Privacy Policy

Effective date: February 2026 · Last updated: February 2026

This policy explains what data lonardi.org collects, why, how it is processed, and what rights you have. The site is operated by Sandro Lonardi.

If you have questions about this policy, get in touch via the contact form.

What data is collected

Vercel Web Analytics

This site uses Vercel Web Analytics to measure aggregate traffic. Vercel Web Analytics does not use cookies and does not store personal identifiers. Each visit generates a hash from the incoming request that cannot identify you and is discarded after 24 hours.

Data collected per page view: page URL, referrer URL, approximate geographic location (country, region, city) derived from IP address, operating system and version, browser and version, device type, and timestamp. No IP addresses are stored. No cross-site tracking occurs.

Data processor: Vercel Inc., San Francisco, USA. Vercel privacy policy↗

PostHog

This site uses PostHog for behavioral analytics, including page interactions, scroll depth, click tracking, and session recordings. PostHog is used to understand how visitors navigate the site and interact with its content.

PostHog collects: pages visited and navigation paths, click and scroll interactions, time spent on pages, browser and device information, approximate geographic location derived from IP address, referrer information, and JavaScript errors.

PostHog is configured with in-memory persistence only. It does not set cookies or use localStorage on your device. No data persists after you close your browser tab, and your activity cannot be linked across separate sessions. PostHog also records browsing sessions to replay visitor interactions. Contact form inputs (name and email fields) are masked in session recordings and are not captured.

PostHog honors the Do Not Track (DNT) browser setting. If your browser sends a DNT signal, PostHog will not track your activity.

PostHog data is processed on US servers. Data processor: PostHog Inc., San Francisco, USA. PostHog privacy policy↗

Contact form

When you submit the contact form on the /contact page, the following information is collected: your name, your email address, and your message.

This data is used solely to respond to your inquiry. Form submissions are sent via email using Resend and are not stored in a database. Resend processes the data only for the purpose of delivering the email.

Cloudflare Turnstile is used on the contact form to distinguish human visitors from bots. Turnstile may process browser type and settings, operating system information, the date and time of the request, and IP address (processed by Cloudflare, not stored by this site). Turnstile does not use CAPTCHA challenges and does not set tracking cookies. Cloudflare privacy policy↗

Server logs

The site is hosted on Vercel. Vercel's infrastructure may log standard HTTP request information (IP addresses, timestamps, request paths) for operational and security purposes. These logs are managed by Vercel and subject to their privacy policy.

Information you provide directly

If you contact me via the contact form or email, the contents of your message and any information you provide are retained as long as necessary to address your inquiry.

Why data is collected

•Analytics: Understanding how the site is used, which pages are visited, how visitors interact with content, and where visitors come from, so I can improve the site.

•Session recordings: Reviewing how visitors navigate the site to identify usability issues and improve the experience. Form inputs are masked in recordings.

•Contact form: Receiving and responding to inquiries about professional engagements.

•Security: Protecting the contact form from spam and automated abuse.

•Error monitoring: Capturing unhandled JavaScript errors to maintain site reliability.

Legal basis for processing

For visitors in the European Economic Area (EEA), the United Kingdom, and Switzerland, the legal bases for processing are:

•Legitimate interest (Art. 6(1)(f) GDPR / Art. 31 nFADP): For Vercel Web Analytics and PostHog analytics, neither of which use cookies or persistent identifiers. PostHog uses in-memory storage only, meaning no data persists after you close your browser tab. Also for Cloudflare Turnstile bot protection and JavaScript error monitoring. PostHog honors the Do Not Track browser signal as an additional opt-out mechanism.

•Contractual necessity / pre-contractual measures (Art. 6(1)(b) GDPR): For processing contact form submissions, as you are initiating a professional inquiry.

Data sharing and transfers

Your data is not sold, rented, or shared with third parties for marketing purposes. Data is shared only with the following service providers, solely for the purposes described above:

Provider	Purpose	Location	Safeguards
Vercel Inc.	Hosting, web analytics	USA	EU Standard Contractual Clauses
PostHog Inc.	Behavioral analytics, session recordings	USA	EU Standard Contractual Clauses
Cloudflare Inc.	Bot protection (Turnstile)	USA / Global	EU Standard Contractual Clauses
Resend Inc.	Email delivery	USA	EU Standard Contractual Clauses

Where data is transferred outside the EEA, UK, or Switzerland, appropriate safeguards are in place in accordance with GDPR Chapter V, the UK GDPR, and the Swiss nFADP.

Data retention

•Vercel Web Analytics: Visitor hashes discarded after 24 hours. Aggregated data retained indefinitely.

•PostHog: Event data and session recordings retained per PostHog's default retention policies.

•Contact form: Emails retained as long as necessary.

•Server logs: Managed by Vercel per their retention policy.

Your rights

Depending on your location, you may have the following rights regarding your personal data.

European Economic Area and Switzerland (GDPR / nFADP)

Access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interest, and the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, contact your local data protection authority.

United Kingdom (UK GDPR)

The same rights as under the EU GDPR apply. You may lodge a complaint with the Information Commissioner's Office (ICO).

California (CCPA / CPRA)

California residents have the right to know what personal information is collected and how it is used, request deletion of personal information, and opt out of the sale or sharing of personal information. This site does not sell or share personal information as defined by the CCPA. To exercise your rights, use the contact form.

Other jurisdictions

If you are located in a jurisdiction with data protection laws granting rights over your personal data, you may exercise those rights by contacting me. I will respond to requests in accordance with applicable law.

To exercise any of these rights, get in touch via the contact form. I will respond within 30 days.

Do Not Track

This site respects the Do Not Track (DNT) browser signal. When DNT is enabled, PostHog analytics and session recordings are not activated. Vercel Web Analytics operates independently of DNT as it does not use cookies or process personal identifiers.

You can enable DNT in most browsers through the privacy or security settings.

Children

This site is not directed at individuals under the age of 18. No data is knowingly collected from minors.

Changes to this policy

This policy may be updated from time to time. Material changes will be indicated by updating the "Last updated" date at the top of this page. Continued use of the site after changes constitutes acceptance of the updated policy.

Contact

For any questions about this policy, use the contact form.