How this site collects and processes personal data.

1. Data Controller

The data controller responsible for processing personal data through this website is:

This is a professional portfolio website soliciting executive mandates. Given the limited scale and nature of processing, a Data Protection Officer (DPO) has not been appointed as Article 37 GDPR does not require one for this type of processing activity.

2. Personal data collected

Personal data is only collected when you voluntarily submit the contact form on the Contact page. The following fields are requested:

• Name — your full name
• Email address — for correspondence
• Company / role — optional context
• Engagement type — selected from predefined options
• Message — the content of your enquiry

The principle of data minimisation (Art. 5(1)(c) GDPR and Art. 3 D.Lgs. 196/2003) is applied: only the fields necessary to respond to a professional enquiry are collected.

3. Purpose and legal basis

Personal data submitted through the contact form is processed exclusively for the purpose of responding to professional enquiries regarding executive mandates, interim roles, advisory engagements, and related professional opportunities.

Legal basis: Processing is based on legitimate interest under Article 6(1)(f) GDPR. The controller has a legitimate interest in responding to professional enquiries from individuals who have voluntarily made contact regarding potential executive mandates. The data subject's interests and fundamental rights do not override this interest given the nature of the communication (professional, user-initiated, and limited in scope).

Should the controller engage in future direct marketing unrelated to a specific enquiry, consent will be obtained under Article 6(1)(a) GDPR. Currently no such marketing activities are conducted.

4. Cookies and analytics

No cookies are set by this website. There is no cookie banner because there are no cookies to consent to. This site does not use tracking cookies, advertising cookies, or any cookie-based profiling mechanism.

This site uses Vercel Analytics, a privacy-focused, cookieless analytics service provided by Vercel Inc. (hosting provider). Vercel Analytics collects anonymised, aggregate metrics (page views, referrer) without cookies, without fingerprinting, and without storing personally identifiable information. No individual visitor profile is built.

5. Third-party data processors

Two third-party service providers act as data processors under Article 28 GDPR:

No other third parties receive personal data from this website. Personal data is never sold, rented, or shared with data brokers.

6. International data transfers

Personal data is not transferred outside the European Economic Area, except in the following two cases:

• Vercel Inc. (United States) — hosting and analytics. Vercel is EU-US DPF certified, satisfying the Article 45 GDPR adequacy requirement for transfers to the US.
• Web3Forms — form delivery. Data is transmitted to Web3Forms' servers for the sole purpose of delivering the contact form submission to the controller's email inbox.

Contact form data, once received by the controller, is stored exclusively on email infrastructure within the European Economic Area.

7. Data retention

Personal data from contact form submissions is retained for a period of 12 months from the date of the last correspondence. After this period, the data is deleted unless a legitimate business relationship has been established or a longer retention period is required by applicable law (e.g., Italian civil and tax obligations under Art. 2220 of the Italian Civil Code).

This retention period reflects the nature of executive recruitment cycles, which may span several months from initial contact to final engagement.

8. Data security

Appropriate technical and organisational measures are in place to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (Art. 32 GDPR; Art. 31 D.Lgs. 196/2003). These include:

• All connections to this site are encrypted via HTTPS (TLS).
• Contact form submissions are transmitted via encrypted channels (HTTPS to Web3Forms API).
• Access to submitted data is limited to the data controller personally.
• Email correspondence is handled through a provider with encryption at rest and in transit.

9. Automated decision-making and profiling

No automated decision-making, including profiling, is carried out on personal data collected through this website (Art. 22 GDPR; Art. 2-decies D.Lgs. 196/2003). Every enquiry is reviewed personally by the data controller.

10. Your data protection rights

Under the General Data Protection Regulation (EU 2016/679) and the Italian Personal Data Protection Code (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018), you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR; Art. 2-terdecies D.Lgs. 196/2003) — obtain confirmation as to whether your personal data is being processed and access to that data.
• Right to rectification (Art. 16 GDPR) — request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17 GDPR) — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR) — request that processing be restricted under certain circumstances.
• Right to data portability (Art. 20 GDPR) — receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR; Art. 2-terdecies D.Lgs. 196/2003) — object to processing based on legitimate interest, including any direct marketing.
• Right not to be subject to automated decision-making (Art. 22 GDPR) — as confirmed in Section 9, no such processing takes place.

To exercise any of these rights, contact the data controller at mirko@grewing.work. The controller will respond within one month of receiving the request (extendable by two further months for complex or numerous requests, in which case you will be informed of the extension within one month of the original request — Art. 12(3) GDPR).

11. Right to lodge a complaint

If you believe that the processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.

In Italy, the supervisory authority is:

You may also lodge a complaint with the supervisory authority in your EU member state of residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

12. Technical notes

This website was built and is maintained with AI assistance (Claude Code by Anthropic). No personal data is exposed to AI systems in the course of maintaining this site. The privacy policy and all site content are reviewed and approved by the data controller.

This privacy policy may be updated to reflect changes in data processing practices or regulatory requirements. The current version was published on 29 May 2026.