INTRODUCTION

Personal data will be processed through the websites (each referred to as the “Website”) owned by the Data Controller, in compliance with the applicable legislation and the protection, confidentiality and security obligations that inspire Copyr’s activity. In the following sections of this policy, each natural person who accesses and/or interacts with a Website (“User”) is provided with detailed information on the purposes of processing, the relevant legal bases, and any other aspect concerning the operations performed on their personal data.

DATA CONTROLLER

Processing activities are carried out by Copyr S.p.A., a sole shareholder company, VAT number 00878291004, Fiscal Code: 00394920581, with registered office in Via Stephenson, 73 – 20157 Milano. The Data Subject can contact Copyr at the following addresses:

• by writing an e-mail to [email protected]
• by calling +39 02 390368.1
• by ordinary mail to the address of the registered office

WEBSITE

This privacy policy refers to the following websites:

• www.copyr.eu 
• www.copyrgiardinaggio.it

Each of the websites will be identified below by the logo mentioned above, to facilitate the User’s understanding of which processing operations are carried out from time to time.

DATA PROCESSED

The categories of data processed are as follows:

• information related to the User’s browsing activity on the Website, including online identifiers and data related to the device in use
• personal data and contact details such as name, surname, date of birth, fiscal code, personal address etc.
• information related to the interaction with the Data Controller or third parties’ online platform and/or all the available features connected to the use of social network (i.e. like, tweet, shared content etc.)
• contact information (in particular, personal address and e-mail) for marketing activities, in case of given consent
• information related to the operations performed by the User using the Website, in case of given consent.

DATA PROCESSING METHODS

The data processing will be inspired by principles of fairness, lawfulness and transparency, protecting the User’s rights and privacy in his quality of Data Subject, and will take place through the use of technological devices and materials suitable to constantly guarantee their protection and security.

Purposes, legal basis and data retention period	Purposes	Legal basis	Data retention period
	User access to the pages of the Website and its functionalities	Data processing is based on the exercise of the legitimate interest of the Data Controller	For the duration the User remains on the Website and for a maximum of 12 months
	Analysis and improvement of the functionalities of the Website and the presentation of products and services to the User	Data processing is based on the exercise of the legitimate interest of the Data Controller aimed at improving the offer of goods and services, also through the process of anonymization of the data.	Up to the data is anonymized and for a maximum of 12 months
	Communication, marketing and User contact activities for commercial purposes and/or for surveys and market research	Data processing is based on the consent of the Data Subject. In case the consent is denied, data processing is based on the exercise of the legitimate interest of the Data Controller according to the article 130 D. Lgs. 196/2003.	•12 months since the consent is given • in case of withdrawal of the consent, within the required technical timeframe to interrupt the activities
	Response to User request of contact or information with tools implemented on the Website (contact form or other technologies)	Data processing is based on the exercise of the legitimate interest of the Data Controller aimed at maintaining relations with Users and/or for carrying out pre-contractual or contractual activities	Up to 12 months from the end of interactions with the User, unless otherwise stated by the contract or by current legislation (ordinary prescription)
	User registration on the Website and provision of the services offered by the platform, including activities related to the payment of goods or services	Data processing is necessary for the performance of pre-contractual and contractual activities	Up to the end of the contractual relationship and for a maximum of 10 years, unless otherwise stated by current legislation
	Authorization to insert comment or post in dedicated areas (forum, guestbooks, comments on articles) and relative publication of the Username of the post/article author	Data processing is based on the exercise of the legitimate interest of the Data Controller aimed at providing the service	Up to the user cancellation
	Acquisition and processing of personal data to fulfill accounting, tax and administrative obligations	Data processing is necessary to fulfill legal obligations to which Data Controller is subject	Up to the end of the contractual relationship and for a maximum of 10 years, unless otherwise stated by current legislation
	Response to requests made by administrative, jurisdictional or public security authorities	Data processing is necessary to fulfill legal obligations to which Data Controller is subject	For a maximum of 10 years, unless otherwise stated by current legislation
	Sending newsletters to the User, in case he/she expressively requested it	Data processing is based on the consent of the Data Subject	Up to the end of the contractual relationship and for a maximum of 10 years, unless otherwise provided by current legislation
	User profiling activities, aimed at providing better products and services more in line with his interests and needs	Data processing is based on the consent of the Data Subject	•12 months since the consent is given • in case of withdrawal of the consent, within the required technical timeframe to interrupt the activities
	Re-contacting the User, as a customer and/or potential customer, following events, occasions, or meetings during which the Data Controller or third parties have collected personal contact details.	Data processing is based on the consent of the Data Subject	Until consent is withdrawn
	Use of training via the Hubspot platform	Data processing is based on the consent of the Data Subject	Until consent is withdrawn

LEGITIMATE INTEREST OF THE DATA CONTROLLER

The specific interests pursued by Data Controller are shown in the table under item “purposes”. If the User wishes to receive further information about the balance between the legitimate interests pursued by Copyr and his/her fundamental rights and freedom, he/she can ask for clarifications at the address indicated, having the right to receive adequate feedback as soon as possible and in any case within the time limits set by law.

