Privacy Policy The purpose of this privacy policy is to provide all the information on the processing of personal data carried out by the ObservatoryZed association when the User accesses and browses the present website (as better indicated below).

1. INTRODUCTION - WHO ARE WE?

The ObservatoryZed association, with registered office in Via Vagliasindi 70 - 95126 Catania, Tax code/VAT no. 93240040878 (hereinafter, "Data Controller"), owner of this website (hereinafter, the "Website"), in its capacity as data controller in relation to the personal data of the users browsing the Website (hereinafter, "Users") hereby provides the privacy policy pursuant to Article 13 of the EU Regulation 2016/679 of 27 April 2016 (hereinafter, "Regulation", or "Applicable Law").

2. HOW TO CONTACT US?

The Data Controller takes the utmost account of its User’ right to privacy and the protection of personal data. For any information in relation to this privacy policy, Users may contact the Data Controller at any time, using the following methods:

By sending an e-mail to: info@observatoryzed.com By sending a certified e-mail to: creationdose@pec.impresecatania.it

The Data Controller has not identified a Data Protection Officer (DPO), since it is not subject to the obligation of designation provided in Article 37 of the Regulation.

3. WHAT DO WE DO? - PURPOSE OF PROCESSING

By browsing the Website, the User can consult the available contents and learn about the services and initiatives promoted by the Data Controller. You are free to visit our website and access the information contained therein without revealing any information about yourself. Any identifying information collected in our web traffic logs is standard anonymous domain-based information only - and may also include information such as browser type, the referring site/URL, time and duration of your visit, and pages visited, and/or possibly any of the types of data listed in (a), (b), (c), and (d) below that depend on how the User intends to carry out their browsing experience or use our Services.

Moreover, the User, from the "Registration", "Associate", "Start Now", and "Download" sections, can request membership and/or download the reports and researches made available by the Data Controller. In this context, certain categories of Users subject to the obligation to pay a membership fee will be contacted by the Data Controller, via e-mail, for the sole purpose of being able to proceed with this payment.

The Data Controller has identified the Stripe platform as the software infrastructure for managing the payment of membership fees, as better indicated in paragraph 7 below.

From the "Contact us" section, the User may contact the Data Controller for various purposes such as, purely by way of example and not limited to, obtaining more information on the services offered through the Website, requesting support from the Data Controller.

In relation to the activities that may be carried out through the Website, the Data Controller collects personal data relating to the Users.

This Website and the services eventually offered through the Website are reserved to subjects over the age of 18 years old. Hereby, the Data Controller does not collect personal data pertaining to subjects under the age of 18 years old. At request of the Users, the Data Controller will promptly delete all the personal data, involuntarily collected, pertaining to subjects under the age of 18 years old.

Users’ personal data will be lawfully processed by the Controller for the following purposes:

a) Allowing browsing of the Website. The User data collected by the Data Controller for the sole purpose of browsing the Website include all those personal data whose transmission is implicit in the use of Internet communication protocols, such as: IP addresses used by users who connect to the Website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the log file and other parameters relating to the User's operating system and computer environment.

b) Contact and/or information request. The User's data collected by the Data Controller for the purposes of any contact request and/or information request on the Website include: first name, last name, e-mail address, telephone number, as well as any personal information that the User voluntarily publishes. The User's personal data will be used by the Data Controller for the sole purpose of ascertaining the User's identity, thus avoiding possible fraud or abuse, and contacting the User for service purposes only (e.g. responding to his/her request for information). Without prejudice to what is provided for elsewhere in this privacy policy, under no circumstances will the Data Controller make Users' personal data accessible to other Users and/or third parties.

