INFORMATION ON THE PROCESSING OF PERSONAL DATA 

BELLANOVA VALERIA, in the person of its legal representative, with registered office in via Mariano Tuccella, 27, 47890, Italy/San Marino with company email address egosecret11@gmail.com, as data controller, informs you pursuant to art. 13 of Legislative Decree no. 196 of 30 June 2003 (hereinafter, the "Privacy Code") and art. 13 of EU Regulation no. 2016/679 (hereinafter, the "GDPR") that your data will be processed in the manner and for the following purposes: 

1. Introduction

The owner undertakes to guarantee the protection of your personal data.

With this notice, we wish to provide you with a clear and transparent overview of the information we collect and process about our customers as part of our contractual relationship.

In the following paragraphs, we will explain how we use your personal data, for what purposes, and for how long. We will also remind you how we guarantee your rights and compliance with data protection regulations.

2. Object of the Treatment 

The Data Controller processes personal, identifying data (for example, name, surname, company name, address, telephone number, email address, bank and payment details) hereinafter, "personal data" or also "data", communicated by you when entering into contracts for the Data Controller's services. 

3. Purpose of the processing 

Your personal data are processed: 

A) without your express consent (Article 24, letters a), b), and c) of the Privacy Code and Article 6, letters b), and e) of the GDPR), for the following Service Purposes: 

– conclude contracts for the Data Controller's services; 

– fulfill pre-contractual, contractual and tax obligations arising from existing relationships with you; 

– fulfill obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as for example in anti-money laundering matters); 

– exercise the rights of the Data Controller, for example the right to defense in court; 

B) Only with your specific and distinct consent (Articles 23 and 130 of the Privacy Code and Article 7 of the GDPR), for all the data referred to in Article 9 of the aforementioned GDPR.

4. Treatment methods  

Your personal data is processed using the operations indicated in Article 4 of the Privacy Code and Article 4(2) of the GDPR, specifically: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data. Your personal data is processed both on paper and electronically, including through data acquired through the website. The Data Controller will process personal data for the time necessary to fulfill the aforementioned purposes and in any case for no longer than 10 years after the termination of the relationship.

5. Data Access 

Your data may be made accessible for the purposes set out in Article 2: 

– to employees and collaborators of the Data Controller, in their capacity as persons in charge and/or internal data processors and/or system administrators; 

– to third-party companies or other entities (for example, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) that carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data processors. 

6. Data communication 

Without the need for express consent (pursuant to Article 24, letters a), b), and d) of the Privacy Code and Article 6, letters b) and c) of the GDPR), the Data Controller may communicate your data for the purposes referred to in Article 2.A) to supervisory bodies (such as IVASS), judicial authorities, insurance companies for the provision of insurance services, as well as to those parties to whom communication is required by law for the fulfillment of the aforementioned purposes. These parties will process the data in their capacity as independent data controllers. Your data will not be disclosed. 

7. Data transfer abroad

Currently not planned.

8. Rights of the interested party 

• Right of access – you have the right to obtain confirmation as to whether or not your data is being processed, as well as the right to receive any information relating to such processing. • Right to rectification – you have the right to obtain the rectification of your data if it is incomplete or inaccurate. • Right to erasure (so-called “right to be forgotten”) – in certain circumstances, you have the right to obtain the erasure of your data in our archives if it is not relevant to the continuation of the contractual relationship or

necessary by law. • Right to restriction of processing – under certain conditions, you have the right to obtain restriction of processing, if it is not relevant to the continuation of the contractual relationship or necessary by law. • Right to portability – you have the right to obtain the transfer of your data to a different controller. • Right to object – you have the right to object, at any time, for reasons relating to your particular situation, to the processing of data concerning you based on legitimate interest or the performance of a task carried out in the public interest or in the exercise of official authority, including profiling. • Right to withdraw consent – ​​you have the right to withdraw your consent – ​​where applicable – to the processing of your data at any time, without prejudice to the lawfulness of the processing based on consent before its withdrawal. • Right to lodge a complaint with the Supervisory Authority – you have the right to submit requests to exercise your rights at any time. In any case, if you wish to lodge a complaint regarding the way your data is processed, or regarding the handling of a complaint you have lodged, you have the right to submit a request directly to the Supervisory Authority.

9. European data protection legislation, in particular Regulation (EU) 2016/679 (GDPR), provides specific provisions for the processing of minors' personal data, with the aim of protecting their online privacy.

Minimum age for consent

• Minimum age of 16 : According to Article 8 of the GDPR, the processing of personal data of a minor is lawful if the minor is at least 16 years old.

• Possibility of national derogation : Member States may establish a lower age, provided it is not less than 13 years.

• In Italy : The Privacy Code establishes that only from the age of 14 can a minor independently express consent to the processing of his or her personal data. Personal Data Protection Authority .

Parental consent

• Requirement for consent : For minors under the minimum established age, it is necessary to obtain the explicit consent of their parents or legal guardians for the processing of personal data.

• Verification of consent : The data controller must take reasonable steps to verify that consent has been given or authorised by the holder of parental responsibility over the child, taking into account available technologies GDPR .

Application to e-commerce

• Data Collection : E-commerce sites that offer services directly to minors must ensure they obtain appropriate consent before collecting or processing their personal data.

• Protective measures : It is essential to implement adequate protective measures to ensure the safety of minors' data and comply with applicable regulations.

For further details and specific guidelines, it is advisable to consult the official website of the Italian Data Protection Authority.

How to exercise your rights 

You may exercise your rights at any time by sending a registered letter or an email to the owner at the addresses indicated in the narrative. 

The updated list of data processors is kept at the Data Controller's registered office.

ALSO DECLARES

■ that you have read the privacy policy and give your consent to carry out direct marketing activities, such as sending – including via email, SMS and MMS, telephone calls, sending communications by post – advertising material and communications with informative and/or promotional content in relation to the activities carried out by the Data Controller or its partners.