PROCESSING OF PERSONAL DATA

INTRODUCTION

TechStar srl (hereinafter the "Owner") acknowledges the importance of personal data protection and, for this purpose, intends to inform about the methods of collection, processing, and storage of such data related to the use of the Meta Presence^® platform and its related services. The aim is to make the user aware of their rights and the ways to easily exercise them, in line with the principles of lawfulness, fairness, and transparency in processing.

This information is provided pursuant to Article 13 of the European Regulation No. 2016/679 concerning the protection of individuals with regard to the processing of personal data, and free movement of such data (the "Regulation"), as well as in accordance with Legislative Decree No. 196/03 and subsequent amendments (the "Privacy Code"), the provisions of the Data Protection Authority, and the Guidelines of the European Committee of Guarantees (hereinafter collectively the "Applicable Regulations").

This information is provided solely for the use of the Meta Presence^® platform and does not apply to other websites or platforms that may be accessible or consulted through external links.

PARTIES INVOLVED

Data Subject: the individual identified or identifiable whose personal data is subject to processing.

Data Controller: TechStar srl with registered office at via Buonarroti 41 – 33010 Tavagnacco (UD), VAT No. and Tax Code 03035830300.

The Data Controller has appointed the Data Protection Officer (DPO), who can be contacted for explanations regarding this Privacy Policy or to exercise the rights provided by data protection legislation described in the following text. To contact the DPO, use the following email address: dpo@techstar.it.

For any information related to this Privacy Policy, you can write to the following email address: privacy@techstar.it.

 

1. WHO IS THE RECIPIENT OF THIS PRIVACY POLICY?

1.1 This Policy concerns the individual providing personal data to access and use one or more services of the Meta Presence^® platform, hereinafter generically referred to as the "Data Subject."

 

2. WHAT PERSONAL DATA IS BEING PROCESSED?

2.1 Definition of Personal Data
"Personal Data" refers to any information concerning an identified or identifiable natural person, such as name, phone number, email address, location data, an online code (e.g., IP address), or characteristics of their physical, physiological, mental, economic, cultural, or social identity.

2.2 Data Processed by Meta Presence^®:
- Data provided by the Data Subject: identifiable and contact data (such as name, surname, and email address) provided by the Data Subject for access to Meta Presence^®; the Data Controller will process the data in compliance with the Applicable Regulations, assuming that they refer to the user.

- Data related to the Data Subject's use of the Meta Presence^® platform: date and time of access and exit from Meta Presence^®; avatar position within Meta Presence^®; type of hardware and software device used (PC, tablet, mobile, immersive headset, browser, O.S.); data collected from the interactions carried out by the Data Subject within Meta Presence^® (movements, interactions with objects, subjects, documents, images/videos/audio). As previously described, without the release of specific consent, such data will be used exclusively in an anonymous and aggregated form for statistical analysis.

- Other Data collected during the use of the Meta Presence^® platform includes interactions with objects, subjects, documents, images/videos/audio; avatar "reactions" (functions available in the menu to report reactions) and all information related to the attention level and "Sentiment" of the user, autonomously obtainable from the platform; comments, suggestions, and needs collected during interactions through all available contact systems (email exchanges, chat, chatbot, etc.); images and video streaming of connected users (even in case of activating their camera); shapes and images used to customize their avatar.

The Meta Presence^® platform includes various features, some of which involve the processing of Personal Data, while others do not. On the Meta Presence^® platform, profiling will be possible only if specific consent is given.

In general, except for functions where Personal Data (e.g., email address) is entered, the data will always be processed anonymously and aggregated for statistical analysis, such as obtaining quantitative data on the number of entries, time spent on the platform, time and quantity of interaction with individual objects, subjects, etc. In functions where specific consent is required for profiling, the Data Subject will always have the option to decide whether to provide and/or revoke the consent given for the processing of their Personal Data for that purpose.

It is specifically emphasized that Meta Presence^® has three types of users (here also understood as Data Subjects): "visitor," "invited," and "registered." In the case of accessing Meta Presence^® by a "visitor" user (illustratively comparable to accessing/visiting a site on the web), no Personal Data will be recorded or processed, only anonymous and aggregated data. Also, in the case of an "invited" user (similarly, for example, to a person invited via a link to a meeting on a video conferencing platform), no Personal Data will be recorded or processed outside of the email to which the access link is sent, except for any consent given by the Data Subject to profiling. In the case of a "registered" user (comparable, always as a mere example, to a person accessing a specific position of management software present on a company cloud), the processed data will be the identification data necessary for access (e.g., user name, email), and if the relevant consent is given, profiling will also be carried out.

