01 Who we are
This Privacy Policy applies to tomthesign.com ("the Site"). The Site is operated by an independent professional acting as data controller under the EU General Data Protection Regulation (GDPR — Regulation EU 2016/679).
Tommaso Siveri
IT 01735830539
Grosseto, Italy
02 Data we collect
The Site does not include any forms, login systems, e-commerce, advertising, or third-party tracking. Personal data is only collected passively when you decide to contact us via the channels exposed on the Site.
Specifically, the following data may be processed:
- Email correspondence: if you write to hello@tomthesign.com (or one of its aliases) or any address linked from the Site, we receive your email address, the content of your message, and any metadata your mail client transmits (e.g. signature, IP, technical headers).
- LinkedIn interactions: the Site contains a link to a LinkedIn profile. If you contact us via LinkedIn DM or interact with the profile, the data you share is subject to LinkedIn's privacy policy, not this one.
- Technical logs: our hosting provider (Netlify, Inc.) may automatically log standard request metadata (IP address, user agent, timestamp) for security, fraud prevention and infrastructure operation. We do not access these logs for analytics or profiling.
03 Why we process it (legal basis)
Personal data is processed exclusively to:
- Reply to commercial inquiries and conduct pre-contractual discussions (Art. 6(1)(b) GDPR: performance of pre-contractual measures at your request);
- Manage an ongoing professional relationship if an engagement materialises (Art. 6(1)(b) GDPR: contract performance);
- Comply with applicable legal and tax obligations (Art. 6(1)(c) GDPR);
- Operate and protect the Site infrastructure (Art. 6(1)(f) GDPR: legitimate interest in technical security).
04 Cookies and tracking
The Site does not use analytics cookies, advertising cookies, fingerprinting, or third-party tracking pixels.
Strictly necessary technical cookies may be set by the hosting provider (Netlify) for security and infrastructure routing purposes. These do not require consent under GDPR (Art. 122 of the Italian Privacy Code as amended).
05 Third parties
The Site loads typographic resources from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). When fonts are loaded, your IP address may be transmitted to and logged by Google LLC for resource delivery purposes. We do not control Google's processing; please refer to Google's Privacy Policy.
The Site is hosted by Netlify, Inc. (USA). Domain DNS is managed by Aruba S.p.A. (Italy). Email infrastructure is provided by Aruba and Google LLC (Gmail). These providers act as data processors under appropriate contractual arrangements.
06 Retention
Personal data received via email is retained for as long as is necessary for the purposes stated above, and in any case no longer than:
- 24 months for inquiries that do not result in an engagement;
- The duration of the engagement plus the legally mandated retention period for tax and contractual documentation (typically 10 years) for active or past clients.
Hosting provider technical logs are retained according to the provider's own retention policy.
07 Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15);
- Request correction of inaccurate data (Art. 16);
- Request deletion of your data (Art. 17) when applicable;
- Request restriction of processing (Art. 18);
- Receive your data in a portable format (Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Lodge a complaint with the supervisory authority — in Italy, the Garante per la protezione dei dati personali (garanteprivacy.it).
To exercise any of these rights, write to hello@tomthesign.com. We will respond within 30 days as required by GDPR Art. 12.
08 International transfers
Some service providers (e.g. Netlify, Google) are based outside the European Economic Area. Where personal data is transferred to such providers, the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) or other adequate safeguards under Chapter V GDPR.
09 Updates
This Privacy Policy may be updated to reflect changes to the Site, applicable law, or service providers. The "Last updated" date at the top reflects the date of the most recent version. Significant changes will be announced visibly on the Site for a reasonable period.