technical changes. The current version is always available at https://boardesign.it/en/privacy and shows the date of last update at the top.

In the event of substantive changes affecting registered users' rights, data subjects will be informed by e-mail at least 15 days before the new terms take effect.