Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller is:
- WebGlobalBuild — a brand of Global Svapo S.r.l.s.
- Registered office: Via Dino Buzzati 3, 91026 Mazara del Vallo (TP), Italy
- VAT / Tax ID: 02717040816 — REA: TP-191921
- Share capital: €500.00 fully paid
- Email: [email protected]
- Certified email (PEC): [email protected]
2. Types of data collected
This website collects personal data in connection with the following features. For each, we indicate the type of data, purpose, legal basis, and retention period.
2.1 Contact form
| Data collected | Name, email, project type, message, phone number (optional) |
| Purpose | Respond to user inquiries and create a support ticket |
| Legal basis | Consent (Art. 6.1.a GDPR) — mandatory checkbox before submission |
| Retention | Data is retained until ticket closure and for a maximum of 24 months after closure, unless legally required otherwise |
| Third parties | Resend (confirmation and notification emails) |
2.2 Cost estimator
| Data collected | Email, project type, complexity, selected features, estimated price range, additional notes |
| Purpose | Generate an indicative estimate and create a quote request ticket |
| Legal basis | Consent (Art. 6.1.a GDPR) — mandatory checkbox before submission |
| Retention | Up to 24 months from ticket creation |
| Third parties | Resend (confirmation email) |
Anonymous configuration data from the estimator (project type, complexity, features, price range) may be saved without identifying information for internal statistical purposes.
2.3 Support ticket system
| Data collected | Name, email, phone, request type, title, description, budget, timeline, technologies, attachments (PDF, JPEG, PNG, WebP — max 5 MB each, max 3 files) |
| Purpose | Manage support and quote requests |
| Legal basis | Performance of pre-contractual measures (Art. 6.1.b GDPR) |
| Retention | Up to 24 months after ticket closure |
| Third parties | Resend (email notifications), Supabase Storage (file storage) |
2.4 AI chat
| Data collected | Name (optional), email (optional), message text, conversation history |
| Purpose | Provide automated assistance via AI chatbot |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) — providing immediate support to visitors |
| Retention | Chat sessions are retained for up to 12 months |
| Third parties | Anthropic (Claude API) — conversation text is transmitted to Anthropic's servers in the United States for response generation. See section 5 for extra-EU transfer safeguards |
2.5 Live chat with human operator
| Data collected | Name (optional), email (optional), message text |
| Purpose | Provide direct assistance through a human operator |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) |
| Retention | Up to 12 months after session closure |
| Third parties | None — operator messages are handled internally |
2.6 Client portal
| Data collected | Email, password (bcrypt hash), project data, invoices, quotes, messages, reviews |
| Purpose | Contract management, project progress monitoring, billing |
| Legal basis | Performance of a contract (Art. 6.1.b GDPR) |
| Retention | For the duration of the contractual relationship and for 10 years thereafter for tax obligations |
| Third parties | Resend (invitation emails, password reset), Anthropic (portal AI chat — see section 5) |
Portal access uses a session cookie (wgb-portal-session) containing a signed JWT with the minimum data necessary for authentication (client ID, email, project ID). The cookie lasts 30 days and is HttpOnly, Secure, and SameSite Strict.
2.7 AI-powered quote generation (admin area)
| Data transmitted | Project description, project type |
| Purpose | Automatically generate quote line items |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) — internal operational efficiency |
| Third parties | Anthropic (Claude API) — description text is transmitted to Anthropic's servers in the USA |
2.8 Rate limiting and security
| Data collected | IP address (SHA-256 hashed with a cryptographic salt before storage) |
| Purpose | Abuse prevention, protection against automated attacks |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) — website security |
| Retention | Rate limit records expire automatically at the end of the configured time window |
2.9 IMAP email client (admin area)
| Data collected | Content of emails sent to [email protected] (sender, subject, body, attachments) |
| Purpose | Managing correspondence with clients and prospects through the admin panel |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) — operational management of communications |
| Retention | Emails are stored on the Aruba IMAP server and accessible only by the administrator through the admin panel |
| Third parties | Aruba S.p.A. (IMAP email hosting) — data is not shared with any other third parties |
2.10 Push notifications (Web Push API)
| Data collected | Push subscription endpoint, browser encryption keys |
| Purpose | Send push notifications to the site administrator for relevant events (new tickets, messages, etc.) |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) — internal operational efficiency |
| Retention | Subscription endpoints are stored in Supabase until revocation or deactivation |
| Third parties | No public user data is involved — push notifications are intended exclusively for the administrator |
2.11 Demo account
The website provides a demo account ([email protected]) with entirely fictitious data to allow evaluation of the client portal features. No real data is associated with this account.
