Privacy Policy

Privacy Policy – Cookies Policy

Foreword

In compliance with the relevant legal obligations, this page describes how the website is managed with regard to the processing of the personal data of users who navigate it and interact with the web services accessible by electronic means from the following URL addresses published on the web: https://alpac.it, https://alpac.ch, https://alpacfrance.fr, https://alpac.es, https://heltyair.com.

Topic Index

(you can navigate through the topics by positioning the mouse over the list and clicking on the relevant text)

Data controller. Data protection officer

Data types

Logics and forms of treatmen

Purpose of processing

Legal basis for processing

Compulsory or optional provision of data and consequences of failure to provide data

Withdrawal of consent

Other site features

Data Processors

Disclosure of data to third parties

Duration of treatment

Cookie policy

Rights of the data subject

Modification of the policy

Data controller. Data protection officer

The data controllers are:

• ALPAC S.R.L. (hereinafter ALPAC), with registered office in Via Lago di Costanza n. 27, – 36015 Schio (VI), e-mail: info@alpac.it in relation to the data of users of the sites https://alpac.it, https://alpac.ch, https://alpacfrance.fr, https://alpac.es.
• HELTY S.R.L. (hereinafter HELTY), with registered office in Via Lago di Vico, 50 – 36015 Schio (VI), e-mail: info@heltyair.com, in relation to the data of users of the website https://www.heltyair.com.

In particular, unless otherwise indicated in this notice, each company acts as an autonomous data controller. In relation to the data collected by the GUARD App, ALPAC acts as HELTY’s external data controller.

Each Data Controller has designated as DPO – DATA PROTECTION OFFICER the company PIRAMIS S.R.L., with registered office in Via Mantova, 267 – 25018 Montichiari (BS), e-mail: dpo@easygdpr.it, pec: easydpopiramis@legalmail.it.

Types of Data

The data we process can be of three general categories: navigation data, data provided in an active form by the data subject and data collected from third parties, as follows.

Navigation data

When you (including via mobile via smartphone or tablet) access this website or use our services, the computer systems and software procedures used to operate the site acquire, in the course of their normal operation, certain information about you that qualifies as “personal data”, the transmission of which is implicit in the use of Internet communication protocols.

These include the hardware model, operating system and version, information on the mobile network and the country from which access is made, the time of the request, the method used to submit the request to the server, the access time, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), details of the route followed within the web pages with particular reference to the pages visited and other parameters relating to the user’s operating system and computer environment (browser used, version, geographical location, last page visited).), the details of the itinerary followed within the web pages with particular reference to the pages visited and other parameters relating to the user’s operating system and computer environment (browser used, version, geographical location, last page visited before accessing the services of the Data Controller’s Site) and the unique device identifiers (e.g. the IP address or domain names of the computers used by the users, the address in URI – Uniform Resource Identifier notation, the MAC – Media Access Control address).

This is information that is not collected in order to be directly associated with identified data subjects, but which by its very nature could, in theory, through processing and association with data held by third parties (in particular, third-party providers of Internet connectivity services), allow users to be identified.

However, this data is only used by us to obtain statistical information in aggregate and anonymous form on the use of the site, to better understand the user’s browsing behaviour in order to offer the user a better browsing experience, to make possible the technical functionalities of the site, to control and optimise its operation, to improve the quality of the services offered by the site as well as to ensure the maintenance of the relevant database and the supporting IT infrastructure.

After such anonymous processing, this surfing data is deleted within 12 months from the date of collection.

Browsing data may also be used to ascertain liability in the event of offences against the Site or committed through the Site (malware attempts, spamming, unauthorised access to computer systems, etc.) and in such cases they are stored for as long as necessary to protect the rights of the Data Controller and/or third parties.

Data actively provided by the user

They are understood as such:

• information sent by users in an optional and voluntary manner by filling in online registration and/or data collection forms or on company blogs, published on the website (e.g. email address, subject of the email, name or company name, first name and surname, etc.);
• personal data provided by users to take advantage of services accessible on the Site or to participate in initiatives promoted through the Site;
• personal data provided by users who submit requests for clarification, news and/or information material;
• personal data provided by users who send us applications (‘curriculum vitae’, etc.).

Through the web forms available on the sites, we never ask you for ‘special’ personal data (i.e. personal data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions associations or organisations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sexual orientation) or ‘relating to offences, criminal convictions and security measures’ (data concerning criminal records, or relating to the status of accused or suspected person, etc.).).

In the use of some services of the Site, the processing of Personal Data of third parties sent by you to our Company may occur. With respect to such hypotheses, you act as autonomous data controller, assuming all the obligations and responsibilities of law. In this sense, you grant us the widest indemnity in respect of any dispute, claim, request for compensation for damages from processing, etc. that may be received by our Company from third parties whose Personal Data have been processed through your use of the functions of the Site in violation of the applicable laws on the protection of Personal Data.
In any case, should you provide or otherwise process Personal Data of third parties in the use of the Site, you warrant as of now – assuming all related liability – that this particular processing hypothesis is based on a suitable legal basis pursuant to Art. 6 of the Regulation that legitimises the processing of the data in question.

Data collected from third parties

Our company collects certain personal data of the data subject from third parties, in particular:

• through the service provided by the company HUBSPOT INC. (on which see below), starting from an email address provided by our Company, collects on the Internet in an automated way data such as name and surname, country, name or company name of the company, entity or other organisation to which it belongs, company role, postcode, registered office/residence, VAT and C.F. number, sector of activity of the company, email address, telephone number, subsequently used by our Company to commercially contact the interested party;
• by means of the LINKEDIN service provided by the company MICROSOFT CORPORATION (on which see below), which collects the data of users registered with the service itself, such as first name and surname, country, name or company name of the company, body or other organisation to which it belongs, company role, location/residence, sector of activity, CV, email address, telephone number, subsequently used by our Company to contact the interested party.

Logics and forms of treatmen

The logic and forms of organisation of processing will be strictly related to the individual purposes respectively indicated above. The processing will take place electronically, telematically and/or on paper. The data during processing are subject to protection measures activated by ALPAC and HELTY in order to guarantee the data themselves against the risk of authorised access or unauthorised processing, for example, they can only be consulted by having access, to the various application software, by typing in compulsory personal passwords, by authorised personnel only, who must in any case adhere to predetermined limits of use.

Purpose of processing

The processing of personal data has the following primary purposes:

• process user requests for support and contact, e.g. concerning the sending of information material or clarifications (bulletins, newsletters, answers to queries, notices, specifications, price lists, other documentation, etc.),
• manage user registration on the site and access to services included therein and/or the purchase of products/services,
• perform the service or supply the product requested by the user and organise all management and production activities instrumental to the aforesaid supply (including relations with suppliers, and the management of payments by credit card, bank transfer or other means),
• to fulfil obligations under the law, regulations and/or EU legislation (e.g. legal obligations related to or arising from the terminated contractual relationship with the data subject and/or the organisation to which the data subject belongs);
• carry out all activities necessary or useful for the constant improvement of the technical service provided by the site, and
• for ascertaining liability and defending the rights of the Data Controller in the event of offences against the Site and/or unlawful acts committed through the Site.

The data collected will also be processed for the secondary purposes of:

• Direct marketing (execution of market surveys, sending of commercial and promotional communications, newsletters, through any automated means of communication – email, telephone with operator, sms, chat messages, social networks, etc.) or non-automated (ordinary mail); processing will only take place with the prior consent of the data subject (collected through specific on-line and/or paper forms); consent is always optional (see below).
• Basic profiling (i.e. analysis, also predictive, of substantial information:
• in the case of internal contact persons of our client or prospective client companies: name and surname of the data subject, name and sector of the organisation to which the data subject belongs, role, contact details such as the headquarters of the organisation to which the data subject belongs, the organisation’s email and telephone numbers, topics of professional or economic interest, participation of the data subject in events organised by us and/or our partners);
• in the case of consumers or sole proprietorships: first name and surname of the data subject, contact data such as residence or domicile, email and work or private telephone numbers, economic or product sector of activity, subjects of professional or economic interest, participation of the data subject in events organised by us and/or our partners).

The processing of basic profiling takes place without the need for the prior consent of the data subject (for the reasons set out in more detail in the section ‘Legal basis for processing’ below).

