Privacy Policy

1. Data Controller
   Bioallergen SRL – Via San Camillo de Lellis, 13 – 37053 – Cerea (VR) – Tel. +39.0442.321286 – Fax. +39.0442.617668 – VAT No. 03639570237 (Italy) (the “Company” or the “Controller”) guarantees compliance with personal data protection regulations by providing the following information regarding the processing of data communicated or otherwise collected while browsing this website.

2. Data Processed, Purposes, and Legal Basis of Processing
   Data generated by accessing the website
   The IT systems and software procedures used to operate this website acquire, during their normal operation, certain personal data, the transmission of which is implicit in the use of Internet communication protocols.
   These data (such as domain names, IP addresses, operating systems used, type of device or browser used for the connection) are not accompanied by any additional personal information and are used for the purpose of:
   i) obtaining anonymous statistical information on the use of the website;
   ii) managing needs related to the control of how the website is used;
   iii) determining liability in the event of possible computer crimes.

The legal basis for processing such data is the necessity to make the website’s functionalities usable following the user’s access.

Data voluntarily provided by the user
Personal data provided by the user through forms are collected and processed for the following purposes:
a) to manage customer relations activities based on contractual agreements;
b) for administrative purposes and to comply with legal obligations such as accounting, tax, or judicial authority requests;
c) with specific consent, for the periodic sending of newsletters and advertising material by email;
d) with specific consent, to receive updates on our activities and notifications about new blog posts;
e) with specific consent, to receive promotional communications and invitations to events, training courses, webinars, special promotions, or to participate in surveys and market research;
f) in the case of CV submissions, exclusively for recruitment purposes;
g) in the presence of a shop/online sales area, to fulfill sales and contractual activities, and to be able to ship products or services, gifts, catalogs, or reports.

The legal basis for processing is the performance of a contract to which the data subject is party, or the execution of pre-contractual measures taken at the data subject’s request. In the cases expressly indicated, the legal basis is the consent freely given by the data subject.

3. Nature of Data Provision
   Except for browsing data and data collected through the website:
   A) With regard to the contact form, providing data is mandatory. If the privacy policy is not accepted, it will not be possible to submit the request form;
   B) For newsletter subscription, providing data is optional. Without consent, newsletters, advertising materials, and invitations to events or initiatives from the Controller cannot be received.

4. Methods of Processing and Data Retention Period
   The data collected will be processed using electronic or otherwise automated tools, IT and telematic systems, or manual processing with logics strictly related to the purposes for which the personal data were collected, and in any case in a way that ensures their security.
   Data are retained for the time strictly necessary to manage the purposes for which they were collected, in compliance with applicable regulations and legal obligations.

In any case, the Controller applies rules that prevent data from being retained indefinitely, thereby limiting the retention period in compliance with the principle of data minimization.

5. Authorized Personnel, Processors, and Data Disclosure
   The processing of collected data is carried out by the Company’s internal staff, identified and authorized for processing according to specific instructions provided in compliance with applicable regulations.

If necessary or instrumental to the purposes indicated above, data may be processed by third parties appointed as external Data Processors, or communicated to them as independent Controllers, specifically:

• individuals, companies, associations, or professional firms providing assistance and consulting services to our Company;

• companies, entities, or associations providing related and instrumental services for the execution of the above purposes (e.g., market research and analysis services, credit card payment processing, IT system maintenance).

In any case, personal data will never be sold or disseminated.

6. Rights of the Data Subject
   At any time, it is possible to access the data, object to processing, or request the deletion, modification, or updating of all personal information collected by the Controller, by exercising the right to restrict processing and the right to data portability, by sending an email to privacy@cronosmedia.i.

The data subject has the rights set out in Art. 7 of the Privacy Code and Art. 15 GDPR, specifically:
A) To obtain confirmation of whether or not personal data concerning them exists;
B) To obtain information on:

• the source of personal data;

• the purposes and methods of processing;

• the logic applied in case of processing carried out with the help of electronic means;

• the identifying details of the Controller, Processors, and the representative designated under Art. 5, para. 2 of the Privacy Code and Art. 3, para. 1 GDPR; as well as the entities or categories of entities to whom personal data may be communicated or who may become aware of it as designated representatives in the State, Processors, or persons in charge;

C) To obtain:

• the updating, rectification, or, when interested, integration of data;

• the erasure, transformation into anonymous form, or blocking of data processed unlawfully, including those whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;

• certification that the operations referred to in Art. 8.A) and B) have been notified, also as regards their content, to those to whom the data were communicated or disseminated, except where this proves impossible or involves the use of means manifestly disproportionate to the right protected;

D) To object, in whole or in part:

• on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of collection;

• to the processing of personal data concerning them for the purpose of sending advertising material or direct sales, or for carrying out market research or commercial communication, through automated calling systems without the intervention of an operator, email, and/or traditional marketing methods such as telephone and/or postal mail.

Please note that the right of the data subject to object, as indicated in point B), with regard to direct marketing using automated methods, also extends to traditional methods, and in any case the possibility remains for the data subject to exercise the right of objection even in part. Therefore, the data subject may choose to receive only traditional communications or only automated communications, or neither type of communication.

Where applicable, the data subject also has the rights under Articles 16–21 GDPR (Right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.

7. How to Exercise Rights
   You may exercise your rights by sending a registered letter to the address indicated in point 1), or an email to info@bioallergen.co.