Legal document
Privacy Policy.
Last updated
Quick summary
This page explains who collects your data on this website, why, how, for how long, with whom it is shared and which rights you can exercise. The policy is drawn up in compliance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Personal Data Protection Code) as amended by Italian Legislative Decree 101/2018.
In short: your contact data is processed in order to respond to your enquiries, to provide the professional service requested, to comply with legal obligations and to protect the Data Controller’s rights in any disputes. Technical browsing data is processed to ensure the website functions correctly. You may exercise your rights at any time by writing to info@metalogopedia.it and you may lodge a complaint with the Italian Data Protection Authority (Garante).
Essential definitions
For the purposes of this information notice, the definitions set out in Article 4 GDPR apply. In particular:
- Personal data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on personal data (collection, recording, organisation, storage, alteration, consultation, use, disclosure, erasure).
- Data Controller: the natural or legal person who determines the purposes and means of the processing of personal data.
- Data Processor: the natural or legal person who processes personal data on behalf of the Data Controller on the basis of a formal agreement pursuant to Article 28 GDPR.
- Data subject: the natural person to whom the personal data being processed relates.
- Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their data for one or more specific purposes.
- Special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation (Article 9 GDPR).
1. Data Controller
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter also “GDPR”), the Controller of the personal data collected through this website and the related services is:
Mariangela Allegrini, speech and language therapist, owner of the “Metalogopedia” speech therapy practice
- Registered office: Via Dalmazia 34-36, 01100 Viterbo (VT), Italy
- VAT number: IT02192000566
- Italian Tax Code: LLGMNG87M62D643W
- Lazio Region authorisation to practise the health profession: E.0244623.05-03-2026
- Email for privacy matters: info@metalogopedia.it
- Telephone: +39 328 563 6845
Field of activity: non-medical health (speech and language therapy). The practice carries out speech and language assessment and intervention pursuant to Italian Law no. 42 of 26 February 1999 and to the professional profile of the speech and language therapist. No medical diagnoses are made, as these fall within the exclusive competence of a doctor.
The website is hosted and technically maintained by Sharkcode OÜ, a company incorporated under Estonian law, which acts as Data Processor pursuant to Article 28 GDPR on the basis of a Data Processing Agreement (DPA) signed separately with the Data Controller. This information notice concerns the processing carried out by the Data Controller in respect of the website’s visitors.
2. Personal data collected
The following personal data is collected through this website, in the ways described below:
- Personal and contact details, provided voluntarily by the data subject through the contact form (first name, surname, email, telephone number).
- Technical browsing data, collected automatically by the IT systems (IP address, user agent, pages visited, session duration), in aggregated and anonymised form. This data is not associated with identified data subjects but could, by its nature, allow identification through further processing.
- Data relating to the content of the communication, namely the text of the message sent through the contact form or email, which remains within the data subject’s sphere of control as regards what they freely choose to share.
2.1 Special categories of data (health-related data)
Pursuant to Article 9 GDPR and Article 2-quinquiesdecies of Italian Legislative Decree 196/2003 (Personal Data Protection Code), the website’s contact form may collect health-related data when the data subject, in the free-text description of their enquiry, chooses to indicate the clinical conditions of the child or adult for whom a speech and language assessment is requested (for example: language difficulties, stammering, dyslexia, swallowing disorders, voice disorders).
This data belongs to the special categories referred to in Article 9 GDPR and receives reinforced protection. In particular:
- the legal basis for the processing is the data subject’s explicit consent pursuant to Article 9(2)(a) GDPR, collected through a dedicated consent checkbox in the contact form, separate from the general consent to the privacy information notice;
- for minors, consent is given by those holding parental responsibility, pursuant to Article 8 GDPR and Article 2-quinquies of Italian Legislative Decree 196/2003;
- health-related data is never subject to automated profiling or automated decision-making processes;
- health-related data is never transferred outside the European Union;
- processing is carried out solely for the purpose of responding to the data subject’s enquiry and, if the data subject decides to undertake a professional course of treatment at the practice, for the subsequent professional assessment, on the basis of a new and specific information notice provided at the first professional contact at the practice.
If the data subject does not wish to share health-related information through the contact form, they may limit themselves to a generic message (for example “I would like to make an appointment”) and provide the details during the first consultation at the practice.
2.2 Processing of minors’ data
Pursuant to Article 8 GDPR and Article 2-quinquies of Italian Legislative Decree 196/2003, the minimum age for validly giving consent to the processing of personal data is set, in Italy, at 14 years. For minors under the age of 14, consent is given or authorised by the person who holds parental responsibility or legal guardianship.
