Mod. ICONT – Update Date 02/2026

Privacy Notice for the Processing of Personal Data

Pursuant to Article 13 of EUROPEAN REGULATION (EU) No. 679/2016

Dear Data Subject,

Finapp SpA, in its capacity as Data Controller pursuant to Article 13 of European Regulation (EU) No. 679/2016 “General Data Protection Regulation (GDPR)” (hereinafter the EU Regulation), laying down provisions regarding the processing of personal data, intends to inform you about the processing of your personal data.

The Regulation provides that anyone carrying out processing of personal data is required to inform the data subject regarding the data processed and the essential elements of the processing, which must in any case be carried out lawfully, fairly and transparently, as well as ensuring confidentiality and safeguarding the rights of the data subject.

Please note that “processing of data” means any operation or set of operations concerning the collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, or destruction of the data themselves.

1. Data Controller

The Data Controller is Finapp SpA, with registered office at Via del Commercio, 27 – 35036 Montegrotto Terme (PD), Tax Code and VAT No. 04600140232, contactable at the following details: telephone +39 049 0991301, e-mail: info@finapptech.com.

2. Nature of the Data Processed, Purposes and Legal Basis of Processing

Nature of the data processed. In relation to the purposes of processing indicated below, please note that only “ordinary personal data” will be processed, such as, for example:

company identification data (first name, last name, email, etc.);

Purpose of processing. Your personal data will be processed for the following purposes:

• to respond to your requests: through the voluntary completion of the appropriate form available in this contact area;
• to comply with legal obligations;
• marketing: to send you advertising material, direct sales communications, market research and commercial and promotional communications;

Legal basis of processing. Personal data, for the purposes referred to in points 2A and 2B, will be lawfully processed in order to fulfil pre-contractual and contractual obligations between us and the user (Art. 6, par. 1, letter b), and to comply with our legal obligations (Art. 6, par. 1, letter c).

Your personal data, for the purposes referred to in point 2C of this notice, may be lawfully processed exclusively upon your prior consent (Art. 6, par. 1, letter a of the EU Regulation), which must be specific, separate, explicit, documented, prior and entirely optional.

The consent you have provided may be withdrawn at any time, without affecting the lawfulness of processing based on consent given before its withdrawal (Art. 7, par. 3 EU Regulation).

Furthermore, pursuant to Article 21 of the EU Regulation, the data subject has the right to object at any time to the processing of personal data concerning him or her carried out for direct marketing purposes (including profiling) and, where the data subject objects to such processing, the personal data may no longer be processed for those purposes.

Clarification: in accordance with the principle of maximum transparency towards the Data Subject, which distinguishes our Company, we wish to inform you that if you decide to give consent under point 2C (marketing), you must be informed in advance and aware that the purposes pursued are of a specific commercial, advertising, promotional and marketing nature in a broad sense, such as:

1. sending advertising and informational material (e.g. Newsletter) of a promotional nature;
2. sending commercial information through paper-based, automated or electronic means and, in particular, by ordinary mail or e-mail, telephone (e.g. calls, WhatsApp messages, SMS, MMS), fax and any other IT channel (e.g. websites, mobile apps);
3. sending invitations to events, exhibitions and meetings of an informational and promotional nature;
4. sending update communications on promotional initiatives or technical innovations, for services, training or assistance and/or surveys measuring the level of satisfaction with quality.

3. Data Recipients and Processing Methods – Existence of an Automated Decision-Making Process, Including Profiling

The processing of your personal data will be based on principles of fairness, lawfulness and transparency and may be carried out by means of paper and electronic tools both by the personnel of the Company, duly authorised/appointed to process personal data, and by external parties entrusted with specific tasks on behalf of the Data Controller, acting as Data Processors pursuant to Article 28 of the EU Regulation, subject to our letter of appointment requiring them to ensure confidentiality and security of personal data processing and to adopt appropriate security measures to prevent data loss, unlawful or incorrect use, and unauthorised access, in compliance with current data protection legislation.

For brevity, the detailed list of such parties is available at the Data Controller’s registered office and is at your disposal.

Your personal data will not be disclosed and will not be transferred to third countries or international organisations, nor will they be communicated to third parties except where required by law or contractual obligations.

With reference to Article 13, par. 2, letter f) and Article 14, par. 2, letter g) of the EU Regulation, it is hereby stated that the Data Controller currently does not use any automated decision-making system or process.

4. Data Retention Period

Your personal data will be retained for a period not exceeding the achievement of the purposes for which they are processed, in compliance with the storage limitation principle provided for by the EU Regulation and/or for the time necessary to comply with legal and contractual obligations or until the withdrawal of the specific consent by the data subject and, therefore:

• with reference to the purposes indicated in points 2A-2B, the data will be retained for a period not exceeding the achievement of the purposes for which they are processed and/or for the time strictly necessary to fulfil legal and contractual obligations;
• with reference to the purposes indicated in point 2C, data processed for Marketing purposes will be retained for no longer than 24 months from their collection.

To ensure compliance with the declared retention periods, a periodic annual review of the processed data and the possibility of deleting them if no longer necessary for the intended purposes is provided for.