The Data Controller will process the data in compliance with the Regulations, assuming that they refer to the Data Subject or to third parties who have expressly authorized their conferment based on a valid legal basis.

 

3. HOW ARE DATA COLLECTED?

3.1 Process
The Controller collects personal data concerning the Data Subject when provided by the latter for access to the Meta Presence^® platform. Personal data can also be provided by the Data Subject through interactions with subjects and/or objects during the use of Meta Presence^®.

 

4. WHAT ARE THE PURPOSES, LEGAL BASES, AND THE NATURE OF THE OBLIGATORY OR OPTIONAL TREATMENT?

4.1 Purposes
Personal Data of the Data Subject will be processed for the following purposes:
a) for the execution of a contract of which the Data Subject is a party, including pre-contractual measures and preliminary activities aimed at allowing the user such access (e.g., the possibility, also through the data processor, to contact the user for a possible direct demonstration to illustrate to the Data Subject the functioning of Meta Presence^®); for responding to queries or complaints from the Data Subject; for providing assistance; for communicating with the Data Subject, etc.
b) for statistical analysis on aggregated and anonymous data, without the possibility of identifying the user.
c) for the need to ascertain, exercise, or defend a right in court or whenever the judicial authorities exercise their judicial functions.
d) for user profiling if the relevant consent is given.
e) for communication to third-party entities or companies so that they carry out promotion and sale activities of similar products and services or for statistical surveys and market research if the relevant consent is given.

4.2 Legal basis
The legal basis for the processing of Personal Data for the purposes under point a) is the contract concluded with the Data Subject, including its pre-contractual phase and direct contact to respond to their requests and/or to provide the agreed services. The purpose under point b) does not involve the processing of Personal Data, while the purpose under point c) is based on the Controller's legitimate interest in legal protection. The legal basis for the processing of Personal Data for the purposes under points d) and e) is consent. It is understood that, for services and products similar to those for which interest has been expressed, commercial communications may be sent based on legitimate interest within the limits allowed by the regulations.

4.3 Mandatory or optional nature of Data Provision
The provision of Personal Data for the purposes under point a) is necessary to fulfill the Data Subject's request to access Meta Presence^® and use the related services, as well as to fulfill any additional requests related to the services. The failure to provide such data could, therefore, make it impossible to respond to the Data Subject's request or to proceed with the fulfillment and implementation of the requested services or to follow up on the contractual obligations undertaken, resulting in the impossibility of allowing the Data Subject to access Meta Presence^® and/or correctly use the related services.

 

5. HOW ARE DATA PROCESSED? IS THERE EXTRA-EU TRANSFER?

5.1 Process
Data is processed mainly electronically and telematically using tools suitable to ensure its security, availability, integrity, and confidentiality. The data processing takes place through cloud systems, the servers of which are located in the European Union.

5.2 Transfer to third countries
The Personal Data of the Data Subject will not be transferred to countries outside the European Economic Area (EEA), to countries that have not been judged "adequate" according to the criteria of the competent authorities or without the adoption of the appropriate safeguard measures established by the Regulation (e.g., Standard Contractual Clauses or clauses that do not guarantee adequate levels of security in data management).

 

6. WHO ARE THE RECIPIENTS OF THE PROCESSED DATA?

6.1 In general
The personal data of users who request the sending of information materials (responses to questions, quotes, etc.) are used solely to perform the requested service or performance and are communicated to third parties only where necessary for the fulfillment of requests or communication is imposed by legal obligations or in the event of a legal proceeding.

6.2 Categories of recipients of your Personal Data
The Data Controller communicates the personal data of users only within the limits permitted by law and in accordance with the following. Without prejudice to communications arising from any legal obligations, the Personal Data of the Data Subject may come to the knowledge of: (i) employees and collaborators of the Controller, who act as authorized subjects to process and are instructed by the Data Controller; (ii) suppliers of the Data Controller who perform specific technical, IT, and organizational services connected to the use or promotion of instrumental services to the Data Controller's activity. These subjects will act from time to time as authorized subjects by the Data Controller (as in the case of employees and collaborators), as data processors on behalf of the Data Controller (or other service providers), or as independent data controllers. In addition, the data may be communicated to the police forces or the judicial authority, in accordance with the law and upon formal request by such subjects, or in case there are reasonable grounds to believe that the communication of such data is reasonably necessary to (1) investigate, prevent, or take action regarding suspected illegal activities or assist state control and supervisory authorities; (2) defend against any claims or accusations by third parties or protect the security of the platform and the company; or (3) exercise or protect the rights, property, or safety of the Data Controller, its affiliates, its customers, its employees, or any other subject. If the relevant consent is given, the data may be communicated to third-party entities or companies so that they carry out promotion and sale activities of similar products and services or for statistical surveys and market research.

