This privacy notice is provided pursuant to Article 13 of EU Regulation 2016/679 (the “Regulation”) and is addressed to those who browse the website [http://www.helmon.com] or the landing pages connected to it (the “Website”). In accordance with the principles of the Regulation, the processing of the personal data of the user of the Website is based on the principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimisation and confidentiality, as well as on the principle of accountability referred to in Article 5 of the Regulation.
This privacy notice does not apply to processing carried out by controllers of websites or platforms to which the Website may refer. Please refer to the privacy notice provided by the respective controllers in order to obtain information regarding the processing of personal data carried out by them.
Who is the data controller?
The data controller is helmon S.r.l. (the “Controller”) with its registered office at Viale dell’Arte, 25 – 00144 Rome, VAT No.: 177723211003. The user may contact the Controller regarding any matter connected with this privacy policy by writing to: privacy@helmon.com
    1. Which personal data are processed?
Browsing data
The software procedures responsible for the operation of the Website acquire, during their normal functioning, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected for the purpose of being associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numeric code indicating the status of the response given by the server (successful outcome, error, etc.), and other parameters related to the user’s operating system and IT environment. These data are generally used to obtain anonymous statistical information on the use of the Website and to check that it is functioning correctly, as well as to identify anomalies and/or abuses. The data may also be used to ascertain liability in the event of possible cyber crimes against the Website or third parties.
Data voluntarily provided, directly or indirectly, by the user
This privacy notice also applies to the processing of data voluntarily provided by the user in communications requesting information and contact, as well as to data voluntarily provided by the user when using the Controller’s contact details indicated on the Website. In particular, in this context, the following categories of personal data may be processed, together with the following information relating to the company to which the user belongs:
    a) first name and surname of the user;
    b) email address, telephone number;
    c) company name, VAT number, name of the parent company and information relating to the turnover of the customer’s company and/or of the group of which it forms part;
    d) indication of the user’s level of experience in the field of cybersecurity.
    1. For what purposes is personal data processed and on what legal basis?
The user’s personal data will be processed for the following purposes.
    a) Provision of the requested services: to allow browsing of the Website and manage the security of the Website, to respond to specific requests submitted through the data collection forms on the Website or through the Controller’s contact details indicated on the Website; the legal basis for such processing is Article 6(1)(b) of the Regulation, as the processing is necessary for the provision of a service to the user or in order to respond to a request from the user. For the purposes indicated here, providing a telephone number or indicating the level of experience in the field of cybersecurity is voluntary and any refusal to provide such data does not affect the possibility of pursuing the same purpose;
    b) Compliance with legal obligations: to comply with any obligations provided for by applicable laws, regulations or EU legislation, or to fulfil requests from authorities pursuant to Article 6(1)(c) of the Regulation;
    c) Sending emails about the Controller’s services: to carry out marketing activities by email relating to services similar to those requested, pursuant to Article 130, paragraph 4 of Italian Legislative Decree No. 196/2003 (the “Italian Privacy Code”), unless the user expressly objects to receiving such communications, which the user may do at any time;
    d) Sending communications regarding the company’s activities also by other means of communication: to communicate the services offered by the Controller to customers by email, and to send advertising material and commercial communications using automated methods, such as SMS, phone calls without operator assistance, messages via web applications, as well as by ordinary mail or phone calls with operator assistance. This processing activity is carried out on the basis of consent given by the data subject, pursuant to Article 6(1)(a) of the Regulation;
    e) Analysing users’ activity and improving the service offered: to carry out profiling activities of users of the Website and to use personal data, in aggregated or non-aggregated form, in order to improve existing services and products or to develop new ones. For this purpose, data may be transmitted to third-party service providers. This processing activity is carried out in order to pursue the Controller’s legitimate interest, pursuant to Article 6(1)(f) of the Regulation;
    f) Statistical purposes: for statistical purposes, without it being possible to trace the user’s identity; in this case, the processing does not fall within the scope of data protection legislation.
Specific security measures are observed to prevent data loss, unlawful or incorrect use and unauthorised access, pursuant to Article 32 of the Regulation.
    1. To whom may personal data be communicated? Is personal data transferred outside the EU?
For the purposes indicated above, personal data may be communicated to the following categories of recipients (the “Recipients”): (i) entities acting typically as processors pursuant to Article 28 of the Regulation, namely: i) individuals, companies or professional firms that provide assistance and consultancy services to the Controller; ii) entities entrusted with performing technical maintenance activities on the Website and IT system; iii) service providers used by the Controller to pursue the purposes indicated above (e.g. commercial partners, developers of the Website and providers of server hosting services, mailing list services, electronic communication systems); always in compliance with the principle of data minimisation, limiting processing to the personal data strictly necessary for the achievement of each specific purpose; (ii) entities, bodies or authorities to whom the user’s personal data must be communicated pursuant to legal provisions or orders of the authorities; (iii) service providers acting as independent data controllers; (iv) persons authorised by the Controller, pursuant to Article 29 of the Regulation, who are bound by confidentiality obligations or have an appropriate legal obligation of confidentiality. Personal data will not be shared with entities outside the European Economic Area. If it becomes necessary to transfer personal data to Recipients located outside the European Economic Area, such transfer will take place in compliance with Articles 44–49 of the Regulation.
    1. For how long may personal data be stored?
Personal data processed to Provide the requested services will be stored for the time strictly necessary to achieve the above purposes relating to browsing security and to respond to the requests submitted by the user through the Website and to provide the requested services. Personal data processed to Comply with legal obligations will be stored for the period required by the specific applicable legal obligation or provision. For the purpose of Sending emails about the Controller’s services, the user’s personal data will be processed until the user has objected to such processing. Data processed to Analyse users’ activity and improve the service offered will be stored until the user objects to the processing and, in any event, for no longer than 36 months from their collection. For the purpose of Sending communications regarding the company’s activities also by other means of communication, the user’s personal data will be processed until the user withdraws their consent and, in any event, for no longer than 36 months from the time consent is given. Without prejudice, in any case, to the Controller’s right to retain personal data for the period provided for and permitted by Italian law for the protection of its rights and interests (Article 2947(1)(3) of the Italian Civil Code).
    1. What are the data subject’s rights?
Pursuant to Articles 15 to 22 of the Regulation, the user has the right at any time to withdraw any consent given, without affecting the lawfulness of processing based on consent before its withdrawal; to obtain confirmation as to whether or not personal data concerning them are being processed and, if so, to access the data; to know their content and origin, verify their accuracy or request that they be completed or updated, or rectified; to request the erasure of personal data concerning them in the cases provided for in Article 17 of the Regulation; to request the restriction of processing in the cases provided for in Article 18 of the Regulation, where technically feasible; to receive, in a structured, commonly used and machine-readable format, the personal data concerning them in the cases provided for in Article 20 of the Regulation; and to object to their processing in the cases provided for in Articles 21 and 22 of the Regulation. In any case, the user always has the right to lodge a complaint with the competent supervisory authority (the Italian Data Protection Authority – Garante per la protezione dei dati personali), pursuant to Article 77 of the Regulation, if they consider that the processing of their personal data is in breach of the applicable legislation.
    1. Changes
The Controller reserves the right to amend or update, in whole or in part, the content of this privacy policy, including as a result of changes in the applicable regulations. The Controller therefore invites the user to visit this section regularly in order to read the most up-to-date version of the privacy policy.