• Extended profiling (i.e. other than basic).

Processing is only carried out with the consent of the data subject. Consent is always free (see below). In this case we process the data you communicate to us when you use our services (e.g. type, price, date and frequency of purchase of the products/services you have purchased online or offline) also by associating them with:

1. – data from your navigation on our websites or social pages,
2. – data related to the use of services provided by the site (e.g. cookies, logs of access to services or relating to payments)
3. – data collected through other social communication channels;
4. – other data such as age, gender, economic-professional topics of interest, composition of your household.

The purpose of this activity is twofold: to better understand customers, both as groups and as individuals, and to analyse marketing effectiveness in order to develop and update products, services and offers in line with the preferences of our target groups.

The purpose of profiling is to align the services and goods we offer with current and potential demand, measure the results of specific promotions, take corrective action to improve business results (e.g. by reducing the risk of investing resources in marginal subject areas for the target audience) and the effectiveness of business processes (e.g. by ascertaining how many messages and promotional content we have sent you have been viewed and clicked on by you), limit the sending of promotional communications that are not relevant to your likely expectations and needs or through channels you do not like).

This means that we do not send the same offers to all interested parties, and we may send you advertising communications as close as possible to your tastes and interests or preferences, or through your preferred contact methods, improving your shopping experience, even to your own benefit.

Furthermore, if you consent to extended profiling, we use the data to advertise our services and products on social media to other people who have a similar profile to yours and who may therefore be the most interested in what we offer. However, we do not know the names of such persons.

Profiling does not result in your exclusion from specific benefits or from the possibility of freely exercising your rights in relation to the personal data we process; in particular, it does not affect the possibility for you to use our ordinary services (e.g. online pre-registration, purchase of services).

Any specific and/or further purposes relating to the individual processing operations may be identified in detail from time to time, by means of supplementary information, within the framework of the various services included in the portal.

Legal basis for processing

ALPAC/HELTY may lawfully process data for the following reasons:

• In the case of primary purposes, processing is based on the need, as the case may be, to implement pre-contractual measures taken at the request of the data subject (e.g. requests for clarifications, sending of information or commercial offers), the performance of a contract to which the data subject is a party, or to fulfil a legal or regulatory obligation of ours (e.g. to allow us to verify the correct fulfilment of legal and contractual obligations towards the data subject or third parties by administrative and tax authorities, the board of auditors or auditors, etc.) and/or based on legitimate grounds. to allow verification of the correct fulfilment of legal and contractual obligations towards the data subject or towards third parties by administrative and tax authorities, the board of auditors or auditors, etc.) and/or based on legitimate interest:

(a) of our company (overriding the interests or fundamental rights and freedoms of the data subject) to process the data in order to be able to effectively and efficiently manage the relationship with its users, customers and/or suppliers and to organise the relevant production, organisational and management processes (including the relationships with its sub-suppliers and/or with parent, subsidiary or associated companies pursuant to Article 2359 of the Italian Civil Code or with companies subject to joint control) aimed at enabling this objective; and/or

1. b) of third parties, to receive from the Data Controller and/or process personal data i) for the purpose of verifying the proper fulfilment of legal and contractual obligations existing towards the data subject or towards third parties (e.g. verification by the public authority regarding the fulfilment of tax obligations, or by the board of statutory auditors or auditors regarding the fulfilment of legal obligations, etc.) or ii) in order to be able to manage activities related to the request of the Data Controller to receive support for managing activities towards data subjects

• In the case of secondary purposes (direct marketing, profiling), processing is based:

1. a) in relation to direct marketing to customers operated exclusively by sending e-mails/newsletters only to promote goods or services similar to those that you may have already purchased: on our legitimate interest in promoting our products and/or services to current customers (so-called soft spam);
2. b) in relation to direct marketing to customers operated exclusively by sending e-mails/newsletters, to promote our goods or services other than those you may have already purchased: on your prior specific consent to the processing for this purpose, not subsequently revoked;
3. c) in relation to direct marketing to customers by automated means other than email/newsletters (e.g. text messaging, social messaging, instant messaging such as Whatsapp, etc.): on your prior specific consent to the processing for this purpose, not subsequently revoked;
4. d) in relation to basic profiling, on our legitimate interest in having a minimum set of information to plan direct marketing actions both towards potential customers and towards people who are already our customers;
5. e) in relation to extended profiling: on your prior consent to processing for that purpose, not subsequently revoked.

You must give or withhold your consent, separately, respectively for (i) the processing by us, and (ii) the communication of the data by us to third party independent data controllers for the same purposes.

In the event that the third parties to which we transmit the data are companies of the same Group to which the Data Controller belongs, for internal administrative purposes, and for the coordination of the relevant administrative, management and marketing activities, such communication constitutes a legitimate interest of the Data Controller and of the company receiving the data from it.

Compulsory or optional provision of data and consequences of failure to provide data

In the case of data processing for the fulfilment of legal and regulatory obligations, the provision of data by the data subject is mandatory and failure to provide such data will result in the impossibility of entering into the contract with you and/or the organisation to which you belong and/or performing the activities to which the aforementioned obligations relate.

In the case of processing for other purposes, you are free not to provide us with the data, but in that case this will make it impossible to carry out pre-contractual relations, and/or the provision of services or the sale of products for which the Data Controller requires the data to be provided.

Non-registered users may browse the Site and view only the content and material available without registration.

In relation to those secondary purposes which require your prior consent (direct marketing, extended profiling) as well as, separately, for the purposes of our disclosure of the data to third parties who process them for those same purposes in a capacity other than as our data processor:

• your consent is always optional (free and negotiable);
• failure to provide or consent to the processing will prevent us from processing and/or, respectively, communicating the data to third parties for such secondary purposes, while it will not interfere with our existing relationship with you or your organisation.

Are there cases of simplified consent or exceptions to the requirement of consent for direct marketing purposes?

As allowed by the General Provision of the Privacy Guarantor of 15.05.2013 – “Consent to the processing of personal data for the purpose of ‘direct marketing’ through traditional and automated means of contact“), the consent requested from you for the sub-purposes of direct marketing is unitary and comprehensive for all possible channels used by us (electronic, paper, postal) as well as for all possible sub-purposes of direct marketing (you do not need to provide us with multiple consents for each separate marketing purpose).

Does the data subject’s consent to processing for direct marketing and extended profiling purposes also apply to the disclosure of data to third parties?

We disclose some of your data to other companies in our corporate group or to third parties who by contract and in their capacity as “data processors” are delegated to process the data on our behalf and under our supervision. In this case, the communication is made because of a legitimate interest of the data Data Controller in the exchange of intra-group information, or the third parties validly use the same consent (including the consent to communicate to third parties for such purposes) already given by you to us.

We can also, but only with your separate, additional, express and optional consent, disclose or transfer the data to third parties (as a rule third party partners in the promotion of Events) who process them as co-owners or autonomous owners for the purpose of direct marketing and/or extended profiling).

How do we use telephone numbers?

We may process personal data, by means of telephone calls with an operator and the use of ordinary mail, for the aforementioned secondary purposes, without the prior specific consent of the data subject (in which case the data subject’s right to object to the processing by simplified means, including by telematic means, by entering the telephone number of which the data subject is the holder and other personal data relating to subscribers in the paper and electronic directories available to the public, in the Public Objections Register (http://www.registrodelleopposizioni.it/) provided for by Presidential Decree No. 178/2010).

NB: When we ask you – for direct marketing purposes – for your telephone number and you provide us with optional and specific consent to its use, we may use it to call you even if the telephone number is registered by you in the Public Objections Register, as the number in that case is not taken from public telephone directories.

