Privacy Policy
Information on the processing of personal data pursuant to EU Regulation 2016/679 (GDPR)
Last updated: 2 April 2026
This privacy policy ("Policy") describes how BAUTIFUL SRL ("Company", "we", "us", or "our") collects, uses, stores, and protects personal data when you visit the website coperti.io ("Website") and use the services offered therein. This Policy is provided in compliance with Article 13 of EU Regulation 2016/679 (General Data Protection Regulation, "GDPR") and Italian Legislative Decree no. 196/2003, as amended by Legislative Decree no. 101/2018.
By using this Website, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
The data controller is:
- Company name: BAUTIFUL SRL
- VAT number: IT03687960926
- Registered office: Via Cuoco 41, 09134 Cagliari, Italy
- Email: welcome@coperti.io
For any enquiry regarding the processing of your personal data, you may contact us at the email address above.
2. Categories of Personal Data Collected
We collect and process the following categories of personal data:
2.1 Data provided voluntarily by the user
- Contact form: first name, last name, email address, restaurant name, city (optional), number of covers (optional), subject, and message.
- Newsletter subscription: email address, collected via a separate explicit opt-in checkbox on the contact form.
- Resource download form (free reports, studies, guides): first name, last name, email address, restaurant or company name (optional), identifier (slug) of the requested resource, and a separate optional opt-in for newsletter and marketing communications.
2.2 Navigation data collected automatically
- Technical data: IP address (anonymised by Cloudflare), browser type and version, operating system, pages visited, date and time of access, referring URL.
- Cloudflare Web Analytics: aggregate, cookieless analytics data collected via a lightweight JavaScript beacon. No cookies are set, no individual user tracking occurs, and data is processed exclusively in aggregate form.
- Microsoft Clarity: heatmaps and session recordings that capture user interactions (clicks, scrolls, mouse movements, page navigation) for the purpose of understanding how users interact with the Website. Clarity uses cookies and is activated only upon your explicit consent.
3. Purposes and Legal Basis for Processing
Your personal data is processed for the following purposes, each supported by a specific legal basis under the GDPR:
| Purpose | Data processed | Legal basis (GDPR) |
|---|---|---|
| Responding to contact requests — managing and replying to your enquiries submitted via the contact form | Name, email, restaurant name, city, covers, subject, message | Art. 6(1)(b) — performance of pre-contractual measures taken at your request |
| Delivering free resources requested via the Website — providing reports, studies, guides and other downloadable content you request | Name, email, restaurant or company name, requested resource identifier (slug) | Art. 6(1)(b) — performance of pre-contractual measures taken at your request |
| Newsletter and marketing communications — sending product updates, news, and promotional content | Email address | Art. 6(1)(a) — your explicit consent, freely given via a separate opt-in checkbox. You may withdraw consent at any time |
| Statistical analysis — understanding aggregate Website usage to improve our services | Anonymized navigation data (Cloudflare Web Analytics) | Art. 6(1)(f) — legitimate interest of the controller. The cookieless, aggregate-only nature of this processing ensures minimal impact on your rights |
| UX improvement — analysing user behaviour through heatmaps and session recordings to improve Website usability | Interaction data (Microsoft Clarity) | Art. 6(1)(a) — your explicit consent, provided via the cookie consent banner |
| Legal obligations — fulfilling obligations under applicable law, regulation, or court order | All data as necessary | Art. 6(1)(c) — compliance with a legal obligation to which the controller is subject |
| Website security — protecting the Website from attacks, fraud, and abuse (DDoS protection, WAF, bot management) | IP address, request metadata | Art. 6(1)(f) — legitimate interest of the controller in ensuring the security and availability of the Website |
4. Data Recipients and Third-Party Processors
Your personal data may be disclosed to the following categories of recipients, who act as data processors pursuant to Article 28 GDPR or as independent controllers where applicable:
- Cloudflare, Inc. (San Francisco, CA, USA) — provides the entire technical
infrastructure of the Website, in particular:
- website hosting, CDN, DNS and DDoS protection;
- Cloudflare Web Analytics: aggregate, cookieless traffic analytics;
- Cloudflare Email Routing: routing of emails sent via the contact form and of
@coperti.ioaliases to the Controller's mailbox.
- Microsoft Corporation (Redmond, WA, USA) — Microsoft Clarity service for heatmap and session recording analytics. The script is loaded only upon explicit user consent. Data transfers outside the EU/EEA are governed by Standard Contractual Clauses (SCC), a Data Processing Agreement (DPA), and certification under the EU-US Data Privacy Framework.
