Privacy Policy
Last updated: May 2026
1. Data controller
- Controller: Francesco Antonio Sessa
- NIF: ESZ4443995D
- Address: C. de Fray Ceferino González 9, 28005 Madrid, Spain
- Email: francesco@sessa.es
No Data Protection Officer has been appointed as the conditions set out in Art. 37 GDPR (General Data Protection Regulation) do not apply. For any queries regarding data protection, please contact the data controller at the address indicated above.
2. Data we collect
We collect personal data in the following circumstances:
2.1. Appointment booking (Cal.com)
When a user books a call through the integrated calendar (Cal.com), the following data is collected: name, email, and any optional notes the user chooses to include. This data is processed by Cal.com Inc. as a data processor. You can review their privacy policy at cal.com/privacy.
Purpose: to manage and confirm the requested appointment.
Legal basis: consent of the data subject (Art. 6.1.a GDPR) and performance of pre-contractual measures (Art. 6.1.b GDPR).
2.2. Web analytics (Umami)
We use Umami, an open-source and privacy-friendly web analytics tool, hosted on our own server (Hetzner, Germany — EU). Umami does not use cookies, does not collect identifiable personal data, and does not perform cross-site tracking. Data collected includes: pages visited, referrer, browser type, country (based on anonymised IP), and visit duration.
Purpose: to obtain aggregated, anonymous statistics on website usage.
Legal basis: legitimate interest of the controller (Art. 6.1.f GDPR).
2.3. Google Analytics and Google Ads
This website uses or may use Google Analytics and Google Ads, services provided by Google LLC (USA). These tools use cookies to analyse browsing behaviour and measure the effectiveness of advertising campaigns. Data may be transferred to Google servers in the United States. These tools will only be activated when the user gives their consent through the cookie banner. If they are not active at the time of your visit, this policy will be updated before they are put into effect.
Purpose: web traffic analysis and advertising conversion measurement.
Legal basis: consent of the data subject (Art. 6.1.a GDPR).
Users can accept or reject these cookies through the cookie banner. Further information is available in Google's Privacy Policy.
3. Recipients of data
Personal data may be communicated to the following third-party data processors:
- Cal.com Inc. — appointment booking management.
- Cloudflare Inc. — website hosting (Cloudflare Pages) and CDN.
- Hetzner Online GmbH — hosting of the analytics server (self-hosted Umami instance, open-source software). No data is transferred to any Umami entity.
- Google LLC — web analytics (Google Analytics) and advertising (Google Ads), when the user gives their consent.
Personal data will not be shared with third parties except where required by law.
Data Processing Agreements (Art. 28 GDPR) have been entered into with Cal.com Inc. and Cloudflare Inc. Hetzner Online GmbH acts as an infrastructure provider under its service conditions, which include GDPR-compliant data protection clauses.
4. International transfers
Data processed by Cal.com, Cloudflare, and Google may be transferred to the United States. Such transfers are carried out on the basis of either the EU-US Data Privacy Framework or standard contractual clauses approved by the European Commission.
Cal.com Inc.: transfer covered by Standard Contractual Clauses (SCCs) approved by the European Commission.
Cloudflare Inc.: transfer covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
5. Retention periods
| Processing activity | Retention period |
|---|---|
| Cal.com booking data (name, email) | 2 years from the last booking or until consent is withdrawn |
| Email communications | 3 years (general civil limitation period, Art. 1964 CC) |
| Umami analytics (aggregated data) | 24 months on a rolling basis |
| Google Analytics (when active) | 14 months (default GA4 configuration) |
| Cloudflare logs | According to Cloudflare's retention policy (typically 30 days) |
6. Data subject rights
Users may exercise the following rights regarding their personal data:
- Access: to know what personal data is being processed.
- Rectification: to request correction of inaccurate data.
- Erasure: to request deletion of data.
- Objection: to object to the processing of their data.
- Restriction: to request restriction of processing.
- Portability: to receive data in a structured format.
- Complaint: to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).
Where processing is based on consent, the data subject has the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7.3 GDPR).
To withdraw cookie consent, you can use the "Manage cookies" button in the website footer, or the "Reset your cookie preferences" button in our cookie policy.
To exercise these rights, please send an email to francesco@sessa.es stating your request and attaching a copy of your identity document.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).
7. Security
Appropriate technical and organisational measures are applied to protect personal data against unauthorised access, loss, or destruction. The website is served over an encrypted HTTPS connection.