Privacy Policy and Data Protection Statement
BellosatoTech by Davide Marino
Version 2.0 — Last updated: March 2026
Applicable Regulations:
EU Regulation 2016/679 (GDPR) · Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Italian Privacy Code) · Personal Data Protection Act B.E. 2562 (Thai PDPA)
1. Data Controller
The Data Controller responsible for your personal information is:
BellosatoTech by Davide Marino
Viale Aldo Moro 22
Manduria (TA) 74024 — Italy
Email: info@bellosatotech.com
Website: bellosatotech.com
For any enquiry relating to the protection of personal data, please contact the Data Controller directly at the email address above, with the subject line: "Privacy — [Type of Request]".
Note on the DPO (Data Protection Officer): Based on BellosatoTech's current activities, which do not involve large-scale processing or systematic monitoring of data subjects, the appointment of a DPO is not mandatory under Art. 37 GDPR. Should activities expand in a manner that makes such appointment necessary, the Data Controller will promptly designate a DPO and notify the competent supervisory authority. For Thai clients: the same principle applies under Section 41 of the PDPA B.E. 2562.
2. Scope of Application — Dual Jurisdiction
This Privacy Policy applies to all users and clients of BellosatoTech and complies with the following regulations according to the data subject's country of residence:
| User's Residence | Applicable Regulation | Supervisory Authority |
|---|---|---|
| European Union / Italy | GDPR + Leg. Decree 196/2003 | Italian Data Protection Authority (Garante) |
| Thailand | PDPA B.E. 2562 | Personal Data Protection Committee (PDPC) |
| Both / Other Residence | Both regulations for maximum protection | Both authorities |
Where the two regulations diverge, the applicable regime is specified for each category of user. Where they converge — which is the case in the vast majority of instances, given that the PDPA is modelled on the GDPR — a single unified rule applies.
3. Collection of Personal Data
We adhere to the principle of Data Minimisation (Art. 5(1)(c) GDPR / Section 22 PDPA).
We collect exclusively the information you voluntarily provide to us through our Contact Form. This includes:
- First name and last name
- Email address
- Message content (and any personal data contained therein)
We do not collect:
- Browsing history
- IP addresses for tracking purposes
- Behavioural analytics
- Geolocation data
- Cookies of any kind (see Section 4)
Provision of data is:
- Mandatory for the Name, Email and Message fields — without this information it is not possible to respond to your contact request.
- Optional for consent to marketing communications (separate, non-pre-ticked checkbox).
Consequence of non-provision: If mandatory data is not provided, it will not be possible to process the contact or consultation request.
4. Cookie Policy — Zero-Cookie Website
We do not use cookies of any kind.
This website is designed as a Stateless Static Application. We do not install analytical, tracking, marketing or technical cookies on the user's device. Browsing our website is entirely anonymous.
Direct consequence: No Cookie Consent Banner is required, in full compliance with:
- Italian Data Protection Authority (Garante) provisions on cookies (8 January 2015 and subsequent 2021 guidelines)
- PDPA Section 19 regarding browsing data
- Privacy by Design principle (Art. 25 GDPR)
5. Purposes and Legal Basis for Processing
We process your data on the basis of explicit consent, as required by:
- Art. 6(1)(a) and Art. 7 GDPR
- Section 19 PDPA B.E. 2562
Our contact form requires clear, specific and separate consent for each purpose, through non-pre-ticked checkboxes:
- ☐ Mandatory Consent — Handling of Request
I consent to BellosatoTech processing my contact information (name, email, message) for the purpose of responding to my enquiry and providing preliminary consultation on IT, cybersecurity and digital services.
- ☐ Optional Consent — Marketing Communications (Double Opt-In)
I consent to receiving occasional updates on BellosatoTech services, including: cybersecurity news, IT consultancy offers, relevant regulatory updates (e.g. GDPR, PDPA, NIS2) and technical newsletters.
Double Opt-In Notice: In accordance with the Italian Data Protection Authority ruling of 4 June 2025, which established double opt-in as a "minimum protection measure" for direct marketing, subscription to promotional communications is confirmed via a follow-up email after the initial consent is recorded.