Your personal data will not be sold, rented, or otherwise disclosed to third parties for their own marketing purposes.
Within our organisation, access to your data is limited to authorised personnel who need it to perform their duties, and who have been instructed on data protection obligations.
5. International Data Transfers
Your personal data is primarily stored and processed on servers located within the European Union.
However, some of our third-party processors (Cloudflare and Microsoft) may process personal data in countries outside the EU/EEA, including the United States. In such cases, we ensure that appropriate safeguards are in place:
- Standard Contractual Clauses (SCC) adopted by the European Commission pursuant to Article 46(2)(c) GDPR, which contractually bind the recipient to protect your data to EU standards.
- EU-US Data Privacy Framework — Cloudflare and Microsoft are certified under this framework, providing additional assurance that US-based processing meets EU adequacy requirements.
- Supplementary measures — including encryption in transit and at rest, access controls, and data minimisation practices.
You may request a copy of the applicable Standard Contractual Clauses by contacting us at welcome@coperti.io.
6. Data Retention Periods
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are as follows:
| Data category | Retention period |
|---|---|
| Contact form submissions | 24 months from the date of last contact |
| Resource download form data | 24 months from the resource download, unless separate newsletter consent is given |
| Newsletter subscription data | Until withdrawal of consent; in any event, no longer than 24 months from the last interaction |
| Navigation and analytics data (Cloudflare) | 14 months, after which data is permanently anonymised |
| Microsoft Clarity data | 13 months |
| Cookie consent records | 12 months |
| Data retained for legal obligations | As required by applicable law (up to 10 years for fiscal and accounting records pursuant to Italian civil and tax legislation) |
Upon expiry of the applicable retention period, personal data will be securely deleted or irreversibly anonymised.
7. Your Rights as a Data Subject
Under Articles 15 to 22 of the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15) — you have the right to obtain confirmation as to whether personal data concerning you is being processed, and to access such data along with information on the purposes, categories of data, recipients, and retention periods.
- Right to rectification (Art. 16) — you have the right to obtain the correction of inaccurate personal data, and the completion of incomplete data.
- Right to erasure (Art. 17) — you have the right to request the deletion of your personal data where, among other grounds, the data is no longer necessary for the purposes for which it was collected, or you withdraw your consent.
- Right to restriction of processing (Art. 18) — you have the right to request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
- Right to data portability (Art. 20) — you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller without hindrance.
- Right to object (Art. 21) — you have the right to object at any time to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
How to exercise your rights
You may exercise any of the above rights by sending an email to welcome@coperti.io, specifying your request. We will respond within 30 days, as required by law. In complex cases, this period may be extended by a further 60 days, of which you will be informed.
Right to lodge a complaint
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Italy, this is:
- Garante per la protezione dei dati personali
- Website: www.garanteprivacy.it
- Email: garante@gpdp.it
- PEC: protocollo@pec.gpdp.it
8. Nature of Data Provision
The provision of personal data via the contact form (name, email, restaurant name, subject, message) is necessary to allow us to respond to your enquiry. Failure to provide such data will make it impossible for us to process your request.
The provision of optional fields (city, number of covers) is voluntary and does not affect our ability to respond to your enquiry.
Newsletter consent is entirely optional and separate from the contact form submission. You may submit a contact request without subscribing to the newsletter.
9. Automated Decision-Making and Profiling
We do not carry out any automated decision-making, including profiling, as referred to in Article 22(1) and (4) GDPR, that produces legal effects concerning you or similarly significantly affects you.
10. Cookies and Tracking Technologies
This Website uses technical cookies strictly necessary for its operation, as well as analytics cookies (Microsoft Clarity) that are activated only upon your explicit consent.
Cloudflare Web Analytics does not use cookies and operates through a cookieless JavaScript beacon that collects only aggregate, non-identifiable data.
For full details on the types of cookies used, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
11. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time. The date of the last update is indicated at the top of this page. In the event of substantial changes that materially affect how we process your personal data, we will provide adequate notice (for example, by displaying a prominent notice on the Website or by sending you an email notification where appropriate).
We encourage you to review this page periodically to stay informed about how we protect your personal data.
12. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the Italian Republic, including EU Regulation 2016/679 (GDPR) and Italian Legislative Decree no. 196/2003, as subsequently amended.
For any dispute arising from or in connection with this Privacy Policy that cannot be resolved amicably, the competent court shall be the Tribunale di Cagliari (Court of Cagliari), Italy.
13. Contact Information
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us at:
- BAUTIFUL SRL
- Via Cuoco 41, 09134 Cagliari, Italy
- Email: welcome@coperti.io
- VAT: IT03687960926