Privacy Notice
Hubnix — AI & Technology Partner
Ditta Individuale di Oleksii Panchenko
P.IVA: IT14660020968
Effective date: 13 April 2026 · Last updated: 4 June 2026 · See change history
1. Who We Are
Hubnix is an AI and technology consultancy operated by Oleksii Panchenko as a Ditta Individuale under Italian law. We provide AI automation, cloud infrastructure, cybersecurity, ICT compliance, system architecture, and digital presence services to small and medium enterprises.
Data Controller: Oleksii Panchenko
Email: [email protected]
Address: Via Salvini 27, 20090 Trezzano sul Naviglio (MI), Italy
Data Protection Officer: None appointed. As a micro-enterprise whose core activity does not consist of large-scale systematic monitoring or large-scale processing of special categories of data, the conditions of Article 37(1) GDPR are not met. The data controller above is the point of contact for all data-protection matters.
2. What Personal Data We Collect
We collect and process personal data only when necessary for the purposes described below:
- Identity data: name, company name, job title
- Contact data: email address, phone number
- Business data: project requirements, service requests, contractual terms
- Financial data: P.IVA/fiscal code, IBAN, invoice details (for clients and suppliers only)
- Technical data: IP addresses, browser type, system logs (for website visitors and security monitoring)
- Communication data: email content, contact form submissions, meeting notes
- Platform account data: if you create an account on our self-service platform — your email address (used for passwordless sign-in links), session identifiers, and security audit entries (action, timestamp, IP address)
- Card content: the business-card information you choose to enter and publish through the platform (name, role, contact details, photo). You control this content and can edit or unpublish it at any time
We do not collect special categories of personal data (health, biometric, political opinions, etc.) unless explicitly required by a client engagement, in which case it is processed exclusively on local infrastructure within the EU with no cloud transfer.
Children: Our services are directed at businesses, not children. We do not knowingly collect or process the personal data of individuals under 16. If you believe a minor has provided us personal data, contact us and we will delete it.
Is providing data mandatory? Data needed to deliver a contracted service and to meet our legal obligations (e.g. invoicing data under Italian tax law) is required — without it we cannot provide the service or issue compliant invoices. Contact-form and scheduling data is provided voluntarily; not providing it only means we cannot respond to your enquiry. Website-analytics data is aggregate and contains no personal identifiers.
3. How and Why We Process Your Data
| Purpose | Legal Basis | Retention |
|---|---|---|
| Client project delivery | Art. 6(1)(b) — Contract | Contract + 10 years |
| Website contact form | Art. 6(1)(a) — Consent | Until purpose fulfilled |
| Invoicing and accounting | Art. 6(1)(c) — Legal obligation | 10 years (Italian tax law) |
| Security monitoring | Art. 6(1)(f) — Legitimate interest | Logs 90 days, incidents 1 year |
| AI-assisted operations | Art. 6(1)(f) — Legitimate interest | Agent memory 90 days, audit logs 1 year |
| Website analytics (Cloudflare Web Analytics — cookieless) | Art. 6(1)(f) — Legitimate interest | Aggregate only — no personal identifiers |
| Platform accounts (passwordless sign-in, sessions) | Art. 6(1)(b) — Contract | Account lifetime; security audit entries 12 months |
| Digital business cards (content you publish) | Art. 6(1)(b) — Contract | Until you unpublish or delete it, or your account is deleted |
| Payments and subscriptions (via Stripe) | Art. 6(1)(b) — Contract; Art. 6(1)(c) for fiscal records | Fiscal records 10 years (Italian tax law) |
| Pre-contractual enquiries | Art. 6(1)(b) — Steps prior to contract | 12 months after last contact |
4. AI Processing Disclosure
Hubnix uses artificial intelligence systems in its operations, in compliance with the EU AI Act:
- AI-assisted task management: Client communications may be processed by AI systems to route tasks, draft responses, and manage project workflows. All AI outputs are reviewed and approved by the data controller before external communication.
- Security analysis: Automated security tools analyse system logs and network traffic to detect threats. No personal data profiling or automated decision-making with legal effects occurs.
- Sensitive data handling: Any data classified as confidential or restricted is processed exclusively on local AI models within EU-hosted infrastructure. It is never transmitted to external cloud AI services.
These systems are classified as limited-risk or minimal-risk under the EU AI Act. Transparency obligations are met through this notice. We maintain internal AI Impact Assessments (AIIA) and, where personal-data processing is involved, Data Protection Impact Assessments (DPIA) for our AI-mediated processing.
No solely-automated decisions: we do not take decisions producing legal or similarly significant effects about you based solely on automated processing. Every AI-assisted output that affects an external party is reviewed by the data controller before it is acted on. You may request human review of any such processing under Article 22(3) GDPR.
