Privacy Policy

This notice, drafted pursuant to arts. 13 and 14 of Regulation (EU) 2016/679 (GDPR), describes the methods of processing personal data of users interacting with the website of Emerge Italia di Manuele Fonte and the related services.

The Data Controller for personal data processing is:

Emerge Italia di Manuele Fonte
Zona Ischia 2, 39040 Ora (BZ), Italia
VAT: IT02967140217
Email: info@emergeitalia.it
Phone: +39 351 415 6549

Depending on your interaction with the Site, the Controller may collect the following categories of personal data:

Identification and contact data

• First and last name (or nickname, if applicable)
• Email address
• Phone number (optional in most forms)
• Company name, VAT number and address (for business users)

Navigation and technical data

• IP address (for security, fraud prevention and diagnostic purposes)
• Browser type and version, operating system, screen resolution
• Pages visited, session duration, interaction sequence
• Cookie identifiers and other tracking tools (see Cookie Policy)

Voluntarily provided data

• Content of messages sent via contact forms or reserved area
• Any attachments or documents uploaded
• Preferences expressed on the Site (language, theme, consent choices)

The actual data processed depends on the services active on the Site at the time of visit. For details on individual purposes, please refer to the "Purposes of Processing" section.

Personal data are processed for the following purposes, each based on a specific legal basis under art. 6 GDPR:

Purposes necessary for the service (performance of contract or pre-contractual measures - art. 6(1)(b) GDPR)

• Responding to information requests, quotes or assistance submitted by the user
• Delivering specific services offered by the Site (e.g. account management, bookings, purchases, content downloads)
• Managing operational communications related to the requested service

Legal compliance (legal obligation - art. 6(1)(c) GDPR)

• Tax, accounting and administrative compliance (in case of economic transactions)
• Documentary retention required by Italian law
• Response to requests from competent Authorities

Security and legitimate interest (legitimate interest - art. 6(1)(f) GDPR, subject to balancing assessment)

• IT security, abuse and fraud prevention
• Defence of the Controller's rights in court or out of court
• Aggregated statistics on Site usage (technical analytics exempt from consent under DPA Provv. 8/10/2020)

Marketing and profiling purposes (explicit consent - art. 6(1)(a) GDPR)

• Sending newsletters, promotional communications and event invitations
• Personalisation of content and offers based on interests and behaviour
• Advertising remarketing on third-party platforms (e.g. Google Ads, Meta)

Consent for marketing and profiling is always optional, separate and revocable at any time without affecting the lawfulness of prior processing (art. 7(3) GDPR).

Processing of personal data is based on one of the following legal bases under art. 6 GDPR:

• Consent (art. 6(1)(a) GDPR): for marketing, profiling, newsletter and activation of analytics/marketing cookies. Consent is always optional, granular (separate per purpose) and revocable at any time without prejudice to prior lawful processing (art. 7(3) GDPR).
• Performance of contract (art. 6(1)(b) GDPR): for the provision of services requested by the user and for the performance of pre-contractual measures (e.g. response to quote requests).
• Legal obligation (art. 6(1)(c) GDPR): for tax, accounting, anti-money laundering compliance and for response to requests from competent Authorities.
• Legitimate interest of the Controller (art. 6(1)(f) GDPR): for Site security, fraud prevention, legitimate defence of rights, and for aggregated and anonymised technical analysis. Whenever processing is based on legitimate interest, the Controller has conducted a Legitimate Interest Assessment (LIA) pursuant to EDPB Guidelines and verified the prevalence of the Controller's interest over the data subjects' rights and freedoms. A copy of the balancing is available on request by writing to info@emergeitalia.it.

Pursuant to art. 13(2)(e) GDPR we specify that:

Mandatory data: some data are necessary for the provision of the requested service and are generally marked as such in forms (e.g. with asterisk or "required" label). They typically include identification, contact and service-functional data. Failure to provide them means the Controller cannot fulfil the user's request.

Optional data: other data (e.g. phone, business details, additional details) are optional and serve to improve service quality or enable accessory features. Failure to provide them does not prevent the use of base services.

Consent to promotional purposes (marketing, newsletter, profiling) is always optional and separate. Refusal of consent does not in any way affect the use of the requested services.

