01 Data Controller
The Data Controller of this website is Lorenzo Stipa, VAT No. 13615331009, with registered office at Viale Vasco de Gama 16, Rome, Italy.
For any questions or requests regarding the processing of your personal data, you may contact the Data Controller at the above address or via email at hello@norienstudio.com.
02 What Data We Collect and How We Use It
We process personal data in compliance with Article 6 of Regulation (EU) 2016/679 (the “GDPR”) and, where applicable, on the basis of your freely given consent pursuant to Article 7 GDPR.
2.1 Data Collected Through the Website
When you browse our website or contact us, we may collect:
| Type of data | Purpose | Legal basis |
|---|---|---|
| Contact details (name, email address, company name) | Responding to enquiries; providing information about our services | Pre-contractual measures (Art. 6(1)(b) GDPR); Consent (Art. 6(1)(a) GDPR) |
| Navigation data (IP address, browser type, browsing behaviour) | Website operation, security, and analytics | Legitimate interest (Art. 6(1)(f) GDPR); Consent for non-essential cookies (Art. 122 Italian Privacy Code) |
| Data provided via contact forms, quote requests, or newsletters | Communicating with you; sending commercial updates | Consent (Art. 6(1)(a) GDPR); Performance of a contract (Art. 6(1)(b) GDPR) |
2.2 Data Collected in the Provision of Advertising Campaign Services
In order to deliver AI-driven advertising campaign services, we may process the following categories of data on behalf of our clients:
- Campaign performance metrics
- Audience targeting parameters
- Aggregated analytics data
We process these data as a data processor on behalf of the client, who acts as the Data Controller for the end users’ personal data. The processing is governed by a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.
2.3 Artificial Intelligence and Automated Processing
Our advertising campaigns leverage artificial intelligence technologies for campaign optimisation, audience segmentation, and performance analysis. In compliance with Article 4 of Italian Law No. 132 of 23 September 2025, we ensure that the use of AI systems is carried out in a lawful, fair, and transparent manner, with respect for data protection rights and in full compatibility with the purposes for which data were collected.
Where AI-driven decision-making produces legal effects concerning natural persons or similarly significantly affects them, we provide meaningful information about the logic involved, the significance, and the envisaged consequences, as required by Article 13(2)(f) GDPR.
03 Cookies and Similar Technologies
Our website uses cookies and similar tracking technologies. In accordance with Article 122 of Italian Legislative Decree No. 196/2003 (the “Italian Privacy Code”), the storage of information in your terminal equipment is permitted only with your prior consent, provided in a simplified manner.
3.1 Categories of Cookies Used
| Category | Purpose | Consent required |
|---|---|---|
| Technical cookies | Essential for website functionality; user session management; security | No |
| Analytics cookies | Aggregated statistical analysis of website usage | Yes |
| Marketing / profiling cookies | AI-driven advertising optimisation; conversion tracking; retargeting | Yes |
You may manage your cookie preferences at any time through our cookie consent banner and through your browser settings. Consent may be withdrawn with the same ease with which it was given, as required by Article 7(3) GDPR.
04 Third-Party Recipients and Data Processors
We may share your personal data with the following categories of recipients:
- AI technology and cloud service providers (acting as data processors under Art. 28 GDPR)
- Advertising platforms (e.g., Google Ads, Meta Ads) for campaign delivery
- Analytics service providers
- Email marketing and CRM providers
- Professional advisors, where necessary (legal, accounting)
All third-party processors are carefully selected for their GDPR compliance, provide adequate guarantees, and are bound by a written contract in accordance with Article 28 GDPR. An up-to-date list of processors is available upon request.
05 International Data Transfers
Where personal data are transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as:
- Adequacy decisions issued by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs)
You may obtain further information about the safeguards applied by contacting the Data Controller.
06 Data Retention
Personal data are retained for no longer than necessary to fulfil the purposes for which they were collected:
- Contact enquiries: up to 24 months from the last communication
- Newsletter subscriptions: until consent is withdrawn
- Website navigation data: in accordance with applicable cookie durations (as set out in the cookie banner)
- Contractual data: for the duration of the contract and for the period required by applicable tax and accounting laws (typically 10 years)
Upon expiry of the retention period, data are securely erased or anonymised.
07 Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access control and authentication mechanisms
- Regular security testing and vulnerability assessments
- Staff training on data protection
- Incident response and business continuity procedures
08 Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — obtain confirmation as to whether your data are being processed and access to the data
- Right to rectification — request correction of inaccurate data
- Right to erasure (“right to be forgotten”) — request deletion of your data
- Right to restriction of processing — request limited processing
- Right to data portability — receive your data in a structured, commonly used format
- Right to object — object to processing based on legitimate interest, including profiling
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal
- Right to lodge a complaint — with the Italian Data Protection Authority or the supervisory authority of your EU Member State of residence
To exercise your rights, contact us at hello@norienstudio.com. We will respond without undue delay and in any event within one month, extendable by a further two months where necessary, taking into account the complexity and number of requests.
09 Complaints to the Supervisory Authority
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), pursuant to Article 77 GDPR, at the following contact details:
- Address: Piazza Venezia 11, 00187 Rome, Italy
- Website: www.garanteprivacy.it
- Email: protocollo@gpdp.it
- PEC: protocollo@pec.gpdp.it
10 Minors
Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data without parental consent, please contact us and we will promptly delete the data.
11 Changes to This Privacy Policy
We reserve the right to update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. Any changes will be published on this page with an updated “Last updated” date. We encourage you to review this policy periodically.
12 Contact
Viale Vasco de Gama 16, Rome, Italy
Email: hello@norienstudio.com
Website: www.norienstudio.com