Your consent is:
- Freely given and informed — we clearly explain each purpose
- Granular — separate checkboxes for different purposes
- Unconditional — refusal of optional consent does not affect the service
- Documented — we record the date, time and version of the policy at the time consent is given
- Withdrawable at any time — by writing to info@bellosatotech.com with the subject line "Withdraw Consent"
We do not use pre-ticked boxes. We do not process your data for purposes other than those for which you have expressly given consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal (Art. 7(3) GDPR / Section 19(3) PDPA).
6. Data Retention Periods
We retain your personal data only for as long as strictly necessary for the purposes for which it was collected, in compliance with the following regulations:
| Type of Data | Retention Period | Legal Basis |
|---|---|---|
| Contact requests with no commercial relationship | 1 year from last contact | Data minimisation: GDPR Art. 5(1)(e); PDPA Sec. 22 |
| Data relating to consultancy engagements | 10 years from end of engagement | Art. 2220 Italian Civil Code; Applicable PDPA Sec. |
| Tax documents and invoices | 10 years | Art. 22 D.P.R. 600/1973 (Italy); Sec. 12 Thai Revenue Code |
| Consent records and DSAR logs | 3 years from withdrawal | Art. 7(1) GDPR (burden of proof); Sec. 19 PDPA |
| Marketing opt-in | Until consent is withdrawn | Art. 7(3) GDPR; Section 19(3) PDPA |
Upon expiry of the retention period, data is securely and irreversibly deleted or anonymised, unless legal obligations require longer retention. You may request early deletion subject to our legal retention obligations (see Section 9).
7. Data Sharing and Security
We do not sell, exchange, rent or transfer your personal information to third parties for commercial purposes.
Your data is protected through comprehensive security measures in accordance with Art. 32 GDPR and Section 37 PDPA:
- Technical Measures: HTTPS/TLS encryption for all data in transit, encryption of data at rest in storage systems, access protected by multi-factor authentication, regular security updates.
- Organisational Measures: Data access restricted to the Data Controller only (need-to-know principle), documented confidentiality obligations and internal management procedures.
- Physical Measures: Devices and archives secured in physically protected locations, automatic device lock upon inactivity.
8. Cross-Border Data Transfers
In certain operational circumstances (e.g. hosting services, professional email, cloud tools), personal data may be transferred outside national borders. Such transfers are carried out in compliance with:
For EU/Italian users — GDPR Arts. 44–49:
Transfers to third countries only take place in the presence of at least one of the following conditions:
- An adequacy decision by the European Commission (Art. 45 GDPR)
- Standard Contractual Clauses (SCCs) approved by the Commission (Art. 46(2)(c) GDPR)
- The data subject's explicit consent for the specific transfer (Art. 49(1)(a) GDPR)
For Thai users — PDPA Sections 28–29:
Transfers to foreign countries only take place if:
- The destination country is included in the PDPC list of countries with adequate standards; or
- Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the PDPC are in place (effective 24 March 2024); or
- The data subject's explicit consent for the specific transfer has been obtained
In all cases, we carry out prior due diligence on service providers to ensure they maintain security standards equivalent to those required by both applicable regulations.
9. Your Rights
For EU/Italian users (GDPR Arts. 15–21)
- Access (Art. 15): Copy of personal data
- Rectification (Art. 16): Correction of inaccurate data
- Erasure (Art. 17): "Right to be Forgotten"
- Restriction (Art. 18): Temporary suspension
- Portability (Art. 20): Export in machine-readable format
- Objection (Art. 21): Reject processing based on legitimate interests
- Withdrawal (Art. 7(3)): Withdraw consent at any time
For Thai users (PDPA Sections 30–38)
- Access and copy: Section 30
- Rectification: Section 35
- Erasure: Section 33
- Restriction: Section 34
- Portability: Section 31
- Objection: Section 32
- Withdrawal of consent: Section 19(3)
How to Exercise Your Rights
Please submit a written request to:
Email: info@bellosatotech.com
Subject: "Data Subject Access Request — [Your Name] — [Type of Right]"
We will respond within 30 days of receipt of the request (Art. 12(3) GDPR / Section 39 PDPA). For particularly complex requests, this period may be extended by a further 60 days, with prior written notification and justification.
