This document is drafted in accordance with the principles of EU Regulation 2016/679 (GDPR) on personal data protection in order to allow users of the fortgale.com site (hereinafter the "Site") to understand Fortgale's privacy policy, how their personal information is processed and — if necessary — to provide express, free, specific and unambiguous consent.
The processing carried out by Fortgale S.r.l. (hereinafter "Fortgale") is based on the principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, data minimisation, accuracy, integrity and confidentiality, as well as the principle of accountability under Art. 5 GDPR.
Specific technical and organisational measures are adopted to prevent data loss, unlawful or incorrect use and unauthorised access. Fortgale is ISO/IEC 27001 certified for the information security management system.
01 General information
Users (hereinafter "Data Subjects", under Art. 4.1 GDPR) are informed of the following general information, valid for all processing scopes.
1.1 Data Controller
The Data Controller is the undersigned company, in the person of its legal representative:
- Fortgale S.r.l.
- Registered office: Via San Damiano 2, 20122 Milan (MI), Italy
- VAT / Tax ID: IT10684000962
- Phone: +39 02 3659 8955
- Privacy email: privacy@fortgale.com
- PEC email: fortgale@pec.it
1.2 Data Protection Officer (DPO)
For requests regarding personal data processing it is possible to contact the Fortgale privacy contact at privacy@fortgale.com. The appointment of a formal DPO, where required, will be communicated in this section.
1.3 Definitions
- Personal data — any information relating to an identified or identifiable natural person (Art. 4.1 GDPR).
- Processing — any operation applied to personal data (collection, recording, storage, etc.; Art. 4.2 GDPR).
- Data Subject — the natural person whose personal data is being processed.
- Controller — Fortgale S.r.l., which determines the purposes and means of processing.
- External processor — a supplier that processes personal data on Fortgale's behalf and on its documented instructions (Art. 28 GDPR), e.g. IT providers, hosting, Microsoft 365 (M365).
03 Contacts, forms and bookings
The optional, explicit and voluntary sending of email to the addresses indicated on the Site (e.g. info@fortgale.com, privacy@fortgale.com) and/or the completion of the contact and appointment booking forms (Microsoft Outlook Bookings) entails the acquisition of the sender's email address and of any other personal data contained in the communication, which are used to respond to the request and/or schedule the meeting.
3.1 Types of data collected
By way of example, the following personal data may be collected:
- name and surname;
- email address (typically business);
- phone number (optional);
- company name, role and sector of activity (to qualify the request);
- free content of the message;
- date and time of the appointment (Bookings).
3.2 Purpose and legal basis
The data is processed for the purpose of managing and responding to the request received and for the execution of pre-contractual measures taken at the Data Subject's request (Art. 6.1.b GDPR). For requests with no contractual purpose (e.g. simple informational questions), the legal basis is the Data Subject's consent (Art. 6.1.a GDPR), expressed by voluntarily sending the communication.
3.3 Retention period
Data is kept for the time strictly necessary to handle the request and — in the event of an established commercial relationship — for the duration of the contract and for the subsequent 10 years for the purposes of fulfilling tax, accounting and civil law obligations.
3.4 Provision
Provision is optional; however, failure to provide the data marked as mandatory may entail the impossibility of evaluating and following up on the Data Subject's request.
05 Incident Response reports
In the event of a cyber incident report via the 24/7 hotline or the dedicated emergency forms, personal data and data relating to information systems, logs, technical artefacts and — possibly — data of third parties involved in the incident may be acquired.
The legal basis is the execution of pre-contractual measures and the provision of the requested service (Art. 6.1.b GDPR) and, where applicable, the legitimate interest of both parties in incident management (Art. 6.1.f GDPR). In cases where Fortgale processes customers' personal data on their behalf, it acts as external data processor (Art. 28 GDPR) on the basis of a specific DPA (Data Processing Agreement).
Data is kept for the duration of the contractual relationship and for the subsequent 10 years in line with documentation obligations required by NIS2 transposition and with civil law statutes of limitations.
07 Data recipients and extra-EU transfers
Personal data is processed by authorised internal personnel duly instructed (Art. 29 GDPR). It may also be processed by external data processors providing technical services to Fortgale, in particular:
- Microsoft Ireland Operations Ltd — Microsoft 365 (email, OneDrive, Teams) and Outlook Bookings. Data residency: European Union.
- Hosting / CDN providers — EU-based IaaS providers for the Site's staging and production environments. Data residency: European Union. The detailed list of providers is available on request under NDA.
- Google Ireland Limited — limited to loading Google Fonts used for the Site's typography.
- LinkedIn Ireland Unlimited Company — only if marketing consent is active, for the LinkedIn Insight Tag pixel.
- Mailing providers — EU-based newsletter sending systems, identified in the Cookie Policy when activated.
- Legal, tax and audit consultants — only if necessary for the fulfilment of legal obligations.
- Judicial authorities and law enforcement — exclusively in the presence of legitimate requests provided for by law.
Extra-EU transfers. Fortgale prefers suppliers with EU data residency. Where processing implies a transfer to third countries (e.g. United States for Google Fonts), the transfer takes place exclusively on the basis of suitable safeguards under Art. 44-49 GDPR — primarily Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914) and, where applicable, adequacy decisions (e.g. EU-US Data Privacy Framework).
Personal data is not disseminated and is not subject to automated decision-making processes that produce legal effects on the Data Subject (Art. 22 GDPR).
08 Rights of the Data Subject
The Data Subject may at any time exercise the following rights provided for by Articles 15-22 GDPR (and, for consent, Art. 7.3):
- Access to one's personal data (Art. 15);
- Rectification of inaccurate or incomplete data (Art. 16);
- Erasure ("right to be forgotten", Art. 17);
- Restriction of processing (Art. 18);
- Portability of data in a structured, commonly used and machine-readable format (Art. 20);
- Objection to processing based on legitimate interest (Art. 21);
- Not to be subject to decisions based solely on automated processing, including profiling (Art. 22);
- Withdrawal of consent previously given, without prejudice to the lawfulness of processing carried out before withdrawal (Art. 7.3).
To exercise these rights, write to privacy@fortgale.com with the subject "GDPR · rights exercise", specifying the request. Fortgale responds without undue delay and in any event within one month of receipt; where necessary, taking into account the complexity and number of requests, this period may be extended by a further two months, and the Data Subject is informed of the extension and its reasons within the first month (Art. 12.3 GDPR).
Without prejudice to any other administrative or judicial remedy, and in particular in the event of no response or an unsatisfactory response, the Data Subject has the right to lodge a complaint with a Supervisory Authority, in particular the national Data Protection Authority of the EU member state of their habitual residence, place of work or place of the alleged infringement, pursuant to Art. 77 GDPR (information provided under Art. 13.2.d), as well as to seek an effective judicial remedy (Art. 79 GDPR).
09 Security measures
Fortgale adopts technical and organisational measures appropriate to the risk (Art. 32 GDPR) to ensure confidentiality, integrity, availability and resilience of processing systems and services. In particular:
- encryption of data in transit (TLS 1.3) and at rest;
- role-based access control, multi-factor authentication on critical systems;
- centralised logging and 24/7 monitoring by the Fortgale SOC;
- redundant backups and tested disaster recovery procedures;
- vulnerability management and periodic penetration testing processes;
- continuous training of personnel authorised to process;
- ISO/IEC 27001 certification for the information security management system;
- complementary ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (health & safety) certifications.
10 Document updates
This notice is subject to periodic review to align it with regulatory, technical and process developments. Any updates will be published on this page with indication of the date of last revision and version.
Last updated: 5 May 2026 · Version: 2.0