Privacy Policy

The data controller for personal data processing is Ital Tech Hub S.r.l., headquartered in Italy, contactable at: info@ith.it

We collect the following data:

Through the contact form:

• First and Last Name
• Email address
• Phone number
• Company/organization name
• Professional role
• Type of interest
• Message content

Through cookies and the consent system:

• Unique anonymous identifier
• Cookie preferences (necessary, analytics, marketing)
• Date and time of consent
• IP address (anonymized)
• Browser User Agent
• Privacy policy version accepted

Personal data is processed for the following purposes:

• Responding to information requests submitted through the contact form
• Managing expressions of interest related to the Apulia Tech Hub project
• Sending project-related communications, with prior consent
• Recording and demonstrating consents given (GDPR Art. 7.1 obligation)
• Aggregate statistical analysis of web traffic (with consent)
• Performance and speed monitoring of the website
• Compliance with legal obligations

Data processing is based on the following legal grounds:

• Consent (Art. 6.1.a GDPR): for contact form submission, receiving communications, and analytics/marketing cookies
• Legitimate interest (Art. 6.1.f GDPR): for responding to user requests
• Legal obligation (Art. 6.1.c GDPR): for consent registration (Art. 7.1 GDPR) and legal compliance

In accordance with GDPR Art. 7.1, which requires the controller to be able to demonstrate that the data subject has given consent, we securely record:

• Exact date and time of consent
• Privacy policy version accepted
• Which cookie categories were accepted/rejected
• Collection method (cookie banner)
• Any subsequent modifications or withdrawals

Consent register data is retained for 5 years from the date of collection, as required to demonstrate compliance in case of audits.

• Contact form data: 24 months from collection
• Consent register: 5 years (GDPR obligation)
• Analytics data: 26 months (Google Analytics setting)
• Session cookies: until browser is closed

After retention periods expire, data will be deleted or irreversibly anonymized.

Under the GDPR (EU Regulation 2016/679), data subjects have the right to:

• Access (Art. 15): obtain confirmation of the existence of their data and receive a copy
• Rectification (Art. 16): correct inaccurate or incomplete data
• Erasure (Art. 17): request deletion of their data ("right to be forgotten")
• Restriction (Art. 18): restrict processing in certain cases
• Portability (Art. 20): receive their data in a structured format
• Objection (Art. 21): object to processing for legitimate reasons
• Withdraw consent (Art. 7.3): withdraw consent at any time, as easily as it was given

To exercise these rights, contact: info@ith.it

You may also file a complaint with the supervisory authority (Italian Data Protection Authority - Garante per la Protezione dei Dati Personali - www.garanteprivacy.it).

This website uses the following cookie categories:

• Necessary cookies: essential for website operation (theme preferences, cookie consent)
• Analytics cookies: Google Analytics 4, Microsoft Clarity, Vercel Analytics and Vercel Speed Insights for aggregate statistical analysis (with consent)
• Marketing cookies: Google Tag Manager for advertising tag management (with consent)

You can manage your cookie preferences at any time by clicking "Manage Cookies" in the footer or the cookie icon at the bottom left. For more details, see our Cookie Policy.

We use the following third-party services:

Resend (Email Service)

Transactional email service provided by Resend, Inc. We use Resend to send:

• Response emails to contact form requests
• Investor waitlist confirmation emails
• Administrator invitation and welcome emails
• Notifications related to the Apulia Tech Hub project

Data transmitted to Resend includes: recipient email address, name, message content. Resend acts as a data processor under the service agreement.

• Privacy Policy: resend.com/legal/privacy-policy
• Server location: USA
• Transfer legal basis: Standard Contractual Clauses (SCC) for extra-EU transfers
• Retention: 90 days for transactional email logs

Google Analytics 4

Web analytics service provided by Google LLC. Collects anonymous data on user behavior for statistical purposes. IP anonymization enabled.

• Privacy Policy: policies.google.com/privacy
• Server location: USA
• Transfer legal basis: EU-US Data Privacy Framework (DPF)
• Note: Some EU Data Protection Authorities have raised concerns about Google Analytics GDPR compliance. We use IP anonymization and only collect data with explicit consent.

Microsoft Clarity

Behavioral analytics service provided by Microsoft Corporation. Generates heatmaps and anonymous session recordings to improve user experience.

• Privacy Policy: privacy.microsoft.com
• Server location: USA (Microsoft Azure)
• Transfer legal basis: Standard Contractual Clauses (SCC)

Google Tag Manager

Tag management service provided by Google LLC. Enables centralized management of marketing scripts and tags.

