Last updated: [February 2026]

1. Data Controller

The Data Controller is:

Fiorita di Risaliti Rosita
Address: Via G. Pascoli, 1/3 – 51039 Valenzatico, Quarrata (PT) – Italy
Tax Code: RSLRST70H61G713T
VAT No.: 01193980479
Email: r.rfiorita@gmail.com
PEC: fiorita@gigapec.it
Tel.: +39 333 3622105

2. Types of Data Processed

In relation to the use of the site and contacts, the Controller may process:

a) Data provided voluntarily by the user
Through the contact form or direct communications: first and last name, email, event date, message (and any personal data freely entered in the text).

b) Browsing data
Technical data collected automatically by IT systems (e.g., IP address, user agent, access logs, device and browser information), necessary for the operation and security of the site.

c) Cookies and similar technologies
The site may use technical cookies and, subject to consent, third-party cookies/tools related to embedded content (e.g., maps, videos, fonts). Details are provided in the Cookie Policy and managed through the CookieYes banner.

3. Purposes of Processing and Legal Bases

Personal data are processed for the following purposes:

  1. Management of contact requests and information/quotes
  • Purpose: to respond to inquiries about wedding services, corporate events, Christmas/seasonal arrangements.
  • Legal basis: performance of pre-contractual measures taken at the request of the data subject (Art. 6.1.b GDPR).
  1. Administrative/accounting obligations related to the management of the relationship (if an engagement is initiated)
  • Purpose: contractual management and tax/administrative obligations.
  • Legal basis: legal obligation (Art. 6.1.c) and/or performance of the contract (Art. 6.1.b).
  1. Security, prevention of abuse and site malfunctions
  • Purpose: to ensure the security and integrity of the site, prevent fraud/attacks.
  • Legal basis: legitimate interest of the Controller (Art. 6.1.f).
  1. Management of cookies and third-party content (maps, videos, fonts)
  • Purpose: to improve the experience and enable functionality/embedding.
  • Legal basis: user consent, where required (Art. 6.1.a) and cookie/ePrivacy regulations; for strictly technical cookies, consent is not required.

4. Methods of Processing

Processing is carried out using IT and electronic tools, in compliance with the principles of lawfulness, fairness, transparency, and data minimization. Technical and organizational measures appropriate to data protection are adopted.

5. Recipients and Suppliers (Data Processors)

Data may be processed by external parties providing technical and organizational services, appointed (where applicable) as Data Processors pursuant to Art. 28 GDPR, including:

  • Hosting/infrastructure: Amazon Web Services (AWS) for WordPress site hosting.
  • Email and productivity services: Google Workspace.
  • Cookie consent management: CookieYes (banner/CMP).
  • Embedded content providers (if activated by the user): Google Maps, YouTube, Vimeo.
  • External fonts: Google Fonts (if loaded from CDN).

Data may also be disclosed to authorized parties (collaborators) and to entities/authorities when required by law.

6. Data Transfer Outside the EU

Some suppliers (e.g., Google, AWS, YouTube/Vimeo, CookieYes) may involve data processing outside the European Economic Area or by non-EU companies, according to their infrastructure. In such cases, the transfer takes place in compliance with GDPR through appropriate safeguards (e.g., Adequacy Decisions, SCC – Standard Contractual Clauses and additional measures, where applicable).

7. Retention Periods

  • Requests from the contact form: up to 24 months from receipt, unless further needs arise (e.g., development of negotiations, protection in case of disputes).
  • Contractual/administrative data (if an engagement is initiated): for the period required by civil and tax law (typically 10 years for accounting/tax documentation).
  • Technical security logs: for the time strictly necessary for security and maintenance purposes.

8. Rights of the Data Subject

Users may exercise the rights provided by Arts. 15-22 GDPR: access, rectification, erasure, restriction, portability, objection, as well as withdraw consent (when processing is based on consent) without prejudice to the lawfulness of prior processing.

To exercise these rights, please contact the Controller at the details provided in Section 1.

It is also possible to lodge a complaint with the Italian Data Protection Authority.

9. Minors

The site and services are not intended for individuals under 18 years of age. Should data concerning minors be submitted, the Controller will process them within the limits of the law and may request additional information.

10. Changes to This Privacy Policy

This privacy policy may be updated. Changes will be published on this page with an indication of the update date.