Privacy Notice
Hubnix — AI & Technology Partner
Ditta Individuale di Oleksii Panchenko
P.IVA: IT14660020968
Effective date: 13 April 2026 · Last updated: 27 June 2026 · See change history
1. Who We Are
Hubnix is an AI and technology consultancy operated by Oleksii Panchenko as a Ditta Individuale under Italian law. We provide AI automation, cloud infrastructure, cybersecurity, ICT compliance, system architecture, and digital presence services to small and medium enterprises.
Data Controller: Oleksii Panchenko
Email: oleksii.panchenko@hubnixco.com
Location: Milan, Italy
Data Protection Officer: None appointed. As a micro-enterprise whose core activity does not consist of large-scale systematic monitoring or large-scale processing of special categories of data, the conditions of Article 37(1) GDPR are not met. The data controller above is the point of contact for all data-protection matters.
2. What Personal Data We Collect
We collect and process personal data only when necessary for the purposes described below:
- Identity data: name, company name, job title
- Contact data: email address, phone number
- Business data: project requirements, service requests, contractual terms
- Financial data: P.IVA/fiscal code, IBAN, invoice details (for clients and suppliers only)
- Technical data: IP addresses, browser type, system logs (for website visitors and security monitoring)
- Communication data: email content, contact form submissions, meeting notes
- Platform account data: if you create an account on our self-service platform — your email address (used for passwordless sign-in links), session identifiers, and security audit entries (action, timestamp, IP address)
- Card content: the business-card information you choose to enter and publish through the platform (name, role, contact details, photo). You control this content and can edit or unpublish it at any time
- LinkedIn profile import data: if you choose to import from LinkedIn, then — with the consent you give on LinkedIn — we receive your name, professional headline and current position (job title and company) to pre-fill your card. These pre-fill suggestions are editable, are stored solely to populate your card, and you can remove them at any time from the card editor (or by deleting your account)
- Abuse-report data: if you report a published card, the name, email and explanation you submit, so we can assess and respond to the report (DSA notice-and-action)
We do not collect special categories of personal data (health, biometric, political opinions, etc.) unless explicitly required by a client engagement, in which case it is processed exclusively on local infrastructure within the EU with no cloud transfer.
Children: Our services are directed at businesses, not children. We do not knowingly collect or process the personal data of individuals under 16. If you believe a minor has provided us personal data, contact us and we will delete it.
Is providing data mandatory? Data needed to deliver a contracted service and to meet our legal obligations (e.g. invoicing data under Italian tax law) is required — without it we cannot provide the service or issue compliant invoices. Contact-form and scheduling data is provided voluntarily; not providing it only means we cannot respond to your enquiry. Website-analytics data is aggregate and contains no personal identifiers.
3. How and Why We Process Your Data
| Purpose | Legal Basis | Retention |
|---|---|---|
| Client project delivery | Art. 6(1)(b) — Contract | Contract + 10 years |
| Website contact form | Art. 6(1)(a) — Consent | Until purpose fulfilled |
| Invoicing and accounting | Art. 6(1)(c) — Legal obligation | 10 years (Italian tax law) |
| Security monitoring | Art. 6(1)(f) — Legitimate interest | Logs 90 days, incidents 1 year |
| AI-assisted operations | Art. 6(1)(f) — Legitimate interest | Agent memory 90 days, audit logs 1 year |
| Website analytics (Cloudflare Web Analytics — cookieless) | Art. 6(1)(f) — Legitimate interest | Aggregate only — no personal identifiers |
| Advertising conversion measurement (Google Ads — opt-in) | Art. 6(1)(a) — Consent | Until consent withdrawn; nothing stored before opt-in |
| Platform accounts (passwordless sign-in, sessions) | Art. 6(1)(b) — Contract | Account lifetime; security audit entries 12 months |
| Digital business cards (content you publish) | Art. 6(1)(b) — Contract | Until you unpublish or delete it, or your account is deleted |
| LinkedIn profile import (optional card pre-fill) | Art. 6(1)(a) — Consent | Until you remove the import, withdraw consent, or delete your account |
| Payments and subscriptions (via Stripe) | Art. 6(1)(b) — Contract; Art. 6(1)(c) for fiscal records | Fiscal records 10 years (Italian tax law) |
| Handling abuse reports about published cards (DSA notice-and-action) | Art. 6(1)(c) — Legal obligation (Reg. (EU) 2022/2065, Art. 16); Art. 6(1)(f) — Legitimate interest | Report + outcome up to 12 months |
| Pre-contractual enquiries | Art. 6(1)(b) — Steps prior to contract | 12 months after last contact |
4. AI Processing Disclosure
Hubnix uses artificial intelligence systems in its operations, in compliance with the EU AI Act:
- AI-assisted task management: Client communications may be processed by AI systems to route tasks, draft responses, and manage project workflows. All AI outputs are reviewed and approved by the data controller before external communication.