• Privacy Policy: policies.google.com/privacy
• Server location: USA
• Transfer legal basis: EU-US Data Privacy Framework (DPF)

Vercel Analytics

Privacy-friendly web analytics service provided by Vercel Inc. Collects aggregate and anonymous data on site visits without using persistent tracking cookies.

• Privacy Policy: vercel.com/legal/privacy-policy
• Server location: USA
• Transfer legal basis: EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCC)
• Privacy features: No personal identifiers, session hashes discarded after 24 hours

Vercel Speed Insights

Web performance monitoring service provided by Vercel Inc. Measures Core Web Vitals and site performance metrics anonymously.

• Privacy Policy: vercel.com/legal/privacy-policy
• Server location: USA
• Transfer legal basis: EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCC)

Vercel (Hosting)

Hosting and deployment platform provided by Vercel Inc. Data is processed in compliance with GDPR.

• Privacy Policy: vercel.com/legal/privacy-policy
• Server location: Global Edge Network (EU and USA)
• Transfer legal basis: EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCC)

Supabase (Database)

Managed PostgreSQL database for consent registration, contact management and investor area data.

• Privacy Policy: supabase.com/privacy
• Server location: EU (Frankfurt, Germany)
• Legal basis: No extra-EU transfer necessary - data stored entirely in EU
• Security: At-rest and in-transit encryption, Row Level Security (RLS)

Supabase Storage

File storage service for user-uploaded documents (e.g., investor authorization documents). Integrated into the Supabase platform, files are stored on the same EU servers as the database.

• Privacy Policy: supabase.com/privacy
• Server location: EU (Frankfurt, Germany)
• No extra-EU transfer - Data remains in Europe

Some of the third-party services we use are headquartered in the United States. To ensure GDPR compliance, data transfers to the USA are made on the basis of:

EU-US Data Privacy Framework (DPF)

The Data Privacy Framework is the mechanism approved by the European Commission (Adequacy Decision of July 10, 2023) for data transfers to certified organizations in the USA. The following services are DPF certified:

• Google LLC (Google Analytics, Google Tag Manager)
• Vercel Inc. (Hosting, Analytics, Speed Insights)

Standard Contractual Clauses (SCC)

Standard Contractual Clauses are standard clauses approved by the European Commission that guarantee adequate protections for personal data transferred outside the EU. We use SCCs with:

• Resend, Inc.
• Microsoft Corporation (Microsoft Clarity)
• Vercel Inc. (as additional protection to DPF)

Data stored in EU

The following data is stored exclusively on servers located in the European Union and is not subject to extra-EU transfer:

• Main database (Supabase - Frankfurt, Germany): contacts, consents, investor data
• Supabase Storage (EU - Frankfurt, Germany): user-uploaded documents

For users who sign up for the Investor Area waitlist, we collect additional data:

Data collected:

• Email and full name
• Subject type (Private Individual, Private Company, Public Entity)
• For non-private subjects: organization name, role, authorization declaration
• Authorization document (letter of appointment, power of attorney, company registration - PDF max 10MB)
• Investment profile (Retail, Professional, Institutional)
• Optional message

Processing purposes:

• Managing the waitlist for Investor Area access
• Verifying authorization to represent the organization (for non-private subjects)
• Communications related to investment opportunities in the project
• Regulatory compliance (Art. 76 D.P.R. 445/2000 on false declarations)

Legal basis:

• Explicit consent (Art. 6.1.a GDPR)
• Legitimate interest for authorization verification (Art. 6.1.f GDPR)

Retention:

• Waitlist data: 36 months from registration or until Investor Area access
• Authorization documents: 5 years (regulatory requirement Art. 76 D.P.R. 445/2000)

Uploaded documents are stored on Supabase Storage (EU - Frankfurt) with end-to-end encryption and access limited to authorized administrators only. Data never leaves the European Union.

We implement appropriate technical and organizational security measures to protect personal data:

• Communication encryption (HTTPS/TLS 1.3)
• Content Security Policy (CSP) to prevent XSS attacks
• HTTP Strict Transport Security (HSTS)
• Role-based access control
• Database Row Level Security
• Rate limiting to prevent abuse
• Activity monitoring and logging

We reserve the right to modify this Privacy Policy at any time. In case of substantial changes requiring new consent:

• The version number will be updated
• The cookie banner will be displayed again
• Registered users will receive email notification
• Changes will be visible on the Version History page

We encourage you to periodically check this page to stay informed about any changes.