6.3 Processing related to avatars created through third-party services
Within Meta Presence^®, avatars created through external services (such as ReadyPlayerMe) can be used, even if embedded in the platform only through a frame. The data related to the avatar will be processed directly by these third-party companies as independent data controllers; please refer to the privacy policies of these third-party entities for more information on the data processing carried out for this purpose.

 

7. HOW LONG DOES THE DATA PROCESSING LAST?

7.1 In general
The personal data of the Data Subjects are used solely for the purpose of performing the requested service or performance and are disclosed to third parties only when necessary for the fulfillment of the service (e.g., service providers) or when communication is required by legal obligations or in the context of legal proceedings.

7.2 Categories of Recipients of your Personal Data
TechStar discloses the personal data of users only within the limits allowed by law and in accordance with the following. Without prejudice to communications arising from any legal obligations, the Personal Data of the Data Subject may be disclosed to: (i) employees and collaborators of TechStar, acting as authorized persons for processing and instructed by the Data Controller; (ii) TechStar's suppliers providing specific technical, IT, and organizational services related to the use of the service or other instrumental services to the activity performed. These entities will act from time to time as authorized by the Data Controller (as in the case of employees and collaborators), as data processors on behalf of the Data Controller, or as independent data controllers. In the latter case, these entities, operating for their own purposes as independent data controllers, will issue their own information to which reference is made. In addition, the data may be disclosed to law enforcement agencies or the judicial authority, in compliance with the law and upon formal request by such entities, or if there are reasonable grounds to believe that the communication of such data is reasonably necessary to (1) investigate, prevent, or take action regarding suspected illegal activities or assist state supervisory and control authorities; (2) defend against any claims or accusations by third parties, or protect the security of the Site and the company; or (3) exercise or protect the rights, property, or safety of TechStar, its affiliates, its customers, its employees, or any other party. Your Data will not be disclosed in any way.

7.3 Processing related to avatars created through third-party services
Within Meta Presence^®, avatars created through external services (such as readyplayer.me) can be used, even if embedded in the displayed page through framing.
The data related to the avatar will be processed directly by these third-party companies as independent data controllers; please refer to the privacy policies of these third-party entities for more information on the data processing carried out for this purpose.

 

8. HOW CAN THE PROCESSING OF PERSONAL DATA BE CONTROLLED?

8.1 Your rights and how to exercise them
The Regulation grants the Data Subject various rights, described below, to control their personal data and its processing by the Data Controller.
To exercise your rights, simply send a request to the following address: privacy@techstar.it.

8.2 Can you request access to your personal data?
If you wish to access your personal data, you can request a copy of the data in the format provided on the platform and information about their processing.
The right of access may be limited in cases provided by law or applicable regulations.

8.3 Can you request the correction of your personal data?
If you believe that personal data is inaccurate or incomplete, you can request that such data be modified or supplemented accordingly. In some cases, supporting documentation may be required.

8.4 Can you request the deletion of your personal data?
If you wish, you can request the deletion of personal data, within the limits provided by law and in cases where retention is not necessary for the purposes for which they were collected and processed.

8.5 Can you object to the processing of your personal data processed based on legitimate interests?
If you disagree with the processing of personal data based on legitimate interests, you can object at any time for reasons related to your particular situation, indicating the processing activity to which the objection refers and the reasons for the objection. Your personal data will no longer be processed unless there are legitimate reasons to do so or the processing is necessary for the establishment, exercise, or defense of a legal right.

8.6 Can you object to the processing of your personal data for profiling purposes?
You have the right to object, at any time, to the processing of personal data for profiling purposes.

8.7 Can you limit the processing of your personal data?
Under certain conditions, you have the right to obtain the limitation of processing concerning the data if it is not relevant to the continuation of the contractual relationship or necessary for a legal obligation.

8.8 Do you have rights against an automated decision?
In general, you have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect or significantly affects the Data Subject. However, an automated decision that is necessary for the conclusion or performance of a contract, authorized by an Italian or European Union law, or for which consent has been given, may be adopted. In any case, you have the opportunity to contest the decision, express your opinions, and request the intervention of a person who can review the decision.

8.9 Can you request the portability of some of your personal data?
Where technically feasible, you can request a copy of the personal data provided in a commonly used, structured, and machine-readable format. Where technically feasible, it is also possible to request the transmission of this copy to third-party controllers indicated.

8.10 Can you file a complaint with the Italian Data Protection Authority?
In addition to the rights mentioned above, it will be possible to file a complaint with the competent supervisory authority (usually the one in your place of residence); in Italy, you should contact the Italian Data Protection Authority.