We process personal data in accordance with EU Regulation 2016/679 (GDPR) and applicable Italian law. This policy explains who we are, what data we collect, why we process it, and what rights you have.
1. Data Controller
The data controller is:
Lima Studio di Giovanni Carlo Perniola
Operating address: Segrate (Milan), Italy
VAT: 14678100968
Email: [email protected]
Certified email (PEC): [email protected]
Phone: +39 366 269 0995
2. What data we collect
We only collect data you provide directly.
From the contact form
When you fill in the contact form we collect your name, email address and message. Optionally you can also share phone, company, project type and start date.
From direct communications
Email, WhatsApp or phone: any data you share with us is used solely to reply to your request.
Technical data automatically logged
For security and operational reasons, our hosting (Vercel) and our anti-abuse rate-limiter (Upstash) automatically log IP address, user-agent and timestamp of incoming requests to the site. Legal basis: legitimate interest (Art. 6.1.f GDPR) — protecting the infrastructure and preventing abuse. Retention: Vercel logs for around 30 days, Upstash rate-limit counters for around 24 hours. We do not profile, do not aggregate for commercial purposes, do not resell this data.
3. Why we process your data
Your data is processed for four specific purposes, each with its own legal basis.
Responding to your contact request — legal basis: performance of pre-contractual measures (Art. 6.1.b GDPR). If you write asking for a quote, we need your data to reply.
Infrastructure security and abuse prevention — legal basis: legitimate interest (Art. 6.1.f GDPR). The hosting and rate-limit technical logs described in section 2.
Anonymous navigation statistics (Vercel Web Analytics + Speed Insights) — legal basis: legitimate interest (Art. 6.1.f GDPR). Aggregate, anonymous site-usage measurement; no cookies installed, no identifiable data collected.
Legal obligations — legal basis: legal obligation (Art. 6.1.c GDPR). For example, retention of accounting documents.
4. Who sees your data
Your data is not sold, transferred or shared with third parties for profiling or marketing.
The following parties may access data, acting as data processors or technical providers:
- Resend Inc. — sending transactional email (your contact request lands in our inbox).
- Vercel Inc. — site hosting and technical processing of HTTP requests. Logs IP, user-agent, timestamp, route for security and diagnostics.
- Upstash Inc. — serverless Redis used for rate-limiting the contact form. Logs the visitor IP for request counting (anti-spam / anti-abuse purpose).
- Google LLC — our operational mailbox is temporarily hosted on Gmail (consumer service). Migration to a domain mailbox is planned shortly.
- Mux Inc. — on-demand video streaming for the desktop-only hero video. Receives the video file request and the playback metrics strictly necessary for delivery.
- Meta Platforms Inc. — only if you contact us via the WhatsApp button (redirect to wa.me).
All providers operate in compliance with the GDPR.
5. Data transfers outside the European Union
Some of the providers listed in section 4 are US-based. When you interact with the site, certain personal data (in particular your connection IP and any information you submit through the form) may be transferred to the United States.
Safeguards applied to these transfers, under Chapter V GDPR and the Art. 13.1.f GDPR notice obligation:
- Vercel Inc. — Hosting + edge runtime — United States — Standard Contractual Clauses 2021 (modules 2 and 3) + adherence to the EU-US Data Privacy Framework (DPF).
- Resend Inc. — Transactional email delivery — United States — Standard Contractual Clauses 2021 + DPF.
- Upstash Inc. — Serverless Redis rate-limiting (logs visitor IP) — United States or EU region depending on configuration — Standard Contractual Clauses 2021 + DPF. Processing legal basis: legitimate interest (Art. 6.1.f GDPR).
- Google LLC — Operational contact mailbox (Gmail consumer, temporary) — United States — Data Privacy Framework.
- Mux Inc. — Desktop hero video streaming — United States — Standard Contractual Clauses 2021 + DPF.
- Meta Platforms Inc. — WhatsApp redirect (only if you trigger the button) — United States — Data Privacy Framework.
Transfers to the United States rely, where possible, on the EU-US adequacy decision of 10 July 2023 (Data Privacy Framework) and, residually, on the Standard Contractual Clauses approved by the EU Commission in 2021.
You can request a copy of the applicable standard contractual clauses by writing to [email protected].
6. How long we keep your data
Contact request data is retained only for the time needed to handle your request, and in any case no longer than 24 months from the last communication.
Hosting technical logs (Vercel) are retained for around 30 days; Upstash rate-limit counters for around 24 hours.
Data we are required to retain by law is kept for the period specified by the applicable regulation.
7. Your rights
At any time you can exercise the following rights:
- Access to your personal data
- Rectification of inaccurate or incomplete data
- Erasure ("right to be forgotten")
- Restriction of processing
- Portability of your data in a structured format
- Objection to processing
To exercise your rights write to [email protected] or via certified email to [email protected]. We will reply within 30 days.
You also have the right to lodge a complaint with the competent supervisory authority — the Italian Data Protection Authority (Garante per la protezione dei dati personali), garanteprivacy.it — if you believe the processing of your data violates the GDPR.
8. Changes to this policy
This policy may be updated. The date of the most recent change is shown at the top of the document. We recommend reviewing it periodically.