Last update: January 2026

This policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and describes how Eleventi Lab (hereinafter also referred to as the “Data Controller”) processes the personal data of users who consult and use the website https://www.eleventilab.com (hereinafter referred to as the “Website”), as well as those who send requests via the contact form (WPForms) or contact the Data Controller by email/telephone.

Data Controller: Elena Memmola – “Eleventi Lab”
Tax ID: MMMLNE82P51L219U
Privacy contact email: info@eleventilab.com
Telephone: +39 333 360 22 38
DPO (Data Protection Officer): not designated (unless required or voluntarily assigned)

Depending on your interaction with the Website, the following may be processed:

a) Browsing data
Technical data (e.g., IP address, log, browser type, operating system, requested URLs, access time) necessary for the functioning of the Website and security.

b) Data provided voluntarily by the user (WPForms/contact form)

When you fill out a form or contact the Data Controller, we may process: first and last name, email address, phone number (if provided), type of event, message content, and any additional information you choose to include.

c) Statistical/measurement data (Google Analytics)
Data relating to the use of the Website for aggregate analysis and performance measurement, via Google Analytics (GA4). GA4 states that it does not record or store IP addresses and that it “discards” them before recording, particularly for EU traffic.

We process data for the following purposes:
1. Responding to contact requests, information requests, and quotes (WPForms, email, telephone)
Legal basis: performance of pre-contractual/contractual measures (Art. 6(1)(b) GDPR) and, for anything beyond that, legitimate interest in managing communications (Art. 6(1)(f) GDPR).

2. Technical management and security of the Website (log, abuse prevention, defense against attacks)
Legal basis: legitimate interest of the Data Controller in security and proper functioning (Art. 6(1)(f) GDPR).

3. Statistical analysis and measurement of visits (Google Analytics)
Legal basis: consent (Art. 6(1)(a) GDPR), when required by applicable law for non-essential cookies/tracking tools. (If the Website uses a CMP/cookie banner, GA is only activated after consent has been given.)

Processing is carried out using IT and telematic tools, with logic related to the purposes indicated and adopting adequate security measures to protect the data (e.g., access control, updates, backups, anti-intrusion measures).

• Browsing data: necessary for the functioning of the Site; failure to provide such data may prevent its correct use.
• Contact form data: provision is optional, but necessary to receive a response.
• Analytics data: optional; you can refuse or revoke your consent without consequences on the use of the Website (except for features related to banners/cookies).

The data may be disclosed to:

• authorized personnel of the Data Controller;
• technical suppliers (hosting, WordPress maintenance, email services), appointed as Data Processors if necessary;
• WPForms (WordPress plugin for forms): content sent via the form may be saved in the WordPress database and/or forwarded by email to the Data Controller according to the website configuration;
• Google for the Google Analytics (GA4) service.

The data is not disclosed.

The use of services such as Google may involve data transfers to countries outside the EEA, in particular the United States, depending on the configurations and methods of service delivery. In such cases, the transfer takes place on the basis of the safeguards provided for by the GDPR (e.g., adequacy decision, or Standard Contractual Clauses and additional measures, where applicable). The Data Privacy Framework (EU–US DPF) is one of the public frameworks for certain transfers/adherence.

Unless otherwise required by law, data is retained according to the following criteria:

• Contact/quote requests (forms, emails): for the time necessary to manage the request and, in the case of a relationship, for the duration of the contract and subsequent legal terms; in the absence of a contract, generally up to 24 months (organizational criterion, modifiable by the Data Controller).
• Security logs and technical data: for limited and proportionate periods (e.g., from a few days to a few months), unless necessary for the investigation/prosecution of abuse or defense in court.
• Google Analytics (GA4): according to the retention settings configured in the service (typically up to 14 months for user/event level data, if set up that way).

You may exercise your rights under Articles 15-22 of the GDPR, including:

• access, rectification, erasure;
• restriction and objection to processing;
• data portability (in the cases provided for);
• withdrawal of consent (without prejudice to the lawfulness of previous processing).

To exercise your rights, please write to info@eleventilab.com.

If you suspect that the processing violates the GDPR, you may lodge a complaint with the competent Supervisory Authority. In Italy: Garante per la Protezione dei Dati Personali (Italian Data Protection Authority).

The Website may use technical cookies and, with prior consent, cookies/measurement and tracking technologies (e.g., Google Analytics). For detailed information (types, duration, preference management), please refer to the Website’s Cookie Policy and the consent management banner, if available.

The Website and related services are not intended for underage persons. If you believe that an underage person has provided personal data, please contact the Data Controller to request its removal.

The Data Controller may periodically update this Privacy Policy. The updated version is published on this page with an indication of the date of the last update.