Given that the website’s contact form is mainly used by parents to request information relating to their children, the Data Controller adopts the following measures:
- the contact form assumes, when referring to a minor, that the enquiry is sent by the holder of parental responsibility;
- the website is not designed for the direct collection of data of minors under 14;
- in order to take on minors at the practice, a dedicated form must be completed and signed by both holders of parental responsibility, on the occasion of the first access to the service;
- for processing that requires explicit consent (in particular the processing of the minor’s health-related data and the possible publication of images), consent is given jointly by both holders of parental responsibility, in line with the position of the Italian Data Protection Authority (Garante), which classifies such consents as acts of extraordinary administration.
3. Purposes of the processing
Personal data is processed for the following purposes:
- Responding to requests for information or appointments, received through the contact form, email, telephone, WhatsApp or similar channels.
- Providing the professional service requested, including the administrative and organisational management of the relationship, on the basis of a specific information notice provided at the first access to the practice.
- Regulatory, tax and accounting compliance, in particular the issuing and retention of invoices and accounting documents for the period required by law.
- Handling any complaints, disputes or investigations by the competent authorities.
- Direct communications to the data subject regarding the progress of the service and any relevant changes.
Technical browsing data is used exclusively to ensure the website functions correctly, to ensure the security of the infrastructure and for aggregated statistical analysis, in ways compatible with the applicable legislation.
4. Legal basis
Depending on the purposes, the processing is based on one or more of the following legal bases provided for in Articles 6 and 9 GDPR:
- Performance of a contract to which the data subject is party, or implementation of pre-contractual measures taken at the data subject’s request (Article 6(1)(b) GDPR).
- Compliance with a legal obligation to which the Data Controller is subject, in particular in tax, accounting and professional supervision matters (Article 6(1)(c) GDPR).
- Explicit consent of the data subject, for processing that requires it: processing of health-related data (Article 9(2)(a) GDPR), publication of images (Article 6(1)(a) GDPR), any newsletter or promotional communications (if activated in the future).
- Legitimate interest of the Data Controller in the technical and security management of the website, to the extent that the interests or the fundamental rights and freedoms of the data subject do not override it (Article 6(1)(f) GDPR).
Pursuant to Article 7(3) GDPR, the consent given may be withdrawn at any time, with effect for the future, by writing to the Data Controller’s email address. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
5. Methods of processing and security measures
Personal data is processed using IT and electronic tools, with logic strictly related to the purposes indicated. Appropriate technical and organisational measures are adopted to ensure a level of security appropriate to the risk, in compliance with Article 32 GDPR. In particular:
- communications between the user’s browser and the website are encrypted using the HTTPS (TLS) protocol;
- access to the systems containing personal data is restricted to the Data Controller and to authorised persons, who hold individual credentials and are trained in the processing procedures;
- the systems are subject to regular backups and to procedures verifying their integrity and availability;
- external suppliers that process data on behalf of the Data Controller are selected on the basis of the guarantees they offer regarding data protection and are appointed as Data Processors pursuant to Article 28 GDPR;
- data is stored on infrastructure located mainly within the European Economic Area, except for the exceptions indicated in section 7.1 concerning transfers outside the EU;
- internal procedures are in place for managing personal data breaches, including a risk assessment within 24 hours of discovery and notification to the Italian Data Protection Authority (Garante) within 72 hours, where the conditions set out in Article 33 GDPR are met.
5.1 Profiling and automated decision-making
The Data Controller does not carry out processing based on wholly automated decision-making processes, including profiling, that produce significant legal effects on the data subject pursuant to Article 22 GDPR. Any aggregated analysis of browsing data is statistical in nature and does not allow individual decisions to be taken in respect of users.
5.2 Data Protection Officer (DPO)
Given the field of activity and the organisational scale in which it operates, the Data Controller is not required to appoint a Data Protection Officer (DPO) on a mandatory basis pursuant to Article 37 GDPR. Requests relating to the processing of personal data can be addressed directly to the Data Controller at info@metalogopedia.it.
6. Retention period
Personal data is retained for as long as is strictly necessary to pursue the purposes indicated, according to the following general rules:
- Contact data (information requests without continuation of the relationship): up to 12 months from the last interaction, after which the data is erased.
- Data relating to the contractual and professional relationship: for the duration of the relationship and for the 10 years following its termination, pursuant to Article 2220 of the Italian Civil Code concerning the retention of accounting records, and in compliance with the deontological provisions of the relevant professional Association concerning clinical documentation.
- Health-related data collected through the contact form: a maximum of 12 months if no professional relationship is established; if a relationship is established, it merges into the clinical documentation with the timeframes set out above.
- Technical browsing data: for as long as is necessary for aggregated statistical analysis and for the security of the infrastructure, as a rule no longer than 12 months.
- Consent to the use of images and videos (see section 9): until the consent is withdrawn by the data subject; withdrawal is followed by the removal of the image or by making it unrecognisable.
