Nepturnal

from the deep

Privacy Policy

Last updated: [YYYY-MM-DD — set on the day you publish this filled-in version, not before]

This Privacy Policy describes how www.nepturnal.art (the “Site”) collects and processes personal data of visitors and people who contact the Site.

1. Who we are

The Site is operated by [Valentina Marconi — verify full legal name as registered for Italian fiscal purposes], based in [city, Italy].

Contact for privacy matters: [email — the one you actually monitor for privacy/legal mail; can be the same as artist-brand email or separate]

2. What we collect and why

2a. Server access logs

When you visit any page on the Site, our web server (nginx) automatically records:

  • Your IP address
  • The date and time of the request
  • The page or resource requested
  • Your user-agent (browser identification)
  • The referring page (where you came from)

This is standard for any website and is used for security, debugging, and traffic analysis. Logs are retained for [30 days / 90 days / X months — set per M6 hardening decision]. We do not link log entries to identifiable individuals.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR — site security and integrity).

2b. Contact form submissions

If you use the contact form on the Site, we receive:

  • Your name (as you provide it)
  • Your email address
  • The content of your message
  • The IP address from which the form was submitted (recorded automatically by the form plugin)

We use this information solely to respond to your inquiry. Contact form submissions are retained for [X months/years after the conversation closes — pick a window and document it], then deleted.

Legal basis: consent (you submitted the form) and pre-contractual necessity (Art. 6(1)(b) GDPR).

2c. Language preference cookie

The Site stores a small cookie (pll_language) to remember which language you’ve selected (English or Italian). This is a functional cookie that does not require consent under GDPR; without it, the language switcher cannot remember your preference between page visits.

  • Cookie name: pll_language
  • Cookie duration: 1 year
  • Purpose: language preference

Legal basis: legitimate interest / necessity for service (Art. 6(1)(f) GDPR — functional necessity).

2d. What we do NOT collect

  • We do not use analytics services (no Google Analytics, no Matomo, no Plausible, no third-party trackers).
  • We do not run advertising or remarketing pixels.
  • We do not have comments on blog posts or any other user-generated content collection.
  • We do not currently operate a newsletter.

3. Sharing your data

We do not sell, rent, or share your personal data with third parties, except:

  • When required by law or legal process
  • With hosting infrastructure providers (see §4 below) acting as data processors under our instructions

4. Hosting and infrastructure

The Site is hosted on a virtual private server [in EU / location — verify and disclose].

  • Web server: nginx
  • Database: MariaDB
  • CDN / proxy: [Caddy reverse proxy on a separate VM — name the location and hosting provider]
  • Email forwarding (contact form delivery): [email provider — Gmail / ProtonMail / etc. — disclose]

These providers are data processors. They process your data only to enable the Site’s operation.

5. Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”), subject to legal retention requirements
  • Restrict processing of your data
  • Data portability (receive your data in a machine-readable format)
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with the Italian supervisory authority: Garante per la protezione dei dati personali

To exercise any of these rights, contact us at [email].

We will respond within 30 days as required by Art. 12(3) GDPR.

6. Children’s data

The Site is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has submitted data through the contact form, please contact us at [email] for prompt deletion.

7. Security

We take reasonable technical and organizational measures to protect your data. The Site operates over HTTPS (TLS encryption) end-to-end. The server is hardened per standard practice. No internet transmission is 100% secure; we cannot guarantee absolute security.

8. Changes to this policy

If we change this policy (e.g. when newsletter or commissions activate), we will update the “Last updated” date at the top. Material changes will be announced on the Site’s homepage for at least 30 days.

9. Contact