Overview
This page explains how Guido Pettinari handles personal data in connection with consulting, software development, technical implementation, and related professional services.
It supplements the website privacy notice at aiconsultant.it/privacy, which covers browsing of the website and any website-specific forms or tools.
This document is intentionally concise and proportionate to the operating model of a sole proprietor consultancy.
1. Identity and contact details
Data handling under this policy is carried out by:
Guido Pettinari
Contact for privacy-related matters: guido@aiconsultant.it
2. Scope
This policy applies to personal data received directly from clients, prospects, partners, or made available during the delivery of professional services.
It does not replace project-specific contracts, data processing agreements, or client instructions. Where those documents exist, they prevail for the relevant engagement.
3. Role: controller or processor
Depending on the engagement, Guido Pettinari may act:
- as controller, for personal data processed for his own business operations, such as website inquiries, client communications, invoicing, accounting, and contract management;
- as processor, where personal data is processed solely on behalf of a client and under the client's documented instructions;
- in limited cases, as an independent controller for processing that is required to comply with legal, tax, security, or professional obligations.
The actual role depends on the substance of the engagement and, where applicable, the relevant contract or data processing agreement.
4. Categories of personal data
Depending on the engagement, the data handled may include:
- contact and identity data of client representatives;
- billing, contractual, and administrative data;
- communications, meeting notes, and project correspondence;
- project documentation and technical materials;
- technical or security-related data reasonably necessary for service delivery;
- personal data contained in client systems, datasets, or materials where access to that data is necessary for the agreed work.
Special category data and criminal-offence data are not intentionally sought unless strictly necessary for the engagement and lawfully supported.
5. Purpose of processing
Where acting as controller, personal data may be processed to:
- respond to inquiries and manage business relationships;
- prepare proposals, negotiate, and perform contracts;
- deliver consulting, software, automation, or technical services;
- issue invoices and comply with accounting or tax obligations;
- maintain the security and integrity of systems and business operations;
- protect legal rights and handle disputes or claims.
Where acting as processor, personal data is processed only to the extent necessary to provide the agreed service and according to the client's documented instructions.
6. Legal bases
Where acting as controller, processing is generally based on one or more of the following:
- performance of a contract or steps requested before entering into a contract;
- compliance with legal obligations;
- legitimate interests, such as running the business, securing systems, and managing client relationships.
Where consent is used for a specific activity, it will be requested separately where required.
Where acting as processor, the legal basis for the underlying processing is determined by the client as controller.
7. Data minimization and access
Only the personal data reasonably necessary for the relevant purpose is handled.
Where possible, anonymized, synthetic, or non-production data is preferred over real personal data.
Access to personal data is limited to what is necessary for the performance of the engagement.
8. Security measures
Appropriate technical and organizational measures are applied in a manner proportionate to the scope of the work and the sensitivity of the data.
These measures may include, where applicable:
- use of supplier-controlled devices;
- password protection, screen lock, and device encryption;
- multi-factor authentication where supported;
- secure communication channels such as HTTPS, SSH, or VPN where appropriate;
- restricted access to credentials, systems, and project materials;
- regular software and system updates;
- secure handling of secrets and API keys.
9. Third-party services and subprocessors
Third-party services may be used for email, cloud storage, source control, collaboration, hosting, analytics, productivity, and other operational needs.
Where personal data is processed on behalf of a client, relevant third-party providers may act as subprocessors or independent providers depending on the service and contractual setup.
Where required by law or contract, additional information about relevant providers can be supplied in project documentation, contract terms, or on request.
10. International transfers
If the use of a third-party provider involves an international transfer of personal data, the transfer will be handled using the provider's applicable transfer mechanisms and any safeguards required by law or contract.
11. Retention and deletion
Personal data is kept only for as long as reasonably necessary for the relevant purpose, including service delivery, legal and accounting obligations, security, record keeping, and the establishment, exercise, or defense of legal claims.
At the end of an engagement, client data may be returned, deleted, or retained only to the extent required by law, contract, or legitimate operational necessity.
12. Personal data breaches and incidents
If a personal data breach affecting client data processed on behalf of a client is identified, the client will be informed without undue delay, and reasonable cooperation will be provided in line with the scope of the engagement and applicable contractual obligations.
13. Data subject rights
Where Guido Pettinari acts as controller, data subjects may contact guido@aiconsultant.it to exercise applicable rights, including access, rectification, erasure, restriction, objection, or data portability, where available under applicable law.
Where Guido Pettinari acts as processor on behalf of a client, requests relating to personal data should normally be addressed first to the relevant client as controller. Reasonable assistance may be provided where appropriate.
Data subjects also have the right to lodge a complaint with the competent supervisory authority.
14. Updates
This policy may be updated from time to time to reflect changes in services, tools, legal requirements, or working practices.