At the end of the retention periods, the data is erased or irreversibly anonymised.
7. Sub-processors
In order to provide the service, the Data Controller relies on third parties acting as Data Processors pursuant to Article 28 GDPR, on the basis of agreements compliant with the applicable legislation. The list of the main sub-processors is as follows:
| Sub-processor | Purpose | Server location | Safeguards |
|---|---|---|---|
| Sharkcode OÜ | Development and technical maintenance of the website (professional service provider, does not manage its own infrastructure; hosting and network services are provided by the sub-processors listed below). | — | DPA Art. 28 GDPR |
| Cloudflare, Inc. | CDN, DNS, anti-DDoS protection, static hosting of the website (Cloudflare Pages) | Global Cloudflare network, with preference for EU data centres for static content | Standard Contractual Clauses (SCC) pursuant to Article 46 GDPR; GDPR-compliant Cloudflare DPA |
| Resend, Inc. | Sending transactional emails from the contact form to the Data Controller’s mailbox | USA, with optional European servers | SCC, DPA Art. 28 GDPR, data minimised to the content of the enquiry only |
| Cloudflare Turnstile | Anti-spam protection of the contact form in invisible mode (a privacy-friendly alternative to reCAPTCHA) | Cloudflare network | No installation of tracking cookies; SCC; Turnstile Privacy Addendum |
| Counterscale | Privacy-first server-side analytics, run on Cloudflare Workers, without cookies | Cloudflare network (EU) | No identifying cookies; comparable to a technical tool (Garante Decision 231/2021, para. 4.3) |
| Zoho Corporation B.V. (Zoho Mail) | The Data Controller’s info@metalogopedia.it mailbox, used to receive, read and reply to users’ emails. | EU (Zoho European data centres) | DPA Art. 28 GDPR; data hosted in EU data centres; any intra-group transfers outside the EU covered by SCC pursuant to Article 46 GDPR |
7.1 Transfers of data outside the European Union
Some of the sub-processors indicated above are based or have infrastructure outside the European Union (in particular Resend and Cloudflare). Transfers of data to third countries take place in compliance with Article 44 et seq. GDPR, on the basis of the appropriate safeguards provided for by the legislation, in particular:
- Standard Contractual Clauses approved by the European Commission pursuant to Article 46(2)(c) GDPR;
- where applicable, EU-US Data Privacy Framework certification for transfers to the United States;
- supplementary technical measures (encryption in transit and at rest, minimisation of the data transferred).
Health-related data and minors’ data are never subject to transfer outside the European Union.
The updated list of sub-processors can be requested at any time from the Data Controller by writing to info@metalogopedia.it.
8. Cookies and tracking
The website uses exclusively technical cookies necessary for the website to function (session, language preference, status of the consent banner) and relies on a server-side analytics tool (Counterscale) that does not install identifying cookies on the user’s device.
The rules on cookies are detailed on the dedicated Cookie Policy page, which forms an integral part of this information notice. In compliance with Article 122 of Italian Legislative Decree 196/2003 and with the Italian Data Protection Authority’s Guidelines on cookies and other tracking tools (Decision no. 231/2021), the user may consult the cookie policy at any time and manage their preferences via the “Cookie preferences” button available in the footer of every page of the website.
9. Images and videos of people on the website
The metalogopedia.it website, in its Italian and English language versions, the official social media profiles and the practice’s promotional material may contain photographs and video footage portraying identifiable persons, including minors.
9.1 Origin of the images and prior consent
The images and videos published were produced on behalf of the Data Controller and their publication is preceded by the collection of written, explicit, informed and granular consent, formalised through a specific release signed by each person portrayed (or, for minors, by both holders of parental responsibility, in line with the position of the Italian Data Protection Authority, which classifies the online dissemination of a minor’s image as an act of extraordinary administration).
9.2 Legal basis
The processing of images and videos is based on:
- the consent of the data subjects pursuant to Article 6(1)(a) GDPR;
- where applicable, explicit consent pursuant to Article 9(2)(a) GDPR, where the image allows inferences to be drawn about the data subject’s health-related data;
- for minors, the joint consent of both holders of parental responsibility;
- the right to use the portrait pursuant to Articles 96 and 97 of Italian Law no. 633 of 22 April 1941 and Article 10 of the Italian Civil Code.
9.3 Protection of patients’ confidentiality
In compliance with the professional secrecy that binds the speech and language therapist towards their patients and the persons being assessed, the Data Controller does not make publicly identifiable any professional relationship that may exist with a person portrayed. Any status as a patient or user of the service cannot be inferred from the website or from the official channels. The presence of a person in the website’s images does not imply and does not suggest any clinical condition or speech and language course of treatment in progress.
