Privacy Policy

Privacy Information pursuant to Articles 13 and 14 of the General Data Protection Regulation (“GDPR”)

IdentifAI Lab S.r.l., with registered office in Via F.lle Gabba, 1/A, 20121 Milan (Italy), in its capacity as data controller, (hereinafter the “Data Controller”) collects and processes personal data in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), Legislative Decree 30 June 2003, n. 196, consolidated text (“Privacy Code”), the provisions and guidelines of the Italian Data Protection Authority (“Garante”) and the European Data Protection Board (“EDPB”), all collectively referred to as (“Privacy Legislation”), in compliance with privacy principles and the rights of data subjects. The Data Controller provides this privacy information pursuant to Articles 13 and 14 GDPR (“Information Notice”) to you, as a data subject1 of the processing (“Data Subject”), and uses the service provided through it, as requested by your employer with whom the Data Controller has signed a Commercial Agreement.

1. Types of personal data

The Data Controller collects and processes the following personal data concerning you:

Personal data that the Data Controller receives from your employer, in order to set up your account on the Platform and allow you to subsequently authenticate on it:

• Personal data: name and surname.
• Contact data: work e-mail address, physical address, city, postcode, country, telephone number, other possible contacts.
• Work data: employer
• Tax data: tax code, VAT number.

Personal data provided by you during navigation on the Platform and the use of related services:

• Platform usage data: IP address of the device used to access the Platform; the type and settings of the browser used by the Data Subject; date and time of log-in and log-out from the Platform.
• System and maintenance logs: files that record the Data Subject's interactions within the Platform and that may also contain personal data, such as the IP address of the Data Subject's device.

2. Purposes and legal bases of the processing

The Data Controller may collect and process personal data for the purposes and on the basis of the following legal bases:

3. Nature of the provision of Personal Data and consequences of failure to provide them.

Regarding personal data whose processing is necessary for compliance with laws and regulations or for the execution of pre-contractual measures or a contract between the Data Controller and the Data Subject, i.e. for the purposes indicated in points 1-6 of the table above, 1 the provision of the Data Subject's personal data is mandatory. Any refusal would make it impossible for the Data Controller to make the Platform and/or the offer of its services available to the Data Subject.

For the processing of personal data of Data Subjects based on the legitimate interest of the Data Controller, in relation to the purposes indicated in points 7-10 of the table above, the provision of personal data of the Data Subjects is necessary and any refusal would make it impossible for the Data Controller to make the Platform and/or the offer of its services available to the Data Subject.

For the processing of personal data of Data Subjects for which their consent is required, in relation to the purposes indicated in point 11 of the table above, the provision of personal data of the Data Subjects is optional and any refusal does not prejudice or prevent the use of the Platform and the enjoyment of the services offered by the Data Controller by the Data Subject.

4. Means and methods of processing

For the purposes of this Notice, the Data Controller processes your personal data with the aid of electronic or, in any case, automated, IT and telematic tools, with organizational methods and with logics strictly related to the purposes indicated in this Notice and in compliance with the Privacy Regulations. In the course of the processing of personal data, the Data Controller adopts adequate security measures aimed at preventing unauthorized or unlawful access, disclosure, modification or destruction of personal data.

5. Retention period

The Data Controller retains the personal data concerning the Data Subject only for the time strictly necessary to fulfill the purposes for which the data are collected and processed. Please consider that personal data contained within contracts, communications and commercial letters, invoices, bank statements may be subject to retention periods established by law, which may provide for a retention period of up to ten (10) years, based on the ordinary statute of limitations in force and/or specific provisions of the Civil Code. Furthermore, it is pointed out that the Data Controller retains the personal data relating to the Data Subject's account on the Platform, to allow access to it and use of the related service, for the entire duration of the Commercial Agreement between the Data Controller and the Data Subject's employer. If this Commercial Agreement is terminated for any reason, within two (2) days from the termination of the agreement, the Data Subject's account on the Platform will be deactivated. During this period of time, the Data Controller may process the data subject's personal data solely to store them pending definitive cancellation or anonymization, no later than the following thirty (30) days. If the processing of personal data of Data Subjects is based on the consent given by them to the processing, the personal data will be kept until the consent is revoked. What has just been reported also applies in the event that the consent of the Data Subjects has been given for the processing of personal data for marketing purposes, without prejudice to the verification by the Data Controller of the validity and timeliness of such consent at regular intervals (e.g. every twenty-four (24) months). In the event of disputes with the Data Subject, personal data will be kept until the final conclusion of the judicial and/or administrative proceedings. At the end of each personal data retention period, the Data Controller will definitively delete them from its systems and/or make them anonymous. In any case, the Data Controller may further retain personal data if necessary to comply with a legal obligation or for the exercise of its rights of defense in court.

6. Communication and international transfers of personal data

The Data Subject's personal data will not be transferred outside the European Economic Area and the European Union.

