PRIVACY POLICY

COMMERCIO.NETWORK SPA has implemented a mobile application called Commercio App (hereinafter "APP") that can be downloaded on mobile devices (e.g., smartphone, tablet) and is intended for use by its registered members.
COMMERCIO.NETWORK SPA values the privacy of its members and wants to inform them about the ways in which data directly or indirectly related to its members ("Data Subject") is collected, used, and disclosed.
This Privacy Policy (hereinafter "Policy") describes how COMMERCIO.NETWORK SPA (also referred to as "Commercio.Network") processes personal data collected through the APP, detailing what personal data we collect when our App is used, how this data is processed, with whom we share your personal data (and where it is located), how long it is retained, and your choices regarding our use of your data.
It also specifies how you can contact us regarding our privacy practices. Therefore, we encourage you to read this policy carefully. This Policy has been drafted in accordance with Articles 13 and 14 of Regulation EU 2016/679 (hereinafter "Regulation" or "GDPR"). This Policy does not apply to other applications and/or websites that may be accessed by the user via links contained in the Application.
The processing of your personal data will be conducted in line with the principles of fairness, legality, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality, as well as the accountability principle outlined in Article 5 of the Regulation. Therefore, your personal data will be processed in accordance with the provisions of the Regulation and the confidentiality obligations set forth therein.

Personal data processing refers to any operation or set of operations performed with or without automated means and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion, or destruction.

1. DATA CONTROLLER AND PROCESSOR

In accordance with Article 13 of Legislative Decree no. 196 of June 30, 2003, concerning the Code on the Protection of Personal Data (hereinafter, the "Privacy Code") and Article 13 of Regulation (EU) 2016/679 of April 27, 2016, regarding the protection of individuals with regard to the processing of personal data (hereinafter, "GDPR" or the "Regulation"), we hereby inform you that Commercio.network SpA, headquartered at via Luigi Dalla Via 3b – 36015 Schio (VI) ("Commercio.network"), email privacy@commercio.network, is the Data Controller and that the personal data you provide will be processed in compliance with the aforementioned regulations.

2. CATEGORIES OF DATA PROCESSED

2.1. In relation to the purposes and methods described in the following paragraph (see below, par. 3 "Purpose"), we collect and store the following categories of personal data:
- identification data, such as first name and last name;
- contact data, such as email address;
2.2. Commercio.network does not request or process "sensitive data" (personal data suitable to reveal racial and ethnic origin, religious, philosophical, or other beliefs, political opinions, membership in parties, trade unions, associations or organizations of a religious, philosophical, political, or trade union nature, as well as personal data suitable to reveal health status and sexual life) nor judicial data.

3. PURPOSE OF DATA PROCESSING

The personal data held by Commercio.network is processed within the scope of its regular business activity, for the provision of Commercio.network APP services and to fulfill obligations strictly connected to and instrumental in the management of relationships with Clients, legal, fiscal, accounting, and administrative obligations. In particular, personal data is processed to enable APP navigation, access to your reserved area, and the provision of all other services made available by the Data Controller, including APP security management, as well as contractual and administrative relationships and support services.
Cookies and other tracking or profiling technologies. The APP does not use cookies and/or similar trackers, whether technical or analytical and/or marketing-related. COMMERCIO does not perform profiling on the collected data.

4. LEGAL BASIS FOR DATA PROCESSING

With reference to the above-described activities, please note that, in compliance with the Regulation, the processing of the indicated personal data is mandatory as it is necessary for the performance of a contract to which the data subject is a party (cf. Regulation Article 6, paragraph 1, letter b), as the processing of the indicated personal data is necessary to enable account creation and APP usage. The failure to process data would prevent the creation of the account and access to and use of services through the APP.

5. DATA COMMUNICATION AND PROCESSING METHODS

Personal data may be disclosed by the Data Controller exclusively for the purposes indicated and, when necessary, to the following categories of recipients:
- service providers with whom the Commercio.network platform has a contractual relationship and who collaborate with the Data Controller's business activities (such as providers of accounting and administrative management);
- IT service providers;
- consulting firms, law firms, and accountants;
- when required, competent Judicial Authorities;
- when required, public administrations and supervisory and control authorities.
Personal data will not be disclosed to unidentified third parties. The data subject may request a list of Data Processors involved in these purposes from the Data Controller by contacting them through the communication methods provided in Section 1.
Data will also be processed by persons specifically authorized by the Data Controller, under GDPR regulations, including employees and collaborators, following specific instructions provided by the Data Controller.
The processing of personal data may be performed using both manual and IT tools, always under appropriate technical and organizational measures to ensure its security, integrity, and confidentiality, especially to mitigate risks of destruction or loss, unauthorized access, or unauthorized processing inconsistent with the purposes of data collection.

