⚠️ DRAFT — TO BE VALIDATED BEFORE PUBLICATION
Draft compiled from currently available MTF data. Must be fully reviewed by Cimino (DPO) or legal counsel before publication. All items marked [TO VERIFY] require explicit confirmation. To remove draft state: delete this block, update version in frontmatter (e.g. "1.0.0") and set noindex: false.
1. Data controller
MTF Srl
Registered office: Via Tempio del Cielo, 3 — 00144 Rome, Italy
VAT / Tax ID: 03042700124
Share capital: € 20,000.00 fully paid
Phone: +39 06 6385048 — Fax: +39 06 66410392
Email: [email protected]
[TO VERIFY] Indicate whether MTF has appointed a formal Data Protection Officer (DPO) and provide their contact. If Cimino acts as DPO substitute, indicate a dedicated email (e.g. [email protected]) to separate GDPR requests from the general inbox.
2. Types of data processed
Through www.mtf-srl.com MTF processes:
2.1 Data voluntarily provided via the contact form
- First and last name
- Company
- Email address
- Phone number (optional)
- Free-text message
- Solution/service of interest (selection field)
2.2 Attribution data automatically collected
- UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
- gclid (Google Click Identifier), fbclid (Facebook Click Identifier)
- Referrer (origin URL)
- Submission page URL
- Browser user agent
- Visitor IP address (temporarily visible to the Cloudflare Workers serverless service, never stored in clear text)
2.3 Aggregated traffic data
The site uses Cloudflare Web Analytics, a cookie-less traffic measurement system that does not identify individual visitors. No personal data is processed for statistical purposes.
[TO VERIFY] Confirm whether Cloudflare Web Analytics is in use and whether no other trackers (Google Analytics, Meta Pixel, etc.) are active. If additional trackers are activated in the future, update this section.
3. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Responding to requests received via the contact form or direct email | Art. 6.1.b GDPR — Implementation of pre-contractual measures at the data subject’s request |
| Tracking lead origin (UTM/gclid/referrer) to optimize marketing activities | Art. 6.1.f GDPR — Legitimate interest of the Controller in improving its commercial channels |
| Sending follow-up commercial communications to acquired customers | Art. 6.1.f GDPR — Legitimate interest, with right to object at any time |
| Compliance with legal obligations (tax, accounting, retention) | Art. 6.1.c GDPR — Legal obligation |
[TO VERIFY] If MTF intends to send newsletters or promotional communications to subjects who are NOT acquired customers, explicit consent is required (art. 6.1.a). Add purpose + legal basis + consent collection mechanism.
4. Retention period
| Data | Retention |
|---|---|
| Contact form data if NO commercial opportunity materializes | 24 months from last contact |
| Contact form data if opportunity or contractual relationship is established | Duration of relationship + 10 years (tax/accounting obligations) |
| Attribution data (UTM/gclid) | 24 months (aggregate use for channel performance analysis) |
| Temporary lead queue on Cloudflare KV | Maximum 7 days (auto-deletion) |
5. Recipients
Data may be communicated to the following recipients, exclusively for the purposes listed above:
- MTF authorized internal staff (commercial, technical, administrative teams)
- Resend (Resend Inc., United States) — provider of transactional email service, acting as Data Processor (art. 28 GDPR), with signed DPA and Standard Contractual Clauses (SCC)
- Cloudflare, Inc. (United States) — provider of hosting, edge serverless and KV storage services, acting as Data Processor, with signed DPA and SCC
- SAP Italia S.p.A. — exclusively for leads transferred to the SAP Business One CRM, with related processing agreements
[TO VERIFY] Confirm DPA agreements actually signed with each provider. Update if providers change or new ones are added (e.g. Telegram for internal notifications, LinkedIn for outbound, external CRM).
6. Non-EU transfers
Some Data Processors (Resend, Cloudflare) are headquartered in the United States. Data transfers are governed by:
- Standard Contractual Clauses (SCC) approved by the European Commission
- Where applicable, EU-US Data Privacy Framework certifications of the respective providers
[TO VERIFY] Verify current DPF status and adherence of Resend and Cloudflare to the framework. Update references based on regulatory developments.
7. Data subject rights
Pursuant to articles 15-22 of GDPR, the data subject is entitled to:
- Access their personal data (art. 15)
- Rectify inaccurate data (art. 16)
- Erase the data (art. 17, “right to be forgotten”)
- Restrict processing (art. 18)
- Obtain data portability (art. 20)
- Object to processing based on legitimate interest (art. 21)
- Withdraw consent, where given (art. 7.3)
- Complain to the supervisory authority (in Italy: Garante per la protezione dei dati personali — www.garanteprivacy.it)
To exercise these rights, write to [email protected] with “GDPR Request” in the subject.
[TO VERIFY] If MTF has a dedicated privacy email (e.g. [email protected] or [email protected]), replace here.
8. Cookies
For information on technical cookies in use and how to manage them, please refer to the Cookie Policy.
9. Security
MTF adopts appropriate technical and organizational measures to protect data from unauthorized access, loss or destruction, including:
- Encrypted communications via HTTPS/TLS on all channels
- Internal CRM access controls with authentication and role-based permissions
- Periodic encrypted backups
- Access and transfer monitoring
10. Updates to this notice
This notice may be updated. The effective date and version number are shown at the bottom. Substantial changes will be communicated, where possible, to identified data subjects.
Version and effective date are shown in the page header.