Personal Data Processing Policy - GDPR

This is the updated version of our Personal Data Processing Policy - GDPR page.

In compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and Legislative Decree No. 196 of June 30, 2003, the company SIMIT S.r.l. (hereinafter also referred to as "SIMIT" or simply "we"), with registered office at Via Piccolomini, 24 – 67100 L’Aquila, VAT no. 01716530660, REA AQ – 115065, informs users about the purposes and methods of personal data processing, the scope of communication and dissemination, and the nature of its provision.

Collected Data: Purposes and Legal Basis for Processing

Data voluntarily provided by the user

These are data voluntarily provided by the user to SIMIT by filling out forms, testing or purchasing services, sending email messages to our corporate email addresses, or contacting us by phone.
They are collected and processed for the following purposes:

A. For the performance of contractual activities with the customer. In the case of using SIMIT services, or requesting contact, user data – even during trial periods – may be used to verify the user experience directly as well as to provide contractual services or pre-contractual requests, including technical assistance to the customer and their users.
The legal basis for this processing is the existence of a pre-contractual request by the user or the necessity to perform contractual services.

B. For administrative purposes and the fulfillment of legal obligations such as accounting, tax, or to respond to requests from judicial authorities.
The legal basis for this processing is compliance with legal obligations.

C. Subject to specific consent, for periodic sending – via email, newsletter, SMS, push notifications or regular mail – of commercial and promotional communications.
In the case of direct marketing regarding products analogous or similar to those purchased by the customer, marketing activities for new products or services of the Company may be conducted on the basis of the Company's legitimate interest and without the consent of the data subject, who always has the right to object to such processing.

D. In the case of sending a curriculum vitae, exclusively for personnel selection purposes. The legal basis for the processing is the express consent manifested by the data subject by sending the documentation.

Data collected during the use of our services

These are user data collected during access (e.g., to our websites, control panels, webmail, chat) and use of our services through available methods (e.g., API) and protocols (e.g., POP, IMAP, SMTP, Webmail, Web, etc.), such as:

  • Location data derived from the user's connection IP address or sent by the device or software used to access the services.
  • Device or software data derived from information it sends to our systems during access to services.
  • Data on the activity the user performs, via their device, during access to our services.
  • Cookies, pixel tags, and similar technologies to identify the browser or device of the user.
  • Logs of activities performed by the user during the use of our services or viewing of content provided by SIMIT.

This information includes:

  • Date, time, IP address, login, action performed.
  • Characteristics of the device or software, details, and outcome of the action performed.
  • Some details of email messages sent and received (e.g., date and time, IP, sender, recipient, subject, message-ID).

These data are not accompanied by any additional personal information and are used to:

  • Derive anonymous statistical information on the use of services.
  • Provide technical assistance.
  • Perform checks and technical maintenance.
  • Perform antispam/antivirus analysis.
  • Identify and prevent fraud or other abuses.
  • Manage needs for monitoring the methods of service use.
  • Ascertain responsibility in case of computer crimes.
  • Identify cookies that could uniquely identify the browser or the SIMIT account of the user.

The collection of such data is functional to the use of the service and constitutes an integral part of the system functionalities offered by SIMIT.
The legal basis legitimizing the processing of such data is the execution of a contract to which the data subject is a party.

Methods of Processing and Data Retention Times

Collected data will be processed using electronic or automated, IT and telematic tools, or through manual processing with logic strictly correlated to the purposes for which the personal data were collected and, in any case, so as to guarantee their security.
We will retain user data only for the time necessary to provide the requested products and services, unless we are required to keep them for longer periods as a consequence of laws, regulations or – if necessary – for the resolution of disputes or judicial investigations, and in any case not exceeding ten years from the termination of the contractual relationship.
In any case, SIMIT applies rules that prevent the retention of data indefinitely and therefore limits the retention time in compliance with the principle of data minimization.

Authorized Subjects for Processing, Processors, and Data Communication

The processing of collected data is carried out by internal SIMIT personnel identified for this purpose and authorized according to specific instructions given in compliance with current legislation.
The collected data, if necessary or instrumental for the execution of the indicated purposes, may be processed by third parties appointed as External Data Processors, or, depending on the case, communicated to them as independent controllers, specifically:

  • Companies belonging to our corporate group.
  • Persons, companies, associations, or professional firms providing assistance and consultancy to SIMIT.
  • Companies, entities, associations performing services connected and instrumental to the execution of the above purposes (market analysis and research service, credit card payment management, computer systems maintenance, goods shipping).
  • Companies that purchase and/or resell SIMIT services.

