Privacy policy
Pursuant to and for the purposes of (i) Legislative Decree No. 196 of June 30, 2003, the "Privacy Code", (ii) the EU Regulation 2016/679 relating to "the protection of natural persons with regard to the processing of personal data, and on the free movement of such data", the "GDPR", Articles 13 and 14, regulations jointly referred to as "Privacy Regulations", a series of obligations are established for those who process - "the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison, interconnection, restriction, deletion or destruction" - (hereafter the "Processing") of information concerning an identified or identifiable natural person (the "Data Subject").
VALETUDO SRL, Tax Code and VAT Number 00978150167, with its registered office at Via Ghiaie No. 6, 24030 Presezzo (BG) (the "Company"), wishes to inform you, in the sections below, regarding the methods and purposes of the Processing of your personal data.
Data Controller
The data controller is the entity that determines the purposes and means of the processing of personal data (the "Data Controller"), and is identified as the Company, represented by the CEO at the time.
The Data Controller can be contacted by email at: privacy@valetudo.com
Methods of collection of the data subject’s data
The Data Controller may become aware of your data under the following circumstances:
- In case of a contact request sent through the company's websites, via email, or by phone, in order to request information about the products and services offered by the Company;
- During the execution of a contract (purchase of goods or services), including pre-contractual negotiations;
- Where you provide your data during the personnel selection process;
- Where you provide your data to receive commercial communications, newsletters, and/or to be updated on events organized and marketing initiatives undertaken by the Company;
- Where you authorize the use of your data to allow the Company to conduct analysis and market research activities;
- Where you provide your data by interacting with the Company’s social media channels;
- Where commercial partners of the Company have lawfully communicated your personal data.
Categories of data subject to processing
The following categories of personal data concerning you illustrate the types of data that may be collected through various services and contact channels described in this document:
Identification Data – name, address, email address, phone number, gender, date of birth, identity document, tax code.
Financial Data – bank account details and IBAN.
Biographical Data – education, professional experience, continuous education.
Profiling Data – demographic, behavioral, interaction, usage, consumption.
(the "Data")
Purposes of Processing – Legal Basis – Retention Policy
Your personal data will be processed, predominantly through IT tools, for the purposes described below:
a) Responding to Specific Requests: Your Identification Data will be used to provide a response or specific service requested by you through the communication and contact channels of the Data Controller (email, websites, phone). It is necessary to provide the data marked with an asterisk in the online forms to complete the request.
Legal basis: To perform pre-contractual measures or a contract to which you are a party (Article 6(1)(b) of the GDPR).
Retention policy: Data will be stored for the time strictly necessary to pursue the purposes for which they were collected and, in any case, no longer than ten years from the receipt of the request.
b) Establishing the relationship and executing the contract: Your Identification and Financial Data will be used to respond to any of your commercial requests, to acquire any other preliminary information necessary for establishing the relationship, or for the execution of the contract with you.
Providing the Data is mandatory as required to fulfill legal and contractual obligations. Any refusal to provide them or subsequent opposition to the Processing may prevent the Data Controller from proceeding with contractual relationships.
Legal basis: To perform pre-contractual measures or a contract to which you are a party (Article 6(1)(b) of the GDPR).
Retention policy: Data provided in the context of your request or for the mere formalization of an estimate will be stored for a maximum of ten years. Data processed for the execution of a contract will be stored for the duration of the relationship, as well as for an additional ten years from the termination date of the same.
c) Compliance with legal obligations and fraud prevention: Your Identification and Financial Data provided under the purposes described in point b) may be used to fulfill any civil, administrative, fiscal, accounting, legal, or regulatory obligation arising from the relationship(s) with you.
The Data Controller reserves the right to process Data to prevent potential risks and fraud, as well as to defend its rights deriving from the contract in judicial or extrajudicial proceedings, including for possible debt recovery, directly or through third parties (credit recovery agencies/companies), to whom the data will only be communicated for these purposes.
