Grid+ S.r.l. (VAT no. 17387741006), with registered office in Rome, 00165, Via Andrea Ferrara, 45, in the person of its legal representative pro tempore (hereinafter also the “Company” or “Grid+”), as data controller, respects your privacy and is committed to protecting your personal data. This privacy policy (hereinafter, the “Policy”) explains the reasons for, and the methods of collecting, managing and protecting personal data in relation to the services offered through the Website www.gridplus.it.

With reference to the specific Obscura service for document anonymization, please refer to the dedicated privacy Policy on the relevant page: obscura.gridplus.it/Privacy%20policy_informativa_Grid_Obscura.pdf The Company undertakes to process your data in compliance with the General Data Protection Regulation (EU Reg. 2016/679), better known as the “GDPR”, and any other applicable privacy laws. In particular, the processing of personal data carried out by Grid+ will be based on the principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimization, accuracy, integrity and confidentiality.

This Policy is drawn up pursuant to Articles 13 and 14 of the GDPR and is intended to provide information on how Grid+ processes your personal data, collected through the use of the Website, including all data that the user provides in order to stay informed about news (for example, to subscribe to our newsletter, to interact with the company through the website’s contact form, or to take part in a survey).

The Company acts as data controller and is responsible for your personal data. You may contact the data controller to receive information about the processing of personal data and to exercise the rights that the GDPR grants to the data subject, at the following e-mail address: info@gridplus.it.

This paragraph describes the categories of personal data that we process. In paragraph 4 we will explain the purposes for which we process these categories of personal data. The personal data we collect is subject to your use of our Website and to your acceptance through the appropriate and specific web form, or through the submission of the contact form, or through the formalization of a contract with Grid+.

When you visit our Website, your browser automatically transmits certain data, such as the date and time you visited our web pages, your browser type and settings, your operating system, and your IP address. For more details about the processing of personal data collected through our website, we also invite you to read the cookie policy available here: Cookie Policy.

Through our Website, we process the following personal data relating to the following categories of data subjects:

We limit the quantity and quality of personal data collected only to what is necessary for the purpose for which it is collected, as described in the table below. We limit, protect and monitor all our IT resources against unauthorized access, damage, loss or destruction, whether physical or electronic. We retain personal data only for the time described below, to respond to your requests, within the maximum retention period provided for by law. If we retain your personal data for historical or statistical purposes, we ensure that the personal data cannot be used further. While they are in our possession, with your help, we strive to maintain the accuracy of your personal data.

To make it easier to understand the purposes, legal bases and conditions under which we process data, we provide below a table setting out the categories of personal data processed, the purposes of the processing, the “legal basis” that authorizes each processing operation and renders it lawful, as well as the period of time for which the Company will retain your personal data:

The Company also informs you that, for the purposes set out above, your personal data will be processed using IT, electronic and manual tools, in compliance with the confidentiality and security rules established by law.

Our website or app may include links to third-party websites. By clicking on such links or enabling them, third parties may process your personal data; therefore, we invite you to also refer to the privacy policy of such websites.

Within the Company’s organization, the data may be processed by collaborators/employees for carrying out the individual processing activities. Grid+ personnel do not intentionally access the content of personal data contained in identification documents and/or company documents, except for the purpose of providing the User with the requested assistance.

Furthermore, we may share your personal data with the categories of recipients listed below, for the purposes set out below, in compliance with the principles of minimization and purpose limitation, putting in place appropriate security measures. Such parties will have access to personal data only to the extent strictly necessary to ensure the proper use of our services by the User. Third parties will in any case be required to process the data in compliance with applicable law.

We will take all reasonable contractual, legal, technical and organizational measures to ensure that your personal data is processed with an adequate level of protection. In particular, for the provision of the services, the categories of parties to which we will disclose the data, on the basis of and within the limits of the purposes pursued, are:

• Suppliers and subcontractors: we may share personal data with suppliers and subcontractors that we use to provide you with the services. Examples of such suppliers and subcontractors are software and data storage providers and/or IT consultants or internal Grid+ personnel.

The data is processed within the European Economic Area (EEA).

We will retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for the purpose of satisfying any legal, accounting, or reporting requirements or obligations. To determine the appropriate retention period for personal data, we consider the quantity, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. You can find more information about the retention period in the table in paragraph 4.

GRID+ uses algorithms and Artificial Intelligence systems to provide its services. In any case, the Company does not subject the data subject (natural person) to any decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them pursuant to Article 22 GDPR.

We limit the quantity of data, collecting only what is necessary for the purpose and for the time needed to achieve it. We limit, protect and monitor all our information resources to prevent physical or electronic access, damage, loss or destruction, as well as unauthorized access, whether physical or electronic.

With regard to third-party personal data, contained in company documents, that is processed by the Software as a result of the User’s use of the Service, the User remains an autonomous data controller for the processing, for which they define the purposes and means, and will process the personal data within the limits permitted by applicable law, assuming full responsibility for it.

We remind you that you may exercise your rights relating to personal data established by Regulation (EU) 679/2016. Below is a brief description of these rights:

• a) Right to be informed

All natural persons have the right to be informed about the collection and use of their personal data. This is a fundamental transparency requirement as established by the GDPR.

• b) Right to request access to personal data

Known as a “subject access request”, it allows you to obtain a copy of the personal data we hold about you and to verify that we are processing it lawfully.

• c) Right to request the rectification of personal data

It allows you to correct any incomplete or inaccurate data we hold about you; however, we may need to verify the accuracy of the new data you provide.

• d) Right to request the erasure of personal data

It allows you to request the removal and erasure of your personal data where there is no valid reason for us to continue processing it.

You may obtain the erasure of your personal data in the cases provided for by Article 17 GDPR.

However, we inform you that in certain cases we may not be able to fulfill your erasure request for specific legal reasons (for example, where it is necessary to allow us to comply with a legal obligation or to establish, exercise or defend a legal claim), which will be communicated to you at the time of your request.

• e) Right to object to the processing of personal data:

Under the terms provided for by Article 21 GDPR, you may object to the processing of data in cases where we, or a third party, rely on legitimate interest and you believe that such processing harms your fundamental rights and freedoms in some way.

You also have the right to object to the processing of your personal data where it is used for marketing purposes.

• f) Right to request the restriction of the processing of personal data:

You may request the restriction of the processing of your personal data in the cases provided for by Article 18 GDPR.

• g) Right to request the transfer of personal data to you or to a third party:

We will provide to you, or to a party designated by you, your personal data in a structured, commonly used and machine-readable format, under the conditions provided for by Article 20 GDPR. We remind you that this right applies only to information processed by automated means and to processing carried out on the basis of consent, or in the context of the performance of the License Agreement.

• h) Right to withdraw consent at any time

You will have the right to withdraw at any time the consent given for the processing of personal data based on consent, and we will cease to use your personal data, without however affecting the lawfulness of the processing based on the consent given before its withdrawal.

• i) Right to lodge a complaint with the authority

We remind you that you always have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), located at Piazza Venezia 11, Rome, at the e-mail address: protocollo@gpdp.it

To exercise your rights or to request information about how we process your personal data, you can contact us by e-mail at the e-mail address info@gridplus.it.