PRIVACY POLICY
pursuant to Articles 13 and 14 of EU Regulation No. 679/2016 (GDPR)
In order to conduct correct and transparent processing, Aptus.AI S.r.l. renders the following information - drafted pursuant to Articles 13 and 14 of Regulation (EU) No. 679/2016 on the "Protection of Individuals with regard to the Processing of Personal Data" ("GDPR"), Legislative Decree No. 196/2003 (so-called "Privacy Code"), as amended by Legislative Decree 101/2018 - intended for all those who visit and interact with the Website www.aptus.ai ("Website").
1. Data Controller - Who processes your data?
The data controller who process your personal data is Aptus.AI S.r.l., with a registered office in Pisa (PI), Via dell'Argine n. 1, 56122, VAT no. 02288220508 ("Controller"). For any questions concerning the processing of your personal data, you may contact the Data Controller at the following addresses:
a) Mail: at the registered office;
b) E-mail: info@aptus.ai;
c) PEC: aptus.ai@pec.it.
2. Subject of processing - What personal data do we process?
The Data Controller collects and processes the following personal data:
(a) Personal data directly provided by the data subject: personal data directly provided by the data subject: personal data, identifying and non-sensitive data (such as name, surname, e-mail address, telephone number, data relating to employment and education, skills and professional qualifications;
(b) Personal data not directly provided by the data subject: personal data not directly provided by the data subject: personal, identifying and non-sensitive data automatically collected while browsing the Website (such as, for example, the accesses to a certain page, the amount of data transferred, ID numbers, IP addresses, URL addresses, cookies, etc. - click here to view our Cookie Policy).
The personal data collected and processed by the Controller include:
(c) Personal data directly provided by the data subject: personal, identifying and non-sensitive data (in particular, name, surname, e-mail address, telephone number, data relating to employment and education, skills and professional qualifications);
(d) Personal data not directly provided by the data subject: personal, identifiable and non-sensitive data collected automatically when browsing the Website (e.g. page accesses, amount of data transferred, session ID numbers, IP addresses, URL addresses, cookies, etc.), and which are collected automatically when the Website is visited. - click here to view our Cookie Policy).
3. Purpose and legal basis of processing - Why do we process your personal data?
The Data Controller may process your personal data, also by manual, computerized and telematic means, for the following purposes:
(a) Allow the web browsing on the Website:
Some of your personal data may be automatically collected during the browsing on the Website. In order to process some of this data, it is necessary to acquire your consent (e.g. analytics cookies), for others your consent is not necessary (e.g. technical cookies).The legal basis of this processing is, in the first case, the consent (Art. 6, c. 1, lett. a) of the GDPR) or, in the second case, the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR).The legitimate interest of the Data Controller consists in ensuring a secure browsing on the Website and its smooth operation. Without prejudice to the provisions of Section 7 lett. (c), you have the right to object at any time, on grounds related to your particular situation, to the processing of your personal data performed for the purpose in question. In order to exercise such right, you may contact the Data Controller at one of the addresses listed under Section 1 ("Data Controller - Who processes your data?").For further information on the methods of processing for this specific purpose, on the data retention time or for other details, please consult our Cookie Policy.
If you are simply browsing the Website, this is the only processing that we perform on your personal data.
(b) Send informational and promotional communications.
Your personal data may be used for general marketing purposes, including the sending of informational and promotional communications related to the services offered by the Data Controller.
The legal basis for this processing is the explicit consent of the data subject (Art. 6, c. 1, lett. a) of the GDPR).
If you change your mind, you may withdraw your consent in any moment or object to this processing by contacting the Data Controller at one of the addresses listed under Section 1 ("Data Controller - Who processes your data?") or through the “unsubscribe” link included in any promotional communication sent by the Data Controller.
Providing data for this purpose is optional: there is no legal or contractual obligation on your part.
(c) Respond to requests.
