ORIVIUM
Privacy Policy
How ORIVIUM processes personal data collected through this website.
Last updated: 7 May 2026
This notice reflects the current website setup: password gate, access request form, transactional email delivery, anti-bot protection, rate limiting, privacy-focused web analytics, error monitoring and necessary technical cookies or similar technologies. No advertising, newsletter or CRM provider is active on the website.
| Processing activity | Data categories | Legal basis | Retention |
|---|---|---|---|
| Access request handling | Business contact details, role, organisation, company context, situation summary and optional telephone number. | Steps requested by the data subject before a possible business relationship; legitimate interest in managing qualified enquiries. | No longer than 24 months unless a longer period is required for legal claims or legal obligations. |
| Restricted website access | Password gate status stored in the first-party technical cookie `orivium-access`. | Necessary to provide the restricted access requested by the visitor; legitimate interest in access control. | 30 days. |
| Website security and operation | Limited technical request data, server logs, security events, Cloudflare Turnstile verification signals and Upstash Redis rate-limit counters based on hashed identifiers. | Legitimate interest in website security, abuse prevention, troubleshooting and service reliability. | Rate-limit counters currently expire after approximately 1 hour. Server and provider logs are limited to what is necessary for security and operation, according to hosting and infrastructure settings. |
| Transactional email delivery | Email address, name, organisation, request content and email delivery metadata processed through Resend to deliver ORIVIUM notifications and requester confirmations. | Steps requested by the data subject before a possible business relationship; legitimate interest in reliable request handling and communication. | ORIVIUM keeps request records no longer than 24 months unless a longer period is required for legal claims or legal obligations. Provider-side records follow the relevant service settings and terms. |
| Aggregated website analytics | Cookieless Vercel Web Analytics data, such as page views, referrers, countries, browser and device information, processed in aggregated form. | Legitimate interest in understanding website performance and improving the website without advertising or profiling. | According to Vercel Web Analytics reporting windows and service settings. |
| Error monitoring | Technical error events processed through Sentry, such as stack traces, runtime metadata, browser or device information and request URLs without query strings. The current configuration removes user fields, cookies, query strings, sensitive headers and contact-form fields before events are sent where applicable. | Legitimate interest in identifying, diagnosing and fixing production errors and maintaining website security and reliability. | According to Sentry project retention settings and service terms, limited to what is necessary for troubleshooting and reliability. |
| Legal compliance and claims | Data necessary to comply with applicable law or to establish, exercise or defend legal claims. | Compliance with legal obligations; legitimate interest in legal protection. | For the period required by law or by the relevant limitation period. |
Controller
Francesco di Castri is the controller for the processing described in this notice.
Privacy requests may be addressed to privacy@orivium.co.
Data we process
When you use the access request form, we ask for the information needed to understand the nature of the request and to contact you.
- Situation summary and previous work, if provided.
- Company context such as sector, geography, revenue range and employee range.
- Sponsor or role in the request and decision timing.
- Name, role, organisation, email address and optional telephone number.
- Technical request data required to operate and protect the website, including limited server logs, the password gate cookie, Turnstile anti-bot verification, rate-limit counters and Sentry error-monitoring diagnostics.
Purposes and legal bases
We process access request data to assess whether ORIVIUM may be the right counterpart for a confidential conversation and to respond to the request. The legal basis is taking steps at the request of the data subject before a potential business relationship and ORIVIUM's legitimate interest in managing serious inbound enquiries.
We process technical logs, Cloudflare Turnstile signals and rate-limit counters to operate, secure and maintain the website. The legal basis is ORIVIUM's legitimate interest in service security and reliability.
We use Vercel Web Analytics to understand aggregate website usage and performance. It is not used for advertising, cross-site tracking or profiling.
We use Sentry to detect and diagnose production errors. It is configured for error monitoring only, without Session Replay, profiling, advertising or marketing profiling.
The password gate cookie is necessary to provide access to the restricted website and is not used for marketing or profiling.
Recipients
Personal data may be accessible to categories of recipients that support the website and ORIVIUM's operations, such as hosting and infrastructure providers, security providers, email delivery providers, professional advisers and public authorities where required by law.
The current active providers are Vercel for hosting, infrastructure and Web Analytics, Resend for transactional email delivery, Cloudflare Turnstile for anti-bot verification, Upstash Redis for rate limiting and Sentry for error monitoring. No advertising, newsletter or CRM provider is active on the website.
Transfers outside the EEA
Some active providers may operate globally or use sub-processors outside the European Economic Area. Where a transfer outside the EEA occurs, it must rely on an appropriate transfer mechanism such as an adequacy decision, standard contractual clauses or another GDPR-compliant safeguard.
Retention
Access request data will be kept only for the time needed to evaluate and manage the request, and in any case no longer than 24 months unless a longer period is required for legal claims or legal obligations.
The password gate cookie expires after 30 days. Rate-limit counters currently expire after approximately 1 hour. Technical logs, error-monitoring records and provider-side records are kept according to the relevant service settings and should be limited to what is necessary for security, operation, reliability and request handling.
Your rights
You may request access, rectification, erasure, restriction, portability and objection where the GDPR conditions are met.
You also have the right to lodge a complaint with a competent supervisory authority, including the Italian Data Protection Authority.
Automated decision-making
The website does not make automated decisions with legal or similarly significant effects and does not carry out profiling for marketing purposes.