For purposes other than those above, collected personal data will not be disseminated or exchanged with subjects other than the Controller, the Processor, and the authorized persons, without the express consent of the data subject.

International Data Transfer

SIMIT does not transfer your data outside of Italy and the European Economic Area (EEA) for the direct execution of its services.
However, certain marginal processing and service provisions requested by the customer (such as, for example, the registration of software produced abroad) require the mandatory transfer of data abroad; when this occurs, appropriate measures will be adopted to ensure an adequate level of protection in countries outside Italy or the EEA as well.

Security

We use organizational, administrative, technical, and physical security measures to safeguard your user data and to ensure they are processed in a timely, accurate, and complete manner. We also ask our suppliers to safeguard data and use them only for the specified purposes.

Privacy by default and by design
Our software and systems have been designed and built following the concept of “Data protection by default and by design”.

Data Integrity and Security
We encrypt data for which we are required to guarantee a level of security adequate to the risk of loss or theft. A procedure is also in place to digitally sign log files and assign them a certain date, in compliance with Italian regulations.

Log Retention according to law
We retain logs according to law for the period prescribed by Italian legislation, in order to be able to respond to investigations and requests from judicial authorities.

Data Confidentiality
All data transiting for the execution of our services are protected by SSL/TLS encryption.

Vulnerability Management
To detect potential software vulnerabilities and block the spread of viruses and malware, we use tools designed to verify and discover vulnerabilities and critical issues in systems and software. We perform continuous monitoring to verify that the process is compliant.

Backup and Data Availability
We ensure that all collected and stored data are treated with principles ensuring their availability and integrity for the execution of existing contracts. To this end, we perform periodic backups, check them, and monitor that systems and applications are always available and running.

Authorized Personnel
All SIMIT collaborators follow internal training paths regarding GDPR requirements and are kept constantly updated on and aware of security and the protection of the data we process, also through the signing of specific confidentiality agreements.

Customer Rights

You have the right to access, update, delete, modify or correct your personal data.
In particular, you have the right to:

  • Revoke consent for the use of your personal data at any time, where the processing is based on your consent. However, any failure to provide or revocation of collected personal data, or other personal data eventually requested during the contractual relationship, may entail the impossibility for SIMIT to establish and/or continue, in whole or in part, the contractual relationship, or respond to pre-contractual requests.
  • Limit and/or object to the use of your data.
  • Request a manual review of certain automated data processing activities that affect your rights.
  • Export your data from reserved areas at any time, during the contract validity period.
  • Revoke consent to receive marketing communications from SIMIT.
  • Delete your data from reserved areas at any time: the data will be permanently removed from any system within a maximum of 90 days, subject to different regulatory obligations.

Marketing Choices

We use collected data, if you have expressly provided consent, or in case of direct marketing of products or services similar to those already purchased based on our legitimate interest, to inform you about promotional activities that might interest you.
In particular, we use them to:

  • Communicate promotional, commercial, and advertising initiatives on events and partnerships, via email, SMS sending or push notifications, operator phone calls, customer care service consisting of offering dedicated services in sales and post-sales.
  • Perform analysis and reporting activities connected to promotional communication systems, such as detecting the number of opened emails, clicks made on links present within the communication, the type of device used to read the communication and the relative operating system, or the list of addresses unsubscribed from the newsletter.

Roles

SIMIT as Data Controller and SIMIT as Data Processor
The concepts of “Data Controller” and “Data Processor” are important to understand a company's responsibilities.
Depending on the scenario, a company can be a Data Controller, a Data Processor, or have both roles and assume specific responsibilities. Consequently:

Data Controller

A company has the role of Data Controller when it has the responsibility to decide why and how (the “purposes” and “means”) personal data are processed.

  • Data Controllers must adopt compliance measures that include how data are collected, the purpose for which they are used, and the retention period. They must also ensure that people can access the data provided.
  • Data Controllers must ensure that Data Processors respect their contractual commitments regarding the secure and legal processing of data.

For example, when SIMIT processes the customer's tax data, such as issuing an invoice, it holds the role of Data Controller.

Data Processor

A company is defined as a Data Processor when it processes personal data on behalf of a Data Controller. Data Processors have the obligation to process data securely and legally.
For example, for the technical support service, SIMIT processes data on behalf of the customer; the latter must have an adequate legal basis for SIMIT to process such data.

Questions or Complaints

For any questions regarding this privacy policy or how user data are managed, it is possible to contact us directly using the CONTACT form indicating GDPR/PRIVACY in the field dedicated to the "Reason for contact".
Our Data Protection Officer will respond within the terms provided by current legislation.