Version 2.2 – Last updated: March 2026
This notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "GDPR") and of Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code), as amended by Legislative Decree no. 101 of 10 August 2018.
1. Data Controller
The Controller of the processing of personal data is:
SecBox IT Consultant, VAT no. 03738170780
Email address: [email protected]
Certified email (PEC): [email protected]
The Controller has not appointed a Data Protection Officer (DPO) as the conditions for mandatory appointment under Art. 37 of the GDPR are not met. For any matter concerning the processing of personal data, the Controller may be contacted at the address indicated above.
2. Data Processed, Purposes, and Legal Bases
2.1 Browsing Data
During the normal browsing of the secbox.it website, the computer systems and software procedures automatically acquire some technical data, the transmission of which is implicit in the use of Internet communication protocols. This category includes IP addresses, domain names of the computers used by users, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server, as well as parameters relating to the user's operating system and IT environment.
Such data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and ensuring its security, as well as to ascertain responsibility in the event of hypothetical computer crimes. Browsing data are not disclosed to third parties, except in fulfillment of legal obligations.
Legal basis: the Controller's legitimate interest pursuant to Art. 6(1)(f) of the GDPR, consisting of the need to ensure the security of the IT infrastructure and to prevent unlawful activities.
Retention period: 12 months from collection, after which the data are automatically deleted, without prejudice to the need for retention for the investigation of crimes or at the request of the Judicial Authority.
2.2 Technical Cookies
The site uses only technical cookies that are strictly necessary for the functioning of the site itself, including session cookies. The storage of the user's preferences expressed in the consent banner is done via the browser's localStorage (key: secbox-cookie-consent), a local storage mechanism equivalent, for the purposes of the Italian Data Protection Authority's (Garante) Guidelines of 10 June 2021, to preference cookies. Such data are not sent to the server and do not constitute tracking. Pursuant to the Italian Data Protection Authority's Provision of 8 May 2014 and the 2021 Guidelines, technical mechanisms for storing cookie preferences do not require the user's consent.
Retention period: for the duration of the browsing session or, for preference cookies, up to 12 months.
2.3 Third-Party Analytics Cookies (Google Analytics 4)
Subject to the user's explicit consent, the site installs third-party analytics cookies provided by Google LLC as part of the Google Analytics 4 service. These cookies allow the Controller to analyze users' browsing behavior in an aggregated and anonymized form in order to improve the quality and usability of the site.
Legal basis: consent of the data subject pursuant to Art. 6(1)(a) of the GDPR. Consent is given freely, specifically, and on an informed basis via the cookie banner displayed on the first visit. Failure to provide consent does not prevent access to the site.
Withdrawal of consent: the data subject may withdraw consent at any time through the cookie preference management panel (available at the bottom of the page) or via the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout. The withdrawal of consent does not affect the lawfulness of the processing carried out previously.
Data transfer: Google LLC, a company based in the United States of America, processes the data as a data processor pursuant to Art. 28 of the GDPR. The transfer is governed by Standard Contractual Clauses adopted by the European Commission by Decision of 4 June 2021 (2021/914/EU). Google LLC has adhered to the EU-US Data Privacy Framework.
Retention period: 14 months from collection, in accordance with the default configuration of Google Analytics 4.
2.4 Electronic Communications (Contact Requests)
If the user sends a request for information, a quote, or any other communication to the address [email protected], the Controller will process the personal data provided (name, surname, company name, email address, telephone number where indicated, and message content) for the sole purpose of responding to the request.
Legal basis: performance of pre-contractual measures taken at the request of the data subject pursuant to Art. 6(1)(b) of the GDPR or, where a pre-contractual context does not apply, consent of the data subject pursuant to Art. 6(1)(a) of the GDPR.
Retention period: 24 months from the last communication, unless a contractual relationship is established, in which case the retention period provided for in point 2.5 applies.
2.5 Data of SecBox Shield Service Customers
Within the scope of the contractual relationship for the provision of the SecBox Shield service, the Controller processes the following personal data of the customer's company representatives: identification data (name, surname, position), contact data (email address, telephone number), and billing data (company name, VAT number, billing address, payment method data where applicable).
The customer's technical infrastructure data (network logs, firewall events, VPN connections) are processed by SecBox as a Data Processor on behalf of the customer (Controller), pursuant to Art. 28 of the GDPR. The methods of such processing are governed by the Data Processing Agreement attached to the service contract.
Legal basis: performance of the service contract pursuant to Art. 6(1)(b) of the GDPR; fulfillment of legal obligations (invoicing, accounting) pursuant to Art. 6(1)(c) of the GDPR.