Your personal data may be processed to manage and respond to requests for information, assistance or of other nature sent to us. The legal basis for this processing is the performance of a contract, the implementation of pre-contractual measures at the request of the data subject Art. 6, c. 1, lett. b) of the GDPR) or, as the case may be, the legitimate interest of the Data Controller (Art. 6, c. 1, lett. f) of the GDPR.
It constitutes a legitimate interest of the Data Controller to respond to requests for information, reports complaints or claims from data subjects. This legitimate interest of the Data Controller also coincides with the legitimate interest of the data subjects making the requests, who can reasonably expect their personal data to be used by the Data Controller to provide a response within the context of their relationship. The legitimate interest of the Data Controller thus identified may therefore be deemed to override the fundamental rights and freedoms of the data subject, also due to these reasonable expectations.
The provision of personal data for this processing is necessary and, therefore, failing to provide such data shall result in the impossibility to respond to your requests. Without prejudice to the provisions of Section 7 lett. (c), you have the right to object at any time, on grounds related to your particular situation, to the processing of your personal data performed for the purpose in question. In order to exercise such right, you may contact the Data Controller at one of the addresses listed under Section 1 ("Data Controller - Who processes your data?").
(d) Process applications for open positions listed in the "Careers" section of the Website and spontaneous applications.
Your data may be processed for the processing and consequent management of applications for open positions listed in the "Careers" section of the Website, or of spontaneous applications, which may be forwarded to the Data Controller from the same section of the Website.
The legal basis for this processing is the implementation of pre-contractual measures at the request of the data subject; (Art. 6, c. 1, letter b) of the GDPR). The provision of data for this purpose is necessary and, therefore, failing to provide such data shall result in the impossibility to process and manage your application.
(e) Allow the exercise of your rights.
The Data Controller may process your personal data in order to:
i. Respond to requests for the exercise of the right related to the provision of services on the Website;
ii. Carry out activities that are necessary as a consequence of the exercise of such rights;
iii. Receive and respond to requests for the exercise of rights related to the protection of personal data, as provided for by GDPR, and to perform all related activities.
The legal basis for this processing is the compliance with a legal obligation to which the Data Controller is subject (Art. 6, c. 1, letter c) of the GDPR). The provision of data for this purpose is necessary and, therefore, failing to provide such data shall imply the impossibility for the Data Controller to allow the exercise of your rights.
(f) Exercise our rights.
The Data Controller may process your personal data for the ascertainment, exercise or defense of a right before all the competent authorities. The legal basis for this processing is the legitimate interest (Art. 6, c. 1, lett. f) of the GDPR).
It is a legitimate interest of the Data Controller to seek legal remedies to ensure the respect of its contractual rights, or to demonstrate its compliance with obligations arising from the contract with the data subject or imposed on the Data Controller by law. Its legitimate interest is further grounded in the constitutionally protected right to defense. The legitimate interest of the Data Controller thus identified may therefore be deemed to override the fundamental rights and freedoms of the data subject.
Without prejudice to the provisions of Section 7 lett. (c), you have the right to object at any time, on grounds related to your particular situation, to the processing of your personal data performed for the purpose in question. In order to exercise such right, you may contact the Data Controller at one of the addresses listed under Section 1 ("Data Controller - Who processes your data?").
4. Data disclosure – Who are the recipients of your personal data?
Your personal data will be processed exclusively by employees and collaborators of the Data Controller, specifically authorized pursuant to Articles 29 of the GDPR and 2-quaterdecies of the Privacy Code, or by companies expressly appointed as data processors, pursuant to Article 28 of the GDPR.
The data subject may request from the Data Controller, at any time, an updated list of the data processors carrying out processing operations on your personal data.
Your personal data will not be disseminated in any way, meaning it will not be made known to indeterminate subjects, in any form, even through mere availability or consultation.
