Privacy Policy
pursuant to Article 13 of Regulation (EU) 679/2016 - GDPR
Summary of Key Information
- Purpose of Processing: Handling requests, contractual and legal compliance, service improvement, newsletter distribution, and commercial communications.
- Legal Bases: Contract performance, legitimate interest, legal obligations, and explicit consent, illustrated with practical examples.
- Data Subject Rights: Access, rectification, deletion, objection, restriction, portability, and withdrawal of consent. Simplified online forms are available to facilitate the exercise of rights.
- Security and Retention: Technical and organizational measures compliant with international standards (e.g., ISO 27001, where applicable), with retention criteria periodically reviewed.
- International Transfers: Only carried out to countries or providers that ensure an adequate level of protection, with details on the guarantees implemented.
Users are encouraged to review the full document for further details.
1. General Information
In compliance with national regulations (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree 101/2018) and EU regulations (GDPR - Regulation (EU) No. 679/2016), this policy describes the processing of personal data of users of the website www.plottybot.com.
The policy is structured into two levels: an initial summary for quick understanding and a detailed section providing all technical and operational information.
This policy applies exclusively to the specified website and does not extend to other websites that may be linked via hyperlinks.
2. Data Controller
Surf Publishing S.r.l.
Via Rignano 17/B – 52011 Bibbiena (AR), Italy
VAT No. 02485200519 – REA AR 220177
Share Capital: €10,000
Email: privacy@plottybot.com
3. Types of Data Processed
The personal data collected is limited to what is strictly necessary for the use of the website and its related services, including:
- Browsing Data: Anonymous statistical information collected to improve the website’s functionality and user experience.
- Voluntarily Provided Data: Name, surname, email address, and expressed preferences (e.g., newsletter subscription).
- Data for Newsletter and Marketing Purposes: Email address and preferences regarding received content.
Automated Processing:
User data will not be subjected to automated decision-making processes, ensuring human involvement in processes that may have significant impacts.
4. Purpose and Legal Basis of Processing
The collected data will be processed for the following purposes, with practical examples illustrating the application of legal bases in daily operations:
Handling Requests and Contacts:
- Responding to user inquiries and requests.
- Legal basis: Contract performance and legitimate interest.
- Example: Using user-provided data to respond to a technical inquiry submitted via the contact form.
Contractual and Legal Compliance:
- Managing contractual relationships and fulfilling legal obligations.
- Legal basis: Contract performance and legal obligations.
- Example: Retaining data necessary for invoicing and accounting purposes.
Service Improvement:
- Optimizing user experience and website functionality.
- Legal basis: Legitimate interest.
Newsletter Distribution:
- Sending updates, news, and information related to the website and services offered.
- Legal basis: Contract performance and/or explicit consent.
Promotional and Commercial Communications:
- Sending promotional communications, offers, and other commercial messages related to products and services.
- Legal basis: Explicit consent.
5. Data Retention Logic
Data retention varies based on the purpose for which the data were collected and is periodically reviewed to minimize risks:
- Contractual Data and Data for Legal Obligations: Retained for the time necessary to manage the contractual relationship and comply with regulatory obligations, even beyond 24 months if required by law.
- Contact and Marketing Data: Retained for a maximum of 24 months from the last interaction, unless the user has explicitly consented otherwise.
Retention periods are determined taking into account contractual and regulatory obligations and operational needs, with a periodic review of associated risks.
6. Data Processing Methods and Security
Personal data are processed electronically and/or in paper form, adopting appropriate technical and organizational measures to ensure security and protection against unauthorized access, loss, destruction, or alteration.
Among the measures adopted are:
- Encryption: Protection of data in transit and at rest through advanced encryption techniques.
- Access Control: Limited and monitored access, reserved exclusively for authorized personnel.
- Periodic Backups: Regular execution of backups to ensure data recovery.
- Continuous Monitoring: Automated systems for detecting anomalies and suspicious activities.
Procedures in Case of Violation:
In the event of a data breach, the Data Controller will activate a protocol that includes:
- Timely Intervention: Identification and containment of the incident within 72 hours.
- Notification: Immediate communication to the competent authorities and affected users, in accordance with Articles 33 and 34 of the GDPR, using defined channels (e.g., email and website notices).
- Corrective Actions: Adoption of corrective measures to prevent recurrence of the incident, with detailed documentation of operational processes.
7. Data Access, Communication, and Transfer
Personal data will not be made public or accessible to unauthorized persons and will be shared only with specific parties for legitimate purposes. In particular, data may be accessible to:
- Employees and Collaborators of the Data Controller: Access reserved to authorized personnel (e.g., IT managers, customer service operators, system administrators), in full compliance with confidentiality.
- Competent Authorities: Data will be communicated to the authorities when required by law.
- Technical or Cloud Service Providers: Data may be shared with selected providers who meet high security standards and who, through specific contracts, undertake to protect the information.
Exercise of Rights:
Users can exercise the following rights by sending a request to the Data Controller via the indicated email address or using the contact form available on the website. To facilitate this process, simplified online forms are provided and can be consulted in the "Exercise Your Rights" section. Rights include:
- Access to Personal Data
- Rectification of Data
- Erasure of Data
- Objection to Processing
- Restriction of Processing
- Data Portability
- Withdrawal of Consent
8. International Transfers
If the processing involves the transfer of data to third countries, the Data Controller undertakes to:
- Verify Protection Guarantee: Transfers will be made exclusively to countries that guarantee an adequate level of data protection or, alternatively, through the adoption of standard contractual clauses approved at the community level.
- Provide Detailed Information: Where possible, a list of the main suppliers involved will be indicated and direct links to their respective Privacy Policies will be provided, to allow users to verify the guarantees adopted.
9. Accessible Language
This information is drafted in clear and simple language to ensure maximum comprehensibility even for less experienced users. To further facilitate understanding, a glossary of the technical terms used is available on the website.
10. Special Categories of Personal Data
Special categories of personal data (e.g., data relating to racial or ethnic origin, political opinions, or religious beliefs) will not be processed through our services. If the processing concerns special categories of data, the Data Controller will provide specific information regarding:
- The specific purposes of the processing;
- The additional security measures adopted;
- The legal basis and specific rights of users in relation to such data.
Our services are not intended for minors, and the collection or storage of such data is not included in the adopted policies.
11. Policy Updates
This Privacy Policy will be reviewed periodically, at least once a year or in the event of significant regulatory or operational changes.
Communication of Changes: Users will be clearly and promptly informed of any changes through notifications on the website and, if necessary, through dedicated communications via email.
Last updated date: 19.02.2025