Retention period: for the entire duration of the contract; tax and accounting documents for 10 years pursuant to Art. 2220 of the Italian Civil Code and current tax provisions; security logs for 24 months in accordance with NIS2 best practices and contractual requirements.
3. Processing Methods and Security Measures
Personal data are processed using automated electronic tools and, limited to accounting and tax documents, also in paper form. Appropriate technical and organizational measures are adopted to ensure a level of security appropriate to the risk, pursuant to Art. 32 of the GDPR, including encryption of data in transit (TLS 1.3 protocol), encryption of data at rest (AES-256 algorithm), role-based access control (RBAC), and the management of immutable logs with WORM technology.
The processing is carried out by specially authorized and trained internal personnel, as well as by any data processors appointed pursuant to Art. 28 of the GDPR.
4. Disclosure of Data to Third Parties
Personal data are not sold or transferred to third parties for commercial or profiling purposes. The data may be disclosed to the following categories of recipients:
| Category of recipient | Legal role | Purpose |
|---|---|---|
| Google LLC (Google Analytics) | Processor pursuant to Art. 28 GDPR | Anonymized statistical analysis (only with consent) |
| Hosting service provider | Processor pursuant to Art. 28 GDPR | Management of the website infrastructure |
| Accounting and tax professionals | Independent Controllers | Accounting, tax, and civil law compliance |
| Judicial and public security authorities | Independent Controllers | Fulfillment of legal obligations |
5. Transfer of Data to Third Countries
Personal data are not transferred to third countries outside the European Economic Area (EEA), with the exception of the processing carried out by Google LLC for Google Analytics, the safeguards for which are described in point 2.3 of this notice.
6. Rights of the Data Subject
Pursuant to Articles 15-22 of the GDPR, the data subject has the right to:
Access (Art. 15): obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the personal data and the information indicated in the regulation.
Rectification (Art. 16): obtain the rectification of inaccurate personal data concerning them and the completion of incomplete data, taking into account the purposes of the processing.
Erasure (Art. 17): obtain the erasure of personal data concerning them in the cases provided for by the regulation (the so-called "right to be forgotten"), without prejudice to legal retention obligations.
Restriction of processing (Art. 18): obtain restriction of processing in the cases provided for by the regulation.
Data portability (Art. 20): receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where the processing is based on consent or on a contract.
Objection (Art. 21): object at any time to the processing of personal data concerning them which is based on the legitimate interest of the Controller, unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
Withdrawal of consent (Art. 7(3)): withdraw the consent given at any time, without affecting the lawfulness of the processing carried out before the withdrawal.
How to exercise your rights: the request must be sent in writing to the address [email protected], with the subject "Exercise of rights – GDPR", attaching a copy of a valid identity document. The Controller will respond within 30 days of receiving the request; this period may be extended by a further 60 days in the event of particular complexity or a high number of requests, subject to prior notice to the data subject.
7. Right to Lodge a Complaint
Without prejudice to the right to seek a judicial remedy pursuant to Art. 79 of the GDPR, a data subject who considers that the processing of their personal data is carried out in breach of the applicable legislation has the right to lodge a complaint with the competent supervisory authority:
Garante per la protezione dei dati personali (Italian Data Protection Authority)
Piazza Venezia, 11 – 00187 Rome (RM), Italy
Telephone: +39 06 69677.1
Email: [email protected]
Official website: https://www.garanteprivacy.it
8. Cookie Policy
Technical cookies (always active, do not require consent)
| Cookie name | Duration | Purpose |
|---|---|---|
| secbox-cookie-consent (localStorage) | 12 months | Stores the preferences expressed by the user in the cookie banner; stored in localStorage, not sent to the server |
| Server session cookie | Session duration | Technical operation of the site |
Third-party analytics cookies (require consent)
| Cookie name | Provider | Duration | Purpose |
|---|---|---|---|
| _ga | Google Analytics 4 | 2 years | Distinguishes between unique users |
| _ga_[ID] | Google Analytics 4 | 2 years | Maintains the session state |
Cookie management
Consent preferences can be changed at any time by accessing the management panel available at the bottom of the site's pages. It is also possible to disable cookies through the settings of the browser in use; completely disabling technical cookies may compromise the proper functioning of some site features.
9. Updates to This Policy
The Controller reserves the right to update this policy, particularly following changes in legislation, case law, or data processing methods. The current version is always published on this page, indicating the date of the last update. In the event of substantial changes affecting customers of the SecBox Shield service, the Controller will provide notification via email.