Privacy policy

This privacy policy describes the processing of personal data carried out in relation to the products and services provided by Pluribus One S.r.l. to its clients, including pre-contractual activities (collectively referred to as the "Services"). In accordance with EU Regulation 2016/679 ("GDPR") and applicable national data protection laws, Pluribus One S.r.l., with its registered office at Via Bellini, 9 – 00128, Cagliari (Italy), VAT number 03621820921, as the data controller (hereinafter "Controller" or "Pluribus One"), informs you that your personal data will be processed for the following purposes.

Unless otherwise indicated, the information contained in this privacy policy applies to the personal data processed in the context of the Services provided to clients.

For questions regarding this Privacy Policy or our use of your personal information, cookies, or similar technologies, please contact us via email at privacy[at]pluribus-one.it.

PREAMBLE
‍Pluribus One is a research-intensive company that transforms basic research results into commercial products and provides innovative solutions based on artificial intelligence and secure machine learning products.

More details about Pluribus One's products and services are available on the website www.pluribus-one.it or in any presentation documents provided to the Controller's clients.

DATA CONTROLLER
‍The data controller is:
Pluribus One S.r.l.  Via Bellini, 9  00128 - Cagliari (Italy)
VAT no. 03621820921 
Email: privacy@pluribus-one.it
Website: www.pluribus-one.it 

‍1. CATEGORIES OF PERSONAL DATA PROCESSED 
The Controller processes identifying personal data and other personal data (not belonging to special categories under Article 9 GDPR) that are processed by the Controller in the provision of the Services. 

In particular, personal data includes, but is not limited to: 

- First and Last Name
- Phone number, residence
- IP address
- Tax code/VAT number
- Email 

2. PURPOSES AND LEGAL BASIS OF PROCESSING 
Personal data may be processed for the following purposes and legal basis: 

A) "Service Purposes" related to the product or service provided, including any negotiation and pre-contractual activities. The processing of data for this purpose does not require the consent of clients, as it is based on the contractual or pre-contractual relationship (Article 6, paragraph 1, letter b) of the GDPR). 

B) Purposes related to the pursuit of a legitimate interest of the Controller, in particular:
- Preventing and repressing unlawful acts, as well as exercising the Controller's rights in judicial proceedings and handling complaints: the Controller's interest lies in the constitutional right to take legal action (Article 24 of the Constitution) and, as such, is socially recognized as prevailing over the interests of the individual concerned;
- Managing and maintaining active Services: the Controller's interest lies in the general interest of a company to ensure its operability, including through the functioning of the Services, as well as in implementing any improvements to the service offered;
- Preventing or detecting fraudulent activities or harmful abuses related to the Services (also to verify the legitimacy of clients acting on behalf of third parties): the Controller's interest lies in the legitimate, effective, and current interest of not suffering harm as a result of unlawful conduct by third parties;
- Sending commercial communications via email related to services and products similar to those already used by the client, if the client is already a customer of Pluribus One: the Controller's interest lies in the general interest of a company to promote its Services and is considered legitimate because it is in line with the reasonable expectations of the individuals concerned, in light of the relationship between them and the Controller.

For the purposes described in this letter B), personal data will be processed to pursue a legitimate interest of the Controller, without the need to obtain prior consent from the client (Article 6, paragraph 1, letter f) of the GDPR). 

C) "Marketing Purposes":
Contacting the client via communications and/or newsletters regarding the Controller's activities, initiatives, and commercial offers, as well as conducting research and market surveys or other activities aimed at measuring the quality of the services offered (also by mail, phone, email, SMS notifications, Whatsapp).For the marketing purposes described in this letter C), personal data will be processed only with the express consent of the client (Article 6, paragraph 1, letter a) of the GDPR). 

3. METHODS OF PROCESSING
The processing of personal data is carried out, both electronically and on paper, through collection, registration, updating, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, restriction, deletion, and destruction of personal data. Personal data is protected in such a way as to minimize the risk of destruction, loss (including accidental loss), unauthorized access/use, or use incompatible with the initial purpose for which the personal data was collected. This is achieved through the technical and organizational security measures implemented by the Controller. 

4. STORAGE OF PERSONAL DATA
‍Purpose: Service Provision
Retention: Clients' personal data will not be stored for a period exceeding 10 years from the termination of the contract or pre-contractual relationship concerning the Services.

Purpose: Legitimate Interest
Retention: Clients' personal data will not be stored for a period exceeding 10 years from the termination of the contract or pre-contractual relationship concerning the Services.

Purpose: Marketing
Retention: Data will be processed in full compliance with the consents provided by the client until the consent is revoked, which can be done at any time by the client.

