Privacy Policy

Last Updated: March 12, 2026

1. Introduction and Controller Identity

This Privacy Policy explains how FAMA SRL (“FAMA SRL”, “we”, “our”, or “us”) collects, uses, discloses, and protects personal data when you visit our website and interact with our educational services available to participants throughout Canada. This policy applies to data processed through our website and any communication channels referenced on this site.

Data Controller: FAMA SRL, Via Trenno, 15, 20151 Milan (MI), Italy. Contact email: [email protected]. We operate from Italy and provide professional education accessible across Canada. We do not appoint a Data Protection Officer at this time as we do not process large-scale special-category data.

By accessing this website, you acknowledge this Privacy Policy. Where required by law, we will ask for your consent before processing personal data for non-essential purposes such as analytics or marketing cookies.

2. Personal Data We Collect

We collect the following categories of personal data, depending on how you interact with us:

• Identity and contact details: name, email address, telephone number.
• Form content: messages you send, program interests, goals, timelines, and any information you choose to include when requesting information or enrollment.
• Technical data: IP address, device identifiers, browser type and version, operating system, language preferences, approximate geolocation derived from IP, and basic security logs.
• Usage data: visited pages, time on page, navigation paths, referrer/UTM parameters, click interactions (if analytics is enabled with your consent).
• Cookies and similar technologies: essential cookies for basic site operation, and—only with your consent—analytics and marketing identifiers as detailed in Section 4 and our Cookie Policy.
• Communications metadata: timestamps, channel (email/phone), and delivery status for our legitimate business records.

We do not intentionally collect special-category data (such as health data, political opinions, religious beliefs), government identifiers, or payment card numbers through this website. Please do not include sensitive information in free-text fields.

3. Why We Process Personal Data and Legal Bases (GDPR)

• Responding to inquiries and providing program information: to process your request, schedule sessions, and communicate next steps. Legal bases: performance of a contract or pre-contractual steps (Art. 6(1)(b)) and your consent when applicable (Art. 6(1)(a)).
• Service administration and security: to operate the website, maintain security, detect fraud/abuse, and ensure availability. Legal basis: legitimate interests (Art. 6(1)(f)).
• Analytics (optional): to understand site usage and improve content, if you consent to analytics cookies. Legal basis: consent (Art. 6(1)(a)).
• Marketing and remarketing (optional): to measure campaign performance and show relevant ads, only if you consent. Legal basis: consent (Art. 6(1)(a)).
• Legal and compliance: to comply with obligations such as record-keeping and responding to lawful requests. Legal basis: legal obligation (Art. 6(1)(c)).

Automated Decision-Making: We do not engage in automated decision-making or profiling that produces legal or similarly significant effects under GDPR Article 22.

4. Cookies and Similar Technologies

We use a three-category approach consistent with our on-site preferences panel and Cookie Policy.

• Essential cookies (always active): required for core site functions, such as session continuity and storing your consent choices. Examples: _site_session (session), cookie_consent (12 months).
• Analytics cookies (consent-based): Google Analytics 4 with IP anonymization to understand site usage. Examples: _ga (2 years), _ga_XXXXXXXXXX (2 years). Data retention typically 14 months at the analytics provider level.
• Marketing cookies (consent-based): used for advertising and remarketing measurement. Examples: _gcl_au (90 days), _fbp (90 days), _fbc (90 days when a click ID is present).

You can manage preferences at any time via “Manage cookie preferences” in the page footer. For details, please review our dedicated Cookie Policy.

5. Consent and Withdrawal

Visitors in the EEA, including Italy, receive a consent prompt for analytics and marketing cookies. We activate these categories only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your choice is stored in the cookie_consent browser cookie for up to 12 months. You may withdraw or change consent at any time via the preferences panel or by clearing cookies. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

6. Sharing with Service Providers and Advertising Partners

We share personal data with trusted providers who help us operate and improve our website and educational communications. These recipients process data under our instructions and may not use it for their own independent purposes.

• Infrastructure and security: content delivery and basic security services (e.g., CDN, DDoS mitigation) that receive IP addresses and traffic metadata.
• Analytics (if consented): Google Analytics 4 receives cookie IDs and aggregated usage data.
• Marketing (if consented): advertising platforms (e.g., Google Ads, Meta) may receive pixel or server-side event data and hashed identifiers solely for measurement and remarketing where permitted.
• Professional advisors and legal authorities: when required to comply with law, enforce our rights, or protect users.

We do not sell personal data. We do not enable providers to use site data for their own independent commercial purposes.

7. International Transfers

Because we use global service providers, your data may be transferred outside the EEA/UK, including to the United States. Where applicable, we rely on the EU–US Data Privacy Framework and its UK Extension, Swiss–US DPF, and/or Standard Contractual Clauses (EU 2021/914). We also implement supplementary safeguards where appropriate. Copies of relevant transfer mechanisms are available upon request where disclosure does not compromise security or confidentiality.