9.4 Purposes
The images and videos are used for the presentation and promotion of the practice’s activities: publication on the website, on the official social media profiles and in printed promotional material (brochures, business cards, posters).
9.5 Retention period
The images and videos are kept published for as long as is necessary for the purposes indicated and, in any case, until the consent is withdrawn. In the event of withdrawal, the Data Controller promptly removes the image or makes it unrecognisable, without prejudice to the processing already lawfully carried out before the withdrawal.
9.6 Rights of data subjects and withdrawal
The persons portrayed, or the holders of parental responsibility for minors, may at any time exercise the rights provided for in Articles 15 to 22 GDPR and withdraw the consent given, as easily as it was granted, by writing to info@metalogopedia.it. On reaching the age of majority, the minor takes over the direct exercise of their own rights, including the right to request the removal of the image pursuant to Article 17 GDPR.
Publication on the social media profiles may entail the transfer of data outside the European Union, on the basis of the appropriate safeguards provided for in Article 44 et seq. GDPR. Once published on social media platforms, the images may be copied or disseminated in ways that are difficult for third parties to control, even after consent has been withdrawn; the Data Controller promptly removes the content from the channels under its own control.
10. Rights of the data subject
The data subject may at any time exercise the rights granted by Articles 15 to 22 GDPR, and in particular:
- Right of access (Article 15 GDPR): to obtain confirmation as to whether or not personal data concerning them is being processed and, if so, access to that data and to information about the processing.
- Right to rectification (Article 16 GDPR): to request the correction of inaccurate data or the completion of incomplete data.
- Right to erasure (“right to be forgotten”, Article 17 GDPR): to request the erasure of data concerning them, save for the exceptions provided for by the Regulation.
- Right to restriction of processing (Article 18 GDPR): in the cases provided for by the Regulation.
- Right to data portability (Article 20 GDPR): to receive the personal data provided in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller.
- Right to object (Article 21 GDPR): to object at any time to the processing of personal data on grounds relating to their particular situation, in the cases provided for.
- Right not to be subject to automated decision-making (Article 22 GDPR), including profiling, that produces significant legal effects.
- Right to withdraw consent (Article 7(3) GDPR): at any time, without prejudice to the lawfulness of processing carried out before the withdrawal.
To exercise these rights, the data subject may write to the Data Controller at info@metalogopedia.it. The Data Controller responds to the request within one month of receipt, subject to justified extensions pursuant to Article 12(3) GDPR.
11. Complaint to the Data Protection Authority
Pursuant to Article 77 GDPR, a data subject who considers that the processing of their personal data infringes the Regulation may lodge a complaint with the Italian Data Protection Authority (Garante) (registered office in Rome, Piazza Venezia 11). The procedures for lodging a complaint can be consulted on the official website www.garanteprivacy.it. The right to bring proceedings before the competent judicial authority remains unaffected.
The right to lodge a complaint with the Italian Data Protection Authority (Garante) is not conditional upon the exercise of the other rights provided for in Articles 15 to 22 GDPR, nor upon sending a prior request to the Data Controller. The data subject may apply directly to the Authority even without having first contacted the Data Controller, although prior dialogue is always preferred with a view to a collaborative solution.
12. Jurisdiction for disputes
For any dispute relating to the processing of personal data and to the interpretation, performance and validity of this privacy policy, without prejudice to the mandatory jurisdiction of the Consumer’s Court pursuant to Article 66-bis of the Italian Consumer Code (Italian Legislative Decree 206/2005), the Court of Viterbo has exclusive jurisdiction.
In matters of personal data protection, the data subject retains the right to apply to the Italian Data Protection Authority (Garante) pursuant to Article 141 et seq. of Italian Legislative Decree 196/2003 and Article 77 GDPR, as well as to bring proceedings before the judicial authority of their place of residence or domicile in the cases provided for in Article 79 GDPR.
13. Changes to this privacy policy
The Data Controller reserves the right to make changes to this privacy policy at any time, giving adequate notice of them on the website. Users are encouraged to consult the page regularly and, in particular, the date of the last change indicated at the top and bottom of the document. Significant changes will be communicated in advance, where possible, to data subjects who have an active relationship with the Data Controller.
The main legislative reference for this information notice is Regulation (EU) 2016/679 (GDPR), supplemented by Italian Legislative Decree 196/2003 (Personal Data Protection Code) as amended by Italian Legislative Decree 101/2018, as well as by the Guidelines and decisions of the Italian Data Protection Authority (Garante), in particular the decisions on cookies (Decision no. 231/2021), tracking walls (Decision no. 467/2024) and Google Analytics 4 (Decision no. 317/2025).
Do you have questions about your personal data? Write to me at info@metalogopedia.it.
Document last modified: 2026-05-27.