Privacy Policy
Last updated: 06/05/2026
This Privacy Policy describes how Andrea Berni (WaveStaq) processes the personal data of users visiting this website ("Site"), in accordance with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
Data Controller
The Data Controller is:
- Andrea Berni (brand: WaveStaq)
- VAT number: 04225350364
- Registered office: Strada Cavo Argine 34/6, 41121 Modena (MO)
- Operational office: Via Tandura 38, 00144 Roma (RM)
- Email: info@wavestaq.com
For any request regarding the processing of your personal data, please write to info@wavestaq.com.
A Data Protection Officer (DPO) has not been appointed pursuant to Article 37 GDPR, as the conditions of mandatory designation set out in the regulation do not apply.
Types of data collected
The Controller collects the following categories of personal data, either automatically during navigation or voluntarily provided by the user:
Data collected automatically
- Navigation data: IP address (anonymised), browser type, operating system, pages visited, visit duration, referrer, browser language, screen resolution
- Technical and session cookies (see Cookie Policy)
- Statistical tracking tools (Google Analytics 4) activated only with prior consent
Data voluntarily provided
- Contact form data: name, email address, text message, phone number (optional)
- reCAPTCHA token: to verify that submissions do not originate from automated bots
No special category data (Article 9 GDPR) — such as data relating to health, religious opinions or sexual orientation — is collected by this Site.
Processing methods and location
Personal data is processed using electronic tools with security measures appropriate to prevent loss, unauthorised access, alteration or disclosure (Article 32 GDPR), including:
- HTTPS (TLS 1.2+) connection across the entire Site
- Anonymisation of the IP address before being written to logs (last octet zeroed for IPv4, last 80 bits zeroed for IPv6)
- SHA-1 hash of the User-Agent in consent records, so that it is not directly linkable to an individual user
- Encrypted daily database backups
- Administrative panel access protected by individual credentials
Data is processed at the Controller's offices (Strada Cavo Argine 34/6, 41121 Modena (MO) and Via Tandura 38, 00144 Roma (RM)) and at the hosting provider's servers located within the European Economic Area (EEA).
Some third-party services (e.g. Google Analytics, Google reCAPTCHA) may involve the transfer of data to non-EU countries. In such cases, transfers are based on the Standard Contractual Clauses (SCC) approved by the European Commission or analogous adequate safeguards under Chapter V GDPR.
Purposes and legal basis of processing
Personal data is processed for the following purposes:
| Purpose | Legal basis (GDPR) | Type of data |
|---|---|---|
| Provision of the Site (technical cookies, session) | Art. 6.1.f — legitimate interest | Navigation data, session cookies |
| Replying to contact form requests | Art. 6.1.b — pre-contractual measures | Name, email, message |
| Form protection from automated submissions (reCAPTCHA) | Art. 6.1.f — legitimate interest | Token, IP address |
| Site usage statistics (Google Analytics 4) | Art. 6.1.a — consent | Aggregated usage data |
| Compliance with legal obligations (consent log, audit) | Art. 6.1.c — legal obligation | Anonymised IP, timestamp, consent token |
Third-party services used
Google Analytics 4
Provider: Google Ireland Limited (EU) / Google LLC (USA)
Purpose: anonymous measurement of Site traffic (number of visits, page views, sources, session duration)
Data collected: statistical cookies (_ga, _ga_*), anonymised IP address, usage data
Legal basis: user consent (Art. 6.1.a GDPR)
Retention: 14 months (GA4 default)
Non-EU transfer: USA, based on Standard Contractual Clauses
Google Privacy Policy · Opt-out
Google Tag Manager
Provider: Google Ireland Limited (EU) Purpose: technical orchestration of third-party scripts (does not itself collect tracking data) Legal basis: legitimate interest (Art. 6.1.f GDPR) for the empty container; orchestrated scripts each follow their own legal basis Retention: no persistent data
Google reCAPTCHA
Provider: Google Ireland Limited (EU) / Google LLC (USA)
Purpose: protection of Site forms from spam and automated abuse
Data collected: _GRECAPTCHA cookie, IP address, behavioural data (mouse movement, click patterns)
Legal basis: Controller's legitimate interest in the security of its systems (Art. 6.1.f GDPR)
Non-EU transfer: USA, Standard Contractual Clauses
Google reCAPTCHA Privacy Policy
Contact form
Purpose: responding to information requests sent by the user Data collected: name, email, message, phone (optional) Legal basis: pre-contractual measures at the request of the data subject (Art. 6.1.b GDPR) Retention: messages are kept for the time needed to handle the request and for a maximum of 24 months, unless evolving into a contractual relationship
Hosting
The Site is hosted by a provider located within the European Economic Area. Technical access logs (IP, user-agent, requested URL, timestamp) are kept by the provider for IT security purposes for a maximum of 30 days.
Data retention period
| Data | Retention period |
|---|---|
| Technical session cookies | Duration of the browser session |
Consent cookie (andreaberni_legal_consent) |
60 days from the user's choice |
| Consent log (audit) | 5 years (Art. 7.1 GDPR obligation to demonstrate consent) |
| Google Analytics cookies | 14 months (GA4 default) |
| reCAPTCHA cookies | 6 months |
| Contact form messages | Up to 24 months from last contact |
| Hosting technical logs | 30 days |
At the end of the retention period, data is deleted or anonymised.
Data subject rights
Pursuant to Articles 15-22 GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure of data ("right to be forgotten", Art. 17)
- Restrict processing (Art. 18)
- Portability of data in a structured format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (Art. 7.3), without affecting the lawfulness of processing based on consent prior to withdrawal
- Lodge a complaint with the supervisory authority: the Italian Data Protection Authority (Garante per la protezione dei dati personali) — www.garanteprivacy.it
To exercise these rights, write to info@wavestaq.com with subject "GDPR rights request".
The Controller will respond within 30 days of receiving the request, extendable by a further 60 days in cases of particular complexity (Art. 12.3 GDPR).
See also the dedicated page: Your GDPR rights
Cookies
For detailed information on the cookies used by the Site, see the Cookie Policy.
You can change your cookie preferences at any time by clicking on the shield icon in the bottom-left corner of every page of the Site.
Changes to this Privacy Policy
The Controller reserves the right to modify this Privacy Policy at any time, for instance to align it with new legal provisions or new services activated.
Substantial changes will be notified to users via a clearly visible notice on the Site. The date of last modification is shown at the top of the document.
The history of previous versions is kept by the Controller and available upon written request.
Definitions
Personal data: any information relating to an identified or identifiable natural person.
Processing: any operation performed on personal data (collection, recording, organisation, storage, consultation, modification, communication, deletion).
Controller: the natural or legal person who determines the purposes and means of processing.
Data subject: the natural person to whom the personal data refers.
Cookie: small text file stored on the user's device to allow the Site to function correctly or to collect usage statistics.
Tracking tools: cookies and any other technology (e.g. pixels, fingerprinting, local storage) that allows users to be identified or tracked.
For any questions about this Privacy Policy, please write to info@wavestaq.com.
WaveStaq