5. Who We Share Data With
We share personal data only with the following recipients, and only to the extent necessary:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Anthropic (Claude API) | AI task processing (no confidential data sent) | Ireland → USA · SCCs Modules 2/3 + EU-US DPF + content redaction |
| Cloudflare | Website + platform hosting, CDN, security; platform database and media stored in Cloudflare's EU jurisdiction | USA · EU-US DPF + SCCs Module 2 + EU-pinned storage for platform data |
| Stripe | Payment and subscription processing; card data is handled entirely by Stripe (PCI DSS Level 1) — we never store card numbers | Ireland → USA · Stripe DPA + SCCs |
| Resend | Transactional email delivery (sign-in links, service notifications) | USA · DPA + SCCs Module 2 |
| Microsoft 365 | File/document sync (OneDrive), Partner Center | Ireland → USA · EU Data Boundary + EU-US DPF + SCCs Module 3 |
| Backblaze B2 | Encrypted off-site backups | EU storage · EU-US DPF + SCCs Module 2 + client-side encryption |
| GitHub | Source code + website deployment | Netherlands → USA · EU-US DPF + SCCs Module 2 |
| Atlassian (Jira) | Service-desk ticketing | EU / USA · EU-US DPF + SCCs Module 2 |
| Linear | Project tracking | USA · SCCs Module 2 |
| Migadu | Email hosting | Switzerland · adequacy decision |
| Calendly | Appointment scheduling | USA · EU-US DPF + SCCs Module 2 |
| Aruba | Electronic invoicing (FatturaPA) | Italy · domestic (no international transfer) |
| Gulisano & Partners | Accounting and tax compliance | Italy · domestic (no international transfer) |
We do not sell, rent, or trade personal data. We do not share data with third parties for marketing purposes.
6. International Data Transfers
Some of our service providers are located outside the European Economic Area, as shown in the table above. Where data is transferred to the United States, we rely on the EU-US Data Privacy Framework adequacy decision (European Commission Implementing Decision 2023/1795, 10 July 2023) where the recipient is DPF-certified, and in every case on the EU Standard Contractual Clauses (Implementing Decision 2021/914) as the contractual transfer mechanism — with supplementary measures (encryption in transit and at rest, client-side encryption for backups, and content-redaction discipline for AI services) per EDPB Recommendations 01/2020. Where data is transferred to Switzerland (Migadu) we rely on the Swiss adequacy decision. You may request a copy of the relevant safeguards by contacting us.
For sensitive or confidential workloads, we process data exclusively on EU-hosted infrastructure using local AI models, with no international transfer.
7. How We Protect Your Data
- Encryption: TLS in transit for all services; LUKS2 disk encryption for sensitive storage
- Access control: SSH key-only authentication, multi-factor authentication on all administrative accounts, zero-trust mesh network
- Monitoring: 24/7 automated security monitoring (SIEM, IPS, honeypots, vulnerability scanning)
- Data minimisation: We collect only what is necessary for each stated purpose
- Retention limits: Data is deleted or anonymised when the retention period expires
- Incident response: Documented incident management procedures with breach notification within 72 hours per Art. 33 GDPR
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of the personal data we hold about you
- Rectification (Art. 16): Request correction of inaccurate personal data
- Erasure (Art. 17): Request deletion of your personal data (subject to legal retention obligations)
- Restriction (Art. 18): Request restricted processing in certain circumstances
- Data portability (Art. 20): Receive your data in a structured, machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interest; objection to direct marketing is absolute and honoured immediately
- Automated decisions (Art. 22): Not be subject to a decision based solely on automated processing producing legal or similarly significant effects, and obtain human intervention (we do not make such solely-automated decisions — see §4)
- Withdraw consent (Art. 7): Where processing is based on consent, withdraw it at any time
To exercise any of these rights, use our data-rights intake form — it routes directly to our DSAR handling process and issues a tracking ID. You may also write to [email protected] with the subject line "GDPR Request".
We will respond to your request within 30 days, free of charge. For complex or numerous requests this period may be extended by up to a further 60 days, in which case we will inform you within the first 30 days and explain why (Art. 12(3)).
9. Cookies
hubnixco.com does not use advertising trackers, Meta Pixel, Google Analytics, or any behavioural-tracking technology, and sets no advertising or profiling cookies. We use Cloudflare Web Analytics — a cookieless, privacy-preserving service that measures aggregate traffic (page views, referrer, country) without setting cookies or collecting personal identifiers, so no consent banner is required. Cloudflare may also set strictly-necessary security cookies for DDoS protection and bot detection. If you book a meeting on our contact page, the embedded Calendly scheduler may set cookies necessary to operate the booking widget. If you sign in to our self-service platform, we set strictly-necessary, secure session cookies (__Host- prefixed, HttpOnly) solely to keep you signed in — these are exempt from consent requirements and are never used for tracking.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Italian Data Protection Authority (Garante per la protezione dei dati personali) within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk
- Document the breach, its effects, and remedial actions taken
11. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The competent authority for Hubnix is:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma
Website: garanteprivacy.it
Email: [email protected]
12. Changes to This Notice
We may update this privacy notice from time to time. Material changes will be communicated via our website. The "last updated" date at the top of this notice indicates the most recent revision.
- 4 June 2026: Self-service platform launch coverage — added platform account data and published card content to §2, processing/retention rows for platform accounts, cards and payments to §3, Stripe and Resend to the recipient list in §5 (with the platform database and media noted as stored in Cloudflare's EU jurisdiction), and the strictly-necessary platform session cookie to §9.
- 24 May 2026: Recipient list reconciled with our internal records of processing — added Microsoft 365, Backblaze B2, GitHub, and Atlassian; per-recipient countries and transfer mechanisms now shown. Added an AI impact-assessment and Article 22 (no solely-automated decisions) disclosure, a Data Protection Officer statement, a children's-data statement, and clarification of which data is mandatory. Cookie/analytics section corrected to accurately describe Cloudflare Web Analytics (cookieless).
- 13 April 2026: Initial publication.
13. Contact
For any questions about this privacy notice or our data processing practices:
Oleksii Panchenko
Email: [email protected]
Address: Via Salvini 27, 20090 Trezzano sul Naviglio (MI), Italy