Withdrawal of consent

Even after you have given your consent to data processing for profiling and direct marketing purposes, as a data subject you may at any time notify the Data Controller of a different intention by one of the following alternatives:

• by clicking on the “unsubscribe/unsubscribe” button, made available to the user at the bottom of the promotional e-mails sent to the data subject, an e-mail will automatically be sent to the Data Controller and consequently the data subject’s name will be black-listed, preventing any further future direct marketing actions by the Data Controller against the data subject;
• by transmitting to the Data Controller by ordinary mail or email his declaration of withdrawal of consent (which in this case will be manually recorded in the Company’s CRM). This method of communication is always necessary in the event that the data subject wishes to express a more analytical selective will, either with regard to the use of certain individual means and not others (e.g. paper only, electronic only, refusing those sent by automated systems, etc.) for the receipt, subject to consent, of marketing communications from ALPAC/HELTY, or with regard to individual marketing purposes among those actually possible (choosing, for example, to receive only newsletters and not sent to our Events);
• by sending a clear telephone notice of revocation of consent to the Data Controller without formalities. Upon receipt of such an opt-out request, the Data Controller shall proceed to remove and delete the data from the databases used for processing for direct marketing purposes and, where possible, shall inform any third parties to whom the data have been disclosed for the same purposes of such deletion.

The mere receipt of the cancellation request will automatically count as confirmation of cancellation.

• If, on the other hand, you wish to revoke consent to any advertising communications that come to you from social channels (e.g. Facebook, Twitter, etc.), you will have to communicate your revocation directly to the individual social platform, according to the methods made available from time to time by the same and/or by the browser that you use (since our Company is not technically able to influence third-party social platforms to this end).

The aforementioned objection will have no consequence on the disbursement of any ongoing contract activities.

Other site features

Downloading e-books, whitepapers and other similar descriptive materials

The Owner may make documents such as e-books, white papers and other similar materials available for download from the Site. On this occasion the user is asked to provide certain data and consent to the processing for marketing purposes, in exchange for the right to download the document. This is therefore a real contract between the Data Controller and the interested party concerning the use of the aforementioned document download service, and whose economic consideration to be borne by the user, although not expressly stated, consists of the value of the personal data communicated to the Data Controller on the occasion by the user. Consent is therefore optional (it may be freely withheld), but failure to consent prevents the user from making use of the specific service mentioned.

Air Guard App

HELTY makes available through the online stores GOOGLE PLAY and APPLE PLAY the app called AIR GUARD (branded, according to the type of product model, HELTY, ALPAC or with the name of the client of HELTY that distributes HELTY’s products or those of such other companies (hereinafter the “App”), connected to a cloud server of the Holder.

The App ensures the purpose of product warranty management, and allows the end user to access technical services related to the product (remote user checks on the product, technical error messages, other alerts, etc.).

During the registration of the purchaser, exclusively in the case of a HELTY or ALPAC branded product, the App collects the following information, which may constitute personal data: language, first and last name, e-mail address, CPA (the provision of which is mandatory), and as optional, the telephone number and a freely editable message text. If you refuse to provide the mandatory information, you will not be able to use the App and the services provided through it.

The data will be processed for the performance of the contract with the data subject (including the fulfilment of related regulatory obligations) and for basic buyer profiling purposes, in particular to customise commercial offers based on the location/residence of the end user.

The data will be communicated to the company HUBSPOT INC. and to third party suppliers for the purposes and within the limits better indicated in the section “Communication of data to third parties” contained in this information notice. The data, limited to the purchasers of the respective product models to which the App refers from time to time, will be communicated to the company ALPAC  S.r.l. which will process them for the same purposes, as autonomous owner.

HCloud App

HELTY makes available to end-users, via the online stores GOOGLE PLAY and APPLE PLAY, the app called HCLOUD (branded, according to the type of product model, HELTY, ALPAC or with the name of the client of HELTY that distributes HELTY’s products or those of such other companies (hereinafter the “App”). The App allows the end user to access technical services related to the product (remote user controls on the product).

During the registration of the purchaser, exclusively in the case of a HELTY or ALPAC branded product, the App collects the following personal data: language, first and last name, e-mail address, CPA (the provision of which is compulsory), and as optional, geographical location (the accuracy of which is not checked by the Owner), telephone number, a photo and a freely editable message text. In the event of refusal to provide the mandatory information, it will not be possible to use the App and the services provided through it.

The HCLOUD App also collects, also via application logs, technical data on operation, including related

anomalies, of the products installed at the end customer’s premises, via the VMC gateway (type, variant and product serial number, indoor and outdoor air temperature, humidity, CO2, VOC, quantity of filtered air, system on/off status and set speed). This data is associated with the customer master data, and the dealer associated with the product, for the following purposes:

1. a) management of the after-sales technical service connected with the legal and contractual warranty relating to the product, and the sending of malfunctioning alerts or alerts relating to the expiry of periodic product maintenance deadlines by the Data Controller to the customer;

(b) communication to the customer of offers for product maintenance services and products (including the basic classification of buyers, in particular to tailor offers according to the location/residence of the end user);

(c) after anonymisation, research and development purposes aimed at the continuous improvement of the Data Controller’s products and services.

The legal basis for purposes sub a) is the need to fulfil contractual and legal obligations.

Legal basis of the purpose sub b) is the legitimate interest of the Data Controller to keep in touch with the end customer to update him/her on offers of products and services similar to those already purchased (subject to the customer’s right to object). Legal basis of the purpose sub c) is the legitimate interest of the Data Controller to develop and research and continuous improvement of the functional characteristics of its products and services.

The data will be communicated to the company HUBSPOT INC and to third-party suppliers (including third-party installers, who will place

send to, receive from the end customer any notifications) for the purposes and within the limits set out in greater detail in the section “Disclosure of data to third parties” contained in this notice.

The data, limited to the purchasers of the respective product models to which the App refers from time to time, shall be communicated to the company ALPAC  S.r.l., which shall process them for the same purposes, as autonomous owner, and to the company EQUDADRO Srl, which shall process them as manager.

The data will be retained for no longer than 10 years from the termination of the relationship for the purpose under a), until the end customer objects for the purpose under b) and indefinitely for the purpose under c).

Product registration for warranty purposes

The customer who purchases products from the Owner’s third-party resellers receives a QR Code that links him/her to a landing page through which he/she can register online using the “Register your product” form to take advantage of product warranty conditions that are more favourable than the basic warranty (e.g. 1-year extension of the legal warranty). On this occasion, the user is asked to provide certain data and consent to processing for direct marketing purposes. This is therefore a real contract between the Data Controller and the data subject concerning the use of the aforementioned document download service, and whose economic consideration to be borne by the user consists of the value of the personal data communicated to the Data Controller on that occasion by the user. Consent is therefore optional (it may be freely withheld), but failure to consent prevents the user from making use of the specific service mentioned.

Typeform

The website contains forms/questionnaires to collect data from private users, such as name and contact details (city, tel, email), the type of building, state of insulation/heating, type of technical requirement, satisfaction with the VMC solution and purchase motivations with respect to the technical problem to be solved, the building plan (from which the user must first delete the address of the building and hence of the dwelling, as well as any other information on cadastral consistency or the like, not strictly necessary for the drawing up of the technical assessment and consequent customised offer by the Data Controller). The processing under consideration involves a basic type of profiling of personal data, which is functional for the above-mentioned purposes.

The online questionnaire is managed via cloud functionality by the third-party cloud provider TYPEFORM S.L., with headquarters and data centre in Spain (EU). See the TYPEFORM privacy policy at https://admin.typeform.com/to/dwk6gt.

Hotjar

The website contains tracking/analytics features provided by the third-party provider HOTJAR, based in Malta (EU), to create attention maps designed to show how users pay attention to content on the site. See HOTJAR’s privacy policy at the link: https://www.hotjar.com/legal/policies/privacy/.

Events and Webinars

The personal data provided by you will be processed, by paper and electronic means, by ALPAC/HELTY, for the purposes of (a) registering you for and participating in ALPAC/HELTY seminars, webinars and other events; (b) sending you information about subsequent and similar activities organised by the Data Controller and/or its third party partners; (c) only with your consent, for so-called “direct marketing” activities (sending newsletters, commercial communications, promotional and advertising materials by email, telephone with operator, sms, Whatsapp-type messages, social networks, or by ordinary mail to your physical address).d) “direct marketing” (sending of newsletters, commercial communications, promotional and advertising materials by email, telephone with operator, sms, Whatsapp-type messages, social networks, or by ordinary mail to your physical address, as well as, also in the absence of your prior specific consent, for d) basic profiling purposes (as defined above).

