Privacy Policy
Last updated: 2026-06-01
Who we are
Keelroot S.r.l. (“keelroot”, “we”) is registered at 1209 MOUNTAIN ROAD PL NE STE R, ALBUQUERQUE, NM 87110, VAT IT-12345670019. We are the data controller for the information you provide through this site.
What we collect
We collect the minimum data needed to reply to you, run a secure site, and — only with your consent — understand how visitors use it:
- Contact form submissions — name, email, optional topic and budget, message body.
- Server logs — IP address, user agent, timestamp, request path. Used for abuse prevention, retained for 30 days.
- Analytics data (consent only) — pages visited, session duration, traffic source, approximate location (country/region level). Collected via Google Analytics 4. IP addresses are anonymised before storage.
- Heatmap & session data (consent only) — mouse movements, clicks, scroll depth, and session recordings. Collected via Microsoft Clarity. Clarity automatically masks form inputs and sensitive content.
Lawful basis
- Contact form — GDPR Art. 6(1)(b): processing necessary for pre-contractual measures at your request.
- Server logs — GDPR Art. 6(1)(f): legitimate interest in operating a secure and functional site.
- Analytics & heatmaps — GDPR Art. 6(1)(a): your explicit consent via the cookie banner. You can withdraw at any time by clearing cookies and localStorage for this domain.
Retention
- Contact messages — kept for 24 months after the last meaningful exchange, then deleted.
- Server logs — 30 days.
- Analytics data — 14 months in Google Analytics (our retention setting); raw event data deleted after 2 months.
- Clarity recordings — 90 days rolling window (Microsoft's default).
Sub-processors
We use a short, intentional list of sub-processors:
- Resend — transactional email delivery (US/EU, SCCs in place).
- Vercel / self-hosted servers — site hosting and edge.
- Cloudflare — DDoS protection and WAF.
- Google LLC — Google Analytics 4 — website analytics (US, under SCCs and EU–US Data Privacy Framework). Only active with your consent. Google Privacy Policy ↗
- Microsoft Corporation — Clarity — heatmaps and session replay (US, under SCCs and EU–US Data Privacy Framework). Only active with your consent. Microsoft Privacy Statement ↗
Your rights
Under GDPR you can ask us at any time to:
- Access the data we hold about you
- Correct or update it
- Delete it (“right to be forgotten”)
- Port it to another controller
- Object to or restrict our processing
- Withdraw consent for analytics at any time (clearing cookies/localStorage is sufficient)
Email [email protected] with the subject “privacy” — we reply within five working days.
Complaints
You can lodge a complaint with the Italian supervisory authority (Garante per la protezione dei dati personali, garanteprivacy.it). We'd rather you wrote to us first so we can fix it.