Legal notice

Privacy Policy

Last updated: 12 May 2026 · Version 2.3

This notice describes how Rayo Consulting di Patriarchi Dylan collects, uses and protects the personal data of users who visit the rayo.consulting website (including the www.rayo.consulting version), in compliance with EU Regulation 2016/679 (GDPR), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and the Italian Data Protection Authority's Order on cookies of 8 January 2022.


Art. 1 · Data Controller

Rayo Consulting di Patriarchi Dylan VAT number: IT 03988190546 Registered office: Vocabolo Marcheggiane 56/C, 06012 Città di Castello (PG), Italy Email: info@rayo.consulting Phone: +39 327 174 6038

For any questions regarding the processing of your personal data, you can contact us at the email address above. No DPO has been appointed as the conditions set out in Art. 37 GDPR do not apply.


Art. 2 · Types of data collected

2.1 Navigation data

IT systems automatically acquire certain technical data necessary for transmitting communications over the computer network: IP addresses, browser type, operating system, request time, referring URL (referrer) and other parameters of the computing environment. Such data are not associated with identifiable users and are used for security purposes and aggregate statistics.

2.2 Data provided voluntarily by the user

We collect the data you provide through:

  • Contact form: first and last name, email address, company name, VAT number, service of interest, indicative budget and project description.
  • External Typeform forms (not embedded in the site): the data you enter in questionnaires hosted on typeform.com and linked from our pages (e.g. sales enquiries, discovery, brief collection).
  • Newsletter subscription: email address and explicit consent to processing.
  • Direct communications: any personal data contained in emails, WhatsApp messages or other direct contact channels.

2.3 Data collected automatically through cookies and analytics tools

With your consent, we collect aggregate analytics data on the use of the site through Google Analytics 4. For details, see Arts. 7 and 8.


Art. 3 · Purposes and legal basis of processing

PurposeLegal basis (GDPR Art. 6)
Responding to contact requests and providing quotesArt. 6(1)(b) · performance of pre-contractual measures
Collecting requests and briefs via external Typeform formsArt. 6(1)(b) · performance of pre-contractual measures
Sending the newsletter with informational and commercial contentArt. 6(1)(a) · explicit consent of the data subject
Technical operation of the site (security logs, abuse prevention)Art. 6(1)(f) · legitimate interest of the Controller
Compliance with legal, tax and accounting obligationsArt. 6(1)(c) · legal obligation
Aggregate statistical analysis of site usage (Google Analytics 4)Art. 6(1)(a) · explicit consent of the data subject
Saving cookie preferences (localStorage)Art. 6(1)(f) · legitimate interest (technical functionality)

We do not use your data for automated profiling, behavioural marketing or to make automated decisions with legal effects (Art. 22 GDPR).


Art. 4 · Retention period

Type of dataRetention period
Contact form dataUntil the request is handled; if a contractual relationship is established, 10 years for tax purposes (Art. 2220 Italian Civil Code)
Data collected via external Typeform formsUntil the request is handled; if a contractual relationship is established, 10 years for tax purposes (Art. 2220 Italian Civil Code)
Newsletter email addressUntil consent is withdrawn (unsubscribe)
Navigation and security logsNo longer than 30 days, unless required to investigate unlawful acts
Google Analytics data (with consent)14 months (GA4 default setting, per Google policy)
Cookie preferences (localStorage)12 months from the date it is set
_ga and _ga_* cookies (with consent)2 years from the date they are set

Art. 5 · Your rights (Arts. 15–22 GDPR)

As a data subject, you have the right to:

  • Access (Art. 15): obtain confirmation as to whether processing of data concerning you is taking place and, if so, obtain a copy.
  • Rectification (Art. 16): request the correction of inaccurate data or the completion of incomplete data.
  • Erasure (Art. 17): request the deletion of your personal data ("right to be forgotten"), unless overriding legitimate grounds or legal obligations apply.
  • Restriction of processing (Art. 18): obtain the suspension of processing in certain cases (e.g. contesting the accuracy of the data).
  • Portability (Art. 20): receive, in a structured, commonly used and machine-readable format, the data you have provided on the basis of consent or a contract.
  • Objection (Art. 21): object to the processing of your data based on the Controller's legitimate interest.
  • Withdrawal of consent: at any time, via the "Cookie preferences" link in the site footer or by sending a request to info@rayo.consulting. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Complaint: lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it), located at Piazza Venezia 11, 00187 Rome.

To exercise your rights, send a request to info@rayo.consulting. We will respond without undue delay and in any case within 30 days of receiving the request, as provided by Art. 12 GDPR. In particularly complex cases, the deadline may be extended by a further 60 days, with prior reasoned notice.


Art. 6 · Recipients and data processors

Your personal data are not sold, rented or transferred to third parties for marketing purposes. They may be disclosed to the following categories of parties, acting as Data Processors pursuant to Art. 28 GDPR, bound by specific contractual agreements:

Technical service providers

ProviderServiceLocationTransfer safeguards
Vercel Inc.Website hosting and CDNUSA (servers also in Europe)SCC + Data Processing Addendum (included in the terms of service; for the Hobby plan, written confirmation can be requested at privacy@vercel.com)
Brevo SAS (formerly Sendinblue)Sending transactional emails (contact form and newsletter)France (EU)Directly subject to the GDPR
Typeform S.L. (with the support of Typeform US LLC and sub-processors)Data collection via external forms linked from the siteSpain (EU) + possible transfers outside the EEASCC (where applicable) + Data Processing Agreement
Google LLCStatistical analysis (Google Analytics 4) · only with consentUSASCC + Google Ads Data Processing Terms

Public authorities

Data may be disclosed to judicial, police or other Italian or European public authorities when required by law or by orders from the authorities.