The legal basis of the processing for purposes (a), (b) and (d) is the legitimate interest of the Data Controller in managing the data subject’s requests, keeping him/her informed about ALPAC/HELTY’s training activities, as well as having an elementary profile of him/her that is useful for directing marketing actions. The legal basis of the processing for the purpose sub (c) is instead the prior specific consent of the data subject (consent, however, not necessary if you have already communicated it to ALPAC/HELTY on a previous occasion for the same purposes; moreover, it is not necessary if you are already an ALPAC/HELTY customer, without prejudice to your right to inform us at any time of any objection to further processing for the same purposes.

The provision of the data – and the consent of the data subject to the processing sub c) – are optional. Failure to provide data for the purpose sub a) will make it impossible for ALPAC/HELTY to process the data subject’s request. Conversely, failure to provide separate and specific consent for the purpose sub c) will only result in the impossibility for the Data Controller to send direct marketing communications, but will not affect your right to participate in the event in which you have requested to be registered.

The data may be communicated to: i) other natural or legal persons in charge of the technical or organisational management of the aforesaid services (e.g. direct e-mailing companies, ii) companies providing videoconferencing services, iii) maintainers of the Data Controller’s databases and systems, iv) web marketing companies appointed to provide consultancy to the Data Controller, for the same purposes, as well as to parties to whom communication is necessary to fulfil legislative and/or regulatory obligations connected therewith.

The data will be processed for the following duration: for the purposes under (a) until your request has been processed and until the Owner’s civil and tax obligations connected to the provision of our services have been fulfilled; for the purposes under (c) until your possible subsequent withdrawal of consent to the direct marketing purposes by the data subject, without prejudice to the lawfulness of the processing carried out previously; for the purposes under (b) and (d) until your possible objection.

Data Processors

The data collected are processed by the Data Controller’s internal delegates who need to have knowledge of them in the course of their activities (e.g. sales office, marketing office, administrative office, call centre, technical staff for the maintenance of the company computer system, etc.).

The Data Controller has also appointed as data processors certain third parties to whom the Company discloses data.

Communication of data to third parties

The data collected are processed by the internal delegates of ALPAC/HELTY who need to have knowledge of them in order to carry out their activities (e.g. sales department, marketing department, administrative department, technicians for the maintenance of the company computer system, etc.).

ALPAC/HELTY only communicates your personal data to third party recipients when this is necessary and functional to achieve the data processing purpose pursued in relation to the service or product you have requested, and in any case only after having informed you and, where necessary, obtained your consent to do so. Communication to third parties will always be limited to the data strictly necessary for the respective purposes.

I terzi destinatari dei dati – di seguito meglio individuati – tratteranno i dati, secondo il caso, a) in veste di “responsabili esterni” (cioè per ns. conto e in base a ns. direttive scritte dirette a garantire il rispetto della normativa privacy durante il trattamento e sotto la ns. supervision), or b) in their capacity as joint data controllers (i.e. on the basis of a written agreement regulating their respective activities and responsibilities in relation to the personal data), or as autonomous controllers (in which case they will provide the data subject with all the necessary legal information on the respective processing, unless they are bound by professional secrecy under the applicable legislation).

Within the scope of the primary purposes and in particular when the data subject enters into a contract with our company, the data may be communicated by ALPAC/HELTY to all third parties whose intervention in the processing is useful on the basis of the services requested by the data subject and/or legal obligations or obligations deriving from regulations or other EU legislation, for example: parent companies, subsidiaries or affiliates of ALPAC/HELTY and/or third party partners who carry out activities that are functional or complementary to the supply of products or services requested by the data subject (e.g. management of requests for information, estimates, orders, contracts, after-sales service, third parties responsible for carrying out activities connected and/or instrumental to the processing (such as commercial agents, banks for managing collections and payments, etc.). management of requests for information, quotations, orders, contracts, after-sales), third parties tasked with carrying out activities connected with and/or instrumental to the processing (such as commercial agents, banks for the management of collections and payments, commercial information companies, debt collection companies, credit transfer companies, companies providing electronic payment services, couriers, carriers and forwarding agents, factoring companies, insurance companies, lawyers and law firms, accountants, auditors and auditing firms, members of supervisory bodies pursuant to Legislative Decree 231/2001 in relation to the processing of personal data, and members of the supervisory body pursuant to Legislative Decree 231/2001 in relation to the processing of personal data).Legislative Decree 231/2001 in relation to organisational models aimed at preventing the commission of certain categories of offences, statutory auditors, third parties appointed to carry out web hosting services and/or maintenance of this website and/or the computer systems used by it and/or the electronic archives connected to the site; carriers and forwarding agents appointed to transport goods; public security authorities and computer forensics companies in the event of requests relating to criminal and civil investigations and/or suspected offences or other abuses or offences committed to the detriment of ALPAC/HELTY and/or third parties.

In the case of processing for secondary purposes (profiling, direct marketing), in accordance with the General Provision of the Guarantor of 4 July 2013 containing the “Guidelines for combating spam” we inform you that we will also communicate the data – subject to your specific prior consent, on which see below – to the following product or economic categories of third party recipients: companies controlled by or connected to ALPAC/HELTY, advertising agencies, marketing analysis companies, communication and/or public relations companies and/or public authorities. specific prior consent, on which see below – also to the following categories of third-party recipients: companies controlled by or connected to ALPAC/HELTY, advertising agencies, marketing analysis companies, communication and/or public relations companies, companies in charge of the design, printing and maintenance of advertising or promotional publishing materials and/or their on-line management, website production companies, web marketing companies, direct e-mailing service companies (e.g. Mail-up or similar), consultants and/or other entities to which we entrust functional activities for such purposes; companies in charge of maintaining the computer systems on which our databases reside or through which they are processed; suppliers of electronic communication and ICT services; third party commercial partners with whom ALPAC/HELTY activates any co-marketing actions (e.g. influencers, retailers, training companies, agents).

The data will not be disseminated.

Social Channels

The owner operates the following social channels:

Social network functionalities and co-ownership of processing

Our website may use Social Network Features, such as the Instagram “like” button, and other sharing widgets (“Social Network Features”), which may allow you to:

• publish information about the user’s activities on the website on external platforms and social networks, or
• click ‘like’ on content shared on such platforms by the Data Controller, or
• highlight information that we have published on the site or on the Data Controller’s official pages in social networks.

Social Network Features can be hosted by each individual social platform or directly on our website. In the former case, if you click on Social Network Features hosted on our website, the platform may receive information showing that you have visited our sites.

If you are logged into your social account, it is also possible that the social network can link your visit to our website with your social network profile.

Our website may also allow you to login to it using authentication services (e.g. Facebook Connect). These services authenticate your identity and provide you with the option of sharing certain Personal Data from these services such as your name and e-mail address with us to pre-fill our login form.

The Data Controller may also share some data (name, surname, e-mail) with third party social media platforms (e.g. Facebook, Google) that use them for the sole purpose of identifying other people similar to the user who may be interested in our services and/or products, in order to advertise them via social media platforms. More information on remarketing policies (behavioural advertising) can be found in our Cookie Policy.

In relation only to the operations of collection on our website and automatic transmission to the social platforms of the personal data of the user of our website, whether registered or not on the same social platforms, the Data Controller assumes the role of co-processor within the meaning of Article 26 of the GDPR.

With regard to the Instagram pages https://www.instagram.com/alpac_monoblocchi/ and https://www.instagram.com/heltyair/?hl=it, the Data Controller is also Co-Processor of the statistical data jointly with Facebook Ireland Limited (‘Facebook Ireland’).

For its social Pages (e.g. https://www.facebook.com/alpacofficial), Facebook offers Page Insights, a function that provides aggregated data to help understand how people interact with Facebook Pages.

With regard to the Facebook page, ALPAC/HELTY is Co-Processor of the statistical data together with Facebook Ireland.

At this link you can consult the appendix on the data Data Controller for Facebook Page Insights, which indicates the division of responsibilities between Facebook Ireland and the data Data Controller as administrator of the pages https://www.facebook.com/alpacofficial, https://www.facebook.com/Alpacfranceofficial and https://it.facebook.com/HeltyOfficial/.

At this link you can read Facebook’s Privacy Policy. You can read Facebook’s Cookie Policy at this link.

