Privacy Policy

Personal data protection notice pursuant to Art. 13 of EU Regulation 2016/679 (GDPR)

Last updated: March 2026

This notice describes how personal data is processed by EXSAFE S.r.l. as Data Controller, with reference to browsing the website www.exsafe.it, using the EXSAFE platform, and all contractual and pre-contractual relationships with clients, suppliers, partners, and candidates.

Personal data processing is carried out in compliance with the principles of lawfulness, fairness, and transparency set forth in Regulation (EU) 2016/679 (GDPR). By browsing this website and/or providing personal data, the user accepts the conditions described in this notice.

1. Data Controller

EXSAFE S.r.l.

Piazza Marconi n. 25/1, 45014 Porto Viro (RO), Italy

VAT No.: 01394280299

Business Registry: Rovigo

Share Capital: € 20,000 fully paid-up

E-mail: [email protected]

PEC: [email protected]

2. Data Processors

The Controller may engage external parties appointed as Data Processors pursuant to Art. 28 of the GDPR, including:

Accountant, for tax and accounting purposes
IT company, for system maintenance and updates
CRM provider, for data storage in management software
Marketing company, for email marketing services
Software house, for website and EXSAFE platform management
Hosting provider, for web service delivery
Email marketing service provider

3. Authorized Processing Personnel

Data recipients include: company employees managing the EXSAFE platform, administrative and commercial staff, and external collaborators (e.g., engineers). All have received appropriate instructions regarding personal data processing, pursuant to Art. 29 of the GDPR.

4. Disclosure of Data to Third Parties

Personal data is not disseminated but may be communicated to third parties as required by law or contract, in particular to:

Banks, for the fulfillment of payment obligations
Insurance companies, in the event of accidents or claims
Public entities and authorities, for mandatory regulatory compliance
Lawyers, law enforcement, and judicial authorities, in the event of disputes or unlawful conduct

5. Minors

This website does not offer services directly to individuals under fourteen years of age. Responsibility for any data collection from minors rests with parents or legal guardians. Any data from minors collected inadvertently will be deleted immediately.

6. Purposes and Legal Bases of Processing

6.1 Website Browsing

Purpose: To enable website browsing and the proper functioning of online services.

Legal basis: User consent (Art. 6(1)(a) GDPR) or legitimate interest of the Controller (Art. 6(1)(f) GDPR). For details on cookies, please refer to the Cookie Policy.

Retention: Browsing data is collected through implicit protocols and cookies; it is not directly identifiable unless associated with other data. For cookie retention periods, please refer to the Cookie Policy.

6.2 Clients and Partners – Quotes and Contracts

Purpose: Preparation of quotes, drafting and execution of contracts, database entry, issuance of fiscal documents, and all communications related to the contractual relationship.

Legal basis: Execution of pre-contractual and contractual measures (Art. 6(1)(b) GDPR).

Retention: Rejected quotes are deleted when disinterest is expressed. Accepted contracts are retained for a maximum of 10 years after termination of the contractual relationship, for tax and legal compliance.

6.3 Suppliers – Quotes and Contracts

Purpose: Evaluation of contractual opportunities, telephone and email contact, management of contractual activities.

Legal basis: Execution of pre-contractual and contractual measures (Art. 6(1)(b) GDPR).

Retention: Rejected quotes are retained for a maximum of 1 year. Accepted contracts are retained for a maximum of 10 years after termination of the relationship.

6.4 Compliance with Legal Obligations

Purpose: Compliance with tax, accounting, and regulatory obligations under national, European, and supranational legislation.

Legal basis: Fulfillment of a legal obligation to which the Controller is subject (Art. 6(1)(c) GDPR).

Retention: Retention depends on applicable legislation.

6.5 Establishment, Exercise, or Defense of Rights

Purpose: To establish, exercise, or defend the Controller's rights in judicial proceedings.

Legal basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR).

Retention: Data is retained only if there is a reasonable probability of judicial action, and in any case until a final judgment is rendered.

6.6 Information Requests and Technical Support

Purpose: To respond to information requests, technical support inquiries, or collaboration proposals submitted via the website's contact forms.

Legal basis: Execution of pre-contractual measures at the user's request (Art. 6(1)(b) GDPR).

Retention: Data is deleted upon completion of the requested service. If the relationship results in a contract, data is retained for a maximum of 10 years after termination of the contractual relationship.

6.7 Newsletter and Marketing Communications

Purpose: Sending advertising materials, commercial communications, offers, promotions, direct sales, market research, surveys, and industry updates.