5. Data transfer - To whom are your personal data transferred?
In general, the Data Controller does not transfer the personal data of data subjects to recipients in third countries outside the European Union or to international organizations. In the event that this should occur, the Data Controller ensures that all transfers will be subject to the appropriate safeguards described in Article 46 of the GDPR.
6. Data retention period - How long do we keep your personal data?
The period for which the personal data are stored for your personal data depends on the specific processing carried out and on the purpose pursued:
(a) Personal data processed for the purposes set out in point 3(a) will be retained for the periods indicated in the Cookie Policy;
(b) The personal data processed for the purpose referred to in point 3, letter (b) will be retained until the consent is withdrawn and, in any case, no longer than 2 years from the collection of the data. The Data Controller, in this regard, reserves the right, before the expiry of this term, to request the renewal of consent and/or the updating of the data;
(c) Personal data processed for the purpose of point 3, letter (c) will be retained for 2 years from receipt of the request by the data subject;
(d) Personal data processed for the purpose of point 3, letter (d) will be retained for 2 years after receipt of the application by the data subject;
(e) Personal data processed for the purpose referred to in point 3, letter (e) will be retained until the relevant rights are time-barred and, in any case, no longer than the maximum terms established by the GDPR and/or the law;
(f) Personal data processed for the purpose referred to in Section 3, letter (f) shall be retained until the relevant rights are time-barred and, in any case, no longer than the maximum terms established by the GDPR and/or the law.
7. Rights of the data subjects - What are your rights?
The GDPR grants you, as a data subject, some important rights that you can exercise against the Data Controller. According to the GDPR, you are granted the right to:
a. Request the access to your personal data and to the information related to them (pursuant to Article 15 of GDPR); request the rectification of inaccurate personal data or to have incomplete personal data completed (pursuant to Article 16 of GDPR); request the erasure of personal data concerning you (if one of the grounds provided for by Article 17, paragraph 1, of GDPR applies and in compliance with the exceptions as per paragraph 3 of said Article); request the restriction of processing of your personal data (in accordance with the conditions provided for by Article 18, paragraph 1, of GDPR);
b. Request and obtain from the Data Controller – in cases where the legal basis is the performance of the contract or consent and the processing is performed by automated means – the personal data provided to the Data Controller, in a structured, commonly used and machine-readable format, with the right to transmit that data to another controller (the so-called right to data portability, provided for by Article 20 of GDPR);
c. Object at any time to a processing of your personal data which has a legitimate interest as the legal basis (pursuant to Article 21 of GDPR). In case of an objection, the Data Controller will refrain from further processing of your personal data unless they can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims;
d. Withdraw your consent at any time, limitedly to the cases where the processing is based on your consent for one or more specific purposes and concerns common personal data (such as date and place of birth or the place of residence), or special categories of personal data (such as data revealing your racial origin, political opinions, religious beliefs, state of health or sexual life), without prejudice to the lawfulness of the processing performed before the withdrawal of consent (pursuant to Article 13, paragraph 2, lett c.) of GDPR). any time, limited to cases where the processing is based on your consent for one or more specific purposes and concerns common personal data (e.g. date and place of birth or place of residence), or special categories of data (e.g. data revealing your racial origin, political opinions, religious beliefs, state of health or sex life), without affecting the lawfulness of the processing based on the consent given before the withdrawal (ex art. 13, par. 2, lett. c) of the GDPR).
e. Lodge a complaint with a supervisory authority (Autorità Garante per la protezione dei dati personali – garanteprivacy.it) (pursuant to Article 13, paragraph. 2, lett. d) of GDPR).
Pursuant to Article 12 of the GDPR, the Data Controller will provide any information on actions taken on a request of exercise of right without undue delay and, in any event, within one month of receipt of the request. That period may be extended by 3 (three) further months where necessary, taking into account the complexity and number of requests. In such cases, the Data Controller will inform you of the extension and the reasons for the delay within one month of receiving the request. If you have made the request electronically, the information will be provided to you electronically, where possible, unless you request otherwise.
Last update: 31 October 2023
