Legal notice
Privacy Policy
This notice describes how Rayo Consulting di Patriarchi Dylan collects, uses and protects the personal data of users who visit the rayo.consulting website (including the www.rayo.consulting version), in compliance with EU Regulation 2016/679 (GDPR), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and the Italian Data Protection Authority's Order on cookies of 8 January 2022.
Art. 1 · Data Controller
Rayo Consulting di Patriarchi Dylan VAT number: IT 03988190546 Registered office: Vocabolo Marcheggiane 56/C, 06012 Città di Castello (PG), Italy Email: info@rayo.consulting Phone: +39 327 174 6038
For any questions regarding the processing of your personal data, you can contact us at the email address above. No DPO has been appointed as the conditions set out in Art. 37 GDPR do not apply.
Art. 2 · Types of data collected
2.1 Navigation data
IT systems automatically acquire certain technical data necessary for transmitting communications over the computer network: IP addresses, browser type, operating system, request time, referring URL (referrer) and other parameters of the computing environment. Such data are not associated with identifiable users and are used for security purposes and aggregate statistics.
2.2 Data provided voluntarily by the user
We collect the data you provide through:
- Contact form: first and last name, email address, company name, VAT number, service of interest, indicative budget and project description.
- External Typeform forms (not embedded in the site): the data you enter in questionnaires hosted on
typeform.comand linked from our pages (e.g. sales enquiries, discovery, brief collection). - Newsletter subscription: email address and explicit consent to processing.
- Direct communications: any personal data contained in emails, WhatsApp messages or other direct contact channels.
2.3 Data collected automatically through cookies and analytics tools
With your consent, we collect aggregate analytics data on the use of the site through Google Analytics 4. For details, see Arts. 7 and 8.
Art. 3 · Purposes and legal basis of processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Responding to contact requests and providing quotes | Art. 6(1)(b) · performance of pre-contractual measures |
| Collecting requests and briefs via external Typeform forms | Art. 6(1)(b) · performance of pre-contractual measures |
| Sending the newsletter with informational and commercial content | Art. 6(1)(a) · explicit consent of the data subject |
| Technical operation of the site (security logs, abuse prevention) | Art. 6(1)(f) · legitimate interest of the Controller |
| Compliance with legal, tax and accounting obligations | Art. 6(1)(c) · legal obligation |
| Aggregate statistical analysis of site usage (Google Analytics 4) | Art. 6(1)(a) · explicit consent of the data subject |
| Saving cookie preferences (localStorage) | Art. 6(1)(f) · legitimate interest (technical functionality) |
We do not use your data for automated profiling, behavioural marketing or to make automated decisions with legal effects (Art. 22 GDPR).
Art. 4 · Retention period
| Type of data | Retention period |
|---|---|
| Contact form data | Until the request is handled; if a contractual relationship is established, 10 years for tax purposes (Art. 2220 Italian Civil Code) |
| Data collected via external Typeform forms | Until the request is handled; if a contractual relationship is established, 10 years for tax purposes (Art. 2220 Italian Civil Code) |
| Newsletter email address | Until consent is withdrawn (unsubscribe) |
| Navigation and security logs | No longer than 30 days, unless required to investigate unlawful acts |
| Google Analytics data (with consent) | 14 months (GA4 default setting, per Google policy) |
| Cookie preferences (localStorage) | 12 months from the date it is set |
_ga and _ga_* cookies (with consent) | 2 years from the date they are set |
Art. 5 · Your rights (Arts. 15–22 GDPR)
As a data subject, you have the right to:
- Access (Art. 15): obtain confirmation as to whether processing of data concerning you is taking place and, if so, obtain a copy.
- Rectification (Art. 16): request the correction of inaccurate data or the completion of incomplete data.
- Erasure (Art. 17): request the deletion of your personal data ("right to be forgotten"), unless overriding legitimate grounds or legal obligations apply.
