/

Privacy policy

PRIVACY POLICY

INFORMATION FOR THE PROCESSING OF PERSONAL DATA
(Articles 13 and following of European Regulation 679/2016)

Dear data subject,

Oxygen S.R.L. is a company specialized in the field of Information Technology.

With this document (hereinafter referred to as the "Privacy Policy"), we aim to renew our commitment to ensuring that the processing of personal data collected through this website (hereinafter referred to as the "Website"), carried out in any manner, whether automated or manual, is fully compliant with the safeguards and rights recognized by Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR" or "Regulation") and other applicable regulations regarding the protection of personal data.

The term "personal data" refers to the definition contained in Article 4, point 1) of the Regulation, which states that "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (hereinafter referred to as "Personal Data").

The Regulation requires that, before proceeding with the processing of Personal Data – understood as any operation or set of operations performed with or without the use of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction – it is necessary for the person to whom such Personal Data belongs to be informed about the reasons why such data is required and how it will be used.

In this regard, this Privacy Policy – prepared based on the principle of transparency and all the elements required by Articles 13 and following of the Regulation – aims to provide you, in a simple and intuitive manner, with all the useful and necessary information so that you can provide your Personal Data knowingly and informed, and at any time, request clarification and/or rectification.

A. DATA CONTROLLER

The company that will process your Personal Data for the main purpose described in Section B of this Privacy Policy and will therefore act as the data controller, as defined in Article 4, point 7) of the Regulation, which states that the data controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" is:

- Oxygen S.R.L. (hereinafter referred to as the "Data Controller"), with registered office at Via Bellosguardo, 12, VAT number 16000861001, 00134 – Rome (RM) (hereinafter referred to as the "Registered Office").

B. PURPOSES
Your personal data is collected and processed by the Data Controller for purposes strictly related to the use of the Website and its informational services. Additionally, your personal data may also be used in various processing operations (such as storage, archiving, processing, etc.) that are compatible with these purposes. In particular, your personal data may be processed for the following purposes:
a) To respond to inquiries;
b) To enable the provision of services requested by you;
c) To comply with legal obligations;
d) To send promotional and direct marketing communications, including newsletters and market research.
The legal basis for the processing of personal data for the purposes described in points a), b), and c) is Article 6(1)(b) and (c) of the GDPR, as the processing is necessary to respond to the data subject's requests, provide the requested services, and fulfill a legal obligation of the Data Controller. The provision of personal data for these purposes is optional, but failure to provide such data may result in the inability to activate the services provided by the website or respond to requests.
The legal basis for the processing of personal data for the purpose described in point d) is Article 6(1)(f) of the GDPR. The Data Controller may carry out this activity based on its legitimate interests, regardless of your consent, and until your objection or limitation (as provided in Section G, point d) of this Privacy Policy) to such processing, as further explained in Consideration 47 of the Regulation, which considers it a legitimate interest to process personal data for direct marketing purposes. This will also be possible based on the assessments made by the Data Controller regarding the potential prevalence of your interests, rights, and fundamental freedoms requiring the protection of personal data over its legitimate interest in sending direct marketing communications.
Contact methods for direct marketing activities may be both automated and traditional. However, as better specified in Section G, you will have the option to withdraw your consent, even partially, for example by consenting only to traditional contact methods.
Regarding contact methods involving the use of your phone contacts, please note that the Data Controller's direct marketing activities will be carried out after verifying your possible registration with the Register of Oppositions, as established under the provisions of Legislative Decree September 7, 2010, No. 178 and subsequent amendments.
The personal data required for the above-mentioned purposes will be those indicated in the contact form, including but not limited to: name, surname, email address, and phone numbers.
C. RECIPIENTS TO WHOM YOUR PERSONAL DATA MAY BE DISCLOSED
Your personal data may be disclosed to specific recipients who are considered to be recipients of such personal data.
Indeed, Article 4, point 9) of the Regulation defines the recipient of personal data as "a natural or legal person, public authority, agency, or another body to whom the personal data are disclosed, whether a third party or not" (hereinafter referred to as the "Recipients").
In order to correctly carry out all the processing activities necessary to achieve the purposes described in this Privacy Policy, the following Recipients may be involved in the processing of your personal data:

• Third parties who carry out part of the processing activities and/or activities connected and instrumental to the same on behalf of the Data Controller. These parties have been appointed as data processors, which, according to Article 4, point 8) of the Regulation, means "a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller" (hereinafter referred to as the "Data Processor").
• Individual persons, employees, and/or collaborators of the Data Controller, who have been entrusted with specific and/or multiple processing activities related to your personal data. These individuals have been given specific instructions regarding the security and proper use of personal data and are defined, in accordance with Article 4, point 10) of the Regulation, as "persons authorized to process personal data under the direct authority of the Data Controller or the Data Processor" (hereinafter referred to as the "Authorized Persons").

If required by law or to prevent or suppress the commission of a crime, your personal data may be communicated to public entities or the judicial authority without being considered Recipients. In fact, according to Article 4, point 9) of the Regulation, "public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be considered recipients".

D. DATA RETENTION PERIOD

One of the principles applicable to the processing of your personal data concerns the limitation of the retention period, as regulated in Article 5(1)(e) of the Regulation, which states that "personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject."

