Document drafted pursuant to Art. 13 of Regulation (EU) 2016/679 (GDPR)
Last updated: 18 Gennaio 2026
In compliance with the principle of transparency set forth in Art. 12 of Regulation (EU) 2016/679 (hereinafter 'GDPR'), please be advised that the Data Controller is McFrancis, a legal entity under Italian law with its registered office at Via Sandro Botticelli 58, Turin, Tax Code/VAT No. 12272120010. Any request concerning data protection may be formally addressed to the certified email (PEC) address steven.di.francesca@pec.it or to the dedicated email address steven@mcfrancis.com.
The processing of personal data is guided by the principles of lawfulness, fairness, and transparency (Art. 5 GDPR) and is based on the following legal grounds (Art. 6 GDPR):
The Data Controller acquires and processes, within the limits of the principle of data minimization (Art. 5.1.c GDPR):
Processing is carried out using IT and electronic tools suitable for ensuring security (Art. 32 GDPR) and confidentiality. Data will be stored for the period strictly necessary to achieve the purposes (storage limitation principle), and specifically:
| Category | Purpose | Legal basis | Duration |
|---|---|---|---|
| Contact details | Inquiry management/pre-contractual | Art. 6.1.b GDPR | Up to 24 months from the last interaction |
| Contractual data | Performance of the contract and legal obligations | Art. 6.1.b/6.1.c GDPR | 10 years (statute of limitations/tax purposes) |
| Access logs | Security, anti-fraud | Art. 6.1.f GDPR | 12 months (unless otherwise required by law) |
| Marketing | Commercial communications | Art. 6.1.a GDPR | 24 months (consent renewal) |
Data will not be disseminated. It may be shared with third parties, appointed where necessary as Data Processors pursuant to Art. 28 of the GDPR (e.g., IT service providers, legal and tax consultants), or with Public Authorities in the exercise of their legitimate functions.
The Data Subject may exercise at any time the rights set forth in Articles 15-22 of the GDPR (Access, Rectification, Erasure/Right to be Forgotten, Restriction, Portability, Objection) by submitting a formal request to the Data Controller. The right to lodge a complaint with the Data Protection Authority (Art. 77 GDPR) remains unaffected should they believe that the processing violates current regulations.
Providing data for contractual purposes is mandatory; failure to do so will make it impossible to proceed with the mediation relationship. Providing data for marketing purposes is optional, and withholding consent does not affect your access to the main services.
Personal data is stored on servers located within the European Union. Should it become necessary, for technical and operational reasons, to use entities located outside the European Economic Area (EEA), the transfer will take place in accordance with Chapter V of the GDPR, following the signing of Standard Contractual Clauses (SCC) or the verification of Adequacy Decisions by the European Commission.
The Owner reserves the right to make changes to this privacy policy at any time by notifying Users on this page. It is therefore recommended to check this page frequently, referring to the date of the last modification listed at the bottom.
Data processing follows a 'Zero-Knowledge' security model (Zero-Knowledge Architecture). Personal data collected via the public interface (SAMI) is transmitted and stored in the hardened management system (Janus II) exclusively in encrypted format. The process includes:
If personal data is not obtained directly from the data subject, the Controller shall inform the data subject, within a reasonable period and in any case no later than one month (or at the first useful contact), regarding: the sources from which the data originate, the categories of data being processed, the purposes and legal bases, the recipients, as well as the rights recognized by the GDPR.
The Data Controller adopts incident management procedures compliant with Articles 33–34 of the GDPR. In the event of a personal data breach, where the breach poses a risk to the rights and freedoms of natural persons, notification to the Supervisory Authority will be made within 72 hours and, if there is a high risk, communication to the data subjects. The process includes: containment, forensic analysis, impact assessment, corrective measures, and recording the event in the incident log.
For matters concerning personal data protection, the data subject may contact the Data Controller at the address steven@mcfrancis.com or the certified email (PEC) address steven.di.francesca@pec.it. If a Data Protection Officer (DPO) is appointed, the relevant contact details are published on this page. A dedicated channel is available for reporting vulnerabilities or security incidents.