8. Data Retention

• Contact requests and correspondence: 2 years from your last interaction, unless a longer period is legally required.
• Analytics records: typically 14 months in aggregated form at the provider level.
• Marketing cookies: per cookie lifetime listed in Section 4 and in the Cookie Policy.
• Server logs: approximately 90 days for security and troubleshooting.
• Consent records: up to 3 years for audit purposes.
• Legal and tax records: as required under applicable law.

9. Your Rights

If you are in the EEA/Italy, under GDPR you may have the following rights, subject to conditions and exemptions:

• Access your personal data and obtain a copy.
• Rectify inaccurate or incomplete data.
• Erase data in certain circumstances (“right to be forgotten”).
• Restrict processing in specific situations.
• Data portability for data you provided to us.
• Object to processing based on legitimate interests and to direct marketing.
• Withdraw consent at any time where processing is based on consent.

To exercise any right, email [email protected] with “Privacy Request” in the subject line and describe your request. We will respond within 30 days, extendable by 60 days for complex requests. You also have the right to lodge a complaint with the Italian Supervisory Authority (Garante per la protezione dei dati personali).

10. Children

This website and our programs are intended for adult learners and organizational teams. We do not knowingly collect data from individuals under 16 years of age. If you believe a child has provided personal data, please contact us and we will delete it promptly.

11. Do Not Track

Some browsers offer a “Do Not Track” signal. Our website does not respond to DNT signals. Analytics and marketing cookies only run with your explicit consent through our cookie preferences panel.

12. Requests for Deletion and Account-Free Use

We do not operate end-user accounts on this site. You may request deletion of personal data we hold by emailing [email protected] with “Data Deletion Request” in the subject line. We will verify identity and complete deletion unless retention is required by law or legitimate interests such as security or dispute resolution.

13. Business Transfers

If FAMA SRL is involved in a merger, acquisition, reorganization, asset sale, financing, or insolvency event, personal data may be transferred to a successor entity subject to this Privacy Policy or an equivalent policy. We will post a notice on the website if material changes occur.

14. California (CCPA/CPRA)

For California residents, the following categories of personal information may have been collected in the last 12 months: identifiers (name, email, IP), internet/network activity (site usage), and inferences (interests) for advertising where consented. We disclose such data to service providers and advertising partners for permitted business purposes. We do not sell personal information as defined by CCPA. We may “share” personal information for cross-context behavioral advertising only with your cookie consent. Rights include: Know, Delete, Correct, Opt-Out of sale/sharing, and Non-Discrimination. To exercise rights, email [email protected] with “California Privacy Request”. Authorized agents must provide written authorization. We will verify identity before fulfilling requests.

15. Virginia (VCDPA)

Virginia residents have rights to Access, Correct, Delete, Data Portability, and Opt-Out of targeted advertising. We do not sell personal data or conduct profiling that produces legal or similarly significant effects. Submit requests by emailing “Virginia Privacy Request” to [email protected]. If we deny your request, you may appeal within 60 days by emailing “Appeal of Refusal — Privacy Request”.

16. Nevada

Nevada residents may submit a verified opt-out of sale request by emailing “Nevada Do Not Sell Request” to [email protected]. We do not currently sell personal information under Nevada law (NRS 603A).

17. Canada (PIPEDA and Provincial Laws)

We provide educational services across Canada and handle inquiries from Canadian residents. While FAMA SRL is established in Italy and applies GDPR protections, we also consider principles of Canada’s PIPEDA and relevant provincial privacy laws. We collect personal information for reasonable, limited purposes connected to your inquiry or participation in our programs, and we obtain consent where required. You may request access to or correction of your personal information and withdraw consent (for example, to optional analytics/marketing) subject to legal and contractual restrictions. To exercise these rights, email [email protected]. Data may be transferred outside of Canada for processing; by using our site, you acknowledge that foreign laws may permit foreign authorities to access your information in certain circumstances.

18. Security Measures

We implement administrative, technical, and organizational safeguards to protect personal data, including HTTPS/TLS encryption in transit, access controls, least-privilege principles for internal handling, and routine security updates. While we take reasonable steps to secure data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Changes to This Policy

We may revise this Privacy Policy to reflect changes in law, our services, or data practices. Material changes will be announced via a notice on our homepage at least 14 days before taking effect. The “Last Updated” date at the top of this page indicates the most recent revision.

Contact

Controller: FAMA SRL, Via Trenno, 15, 20151 Milan (MI), Italy. Email: [email protected]. Supervisory Authority in Italy: Garante per la protezione dei dati personali. We welcome your questions, requests, and feedback regarding privacy and data protection.