Privacy Policy

Information about personal data processing

General

The protection of personal data is a fundamental value in our business activity. In this document we provide all the information you may need to understand how we protect your privacy, and to have control over how we use your data.

This information notice is about the processing of your personal data that is made:

  • Through our website www.contactlab.com (the “Website”)

Or that is otherwise made:

  • In connection with the purchase and use of Contactlab’s products and services, or when you contact us to request information (including with reference to promotions or demos and trials; demos and trials are test versions specially made for testing specific features or digital products)

We process your data in compliance with Regulation (EU) No. 2016/679 (General Data Protection Regulation, “GDPR”) and this information is provided pursuant to articles 13 and 14 of the GDPR.

Who we are, and how to contact us

In this section we specify who you should address if you wish to exercise your rights.

  • Controller
  • Data Protection Officer

Controller

Means the natural or legal person who determines why and how your personal data are processed and arranges the organizational and security measures to protect your privacy.

Contactlab S.r.l. is the Controller and its contact details are:

Controller
Contactlab S.r.l.
Via Emilio Cornalia, 11 – 20124 Milano
privacy@contactlab.com

Please remember to include your name, e-mail/postal address, and/or telephone number so that your request can be handled correctly.

Data Protection Officer

Contactlab has designated a Data Protection Officer (DPO): the DPO has the task of monitoring the compliance with regulations on the processing of personal data and of responding to your requests for clarification about how we process your data.
Furthermore, the DPO has been entrusted by the group with the task of responding to the users’ requests concerning the exercise of their right of access and of other rights as specified in the GDPR. The DPO may be reached in writing at the address of the Contactlab’s offices or by e-mail at the following address:

Data Protection Officer
Contactlab S.r.l.
Via Emilio Cornalia, 11 – 20124 Milano
EMAIL: dpo@contactlab.com

What types of personal data we process

Personal data means any information enabling, directly or indirectly, your identification.
We collect and use your personal data for the purpose of entering into, and performing, your agreement with Contactlab. We further collect and use your personal data when you visit, search, request or use any Contactlab service and/or product (including those available on this Website).

In some cases, we may gather your personal data also from other companies of the TeamSystem group to which Contactlab belongs, or from public databases.

Categories of personal data we collect:

    1. Identifying contact and access details
      Means data such as: name, surname, username, e-mail address, postal address, telephone number, user and password, image of the profile (if you set one)
    2. Product data
      Means data relating to the products and/or services that have been -respectively- licensed to, or subscribed by, the users, including the information contained in documents managed by means of such products or services.
    3. Invoicing and payment data
      Means data such as: VAT number, taxpayer’s code, address and (if any) business name.
    4. Navigation data
      Means data relating to the internet connection, IP address (the equivalent of a postal address for your device, such as a PC, mobile or tablet; in other words, a unique address identifying a specific device), domain names and to other parameters relating to the browser and operating system of the users.
    5. Usage data
      Means data generated in connection with the use of the purchased products or services, whether in the case of “on premises” products (i.e., when the product is installed on the user’s systems or equipment) or in the case of “in cloud” products (i.e., online services provided by Contactlab), such as: log data (a data log is a file that stores information on the operation of a device and records, in particular, the errors and problems that occurred), data relating to licenses, installations, and settings, data relating to the recordings that have been taken, interaction and transaction processes, performance indicators, data relating to navigation flows and page views, usage and statistics concerning specific features.

Why we collect your personal data and how long we retain them

In this section we illustrate why we use your data, i.e., which are the purposes of our processing activity.
We also specify if you are required to provide your data, what happens if you decide not to provide your data to us, and how long we retain your data.

We process your data for the following purposes:

  1. Contractual and legal purposes
  2. Service enhancement purposes and other purposes not relying on consent
  3. Soft spam purposes

1. Contractual and legal purposes

IN SHORT

  1. Do you have the obligation to provide your data?
    Yes, in the absence of your data we cannot supply our services/products to you.
  2. What happens if you do not provide your data to us?
    We will not be able to perform the contract existing between you and us and to supply the services or products as requested by you.
  3. Is your consent required to process your data?
    No, your consent is not required.
  4. What is the legal basis for processing your data?
    The processing is necessary for performing the contract that you have entered into with us, responding to your requests or carrying out the activities which are necessary to execute the contract between you and us, and for meeting the obligations placed on us by the law.
  5. How long do we retain your data?
    For as long as the requested services are supplied and for the following ten-year period (i.e., the duration of the limitation period applicable to our contractual liability).
    This is without prejudice to retention for longer periods insofar as such retention is necessary in the framework of pending litigation, or for responding to a request made by a competent authority, or pursuant to the applicable law.