7. Persons authorized to process personal data

The Data Subject's personal data may be accessed by the Data Controller's personnel duly trained, authorized and instructed in the processing of personal data. Furthermore, in making the Platform and the service offered through it available, the Data Controller may communicate the Data Subject's personal data to parties outside its organization, such as:

• a) Technology service providers. Providers of website hosting services, who will act as Data Processors on the basis of a corresponding appointment as data processor and related instructions pursuant to an agreement for the processing of personal data pursuant to art. 28 GDPR (e.g. AWS, SimpleNetworks S.r.l., SENDINBLUE, Google).
• b) Third parties, independent data controllers, who provide assistance and consultancy services to the Data Controller, such as consultants and freelancers in legal, tax and commercial matters.
• c) Third parties, independent data controllers in the case of corporate transactions. The communication of the Data Subject's personal data may also take place in the presence of events such as mergers, acquisitions, sales of companies (or their assets) or other extraordinary transactions in which the Data Controller may need to share information with potential buyers or counterparties and their advisors.
• d) Third parties, independent data controllers, in compliance with a legal obligation or to ascertain, exercise or defend a right in court. The Data Controller may communicate the Data Subject's personal data to institutions, law enforcement agencies, judicial authorities, administrative or public security authorities, which request access to the data in the context of the performance of their institutional tasks (e.g. in the course of judicial or administrative proceedings), or for the purpose of fulfilling a legal obligation or protecting their rights. The Data Subject may request the updated list of data processors and independent data controllers to whom the Data Controller may communicate the relevant personal data, by contacting the Data Controller as indicated at the bottom of this Notice.

8. Automated decision-making process

The Data Controller does not subject the Data Subject to any automated decision-making process for the purposes of this Notice.

9. Data Subject Rights

By using the contact details indicated in section 10 of this Notice and using the form made available by the Data Controller at this link, the Data Subject may at any time exercise their rights under Articles 15 et seq. GDPR, namely:

• Right of access: In certain circumstances, the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them exists and, if so, to request access to such personal data. Access information includes, among other things, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the sources of the personal data, the retention period, the technical security measures adopted and the measures adequate to safeguard personal data in case of transfer outside the Single European Area/European3 Union. However, this is not an absolute right and the interests of other individuals may limit the right of access. The Data Subject has the right to request a copy of the personal data. For any additional copies requested, the Data Controller may charge a reasonable fee taking into account the administrative costs incurred.
• Right to rectification: In certain circumstances, the Data Subject has the right to obtain from the Data Controller the rectification of inaccurate personal data concerning them. In addition, the Data Subject4 may have the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.
• Right to erasure (right to be forgotten): The Data Subject has the right to obtain the erasure of personal data concerning them, in certain circumstances, namely (i) when the personal data are no longer necessary for the purposes for which they were collected or processed, or (ii) the Data Subject has withdrawn consent to processing and there is no other legal basis for continuing the processing, or (iii) the Data Subject has objected to the processing and there is no legitimate reason to proceed with the processing, (iv) the Data Subject has objected to the processing for direct marketing purposes, including profiling associated with marketing, or (v) the personal data have been unlawfully processed, or (vi) they must be erased to comply with a legal obligation. In such cases, the Data Controller will take steps to erase, or render permanently unintelligible, such personal data.
• Right to restriction of processing: The Data Subject has the right to obtain restriction of processing of their personal data when (i) they contest the accuracy of the personal data for the period necessary for the Data Controller to verify the accuracy, or (ii) the processing is unlawful and the Data Subject opposes the erasure of their data, or (iii) the data are no longer necessary for the Data Controller but the Data Subject needs them to ascertain, exercise or defend their rights in court, or (iv) the Data Subject objects to the processing, pending verification by the Data Controller of the existence of legitimate grounds for continuing the processing. In this case, the data will be marked and may be processed by the Data Controller only for certain purposes, namely for the storage of data, or to ascertain, exercise or defend a right in court, or to protect the rights of another natural or legal person, or for reasons of relevant public interest of the Union or Italian.
• Right to data portability: In the case of automated processing, when the processing is based on the Data Subject's consent or on a contract with the Data Controller, the Data Subject has the right to receive in a structured, commonly used and machine-readable format the personal data concerning them and which they have provided to the Data Controller, as well as the right to transmit such personal data to another data controller.
• Right to object: In certain circumstances, the Data Subject has the right to object, at any time, on grounds relating to their particular situation, to the processing of personal data by the Data Controller and may request that such personal data no longer be processed. If the Data Subject has the right to object and if they exercise this right, their personal data will no longer be processed by the Data Controller for such purposes unless the Data Controller demonstrates compelling legitimate grounds under the GDPR to continue the processing or for the establishment, exercise or defense of a right in court. If data are processed for marketing purposes, the Data Subject has the right to object at any time to processing for such purposes, including profiling to the extent that it is related to direct marketing. If the Data Subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
• Automated decision-making process: The Data Subject has the right not to be subjected to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects their person. The consent given by the Data Subject to the decision based on the automated processing of their personal data or the necessity of such a decision for the conclusion or performance of a contract between the Data Subject and the Data Controller or if the decision is authorized by European Union or Italian law is exempted from the previous prohibition.
• Withdrawal of consent: The Data Subject also has the right to withdraw consent, where given with regard to certain types of personal data processing activities. Such withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal. Please note that, in certain circumstances pursuant to Article 2-undecies of the Privacy Code, the exercise of rights may be delayed, limited or excluded. In this case, the Data Controller will provide the Data Subject without delay with a reasoned statement and the Data Subject may in any case request the Data Protection Authority to verify that the delay, limitation and exclusion referred to above are based on legitimate grounds. Finally, the Data Subject has the right to lodge a complaint with the National Supervisory Authority, i.e. the Data Protection Authority.

10. Contact details of the Data Controller

The Data Controller is IdentifAI Lab S.r.l. with registered office at Via F.lle Gabba, 1/A, 20121 Milan (Italy), which can also be contacted at the e-mail address privacy@identifai.net.