Privacy Policy

Information on the processing of personal data - 1

Effective from 22/05/2025

PREAMBLE

This notice takes into account the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR) and the Privacy Code (Legislative Decree No. 196 of June 30, 2003). The document is also prepared in accordance with the Guidelines of the Privacy Guarantor (Guidelines for Countering Spam, July 4, 2013).

DATA CONTROLLER

BLUEBILOBA STARTUP INNOVATIVE S.R.L., VIA COLUCCIO SALUTATI 78 - 50126 - FLORENCE (FI) - P.IVA 06826060482, Phone: +39 335 789 5874, Email: privacy@bluebiloba.com

Site to which this privacy policy refers: https://www.remainitalia.it/ (Sito).

The Data Controller has not appointed a Data Protection Officer (DPO) as the conditions for obligation do not apply. Therefore, you can send any request for information directly to the Data Controller.

GENERAL INFORMATION

This document describes how the Data Controller processes your personal data provided on the Site.

The main processing activities of your personal data are described below. In particular, the legal basis of the processing, whether the provision is mandatory, and the consequences of not providing personal data are explained. To best describe your rights, where necessary, it is also indicated if a specific processing activity is not carried out.

CATEGORIES OF PERSONAL DATA PROCESSED, PURPOSES, LEGAL BASIS, AND RETENTION PERIOD

Site Registration: not performed..

Purchases on the Site : not provided for..

Responding to Your requests – Data sent via the indicated communication channels (email, telephone) are processed to provide a response (legitimate interest of the Controller, Art. 6 §1 f GDPR, or execution of pre-contractual measures Art. 6 §1 b GDPR).

Generic Marketing not performed (the Controller does not send unsolicited promotional communications unless prior consent is given).

Profiling (for marketing or advanced personalization purposes): not performed..

Transfer of data to third parties for their own purposes: not performed..

Geolocation (for location-based services requiring consent): not performed..

Curriculum Vitae (Candidature): not specifically solicited through the Site..

Online Bookings: not present.

Publication of user photos and videos: not performed..

Web scraping – The use of automated processes or scraping systems to extract data from the Site without written authorization from the Controller is prohibited.

Security Measures

Adequate technical and organizational measures pursuant to Art. 32 GDPR (e.g., encryption, backup, access control).

Communication of personal data

Within its ordinary activities, the Data Controller may communicate your personal data to certain categories of subjects. In Article 2, you can find the list of subjects to whom the Data Controller communicates your personal data. To facilitate the protection of your rights, Article 2 may specify in some cases when your data are not communicated to third parties.

The "communication" of personal data to third parties is different from "transfer" (governed by the preceding point, if carried out and if it requires consent). In fact, in communication, the third party to whom the data is transmitted can use it only for the specific purposes described in the relationship with the Data Controller (typically acting as a Data Processor). In transfer, however, the third party becomes an autonomous Data Controller of the personal data, and your consent is always required to transfer your personal data to third parties for their own autonomous purposes.

Notwithstanding the foregoing, it is understood that the Data Controller may still use your personal data to correctly fulfill obligations imposed by current laws.

SPECIFIC PRIVACY INFORMATION

Art. 1 Processing methods

1.1 The processing of your personal data will mainly be carried out with the aid of electronic or otherwise automated means, according to methods and with tools suitable for guaranteeing their security and confidentiality, in compliance with the GDPR.

1.2 The information acquired and the processing methods will be relevant and not excessive compared to the type of services rendered. Your data will also be managed and protected in secure IT environments appropriate to the circumstances.

1.3 Through the Site, as a rule, "special categories of data" (as defined by Art. 9 GDPR, e.g., data relating to health, racial origin, religious beliefs) are not processed. Should it be strictly necessary to process such data for a specific purpose (e.g., user request), this will only occur with your explicit consent or other suitable legal basis.

