PRIVACY POLICY

Effective date: «__» __________ 2025

This Privacy Policy (hereinafter, the "Policy") governs the collection, processing, and protection of personal data of users who visit and interact with the official corporate website of the [Il Nostro] project. The document is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the ePrivacy Directive, and other applicable international and national data protection laws.

1. DEFINITIONS

Personal Data — any information relating to an identified or identifiable natural person.

Data Processing — any operation or set of operations performed on personal data, including collection, recording, organization, storage, modification, use, transfer, erasure, or destruction.

Data Controller — the entity that determines the purposes and means of processing personal data (in this case, the Company).

Data Processor — a third party that processes data on behalf of and under the instructions of the Controller.

Data Subject — the natural person to whom the personal data relates.

Cookies — small text files stored on the user's device when visiting the website, containing technical and behavioral data.

2. DATA CONTROLLER

Project Name: [Il Nostro]
Registered Address: Amsterdam, Netherlands
Privacy Contact Email: ilnostro@ilnostro.info
Phone: +39 35 100 37 467

3. CATEGORIES OF COLLECTED DATA

We collect and process the following categories of personal data:

  • Identification Data: name, surname, position, company name;

  • Contact Data: email, phone number, mailing address;

  • Technical Data: IP address, cookies, device identifiers, browser settings, system language;

  • Interaction Data: visit history, site behavior, interface actions;

  • Business Information: inquiries, business correspondence, cooperation details;

  • Marketing Data: preferences, interaction history with campaigns and content;

  • Voluntarily Provided Data: form responses, file uploads, comments.

4. PURPOSES AND LEGAL BASES FOR PROCESSING

Purpose of Processing | Legal Basis
Responding to inquiries via the website | Art. 6(1)(b) GDPR – performance of a contract or request
Communication with investors and partners | Art. 6(1)(f) GDPR – legitimate interest
Sending newsletters, insights, and offers | Art. 6(1)(a) GDPR – consent of the data subject
Analyzing user behavior | Art. 6(1)(f) GDPR – legitimate interest
Improving UI/UX and product development | Art. 6(1)(f) GDPR – legitimate interest
Ensuring security, fraud prevention | Art. 6(1)(c) GDPR – legal obligations
Legal reporting and compliance | Art. 6(1)(c) GDPR – legal obligations

5. DATA RETENTION

Personal data is stored based on the principles of data minimization and purpose limitation:

  • Contact and identification data – up to 24 months from the last interaction;

  • Technical and analytical data – up to 12 months (longer if anonymized);

  • Correspondence and documentation – up to 5 years;

  • Consent-based data – until consent is withdrawn.

After the retention period expires, data is securely deleted or anonymized.

6. DATA SUBJECT RIGHTS

Each user has the right to:

  • Request confirmation of and access to their personal data;

  • Request correction or completion of data;

  • Request deletion (“right to be forgotten”);

  • Restrict or object to data processing;

  • Port data to another controller;

  • Withdraw consent at any time;

  • Object to processing for marketing purposes;

  • File a complaint with a supervisory authority (e.g., European Data Protection Board).

7. THIRD-PARTY DATA DISCLOSURE

Data is only shared when there is a valid legal basis. Recipients may include:

  • Cloud service providers (AWS, Google Cloud, etc.);

  • Analytics and communication platforms (Google, Meta, Sendinblue, etc.);

  • Auditors, legal and tax advisors;

  • Public authorities and courts — in response to lawful requests;

  • Entities involved in mergers, acquisitions, or restructuring.

We conclude Data Processing Agreements (DPAs) with all relevant third parties.

8. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies (Web Beacons, SDKs, LocalStorage) for:

  • Proper website functionality;

  • User behavior analysis;

  • Content and ad personalization (only with consent).

Users can manage cookies via the banner on first visit or through browser settings.

9. SECURITY MEASURES

We implement high standards of data protection, including:

  • TLS/SSL traffic encryption;

  • Role-based access control and authentication;

  • Logging and auditing of access and incidents;

  • Access minimization policies and regular permission reviews;

  • Data Loss Prevention (DLP) mechanisms;

  • Backup and recovery management.

10. INTERNATIONAL DATA TRANSFERS

When processing or storing data outside the EEA, we ensure one of the following mechanisms is applied:

  • Standard Contractual Clauses (SCCs);

  • Data Privacy Framework certification of recipients;

  • Transfer Impact Assessments and compensatory measures.

11. AUTOMATED DECISION-MAKING (PROFILING)

We do not make decisions that produce legal or similarly significant effects solely based on automated processing. However, we use profiling for marketing purposes (e.g., content recommendations).

12. POLICY UPDATES

We reserve the right to update this Policy periodically. The current version is always available on our website. In case of material changes, we will notify users via additional means (e.g., email or pop-up notice).

13. CONTACT INFORMATION

For any questions, comments, or complaints regarding data processing:

Contact Person: Legal & Regulatory Affairs Department
Email: ilnostro@ilnostro.info
Mailing Address: Amsterdam, Netherlands

At [Il Nostro], we consider data protection a cornerstone of digital trust and sustainable partnerships. We are committed to transparency, ethics, and full compliance with international standards.