Last updated · March 2026
Privacy Policy
This policy explains what personal data is collected when you visit carlo.ferrero.dev, how it is used, and what rights you have under the EU General Data Protection Regulation (GDPR — Regulation 2016/679).
1. Data Controller
The data controller — the person responsible for deciding how your data is used — is:
For any privacy-related question or rights request, please write to that email address.
2. What data is collected
This is a personal portfolio website. Data collection is minimal:
2.1 Hosting and server logs (Vercel)
The site is hosted on Vercel. When you visit any page, Vercel automatically logs standard web server data: IP address, browser type, referring URL, pages visited, and timestamps. These logs are used solely to keep the site running and to detect abuse. Carlo does not access individual-level logs in normal operation.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — operating a publicly accessible website requires processing this data.
Retention: Per Vercel's privacy policy. Carlo does not independently store server logs.
2.2 Ask Carlo chat (OpenAI & Anthropic)
The “Ask Carlo” chat feature lets you ask questions about Carlo's work. When you type a message and submit it:
- Your message text is sent to OpenAI solely to generate a mathematical embedding (a numerical representation used to find relevant content). The message is not used to train OpenAI models under Carlo's API agreement.
- Your message and relevant portfolio context are sent to Anthropic (Claude) to generate the reply. It is not used to train Anthropic models under the API terms.
- No chat messages are stored by Carlo or on Carlo's servers. The exchange is transient — once the response is delivered, nothing is retained server-side.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — the feature cannot function without sending the query to an LLM provider. Please avoid entering sensitive personal information in the chat.
2.3 Analytics (planned — Amplitude)
Carlo plans to add usage analytics via Amplitude (EU servers) in the future. Amplitude will only be initialised if you explicitly click “Accept all” on the cookie consent card. If you choose “Necessary only”, Amplitude is never loaded.
Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time by clearing cookies/localStorage or by contacting carlo.ferrero.dev@gmail.com.
2.4 Data you voluntarily provide
If you email Carlo directly (via the contact links), your email address and message content are processed to respond to your enquiry.
Legal basis: Pre-contractual steps or legitimate interest (Art. 6(1)(b) and (f) GDPR).
3. Local storage and cookies
This site stores two small items in your browser's localStorage (these are not transmitted to any server):
| Key | Purpose | Duration |
|---|---|---|
portfolio-theme | Remembers your light/dark theme preference | Until you clear browser data |
cf-cookie-consent | Records your consent choice and the version it was given for | Until you clear browser data |
See the Cookie Policy for full details.
4. Third-party processors
| Service | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting and edge delivery | US / EU |
| Supabase Inc. | Vector database for RAG content (portfolio knowledge base — no user data stored) | EU (AWS eu-west-2) |
| OpenAI, L.L.C. | Generating text embeddings for the Ask Carlo chat | US (DPA in place) |
| Anthropic, PBC | Generating chat responses for the Ask Carlo feature | US (DPA in place) |
| Amplitude Inc. (planned) | Usage analytics — only if analytics consent is granted | EU servers |
All third-party processors are bound by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where data is transferred outside the European Economic Area.
5. Your rights under GDPR
As a person in the EU/EEA, you have the following rights regarding any personal data we process:
- Right of access (Art. 15): You can ask for a copy of the personal data Carlo holds about you.
- Right to rectification (Art. 16): You can ask Carlo to correct inaccurate data.
- Right to erasure (Art. 17): You can ask for your data to be deleted where there is no overriding legal reason to keep it.
- Right to restrict processing (Art. 18): In certain circumstances you can ask Carlo to pause processing your data.
- Right to data portability (Art. 20): For data you provided and that is processed by consent or contract, you can request a machine-readable copy.
- Right to object (Art. 21): You can object to processing based on legitimate interest. Carlo will stop unless there are compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on consent (analytics), you can withdraw at any time. This does not affect the lawfulness of prior processing.
To exercise any of these rights, email carlo.ferrero.dev@gmail.com. Requests are handled within 30 days. You also have the right to lodge a complaint with the Italian supervisory authority, Garante per la protezione dei dati personali, or with the supervisory authority in your country of residence.
6. Changes to this policy
If this policy changes materially — for example, when a new third-party service is added — the “Last updated” date above will be revised. If the changes affect how analytics data is processed, the cookie consent banner will reappear to let you review and re-consent.