How Ospita collects, uses, stores, and shares personal data — written under the EU General Data Protection Regulation (GDPR) and the Italian Privacy Code.
For the purposes of GDPR and the Italian Privacy Code (D.Lgs. 196/2003 as amended), the Data Controller is:
[LEGAL_NAME] (trading as Ospita)
Sole proprietorship registered in Italy
Partita IVA: [P_IVA]
Registered address: [REGISTERED_ADDRESS]
Email: hello@ospita.co
We have not appointed a Data Protection Officer because we are not legally required to do so. You can reach the person responsible for privacy matters at the email above.
This policy applies to personal data processed through ospita.co and the data we collect when you contact us about working together. Personal data we process on behalf of paying clients (for example, audience data of a client's social account or content provided to us for clipping) is governed by a separate Data Processing Agreement (DPA) included in or annexed to each client's Master Services Agreement.
When you contact us (e.g., via the inquiry email, the booking link, or any form on the site), we collect:
The site currently does not use analytics or tracking cookies. The only data automatically collected is what's strictly necessary for the site to function (e.g., IP-level access logs maintained by our hosting provider for security and abuse prevention) and is not used to build profiles about you.
If we add analytics in the future (e.g., privacy-preserving tools such as Plausible or PostHog), this policy will be updated and — where required — a cookie consent banner will appear before any non-essential tracking is set.
We process personal data only when we have a lawful basis under Article 6 of the GDPR. Specifically:
| Purpose | Legal basis |
|---|---|
| Responding to your inquiry and assessing whether to engage with you | Pre-contractual measures (Art. 6(1)(b)) and our legitimate interest in operating the business (Art. 6(1)(f)) |
| Sending you the proposal, MSA, and onboarding documents if we move forward | Pre-contractual measures (Art. 6(1)(b)) |
| Issuing invoices and collecting payment | Performance of contract (Art. 6(1)(b)) and compliance with Italian tax obligations (Art. 6(1)(c)) |
| Operational communications about ongoing services | Performance of contract (Art. 6(1)(b)) |
| Marketing emails about new services, case studies, or updates | Your consent (Art. 6(1)(a)): opt-in, and you can opt out at any time |
| Defending or pursuing legal claims | Our legitimate interest (Art. 6(1)(f)) |
We do not sell personal data. We share it only with the service providers (Processors) we rely on to run the business. Each Processor has been chosen because they offer adequate technical and organizational safeguards.
| Processor | Purpose | Location |
|---|---|---|
| Google (Google Workspace) | Email and document collaboration | EU / United States |
| Stripe | Payment processing, invoicing, fraud prevention | EU / United States |
| Vercel (or equivalent web host) | Hosting ospita.co | United States / Global CDN |
| Calendly (when activated) | Booking discovery calls | United States |
| Accounting / tax professionals | Italian fiscal compliance | Italy |
We may also disclose data to law-enforcement, regulatory, or judicial authorities when we are legally required to do so.
Some of our Processors are based outside the European Economic Area (EEA), primarily in the United States. When personal data leaves the EEA, we ensure the transfer relies on a valid GDPR transfer mechanism — typically:
| Category | Retention |
|---|---|
| Inquiries that don't become engagements | 24 months from last contact, then deleted |
| Active client communications | Duration of engagement + 24 months |
| Invoices, fiscal documents | 10 years (Italian Civil Code Art. 2220) |
| Marketing-list subscribers | Until you unsubscribe or after 24 months of inactivity |
| Hosting access logs | Up to 30 days, then rotated |
Under the GDPR (Articles 15–22) you have the following rights regarding the personal data we hold about you:
To exercise any of these, email hello@ospita.co. We will respond within 30 days (Art. 12 GDPR).
If you believe we've handled your data unlawfully, you can lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at garanteprivacy.it.
ospita.co currently sets no cookies beyond what is strictly necessary for the site to function. We do not use advertising, marketing, or profiling cookies. If this changes, this section will be updated and a cookie banner will be presented to obtain consent before any non-essential cookie is set.
We apply reasonable, industry-standard security measures including:
No system is impenetrable. If a personal-data breach affects your data and is likely to result in a risk to your rights, we will notify you and the Garante within 72 hours of becoming aware of it, as required by Art. 33–34 GDPR.
Our services are not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, please contact us and we will delete the data promptly.
We may update this policy from time to time to reflect changes to our practices, the services we use, or legal requirements. The current version always lives at ospita.co/privacy. Material changes affecting how we process data will be communicated by email (where we have your email) and announced on the website at least 14 days before they take effect.
Privacy questions, data-subject requests, or anything you're not sure about — email hello@ospita.co with "Privacy" in the subject line.