Legal basis: Optional user consent (Art. 6(1)(a) GDPR); Art. 130(4) of the Italian Privacy Code for communications regarding similar services previously purchased; legitimate interest of the Controller (Art. 6(1)(f) GDPR, Recital 47). This processing is prohibited for users registered in the Opposition Registry.

Retention: Until consent is revoked or the right of objection is exercised pursuant to Art. 21 of the GDPR.

Consent given for automated systems (email, SMS, fax, social media, push notifications) also legitimizes the use of traditional methods (postal mail, operator calls). The user may object to any unwanted communication method.

6.8 EXSAFE Platform Registration

Purpose: To enable access to risk management questionnaires and online shopping on the EXSAFE platform.

Legal basis: Execution of pre-contractual or contractual measures (Art. 6(1)(b) GDPR) and user consent (Art. 6(1)(a) GDPR).

Retention: Questionnaire use only: 3 months. Product purchases: maximum 10 years after termination of the contractual relationship.

6.9 Online Purchases (E-commerce)

Purpose: Management of online product and service purchases.

Legal basis: Execution of contractual measures at the user's request (Art. 6(1)(b) GDPR).

Retention: Maximum 10 years after termination of the contractual relationship, for tax, legal, and accounting compliance.

6.10 Risk Management Service

Purpose: Execution of the risk management questionnaire and related services via the EXSAFE platform.

Legal basis: Contract execution (Art. 6(1)(b) GDPR).

Retention: Maximum 10 years after termination of the contractual relationship, for tax, legal, and accounting compliance.

Within this service, the data of the client company's employees is processed exclusively for service delivery. In this context, EXSAFE S.r.l. acts as a Data Processor pursuant to Art. 28 of the GDPR.

6.11 Job Applications and Recruitment

Purpose: Evaluation of the candidate's professional profile for potential employment.

Data collected: name, surname, email, phone, educational background, tax code, and any data from candidates under 18. Candidates are advised not to provide sensitive data (Art. 9 GDPR: health status, political opinions, criminal convictions). Judicial data (Art. 10 GDPR) is strictly prohibited.

Legal basis: Execution of pre-contractual measures at the user's request (Art. 6(1)(b) GDPR). Explicit consent is required for sensitive data.

Retention: Non-selected profiles: immediate deletion. Profiles of interest but not immediately needed: maximum 15 months. Hired candidates: according to the specific notice provided upon hiring.

Social media profiles are only considered if relevant and necessary for the job role (e.g., social media manager). Private-use profiles are not examined. Unsolicited CVs are not shared with third parties.

7. Processing Methods

Personal data processing is carried out using digital tools (email, certified email, online platforms, management software, CRM) and paper-based systems (printed documents, postal mail), in compliance with the security measures required by the GDPR.

Providing data is generally optional, except when necessary for the execution of contractual or legal obligations. Failure to provide data may result in the inability to use the requested services.

8. Data Transfers to Third Countries

The Controller commits not to disclose or transfer user data to countries outside the EU. Should a transfer become necessary, it will be carried out in compliance with the safeguards set out in Articles 44 et seq. of the GDPR. For information, contact: [email protected].

9. Data Subject Rights

As a data subject, the user providing personal data has the right to exercise the following rights under the GDPR:

Right of access (Art. 15 GDPR): Obtain confirmation from the Controller as to whether or not personal data is being processed and, if so, obtain access to such data.
Right to rectification (Art. 16 GDPR): Obtain rectification of inaccurate personal data or the completion of incomplete data.
Right to erasure (Art. 17 GDPR): Obtain the erasure of personal data in the cases provided for by the GDPR.
Right to restriction (Art. 18 GDPR): Obtain restriction of processing of personal data in the cases provided for by the GDPR.
Right to data portability (Art. 20 GDPR): Receive personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
Right to object (Art. 21 GDPR): Object at any time to the processing of personal data on legitimate grounds.
Right to withdraw consent (Art. 7 GDPR): Withdraw consent at any time, without affecting the lawfulness of processing based on consent given prior to withdrawal.
Right to lodge a complaint (Art. 77 GDPR): Lodge a complaint with the Data Protection Authority in the event of violations.

Requests may be addressed to the Data Controller, without any particular formality, at the following email address: [email protected]

10. Cookies

For detailed information on cookies used by the website, please refer to the Cookie Policy available in the website footer.

11. Changes to This Notice

This notice may be amended following the introduction of new regulations or changes to the services offered. Users are advised to periodically consult this page to check for any updates.