2.12 Google Analytics 4
| Data collected | Anonymous browsing data (pages visited, session duration, scroll depth, UI interactions), IP address (automatically anonymized) |
| Purpose | Statistical analysis of traffic and user behavior on the website |
| Legal basis | Consent (Art. 6.1.a GDPR) — activated only after explicit acceptance via cookie banner |
| Retention | According to Google Analytics retention policies (default 14 months) |
| Third parties | Google LLC (Google Analytics 4) — data is transferred to Google servers in the USA. Google Signals and ad personalization are disabled. See section 5 |
2.13 Vercel Analytics and Speed Insights
| Data collected | Pages visited, referrer, browser, operating system, device type, Core Web Vitals metrics (LCP, FID, CLS, TTFB) |
| Purpose | Website performance monitoring and aggregate traffic analysis |
| Legal basis | Consent (Art. 6.1.a GDPR) — activated only after explicit acceptance via cookie banner |
| Retention | According to Vercel retention policies |
| Third parties | Vercel, Inc. — see section 5 |
2.14 Public reviews
| Data collected | Name, email, company name (optional), review text (max 500 characters), rating (1-5 stars) |
| Purpose | Collect and publish testimonials on the website. Reviews are moderated by the administrator before publication |
| Legal basis | Consent (Art. 6.1.a GDPR) — voluntary form submission |
| Retention | Until the user requests deletion |
| Third parties | None — data is not shared with third parties |
The name and optional company name are published on the website once the review is approved.
2.15 Google Indexing API (admin area)
| Data transmitted | URLs of published, updated, or removed site pages (blog posts, portfolio projects) |
| Purpose | Notify Google for timely content indexing |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) — search engine visibility |
| Third parties | Google LLC (Indexing API) — only public URLs are transmitted, no personal data |
3. Cookies
This website uses technical cookies necessary for its operation and, with user consent, analytics cookies (Google Analytics 4) and performance monitoring tools (Vercel Analytics, Speed Insights). No profiling or advertising cookies are used. For detailed information, please see our Cookie Policy.
4. Third parties
| Service | Data received | Privacy policy |
|---|---|---|
| Resend | Email, name, message content for transactional email delivery | resend.com/legal/privacy-policy |
| Anthropic | Chat conversation text, project descriptions for AI response and quote generation | anthropic.com/privacy |
| Supabase | All stored personal data (database and file storage) | supabase.com/privacy |
| Google LLC | Anonymous browsing data for traffic analysis (Google Analytics 4), public URLs for indexing (Indexing API) | policies.google.com/privacy |
| Vercel | IP address, user agent, HTTP request logs (hosting and CDN), performance metrics and anonymous browsing data (Vercel Analytics and Speed Insights) | vercel.com/legal/privacy-policy |
| Aruba | Inbound and outbound emails (IMAP server for [email protected] mailbox) | aruba.it/informativa-privacy |
5. Extra-EU data transfers
Some personal data is transferred to the following providers in the United States:
- Anthropic, PBC (San Francisco, USA) — receives chat conversation text and project descriptions for response generation via the Claude API. The transfer is based on the Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914). Anthropic does not use data submitted via API to train its models.
- Vercel, Inc. (San Francisco, USA) — website hosting and distribution. The transfer is covered by SCCs and Vercel's Data Processing Agreement.
- Resend, Inc. (USA) — transactional email delivery. The transfer is covered by SCCs.
- Google LLC (Mountain View, USA) — receives anonymous browsing data via Google Analytics 4 and public URLs via the Indexing API. The transfer is based on SCCs and Google's Data Processing Terms.
Data stored in Supabase (database and file storage) is hosted in the EU region (AWS eu-west-1, Ireland). No extra-EU transfer occurs for data stored in the database.
6. Data subject rights
Under Articles 15-22 of the GDPR, users have the right to:
- Access — obtain confirmation of the existence of their personal data and access its content
- Rectification — update or correct inaccurate or incomplete data
- Erasure — request deletion of data, within the limits provided by law
- Restriction — request restriction of processing in certain cases
- Portability — receive their data in a structured, commonly used, and machine-readable format
- Objection — object to processing on legitimate grounds
- Withdrawal of consent — withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
To exercise your rights, please contact:
- Email: [email protected]
- Certified email (PEC): [email protected]
7. Right to lodge a complaint
Users have the right to lodge a complaint with the competent supervisory authority:
- Garante per la protezione dei dati personali (Italian Data Protection Authority)
- Piazza Venezia 11, 00187 Rome, Italy
- Email: [email protected]
- PEC: [email protected]
- Website: www.garanteprivacy.it
8. Changes to this policy
The data controller reserves the right to modify this policy at any time. Changes will be published on this page with an updated date shown at the top. Continued use of the website after the publication of changes constitutes acceptance thereof.