5. Access to Data (Categories of Recipients to Whom Data May Be Communicated)

We further inform you that the data collected will never be disclosed and will not be communicated without your explicit consent, except for necessary communications that may involve the transfer of data to public authorities, consultants or other parties for the fulfilment of tax and legal obligations or for the fulfilment of the authorised purposes, subject to our letter of appointment requiring them to ensure confidentiality and security of personal data processing.

With reference to Article 13, par. 1, letter e) of the EU Regulation, we indicate the subjects or categories of subjects (duly identified and instructed) who may become aware of the user’s personal data as processors or authorised persons, and we provide the following list by categories:

• Shareholders, employees, collaborators and suppliers of the Data Controller in Italy and abroad, in their capacity as authorised persons and/or data processors (e.g. departments: commercial, technical, administrative, legal, press; system administrators, external professionals, various service providers, etc.);
• Partner companies and/or companies directly connected with the Company, whose activities are essential for the completion/execution of what you have requested.

Your personal data may also be communicated to external parties who are recipients of the procedures concerning you, in the performance of activities and to external parties interacting with the Company, always and exclusively for activities functional to the purposes described above, acting as Data Processors pursuant to Article 28 of the EU Regulation.

For brevity, the detailed list of such parties is available at our registered office and is at your disposal.

6. and 7. Communication and Transfer of Data

Without the need for express consent (Art. 6, par. 1, letters b), c) and f) of the EU Regulation), the Data Controller may communicate your data for the purposes referred to in points 2A to 2B to supervisory bodies, judicial authorities, as well as to those parties to whom communication is mandatory by law for the fulfilment of the above-mentioned purposes.

Such parties will process the data in their capacity as independent Data Controllers.

Personal data are stored on devices located at the Data Controller’s premises or at providers within the European Union.

Your data will not be disclosed.

To ensure the security of such transfers, we rely exclusively on parties that provide the necessary guarantees to implement appropriate technical and organisational measures to ensure that processing complies with EU Regulation 679/2016.

Both with regard to data stored on our own devices and any data stored with providers, the Data Controller has implemented appropriate technical and organisational measures to ensure an adequate level of security, in full compliance with the EU Regulation.

8. Consequences of Failure to Provide Data

The personal data referred to in points 2A-2B of this notice are necessary; without such data it would be impossible to proceed and fulfil contractual and legal obligations.

Personal data referred to in point 2C, however, are optional; refusal to provide them will have no consequences and will not affect your request to proceed with registration or to fulfil contractual and legal obligations. You may therefore decide not to provide any data or subsequently deny at any time the possibility of processing data already provided.

9. Rights of the Data Subject

In your capacity as data subject, you have the rights set out in Articles 15 to 22 of the EU Regulation, namely the right to:

• obtain confirmation of the existence and processing of personal data concerning you and, where that is the case, access to your data (right of access);
• obtain information regarding the purposes of processing, the categories of data concerned, the recipients or categories of recipients to whom the data have been or will be disclosed, in particular recipients in third countries or international organisations, the envisaged period for which the data will be stored or the criteria used to determine that period; and where the data are not collected from the data subject, all available information as to their source;
• obtain rectification of personal data concerning you (right to rectification);
• obtain erasure of personal data concerning you (right to be forgotten);
• obtain restriction of processing (right to restriction of processing);
• obtain data portability, namely receive the data from a data controller in a structured, commonly used and machine-readable format and transmit those data to another data controller without hindrance (right to data portability);
• object at any time to processing (right to object). In particular, as required by Article 21 of the EU Regulation, where personal data are processed for direct marketing purposes (including profiling), the data subject has the right to object at any time to such processing and, where the data subject objects, the personal data shall no longer be processed for those purposes;
• be informed (with the possibility to object) of the existence of automated decision-making concerning natural persons, including profiling;
• withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
• lodge a complaint with a supervisory authority (Italian Data Protection Authority).

Please note that conditions or limitations may apply to the rights of the data subject. Therefore, it is not certain that, for example, the right to data portability applies in all cases, as this depends on the specific circumstances of the processing activity.

Another example: if you decide to object to the processing of data, the Data Controller has the right to assess your request, which may not be accepted where there are compelling legitimate grounds for processing that override your interests, rights and freedoms.

10. Methods for Exercising Rights

Without any formalities, you may at any time exercise your rights clearly and explicitly by sending:

• a registered letter with return receipt to the Company;
• an e-mail to info@finapptech.com

Or by contacting the Data Controller directly at: +39 049 0991301.

11. Minors

The services offered by the Data Controller and the relationship in place with you do not involve the intentional acquisition of personal information relating to minors. Should information concerning minors be inadvertently recorded, the Data Controller will promptly delete it upon request or notification by the data subject.

12. Authorised Persons – Data Processors

Below we provide certain information that must be brought to your attention, not only in order to comply with legal obligations, but also because transparency and fairness towards Data Subjects are fundamental elements of our activity.

Authorised Persons. The updated list of authorised persons for processing is kept at the Data Controller’s registered office.

Data Processors. For brevity, the detailed list of such parties is available at our registered office.