Please also find a more detailed description of the above-mentioned contractual and legal purposes:

  1. Enabling navigation on the Website
  2. Creating and managing the user account (including possible verification of the account and recovery of the credentials) and using account-related features.
  3. Carrying out the necessary activities to execute and perform the contract for the provision of services/products requested or purchased by users, whether or not on the Website.
  4. Dealing with the requests for participating in webinars (a webinar is an educational or training seminar that is attended remotely, through an internet connection) or events, subscribing to newsletters, receiving fee quotes, and processing orders.
  5. Handling the complaints (if any) and the requests for sending service communications and product updates, either via traditional communication media, such as postal mail, or by remote communication systems, such as e-mail, chat, telephone, SMS, chatbot (a chatbot is an electronic instant conversation, or chat, between you and an artificial intelligence, or bot), banners, notification systems and other means of distance communication.
  6. Providing assistance, support, and training to the users of our products and services.
    In order to provide assistance to users, we may also process Usage Data relating to the product.
    For instance, the examination of the user navigation flows may enable us to identify the causes for the issues arising, if any, when using certain product’s features.
  7. Complying with the obligations arising from national or European law provisions, regulations, or rules (e.g., tax and accounting obligations) or dealing with, or responding to, the requests made by judicial authorities, or by administrative and tax authorities.

2. Service enhancement purposes and other purposes not relying on consent:

IN SHORT

  1. Is your consent required to process your data?
    No, your consent is not required.
  2. Can you object to these processing operations?
    You shall have the right to object to processing operations, on grounds relating to your particular situation, according to the formalities specified in the section “What are your rights, and how you can exercise them”. In such case, we will not process your data for this purpose, unless we can demonstrate that there are overriding legitimate grounds, or unless we are exercising or defending a legal claim pursuant to article 21 of the GDPR.
  3. What is the legal basis for processing your data?
    The processing is based on the legitimate interest of the Controller, pursuant to article 6(1), letter f) of the GDPR. In compliance with the GDPR, we have carried out a thorough balancing of interests aimed at ensuring that the privacy and fundamental rights of the users are protected and respected.
  4. How long do we retain your data?
    For as long as the requested services are supplied, and in compliance with the principle of data minimisation (this principle means that we only process personal data that are “adequate, relevant and limited” in relation to the purposes for which they are processed), save for the following exceptions:

    1. If, in case of legal claims and/or complaints, Contactlab has the necessity to retain your personal data in order to ensure legal defence (letter k) for a period of 10 years (corresponding to the limitation period applicable to the contractual liability of Contactlab)
    2. Or if, in case of pending litigation, further retention is due to the duration itself of the pending proceedings or to specific requests made by the competent judicial authority.

Please also find a more detailed description of the various service enhancement purposes and other purposes not relying on consent:

  1. Carrying out analysis and research activities concerning the products and services provided by us, and the way you use them, in order to enhance and develop our products and services. In compliance with the principle of data minimization, these activities shall only be carried out on your personal data in so far as it is necessary, by ensuring that such activities are carried out fairly and correctly. Furthermore, where possible, we will anonymise (anonymisation is a technique used to make the data subject to which personal data relate no longer identifiable) or aggregate personal data before using them.
  2. Measuring satisfaction with the products and services that you have purchased from Contactlab or dealing with problems or issues relating to the use of products or services (e.g., initiatives contributing to promoting better use of products or services, also in order to prevent returns/withdrawals from subscriptions, and to improve the users and customers experience).
  3. Enforcing and defending the rights of Contactlab, also in the framework of credit recovery procedures and assignment of credits to authorised companies, assessing the position and reliability of customers, and carrying out controls aimed at preventing and/or punishing deceitful or damaging actions.
  4. Carrying out prospective mergers, assignments of assets, transfers of business, assignments of an on-going business or financial operations, by disclosing and transferring your data to the concerned third parties.
  5. Performing customer segmentation based on non-invasive categories such as, among others, the professional category, the city/district/region of residence, the type of product/service that you have purchased, or about which you have requested information through the Website. Segmentation may also be performed on platforms of third-party providers, through the interconnection with the data of such third-party platforms (interconnection refers to the combined use of two or more databases; for instance, the data contained in a database may be automatically updated in case of amendments to the data contained in a second database).
  6. Managing the information resources of Contactlab, including infrastructures, websites, and technological equipment, to ensure service continuity and to guarantee IT security (for instance, to prevent cyberattacks or to perform verifications in case of cyberattacks).