MAXIMUM TERM OF DATA RETENTION AND SUBSEQUENT ACTIVITIES

In the event of litigation with the User or with third parties, or control of the competent Authorities, the conservation may be extended up to the expiry of the last applicable prescription period. At the end of each of the periods indicated above, the Data Controller undertakes to delete all personal data that is no longer necessary in relation to each of the legal bases listed, or, alternatively, to proceed with their definitive and irreversible anonymization.

CONSEQUENCES OF FAILURE TO PROVIDE DATA

The provision of personal data from time to time indicated as mandatory is necessary to pursue the related purposes: not providing such data makes it impossible to proceed with the related processing.

The provision of the other personal data is optional: failure to provide such additional data may make it impossible to access all or part of the Website’s function or characteristics in whole or in part.

PERSONAL DATA OBTAINED FROM THIRD PARTIES ON THE BASIS OF JOINT OWNERSHIP PROCESSING

This privacy policy is valid for Data Subject also according to the Article 14 GDPR, if he/she intends to use the registration function on the Website through a connector offered by the following social networks:  Facebook (owned by Facebook Ireland Ltd. and/or Facebook Inc.); LinkedIn (provided by LinkedIn Ireland Unlimited Company). The Data Controller informs that the data processing may also be carried out through the social networking platform identified above through the official pages of the Company. In such cases, data processing will be carried out under the so-called “joint ownership”, according to the guidelines and terms of use of each platform, as set by the relative owners.

AUTOMATED DECISION-MAKING PROCESSES

The Website does not process any personal data through automated decision-making processes, according to Article 22 (1) and (4) GDPR. In any case, any automated operations will not have any legal effect on the data subject or significantly affect them, unless the User has given their specific and express informed consent in accordance with the limits of the law.

CATEGORIES OF SUBJECT THAT PROCESS PERSONAL DATA

Whitin the limits of the obligations, tasks or purposes indicated above, personal data may be made available and/or communicated to:

• employees and/or collaborators of the Data Controller
• judicial, administrative and/or public security authorities, in compliance with regulatory provisions
• other third parties appointed as Data Processor (such as suppliers)

The Data Controller is particularly keen to inform the User that the services of the following third parties are used:

• Usercentrics A/S for the managing the cookies of each Website
• Hubspot, Inc. for the management of form and contacts received from Users
• The Rocket Science Group LLC. (MailChimp) for managing newsletters
• Twenty-three Aps, for the management of the video-marketing platform
• Microsoft Ireland Operations Limited, for the training service.

The complete list of Data Processors and third parties can be requested from Data Controller at any time, at the indicated references.

THIRD PARTIES SERVICES

The Data Controller has incorporated some videos saved on the YouTube platform. The User can view such contents directly from the pages of the website in which they are incorporated. YouTube can collect data on web traffic relating to the pages where the service is installed.

YouTube is a service operated by Google Ireland Ltd and tracks usage data for such videos.

TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

Personal data may be transferred to countries outside the EEA exclusively for technical needs, in any case to subjects based in countries recognized as adequate by the European Commission, or with the stipulation of specific Standard Contractual Conditions in the text approved by the European Commission.

COOKIES

Cookies are small text files that are transmitted from the Website to the devices of users who visit it, and which are then retransmitted to the Website on subsequent visits; they may have different characteristics and be used for different purposes, both by the Data Controller and by third parties who provide technical services to the Data Controller or directly to the User. For any questions, please refer to the complete policy regarding cookies and other online identifiers (see table below).

DATA SUBJECTS’ RIGHTS

The User, as a Data Subject according to the GDPR, can at any time exercise the rights attributed to him by the Regulation.

In particular, the User has the right to:

• access his/her personal data
• obtain the correction or cancellation of the same or the limitation of the processing that concern him/her
• oppose the processing
• obtain his/her data portability, where provided by the law
• withdraw consent, where provided: the withdrawal of consent does not affect the lawfulness of the processing based on the consent given before the revocation
• lodge a complaint with the supervisory authority

Last updated on: 7^th August, 2025