Policy for the Processing of Personal Data in accordance with Art. 13 of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (hereinafter "GDPR")

This information is provided by Pirate Rocket S.r.l. (VAT number 02644170033) and by Finanth S.r.l. (VAT number 13191250961), with legal address in Milan at Via Giovanni Battista Sammartini, 33, as Joint Controllers (hereinafter the "Joint Controllers") of the processing of personal data (hereinafter the "Processing").

a) The Processing in which you are listed as a "Data Subject" shall be carried out for the following purposes:

• sending commercial communications via email and/or by telephone, on the basis of art. 6, co. 1, lett. f) of the GDPR, that is the legitimate interest of the Joint Controllers, which intends to protect its rights and interests provided by the relevant provision of the Guarantor Authority;
• for newsletter sending, according to art. 6, co. 1, lett. a) of GDPR.

b) the Joint Controllers may communicate personal data to the following parties: c) the period of conservation of personal data is as follows:

• for the sending of commercial communications on the basis of the legitimate interest of the Joint Controllers and personal data will be kept for 5 (five) years;
• for newsletter sending the data will be kept for 5 (five) years;
• for tax purposes, personal data will be kept for a period of 10 years as prescribed by law.

d) personal data is stored in computer files located both inside and outside the European Union, if this is decisive for the achievement of the purposes set out in point (a). In the latter case, the Joint Controllers shall ensure that personal data is treated with the utmost confidentiality by undertakings outside the European Union in compliance with the adequacy decisions of the European Commission, or, if necessary, by concluding agreements ensuring an adequate level of protection;

e) personal data shall be processed in paper form, as well as by digital and telematic means of communication, without involving automated decision-making;

f) personal data shall not be disclosed to third parties not authorised to process them;

g) the Joint Controllers, in compliance with art. 32 of the GDPR, provide themselves with the appropriate security measures in relation to the Processing carried out, so as to guarantee the confidentiality, integrity and availability of the personal data, and requires the parties to whom such data is communicated to adopt the appropriate security measures in turn;

h) Data Subjects affected by the Processing, in accordance with art. 15 et seq. of the GDPR, are entitled to exercise the following rights:

• right to be informed that data processing is in progress concerning him/her and, if so, to have access to the personal data processed;
• right to rectification of personal data;
• right to erasure (right to be forgotten) of personal data concerning him/her;
• right to the restriction of the processing of personal data concerning him/her;
• right to data portability to receive, or have transmitted to another Controller, personal data concerning him/her in a structured, commonly used and machine-readable format;
• right to object to the processing of personal data;
• right to lodge a complaint with the competent authorities about a personal data processing breach.

Requests for the exercise of rights before the Joint Controllers, as well as any request relating to the Processing, may be made by e-mail to:

• [email protected]

The Data Subject may also, at any time, contact the DPO by sending an e-mail to the following address:

• [email protected]