Consequences of refusal in summary:

• Refusal of mandatory data → inability to deliver the requested service
• Refusal of optional data → no consequence on base services; possible inability to access accessory features
• Refusal of marketing consent → no promotional communications, free use of all services

Pursuant to art. 50 of Regulation (EU) 2024/1689 (AI Act), we inform you that the Site offers a conversational assistant based on Large Language Models (LLM).

Transparency on AI interaction

• You are always informed that you are interacting with an AI system and not with a natural person.
• Messages you send are processed by OpenAI LLC (United States) to generate contextual responses.
• Conversation transcripts are retained to handle any follow-up requests and for service improvement.
• At the end of the session, a summary may be sent to the Controller's staff for any commercial follow-up, only if you provided contact details.

No automated decision-making (art. 22 GDPR)

• The AI assistant does not make decisions with legal effects or similarly significant effects on you.
• Responses are informational or commercial in nature.
• Any final decision (quotes, contracts, services) is taken by the Controller's human staff.

Extra-EU data transfer

• Prompts are transferred to OpenAI LLC (USA) under Standard Contractual Clauses art. 46 GDPR.
• OpenAI states it does not use API inputs to train its models (zero-data-retention for API requests).
• Supplementary technical measures: encryption in transit (TLS 1.3) and at rest.

Your rights

• Request the erasure of the transcripts of your conversations by writing to info@emergeitalia.it.
• Opt for exclusively human interaction by contacting the Controller directly through the details indicated in the "Contacts" section.
• Obtain further information on the logic and purposes of the AI system.

Provider privacy policy: openai.com/policies/privacy-policy

The Controller does not carry out fully automated decision-making, including profiling, pursuant to art. 22 GDPR, which produces legal effects concerning the data subject or similarly significantly affects them.

Any marketing profiling (see dedicated section, if applicable) only affects the personalisation of commercial content and does not produce significant consequences on the data subject's rights.

Pursuant to Article 13.1.e) of the GDPR, your personal data may be disclosed to the following categories of recipients, always within the declared purposes:

• Technical service providers (hosting, CDN, security, application maintenance) — acting as Data Processors under Art. 28 GDPR;
• Mail and communication providers (transactional emails, newsletter, customer support) — Processors under Art. 28 GDPR;
• Analytics and marketing providers (see Trackers and cookies section) — Processors under Art. 28 GDPR unless otherwise stated;
• Payment service providers (gateway, PSP) — Independent Controllers for data strictly necessary to the transaction;
• Consultants, accountants, legal advisors — Processors or Independent Controllers depending on the contractual relationship;
• Public authorities (judicial, tax, supervisory) — only upon specific legitimate request and within statutory limits.

The up-to-date list of Processors appointed under Art. 28 GDPR is available upon request at info@emergeitalia.it.

Your data is not sold, transferred or disclosed to third parties for purposes other than those declared in this notice.

Some Data Processors (see "Data Recipients") are based outside the European Economic Area (EEA). The Controller ensures that such transfers take place in compliance with arts. 44-49 GDPR through one of the following safeguards:

• Adequacy decision under art. 45 GDPR: for countries declared adequate by the European Commission (United Kingdom, Switzerland, Andorra, Argentina, commercial Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay, Japan, Republic of Korea)
• EU-US Data Privacy Framework (Implementing Decision (EU) 2023/1795 of 10 July 2023): for US Processors certified under DPF
• Standard Contractual Clauses (SCC) under Implementing Decision (EU) 2021/914 of the European Commission: for Processors not covered by adequacy decisions, supplemented by supplementary technical measures (at-rest and in-transit encryption, pseudonymisation, logical data segregation) following the CJEU Schrems II judgment (C-311/18 of 16 July 2020)
• Binding Corporate Rules (BCR) under art. 47 GDPR, for Processors that have adopted them

The data subject may request a copy of the safeguards adopted and the updated list of processing countries by writing to info@emergeitalia.it.

Personal data is retained only for the time strictly necessary for the purposes for which it was collected, according to the specific terms set out below. After the term, data is erased or anonymised, save where retention is required for the establishment, exercise or defence of legal claims (Art. 2947 of the Italian Civil Code) or for regulatory obligations.

The data subject may at any time request early erasure of their data by writing to info@emergeitalia.it, except where the Controller is required to retain it by law.