Legal basis: To perform the relationship to which you are a party (Article 6(1)(b) of the GDPR), to comply with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR), for the legitimate interest of the Data Controller in preventing potential fraud or defending a right or advancing claims from the business relationship with you, unless your interests or fundamental rights prevail (Article 6(1)(f) of the GDPR).
Retention policy: Data may be stored for the time necessary to fulfill legal obligations, and in any case, for the entire duration of the contract, as well as for ten years following the end of the relevant fiscal year.
d) Candidate Selection: Your Identification and Biographical Data provided during the selection process and present in your CV will be used to evaluate your skills, experience, and qualifications, in order to select the most suitable profiles for open positions, as well as to contact you for further interviews or inform you of the outcome of the selection process.
Legal basis: To perform pre-contractual measures or a contract to which you are a party (Article 6(1)(b) of the GDPR).
Retention policy: Data will be stored for the time strictly necessary to pursue the purposes for which they were collected and in any case, no longer than six months after the conclusion of the selection.
e) Customer loyalty and marketing: Your Identification Data will be used to provide you with news and offers – through automated contact methods (such as email, SMS) and/or traditional methods (such as postal mail) regarding the services offered by the Company – and/or invitations to events, webinars, and conferences. Providing the Data is optional, and failure to provide them or refusal to authorize the Processing will result in the impossibility of carrying out the activities mentioned.
Legal basis: Consent given by you as the Data Subject (Article 6(1)(a) of the GDPR).
Retention policy: The Data may be processed until you withdraw your freely given consent.
With each communication sent, you will be informed about the possibility to oppose the Processing at any time, in a simple and free manner.
f) Market research and satisfaction surveys: Your Identification Data, provided for the purposes described in points b) and e), may be used for sending questionnaires, conducting market research, and/or measuring your level of satisfaction.
Legal basis: Pursuit of a legitimate interest of the Data Controller, consisting of understanding customer preferences, market trends, and allowing the Company to improve the services offered (Article 6(1)(f) of the GDPR).
Retention policy: The Data may be retained until you exercise your right to object to the processing. With each communication sent, you will be informed about the possibility to oppose the Processing at any time, in a simple and free manner.
g) Profiling: Your Identification and Profiling Data may be used to assess personal aspects, analyze or predict preferences related to consumption, through data analysis models, statistical algorithms, and predictive models. Providing the Data is optional, and failure to provide them or refusal to authorize the Processing will result in the impossibility of carrying out the activities mentioned.
Legal basis: Consent given by you as the Data Subject (Article 6(1)(a) of the GDPR).
Retention policy: The Data may be retained for the time strictly necessary and in any case, for a period not exceeding 7 years.
h) Interactions on social networks: Your Identification Data obtained through interactions, such as private messages and comments sent on our Social Media channels, may be used to improve our understanding of your needs, preferences, and interests.
Legal basis: To execute pre-contractual measures or a contract to which you are a party (Article 6(1)(b) of the GDPR).
Retention policy: Data collected via private messaging on the Social Media channel will be retained for the time strictly necessary to pursue the purposes for which it was collected. Data you communicate publicly through comments will be subject to the retention period defined by the policies of the Social Media platform you use to interact with the Company.
i) Defense in legal proceedings for the rights of the data controller: Where required, the Data Controller will provide your Data to Authorities and bodies responsible for law enforcement, regulations, and judicial acts, as well as to third parties in litigation.
Legal basis: Pursuit of a legitimate interest of the Data Controller consisting of the protection of its rights and/or those of third parties or cooperation with Authorities or bodies responsible for law enforcement, unless your interests or fundamental rights prevail (Article 6(1)(f) of the GDPR).
Retention policy: Data will be retained for the time strictly necessary to pursue the purposes for which it was collected. In the case of a contractual relationship, the Data may be retained for up to three years after the cessation of contractual liability between the parties.
If the Data Controller intends to process your Data for purposes other than those described above, it is obliged to inform you of those additional purposes before the Processing occurs.