5. PROVISION OF PERSONAL DATA
In the context of the provision of the Services, the provision of personal data:
- For "Service Purposes" is necessary. Such personal data is required for the relationship with the Controller and for the use of the Services. The client may decide not to provide personal data, but in that case, they will not be able to use the Services;
- For "Marketing Purposes" in the context of using the Services is optional. Failure to provide personal data does not prevent the client from using the Controller's services, but the client will not receive information and offers from the Controller and will not be contacted for participation in market research, surveys, or activities aimed at measuring the quality of the services offered; 

6. ACCESS TO PERSONAL DATA
Personal data will be processed by our personnel authorized to process personal data and by the following categories of subjects (including, but not limited to):
- Employees and/or collaborators of the Controller in their capacity as data processors and/or persons in charge of processing personal data and/or system administrators (for example, consultants authorized to manage the Services and related applications);
- Employees and consultants of the legal, marketing (if you have consented to Marketing Purposes), finance, administration, and accounting functions, and other functions, in their capacity as data processors and/or authorized persons to process personal data;
- Third parties to whom the Controller outsources certain services, including processing services, as external data processors (e.g., IT service providers, hosting providers, etc.). 

7. DISCLOSURE OF PERSONAL DATA
In the context of the provision of the Services, the Controller may disclose clients' personal data:

Without the client's consent:
- To third parties in their capacity as independent data controllers for the fulfillment of the "Service Purposes" and to allow the data processors of Pluribus One to provide their respective services. The client may request more information about the subjects to whom their personal data may be disclosed at any time by writing to the address provided in the subsequent Section 10 (Methods for Exercising Rights);
- To supervisory bodies, law enforcement agencies, or judicial, financial, and tax administrations, ministerial bodies and competent authorities, local authorities (regions, provinces, municipalities), upon their express request, who will process personal data in their capacity as independent data controllers for institutional purposes and/or in accordance with the law in the context of investigations and controls.

The updated list of third-party independent data controllers to whom clients' personal data may be disclosed is kept at the Controller's office and can be requested at the contact details provided in the subsequent Section 10 (Exercising Data Subject Rights). 

‍8. TRANSFER OF PERSONAL DATA
‍In the context of using the Services, for certain activities (e.g., traffic data analysis, IP address masking of the website, etc.), Pluribus One may use external providers based in countries outside the European Union and/or the European Economic Area. In such cases, all necessary technical, IT, and contractual safeguards will be taken to ensure that the transfer to third parties and the processing by them takes place with a level of personal data protection that is adequate and at least equivalent to that guaranteed by the GDPR, as well as in compliance with the conditions established by the GDPR. 

9. DATA SUBJECT RIGHTS 
As a data subject, subject to legal limitations, you have the right to: 
- Obtain confirmation of the existence or otherwise of your personal data, even if not yet recorded, and that such data is made available to you in an intelligible form;
- Receive an indication and, where applicable, a copy of: a) the origin and category of personal data; b) in the case of automated processing carried out with the aid of electronic tools, the logic applied; c) the purposes and methods of processing; d) the identification details of the data controller and data processors; e) the recipients or categories of recipients to whom personal data may be disclosed or who may otherwise become aware of it, particularly if recipients from third countries or international organizations; f) where possible, the period of retention of personal data or the criteria used to determine this period; g) the existence of an automated decision-making process and, in such cases, the logic applied, as well as the significance and expected consequences of such processing for the data subject; h) the existence of adequate safeguards in the event of the transfer of personal data to a non-EU country or international organization;
- Obtain, without undue delay, the updating and rectification of inaccurate personal data or the integration of incomplete personal data;
- Revoke at any time, easily and without impediment, any consent previously given, using, if possible, the same channels used to provide such consents;
- Obtain the deletion, anonymization, or blocking of data: a) processed unlawfully; b) no longer necessary for the purposes for which it was collected or subsequently processed; c) if the consent on which the processing is based has been revoked and if there is no other legal basis, d) if the client has objected to the processing and there is no overriding legitimate reason to continue the processing; e) in case of compliance with a legal obligation; f) in the case of data related to minors. The data controller may oppose deletion only if necessary: (1) for the exercise of the right to freedom of expression and information; (2) for compliance with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; (3) for reasons of public interest in the area of public health; (4) for archiving in the public interest, scientific or historical research, or statistical purposes; (5) for the establishment, exercise, or defense of legal claims;
- Obtain the restriction of processing in case of: a) contestation of the accuracy of personal data; b) unlawful processing by the Controller aimed at preventing deletion; c) exercise of a client's right in judicial proceedings; d) verification if the legitimate reasons of the Controller prevail over those of the data subject;
- If the processing is carried out by automated means, receive in a structured, commonly used, and machine-readable format the personal data concerning you, to transmit it to another data controller or – if technically feasible – to obtain direct transmission from Pluribus One to another data controller;
- Object, in whole or in part, to the processing of personal data: a) for legitimate reasons related to the client's particular situation; b) for the purpose of sending communication material, through automated call systems without the intervention of an operator via email and/or traditional methods via telephone and/or mail;
- Lodge a complaint with a supervisory authority (e.g., the Italian Data Protection Authority).

Where necessary, in the cases mentioned above, the Controller will inform the recipients to whom the client's personal data has been disclosed of the exercise of rights by the latter, except in specific cases (e.g., when this proves impossible or involves disproportionate efforts).

10. EXERCISING DATA SUBJECT RIGHTS
The client may exercise their rights mentioned in the previous Section 9 (Data Subject Rights) at any time by:
- Sending a registered letter to the address of the data controller indicated at the beginning of this Privacy Policy; and/or
- Sending an email to