The Site is not directed to children under 14. Pursuant to Art. 8 of Regulation (EU) 2016/679 and Art. 2-quinquies of Italian Legislative Decree 196/2003, consent to the processing of personal data for information society services is validly given by minors aged 14 or older; for younger children, consent must be given or authorised by the holder of parental responsibility.

The Controller does not knowingly collect personal data of children under 14. If we become aware of having collected such data without valid parental consent, we will delete it without delay.

Parents or guardians who believe that a minor has submitted personal data without authorisation may contact us at info@emergeitalia.it to request removal.

Emerge Italia di Manuele Fonte adopts technical and organisational measures appropriate under art. 32 GDPR to ensure a level of security commensurate with the risk, taking into account the state of the art, costs of implementation, nature and purposes of processing.

• Encryption in transit: HTTPS connections with TLS 1.3 protocols for all communications
• Encryption at-rest: encryption of data persisted on databases and backup systems
• Credentials management: use of protected password manager, multi-factor authentication for admin accounts, least-privilege principle
• Pseudonymisation and minimisation of data where technically feasible
• Encrypted periodic backups and documented procedures for timely restoration of availability and access to personal data in case of physical or technical incident (art. 32(1)(c) GDPR)
• Periodic testing: regular evaluation, verification and analysis of the effectiveness of security measures (art. 32(1)(d) GDPR), including internal audits
• Access traceability: logs of personal data access operations (DPA Provv. 27/11/2008 and subsequent)
• Timely security updates on all systems and services used
• Personnel training authorised to process personal data and written confidentiality obligations
• Data breach management procedure: notification to the supervisory authority within 72 hours of becoming aware of the breach (art. 33 GDPR), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons

For IT security, abuse prevention, debugging and technical diagnostics, the Site automatically collects certain data related to server requests (so-called system logs):

• visitor IP address;
• browser type and version (user-agent);
• date and time of the request;
• URL of the requested page and HTTP response code;
• any referrer URL.

Legal basis: legitimate interest of the Data Controller in Site security (art. 6.1.f GDPR) and compliance with data security obligations (art. 32 GDPR).

Retention: system logs are kept for a period of 30 days, unless an extension is required for ascertainment, dispute or legal defence purposes.

Recipients: logs are not disclosed to third parties, unless requested by judicial or other competent Authorities.

As a data subject, pursuant to arts. 15-22 GDPR, you have the right to:

• Access (art. 15) - obtain confirmation of processing and a copy of your personal data
• Rectification (art. 16) - correct inaccurate data or complete incomplete data
• Erasure (art. 17) - request erasure of data ("right to be forgotten"), within the limits provided by law
• Restriction (art. 18) - restrict processing in certain cases
• Notification (art. 19) - be informed of any rectifications or erasures communicated by the Controller to data recipients
• Portability (art. 20) - receive data in a structured, commonly used and machine-readable format
• Objection (art. 21) - object to processing on legitimate grounds, in particular to direct marketing
• Automated decision-making (art. 22) - not be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you
• Withdrawal of consent (art. 7(3)) - withdraw consent at any time, without prejudice to the lawfulness of processing based on consent before withdrawal

How to exercise your rights: write to info@emergeitalia.it. The Controller responds within 30 days of receipt of the request, extendable to 90 days in case of complexity (art. 12(3) GDPR).

Complaint to the supervisory authority: you also have the right to lodge a complaint with the competent supervisory authority. In Italy, the Garante per la Protezione dei Dati Personali:

• Address: Piazza Venezia 11, 00187 Rome
• Website: www.garanteprivacy.it
• Email: garante@gpdp.it
• PEC: protocollo@pec.gpdp.it

Emerge Italia di Manuele Fonte reserves the right to amend this Privacy Policy at any time to comply with regulatory, organisational or technological developments. Changes will be published on this page with the indication of the date of last update.

In the event of substantial changes affecting processing, data subjects will be informed by means of a clear notice on the Site or by email, if a contact address is available.

Users are invited to consult this page periodically to stay informed about the processing carried out.

For any question regarding the processing of your personal data or to exercise the rights under arts. 15-22 GDPR, you can contact the Controller:

Email: info@emergeitalia.it
Phone: +39 351 415 6549
Address: Zona Ischia 2, 39040 Ora (BZ), Italia

The Controller responds within 30 days of receipt of the request, extendable to 90 days for particularly complex or numerous requests (art. 12(3) GDPR).