Privacy policy.

 

Privacy Policy

Last updated: 19/6/2026

This privacy policy describes how the personal data of users who visit the isaros.art website and who get in touch through the contact form on the site is processed, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and applicable Italian law.

1. Data controller

The data controller is Isabella Rosa, VAT number 04370241202, based in Bologna, Italy.

For any request concerning the processing of personal data and for the exercise of the rights provided by the GDPR, you may write to atelier@isaros.art.

2. Categories of data processed

The site processes the following categories of data.

Data provided voluntarily by the user. When the user fills in the contact form, the name, the email address and the content of the message are collected, together with any further personal data the user freely chooses to include in the text.

Navigation data. The IT systems and software procedures responsible for the operation of the site acquire, in the course of their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols, such as IP addresses, browser and device type, and access times. This data is used solely to obtain anonymous statistical information on the use of the site and to monitor its correct functioning and security.

Cookies and similar technologies. The site uses technical cookies and, subject to consent, any analytics cookies. Full information is provided in the Cookie Policy, available on a dedicated page of the site.

3. Purposes and legal bases of processing

Personal data is processed for the following purposes.

To respond to requests sent through the contact form and to manage the resulting communication. The legal basis is the controller’s legitimate interest in responding to the requests received, pursuant to Article 6(1)(f) of the GDPR, and, where the request concerns the creation of a work or a purchase, the performance of pre-contractual measures taken at the request of the data subject, pursuant to Article 6(1)(b).

To ensure the correct functioning, security and maintenance of the site. The legal basis is the controller’s legitimate interest, pursuant to Article 6(1)(f).

To comply with legal obligations, for example in tax and accounting matters where a commercial relationship is established. The legal basis is compliance with a legal obligation, pursuant to Article 6(1)(c).

4. Nature of the provision of data

The provision of the data requested by the contact form, name and email address, is necessary in order to respond to the request. Failure to provide this data makes it impossible to reply. The provision of any further data included in the text of the message is optional.

5. Methods of processing

Data is processed by electronic means, with technical and organisational measures adequate to ensure its security, confidentiality and integrity, and to prevent unauthorised access, loss or misuse. The data is not subject to dissemination.

6. Recipients and data processors

In order to provide its services, the controller relies on third-party suppliers that act as data processors pursuant to Article 28 of the GDPR.

Squarespace, as the provider of the platform on which the site is built and hosted and through which the messages sent via the contact form pass. Squarespace Inc. is a company based in the United States.

Zoho (Zoho Corporation), as the provider of the email service through which the controller receives and manages the messages sent via the contact form. The mailbox is hosted on Zoho's European data centre (EU data residency). Zoho is a globally operating company; its parent entity is based outside the EU. 

Data may also be disclosed to parties whose right of access is provided for by law, such as judicial or supervisory authorities.

7. Transfer of data outside the EU

Some of the suppliers indicated are based outside the European Union, in particular in the United States. In such cases the transfer takes place in compliance with the safeguards provided for in Chapter V of the GDPR, such as the adequacy decisions of the European Commission, including the Data Privacy Framework, or the standard contractual clauses adopted by the European Commission. The user may request further information on the safeguards applied by writing to the controller.

8. Retention period

Data collected through the contact form is retained for the time necessary to handle the request and, thereafter, for a maximum period of 24 months, unless retention for a longer period is necessary to comply with legal obligations or to manage an ongoing contractual relationship. Navigation data is retained for the time strictly necessary for the purposes indicated.

9. Rights of the data subject

The data subject has the right to exercise, in the cases and within the limits provided for by Articles 15 to 22 of the GDPR, the following rights:

  • the right of access to their personal data;

  • the right to rectification of inaccurate or incomplete data;

  • the right to erasure of the data;

  • the right to restriction of processing;

  • the right to data portability;

  • the right to object to processing based on legitimate interest;

  • the right to withdraw consent, where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.

To exercise these rights, the data subject may write to atelier@isaros.art.

The data subject also has the right to lodge a complaint with the competent supervisory authority, the Italian Data Protection Authority (Garante per la protezione dei dati personali), if they consider that the processing of their data infringes current legislation.

10. Automated decision-making

The controller does not carry out automated decision-making, including profiling, that produces legal effects on the data subject or similarly significantly affects them.

11. Changes to this privacy policy

The controller reserves the right to update this privacy policy in order to align it with regulatory or organisational changes. The updated version will be published on this page with an indication of the date of last update.

Purpose. The email address provided to subscribe to the newsletter is processed in order to send periodic communications relating to the activity of the atelier, new works and initiatives.

Legal basis. Processing is based on the consent of the data subject, pursuant to Article 6(1)(a) of the GDPR. Consent is optional, is collected separately and specifically, and may be withdrawn at any time.

How to withdraw. The data subject may unsubscribe at any time through the unsubscribe link at the bottom of every message, or by writing to the controller. Withdrawal of consent does not affect the lawfulness of communications sent previously.

Data processor. The newsletter subscription addresses are collected and stored through the Squarespace platform, which acts as data processor. Squarespace Inc. is based in the United States. The related transfer of data outside the EU takes place under the safeguards described in section 7 of this policy (Data Privacy Framework and standard contractual clauses). 

Retention. The address is retained until consent is withdrawn or the subscription is cancelled.