Privacy Policy

Privacy Notice – Clients General Notice pursuant to Article 13 of EU Regulation679/2016
Pursuant to Article 13 of Regulation 679/2016 EU and the current legislation in Italy regarding the processing of personal data, we hereby inform you of the following.

a1) Data Controller and Contact Details
The Data Controller is Twini S.R.L., headquartered at Via Pietro Paleocapa 7, 20121, Milan (MI), Italy, e-mail: davide@twini.ai, PEC (certified email): twini@pec.it.

a2) Data Protection Officer (DPO)
The Data Protection Officer (DPO) appointed pursuant to Article 37 of Regulation 679/2016 EU is co-founder Andrea Vitali, based in Modena (MO) Via Divisione Acqui n. 120, contactable via e-mail at: andrea@twini.ai.

b) Purpose of Data Processing
Your personal data, either explicitly collected or otherwise acquired by the Data Controller during the engagement process or contract signing, will be processed exclusively for pre-contractual purposes (quotes, meetings, evaluations), contractual and payment purposes, as well as for mandatory tax and fiscal compliance required by applicable Italian laws at the time of processing. After the termination of the contractual relationship, your data will continue to be processed to comply with applicable legal obligations regarding the retention of fiscal documentation, as well as for the legitimate interest of the Data Controller in retaining data for protection against legal disputes and possible use for communications under Article 130, paragraph 4, of Legislative Decree 196/2003.

c) Legal Bases for Processing
Your data will be processed:
- on a contractual legal basis, regarding processing aimed at entering into and fulfilling the contract and its related obligations;
- on a statutory legal basis, for compliance with legal obligations concerning taxation and fiscal matters;
- based on the legitimate interest of the Data Controller, as detailed in the following point d).
Currently, no data processing based on consent is carried out. Should consent-based processing begin in the future, you will have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

d) Legitimate Interest of the Data Controller
Your data may also be processed based on the legitimate interest of the Data Controller. Specifically, this includes purposes related to company security, IT and data security, video surveillance, and post-contract communications under Article 130, paragraph 4, of Legislative Decree 196/2003. If processing is based on the Controller's legitimate interest, it will only proceed after careful evaluation of any overriding interests or fundamental rights and freedoms of the data subject that require personal data protection. In any case, you retain the right to object to processing based on legitimate interest. You may exercise this right by writing to: davide@twini.ai.

e) Recipients of Personal Data
Your personal data will only be disclosed to:
- individuals authorized by the Controller under Article 29, paragraph 4, GDPR, due to their inclusion in the company staff and the existence of a hierarchical relationship;
- third parties appointed as data processors under Article 28 GDPR who are systematically involved in employee data processing;
- entities legally entitled to access such data due to general legal provisions or lawful orders from a public authority.
A complete list of external processors is held by the company. Your data will never be publicly disclosed.

f) Data Transfers to Third Countries
Your personal data is not transferred to third countries, i.e., outside the European Economic Area (EEA). If access to your data by such countries is allowed, the strictest logistical and IT security measures will be adopted to prevent and avoid unauthorized access or use for purposes other than those indicated in point b). In any case, no data processing by third-country entities will take place without prior compliance with Articles 44 and following of the GDPR.

g) Data Retention Period
The data you provide will be processed and retained for the duration strictly necessary for the establishment and execution of the contractual relationship and, after its termination, for fulfilling all related or resulting obligations and compliance with current legal requirements. In any case, no personal data will be kept beyond the maximum period of 10 years.

h) Data Subject Rights
As a data subject, you have the right to exercise all the rights provided by Articles 12 and following of the GDPR in relation to the Data Controller. Specifically, you may request information about your data, access it, request rectification, deletion, restriction of processing, or object to its processing. You also have the right to data portability. To exercise these rights, you can submit a request to the Data Controller or DPO using the contact details provided above.

i) Right to Withdraw Consent
Your personal data has been collected in a pre-contractual and contractual context aimed at fulfilling obligations toward the data subject based on the ongoing work relationship, as well as legal, regulatory, and normative obligations. Therefore, in general, no further data processing based on the subject’s consent is foreseen, and accordingly, there is typically no consent to withdraw. However, should any additional processing based on consent occur, you would not only have the right to refuse consent, but, if given, you would also retain the right to withdraw it at any time.

l) Right to Lodge a Complaint
You may lodge a complaint with the Data Protection Authority, based in Rome, or with the competent judicial authorities, regarding the processing or the methods of processing of your data.

m) Mandatory Nature of Data Provision
Providing your data in the pre-contractual and contractual phase is mandatory, as it is necessary for establishing and carrying out the employment relationship, for fulfilling obligations in tax, social security, and insurance matters, as well as compliance with occupational health and safety requirements and other related functions. If the data is not provided, the contractual relationship cannot be established or continued.

n) Automated Decision-Making
The Data Controller does not carry out any data processing based on automated decision-making.

Additional Information regarding Data Processing by Twini S.R.L. as Processor(or Sub-Processor) under Article 28 of Regulation 679/2016 EU
If you use the ChatBot service provided by Twini S.R.L., and unless otherwise specified in the contract, Twini S.R.L. will assume the role of:

A) Data Processor, under Article 28(1) GDPR, if you act as the Data Controller;
B) Sub-Processor, under Article 28(2) GDPR, if you act as a Data Processor under Article 28(1) GDPR on behalf of the Data Controller.

Details about the personal data processing carried out by Twini S.R.L. in the role of Processor or Sub-Processor are provided in the relevant Data Processing Agreement (DPA), which forms an integral part of the terms and conditions of the service and is available on this website: www.twini.ai.

Download DPA