Skip to main content

Privacy Policy

Last Updated: March 14, 2026

1. Introduction & Controller Identity

This Privacy Policy explains how KYDOS SRL (“we”, “us”, or “our”) collects, uses, and protects personal data when you visit this website and when you contact us about our leadership and professional development education. We operate from Milan, Italy, and provide educational services to participants throughout Canada through flexible delivery formats.

Data Controller (GDPR): KYDOS SRL, Via Vincenzo Monti, 8, 20123 Milan (Milano), Italy. Email: [email protected]. Phone: +39 02 8734 6281.

We do not intentionally process special-category data (such as health, religious beliefs, or political opinions) and we do not require a government ID to use this website. Please do not include sensitive information in free-text form fields.

2. Personal Data We Collect

We collect personal data in a limited, purpose-driven way. The types of information we may collect include:

  • Identity and contact data: name, email address, phone number, and basic professional context you choose to provide.
  • Form content: the message you submit, your program selection, and any project details you include in your inquiry.
  • Technical data: IP address, browser type, device and operating system, language preferences, and approximate location derived from IP (country/region level).
  • Usage data: pages viewed, time spent on pages, referral source, and click paths (for example, which page you visited before contacting us).
  • Cookies and identifiers: cookies that keep the site functional and cookies that measure marketing/analytics performance (only where consent is provided). See Section 4.
  • Conversion events: signals that a user took a meaningful action on the website (for example, submitting an inquiry form).

We do not collect financial account details (such as card numbers) through website forms, and we do not request bank information on this site. Enrollment and payment details, where applicable, are communicated during the enrollment process through appropriate channels.

3. Why We Process Personal Data & Legal Basis (GDPR Art. 6)

We process personal data only when there is a lawful basis to do so. Depending on the context, the legal bases include:

  • Contact and enrollment inquiries: When you submit a request through our website, we use the data to respond, assess program fit, and coordinate next steps. Legal basis: GDPR Art. 6(1)(b) (steps at your request prior to entering into a contract) and Art. 6(1)(a) (consent for being contacted as indicated by the consent checkbox).
  • Analytics: If you consent to analytics cookies, we measure site usage to understand what content is helpful and where the site can be improved. Legal basis: GDPR Art. 6(1)(a) (consent).
  • Marketing and remarketing: If you consent to marketing cookies, we may measure advertising performance and build audiences for remarketing or lookalike targeting. Legal basis: GDPR Art. 6(1)(a) (consent).
  • Security and abuse prevention: We process limited technical data to protect the website, enforce rate limiting, and reduce fraud and automated abuse. Legal basis: GDPR Art. 6(1)(f) (legitimate interests in maintaining site security).
  • Legal obligations: Where required by law (for example, bookkeeping for invoices related to services), processing may be necessary to comply with legal obligations. Legal basis: GDPR Art. 6(1)(c).

Automated Decision-Making (GDPR Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. Any program recommendations provided in response to an inquiry are human-reviewed and based on the information you provide.

4. Cookies & Tracking

Cookies are small files stored on your device that help websites function and, where permitted, help measure performance. We also use similar technologies such as pixel tags. Our cookie categories align with our cookie preference controls.

Essential cookies (always active)

Essential cookies are required for the website to function and cannot be switched off in our systems. They include cookies that maintain session continuity and remember your cookie choices. Examples include _site_session and cookie_consent. Retention ranges from session to 12 months.

Analytics cookies (consent required)

If enabled, analytics cookies help us understand how the site is used. We may use Google Analytics 4 (GA4) with IP anonymization options. Example cookies include _ga and _ga_XXXXXXXXXX. Our analytics retention setting is typically 14 months, though cookie lifetimes may be longer (for example, 2 years for certain GA4 cookies).

Marketing cookies (consent required)

If enabled, marketing cookies are used to measure advertising performance, understand which campaigns lead to inquiries, and support remarketing and audience creation. Example cookies include _gcl_au (Google Ads) and _fbp / _fbc (Meta). Cookie retention is typically around 90 days, depending on the provider and configuration.

Beyond cookies, measurement may also involve pixel tags (such as gtag.js and Meta Pixel) and, where configured, server-side measurement methods (for example, Meta Conversions API or server-side Google Tag Manager) that transmit event metadata. Where used, these technologies are activated only after consent for the relevant category.

5. Consent (EEA/UK)

Users in the EEA and UK receive a consent notice consistent with GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie for 12 months.

You may withdraw or change consent at any time by using the “Manage cookie preferences” link in the website footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing carried out before your withdrawal.

6. Sharing With Advertising & Service Partners

We share personal data only with providers that help us operate the website, deliver our communications, or measure site performance and advertising effectiveness. We do not sell personal data.

  • Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, conversions, and remarketing list signals. Privacy policy: https://policies.google.com/privacy.
  • Meta Platforms, Inc. (Meta Pixel, custom/lookalike audiences, conversion measurement): page view and conversion events, audience membership signals, and where configured, hashed identifiers. Privacy policy: https://www.facebook.com/privacy/policy.
  • Cloudflare (CDN and security): limited technical data such as IP address and request metadata for security and performance. Privacy policy: https://www.cloudflare.com/privacypolicy/.

We do not permit these providers to use site data for their own independent commercial purposes. They act as service providers or independent controllers depending on the service and configuration; their policies explain how they process data.

7. International Transfers

KYDOS SRL is established in Italy. Some service providers may process data outside the European Economic Area (EEA) or the UK, including in the United States. Where data is transferred internationally, we rely on appropriate safeguards, which may include the EU–US Data Privacy Framework (DPF) where applicable, the UK Extension to the DPF, and Standard Contractual Clauses (EU Commission Decision 2021/914) as a fallback measure. UK transfers may also rely on the UK IDTA where appropriate.

8. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected, and then delete or anonymize it unless we must retain it for legal reasons.

  • Contact inquiries: up to 2 years from the last interaction, to support follow-up and continuity.
  • Email correspondence: for the duration of the relationship and typically 1 additional year for record-keeping, unless a longer period is required by law.
  • Analytics data: typically 14 months in analytics settings, subject to configuration.
  • Marketing cookies: retained according to cookie lifetimes (often around 90 days), unless you withdraw consent sooner.
  • Server logs: typically up to 90 days for security and debugging.
  • Cookie consent record: up to 3 years for audit and compliance evidence.
  • Legal and tax records: where applicable, retained for periods required by Italian law (often 6–10 years depending on document type).

9. Your Rights (GDPR & UK GDPR)

If you are located in the EEA or UK, you have rights under data protection law, including: the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and the right to withdraw consent (Art. 7(3)).

To exercise these rights, contact us at [email protected]. We typically respond within 30 days, which may be extended by up to 60 days for complex requests as permitted by law.

You also have the right to lodge a complaint with a supervisory authority. As we are established in Italy, the supervisory authority is the Italian Garante per la protezione dei dati personali. Website: https://www.garanteprivacy.it/. General EU guidance is also available via the European Data Protection Board: https://edpb.europa.eu/.

10. Children

This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that a child under 16 has submitted personal data without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own DNT handling policies.

12. Data Deletion Requests

You may request deletion of personal data by emailing [email protected] with the subject line “Data Deletion Request”. For security, we may ask for limited information to verify your identity before completing the request. Where we must keep certain records for legal obligations, we will restrict processing to those purposes and retain only what is required.

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity. If such a transfer materially changes how personal data is used, we will provide a notice on this website.

14. California (CCPA / CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act as amended (CCPA/CPRA). In the last 12 months, we may have collected: identifiers (such as name, email, IP address, cookie IDs), internet or other electronic network activity (such as page views and interactions), and inferences (such as general interest categories derived from site interaction for advertising measurement where consent is provided).

We do not sell personal information as defined by CCPA. We may share personal information for cross-context behavioral advertising when marketing cookies are enabled. California residents can opt out by using the cookie preferences panel available from “Manage cookie preferences” in the footer.

You may request access, deletion, or correction by emailing [email protected] with the subject “California Privacy Request”. We may need to verify your identity. Authorized agents may submit requests on your behalf with proof of authorization. We will not discriminate against you for exercising your rights.

15. Virginia (VCDPA)

If you are a Virginia resident, you may have rights under the Virginia Consumer Data Protection Act (VCDPA), including rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. Submit requests by emailing [email protected] with the subject “Virginia Privacy Request”.

We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects. If you wish to appeal a decision on your request, email us with the subject “Appeal of Refusal — Privacy Request”. We respond within 60 days where required.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information as defined by Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service provider arrangements. If changes are material, we will provide a notice on the website at least 14 days before the updated policy takes effect. The “Last Updated” date at the top of this page indicates the most recent revision.

18. Contact

For questions about this Privacy Policy or to submit a privacy request, contact:

KYDOS SRL
Via Vincenzo Monti, 8
20123 Milan (Milano), Italy
Email: [email protected]
Phone: +39 02 8734 6281

If you are contacting us from Canada, please note that we handle personal data in a manner consistent with GDPR standards and, where applicable, consider Canadian privacy expectations for transparency, reasonable purpose, and access requests. If you have questions about cross-border processing, include “Canada Privacy” in your email subject and we will respond with the relevant details.