IT

Privacy Policy

Last updated: May 2026

This notice is provided pursuant to Article 13 of Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended ("Italian Privacy Code"), to describe how personal data of users visiting beatricerandazzomakeup.com is processed.

1. Data Controller

Beatrice Randazzo — Make-Up Artist (freelance professional)
Based in: Varese (VA), Italy
Email: beatricerandazzo.mua@gmail.com

No Data Protection Officer (DPO) has been appointed, as the conditions of Art. 37 GDPR do not apply.

2. Types of Data Collected

2.1 Data voluntarily provided by the user (contact form)

When you fill in the contact form, the following data is processed: name, email address, subject and message content. Submission is voluntary; failure to provide such data prevents us from responding to your request.

2.2 Browsing data automatically collected (server logs)

The IT systems and software procedures used to operate the site collect, in the normal course of operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. The web server (Nginx) records the following in its log files for IT security and diagnostic purposes:

  • IP address of the user's device
  • Browser type and operating system (User-Agent)
  • Date and time of the request
  • Requested URL and HTTP response status code
  • Referrer URL, if present

This data is not cross-referenced with other information and is used solely to ensure service security, prevent abuse and diagnose technical issues. Logs are retained for a maximum of 12 months, except where required for the investigation of offences pursuant to Art. 132 of the Italian Privacy Code. No cookies are installed at this stage.

2.3 Data collected via analytical cookies (consent-based only)

Only after the user has given explicit consent via the cookie banner does the site activate Google Analytics 4 (Enhanced Measurement). The data collected is described in detail in the Cookie Policy and includes: analytical cookie identifier, pages visited, visit duration, traffic source, approximate geographic location, device type, browser language and site interactions (scrolls, outbound link clicks, downloads, internal searches, form interactions).

3. Purposes and Legal Bases of Processing

PurposeLegal basis (GDPR)Retention
Replying to enquiries received via the contact form Art. 6.1.b — performance of pre-contractual measures at the request of the data subject Time required to handle the enquiry plus up to 24 months in the Controller's email archive
IT security, prevention of abuse and technical diagnostics (server logs) Art. 6.1.f — legitimate interest in keeping the site secure and operational (GDPR Recital 49) Maximum 12 months
Aggregate statistical measurement of site usage via Google Analytics 4 Art. 6.1.a — explicit consent of the data subject (revocable at any time) 2 months (GA4 user/event-level setting); aggregate data retained indefinitely
Compliance with legal obligations Art. 6.1.c — legal obligation As required by law

4. Methods of Processing

Data is processed using electronic tools, adopting appropriate technical and organisational measures pursuant to Art. 32 GDPR, including: encrypted HTTPS (TLS) connection, HTTP security headers, input sanitisation, anti-spam honeypot protection, restricted credential-protected system access. Processing is carried out exclusively by the Controller; no automated decision-making or profiling pursuant to Art. 22 GDPR takes place.

5. Parties Processing Data on Behalf of the Controller (Processors per Art. 28 GDPR)

To deliver the service, certain data may be processed by external suppliers acting as Processors or independent controllers, each with their own privacy notice:

  • OVH SAS (or other hosting provider as listed in DNS records) — server hosting and log file storage
  • Google LLC / Google Ireland Ltd. — Gmail service (for receiving messages sent through the contact form) and Google Analytics 4 (consent-based only)
  • UEBB — site development and technical maintenance

An up-to-date list of suppliers and their purposes is available on written request to the Controller.

6. Transfer of Data Outside the EU

Some services used (Google Analytics 4, Gmail) may involve the transfer of personal data to servers located in the United States. Such transfers take place in compliance with the EU-US Data Privacy Framework (European Commission Adequacy Decision of 10 July 2023), to which Google LLC adheres. As a fallback, Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46 GDPR are in place.

7. Data Subject Rights (Arts. 15-22 GDPR)

You may exercise the following rights at any time by writing to beatricerandazzo.mua@gmail.com:

  • Access (Art. 15) — obtain confirmation of processing and a copy of the data
  • Rectification (Art. 16) — correct inaccurate or incomplete data
  • Erasure (Art. 17, "right to be forgotten") — request the removal of data
  • Restriction (Art. 18) — restrict processing in specific cases
  • Portability (Art. 20) — receive data in a structured, machine-readable format
  • Object (Art. 21) — object to processing based on legitimate interest
  • Withdraw consent (Art. 7.3) — withdraw at any time, without affecting the lawfulness of processing carried out on the basis of consent before withdrawal

You also have the right to lodge a complaint with the competent supervisory authority: in Italy this is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it), Piazza Venezia 11, 00187 Rome. Exercising your rights is free of charge; the Controller will respond within 30 days.

8. Records of Processing Activities

The Controller maintains the Records of Processing Activities pursuant to Art. 30 GDPR, documenting purposes, categories of data and data subjects, recipients, retention periods and security measures adopted. The Records are made available to the Supervisory Authority on request.

9. Cookies

For detailed information about the cookies used and how to manage your consent, please consult the Cookie Policy.

10. Changes to this Privacy Policy

The Controller reserves the right to update this notice to reflect regulatory or operational changes. The current version is always available on this page with the last-updated date shown at the top. Users are encouraged to review it periodically.