Your interactions with the Social Network Features are governed both by this policy (limited to the processing as above under co-ownership) and by the policy published on each individual Social Platform (for any aspect of the processing of personal data not included in the above co-ownership regime).

Data transfer abroad

Part of the processing may take place in foreign countries, within or outside the EU, to the extent that a transfer to suppliers with data centres or offices in those countries takes place (e.g. for the purpose of technical operation of the site and the technical operation of the database or for the purpose of managing direct marketing and profiling activities related thereto in various ways).

The cloud providers with headquarters or datacentres outside the EU used by the Data Controller (so-called ‘importers’ of personal data) are the following:

• The Rocket Science Group, LLC, headquartered at The Rocket Science Group, LLC 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 (Georgia – U.S.A.), which operates on behalf of the owner the Mailchimp address management and email messaging service, which uses a database of email contacts, telephone contacts, or other contacts to send bulk email communications (e.g., newsletters, offers, and other commercial communications). This service may also collect data on the date and time the user views the messages, as well as the user’s interaction with them, such as information on clicks on links in the messages. See MAILCHIMP’s privacy policy at the URL www.mailchimp.com/privacy/
• Microsoft Corporation, headquartered at 1 Microsoft Way, Redmond, WA 98052, USA, which operates the service called LINKEDIN. You can view Microsoft Corporation’s privacy policy at the following address: https://privacy.microsoft.com/it-it/privacystatement. Microsoft Corporation participates in the Privacy Shield mechanism. You can view Microsoft Corporation’s privacy policy at the following address: https://privacy.microsoft.com/it-it/privacystatement.
• Google Inc., headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043 – USA, as provider of the “G-SUITE” services (e.g. e-mail, video conferencing services “Meet”), editing/document storage “Google Drive”). It is possible that data may be transferred from the EU to the USA on a non-occasional basis. See the Privacy Policy “CURRENT DATA TRANSFER REGULATIONS” at https://policies.google.com/privacy/frameworks?hl=it.
• HubSpot Inc., headquartered at 25 First Street, 2nd Floor, Cambridge, MA 02141, USA, a CRM (‘customer relationship management’) service provider. https://legal.hubspot.com/privacy-policy
• Momentive Inc., located at 1 Curiosity Way, San Mateo, California 94403, USA, provider of the online survey service SURVEYMONKEY. https://it.surveymonkey.com/mp/legal/privacy/
• Meta Platforms, Inc. (‘Meta’), headquartered in Menlo Park – San Francisco Bay, California (USA), which provides the social networking services Facebook and Instagram, the instant messaging services WhatsApp and Messenger. https://about.facebook.com/actions/protecting-privacy-and-security/
• Visa INC. headquartered at Visa Global Privacy Office 900 Metro Center Blvd. Foster City, CA, 94404 USA. Personal data may be transferred to other countries, which may not have similar privacy or data protection laws. However, your data will be protected as described in the following Privacy Policy: https://www.visaitalia.com/termini-di-utilizzo/informativa-sulla-privacy-globale-di-visa.html
• Mastercard Europe SA – Italian branch and Mastercard Incorporated based in 18, Piazza del Popolo – 00187 Rome (RM) is authorized by the Guarantor pursuant to art. 44, paragraph 1, lett. a) of the GDPR to transfer, within the Mastercard Group, the personal data relating to the categories of data subjects from Italy to entities belonging to the Mastercard Group based in non-EU countries, according to the modalities set forth in the Binding Corporate Rules BCR MASTERCARD FOR CONTROLLER and for the sole purpose stated therein; registered office of Mastercard USA: Miami, FL 33131 USA. https://www.mastercard.it/it-it/vision/essere-azienda-responsabile/privacy.html
• Apple Distribution International Limited – Ireland, based in Hollyhill Industrial Estate Hollyhill Cork, IRELAND. https://www.apple.com/it/legal/privacy/
• Apple Payments Inc. (USA). Personal information may be transferred to or accessed by entities around the world, including companies affiliated with Apple, to perform processing activities. The Apple entity that controls your personal information may differ depending on where you are located. If you are not located in the US, your personal information may be processed by Apple Inc. and other Apple affiliated companies on behalf of the Apple entity that controls the personal information for your jurisdiction. https://www.apple.com/legal/privacy/
• American Express Italia Srl (American Express Group), with registered office in Viale Alexandre Gustave Eiffel n. 15, 00148, Rome (Italy) may transfer the data subject’s data to non-EU/EEA countries where the main operational data centres are located), e.g. to the World Financial Center, 200 Vesey St, New York, NY 10285, USA. Standard contractual clauses are adopted to ensure an adequate level of protection in these countries. Data transfers within the American Express Group are made in accordance with the Binding Corporate Rules (BCRs) approved by the relevant supervisory authorities, which can be viewed in the privacy section of the website https://www.americanexpress.com/content/dam/amex/it/staticassets/pdf/accept-card-forms/Informativa__0115_RF.pdf.pdf as well as at the link https://www.americanexpress.com/content/dam/amex/it/staticassets/pdf/terms-and-conditions/Informativa-privacy.pdf.
• Paypal (Europe) s.a.r.l. et cie, s.c.a. – headquartered at 22-24 Boulevard Royal, L-2449, Luxembourg (EU). PayPal’s operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, among others, third party service providers that may be located in countries outside the EU-EEA. For transfers of your Personal Data within PayPal’s affiliated companies, PayPal relies on the Binding Corporate Rules (BCRs), which have been approved by the relevant regulatory authorities. Other transfers may be based on standard contractual clauses https://www.paypal.com/it/webapps/mpp/ua/privacy-full
• MongoDB, Inc. based in New York – USA – which provides database services; https://www.mongodb.com/legal/privacy/privacy-policy
• AWS – AMAZON WEBSERVICES – In this case, the transfer of data takes place in the context of the Holder’s use of AWS microservices which, through the test and production environment, enable the provision of the functions of the App called “HCLOUD”.

A complete list of these services and their applicable SLA Service Level Agreements can be found at the following link.

We have applied the following appropriate safeguards to these extra-EU transfers, in accordance with the relevant requirements of the GDPR, which vary depending on the country of the importer, as follows:

1. S.A.: the guarantee is the EU Commission’s Adequacy Decision of 13 July 2023 on the US data protection framework, as amended by the conclusion between the EU and the U.S. of the Trans-Atlantic Data Protection Framework (TADPF) bilateral convention
2. Countries other than the U.S.A.: the guarantee consists of written agreements whereby the recipient of the personal data located in the foreign country, in relation to the processing operations for which it is responsible, undertakes to us, for itself and its employees, to comply with privacy obligations that are substantially equivalent to those provided for by EU law to be borne by the Data Controller; these agreements use as a minimum the standard texts of the EU Commission (so-called Standard Contractual Clauses or “CCS”).

Our Company may share some data (first name, last name, e-   mail) with social media platforms (e.g. FACEBOOK, GOOGLE, INSTAGRAM) that use them to identify other people similar to you who may be interested in ALPAC/HELTY’s services and/or products, in order to advertise them via the social media platforms.

Duration of  Treatment

In the case of processing for primary purposes, personal data are as a rule processed for the duration of the pre-contractual and/or contractual relationship established with the data subject, in particular:

1. a) in the pre-contractual phase, for the time necessary to process the data subject’s requests received by the Data Controller (e.g. requests for documentation, brochures, information, etc.) and to track and manage the successful completion of the responses sent by the Company to the data subject; this duration is 5 years from the date of collection of the personal data, without prejudice to the data subject’s right to object to the processing at any time prior to this deadline;
2. b) in relation to the contract entered into with the data subject, for the entire duration of the contractual relationship established with the data subject (in particular, for the 2 years of ordinary warranty under the Consumer Code, or, in the case of an extension, 5 years of warranty); in the case of data collected through the AIR GUARD App, processing shall take place until the user registered for the services provided through the App itself uses them or objects to the processing;
3. c) after the termination of the contractual relationship established with the data subject, for the time necessary to fulfil all the legal obligations connected with the terminated contractual relationship (in particular proving the fulfilment of tax and civil law obligations to the supervisory authorities) and in any case until the expiry of the civil law term of the action for damages to which the data subject is entitled pursuant to Article 2946 of the Civil Code, for 11 years from the termination of the contract).
4. d) Personal data that are processed for IT security purposes (e.g. logs) are retained for the time necessary to carry out the relevant security checks and evaluate the results (1 year from the time of collection).
5. e) In the event of any extrajudicial or judicial dispute arising with the data subject and/or third parties, the data shall be processed for as long as is strictly necessary for the data subject to exercise the full protection of his rights.
6. f) Processing for secondary purposes as described above (direct marketing, profiling), data processing will continue:
7. if you are not already our customer, until such time as you revoke your previously given consent for the respective processing purpose, or
8. if you are already our customer, until you object to further processing for the aforementioned purposes (by using the “unsubscribe” button placed at the bottom of each promotional email message you receive, or by communicating this wish clearly by means of a communication to the email address mentioned below).

