PRIVACY POLICY

COMMERC.IO SRL  PRIVACY POLICY

Information pursuant to EU Regulation 2016/679 (GDPR)

1. DATA CONTROLLER AND DATA PROCESSOR

Pursuant to Article 13 of Legislative Decree No. 196 of 30 June 2003 laying down the Code for the Protection of Personal Data (hereinafter, the “Privacy Code”) and Article 13 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data (hereinafter, “GDPR” or the “Regulation”), we wish to inform you that Commerc. io srl, based in Via Luigi Dalla Via 3b – 36015 Schio (VI) (“Commerc.io”) is the Data Controller and that the personal data you provide will be processed in compliance with the above mentioned regulation.
We also inform you that Commerc.io is required to provide information on the use of personal data provided by users who use the Commerc.io platform (the “Customers” or “Data Subjects”).We have appointed a Data Protection Officer (“DPO”), whom you can contact to exercise your rights listed in paragraph 8 below, as well as for any request for information relating to this Policy.
The DPO of Commerc.io is Mr. Enrico Talin.
E-mail address: dpo@Commerc.io
Postal address: Schio (VI) – cap 36015 – via Luigi Dalla Via 3b

2. CATEGORIES OF DATA SUBJECT TO PROCESSING

In relation to the purposes and methods described in the next paragraph (see below, par. 4), we collect and store the following categories of personal data
identification data, such as name and surname, tax code, date of birth;
contact data, such as the address of residence, billing address if different from the address of residence, e-mail address and telephone number;
Transaction data, such as details of transactions to and from the hosted wallet;
location and online identification data, such as IP address, pages visited, content clicked, operating system and browser used and traffic data, etc..
Commerc.io does not require and does not process on its own initiative “sensitive data” (personal data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of political parties, trade unions, associations or organizations of a religious, philosophical, political or trade union, as well as personal data disclosing health and sex life). However, it is possible that in order to carry out specific requests for services and operations inherent to the relationship with the Client, we may also process such data.

3. PURPOSES AND METHODS OF DATA PROCESSING

Purpose of processing.
The personal data held by Commerc.io, are processed as part of its normal activity in order to:

assess the adequacy of the services offered by Commerc.io with respect to the personal characteristics of the Customer, as required by law;
comply with the obligations of identification and adequate verification provided by the legislation on the fight against money laundering and terrorist financing;
to establish the contractual relationship for the supply of Commerc.io’s services and to carry out the obligations strictly connected with and instrumental to the management of the relationship with the Customer, the fulfilment of fiscal, accounting and administrative obligations and any credit recovery activity
submit, even with the help of third parties, any questionnaires in order to improve the services of Commerc.io;
provide information on the services provided by Commerc.io;
to send newsletters and commercial communications, updates and promotional offers according to the communication preferences of the Customer
carry out activities of customer segmentation according to non-intrusive logic and criteria and in any case in such a way as not to affect the freedoms and fundamental rights of the Customer (for example, differentiated communications between registered and unregistered users).
Profiling for marketing purposes is carried out using parameters in such a way that the Client receives only commercial information of his/her interest. In order to do this, the Data Controller will rely on personal data (age ranges), answers to questionnaires, navigation data (for example, if you have searched for information about a particular service, the Data Controller may ensure that you receive information about the same or similar services).

Legal basis for processing.

With reference to the activities described above, it should be noted that, in accordance with the Regulation:

the processing referred to in letters a) and b) is necessary to comply with a legal obligation to which the Data Controller is subject (see Article 6(1)(c));
the processing referred to in letter c) is necessary for the performance of a contract to which the data subject is party (see Article 6, paragraph 1, letter b));
the processing referred to in points d) and e) is necessary for the pursuit of the legitimate interest of the Data Controller (see Article 6(1)(f));
The processing referred to in letter f) is carried out exclusively on the basis of the consent given by the Data Subject (see article 6, paragraph 1, letter a).

4. CATEGORIES OF PERSONS TO WHOM THE DATA MAY BE COMMUNICATED OR WHO CAN LEARN ABOUT THEM AS MANAGERS OR AGENTS

Personal data may be communicated by the Data Controller solely and exclusively for the purposes indicated and where necessary, to the following categories of subjects

service providers with whom the Commerc.io platform has a contractual relationship and who collaborate in the business activities of the Data Controller (such as providers of affiliate programs, accounting and administrative management, mailing, payment or statistical analysis services);
service providers with whom Commerc.io has a contractual relationship for its own legitimate interest to receive feedback from customers for the service provided. In this case, the data are never transferred for commercial purposes, but only for the purpose of receiving customer reviews;
IT service providers;
consulting companies, law firms and accountants;
where requested, the competent Judicial Authorities;
where required, public administrations and supervisory and control authorities. Personal data will not, however, be disclosed to unspecified subjects.