- Security analysis: Automated security tools analyse system logs and network traffic to detect threats. No personal data profiling or automated decision-making with legal effects occurs.
- Sensitive data handling: Any data classified as confidential or restricted is processed exclusively on local AI models within EU-hosted infrastructure. It is never transmitted to external cloud AI services.
These systems are classified as limited-risk or minimal-risk under the EU AI Act. Transparency obligations are met through this notice. We maintain internal AI Impact Assessments (AIIA) and, where personal-data processing is involved, Data Protection Impact Assessments (DPIA) for our AI-mediated processing.
No solely-automated decisions: we do not take decisions producing legal or similarly significant effects about you based solely on automated processing. Every AI-assisted output that affects an external party is reviewed by the data controller before it is acted on. You may request human review of any such processing under Article 22(3) GDPR.
5. Who We Share Data With
We share personal data only with the following recipients, and only to the extent necessary:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Anthropic (Claude API) | AI task processing (no confidential data sent) | Ireland → USA · SCCs Modules 2/3 + EU-US DPF + content redaction |
| Cloudflare | Website + platform hosting, CDN, security; platform database and media stored in Cloudflare's EU jurisdiction | USA · EU-US DPF + SCCs Module 2 + EU-pinned storage for platform data |
| Stripe | Payment and subscription processing; card data is handled entirely by Stripe (PCI DSS Level 1) — we never store card numbers | Ireland → USA · Stripe DPA + SCCs |
| Resend | Transactional email delivery (sign-in links, service notifications) | USA · DPA + SCCs Module 2 |
| Microsoft 365 | File/document sync (OneDrive), Partner Center | Ireland → USA · EU Data Boundary + EU-US DPF + SCCs Module 3 |
| Backblaze B2 | Encrypted off-site backups | EU storage · EU-US DPF + SCCs Module 2 + client-side encryption |
| GitHub | Source code + website deployment | Netherlands → USA · EU-US DPF + SCCs Module 2 |
| Atlassian (Jira) | Service-desk ticketing | EU / USA · EU-US DPF + SCCs Module 2 |
| Linear | Project tracking | USA · SCCs Module 2 |
| Migadu | Email hosting | Switzerland · adequacy decision |
| Calendly | Appointment scheduling | USA · EU-US DPF + SCCs Module 2 |
| Aruba | Electronic invoicing (FatturaPA) | Italy · domestic (no international transfer) |
| Gulisano & Partners | Accounting and tax compliance | Italy · domestic (no international transfer) |
| Google (Google Ireland Limited / Google LLC) | Advertising conversion measurement via Google Ads gtag.js — loaded only after you opt in through our consent banner | Ireland → USA · EU-US DPF + SCCs Module 2 · Consent Mode v2, denied by default |
| LinkedIn (LinkedIn Ireland Unlimited Company) | Optional profile import to pre-fill your digital card, at your request (DMA Member Data Portability) — we receive your profile data from LinkedIn under the consent you give there; we transmit only the authentication request | Ireland (EU/EEA) · no international transfer · consent captured on LinkedIn |
We do not sell, rent, or trade personal data. We do not share data with third parties for marketing purposes.
6. International Data Transfers
Some of our service providers are located outside the European Economic Area, as shown in the table above. Where data is transferred to the United States, we rely on the EU-US Data Privacy Framework adequacy decision (European Commission Implementing Decision 2023/1795, 10 July 2023) where the recipient is DPF-certified, and in every case on the EU Standard Contractual Clauses (Implementing Decision 2021/914) as the contractual transfer mechanism — with supplementary measures (encryption in transit and at rest, client-side encryption for backups, and content-redaction discipline for AI services) per EDPB Recommendations 01/2020. Where data is transferred to Switzerland (Migadu) we rely on the Swiss adequacy decision. You may request a copy of the relevant safeguards by contacting us.
For sensitive or confidential workloads, we process data exclusively on EU-hosted infrastructure using local AI models, with no international transfer.
7. How We Protect Your Data
- Encryption: TLS in transit for all services; LUKS2 disk encryption for sensitive storage
- Access control: SSH key-only authentication, multi-factor authentication on all administrative accounts, zero-trust mesh network
- Monitoring: 24/7 automated security monitoring (SIEM, IPS, honeypots, vulnerability scanning)
- Data minimisation: We collect only what is necessary for each stated purpose
- Retention limits: Data is deleted or anonymised when the retention period expires
- Incident response: Documented incident management procedures with breach notification within 72 hours per Art. 33 GDPR
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of the personal data we hold about you
- Rectification (Art. 16): Request correction of inaccurate personal data
- Erasure (Art. 17): Request deletion of your personal data (subject to legal retention obligations)
- Restriction (Art. 18): Request restricted processing in certain circumstances
- Data portability (Art. 20): Receive your data in a structured, machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interest; objection to direct marketing is absolute and honoured immediately
- Automated decisions (Art. 22): Not be subject to a decision based solely on automated processing producing legal or similarly significant effects, and to obtain human intervention (we do not make such solely-automated decisions — see §4)
- Withdraw consent (Art. 7): Where processing is based on consent, withdraw it at any time
To exercise any of these rights, use our data-rights intake form — it routes directly to our DSAR handling process and issues a tracking ID. You may also write to privacy@hubnixco.com with the subject line "GDPR Request".