3. Soft spam purposes

IN SHORT

  1. Do you have the obligation to provide your data?
    No, you are under no obligation to provide your data.
  2. Can you object to processing?
    At any time.
  3. What happens if you do not provide your data to us?
    We will not process your data for these purposes, without detriment to the contractual relationship with us and to the provision of our services.
  4. Is your consent required to process your data?
    No.
  5. What is the legal basis for processing your data?
    The processing is carried out pursuant to article 130(4) of the Legislative Decree No. 196/2003 (“Privacy Code”), without prejudice to your right to object to the processing.
  6. Change of preferences and withdrawal of consent
    If you do not wish to receive further commercial communications by us, you may unsubscribe by following the special link available at the end of the commercial communications sent via e-mail. In such cases, we will limit the storage of personal data only to the minimum data that are necessary to record your withdrawal and to avoid contacting you again.
  7. How long do we retain your data?
    For a period of 24 months from the purchase of a new Contactlab product or service.

These are further details on different soft spam purposes:

    1. Sending marketing communications via emails concerning products or services that are similar to those representing the object of the contract between you and us. You may opt-out from such communications at any time.

How and with whom we share your data

We may disclose your data to other persons or entities carrying out service activities that are integral and necessary for the provision of our products or services. When sharing your data, we comply with the principles of purpose limitation (which requires that the processing is only carried out for specified, explicit and legitimate purposes) and of data minimization established in the GDPR.

The recipients of your data shall carry out the processing by acting as independent controllers, as processors or as other processors in charge of processing operations. If you wish to receive the list of all processors carrying out processing operations, please contact us at the address privacy@contactlab.com.

We disclose your data to the following recipients:

  1. Third-party providers of assistance and consulting services in the field of (without limitation) technology, accounting, administration, legal, insurance.
  2. Companies of the TeamSystem group to which Contactlab belongs.
  3. If there are business partners involved in the performance of the contract, we may disclose part of your personal data to our distributors, retailers and other partners participating in the products/services distribution chain of the TeamSystem group to which Contactlab belongs.
  4. Banks and financial institutions.
  5. Debt-recovery agencies.
  6. Entities and public authorities whose right to receive personal data is expressly granted by law, regulations or by an act issued by a competent authority.
  7. Prospective buyers and other entities arising from a merger, or any other company restructuring, or conversions.
  8. Public databases and credit reporting information systems.

Do we transfer personal data abroad?

Personal data may be freely transferred within the European Union. Should Contactlab need to transfer personal data, for the specified purposes, outside the European Union to countries not considered adequate by the European Commission (e.g., United States), Contactlab shall take the necessary measures to protect the personal data.
We will act in compliance with the safeguards required by the law, pursuant to the applicable regulations and in particular to articles 45 and 46 of the GDPR.
If you wish to have further information about the existing safeguards, and to receive a copy of such safeguards, please contact the Data Protection Officer at the address: dpo@contactlab.com

How we process your personal data

Contactlab carries out the processing of your personal data by electronic and manual systems, according to the principles of fairness, honesty, and transparency, and protecting your privacy by the implementation of technical and organisational measures appropriate to ensure an adequate level of security.

The processing operations are performed at the Contactlab’s premises and/or at the premises of the independent Processors who carry out the processing on behalf of Contactlab.

As concerns the Usage Data and the Navigation Data, in compliance with the above-stated purposes and based on your express consent (where required), we may perform analytic activities, also through the interconnection of data relating to the various products and services purchased by you from the companies of the TeamSystem group to which Contactlab belongs, by collecting Usage Data and Navigation Data relating either to products installed on the user’s equipment (“on premises” products) or to “in cloud” products, that is by collecting data during the online use of such services. As concerns usage statistics, we avail ourselves of tools enabling the collection of Usage Data.