6. DATA TRANSFER TO THIRD COUNTRIES

The Data Controller will not transfer your personal data to third countries.

7. DATA SUBJECT RIGHTS

7.1. SPECIFIC RIGHTS OF THE DATA SUBJECT

Under the Regulation, the Data Subject is granted the following rights (Articles 15 to 21 of the Regulation):
- Right of Access (Art. 15): The Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed, and if so, access to such personal data;
- Right to Rectification (Art. 16): The Data Subject has the right to obtain the correction of inaccurate personal data concerning them from the Data Controller without undue delay. Considering the purposes of the processing, the Data Subject has the right to have incomplete personal data completed, including by providing a supplementary statement;
- Right to Erasure or "Right to be Forgotten" (Art. 17): The Data Subject has the right to obtain from the Data Controller the deletion of personal data concerning them without undue delay, and the Data Controller has the obligation to delete personal data.
- Right to Restrict Processing (Art. 18): The Data Subject has the right to restrict processing under the following circumstances:
i. The Data Subject contests the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such data;
ii. Processing is unlawful, and the Data Subject opposes the deletion of data but requests restriction of its use;
iii. Although the Data Controller no longer needs the data for processing, the personal data is necessary for the Data Subject to establish, exercise, or defend a legal claim;
iv. The Data Subject has objected to processing under Art. 21, paragraph 1, pending verification of whether the legitimate grounds of the Data Controller override those of the Data Subject.
- Right to Data Portability (Art. 20): The Data Subject has the right to receive in a structured, commonly used, and machine-readable format the personal data concerning them that they provided to a Data Controller, and they have the right to transmit such data to another Data Controller without hindrance.
- Right to Object (Art. 21): The Data Subject has the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them under Article 6, paragraph 1, letters e) or f), including profiling based on those provisions.
The Data Controller will refrain from further processing personal data unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for establishing, exercising, or defending a legal claim.

7.2. METHODS FOR EXERCISING RIGHTS AND RESPONSE

In accordance with Article 12 of the Regulation, with regard to the rights of the Data Subject previously listed:
1. The Data Controller provides the Data Subject with information regarding the action taken on their request within one month of receiving it. This period may be extended by two months if necessary, taking into account the complexity and number of requests. In such cases, the Data Controller informs the Data Subject of the extension and the reasons for the delay within one month of receiving the request;
2. The response provided to the Data Subject is concise, transparent, and easily accessible, using clear and simple language. The response is written and accessible. The Data Controller, at its discretion, may require a contribution if requests are manifestly unfounded or excessive.
To exercise your rights, please contact the Data Controller at the email address privacy@commercio.network or through the other means indicated in the previous paragraph 1. We will address your request and provide information regarding the actions taken in response within 30 days of receiving it.

8. DATA RETENTION

For the purpose of fulfilling the contract and regulatory obligations, we will retain your personal data only for as long as necessary to manage the existing contractual relationship and comply with applicable legal obligations. In any case, in line with our data retention policy, your data will be stored for a maximum period of 10 years from the termination of the contract.

9. SUPERVISORY AUTHORITY

Without prejudice to any other administrative or judicial recourse, you have the right to file a complaint with a supervisory authority if you believe that the processing that concerns you is in violation of the Regulation. Within the Commercio.network Group, the lead Supervisory Authority is the Privacy Guarantor in Italy. Further information is available on the website http://www.garanteprivacy.it.
In any case, we welcome being informed of any reasons for complaint and invite you to contact the Data Controller before approaching the supervisory authority, so that we may address and resolve any disputes amicably and promptly, with the utmost courtesy, seriousness, and discretion.

10. MODIFICATION AND REVISION

This Policy may be subject to changes, which will be communicated at the first available opportunity. The updated version of this policy can always be found in the privacy section of each user's personal page and will be communicated via email to each user.

Version as of November 4, 2024