6.1 Externally hosted Typeform forms

Some data collection takes place through forms hosted on the external domain typeform.com (therefore outside the rayo.consulting site and not embedded via iframe).
When you fill in such forms, Typeform acts as a data processor on our behalf under the applicable contractual terms (Typeform DPA).
The list of Typeform's sub-processors and the related safeguards is available in the official Typeform documentation.


Art. 7 · Cookies and tracking technologies

The rayo.consulting website uses cookies and similar technologies. Below is the complete classification.

7.1 Technical / essential cookies

Necessary for the correct functioning of the site. They do not require consent under the Italian Data Protection Authority's Order of 8 January 2022.

NameTypeDurationPurpose
rayo_cookie_consent_v2localStorage (not an HTTP cookie)12 monthsSaves the user's cookie preferences so the banner is not shown again

Note: the cookie preference is saved in the browser's localStorage, not via an HTTP cookie. It is not sent to the server.

7.2 Analytics cookies (with consent)

Activated only after your explicit consent via the banner. Used to collect aggregate and anonymous data on the use of the site (pages visited, duration, device, country). Not used for individual profiling.

NameProviderDurationPurpose
_gaGoogle Analytics 42 yearsDistinguishes users; contains an anonymous identifier
_ga_G-FSDE8KC4X4Google Analytics 42 yearsMaintains the session state for the specific GA4 property
_gidGoogle Analytics 424 hoursDistinguishes users over the course of a single day

7.3 Managing preferences

You can change your cookie preferences at any time via:

  • The "Cookie preferences" button in the site footer.
  • The floating cookie icon in the bottom left.
  • By sending a request to info@rayo.consulting.

You can also disable cookies directly in your browser. For specific instructions, consult the guide for the browser you use. Disabling analytics cookies does not compromise the usability of the site.

7.4 Links to external services (Typeform)

When you click a link that opens a form on typeform.com, you leave our domain.
Any cookies or tracking technologies set on typeform.com are governed by Typeform's privacy/cookie policy and not by this notice.


Art. 8 · Google Analytics 4 and Consent Mode v2

The site implements Google Analytics 4 (Property: G-FSDE8KC4X4) with Google Consent Mode v2.

How it works

  • Before consent: the GA4 script is loaded but with the following signals denied: analytics_storage: 'denied', ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied'. In this mode Google does not place tracking cookies and does not collect identifying data. It may collect aggregate, "cookieless" data for statistical modelling (behavioural modelling), in a fully anonymous form.
  • After consent: if you accept analytics cookies, analytics_storage: 'granted' is sent, the GA4 cookies are activated and sessions are tracked normally with anonymize_ip: true. The ad_storage, ad_user_data and ad_personalization signals remain 'denied' as the site does not use behavioural advertising.
  • Withdrawal of consent: by setting preferences to "reject" or changing preferences, analytics_storage: 'denied' is sent and the GA4 cookies are blocked.

Processing by Google

The data collected by Google Analytics are processed by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The transfer to the USA is covered by the Standard Contractual Clauses (SCC) approved by the European Commission. For more information: policies.google.com/privacy.

The Controller has configured GA4 with:

  • Anonymised IP (anonymize_ip: true): the IP address is truncated before being processed.
  • Data retention: 14 months.
  • No sharing with Google for advertising purposes.
  • No cross-site tracking or integration with Google Ads.

To disable Google Analytics tracking on all sites, you can use the browser add-on: tools.google.com/dlpage/gaoptout.

8.1 · Behavioural events tracked

With your consent, in addition to standard page views, GA4 records the following interaction events:

EventWhen it triggersData transmitted
page_viewOn each page loadURL, page title, referral source
cta_call_clickClick on the "Book a free call" buttonevent_category parameter (e.g. hero, cta_marquee)
newsletter_submitSuccessful newsletter subscriptionevent_category parameter (e.g. newsletter_home, newsletter_page)
contact_form_submitSuccessful submission of the contact formevent_category parameter (contact)

None of these events contain identifying personal data (email address, name, phone number or IP address). They transmit only anonymous behavioural signals. They are sent to Google only after the user's explicit consent (analytics_storage: 'granted'). Without consent, no event is forwarded to Google in identifiable form.


Art. 9 · Transfers outside the European Economic Area

Some of the providers listed in Art. 6 transfer data outside the EEA, in particular to the United States of America. Such transfers take place exclusively on the basis of adequate safeguards pursuant to Arts. 44-46 GDPR, namely:

  • Standard Contractual Clauses (SCC) adopted by European Commission Decision 2021/914/EU.
  • EU-US Data Privacy Framework (DPF), where applicable.

For details on each provider's transfers, please consult their respective privacy notices and Data Processing Agreements. In particular, for Typeform please refer to:


Art. 10 · Data security

We adopt technical and organisational measures appropriate to the risks in order to protect personal data from unauthorised access, loss, destruction or accidental disclosure, in compliance with Art. 32 GDPR. In particular:

  • The site uses encrypted HTTPS/TLS connections.
  • Data transmitted through the forms are encrypted in transit.
  • Access to credentials and systems is limited to authorised personnel.
  • Service providers are also selected on the basis of their security safeguards.

In the event of a personal data breach that poses risks to the rights and freedoms of data subjects, we will notify the Italian Data Protection Authority within 72 hours pursuant to Art. 33 GDPR.


Art. 11 · Changes to this notice

We reserve the right to update this notice at any time to reflect regulatory, technical or operational changes. The updated version will be published on this page with the new revision date and the updated version number.

In the event of substantial changes affecting the processing of data provided by you (e.g. new purposes, new recipients), we will inform you by email if you have provided your address in the context of the newsletter or a contract.

We invite you to consult this page periodically. The last revision is indicated at the top of the document.