Cookie policy

The Garante della Privacy with Provvedimento of 8 May 2014 transposed, with effect in Italy from 2 June 2015, European Directive 2009/136/EC, which requires web page administrators to publish information on the cookie policy of the site that visitors are browsing.

This policy also complies with the requirements of the 2020 EDPB European Data Protection Board Guidelines on retargeting, and the new Cookie Guidelines issued by the Garante Privacy on 10 June 2021

On this page you can find the necessary information on the use of cookies carried out on each of the Data Controller’s websites, and how to identify and disable or delete them.

The Site may contain links to other websites that have their own privacy policy, which may be different from the one adopted by the Site’s positioning-seo and which are therefore not responsible for these sites.

What cookies are and how they are used

Cookies are short strings of information (text files) concerning the user’s activity on the website, which websites (so-called “publishers” or “first party”) visited by the user or different websites or web servers (so-called “third parties”) place and store inside a terminal device available to the user browsing the Internet (e.g. a personal computer, tablet, smartphone, or any other device capable of storing information), to then be retransmitted to the same sites that generated them on the next visit by the same user, allowing our website to be used by the user at a later date. a personal computer, a tablet, a smartphone, or any other device capable of storing information), to then be retransmitted to the same sites that generated them on any subsequent visit by the same user, enabling our site to automatically recognise the user (or other users who use the same device) after the first visit and thus improve their user experience.

Their operation is totally dependent on the navigation browser the user is using and may or may not be enabled by the user.

Cookies can perform a variety of important functions, including performing computer authentication, session tracking, storing information about specific configurations of users accessing the server, facilitating the enjoyment of online content, etc. They can, for example, be used to keep track of items in an online shopping cart or information used to fill out a computer form. So-called ‘authentication’ cookies are of particular importance whenever verification is needed as to who is accessing certain services, such as payment.

The same result can also be achieved through the use of other online tracking tools (so-called ‘active’ and ‘passive’ identifiers), which enable processing similar to the above.

Among the ‘passive’ tools, fingerprinting is increasingly used, i.e. the technique of identifying the device used by the user by collecting information on the specific device configuration adopted by the data subject.

This technique can also be used to achieve the same profiling purposes aimed at displaying customised behavioural advertising and analysing and monitoring the behaviour of website visitors.

Fingerprinting and other tracking tools are included in the scope of this Policy.

In order to ensure the best possible navigation at all times, our site offers the best performance with cookies enabled.

Cookies can be:

• first party‘ when they are implemented and managed directly by the website manager, i.e. the data Data Controller (thus without the intervention of third parties);
• third-party‘ when cookies are set and managed by third parties, i.e. outside the first-party website visited by the user.

Third-party cookies fall under the direct and exclusive responsibility of the respective operator, and in relation to their installation the Owner (operator of the first-party site) assumes the role of a mere technical intermediary.

• Persistent or ‘persistent’ cookies: these cookies remain stored on the device even after leaving the website or closing the browser: in particular, they remain until they expire or are manually deleted by the user. Persistent cookies fulfil many functionalities in the interest of surfers (such as storing passwords), but in some cases they may also be used for promotional purposes.
• Session (or temporary) cookies: these have a limited duration during the visit and are deleted when the browser is closed, which ends the ‘session’ of access to the website. As a rule, they allow the user to access personalised services and to make full use of the site’s functionalities, avoiding the use of other IT techniques potentially prejudicial to the confidentiality of users’ browsing.

Purpose of Cookies

In general practice, a website may also use the following categories of cookies in combination:

• Technical-functional (or “necessary”) cookies, e.g. for the transmission of session identifiers necessary to enable the safe and efficient exploration of the site. These cookies avoid the use of other information technology techniques that could potentially prejudice the confidentiality of users’ browsing.

For the use of technical cookies, the law requires the mere provision of information to the data subject, as is the case with this communication.

By default, no cookies other than technical cookies are placed on the user’s device when the user first accesses the Data Controller’s website.

• Analytical cookies (so-called “analytics”): these cookies may be either temporary or permanent, and allow the aggregate and/or disaggregated collection and analysis of statistical information relating to access (e.g. geographical area of origin of the user, access tool used, age, etc.) and in general to user behaviour on the site and thus to improve the experience and content provided.

Analytical cookies can only be assimilated to technical cookies if they are made and used directly by the first party site (without, therefore, the intervention of third parties), and:

• are only used to produce aggregate statistics (i.e. without direct and unambiguous identification of the data subject, so called single out) and in relation to a single site or mobile application, so as not to allow the tracking of the navigation of the person using different applications or browsing different websites;

• provision is made for the cookie to be referable not only to one, but to several devices, so as to create reasonable uncertainty as to the computer identity of the person receiving it (e.g. at least the fourth component of the IP address within the cookie is masked for third-party ones);
• third parties receiving them refrain from combining them, even as minimised above, with other processing (customer files or statistics of visits to other sites, for example) or passing them on to third parties.

For example, the first-party site makes use of log files (i.e. it records the history of operations as they are performed) and log files (which include IP addresses, browser type, operating system used by the user’s device, Internet Service Provider (ISP), date, time, entry and exit page and the number of clicks, but also the pages visited on the site, the third-party sites from which the user came).

This is done in order to analyse trends in user behaviour and to administer and optimise the site. The information collected in this way has no personal value as the data is collected and analysed anonymously.

If, on the other hand, analytical cookies are made and/or used by third parties (i.e. other than the first party website owner), they cannot be assimilated to technical cookies and have a different legal treatment.

• Profiling (or advertising) cookies (always permanent). These cookies are used to link specific actions or behavioural patterns of the user recurring in the use of the offered functionalities (patterns) to specific identified or identifiable subjects, in order to group the different profiles (aggregated, i.e. anonymous or not) within homogeneous clusters of different sizes, so that targeted advertising messages can be sent, i.e. in line with the preferences expressed by the user while surfing the web (instead of general advertising offered indiscriminately to all) (so-called “behavioral advertising”).
• Social cookies: these cookies are third party cookies i.e. provided directly by the domains of the most common social media networks that are linked to the first party Site (e.g. the Owner’s) via links to official pages, content sharing buttons and links. The use of such buttons and features implies the exchange of information (e.g. text, photographs, videos, etc.) with such sites. The interactions and information acquired by this website are in any case subject to the user’s privacy settings relating to each individual social network. In the event that a social network interaction service is installed, it is possible that, even if users do not use the service, it will collect navigation data relating to the pages where it is installed.

The aforementioned premise does not mean that this website of the Data Controller actually uses all the categories of cookies indicated above. For a list of these active cookies, see below in the LIST OF ACTIVE COOKIES section.

Legal basis for processing

The installation of technical-functional cookies is possible by the Data Controller even without the need for the user’s prior consent, since it is based on the legitimate interest of the Data Controller to make the Website function smoothly, making it possible to access and use the various services published on it, also in the interest of the user himself.

The installation of all non-technical cookies, on the other hand, is subject to the user’s prior consent.

Such consent is given in the simplified forms provided for by the Garante’s Provision of 8.5.2014 as supplemented by the Garante’s Guidelines on Cookies of 10 December 2020 on the use of cookies and other tracking tools, also in the light of EDPB European Data Protection Bard Guidelines No. 5/2020, namely) by using the functions offered by a synthetic banner viewable by the user when first “landing” on our Site.

