monetaise.com
Privacy notice
Last updated: 26 May 2026.
Who we are
monetaise.com is the trading name of the independent advisory practice founded by Gianluca Carrera. We are the data controller for the personal data described in this notice. We operate as a sole practitioner based in Italy. The consultancy is independent and unaffiliated with any larger group.
Questions, requests, and the rights set out below should be directed to monetaise@monetaise.com. We aim to respond within five working days; statutory deadlines (typically one month under the GDPR) apply where relevant.
What we collect, and when
We only collect data you choose to enter. There are two collection points on the site:
- The assessments (/diagnostic, /readiness, /cx-readiness, /cfo-readiness). You give us company context — industry, revenue band, business model, geography, company name and website (both optional) — and answer the maturity questions on a 1–5 scale. These answers, plus your deterministic scores and the AI-generated narrative, are stored against an anonymous session ID at this stage. No personal contact information is required to complete an assessment or see your scores.
- The optional lead-capture form on the results page. If you choose to receive the full written report by email, you give us your first name, email address, role (optional), and a GDPR consent confirmation. You can also optionally opt in to our newsletter at the same point. Only at this step do your assessment answers become linked to a person.
The Express diagnostic (/diagnostic) additionally asks for company name, phone (optional), and how you heard about us, when you request a quote.
We also collect basic technical data automatically when you visit: your IP address, browser and device type, the pages you visit, and the referring URL. This is used for security, anti-abuse, and aggregate analytics — see Cookies and analytics below.
Why we collect it (lawful basis)
Under the GDPR, every processing activity needs a lawful basis. Ours are:
- Delivering your report and follow-up — your explicit consent, given via the tickbox at the lead-capture form (Art. 6(1)(a) GDPR). You can withdraw consent at any time; the withdrawal does not affect processing done before withdrawal.
- Generating anonymous peer benchmarks — our legitimate interest in providing comparative context to respondents (Art. 6(1)(f) GDPR). Benchmarks are computed from aggregate scores only; individual rows flagged as test/QA, and rows where you have not consented to be contacted, are still counted in the aggregate but never identified to anyone else.
- Sending you the newsletter, if you opt in — your explicit consent (Art. 6(1)(a)). Every email contains an unsubscribe link.
- Responding to a request for quote — necessary for steps prior to entering a contract at your request (Art. 6(1)(b)).
- Security, fraud prevention, and aggregate analytics — our legitimate interest in keeping the service safe and measurable (Art. 6(1)(f)).
Where your data goes
To run the service we use a small number of specialist processors. Each acts on our instructions and is bound by contract (and by the relevant data-transfer commitments published on their site).
- Supabase (database + storage) — your assessment answers, scores, AI narrative, and lead details are stored in a Supabase Postgres project hosted in the EU (Frankfurt, eu-north-1). Service-role access only; no public read.
- Anthropic (AI inference) — your assessment answers are sent to Anthropic's Claude API to generate the written analysis. Anthropic is a US company; transfers rely on their published data-processing terms and standard contractual clauses. Inputs are not used to train Anthropic's models, per their commercial terms.
- Resend (email delivery) — sends your report email and any administrative communications. US-based; transfers rely on standard contractual clauses.
- Vercel (web hosting) — runs the site itself. US company with EU edge servers. Request logs (IP, path, status) are retained for operational diagnostics.
- Google Analytics 4 (aggregate site analytics, when enabled) — collects anonymised usage data via cookies. We do not send personally identifying fields to GA. IP anonymisation is enabled by default in GA4.
- Substack (newsletter, if you opt in) — your email address is added to our publication on Substack. US-based; their privacy policy governs how they handle your subscription.
We do not sell your data, do not share it with advertisers, and do not pass it to other third parties beyond what is listed above.
How long we keep it
- Assessment answers + scores + narrative — retained indefinitely in anonymised, aggregated form for benchmarking. Rows with an identified lead are kept while the contact relationship is active, and for up to three years after the last interaction, then deleted.
- Lead details (name, email, role, company) — kept while you remain a contact and for up to three years after our last interaction, then deleted. You can ask for deletion sooner; see below.
- Newsletter subscription — kept until you unsubscribe.
- Technical / log data — kept for up to 90 days for security and diagnostics, then rotated out.
Your rights
Under the GDPR you have the right to:
- Access — get a copy of the personal data we hold on you.
- Rectification — correct anything that is wrong or incomplete.
- Erasure — ask us to delete your personal data ("right to be forgotten"). We will delete it within one month unless we have a legal obligation to keep it.
- Restriction — ask us to limit how we use your data, e.g. while a correction is being verified.
- Portability — receive your data in a structured, machine-readable format (we will provide JSON on request).
- Objection — object to processing based on legitimate interests (e.g. benchmarking). We will stop unless we have compelling grounds that override your interests.
- Withdraw consent at any time, where consent is the lawful basis. Newsletter unsubscribe is one-click via every email footer; everything else, email us.
- Lodge a complaint with a supervisory authority. In Italy this is the Garante per la protezione dei dati personali.
To exercise any of these rights, email monetaise@monetaise.com from the address you used to contact us, or with enough information to identify your record. We will not charge for reasonable requests.
Cookies and analytics
The site uses a minimal set of cookies. Strictly necessary cookies run the site itself (session, security). When Google Analytics is enabled, GA4 sets first-party cookies (_ga, _ga_*) to count visits and measure aggregate usage. We do not use third-party advertising or retargeting cookies, and we do not embed third-party trackers from social platforms.
We do not currently display a cookie banner because the only non-essential cookies in scope are first-party analytics cookies with IP anonymisation. If we add anything that requires prior consent (advertising, third-party tracking, social embeds), we will add a consent layer first.
Children
monetaise.com is a B2B service intended for executives and professionals. It is not directed at children, and we do not knowingly collect data from anyone under 16. If you believe a child has submitted personal data through the site, email us and we will delete it.
Security
We rely on HTTPS in transit, encrypted-at-rest storage at Supabase, service-role-only access to the database, and minimum-necessary permissions for every processor. No system is perfectly secure; if a breach occurs that is likely to affect your rights, we will notify both the supervisory authority within 72 hours and you, the affected individuals, without undue delay.
Changes to this notice
We may update this notice from time to time as the service evolves. Material changes will be flagged at the top of this page and, where they affect you specifically, communicated by email. The "Last updated" date above always reflects the most recent revision.