c) Registration request. The User's personal data collected and processed by the Data Controller for the sole purpose of processing the request regarding the possibility of subscribing to the initiative and the possibility of downloading reports and researches relating to the service offered through the Website, include: first name, last name, e-mail address, company name, role. The User's personal data will be used by the Data Controller for the sole purpose of ascertaining the User's identity, thus avoiding possible fraud or abuse, and contacting the User for service reasons only (e.g. in the event that the User is subject to payment of the membership fee, sending the e-mail containing the link for the payment). No other processing will be carried out by the Data Controller in relation to Users' personal data. Notwithstanding the provisions elsewhere in this privacy policy, under no circumstances shall the Data Controller make the personal data of the Users accessible to other Users and/or third parties;

d) Administrative and accounting purposes, i.e. to carry out activities of an organisational, administrative, financial and accounting nature, such as internal organisational activities and activities functional to the fulfilment of contractual and pre-contractual obligations;

e) Legal obligations, i.e. to fulfil obligations laid down by law, by an authority, by a regulation or by European legislation.

The provision of personal data for the processing above-mentioned purposes is optional but necessary, since failure to provide such data will make it impossible for the User to browse and use the services offered by the Data Controller on the Website.

4. FURTHER PROCESSING PURPOSES

4.1 Newsletter

Where the related consent is requested, the User's personal data (i.e. name, surname, address, e-mail address) may also be processed by the Data Controller for marketing purposes. Therefore, the User will receive a periodic newsletter from the Data Controller to promote the purchase of products and/or services offered by the Data Controller and/or by third parties, to present offers, promotions and commercial opportunities.

If consent is not given, the possibility of using the services on the Website will not be affected in any way.

In the event of consent, the User may withdraw it at any time by making a request to the Data Controller in the manner indicated in paragraph 8 below.

The User may also easily object to further sending of promotional communications by clicking on the appropriate link for the withdrawal of consent, which is present in each e-mail containing the newsletter. Once consent has been withdrawn, the Data Controller will send the User an e-mail message confirming that consent has been withdrawn.

5. LEGAL BASIS FOR PROCESSING

Contractual obligations and fulfilment of the User's request (as described in para. 3(a), (b), (c) and (d) above): the legal basis is Art. 6(1)(b) of the Regulation, i.e. the processing is necessary for the performance of a contract to which the User is party or for the performance of pre-contractual measures taken at the User's request.

Legal obligations (as described in para. 3, lett. e) above): the legal basis is Art. 6(1)(c) of the Regulation, as the processing is necessary to fulfil a legal obligation to which the Data Controller is subject.

Further processing purposes: for the processing relating to the activities of sending the commercial newsletter (as described in Section 4.1 above), the legal basis consists in Article 6(1)(a) of the Regulation, i.e. the provision by the data subject of consent to the processing of his/her personal data for one or more specific purposes. For this reason, the Data Controller asks the User for the provision of a specific free and optional consent, in order to pursue such processing purpose.

6. PROCESSING METHODS AND DATA RETENTION PERIODS

The Data Controller will process the Users’ personal data by means of manual and computerised tools, with logics strictly related to the purposes themselves and, in any case, in such a way as to guarantee the security and confidentiality of the data.

The personal data of the Website's Users will be retained for the time strictly necessary to carry out the primary purposes set out in paragraph 3 above, or in any case, as necessary for the protection in civil law of the interests of both the Users and the Data Controller.

In the case referred to in paragraph 4.1 above, the Users' personal data will be retained for the time strictly necessary to fulfil the purposes set out therein and, in any event, until the User withdraws his/her consent. Under the Data Protection Act, if we have no legitimate reason to continue storing your data, you have the right to be forgotten.

In any case, any retention periods provided for by law or the Regulation shall remain unaffected.

7. TRANSMISSION AND DISSEMINATION OF DATA

The personal data of the Users may be disclosed to the employees and/or collaborators of the Data Controller in charge of managing the Website and the Users' requests. These subjects, who have been instructed to do so by the Data Controller pursuant to art. 29 of the Regulation, will process Users' data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Law.

The User ’s personal data may also be disclosed to third parties who may process personal data on behalf of the Data Controller in their capacity as “Data Processors” pursuant to Article 28 of the Regulation, such as, by way of example, IT and logistical service providers, functional to the functioning of the Website; suppliers of outsourcing or cloud computing services; professionals and consultants.