Such a banner allows for the generation of a further unique action of use of the Site (based on which a click on an option presented as a link/text) with which the user can communicate his/her consent, or, alternatively, access to an analytical (i.e. complete) cookie information, against which the user can express his/her consent or disagreement, with reference to general categories of cookies and/or specific producers and/or intermediaries (third parties) with which our Site has established business relations (so-called “granular consent”).

In particular, when dealing with cookies other than technical ones, the Data Controller uses an immediately appearing banner of appropriate size that contains:

(a) the minimum indication that the site uses technical cookies and, only with the user’s consent, profiling cookies or other tracking tools, indicating their purpose (so-called ‘short information’);

(b) the link to the privacy policy containing the full information on a second layer, including any other recipients of personal data, data retention periods and the exercise of rights under the Regulation;

(c) a command to accept the placement of all cookies or the use of other tracking techniques;

1. d) a link to another dedicated area where you can analytically choose the functionalities, third parties and cookies, possibly also grouped by homogeneous categories, that you wish to install and, by means of two further commands, you can give your consent to the use of all cookies if not previously given or revoke it, even in a single solution, if already expressed; this user choice is also adequately documented by the owner.
2. e) a command (e.g. an X in the top right-hand corner) or a hypertext/link shown to the user as a specific option, to close the banner without giving consent to the use of cookies or other profiling techniques by maintaining the default settings.

Any action by the user based on the aforementioned selection of an element of the banner, such as an image or hypertext/link, which can be qualified as a positive action capable of unequivocally manifesting the will to give consent to processing, generates a more articulated process in which the system automatically determines a log, which can be recorded and documented with a guarantee of integrity at the site server.

NB: It is not necessary to reiterate the user’s consent to the installation of cookies when this has previously been given, validly acquired (and the owner is able to prove this) and there has been no change in the cookies from the list of those for which consent has previously been given or when it is impossible for the site operator (e.g. because the cookies have been deleted by the user or are blocked by the operating system or browser), to know whether a cookie has previously been stored in the device in order to be transmitted again, on a subsequent visit by the same user, to the site that generated it e.g. in the event that the user chooses to delete cookies legitimately installed on his device and the owner has not adopted any other system to keep track of the consent given.

In any case, the user is guaranteed the right to revoke his or her consent to cookies at any time by means of the specific dashboard made available to the user by clicking on the cookie banner published on the home page of the Data Controller’s website. From this restricted area the user will be able to make detailed choices both with regard to the types of cookies and the list of possible third party recipients of the cookies themselves.

The Data Controller refrains from applying any “take it or leave it” mechanism, i.e. whereby the user is obliged to express his or her consent to receiving profiling cookies, failing which he or she will be unable to access the site.

List of active Cookies

The list of cookies actually used by the Data Controller in relation to the site(s) referred to in this Cookie Policy is published within the second-level cookie banner that appears to the user when they first land on a page of the site.

By way of example only, some of the above-mentioned active cookies are listed below.

Storage of preferences and settings.

Settings may be stored on the user’s device that allow products to function properly or maintain preferences over time. For example, if a user specifies a login application setting, ALPAC/HELTY may store that data in a cookie to allow the user to view relevant local information when they return to the site. In addition, ALPAC/HELTY saves preferences, such as language settings.

Access and authentication.

When logging in to a site with a personal account, a unique ID number and login time may be identified in an encrypted cookie on the user’s device. This cookie allows the user to move between pages on the site without having to log in again on each page. In addition, the user can save their login information so that they do not have to log in each time they return to the site.

Social media.

Some of our websites include social media cookies, including those that allow users connected to a social media service to share content through that service.

Performance.

In some web applications, load balancing cookies are used to ensure that websites are always operational.

Statistical analytical cookies

The Site uses Google Analytics cookies, which is a web analysis service provided by Google Inc. (an American company, third party, based in 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), for the purpose of tracking history, counting visits, navigation statistics concerning the users of our website. Google Analytics does not collect any strictly personal information, but only, in aggregate statistical form, data on the age, gender, and interest preferences of our users (in order to better evaluate the use of our website and the activities carried out by the visitor and to better target the services provided, based on the behaviour as noted above).

The ‘Analytics’ feature is in fact configured by default, so as to significantly mask final portions of the user/visitor’s IP address, and therefore the data relating to the IP address thus collected and visible to us is already anonymised at the source and therefore the analytical cookie does not allow our Company to trace even indirectly – in particular, through further processing – the identity of the user/visitor.

These Google cookies are stored on servers located in the United States or other countries. Google reserves the right to transfer the information collected with its cookie to third parties where this is required by law or where the third party processes information on its behalf.

Google may use personal data to contextualise and personalise ads in its advertising network.

The privacy notices concerning the operation and consent to the use of Google cookies are available at the following links:

• Information and general notes on Google’s marketing services http://www.google.it/analytics/learn/privacy.html, https://policies.google.com/technologies?hl=en
• How Google uses data when using Google partner sites or applications https://policies.google.com/privacy/google-partners
• Google Analytics cookie policy https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage,

https://policies.google.com/privacy?hl=en

For the Privacy Policy of Google Analytics, see: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Other active analytics tools (all anonymous aggregate statistics):

• FACEBOOK ANALYTICS,
• LINKEDIN ANALYTICS,
• INSTAGRAM ANALYTICS,
• YOUTUBE ANALYTICS.

Named profiling cookies. Remarketing and behavioural targeting

The remarketing and/or behavioural targeting activity enables a website and its third party partners to communicate, optimise and serve online advertisements based on the user’s past use of this website. This activity is carried out through the tracking of browsing data and the use of cookies, which information is passed on to the third party partners to which the remarketing and behavioural targeting activity is linked.

This site use named profiling cookies, i.e. based on personal identification data.

Our site use:

• remarketing lists on the AdWords search network and Google Display Network ads, i.e. online advertisements based on general interest categories expressed by categories of users through previous web browsing;
• the following advertising functions of Google Analytics:
• Remarketing with Google Analytics
• Google Display Network impression reports (if used via AdWords)
• Integrations with the DoubleClick for Publishers platform (this is an advertising service provided by Google Inc. with which ALPAC/HELTY may conduct advertising campaigns in conjunction with external advertising networks with which ALPAC/HELTY, unless otherwise specified herein, has no direct relationship)
• Google Analytics demographics and interest reports

which enable additional functionalities that are not available through standard implementations of Google Analytics and the associated cookies (in particular, in addition to the data already collected by a standard implementation of Google Analytics, the collection of user traffic data through Google advertising cookies and anonymous identifiers).

For more information on online behavioural advertising and some tips on how to deactivate the display of interest-based advertisements online: www.youronlinechoices.eu/it.

For information on the advertising functions of Google Analytics: https://support.google.com/adwords/answer/117120?hl=it

Other advertising cookies are processed by ALPAC/HELTY through the following services:

• Monitoring Google Ads conversions

Google Ads conversion tracking is a statistical service provided by Google Inc. – U.S.A that links data from the Google Ads ad network with actions taken within this Web Site. With this technology, cookies are set when you interact with one of our ads, e.g. click on it. This service uses navigation data and cookies. Cookies are used to analyse what happens after you interact with an advert, e.g. whether you have purchased our product, viewed the advert from a mobile phone, downloaded our app or subscribed to a newsletter. Google’s Privacy Policy: https://policies.google.com/privacy?hl=it

For how to deactivate the customisation of Google advertisements see the URL: https://adssettings.google.com/authenticated?hl=it.

• Facebook Remarketing

Facebook Remarketing is a remarketing and behavioral targeting service provided by Meta, Inc. that connects the activity of this Website with the Facebook advertising network in order to provide you with relevant advertisements on the Facebook network, based on the content you have shown interest in on this website. Personal data collected: Cookies; Usage data. Place of processing: U.S.A. – Privacy Policy.

• Linkedin Website Retargeting

LinkedIn Website Retargeting is a remarketing and behavioral targeting service provided by LinkedIn Corporation that links the activity of this Application with the LinkedIn advertising network. Personal data collected: Cookies and Usage Data. Place of processing: U.S.A. – Privacy Policy

• Linkedin Conversion Monitoring

LinkedIn’s conversion tracking is a statistical service provided by LinkedIn Corporation that links data from the LinkedIn ad network with actions taken within this Application. Personal data collected: Cookies and Usage Data. Place of processing: U.S.A. – Privacy Policy.