We will respond to your request within 30 days, free of charge. For complex or numerous requests this period may be extended by up to a further 60 days, in which case we will inform you within the first 30 days and explain why (Art. 12(3)).
9. Cookies & Consent
hubnixco.com sets no advertising or profiling cookies and loads no analytics or advertising tracker before you consent. By default — and for every visitor who does not opt in — only Cloudflare Web Analytics runs: a cookieless, privacy-preserving service that measures aggregate traffic (page views, referrer, country) without setting cookies or collecting personal identifiers, so it requires no consent.
Consent-based advertising measurement (Google Ads). If you opt in through our consent banner, we load Google's gtag.js tag (Google Ads ID AW-18275195906) for the sole purpose of measuring advertising conversions — that is, recognising when a visit originated from one of our ads. We use Google Consent Mode v2 with all four signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) set to denied by default; nothing ad-related is loaded into storage or sent until you accept. Your choice is recorded only in your browser's local storage under the key hubnix-consent-v2 — this is a local preference, not a cookie, and is never transmitted to a server. You can change or withdraw your consent at any time using the "Cookie settings" link in the footer; on withdrawal we instruct Google to revoke the consent signals. This advertising measurement is separate from, and additional to, the cookieless Cloudflare Web Analytics described above.
Cloudflare may also set strictly-necessary security cookies for DDoS protection and bot detection. If you book a meeting on our contact page, the embedded Calendly scheduler may set cookies necessary to operate the booking widget. If you sign in to our self-service platform, we set strictly-necessary, secure session cookies (__Host- prefixed, HttpOnly) solely to keep you signed in — these are exempt from consent requirements and are never used for tracking.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Italian Data Protection Authority (Garante per la protezione dei dati personali) within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk
- Document the breach, its effects, and remedial actions taken
11. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The competent authority for Hubnix is:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma
Website: garanteprivacy.it
Email: protocollo@gpdp.it
12. Changes to This Notice
We may update this privacy notice from time to time. Material changes will be communicated via our website. The "last updated" date at the top of this notice indicates the most recent revision.
- 27 June 2026: Introduced opt-in advertising conversion measurement — added Google Ads (gtag.js, ID AW-18275195906) behind a Google Consent Mode v2 banner that defaults all four signals to denied, with the consent choice stored locally (localStorage key
hubnix-consent-v2, not a cookie) and withdrawable at any time via the footer "Cookie settings" link. Rewrote §9 (Cookies & Consent) accordingly, added an opt-in advertising row to §3 (Art. 6(1)(a) consent) and Google (Google Ireland Limited / Google LLC) to the §5 recipient list. This is separate from, and additional to, the existing cookieless Cloudflare Web Analytics. - 16 June 2026: Optional LinkedIn profile import for digital business cards — added LinkedIn-import profile data to §2, a consent-based (Art. 6(1)(a)) processing/retention row to §3, and LinkedIn (LinkedIn Ireland, EU/EEA) as the import source in §5. The import is entirely optional, requires your consent on LinkedIn, pre-fills editable card fields only, and can be withdrawn at any time from the card editor or by deleting your account.
- 4 June 2026: Self-service platform launch coverage — added platform account data and published card content to §2, processing/retention rows for platform accounts, cards and payments to §3, Stripe and Resend to the recipient list in §5 (with the platform database and media noted as stored in Cloudflare's EU jurisdiction), and the strictly-necessary platform session cookie to §9.
- 24 May 2026: Recipient list reconciled with our internal records of processing — added Microsoft 365, Backblaze B2, GitHub, and Atlassian; per-recipient countries and transfer mechanisms now shown. Added an AI impact-assessment and Article 22 (no solely-automated decisions) disclosure, a Data Protection Officer statement, a children's-data statement, and clarification of which data is mandatory. Cookie/analytics section corrected to accurately describe Cloudflare Web Analytics (cookieless).
- 13 April 2026: Initial publication.
13. Contact
For any questions about this privacy notice or our data processing practices:
Oleksii Panchenko
Email: oleksii.panchenko@hubnixco.com
Location: Milan, Italy