The Data Controller has identified the Stripe platform as the software infrastructure for managing membership fee payments. The privacy policy of the platform, which will process the payment data of the Users in its capacity as Autonomous Data Controller, can be found at the following link https://stripe.com/it/privacy

Users have the right to obtain a list of any data processors appointed by the Data Controller, by making a request to the Data Controller in the manner indicated in paragraph 8 below.

The Data Controller makes every reasonable effort to ensure the absolute security of all systems that comprise our website, database, and e-commerce mechanisms, as well as the workstations that access these systems for administration and analysis.

We take all necessary steps to ensure that our own systems and those of our service providers are physically and electronically secure. All Company and affiliated systems are password-protected. Any and all transmissions of sensitive information from customer workstations to web and e-commerce servers, as well as from processing and storage systems and business systems to administration workstations - are fully encrypted.

For safety and security purposes, we inform you that we use information about you and your use of the Service to verify accounts and activity, to monitor suspicious or fraudulent activity, and to identify violations of Service policies. To protect our legitimate business interests and legal rights, where required by law or where we believe it is necessary to protect our legal rights, interests, and the interests of others, we use information about You in connection with legal inquiries, compliance, regulatory and audit functions, and disclosures in connection with the acquisition, merger, or sale of a business.

With your consent, we use information about you where You have given us consent for a specific purpose not listed above. For example, testimonials or featured customer stories to promote the Services, with your permission.

8. RIGHTS OF THE DATA SUBJECTS

Users may exercise the rights granted by the Applicable Law by contacting the Data Controller in the following ways:

By sending an e-mail to: info@observatoryzed.com By sending a certified e-mail to: creationdose@pec.impresecatania.it

The Data Controller has not identified a Data Protection Officer (DPO), as it is not subject to the obligation of designation provided for by Article 37 of the Regulation.

Pursuant to Applicable Law, the Data Controller informs that Users have the right to obtain indication of (i) the origin of personal data; (ii) the purposes and methods of the processing; (iii) the logic applied in the event of processing carried out with the aid of electronic instruments; (iv) of the identification details of the data controller and data processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may come to aware of them as data processors or agents.

Furthermore, Users have the right to obtain: a) Access, updating, rectification, or, when interested, integration of data; b) Cancellation, transformation into anonymous form or the restriction of data processed in breach of the law, including data that do not need to be stored in relation to the purposes for which the data was collected or subsequently processed; c) Certification that the operations referred to in points a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disclosed, except where this proves impossible or involves a manifestly disproportionate effort compared with the right protected.

Moreover, the Users have: a) The right to withdraw consent at any time, if the processing is based on their consent; b) The right to data portability (the right to receive all personal data concerning them in a structured format, commonly used and readable by automatic device); c) The right to oppose to: i) in whole or part, for legitimate reasons, the processing of personal data concerning them for legitimate reasons even pertinent to the purpose of collection; ii) in whole or in part, the handling of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication; iii) if personal data are processed for direct marketing purposes, at any time, to the processing of data for this purpose, including profiling in so far as it is related to such direct marketing. d) If it is deemed that the processing concerning their personal data violates the Regulation, the right to lodge a complaint with a Supervisory authority (in the Member State in which they usually reside, in the one in which they work or in the one in which the alleged violation has occurred). The Italian Supervisory Authority is the Data Protection Authority, with registered offices in Piazza Venezia No. 11, 00187 – Rome (http://www.garanteprivacy.it/).

9. DEFINITION OF "THIRD PARTY"

For the sake of clarity, a "third party" is defined as anyone who is neither part of the Owner's Organization nor directly affiliated with it. Directly affiliated parties include service providers (who, in providing services such as hosting and processing mechanisms for our websites, have access to information held on their systems) and affiliated retailers and sales partners (who collect customer information on our behalf). Under no circumstances will parties directly affiliated with the Owner use the information disclosed to them for any purpose other than to provide the information to the Owner for the use described in the preceding sections.

The Data Controller is not responsible for updating all links viewed in this Privacy Policy, therefore, whenever a link does not work and/or is not updated, the Users acknowledge and accept that they must always refer to the document and/or section of the websites referred to by this link.