← Back to home

Privacy Policy

Last updated: May 24, 2026

This is a courtesy translation. The Italian version is the legally binding one. In case of any discrepancy, the Italian text prevails.

Data controller

This website https://khayal.digital is operated by:

Khayal Gafarov
Place of business: Perugia (Umbria), Italy
VAT: IT04043230541
Email: khayal.gafarov@libero.it

The controller has not appointed a Data Protection Officer (DPO) under Art. 37 GDPR, as the processing activities do not fall within the categories that require mandatory appointment.

Types of data collected

  • Contact form data: full name, email, phone (optional), company (optional), service type, budget, timeline, and project description.
  • Technical browsing data: IP address, user-agent, pages visited, referrer, date and time of access.
  • Anonymised statistical data collected through Google Analytics (only with prior consent).
  • Technical cookies necessary for the operation of the site (e.g. storing cookie preferences).

Purposes and legal basis of processing

  • Responding to requests submitted through the contact form — legal basis: performance of pre-contractual measures taken at the request of the data subject (Art. 6(1)(b) GDPR) and the consent expressed at the time of submission (Art. 6(1)(a) GDPR).
  • Ensuring the proper technical functioning of the site (technical cookies, security logs) — legal basis: legitimate interest of the controller (Art. 6(1)(f) GDPR).
  • Anonymised statistical analysis of site usage via Google Analytics — legal basis: user’s consent (Art. 6(1)(a) GDPR), which can be withdrawn at any time.

Method of processing

Data are processed by electronic means, with appropriate technical and organisational security measures to prevent unauthorised access, loss or disclosure.

Retention periods

  • Contact form data: retained for 24 months from the last interaction, unless the request develops into a contractual relationship (in which case statutory civil and tax retention periods apply).
  • Google Analytics data: retained for 14 months (the GA4 default), then automatically deleted.
  • Technical cookies: session duration, or up to 6 months for the cookie consent record.
  • Security logs: 30 days, unless required for incident investigation.

Recipients of data and third-party services

To operate the site and handle requests, data may be communicated to the following parties, acting as data processors under Art. 28 GDPR:

  • Vercel Inc. (USA) — hosting and CDN provider. Processes technical browsing data necessary to deliver the site. Vercel privacy policy.
  • Google LLC (USA) — provider of Google Analytics 4. Processes anonymised browsing data for statistical purposes, only with the user’s prior consent. Google privacy policy.
  • Web3Forms (form forwarding service, USA) — receives and forwards by email to the controller the data submitted via the contact form. The service does not retain data permanently. Web3Forms privacy policy.

Extra-EU data transfers

Some of the third-party services listed above (Vercel, Google Analytics, Web3Forms) are based in the United States. Transfers of personal data to such recipients take place on the following legal bases:

  • Vercel Inc. and Google LLC adhere to the EU-US Data Privacy Framework, covered by the European Commission’s adequacy decision of 10 July 2023; the transfer therefore takes place toward a country deemed adequate under Art. 45 GDPR, limited to certified controllers/processors.
  • For Web3Forms, the transfer is based on the Standard Contractual Clauses (SCC) approved by the European Commission with decision 2021/914/EU, supplemented by additional technical and organisational measures in line with EDPB Recommendations 01/2020.

User rights

Under Articles 15-22 GDPR, the user may exercise the following rights at any time:

  • access to their personal data;
  • rectification of inaccurate data or completion of incomplete data;
  • erasure of data (right to be forgotten);
  • restriction of processing;
  • objection to processing based on legitimate interest;
  • data portability;
  • withdrawal of consent at any time, without affecting the lawfulness of the processing carried out before the withdrawal. Consent to analytics cookies can be withdrawn through the “Manage cookies” button in the site footer.

Requests can be sent by email to: khayal.gafarov@libero.it. The controller will respond without undue delay and in any case within 30 days.

Automated decision-making and profiling

The controller does not carry out fully automated decision-making within the meaning of Art. 22 GDPR, including profiling, that produces legal effects or significantly affects the data subject. Data collected through the contact form is reviewed personally by the controller for the purpose of replying to the request. Google Analytics 4 statistics are aggregated and are not used to profile individual users.

Right to lodge a complaint with the supervisory authority

The user has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it) if they believe that the processing of their personal data infringes the applicable law.

Children’s data

The Site has a professional nature and is intended exclusively for adults acting in a business or professional capacity. It is not directed at minors under the age of 18 and the controller does not knowingly collect personal data from minors.

Should the controller become aware of having collected, even inadvertently, personal data from a minor without the verifiable consent of those who exercise parental responsibility, such data will be erased without undue delay. Reports may be sent to khayal.gafarov@libero.it.

For reference, under Art. 8 GDPR and Art. 2-quinquies of the Italian Privacy Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018), Italy has set the age for valid digital consent of minors in relation to information society services at 14 years. The controller nevertheless applies a more protective threshold given the strictly professional nature of the Site.

Cookies

For details on the cookies used by the site, please see the Cookie Policy.

Changes to this notice

This Privacy Policy may be updated at any time. The version in force is always the one published on this page, bearing the date of the latest update.