Privacy Policy

Last updated: 28 May 2026

1. Data controller

The velobox.it website is operated by Simone Schilirò (the "Controller"), as part of the VELOBOX project (subject to an Italian industrial property application).
Contact email: info@velobox.it

2. Types of data collected

The personal data collected, autonomously or through third parties, may be:

• Navigation data: IP address (anonymised), browser type, operating system, pages visited, date and time of access, referring site. Collected automatically by the IT systems and software procedures responsible for the operation of the website.
• Data provided voluntarily: first name, last name, email address, phone number, company name (for dealers), message. Collected when the user fills in one of the contact, dealer or waiting-list forms.
• Cookies and similar identifiers: details in the Cookie Policy.

3. Purposes of processing

• Provide the requested services (response to contact requests, dealer information, waiting-list registration).
• Statistical analysis of traffic (in aggregate and anonymous form, subject to consent).
• Protection of the website from abuse and bots (e.g. Cloudflare Turnstile on the forms).
• Legal obligations.

4. Legal basis

The legal bases for processing are:

• Art. 6(1)(a) GDPR — Consent: for analytics and marketing cookies, where required.
• Art. 6(1)(b) GDPR — Performance of pre-contractual measures: for the processing of data provided through the forms, in order to respond to requests.
• Art. 6(1)(f) GDPR — Legitimate interest: for the security of the website (anti-bot Turnstile) and for aggregate operational analysis.

5. Methods of processing and retention

Data is processed using electronic tools, adopting the appropriate security measures provided for by the GDPR. Retention follows these criteria:

• Contact form emails: 24 months from the last interaction, unless further requests are made.
• Waiting-list data: until product launch + 12 months, unless deletion is requested.
• Google Analytics data: 14 months (the maximum setting of the free GA4 platform).
• Cloudflare/Vercel security logs: according to the provider's retention policy (typically 30-90 days).

6. Data recipients (processors and sub-processors)

Data may be processed by the following parties acting as processors:

• Vercel Inc. (website hosting) — privacy policy: vercel.com/legal/privacy-policy
• Cloudflare Inc. (CDN, DNS, Turnstile bot protection) — privacy policy: cloudflare.com/privacypolicy
• Google LLC (Google Analytics 4) — privacy policy: policies.google.com/privacy
• Resend Inc. (sending emails from the forms) — privacy policy: resend.com/legal/privacy-policy
• Microsoft Corporation (shared mailbox info@velobox.it via M365) — privacy policy: privacy.microsoft.com

7. Transfers outside the EU

Some of the processors listed above (Google, Cloudflare, Vercel, Resend, Microsoft) are based in the United States. Transfers are governed by the Standard Contractual Clauses approved by the European Commission and by the EU-US Data Privacy Framework for certified parties.

8. Rights of the data subject

You have the right at any time to:

• Access your data (Art. 15 GDPR)
• Request its rectification (Art. 16) or erasure (Art. 17)
• Restrict its processing (Art. 18)
• Object to the processing (Art. 21)
• Request its portability (Art. 20)
• Withdraw consent at any time (Art. 7) — this does not affect the lawfulness of prior processing
• Lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)

To exercise your rights, write to info@velobox.it. Response guaranteed within 30 days.

9. Cookies

For details on the cookies and similar technologies used by the website, see our Cookie Policy. You can manage your preferences at any time from the cookie banner.

10. Changes

This Privacy Policy may be updated. The date of the last update is shown at the top of the page. Significant changes will be communicated to registered users by email.