What are your rights, and how you can exercise them

You have control of your own personal data. Here you can find a list of your rights with regard to the processing of your personal data:

  1. Right of access
    You are entitled to obtain confirmation as to the existence of personal data relating to you, and to have access to the relevant contents.
  2. Right to rectification
    You are entitled to obtain the updating, amendment and/or rectification of your personal data.
  3. Right to be forgotten and to restriction of processing
    You are entitled to obtain the erasure, or the restriction of processing, of personal data that are unlawfully processed, including where they no longer require retention in relation to the purposes for which they have been collected or are otherwise processed.
    This is without prejudice to any overriding public interest, or legal obligation to retain the concerned data.
  4. Right to object
    You are entitled to object to the processing.
    This is without prejudice to the case when there are overriding legitimate grounds allowing Contactlab to continue the processing.
  5. Right to withdraw the consent
    You are entitled to withdraw your consent, if previously given.
  6. Right to lodge a complaint
    You are entitled to lodge a complaint with a supervisory authority in the Member State where you have your habitual residence, where you work, or where the alleged infringement has occurred. In Italy, the competent supervisory authority is the Garante per la protezione dei dati personali (the website of the Authority for the Protection of Personal Data, the “Garante”, is available at www.garanteprivacy.it).
    This is without prejudice to any other administrative or judicial remedy.
  7. Right to data portability
    You are entitled to receive a copy in electronic form of the personal data relating to you.
    You are entitled to transfer such data to another service provider, where Contactlab is processing the personal data based on your consent or based on the necessity to carry out the processing for providing services upon your request, and where the processing is carried out by automated means.

If you wish to exercise the above-mentioned rights with regard to the protection of personal data, you may contact, at any time and free of charge, the Data Protection Officer by sending an e-mail to the following address: dpo@contactlab.com.
When you contact us, please remember to include your name, e-mail address, postal address, and/or telephone number so that your request can be handled correctly.

What happens if you die?

In the event of death, article 2-terdecies of the Privacy Code shall apply, stating that these rights relating to your personal data can be exercised by a data subject who has an interest in your protection, or acts on your behalf as an agent, or for family reasons worthy of protection.
You may expressly forbid that the above-mentioned representatives exercise one or more of the rights above, by sending a written statement to the Controller, at the contact details specified in the section “Who we are, and how to contact us”.
You shall be entitled to successively withdraw or amend this statement according to the same formalities.

Amendments and updates

We may amend this policy, also as a consequence of amendments in the applicable law.
We will provide prior notice to you in case of any amendments to this privacy policy.
The updated policy will be available on the Website.

Contacts for privacy matters

Should you have questions or requests about this privacy policy, please contact the Controller by using the following contact details:

Controller
Contactlab S.r.l.
Via Emilio Cornalia, 11 – 20124 Milano
privacy@contactlab.com

Please remember to include your name, e-mail/postal address, and/or telephone number so that your request can be handled correctly.

Explanatory references

This is the list of the articles mentioned in this privacy policy with the description of the relevant contents made simple:

  1. Art. 13 GDPR Information to be provided to data subjects.
    It specifies what information the controller must give to the data subjects, being the persons to which personal data relate, at the time when such personal data are collected.
  2. Art. 14 GDPR Information to be provided to data subjects.
    It specifies what information the controller must give to the data subjects, being the persons to which personal data relate, where such personal data have been obtained from sources other than the same data subject.
  3. Art.130 (4) Legislative Decree No. 196/2003 (“privacy code”) Promotional communications not relying on the consent of the data subject.
    In the event that an e-mail address has been supplied by a data subject in the context of the sale of a product or service, then the controller may use this address to send communications for promotional purposes or relating to market surveys, with or without the data subject’s consent. These communications must concern products or services that are similar to those that have been sold, and the data subject is entitled to object at any time to such communications.
  4. Art. 45 GDPR Transfers based on an adequacy decision.
    It enables the transfer of personal data to a third country or an international organization offering, according to a decision of the European Commission, an adequate level of protection for personal data.
    Furthermore, it lays down the requirements based on which the decision is to be taken.
  5. Art. 46 GDPR Transfers subject to appropriate safeguards
    Personal data may be transferred to a third country or an international organisation if the controller has adopted appropriate safeguards to ensure the protection of personal data.
  6. Art. 6 (1), letter f GDPR Lawfulness of processing based on the legitimate interests
    The processing of personal data is lawful where it is necessary for the purposes of the legitimate interests of the controller, or of third parties, provided that there are no overriding interests or fundamental rights and freedoms of the data subjects.
  7. Art. 21 GDPR Right to object
    The data subject shall have the right to object, at any time, on grounds relating to his or her particular situation, to processing of his or her personal data where it is carried out to pursue a legitimate interest. In this case, the controller shall no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the exercise or defence of legal claims.