This notice describes how IESolution 2.0 s.r.l. (hereinafter "IESolution", "we") processes personal data collected through the website www.iesolution.it and the connected services, in accordance with EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code) as amended by Legislative Decree 101/2018.
1. Data controller
The data controller is:
- IESolution 2.0 s.r.l.
- Registered office: Via Vallesana 1, Parco Poggio Vallesana pal. Acacia sc.B, 80016 Marano di Napoli (NA), Italy
- VAT / Tax code: IT 10556961216
- REA: NA 10556961216
- LEI: 815600CF830EDDF77854
- Email: [email protected]
- Certified email (PEC): as per company chamber registry
- Phone: +39 081 19681204
To exercise GDPR rights or for any request relating to personal data processing, the controller can be contacted at the addresses above with the subject "Privacy — data subject request".
2. Personal data processed
In connection with website and service use, IESolution may process the following categories of data:
2.1 Navigation data
The IT systems and software procedures used to run the website acquire, in their normal operation, some data whose transmission is implicit in Internet communication protocols: IP addresses, domain names of users' computers, URI addresses of requested resources, request time, HTTP method, response status code, parameters relating to the user's operating system and browser environment.
2.2 Voluntarily provided data
By filling in the contact form, requesting a demo or writing to our email addresses, the user provides identification and contact data: first name, last name, company name, job role, work email, phone number, message content. This may also include any additional data the user voluntarily chooses to share.
2.3 Cookies and similar technologies
The website uses exclusively technical cookies necessary for operation. For details refer to the Cookie Policy.
3. Purposes of processing
Personal data is processed for the following purposes:
- Responding to user requests (demo request, sales information, support, general contact): replying to messages sent via the website or email, conducting pre-contractual activities and providing the requested information.
- Execution of contractual relationships and related obligations: SaaS contract management, customer support, invoicing, accounting and tax compliance.
- Compliance with legal obligations: civil, tax, anti-money-laundering rules, document retention under arts. 2214-2220 of the Italian Civil Code, IT security and operational resilience obligations (DORA, NIS2, GDPR).
- Website security and fraud prevention: detection of anomalous access, protection against cyber attacks, audit logs for infrastructure security, investigation of illegal site use.
- Legal defence: establishment, exercise or defence of a right in court, civil or out-of-court proceedings.
- Service communications: updates on existing contracts, service changes, technical or legally relevant communications.
4. Legal basis
The legal bases for processing under art. 6 GDPR are:
- Art. 6.1.b GDPR — performance of a contract to which the data subject is party or pre-contractual measures at the data subject's request (purposes 1 and 2).
- Art. 6.1.c GDPR — compliance with a legal obligation (purpose 3).
- Art. 6.1.f GDPR — legitimate interest of the controller in infrastructure security, defence of its rights and proper continuation of the business relationship (purposes 4, 5 and 6). The balancing test between legitimate interest and data subject rights is documented internally and available on request.
Providing the data is optional, but failure to provide the strictly necessary data (e.g. email to receive a reply) makes it impossible to follow up on the request.
5. Retention period
Personal data is kept for the time strictly necessary to achieve the purposes for which it was collected, in accordance with the minimisation principle (art. 5.1.c GDPR) and according to the following criteria:
- Contact data from forms / email: up to 24 months from the last active contact, unless a contractual relationship is subsequently established.
- Contractual and accounting data: 10 years from the date the relationship ended, pursuant to arts. 2214 and 2220 of the Italian Civil Code and Presidential Decree 633/1972.
- System and security logs: up to 12 months, unless longer retention is required for ongoing security investigations or legal obligations (e.g. art. 132 Legislative Decree 196/2003 for traffic data, where applicable).
- Data processed for legal defence: until the applicable limitation period (typically 10 years under art. 2946 c.c.) and for as long as needed to exercise the right.
Once these periods expire, data is deleted or made irreversibly anonymous, except for archiving for statistical or public-interest purposes compatible with the original purposes (art. 89 GDPR).
6. Data recipients
Data may be disclosed to parties duly appointed as Data Processors under art. 28 GDPR, including:
- Transactional email service providers (Turbo SMTP, Amazon Web Services Simple Email Service) for sending service communications and replies to requests.
- Cloud service providers for infrastructure hosting and backups, accredited and subject to due-diligence review under EU Reg. 2022/2554 (DORA).
- External consultants in legal, tax, accounting and compliance fields, exclusively for matters in their competence.
- Parties tasked with specific website-related services (maintenance, security monitoring, anti-fraud).
Data may also be disclosed to public bodies (judicial authority, IVASS, Italian Data Protection Authority, Italian Tax Agency, supervisory bodies) when required to fulfil legal obligations or to satisfy authority requests.
Data is not disseminated and is not sold, transferred or exchanged with third parties for marketing purposes.
7. Non-EU transfers
Personal data is mainly processed within the European Economic Area (EEA). Where some providers use infrastructure or services in non-EU countries (e.g. United States for cloud providers), transfer occurs only in the presence of one of the safeguards provided by Chapter V GDPR:
- European Commission adequacy decision (e.g. EU-US Data Privacy Framework for certified US companies);
- Standard Contractual Clauses (SCC) adopted by the European Commission via Decision (EU) 2021/914;
- Supplementary technical and organisational measures where required following a Transfer Impact Assessment (TIA) under Schrems II case law.
A copy of the safeguards applied for each transfer can be provided on request.
8. Data subject rights
Under arts. 15-22 GDPR, the data subject has the right to:
- Access (art. 15): obtain confirmation of processing and a copy of the personal data processed.
- Rectification (art. 16): update or correct inaccurate or incomplete data.
- Erasure (art. 17): obtain deletion of one's own data in the cases provided by law.
- Restriction (art. 18): limit processing in the cases provided by law.
- Portability (art. 20): receive the data provided in a structured, commonly used and machine-readable format, and transmit it to another controller.
- Objection (art. 21): object to processing based on legitimate interest, for reasons connected to the data subject's particular situation.
- Not be subject to automated decisions (art. 22), including profiling (see section 10).
Rights can be exercised by writing to [email protected] with subject "Privacy — data subject request", indicating the right to be exercised and providing the data needed to identify the requester. A response is given within 30 days of receiving the request, extendable by a further two months in case of complex or numerous requests (art. 12.3 GDPR), with prior notice.
9. Complaint to the supervisory authority
Without prejudice to the right to a judicial remedy, the data subject has the right to lodge a complaint with the Italian Data Protection Authority under art. 77 GDPR:
- Garante per la Protezione dei Dati Personali
- Piazza Venezia, 11 — 00187 Rome, Italy
- Website: www.garanteprivacy.it
- Email: [email protected]
10. Automated decisions and profiling
IESolution does not carry out processing consisting of solely automated decisions, including those producing legal effects on the data subject or significantly affecting them, under art. 22 GDPR. No profiling activity is carried out on visitors of the institutional website.
11. Cookies
For information on cookies used by the site, purposes, duration and management methods, please refer to the Cookie Policy.
12. Changes to this notice
This notice may be updated. Any substantive changes will be communicated to data subjects through the website or, where possible, by direct communication. The date of the latest update is indicated at the top of the document. The history of previous versions can be obtained by contacting the controller.
EU Reg. 2016/679 (GDPR) · Italian Legislative Decree 196/2003 and 101/2018 (Privacy Code) · Italian Garante's measure of 8 May 2014 and subsequent cookie measures (10 June 2021) · EU Reg. 2022/2554 (DORA) · Applicable EDPB guidelines.