- Restriction of processing (Art. 18): obtain the suspension of processing in certain cases (e.g. contesting the accuracy of the data).
- Portability (Art. 20): receive, in a structured, commonly used and machine-readable format, the data you have provided on the basis of consent or a contract.
- Objection (Art. 21): object to the processing of your data based on the Controller's legitimate interest.
- Withdrawal of consent: at any time, via the "Cookie preferences" link in the site footer or by sending a request to info@rayo.consulting. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Complaint: lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it), located at Piazza Venezia 11, 00187 Rome.
To exercise your rights, send a request to info@rayo.consulting. We will respond without undue delay and in any case within 30 days of receiving the request, as provided by Art. 12 GDPR. In particularly complex cases, the deadline may be extended by a further 60 days, with prior reasoned notice.
Art. 6 · Recipients and data processors
Your personal data are not sold, rented or transferred to third parties for marketing purposes. They may be disclosed to the following categories of parties, acting as Data Processors pursuant to Art. 28 GDPR, bound by specific contractual agreements:
Technical service providers
| Provider | Service | Location | Transfer safeguards |
|---|---|---|---|
| Vercel Inc. | Website hosting and CDN | USA (servers also in Europe) | SCC + Data Processing Addendum (included in the terms of service; for the Hobby plan, written confirmation can be requested at privacy@vercel.com) |
| Brevo SAS (formerly Sendinblue) | Sending transactional emails (contact form and newsletter) | France (EU) | Directly subject to the GDPR |
| Typeform S.L. (with the support of Typeform US LLC and sub-processors) | Data collection via external forms linked from the site | Spain (EU) + possible transfers outside the EEA | SCC (where applicable) + Data Processing Agreement |
| Google LLC | Statistical analysis (Google Analytics 4) · only with consent | USA | SCC + Google Ads Data Processing Terms |
Public authorities
Data may be disclosed to judicial, police or other Italian or European public authorities when required by law or by orders from the authorities.
6.1 Externally hosted Typeform forms
Some data collection takes place through forms hosted on the external domain typeform.com (therefore outside the rayo.consulting site and not embedded via iframe).
When you fill in such forms, Typeform acts as a data processor on our behalf under the applicable contractual terms (Typeform DPA).
The list of Typeform's sub-processors and the related safeguards is available in the official Typeform documentation.
Art. 7 · Cookies and tracking technologies
The rayo.consulting website uses cookies and similar technologies. Below is the complete classification.
7.1 Technical / essential cookies
Necessary for the correct functioning of the site. They do not require consent under the Italian Data Protection Authority's Order of 8 January 2022.
| Name | Type | Duration | Purpose |
|---|---|---|---|
rayo_cookie_consent_v2 | localStorage (not an HTTP cookie) | 12 months | Saves the user's cookie preferences so the banner is not shown again |
Note: the cookie preference is saved in the browser's localStorage, not via an HTTP cookie. It is not sent to the server.
7.2 Analytics cookies (with consent)
Activated only after your explicit consent via the banner. Used to collect aggregate and anonymous data on the use of the site (pages visited, duration, device, country). Not used for individual profiling.
| Name | Provider | Duration | Purpose |
|---|---|---|---|
_ga | Google Analytics 4 | 2 years | Distinguishes users; contains an anonymous identifier |
_ga_G-FSDE8KC4X4 | Google Analytics 4 | 2 years | Maintains the session state for the specific GA4 property |
_gid | Google Analytics 4 | 24 hours | Distinguishes users over the course of a single day |
7.3 Managing preferences
You can change your cookie preferences at any time via:
- The "Cookie preferences" button in the site footer.
- The floating cookie icon in the bottom left.
- By sending a request to info@rayo.consulting.
You can also disable cookies directly in your browser. For specific instructions, consult the guide for the browser you use. Disabling analytics cookies does not compromise the usability of the site.
7.4 Links to external services (Typeform)
When you click a link that opens a form on typeform.com, you leave our domain.
