Privacy Policy
Last updated: 13 June 2026
1. Data Controller
Garnebo, Via Respighi 16, 40033 Casalecchio di Reno (BO), Italy — P.IVA IT04239601208
Contact: info@garnebo.com
2. What data we collect and why
| Activity | Data collected | Legal basis | Retention |
|---|---|---|---|
| Quote request form | Full name, phone, email, property address, estimated area (m²), description of works, preferred contact method, preferred language | Art. 6(1)(b) GDPR — pre-contractual measures | Email inbox up to 24 months. CloudWatch logs auto-deleted after 30 days. |
| Analytics (GA4) | Anonymised usage data (pages visited, session duration, referral source). IP addresses anonymised before storage. | Art. 6(1)(a) GDPR — consent via cookie banner | 14 months (Google). Processing only after cookie consent. |
| WhatsApp / email contact | Name, phone or email, message content | Art. 6(1)(b) GDPR — pre-contractual measures | Duration of business relationship, deleted on request. |
We do not use your data for automated profiling, direct marketing, or sale to third parties.
3. Sub-processors
| Processor | Service | Location | DPA |
|---|---|---|---|
| Amazon Web Services EMEA SARL | API Gateway, Lambda compute, SES email delivery, CloudWatch logging | eu-central-1 (Frankfurt, Germany — EU) | aws.amazon.com/agreement |
| Google LLC | Google Analytics 4 (anonymised analytics) | USA (Standard Contractual Clauses apply) | business.safety.google/adsprocessorterms |
All processors are contractually bound to process your data only on our instructions and in compliance with GDPR.
4. Property & site data
During site surveys and work execution we collect technical property data needed for quoting and job delivery. Site photos are used for internal documentation, quality control, and — only with written consent — for our commercial portfolio.
| Activity | Data collected | Legal basis | Retention |
|---|---|---|---|
| Site surveys & quoting | Property address, site photos (before, during, after), floor plans, measurements, video walkthrough recordings | Art. 6(1)(b) GDPR — contract execution. Video recordings: Art. 6(1)(a) — explicit consent. | Photos and technical docs: 5 years. Video recordings: duration of project + 1 year. |
| Work execution | Condominium access details, existing plant documentation (DiCo, electrical diagrams), scope documentation | Art. 6(1)(b) GDPR — contract execution | 10 years (aligned with contract retention) |
| Client identity & invoicing | Name, surname, Codice Fiscale, bank account (IBAN), payment records | Art. 6(1)(b) — contract execution. Art. 6(1)(c) — legal obligation (tax law). | 10 years (Art. 2220 Codice Civile + tax law) |
We do not collect special categories of data (health, biometrics, political opinions — Art. 9 GDPR), data on minors, or data for automated profiling or marketing without separate consent.
5. Site photos & portfolio use
Site photos serve dual purposes. Operational use (documentation, quality control, before/after comparison) is necessary for contract execution and does not require consent. Commercial use (portfolio on website, social media, printed materials) requires separate written consent via a photo release clause integrated into the B2C contract.
Portfolio photos are anonymised before publication — faces, visible addresses, family photographs, and any personally identifiable elements are removed. Without explicit consent, photos are used exclusively for operational purposes and deleted at the end of the retention period.
6. Subcontractor data sharing
Licensed subcontractors receive only the information necessary to execute their scope — property address, site access details, relevant floor plans, and existing plant documentation. They do not receive client financial data, personal contact details (beyond what is needed for site access), or full contract terms. Each subcontractor is an independent data controller for the data they receive.
7. Additional recipients
| Recipient | Data shared | Purpose | Legal basis |
|---|---|---|---|
| Licensed subcontractors | Property address, site access details, floor plans, existing plant documentation | Job execution, DiCo issuance | Art. 6(1)(b) — contract execution |
| Commercialista | Client name, invoices, payment records | Accounting, tax filing | Art. 6(1)(c) — legal obligation |
| Consulente del lavoro | Client name, contract value | Invoicing, tax declarations | Art. 6(1)(b) + Art. 6(1)(c) |
| Cloud storage (Google Drive) | All operational data categories | Operational file storage | Art. 6(1)(b) + legitimate interest (Art. 6(1)(f)) |
B2C client data is not transferred outside the European Union. Where cloud tools with non-EU data residency are used (e.g. Airtable, WhatsApp), mitigation measures apply: only non-sensitive operational data in Airtable; sensitive documents transferred via email or EU-based cloud storage. WhatsApp is used only for client-initiated communication.
8. Operational data retention
| Data category | Retention period | Legal basis |
|---|---|---|
| Contracts, invoices, payment records | 10 years | Art. 2220 Codice Civile + tax law |
| Site photos (operational) | 5 years | Construction warranty period (Art. 1669 c.c.) |
| Site photos (portfolio, with consent) | Until consent withdrawn | GDPR Art. 17 — right to erasure |
| Floor plans / technical documents | 10 years | Aligned with contract retention |
| Client contact details | 5 years after last contract | Warranty + legitimate interest in follow-up |
| WhatsApp messages | Duration of project + 1 year | Operational reference; deleted after |
| Subcontractor DURC / Patente copies | 5 years | Joint liability exposure period (Art. 29 D.Lgs. 276/2003) |
9. Data breach protocol
In the event of a personal data breach (unauthorised access, loss, destruction):
- Contain: immediately secure affected systems; revoke compromised access.
- Assess risk: determine whether the breach is likely to result in a risk to client rights and freedoms.
- Notify Garante Privacy: within 72 hours of becoming aware, if risk exists (GDPR Art. 33) — via the Garante Privacy online portal.
- Notify affected clients: without undue delay, if high risk (GDPR Art. 34) — direct communication explaining the nature of the breach, likely consequences, and mitigation measures.
- Document internally: record breach details, effects, and remedial actions (GDPR Art. 33(5)).
10. Your rights (Art. 15–22 GDPR)
Under GDPR Articles 15–22 you have the right to: access your data, rectify it, have it erased, restrict processing, receive it in a portable format, object to processing, and withdraw consent for analytics cookies via the cookie banner at any time without affecting prior processing.
To exercise any right, email info@garnebo.com. We will respond within 30 days.
11. Supervisory authority
You have the right to lodge a complaint with the Italian supervisory authority:
Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma — www.garanteprivacy.it
12. Changes to this policy
We may update this policy when our services or legal obligations change. Material changes will be communicated via a notice on the website. The "Last updated" date at the top reflects the current version.
