Privacy
What I keep, what I don’t.
Last updated: 4 May 2026
The short version
This site captures one thing: people who want to talk to me. That happens through Gideon (the chat on /contact) or through the booking widget. I store what you send me on Notion. I use Vercel’s anonymous, cookieless analytics for aggregate page-view counts — no cookies, no personal data, no cross-site tracking. There is no cookie banner because I do not set tracking cookies.
Who is collecting your data
The data controller is me, personally:
Jacopo Pelanda Mazza
Codice fiscale: PLNJCP87L15L781N
Via Agostino Soldati 2, 6900 Lugano, Ticino, Switzerland
hi@jacopo.fyi
Nexmatica is a brand under which I operate, not a separate legal entity. All data responsibility sits with me as a natural person.
What I collect
- Chat content (via Gideon). Your messages and any name, email, role, or context you share during the conversation. Saved to a private Notion database (Leads). The full transcript is also written to a separate Conversations database for analytics about which conversations led somewhere.
- Booking data (via Cal.com). When you click Book a 20-min call, the booking is handled by Cal.com. They collect your name, email, and the timeslot. Their privacy policy applies to that interaction.
- IP address (rate limit only). Your IP is stored briefly (up to 24h) on Upstash Redis to enforce a hard cap of two lead submissions per hour. It is never sold, shared, or used for tracking, and rotates out of cache automatically.
- Functional session cookie. One gideon_session cookie (HTTP-only, randomly generated UUID). It exists so the chat remembers you across page reloads. No tracking, no third-party fingerprinting. It expires in 24 hours.
Why I collect it (legal basis)
GDPR Article 6(1)(f) — legitimate interest. I run this site to qualify and respond to inbound interest in working with me (founders, operators, recruiters, press). The data minimisation principle applies: I keep the minimum needed to follow up on a conversation.
For visitors in Switzerland, the same principles apply under the revised Federal Act on Data Protection (revFADP, in force since September 2023).
How long I keep it
- Active leads. People I am currently in conversation with: kept for the duration of the engagement plus 12 months.
- Inactive leads. No contact for six months or more: deleted automatically every quarter via a manual review of Notion.
- Automated session data. Session cookie expires after 24h. Rate-limit IP records expire within 24h. Conversation logs follow the same retention as the associated lead.
Who else processes your data
I rely on the following data processors. All operate under standard contractual clauses (SCCs) where the data leaves the EU/EEA:
- Anthropic, PBC (United States). Powers the Gideon chat. Your messages are sent to Anthropic to generate a reply. Anthropic does not train on API customer content.
- Notion Labs, Inc. (United States). Stores leads and conversation transcripts on a private workspace I own.
- Cal.com, Inc. (European Union). Powers the booking widget. When you open the booking modal, Cal sets its own cookies and may collect additional data per their privacy policy.
- Upstash, Inc. (United States). Hosts the Redis cache used for session state and rate limiting.
- Vercel, Inc. (United States). Hosts the site itself. Standard request logs (IP, user agent, timestamp) are kept by Vercel under their retention policy. I also use Vercel Web Analytics for anonymous, cookieless aggregate page-view counts — no personal data is captured, no cross-site tracking, no fingerprinting.
Your rights
Under GDPR (and revFADP for Swiss residents), you have the right to:
- Access the data I hold about you.
- Have it corrected if inaccurate.
- Have it deleted (right to be forgotten).
- Restrict or object to its processing.
- Receive it in a portable format.
- Lodge a complaint with the supervisory authority. In Switzerland: FDPIC (edoeb.admin.ch). In Italy: Garante per la protezione dei dati personali (garanteprivacy.it).
To exercise any of these rights, write to hi@jacopo.fyi. I respond within 30 days.
What I do not do
- I do not use Google Analytics, Plausible, or any tool that sets tracking cookies.
- I do not run ads or retargeting pixels.
- I do not sell, share, or rent your data to anyone.
- I do not embed social media widgets that track you.
- I do not fingerprint your browser or device.
- I do not use AI to make automated decisions about you that have legal effects.
Updates
If I change anything material on this page, I’ll bump the “Last updated” date at the top. Substantive changes will also be flagged briefly here.