Any cookies or tracking technologies set on typeform.com are governed by Typeform's privacy/cookie policy and not by this notice.
Art. 8 · Google Analytics 4 and Consent Mode v2
The site implements Google Analytics 4 (Property: G-FSDE8KC4X4) with Google Consent Mode v2.
How it works
- Before consent: the GA4 script is loaded but with the following signals denied:
analytics_storage: 'denied',ad_storage: 'denied',ad_user_data: 'denied',ad_personalization: 'denied'. In this mode Google does not place tracking cookies and does not collect identifying data. It may collect aggregate, "cookieless" data for statistical modelling (behavioural modelling), in a fully anonymous form. - After consent: if you accept analytics cookies,
analytics_storage: 'granted'is sent, the GA4 cookies are activated and sessions are tracked normally withanonymize_ip: true. Thead_storage,ad_user_dataandad_personalizationsignals remain'denied'as the site does not use behavioural advertising. - Withdrawal of consent: by setting preferences to "reject" or changing preferences,
analytics_storage: 'denied'is sent and the GA4 cookies are blocked.
Processing by Google
The data collected by Google Analytics are processed by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The transfer to the USA is covered by the Standard Contractual Clauses (SCC) approved by the European Commission. For more information: policies.google.com/privacy.
The Controller has configured GA4 with:
- Anonymised IP (
anonymize_ip: true): the IP address is truncated before being processed. - Data retention: 14 months.
- No sharing with Google for advertising purposes.
- No cross-site tracking or integration with Google Ads.
To disable Google Analytics tracking on all sites, you can use the browser add-on: tools.google.com/dlpage/gaoptout.
8.1 · Behavioural events tracked
With your consent, in addition to standard page views, GA4 records the following interaction events:
| Event | When it triggers | Data transmitted |
|---|---|---|
page_view | On each page load | URL, page title, referral source |
cta_call_click | Click on the "Book a free call" button | event_category parameter (e.g. hero, cta_marquee) |
newsletter_submit | Successful newsletter subscription | event_category parameter (e.g. newsletter_home, newsletter_page) |
contact_form_submit | Successful submission of the contact form | event_category parameter (contact) |
None of these events contain identifying personal data (email address, name, phone number or IP address). They transmit only anonymous behavioural signals. They are sent to Google only after the user's explicit consent (analytics_storage: 'granted'). Without consent, no event is forwarded to Google in identifiable form.
Art. 9 · Transfers outside the European Economic Area
Some of the providers listed in Art. 6 transfer data outside the EEA, in particular to the United States of America. Such transfers take place exclusively on the basis of adequate safeguards pursuant to Arts. 44-46 GDPR, namely:
- Standard Contractual Clauses (SCC) adopted by European Commission Decision 2021/914/EU.
- EU-US Data Privacy Framework (DPF), where applicable.
For details on each provider's transfers, please consult their respective privacy notices and Data Processing Agreements. In particular, for Typeform please refer to:
Art. 10 · Data security
We adopt technical and organisational measures appropriate to the risks in order to protect personal data from unauthorised access, loss, destruction or accidental disclosure, in compliance with Art. 32 GDPR. In particular:
- The site uses encrypted HTTPS/TLS connections.
- Data transmitted through the forms are encrypted in transit.
- Access to credentials and systems is limited to authorised personnel.
- Service providers are also selected on the basis of their security safeguards.
In the event of a personal data breach that poses risks to the rights and freedoms of data subjects, we will notify the Italian Data Protection Authority within 72 hours pursuant to Art. 33 GDPR.
Art. 11 · Changes to this notice
We reserve the right to update this notice at any time to reflect regulatory, technical or operational changes. The updated version will be published on this page with the new revision date and the updated version number.
In the event of substantial changes affecting the processing of data provided by you (e.g. new purposes, new recipients), we will inform you by email if you have provided your address in the context of the newsletter or a contract.
We invite you to consult this page periodically. The last revision is indicated at the top of the document.