Privacy policy

Who handles your data

Everything this page is about goes through my hands only. I, Carlo Varenna, run geo-milan.com as a solo editor: no team, no departments, one person opening every incoming message one by one. Before the General Data Protection Regulation (GDPR), I am the data controller for it. If you have a question, or want to exercise a right of yours, the address is hello@geo-milan.com.

What is collected

Only one track reaches me, the form. It asks for three exact things and nothing else —

• Your name, so that the reply can address you the right way.
• Your email, so the reply knows where to return.
• A free-text message, where you describe the case — the AI answer that weighs on you, the prompt that drew it out, the firm or listing it concerns, the two-language page where the Italian and the English don't say the same thing.

That's all. No account to set up, no login, no payment data typed in here, no profile built up quietly. The message comes into an inbox and stays a message there. To keep automated submissions away, I save the moment of sending together with a salted SHA-256 hash of the IP address it leaves from; the plain IP, any browser fingerprint and device traits I never keep.

What is not collected

It also matters to say what this site refuses to do on purpose:

• Zero tracking cookies, of any kind. Visits I count with self-hosted, cookieless, privacy-respecting analytics, served by a first-party proxy on this same domain; nothing migrates from one site to another and no visitor is recognised one by one.
• No advertising pixels, no remarketing labels, no marketing-automation trackers.
• No automated profiling and no automated decision that produces a legal effect on you.
• No sale, no rental, no sharing of personal data: there is no commercial machine here to feed them to.

Why the law allows it

The moment you send the form, handling your name, email and message rests on Article 6(1)(b) GDPR — steps taken at your request before any agreement. The IP hash, which protects the form from abuse, rests instead on the legitimate interest of Article 6(1)(f). Should a paid piece of work ever produce data on the status of a payment, the contractual basis would cover it.

How long it is kept

• Form messages and the email thread they grow into: kept while the work is open, then for a further 24 months so the exchange stays on record, and deleted afterwards. A message that leads nowhere is kept 12 months and then gone.
• IP hashes: kept 90 days, the span that's useful for reading a pattern of abuse, then deleted.
• Any payment receipts: where a paid piece of work generates them, I keep them only for the period tax and accounting demand, then delete them.

Your rights

Over the data you entrust to me, the GDPR gives you the right of access, rectification, erasure, portability, restriction and objection. A single email to hello@geo-milan.com is enough to set any one of them in motion, and you'll have a reply within a month. If you believe your data has been handled badly, you may also turn to the data-protection supervisory authority of the country where you live.

Where the data is hosted

The servers that carry geo-milan.com stand in European Union (Germany). In the rare case where a further processor (email provider) worked from outside the European Union, that transfer leans on standard contractual clauses and on the additional safeguards that party publishes.

Changes to this policy

If the way I handle data changes into something that has weight, I rewrite this page to say so, and the "Updated" date at the top moves with it. A change that truly counts stays flagged on the home page for 30 days, so anyone passing back through the site won't risk missing it.