Data Processing Methods
In relation to the purposes indicated above, the Company processes the Data, in compliance with the security measures outlined in Article 32 of the GDPR, using manual, computer, and telematic tools, aimed at storing, managing, and transmitting the Data, solely for the purpose of pursuing the purposes for which they were collected, and in any case, in a manner that ensures their security and confidentiality, as well as the respect of the principles of fairness, lawfulness, and transparency.
The Data Controller carries out Processing that consists of automated decision-making processes on the Data being processed.
Scope of Data Communication
Your Data may be made accessible to:
- Employees and collaborators of the Company in their capacity as persons authorized and/or designated for Processing and/or system administrators;
- Consultants and suppliers who, on behalf of the Data Controller, carry out outsourced administrative, accounting, fiscal, or legal activities;
- IT service providers offering information technology and computer infrastructure services;
- Marketing agencies for the management of targeted advertising campaigns;
- Supervisory Bodies, Judicial Authorities, and all institutional Entities to whom communication is mandatory by law for the purposes mentioned;
- Other third parties to perform the specific services requested. These third parties are provided only with the information necessary to carry out their respective functions.
All external parties to the organization are authorized and instructed to process your Data in accordance with Article 28 of the GDPR.
Data Transfer to a Third Country or International Organization
The Data is processed within the European Union and stored on servers located there. However, the Data Controller may, if necessary, transfer the data to a third country or international organization and/or move the servers outside the EU. In such a case, the Data Controller ensures that the transfer of data outside the EU will occur in compliance with the applicable legal provisions, as outlined in Article 44 of the Privacy Code and Articles 46 et seq. of the GDPR.
Rights of the Data Subject
Finally, the Company informs you that, in accordance with the current legislation on personal data protection, you may exercise specific rights at any time – as outlined in Articles 15-22 of the GDPR – and in particular, you may request from the Data Controller:
a) The right of access: the possibility to obtain from the Data Controller confirmation as to whether or not personal data processing is underway, and in such case, to access your personal data;
b) The right to rectification, including the completion of incomplete personal data;
c) The right to erasure: to have your data erased without delay upon your request, and obligatorily if:
• the personal data is no longer necessary for the purposes of the processing;
• the consent on which the processing is based is revoked, and there is no other legal ground for processing;
• the personal data has been processed unlawfully;
• the personal data must be erased to comply with a legal obligation under EU or member state law;
• the Data Subject objects to the processing, and there is no overriding legitimate reason for proceeding with the processing, or when they object to processing for direct marketing purposes under Article 21(2) of the GDPR (personal data processed for direct marketing purposes);
d) The right to restriction of processing: in cases where the accuracy of the personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or where the processing is unlawful and/or the Data Subject has objected to processing and requested its restriction;
e) The right to data portability: the right to receive from the Data Controller, in a structured, commonly used, and machine-readable format, the personal data, and to transmit such data to another Data Controller, only for cases where the processing is based on consent and for the data processed by automated means;
f) The right to object: to object to the processing of your personal data, provided the Data Controller can demonstrate legitimate grounds to continue the processing;
g) The right to withdraw consent at any time, when the processing is based on explicit consent, without affecting the lawfulness of the processing carried out before the withdrawal;
h) The right to lodge a complaint with a supervisory authority in the Member State where you reside or work, or in the State where the alleged violation occurred, without prejudice to any other administrative or judicial remedy, in case of violations of the provisions of the aforementioned Regulation.
If you wish to obtain more information about the processing of your personal data and exercise the rights mentioned above, you can send a written request using the contact details provided in the "Data Controller" section of this notice. In the case of a request for information regarding your data, the Data Controller will respond as soon as possible – unless it is impossible or would require disproportionate effort – and in any case, no later than thirty days from the request. Any inability or delays by the Data Controller in meeting the requests will be adequately explained.
Additionally, you always have the right to file a complaint with the Data Protection Authority, which can be contacted at garante@gpdp.it or through the website https://www.gpdp.it.
Last update: February 2024