evoseed
ITEN

Privacy Policy

Last updated: 16 May 2026

This Privacy Policy describes how personal data of users visiting evoseed.io and its related subdomains (the "Site") is processed, pursuant to Regulation (EU) 2016/679 ("GDPR") and the Italian Legislative Decree 196/2003 as amended ("Italian Privacy Code").

1. Data Controller

The data controller is evoseed S.r.l., an Italian innovative startup, registered office at Via Lucrezio 13 — 34134 Trieste (TS), Italy, VAT/Tax ID 01361650326, REA TS-208336, certified email evoseed@pec.it, contact email info@evoseed.io.

The controller is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For any privacy-related request, you may contact the controller at the addresses above.

2. Categories of data processed

The Site processes only data voluntarily provided by the user or generated automatically by navigation:

  • Contact data — name, surname, company name, email, phone number, role, subject and content of the message. Collected via the "Contacts" and "Vibe Lab" forms.
  • Newsletter subscription data — email address, collected via the subscription form.
  • Anonymous navigation data — pages visited, country, browser and device type, collected in aggregate, anonymous form via self-hosted Umami Analytics on evoseed's own infrastructure (no cookies, no full IP addresses stored, no extra-EU transfers).
  • Technical security logs — IP address, user agent and request timestamps, processed solely for security and abuse prevention purposes and retained for no more than 30 days.

No special categories of data (Article 9 GDPR) and no data of minors are processed.

3. Purposes of processing

Data is processed to:

  • reply to requests sent via the Site's forms;
  • manage the pre-contractual and commercial relationships arising from such requests;
  • send service communications or, with explicit consent, the newsletter with updates on products and content;
  • produce aggregate, anonymous usage statistics for optimisation purposes;
  • ensure Site security, prevent fraud and comply with legal obligations.

4. Legal basis

Processing is based on:

  • Data subject's consent (Art. 6(1)(a) GDPR) — for newsletter and commercial communications.
  • Pre-contractual measures (Art. 6(1)(b) GDPR) — to act upon requests sent through the contact and Vibe Lab forms.
  • Legitimate interest of the controller (Art. 6(1)(f) GDPR) — for aggregate analytics (self-hosted Umami, recital 47 GDPR) and Site security.
  • Legal obligation (Art. 6(1)(c) GDPR) — for retention of accounting and tax records, where applicable.

5. Processing methods

Processing is carried out by means of IT systems, with access restricted to authorised personnel of the controller and of its technical providers. Data is transmitted over encrypted connections (HTTPS/TLS). Appropriate technical and organisational measures are adopted to ensure a security level proportionate to the risk (Art. 32 GDPR), including access control, activity logging and backups.

6. Retention period

  • Contact and Vibe Lab form data — kept in the internal database for up to 24 months from collection; in the CRM system (Pipedrive) for the duration of the commercial relationship or until the data subject requests deletion.
  • Newsletter — until consent is withdrawn or the user unsubscribes.
  • Technical security logs — no more than 30 days from creation.
  • Anonymous analytics — kept in aggregate form, with no personal identifiers.

After these periods, data is irreversibly deleted or anonymised, subject to legal obligations or the need to establish or defend a legal claim.

7. Disclosure and external Processors

Personal data is not disclosed to undefined recipients. It may be shared, within the limits of the purposes above, with the following entities, appointed as data Processors under Article 28 GDPR:

  • Amazon Web Services EMEA SARL (Amazon SES, eu-central-1 region, Frankfurt, Germany) — transactional email delivery.
  • Pipedrive OÜ (Tallinn, Estonia) — CRM for commercial contacts.
  • Hetzner Online GmbH (Gunzenhausen, Germany) — infrastructure hosting.
  • Cloudflare, Inc. — CDN, DNS and attack mitigation services.
  • Consultants, professionals or companies providing outsourced services to the controller (tax, legal, IT advisors), strictly within the purpose for which they are involved.

The up-to-date list of Processors is available upon request to info@evoseed.io.

8. Data transfers outside the EU

Some providers (Amazon Web Services, Cloudflare) are based in the United States. Such transfers comply with Articles 44 et seq. GDPR, on the basis of:

  • the EU-US Data Privacy Framework adequacy decision (Decision (EU) 2023/1795 of 10 July 2023), where the provider has joined the framework;
  • Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914);
  • supplementary measures where applicable (encryption in transit and at rest).

9. Data subject rights

Under Articles 15-22 GDPR, the data subject has the right to:

  • access their personal data and obtain a copy;
  • request rectification, update or supplementation;
  • obtain erasure (right to be forgotten), in the cases provided by law;
  • restrict processing or object to processing based on legitimate interest;
  • receive their data in a structured format and port it to another controller;
  • withdraw consent at any time, without affecting the lawfulness of processing based on consent given before withdrawal;
  • lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or the competent supervisory authority in the EU member state of habitual residence.

Requests should be sent to info@evoseed.io. The controller will respond within 30 days, extendable by a further 60 days in complex cases (Art. 12(3) GDPR).

10. Automated decision-making

The controller does not carry out automated decision-making, including profiling, that produces legal effects or similarly significantly affects the data subject (Art. 22 GDPR).

11. Cookies

The Site uses only technical cookies necessary for its operation and anonymous analytics tools (self-hosted Umami). No profiling cookies and no third-party marketing cookies are used. For more details please refer to the Cookie Policy.

12. Changes to the Privacy Policy

This Privacy Policy may be updated as a result of regulatory, organisational or technical changes. Previous versions are kept by the controller. Users are invited to consult this page periodically; material changes will be communicated on the Site.