Last updated: 28 May 2026
Privacy Policy
Information notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).
1. Data controller
The data controller is Stefano Scalas, sole proprietor of "Sardinia Driver di Stefano Scalas", with offices at Via Sorgono 12, 09042 Monserrato (CA), Italy.
To exercise your rights, reach out at [email protected] or +39 329 615 8988.
2. Categories of data
We process the following personal data, split by purpose:
2.1 Technical data needed for the site
- Cookie consent preference: stored in your browser's
localStorage, keysd_cookie_consent_v2. Never leaves the device. - Anonymous session identifier: key
sd_session_idinsessionStorage(16 random hexadecimal bytes); regenerated automatically when you close the browser tab. Used to avoid counting the same visit twice; not linked to any identifying data. - Admin technical session cookie
sd_admin: only present after login to the controller's restricted backoffice, attributesHttpOnly,Secure,SameSite=Strict, scoped to/api/admin, duration 12 hours. Does not affect public browsing.
2.2 Contact and booking data
- Contact data voluntarily provided through the contact form or via WhatsApp / email: full name, email address, phone number, content of the request.
- Booking data: requested date of service, number of passengers, pickup and drop-off details, flight or ship number if any.
- Data attached to the lead for security and auditing: country of origin
(Cloudflare
CF-IPCountryheader), SHA-256 hash of the IP address (fieldip_hash, never in clear), SHA-256 hash of the User-Agent (fieldua_hash, never in clear), submission timestamp. Stored in the Cloudflare D1 serverless database together with the lead.
2.3 First-party analytics data (consent only)
If you accept the "Analytics" category from the consent banner, the site sends anonymous tracking requests to our Cloudflare Worker, which writes them into two tables of the Cloudflare D1 serverless database:
-
pageviews— one row per page visit, containing: timestamp, page path, referrer (origin URL, truncated), source classification (organic / social / referral / direct), interface language, country (CF-IPCountry), anonymous session identifier (sd_session_id), SHA-256 hash of the User-Agent. No persistent cookies. -
events— one row per CTA click or interaction event, containing: timestamp, type (e.g.cta_click), CTA label, page path, session identifier, language, JSON event metadata.
Without analytics consent, neither table is written: the Worker does
not even receive the request because the client-side tracking.ts script
sends no beacons. You can withdraw consent at any time from the "Manage
cookies" panel; the tracker turns off inside the same page without a reload.
2.4 Cookies and consent management — summary
On sardiniadriver.com cookie consent is managed via a first-visit banner and a persistent "Manage cookies" panel always available at the bottom-left of the page. Three categories are defined:
- Technical (necessary): always on, no consent required — they keep the site working (consent storage, navigation, security).
- Analytics: opt-in. Measures site usage anonymously and in aggregate
via the
pageviewsandeventstables described above. Active only with consent. - Marketing: opt-in. Would allow advertising profiling and remarketing. Category provisioned, currently not in use: no pixel, no third-party cookie is loaded in this category at the moment.
Consent is stored in localStorage (key
sd_cookie_consent_v2) and can be changed or withdrawn at any time
from the "Manage cookies" panel or by clearing site data from your browser. The
full list of cookies and technologies used is in the
Cookie Policy.
3. Purposes and legal basis
- Reply to your request for a quote or booking (art. 6.1.b GDPR – pre-contractual measures).
- Performance of the chauffeur service if a booking is confirmed (art. 6.1.b GDPR – contract).
- Anonymous browsing measurement (first-party analytics): user consent (art. 6.1.a GDPR), via the cookie banner.
- Service security and anti-spam: legitimate interest of the controller (art. 6.1.f GDPR) — includes the hashed IP of the lead and the anti-bot honeypot field.
- Legal obligations: invoicing, accounting, tax (art. 6.1.c GDPR).
- Defence in court of a right of the controller (art. 6.1.f GDPR – legitimate interest).
4. How we process data
Data is processed with digital and paper tools, with technical and organisational measures to ensure security: HTTPS on the site, administrative authentication with password stored as PBKDF2-SHA256 hash (100,000 iterations, random salt), admin session signed with HMAC-SHA256, HttpOnly+Secure+SameSite=Strict cookie, SHA-256 hashing of technical identifiers (IP, User-Agent), encrypted backups. No automated decision-making or profiling takes place.
5. Recipients and data processors
Data may be shared with the following data processors (art. 28 GDPR):
- Cloudflare, Inc. (USA, with EU edge infrastructure) — hosting of the frontend (Cloudflare Pages), backend (Cloudflare Workers) and serverless database (Cloudflare D1). EU users' requests are served preferentially from European data centres. Extra-EU transfers covered by Standard Contractual Clauses.
- Resend, Inc. (USA) — transactional email delivery (notification to the controller and confirmation to the lead). Processing limited to lead email, subject, email body. Extra-EU transfer covered by Standard Contractual Clauses.
- OpenStreetMap Foundation (UK) — map tile in the contact section (iframe). Does not receive contact data.
- Google LLC (USA) — web font delivery (Google Fonts). Receives the browser's IP address when requesting fonts.
- Meta Platforms (USA) — only as destination of the WhatsApp link
(
wa.me); receives data only when you click. - accountants and tax advisors, strictly for legal purposes;
- public authorities, when required by law.
No data is sold or shared with third parties for marketing.
6. Transfer outside the EU
Some of the processors above (Cloudflare, Resend, Google) are based in the United States. Transfer takes place only under Standard Contractual Clauses approved by the European Commission (Decision 2021/914/EU) and, where applicable, under the Data Privacy Framework. The data that may be transferred includes: lead's email address (Resend), IP and User-Agent hashes (Cloudflare D1), visitor IP when requesting a font (Google Fonts).
7. Retention
- Quote requests (
leadstable): up to 24 months from contact, unless a booking follows. - Confirmed bookings: 10 years for tax obligations.
- Analytics data (
pageviewsandeventstables): up to 180 days (6 months) from the event. Automatic daily deletion via a scheduled Worker job (cron 03:00 UTC). - IP hash and User-Agent hash of leads: together with the lead (24 months).
- Site technical logs at Cloudflare level: up to 12 months.
8. Your rights and how to exercise them
At any time you can exercise the rights under articles 15–22 GDPR:
- access to your data (DSAR — Data Subject Access Request);
- rectification and erasure (right to be forgotten);
- restriction and objection to processing;
- data portability;
- withdrawal of consent, where applicable — for analytics cookies via the "Manage cookies" panel.
How to submit a request: write to [email protected] with subject "GDPR — exercise of rights request" and attach a copy of an identification document (needed to verify your identity before responding). Reply within 30 days of receiving a verified request, as required by art. 12.3 GDPR.
You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
9. Anti-spam measures ("Company" honeypot field)
The contact form includes a hidden field called "Company" (honeypot) that must not be filled in by real users. If it is filled, the request is treated as automated spam and silently discarded without being saved or forwarded by email. Legal basis: legitimate interest of the controller in protecting the infrastructure (art. 6.1.f GDPR).
10. Providing data
Providing the data requested in the contact form is optional, but without it we cannot reply to your request.
11. Updates
This notice may be updated to reflect legal or operational changes. The latest version is always available on this page.