Privacy Policy

Last updated: 18 April 2026

1. Data Controller

The data controller of the personal data processed through this website is:

Corvalys LTD (the "Company", "we", "us" or "our") Company in the process of incorporation under the laws of the Republic of Cyprus. Website: https://corvalys.eu General contact: info@corvalys.eu Privacy & data protection matters: enzo@corvalys.eu

This Privacy Policy is issued in compliance with:

  • Regulation (EU) 2016/679 (the "GDPR");
  • Directive 2002/58/EC (the "ePrivacy Directive") as implemented in EU Member States;
  • the Guidelines of the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) of 10 June 2021 on the use of cookies and other tracking tools;
  • the data protection legislation of the Republic of Cyprus, including Law 125(I)/2018.

2. Categories of Data Processed

We may process the following categories of personal data, depending on how you interact with us:

2.1 Navigation data

Our servers and website infrastructure automatically collect technical information such as:

  • IP address (pseudonymised where technically feasible);
  • browser type, version and language;
  • operating system and device type;
  • date and time of access, pages visited, referring URL;
  • approximate geographic location (country / region level).

This data is processed for the sole purpose of ensuring the proper operation, security and statistical analysis of the website.

2.2 Contact form data

When you reach out to us through the contact form or by email, we process:

  • first name and last name;
  • email address;
  • company name (optional);
  • the content of your message and any attachments.

2.3 Newsletter

If you subscribe to our newsletter we process your email address and, optionally, your first name in order to send you editorial content, product updates and occasional commercial communications.

2.4 Calendly bookings

If you book a call through Calendly (embedded or linked from our site), Calendly LLC processes the data you provide (name, email, time zone, answers to screening questions). Corvalys LTD receives a copy of the meeting record.

2.5 Consent preferences

We store the choices you make in the cookie banner in your browser's local storage so that we do not ask you again at every visit.

3. Purposes and Legal Bases

# Purpose Legal basis (GDPR)
a Respond to information or commercial requests received through the contact form or by email Art. 6(1)(b) — performance of pre-contractual measures at the request of the data subject
b Manage the delivery of consulting services and related agreements Art. 6(1)(b) — performance of a contract
c Send our newsletter and commercial communications Art. 6(1)(a) — consent of the data subject
d Analyse aggregate traffic and improve the website Art. 6(1)(f) — legitimate interest of the controller in running an efficient online presence
e Ensure the technical security of the site and prevent abuse Art. 6(1)(f) — legitimate interest in preserving the integrity of our systems
f Comply with legal, tax and accounting obligations Art. 6(1)(c) — compliance with a legal obligation
g Establish, exercise or defend legal claims Art. 6(1)(f) — legitimate interest

Providing the data listed under purposes (a), (b) and (f) is required in order to obtain the requested service; failing to provide it makes it impossible for us to reply or to enter into an agreement with you. Providing data for purpose (c) is entirely optional.

4. Retention Periods

We retain personal data only for as long as necessary to achieve the purposes for which it was collected, according to the following criteria:

  • Contact requests: up to 24 months from the last contact, then deleted or anonymised, unless a contractual relationship has started;
  • Newsletter: until you withdraw your consent (unsubscribe), after which your email is removed from the active list and kept in a suppression list only for the time strictly necessary to honour the opt-out;
  • Site analytics: aggregate data is retained up to 26 months;
  • Contractual data and invoices: for the entire duration of the agreement and for 10 years after its termination, as required by Cypriot and EU accounting and tax law;
  • Data needed to defend legal claims: until the relevant limitation period has expired;
  • Cookie consent records: up to 12 months, after which the banner is shown again.

At the end of the applicable retention period the data is securely deleted or fully anonymised.

5. Recipients of the Data

Personal data may be disclosed to the following categories of recipients, always under appropriate contractual safeguards and, where applicable, a data processing agreement pursuant to Art. 28 GDPR:

  • Hosting provider — Namecheap, Inc. (infrastructure and domain services);
  • Transactional email provider — Resend, Inc. (delivery of notification and system emails);
  • Meeting scheduling — Calendly LLC (when you book a call);
  • Professional advisors — accountants, auditors, lawyers under obligations of confidentiality;
  • Public authorities — where required by law or by a lawful order.

We never sell your personal data and we do not disclose it to third parties for marketing purposes without your consent.

6. Transfers Outside the European Economic Area

Some of our service providers (in particular Resend, Calendly and occasionally Namecheap support infrastructure) may be established in the United States. In those cases, the transfer takes place on the basis of:

  • the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Decision 2021/914);
  • where applicable, the adequacy decision of the European Commission of 10 July 2023 concerning the EU-U.S. Data Privacy Framework, provided that the recipient is self-certified under the Framework;
  • supplementary technical and organisational measures (encryption in transit and at rest, strict access control, data minimisation).

A copy of the clauses in place may be requested by emailing enzo@corvalys.eu.

7. Rights of the Data Subject

As a data subject you are entitled, at any time, to exercise the rights granted by Articles 15 to 22 of the GDPR:

  • Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy of it;
  • Right to rectification (Art. 16): correct inaccurate data or complete incomplete data;
  • Right to erasure (Art. 17): have your data deleted where one of the grounds listed in the GDPR applies;
  • Right to restriction (Art. 18): limit the processing of your data in specific circumstances;
  • Right to data portability (Art. 20): receive the data you provided in a structured, commonly used and machine-readable format;
  • Right to object (Art. 21): object to processing based on legitimate interest, including direct marketing;
  • Right not to be subject to automated decision-making (Art. 22);
  • Right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out before withdrawal.

You can exercise your rights by writing to info@corvalys.eu or enzo@corvalys.eu. We will reply within one month of the request, as required by Art. 12(3) GDPR. No fee is charged unless the request is manifestly unfounded or excessive.

8. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR).

Relevant authorities include:

  • Cyprus — Office of the Commissioner for Personal Data Protection — dataprotection.gov.cy;
  • Italy — Garante per la Protezione dei Dati Personali — garanteprivacy.it;
  • France — Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr;
  • United Kingdom — Information Commissioner's Office (ICO) — ico.org.uk;
  • or any other competent data protection authority in your country of residence.

9. Data Protection Officer

A Data Protection Officer has not been appointed, since the processing activities carried out by Corvalys LTD do not fall within the mandatory cases listed in Art. 37 GDPR. Data protection matters are handled directly by the controller; you can reach us at enzo@corvalys.eu.

10. Automated Decision-Making and Profiling

We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.

11. Security Measures

We adopt technical and organisational measures that are appropriate to the risk, including:

  • encryption in transit (HTTPS / TLS 1.2+) and at rest for sensitive backups;
  • role-based access control and multi-factor authentication on administrative interfaces;
  • regular security updates, patching and vulnerability monitoring;
  • logging of administrative access and periodic review;
  • written agreements with all processors pursuant to Art. 28 GDPR.

12. Minors

Our services are intended for professional users and are not directed to individuals under the age of 16. We do not knowingly collect personal data relating to minors. If you become aware that a minor has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, in our services or in our organisation. The date of the latest version is shown at the top of this page. Material changes will be highlighted on the website.

14. Contact

For any privacy-related question, request or complaint, please contact Corvalys LTD at info@corvalys.eu or enzo@corvalys.eu.