Limitations:
Certain rights may be limited by legal obligations. For example, we cannot erase tax documents that we are legally required to retain (10 years under Art. 22 D.P.R. 600/1973 for Italian clients / Section 12 of the Thai Revenue Code for Thai clients). In all cases, we will inform you of any limitations applicable to your specific request.
10. Children's Data
Our services are intended exclusively for adults and businesses.
- For EU/Italian users: We do not knowingly collect personal data of individuals under the age of 14 without verifiable parental or legal guardian consent, pursuant to Art. 8 GDPR and Art. 2-quinquies of Legislative Decree 196/2003.
- For Thai users: We do not knowingly collect personal data of individuals under the age of 10 without parental or legal guardian consent, pursuant to Section 20 PDPA B.E. 2562.
If we become aware of any inadvertent collection of data from minors below the thresholds indicated, we will take immediate steps to delete the information and, where necessary, notify the competent supervisory authority.
11. Data Breach Notification
In the event of a personal data breach that may pose a risk to the rights and freedoms of data subjects:
- To Supervisory Authorities:
  - Italian Garante (EU users): notification within 72 hours, pursuant to Art. 33 GDPR.
  - Thai PDPC (Thai users): notification within 72 hours, pursuant to Section 37(4) PDPA.
- To Data Subjects: Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, data subjects will be notified directly and without undue delay (Art. 34 GDPR / Section 37(5) PDPA).
We maintain a documented Data Breach Response Plan, which includes procedures for detection, risk assessment, containment, authority notification and data subject communication.
12. Automated Decision-Making and Artificial Intelligence
We do not use automated decision-making or profiling that produces legal effects or significantly affects natural persons (Art. 22 GDPR / Section 26 PDPA). All decisions relating to your requests are made by qualified human professionals.
Use of AI tools in support of operations: BellosatoTech may use artificial intelligence tools (e.g. AI assistants) as internal support for consultancy activities. In such cases, no personal data of data subjects is shared with such tools without prior anonymisation or explicit consent. This is consistent with the emerging requirements of the EU AI Act (EU Regulation 2024/1689, gradual application from 2025–2026) and the Italian Data Protection Authority's guidelines on AI and data protection.
13. Competent Supervisory Authorities
If you believe that the processing of your personal data does not comply with applicable law and that we have not adequately addressed your concerns, you have the right to lodge a complaint with the competent supervisory authority:
For users in Italy / European Union
Garante per la protezione dei dati personali
Piazza Venezia 11 — 00187 Rome, Italy
Web: www.garanteprivacy.it
Email: garante@gpdp.it
For users in Thailand
Office of the Personal Data Protection Committee (PDPC)
Ministry of Digital Economy and Society
Bangkok, Thailand
Web: www.pdpc.go.th
We nonetheless encourage you to contact us first at info@bellosatotech.com — we are committed to resolving any concern or issue directly and with the utmost care.
14. Response Times
We are committed to responding to all legitimate requests within 30 days of receipt (Art. 12(3) GDPR / Section 39 PDPA). For particularly complex or numerous requests, this period may be extended by a further 60 days, with timely and reasoned notification to the data subject.
15. Changes to This Privacy Policy
This Privacy Policy is reviewed periodically to incorporate regulatory updates, new guidelines or changes in processing activities. Any material changes will be communicated to data subjects who have provided an email address, and will in any case be published on this page with the update date prominently displayed. Continued use of the website following the publication of changes constitutes acceptance of the updated version of this Policy.
16. Governing Law and Jurisdiction
- EU Regulation 2016/679 (GDPR) and Legislative Decree 196/2003 with regard to relationships with European users
- PDPA B.E. 2562 with regard to relationships with users resident in Thailand
Any dispute relating to the application of this Privacy Policy that cannot be resolved amicably shall be subject to the jurisdiction of the Court of Taranto (Italy) for relationships with European users, unless mandatory provisions of law provide otherwise.
This Privacy Policy has been drafted in compliance with EU Regulation 2016/679 (GDPR), Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and the Personal Data Protection Act B.E. 2562 (Thai PDPA), updated to March 2026.
BellosatoTech by Davide Marino — info@bellosatotech.com