5. DATA TRANSFER THIRD COUNTRIES

The Data Controller reserves the right to transfer your personal data to third countries. Data transfers outside the European Economic Area are subject to a special regime under the Regulation and are only made to parties located in countries that ensure a level of protection of personal data deemed adequate on the basis of an adequacy decision by the Commission or through the adoption of appropriate safeguards (including standard contractual conditions provided by the European Commission), provided that the data subjects have enforceable rights and effective remedies.

6. RIGHTS OF THE INTERESTED PARTY

a. SPECIFIC RIGHTS OF THE INTERESTED PARTY
Listed below are the rights of the Interested Subjects pursuant to articles 15 to 21 of the Regulations:

Right of Access (Article 15): The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him/her are being processed and, if so, to obtain access to such personal data;
Right of rectification (art.16): the data subject has the right to obtain from the Data Controller the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, also by providing a supplementary declaration;
Right to erasure or “right to be forgotten” (art.17): the data subject has the right to obtain from the Data Controller the erasure of personal data concerning him/her without undue delay and the Data Controller has the obligation to erase the personal data.
Right to restriction of processing (art.18): the data subject has the right to obtain from the Data Controller the restriction of processing when one of the following hypotheses applies:
The data subject disputes the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such data;
the processing is unlawful and the data subject opposes the deletion of the data but requests the restriction of the use thereof;
although the Data Controller no longer needs the data for processing purposes, the personal data are necessary to the data subject for the establishment, exercise or defence of legal claims;
The Data Subject has objected to the processing of the data pursuant to Article 21(1), pending verification as to whether the Data Controller’s legitimate reasons prevail over those of the Data Subject.
Right to data portability (art.20): The data subject has the obligation to receive in a structured, commonly used and machine-readable format the personal data concerning him or her provided to a Data Controller and has the right to transmit such data to another Data Controller without hindrance from the Data Controller to whom he or she provided it.
Right to object (art.21): The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), including profiling on the basis of these provisions. The Data Controller shall refrain from further processing the personal data unless he demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Processing for direct marketing purposes. If personal data are processed for direct marketing purposes, the data subject has the right to withdraw the consent given or to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such direct marketing.
b. MODALITIES FOR THE EXERCISE OF RIGHTS AND FEEDBACK
In accordance with the provisions of Article 12 of the Regulation, with reference to the rights of the data subject listed above:

the Data Controller shall provide the data subject with information regarding the action taken with respect to the data subject’s request within one month of receipt thereof. This term may be extended by two months, if necessary, taking into account the complexity and number of requests. In the latter case, the Data Controller shall inform the data subject of such extension and the reasons for the delay, within one month of receipt of the request;
the response provided to the data subject shall be concise, transparent and easily accessible; the language shall be clear and simple. The form of the response is written and accessible. it is up to the Data Controller to assess the complexity of the response to the data subject and the decision to request a contribution, but only if the requests are manifestly unfounded or excessive.

In order to make use of the rights available to you, you may contact the Data Protection Officer at the e-mail address dpo@commerc.io or in the other ways indicated in paragraph 1 above. We will take care of your request and provide you, within 30 days of receiving it, with information about the actions we have taken in this regard.

7. DATA RETENTION

For the purposes of the execution of the contract and regulatory compliance, we will keep your personal data only for the time necessary to manage the relationship in place, as well as for the fulfillment of legal obligations under applicable law. In any case, in accordance with our data retention policy, your data will be kept for a maximum period of 10 years from the termination of the contract.

8. SUPERVISORY AUTHORITY

Without prejudice to any other administrative or jurisdictional recourse, you will have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data is in breach of the Regulation. Within the Commerc.io Group, the leading Control Authority is the Privacy Guarantor in Italy. Further information is available on the website http://www.garanteprivacy.it.
In any case, we are interested in being informed of any grounds for complaint and we invite you to contact our Data Protection Officer before referring the matter to the Supervisory Authority, so that we can prevent and resolve any disputes in an amicable and timely manner, with the utmost courtesy, seriousness and discretion.