In light of this principle, your personal data will be processed by the Data Controller only for the time necessary to achieve the purposes described in Section B of this Privacy Policy.

In particular, regarding the purposes described in Section B points a), b), and c), your personal data, subject to legal obligations, will be processed for a period of time equal to the minimum necessary, as indicated in Consideration 39 of the Regulation, which is 3 months from the contact request.

Regarding the processing carried out for the purpose described in Section B point d) of this Privacy Policy, the Data Controller may lawfully process your personal data for one year.

E. WITHDRAWAL OF CONSENT

As provided by the Regulation, if you have given your consent to the processing of your personal data for one or more purposes for which it was requested, you may revoke it in whole or in part at any time without affecting the lawfulness of the processing based on consent before its withdrawal.

The methods for revoking consent are very simple and intuitive. You just need to contact the Data Controller using the contact channels provided in this Privacy Policy, specifically in Section G point g).

G. RIGHTS

As provided in Article 15 of the Regulation, you have the right to access your personal data, request its rectification and updating if incomplete or inaccurate, request its erasure if the collection was made in violation of a law or regulation, as well as object to the processing for legitimate and specific reasons.

In particular, we hereby inform you of all your rights that you may exercise at any time against the Data Controller.

a. Right of access

You have the right, in accordance with Article 15(1) of the Regulation, to obtain from the Data Controller confirmation of whether or not your personal data is being processed and, if so, access to such personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom your personal data has been or will be disclosed, particularly recipients in third countries or international organizations; d) where possible, the envisaged retention period for the personal data or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You can find all this information within this Privacy Policy, which will always be available to you in the Privacy section of the Website.

b. Right to rectification

You can

obtain, in accordance with Article 16 of the Regulation, the rectification of your personal data that is inaccurate. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

c. Right to Erasure

You have the right, in accordance with Article 17(1) of the Regulation, to obtain the erasure of your personal data without undue delay, and the Data Controller shall have the obligation to erase your personal data if one of the following reasons applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) you have withdrawn your consent on which the processing is based, and there is no other legal ground for the processing; c) you have objected to the processing pursuant to Article 21(1) or (2) of the Regulation, and there are no overriding legitimate grounds for the processing; d) the personal data have been unlawfully processed; e) the erasure of personal data is required to comply with a legal obligation under EU or Member State law.

In some cases, as provided in Article 17(3) of the Regulation, the Data Controller is entitled not to proceed with the erasure of your personal data if their processing is necessary, for example, for the exercise of the right to freedom of expression and information, for the performance of a legal obligation, for reasons of public interest, for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, or for the establishment, exercise, or defense of legal claims.

d. Right to Restriction of Processing

You have the right to obtain the restriction of processing, in accordance with Article 18 of the Regulation, in the following cases: a) if you contest the accuracy of your personal data (the restriction will be in place for the period necessary for the Data Controller to verify the accuracy of the personal data); b) if the processing is unlawful, but you oppose the erasure of your personal data and request the restriction of their use instead; c) even if the Data Controller no longer needs the personal data for processing purposes, they are required for the establishment, exercise, or defense of legal claims; d) if you have objected to the processing pursuant to Article 21(1) of the Regulation, pending the verification whether the legitimate grounds of the Data Controller override yours.

In case of restriction of processing, your personal data will be processed, except for storage, only with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest. You will be informed before the restriction is lifted.

e. Right to Data Portability

You can, at any time, request and receive, in accordance with Article 20(1) of the Regulation, all your personal data processed by the Data Controller in a structured, commonly used, and machine-readable format or request their transmission to another data controller without hindrance. In this case, it is your responsibility to provide us with all the exact details of the new data controller to whom you intend to transfer your personal data, providing us with written authorization.

f. Right to Object

In accordance with Article 21(2) of the Regulation and as reiterated in Consideration 70, you can object, at any time, to the processing of your personal data when it is carried out for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.

g. Right to Lodge a Complaint with the Supervisory Authority

Without prejudice to your right to seek administrative or judicial remedies, if you believe that the processing of your personal data carried out by the Data Controller is in violation of the Regulation and/or the applicable law, you can lodge a complaint with the competent Supervisory Authority for the Protection of Personal Data.

To exercise all your rights as identified above, you simply need to contact the Data Controller using the following methods:
- Sending an

email to the email address info@toprent.app;
- Sending a registered letter to the legal address of Oxygen S.R.L.

H. DATA PROCESSING LOCATIONS

Your personal data will be processed by the Data Controller within the territory of the European Union.

If, for technical and/or operational reasons, it becomes necessary to involve entities located outside the European Union, we inform you in advance that such entities will be appointed as Data Processors in accordance with Article 28 of the Regulation, and the transfer of your personal data to such entities, limited to the performance of specific processing activities, will be regulated in accordance with the provisions of Chapter V of the Regulation.

All necessary precautions will be taken to ensure the total protection of your personal data, basing such transfers on: (a) adequacy decisions of the recipients' third countries expressed by the European Commission; (b) appropriate safeguards expressed by the third-party recipient in accordance with Article 46 of the Regulation; (c) the adoption of binding corporate rules; (d) the use of standard contractual clauses approved by the European Commission.

In any case, you can request further details from the Data Controller if your personal data has been processed outside the European Union by requesting evidence of the specific safeguards implemented.