For more information on online behavioural advertising and some tips on how to deactivate the display of interest-based advertisements online, see www.youronlinechoiches.eu/it or http://optout.networkadvertising.org/?c=1#!/

Retention period of Cookies

Cookies are stored by the Data Controller for the durations respectively indicated in the Cookies List in the second layer of the cookie banner published on our Website.

How cookies work and how to disable them

Accepting or rejecting cookies is your right.

Browser Settings

By default, browsers generally accept the use of cookies both from our site and from third-party sites.

In order to allow the site to function properly, take advantage of its functionality and use it in its entirety, we recommend that you accept the use of cookies.

The user is enabled, however, to change the default configuration at any time.

In order to manage the way cookies work, as well as the options for restricting or blocking cookies, it is in fact sufficient for the user to change the settings of his or her Internet browser via its toolbar.

You can choose between

• unconditional acceptance of all cookies,
• the indiscriminate rejection of all cookies, or
• the display of a pop-up window (warning) in order to be able to assess whether or not to accept an individual cookie through an explicit user action.

We provide links to the configuration of the most popular browsers that describe how cookies are handled:

• Chrome: https://support.google.com/accounts/answer/61416?hl=it
• Firefox: https://support.mozilla.org/it/kb/Gestione%20dei%20cookie
• Internet Explorer: http://windows.microsoft.com/it-it/windows-vista/block-or-allow-cookies
• Opera: https://www.opera.com/help/tutorials/security/privacy/
• Safari: https://support.apple.com/it-it/HT201265
• Microsoft Edge: https://support.microsoft.com/it-it/microsoft-edge/eliminare-i-cookie-in-microsoftedge-63947406-40ac-c3b8-57b9-2a946a29ae09

To change cookie settings in browsers other than those listed, please refer to the help documentation provided by the manufacturer of the specific browser.

Remember that you have to set cookie preferences for each browser and each different device (desktop PC, laptop, tablet, smartphone) used to browse the Internet (also refer to the device’s user manual).

For more information on cookies and privacy, please consult the specific document prepared by the Garante della Privacy at the following link:

http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/2142939

Social networking site settings

The management of personal data and how to delete such social cookies is regulated by the social media sites themselves: users are invited to consult the respective privacy policies of each of them at the following links:

• Facebook information: https://www.facebook.com/about/privacy, https://www.facebook.com/legal/FB_Work_Privacy, https://www.facebook.com/help/cookie/ and https://www.facebook.com/policies/cookies/
• Linkedin information: https://www.linkedin.com/legal/cookie-policy, https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy,
• Instagram info: https://help.instagram.com/402411646841720
• Youtube information: https://policies.google.com/privacy?fg=1

The use of such cookies is purely anonymous, no personal information is collected unless the user explicitly wishes to provide it by sending contact and/or enquiry forms.

Further information on privacy and the use of social cookies can be found directly on the websites of the respective third-party operators.

Using the user area

Some registered users can update their user settings and profiles, organisation settings and event registrations by logging into their accounts and directly editing their settings or profiles.

Disabling Google Analytics

The user can also selectively disable the action of Google Analytics by downloading and installing the opt-out add-on specially provided by Google for their browser at the following link: https://tools.google.com/dlpage/gaoptout?hl=it.

Disabling the DoubleClick cookie

Users can deactivate DoubleClick’s use of cookies by visiting the DoubleClick deactivation page or the Network Advertising Initiative deactivation page.

More information on cookies

For more information on the Italian rules on cookies, you can consult the Garante della Privacy Guidelines at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9501061

Rights of the data subject

With regard to the processing of personal data, the data subject, by contacting the Data Controller without any particular formalities at the addresses indicated in this Policy, may exercise the rights set out in Articles 13 to 22 of the GDPR, which are set out below:

• request confirmation as to whether or not personal data concerning him/her are being processed and, if so, to obtain access to the personal data and the following information:
  • the purposes of the processing;
  • the categories of personal data in question;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organisations;
  • where possible, the intended period of retention of personal data or, if this is not possible, the criteria used to determine that period;
  • the existence of the data subject’s right to request from our Company the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her, or to object to their processing;
  • the right to lodge a complaint with a supervisory authority;
  • if the data are not collected from the data subject, all available information on their origin;
  • the existence of an automated decision-making process, including profiling and, at least in such cases, meaningful information on the logic used, as well as the importance and expected consequences of such processing for the Data Subject.
• where personal data are transferred to a third country or international organisation, the data subject has the right to be informed of the existence of appropriate safeguards relating to the transfer;
• request, and obtain without undue delay, the rectification of inaccurate data; taking into account the purposes of the processing, the integration of incomplete personal data, also by providing a supplementary declaration;
• request deletion of data if
  1. personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the Data Subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  3. the Data Subject objects to the processing, if there is no overriding legitimate reason for processing, or objects to processing for direct marketing purposes (including profiling for such direct marketing);
  4. personal data have been unlawfully processed;
  5. personal data must be deleted in order to comply with a legal obligation under the law of the Union or of the Member State to which the Data Controller is subject;
  6. personal data were collected in connection with the provision of information society services from the Data Controller’s database;
• request the restriction of processing concerning the Data Subject, when one of the following cases occurs:
  1. the Data Subject disputes the accuracy of the personal data; in this case, the restriction of processing (i.e. suspension of processing) may take place for the period necessary for the Data Controller to verify the accuracy of such personal data;
  2. the processing is unlawful (e.g. because the data subject was not provided with the prior information required by law) and the data subject objects to the deletion of his or her personal data (i.e. he or she prefers that we keep them in our paper and/or computer archives) and instead requests that their use be restricted as above;
  3. although our company no longer needs them for processing purposes, the personal data are required by the data subject for the establishment, exercise or defence of a legal claim;
  4. the Data Subject has objected to the processing carried out for direct marketing purposes, pending verification as to whether the Data Controller’s legitimate reasons prevail over those invoked by the Data Subject;
• obtain from the Data Controller, upon request, the communication of the categories of third party recipients to whom personal data have been transmitted;

Notwithstanding the foregoing, the data subject may request from the Data Controller the full name list of third party recipients who have been appointed by the Data Controller as data processors pursuant to Article 28 of the GDPR;

• revoke at any time consent to the processing of personal data where previously communicated for one or more specific purposes; the lawfulness of processing based on consent given before revocation shall remain unaffected.
• Right to portability, which can be exercised by requesting the Data Controller to be able to receive in a structured, commonly used and machine-readable format the personal data concerning the Data Subject that he or she has provided to our Company and, if technically feasible, to have such data transmitted directly to another Data Controller without hindrance on our part, if the following (cumulative) condition is met
  1. the processing is based on the consent of the data subject for one or more specific purposes, or on a contract to which the data subject is party and for the performance of which the processing is necessary; and
  2. the processing is carried out by automated means (software);

[NB: The exercise of the right to portability is without prejudice to the right to cancellation provided for above];

• not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or significantly affects him in a similar way. NB: The Data Controller does not operate any automated decision of the aforementioned kind.
• lodge a complaint with the competent supervisory authority under the GDPR (that of your place of residence or domicile). In Italy: Garante per la protezione dei dati personali, Piazza Venezia n. 11, 00187 ROMA (garante@gpdp.it, tel. +39 06 69677.1, fax +39 06 69677.3786).

We try to respond to all legitimate requests within one month and will contact you if we need more information to follow up your request or verify your identity. In some cases it may take longer than one month, taking into account the complexity and number of requests we receive.

Modification of the policy

This Policy from the date of its publication supersedes any previous version thereof. Unless otherwise notified by the Owner, the new Policy shall be effective from the date of publication on the Site indicated therein.

The Data Controller reserves the right to make changes to this Policy at any time by notifying users on this page, therefore, it is recommended to regularly consult this page to check the most recent version of the Policy, taking as reference the date of last modification indicated at the bottom of the relevant text.

In the event of non-acceptance of future changes, the data subject must cease using the website or functionalities to which the privacy change relates, and in the absence of such abstention, the changes shall be deemed to have been accepted (except for those that modify the conditions for obtaining consent, where mandatory, for processing).

Rev 4.0 of 20.05.2024