Privacy
Last updated: June 2026
1. Data controller
- Controller: Sessa Francesco Antonio (natural person)
- NIF: ESZ4443995D
- Address: C. de Fray Ceferino González 9, 28005 Madrid, España
- Email: info@hypatialabs.it
No Data Protection Officer has been designated, as the conditions set out in Article 37 GDPR are not met. For any request relating to data protection, you may contact the data controller at the address indicated above.
2. Data we collect
We collect personal data in the following circumstances:
2.1. Contact form (Web3Forms)
When you submit the contact form, we collect: first name, last name, phone (optional), email and the content of the message you choose to include. The submission of this data is processed through Web3Forms, which acts as a data processor and forwards the form content to our email address without storing it permanently. You can review its privacy policy at web3forms.com/privacy.
Purpose: to respond to the contact request submitted.
Legal basis: consent of the data subject (Article 6.1.a GDPR) and the performance of pre-contractual measures (Article 6.1.b GDPR).
2.2. Communications by email
When you write to us at info@hypatialabs.it, we process your email address and the content of your message in order to respond to your request.
Purpose: to respond to requests and manage the pre-contractual relationship.
Legal basis: consent of the data subject (Article 6.1.a GDPR) and the performance of pre-contractual measures (Article 6.1.b GDPR).
2.3. Web analytics (Umami)
We use Umami, an open source and privacy-friendly web analytics tool, hosted on our own server (analytics.hypatialabs.it). Umami does not use cookies, does not collect personally identifiable data and does not perform cross-site tracking. The data collected are: pages visited, referrer, browser type and country (based on an anonymised IP address, which is not stored).
Purpose: to obtain aggregated and anonymous statistics on the use of the website.
Legal basis: the legitimate interest of the controller (Article 6.1.f GDPR).
3. Recipients of the data
Personal data may be disclosed to the following third-party data processors:
- Web3Forms — processing and sending of the contact form.
- Cloudflare Inc. — website hosting (Cloudflare Pages) and CDN.
Web analytics (Umami) is run on the controller's own server; there is no transfer of data to third-party analytics providers.
Personal data will not be transferred to other third parties except where required by law. The relevant Data Processing Agreements (Article 28 GDPR) have been entered into with Web3Forms and Cloudflare Inc.
4. International transfers
Web3Forms: the contact form data may be processed on servers located outside the European Economic Area (United States). Such transfer is governed by the Standard Contractual Clauses approved by the European Commission. Web3Forms forwards the form content to the controller's email address without storing it permanently.
Cloudflare Inc.: the data processed by Cloudflare may be transferred to the United States. Such transfer takes place on the basis of the EU-US Data Privacy Framework and the Standard Contractual Clauses approved by the European Commission.
5. Retention period
| Processing | Term |
|---|---|
| Contact form data (first name, last name, phone, email, message) | 2 years from the last contact or until consent is withdrawn |
| Communications by email | 3 years (general civil limitation period, Article 1964 of the Spanish Civil Code) |
| Umami analytics (aggregated data) | 24 months on a rolling basis |
| Cloudflare logs | According to Cloudflare's retention policy (normally 30 days) |
6. Rights of the data subject
You may exercise the following rights in relation to your personal data:
- Access: to know which personal data are being processed.
- Rectification: to request the correction of inaccurate data.
- Erasure: to request the deletion of the data.
- Objection: to object to the processing of your data.
- Restriction: to request the restriction of processing.
- Portability: to receive the data in a structured format.
- Complaint: to lodge a complaint with the Agencia Española de Protección de Datos (www.aepd.es).
Where processing is based on consent, the data subject has the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal (Article 7.3 GDPR).
To exercise these rights, send an email to info@hypatialabs.it stating your request and attaching a copy of your identity document.
7. Security
Appropriate technical and organisational measures are adopted to protect personal data from unauthorised access, loss or destruction. The website is delivered over an encrypted HTTPS connection.