Last updated: May 2026
Privacy & cookies
This notice is written with an applied cybersecurity and privacy-engineering mindset: it explains, in a technical and transparent way, which personal data is actually involved when you visit the portfolio, which security and resilience measures (including service continuity objectives) are applied at application level, and which cookies are used. The controller may update this text—please review it periodically.
1. Data controller
The data controller is Mattia Lazzari. To exercise your GDPR rights (Articles 15–22) or for privacy-related requests, use the contact details in the site’s contact section (including the professional email address).
2. Categories of data
Contact form (Formspree): collection is minimised on the contact channel. Your email address is collected through Formspree as the operational identifier needed to reply; any further personal data depends solely on what you freely choose to include in the message body. Formspree provides submission infrastructure; operational processing by that provider is governed by its contractual and privacy documentation.
Technical data and session/consent cookies: only technical cookies (or equivalent browser local storage) required for secure operation are used—for example to remember consent and to manage controlled unlocking of content. Systems that deliver the site may also automatically collect data implicitly transmitted when using Internet protocols (e.g. IP address, browser type, access times), processed by the hosting provider strictly as needed for delivery, security logging, and infrastructure resilience.
3. Purposes
Establish professional relationships initiated through the contact form (handling inbound requests and relevant follow-up).
Allow you to browse the site and read informational content about professional background and showcased projects.
Comply with legal obligations and handle disputes or requests from competent authorities.
4. Legal basis
Your consent (for technical cookies and for storing the consent choice) and the controller’s legitimate interests (for site security, abuse prevention, and protection of service integrity), with the operational detail below.
For technical cookies strictly tied to storing the consent choice and controlled unlocking of assets, your consent applies where required by applicable law.
For site security, technical service operation, and protection of portfolio integrity—including processing by the hosting provider strictly supporting those purposes—the legal basis is legitimate interests.
For data submitted via the contact form: your consent and/or pre-contractual measures at your request, depending on the nature of the inquiry.
5. Retention
Data submitted by email is retained only for as long as needed to respond to the request; the same principle applies to requests sent through the contact form. Where applicable, data may be retained for any further period imposed by law. Server/hosting logs are retained according to the infrastructure provider’s policies.
6. Recipients and processors
Data may be processed by providers strictly necessary to run the site, such as: hosting (e.g. Vercel or equivalent), headless CMS in the cloud (e.g. Sanity for images and copy), and Formspree for contact-form submission, within the limits of their privacy notices and applicable data-processing agreements or standard contractual clauses.
7. Security, resilience, and integrity (NIS2-oriented)
This site adopts technical measures intended to support availability and integrity of data and to reduce risks of unauthorised access (an infrastructure-resilience note aligned with NIS2-oriented continuity and security objectives at digital-service level).
The architecture is designed to mitigate common web-application threats and protect portfolio integrity, for example through a Content Security Policy (CSP) aimed at limiting unnecessary script execution, constraining non-essential external scripts, and separating static content from interactive components. These measures do not replace full organisational compliance assessments, but they document a deliberate approach to reducing application-level attack surface.
8. Your rights
You may request access, rectification, erasure, restriction and portability (where applicable), and may object to processing, where provided by Regulation (EU) 2016/679. You may lodge a complaint with your local supervisory authority (in Italy, the Garante per la protezione dei dati personali).