1.4 Judicial data (Art. 10 GDPR) are not processed through the Site.

Art. 2 Communication of personal data

The Data Controller may communicate your personal data, for the indicated purposes, to the following categories of subjects:

• Subjects who can access the data by virtue of legal provisions, regulations, or EU legislation, within the limits provided by such rules (e.g., Public Authorities, law enforcement).

• Employees and collaborators of the Controller, specifically authorized and instructed in data processing.

• Service providers who typically act as Data Processors pursuant to Art. 28 GDPR (e.g., technical service providers, hosting providers, IT companies, communication agencies, postal services, email sending platforms). The updated list of Data Processors can be requested from the Controller.

• As no direct purchases involving online payments managed by the Controller / shipments are provided for on the Site, there is no communication of data to payment institutions or couriers for such purposes.

• Legal, administrative, and tax consultancy firms, if communication is necessary or functional for the correct fulfillment of regulatory obligations or for the protection of the Controller's rights.

The Data Controller will not disseminate your personal data, except for specific legal provisions or your explicit consent.

Art. 3 Retention of personal data

3.1 Your personal data will be kept for the time strictly necessary to achieve the purposes for which they were collected, in compliance with the principle of minimization and storage limitation (Art. 5 GDPR). The specific retention periods for the different categories of data and purposes are indicated in the "CATEGORIES OF PERSONAL DATA PROCESSED..." section at the beginning of this policy.

3.2 At the end of the retention period, the data will be deleted, anonymized, or destroyed, unless their further retention is necessary to comply with specific legal obligations (e.g., ten-year retention for billing data pursuant to tax legislation) or to protect a right in court.

Art. 4 Transfer of personal data

4.1 The Data Controller is based in the European Economic Area (EEA). Personal data are mainly processed within the EEA.

4.2 As a rule, personal data are not systematically transferred outside the European Economic Area, except for the use of third-party services that guarantee adequate protection measures as indicated above.

For more information on the guarantees relating to data transfers outside the EEA, you can contact the Controller.

Art. 5. Rights of the data subject

In relation to the processing described in this policy, as a data subject, you may, under the conditions provided by the GDPR, exercise the rights set forth in Articles 15 to 22 of the GDPR and, in particular, the following rights:

• Right of access (Art. 15 GDPR): the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to your personal data.

• Right to rectification (Art. 16 GDPR): the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data.

• Right to erasure (right to be forgotten) (Art. 17 GDPR): the right to obtain, without undue delay, the erasure of personal data concerning you, in the cases provided for by the GDPR.

• Right to restriction of processing (Art. 18 GDPR): the right to obtain the restriction of processing, in the cases provided for by the GDPR.

• Right to data portability (Art. 20 GDPR): the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning you provided to the Controller and the right to transmit those data to another controller without hindrance, in the cases provided for by the GDPR.

• Right to object (Art. 21 GDPR): the right to object, at any time on grounds relating to your particular situation, to the processing of personal data concerning you based on the lawfulness condition of legitimate interest or the performance of a task carried out in the public interest or in the exercise of official authority, including profiling, unless there are compelling legitimate grounds for the Controller to continue the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Furthermore, the right to object at any time to processing where personal data are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.

• Right to withdraw consent: where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): the right to lodge a complaint with the Italian Data Protection Authority (Piazza Venezia 11, 00187, Rome (RM) - [www.gpdp.it](http://www.gpdp.it)).

The above rights may be exercised by an informal request to the Data Controller at the contacts indicated at the beginning of this policy (Email: privacy@bluebiloba.com). privacy@bluebiloba.com).

Art. 6. Amendments and Miscellaneous

The Data Controller reserves the right to make changes to this policy at any time, by giving appropriate notice to Users on this page and, where technically and legally feasible, by sending a notification to Users through one of the contact details in its possession. Therefore, please consult this page regularly, referring to the date of the last update indicated at the bottom.

If the changes affect processing whose legal basis is consent, the Controller will collect the User's consent again, if necessary.

Last updated: 22/05/2025