How Studio Legale Tofani processes personal data of visitors to tofani.legal, newsletter subscribers, and those who contact us for consultation. Current version last updated 19 April 2026.
The data controller is Studio Legale Tofani, with offices at Via Sardegna, 50, 00187 Roma (IT), VAT 10514750586, registered with the Ordine degli Avvocati di Roma.
For any matter relating to this notice, write to info@tofani.legal or call +39 06 42016048.
The Firm has not appointed a DPO under GDPR art. 37 because the processing does not fall within the mandatory scenarios (public authority; large-scale processing of special categories; large-scale systematic monitoring).
Privacy requests can be addressed directly to the Controller at info@tofani.legal.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Pages visited, timestamps | Technical operation, security | Legitimate interest (art. 6.1.f) | 90 days |
| Country code (x-vercel-ip-country header) | Aggregated geographic statistics | Legitimate interest | 90 days |
| User-agent (browser/device) | Debugging, rendering optimization | Legitimate interest | 90 days |
| Pseudonymized session ID (tfn_sid, 30 min) | Unique visitor counting | Legitimate interest (technical analytic cookie) | 30 min sliding |
No IP addresses are stored (the system explicitly discards the x-forwarded-for header before database write).
If you contact us via /contacts or email we collect: name, surname, email, message content.
| Purpose | Legal basis | Retention |
|---|---|---|
| Handling consultation requests | Pre-contractual measures (art. 6.1.b) | Up to 24 months from last contact, unless a professional mandate is engaged |
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Delivery of editorial contributions by the Firm's lawyers | Explicit consent (art. 6.1.a) | Until consent withdrawn |
| IP at subscription + confirmation | Burden of proof of consent (art. 7.1 GDPR) | Legal obligation | 10 years (statute of limitations) |
| User-agent | Proof of consent | Legal obligation | 10 years |
| Accepted notice version | Proof of consent | Legal obligation | 10 years |
Double opt-in: enrollment finalizes only after clicking the confirmation link received by email. Withdrawal: click «unsubscribe» in any email (GDPR art. 7 + Italian Legislative Decree 70/2003 art. 13) or write to info@tofani.legal.
Personal data of clients and of counterparties involved in professional mandates are processed in compliance with art. 3 of the Italian Forensic Code of Ethics (professional secrecy) and anti-money-laundering law (Legislative Decree 231/2007). This website does not collect data within active engagements; any engagement-related processing uses separate secure channels (certified email, secure portals, in-office meetings).
| Processor | Role | Location | Data transfer safeguard |
|---|---|---|---|
| Vercel Inc. | Application hosting + CDN | USA (with EU edge) | EU-US Data Privacy Framework (DPF) |
| Supabase Inc. | Database + storage + auth | EU-West region | Within EEA — no transfer |
| MailerSend | Transactional email delivery | USA | Standard Contractual Clauses (SCC) + EU-US DPF |
| Google LLC (Fonts) | Typography fonts served via CDN | Google Fonts CDN if configured in Theme editor, otherwise bundled | Runtime request to fonts.googleapis.com only if font CDN is enabled |
| Google LLC (Search Console) | Indexing monitoring | USA | EU-US DPF · Controller access to aggregated technical data |
Data is not sold or transferred to third-party marketers.
Certain providers (Vercel, MailerSend) are U.S. entities. Transfer is grounded on:
As a data subject, you have the right to:
How to exercise: write to info@tofani.legal with subject line «GDPR rights request». Response within 30 days (extendable by 60 days in complex cases under art. 12 GDPR, with prior notice).
In addition to the retention periods in Section 3, data is kept for statutory periods (tax, accounting, anti-money-laundering). At the end of retention, data is securely deleted or irreversibly anonymized.
The Firm applies technical and organizational measures appropriate to the risk (art. 32 GDPR): TLS 1.2+, AES-256 at rest, MFA on privileged access, daily encrypted backups (30-day retention), access logging, 72-hour data breach notification procedure (art. 33 GDPR).
Data is not subject to profiling or automated decision-making as defined in GDPR art. 22.
The Controller reserves the right to amend this notice as applicable law requires. The current version is always at tofani.legal/en/privacy-notice. Newsletter subscribers are notified of substantial changes by email.
Last updated: 19 April 2026 · version: v1-2026-04