Privacy Policy
Notice pursuant to article 13 of Regulation (EU) 2016/679 (GDPR). Last updated: 8 May 2026.
a. Identity and contact details of the Data Controller
Agorà Security S.r.l., Viale Sant’Agostino 136, 36100 Vicenza (VI), Italy. Italian fiscal code and VAT ID: 04450760246. Email: privacy@agorasecurity.it
b. Data Protection Officer (DPO)
The Data Controller has not appointed a DPO, as it does not fall within the categories required by art. 37 GDPR. Requests concerning personal data processing may be addressed to privacy@agorasecurity.it.
c. Purposes of the processing and legal bases
| # | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| c.1 | Response to information requests and commercial enquiries | Pre-contractual measures (Art. 6.1.b) |
| c.2 | Provision of requested services, management of the contractual relationship | Performance of a contract (Art. 6.1.b) |
| c.3 | Administrative, accounting and tax compliance | Legal obligation (Art. 6.1.c) |
| c.4 | Recruitment and selection of personnel (spontaneous applications) | Consent of the data subject (Art. 6.1.a) |
| c.5 | Direct email marketing communications to subjects who have requested them | Explicit consent (Art. 6.1.a) |
| c.6 | Website security and abuse prevention (technical navigation logs) | Legitimate interest (Art. 6.1.f) |
d. Categories of personal data processed
- Identification and contact data: first name, last name, email, telephone, company name, business role.
- Curricular data (only for applications): education, training, work experience, skills, qualifications, optional photograph.
- Navigation data: IP address, user-agent, timestamp, requested URIs, server response codes. Automatically collected by the CDN for security purposes.
- Content of communications: data voluntarily provided in emails sent to the addresses published on the site.
- Special categories of data: processed exclusively if voluntarily disclosed in the context of an application.
e. Categories of recipients
- Employees and collaborators of the Data Controller, authorised to process the data.
- Technical providers, designated as Data Processors pursuant to art. 28 GDPR. In particular:
  - GitHub, Inc. — static hosting of the website (GitHub Pages);
  - Cloudflare, Inc. — authoritative DNS, CDN and edge security services.
- Legal, tax and accounting consultants, acting as independent controllers or processors depending on the relationship.
- Judicial, administrative or supervisory authorities, where required by law.
The updated list of Data Processors is available upon written request. Personal data are not disseminated indiscriminately.
f. Transfers of data outside the EU
Any transfers of personal data outside the European Union are carried out in compliance with the GDPR (arts. 44-49) by means of Standard Contractual Clauses adopted by the European Commission with Implementing Decision (EU) 2021/914, or other appropriate safeguards. Specifically:
- the website is hosted on GitHub Pages (GitHub, Inc., 88 Colin P. Kelly Jr. St., San Francisco, CA — United States);
- inbound traffic is routed through the global CDN network of Cloudflare, Inc. (101 Townsend St., San Francisco, CA — United States), which distributes requests to its data centres, including those located outside the European Union, according to its own routing rules.
Both providers adhere to the EU-US Data Privacy Framework and have entered into the Standard Contractual Clauses.
g. Retention period
- Response to information requests: up to 12 months from the request in the absence of a contractual relationship; otherwise for the duration of the contract and the following 10 years (ordinary and tax limitation periods).
- Service delivery and administrative management: duration of the relationship and the following 10 years.
- Recruitment: unsuccessful applications, up to 6 months from the last significant contact; hired candidates, duration of the relationship and the following 10 years.
- Direct marketing: until consent is withdrawn.
- Navigation logs: short periods necessary for security purposes, as detailed in the Cookie Policy.
After these periods, data are deleted, destroyed or anonymised, except where otherwise required by law.
h. Data subject rights
Pursuant to articles 15-22 GDPR, the data subject has the right to:
- Access (art. 15) — obtain confirmation of processing and related information.
- Rectification (art. 16) — correct inaccurate data and complete incomplete data.
- Erasure / right to be forgotten (art. 17) — request removal of data in the cases provided.
- Restriction of processing (art. 18) — restrict processing in the cases provided.
- Portability (art. 20) — receive data in a structured format and transmit it to another controller.
- Object (art. 21) — object to processing based on legitimate interest or for direct marketing purposes.
- Not to be subject to automated decision-making (art. 22) — obtain human intervention and contest profiling.
- Withdrawal of consent — revocable at any time, without prejudice to processing previously carried out.
- Lodge a complaint with the supervisory authority (art. 77) — Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00187 Roma; tel. (+39) 06 696771; protocollo@gpdp.it; www.garanteprivacy.it.
Rights may be exercised by written request to the contact details indicated under point (a).
i. Nature of the provision and consequences of refusal
The provision of data for the purposes referred to in points c.1, c.2 and c.3 is necessary: any refusal makes it impossible to follow up on requests and fulfil contractual and legal obligations. The provision of data for recruitment purposes (c.4) and direct marketing (c.5) is optional and consent-based; refusal does not affect the provision of other services. For navigation logs (c.6) please refer to the Cookie Policy.
j. Method of processing
Processing is carried out by means of operations of collection, recording, organisation, structuring, storage, adaptation, modification, retrieval, consultation, use, communication, comparison, interconnection, restriction, erasure and destruction. Logical and physical security is ensured by appropriate technical and organisational measures pursuant to art. 32 GDPR.
k. Changes to this notice
This notice may be subject to modifications and updates. Substantial changes will be communicated through the website. We recommend consulting this page regularly.