Privacy & Cookie Policy

UPGRADE SRL  PERSONAL DATA PROCESSING POLICY PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679

This policy is provided in accordance with the European General Data Protection Regulation (EU) 2016/679 (“GDPR”), as subsequently amended and/or supplemented, and national laws or regulations on the processing of personal data, as applicable from time to time (“Privacy Legislation”), to ensure that the processing of personal data is carried out in accordance with the rights and freedoms of persons with particular regard to the protection of personal data.

The term “personal data” means any information relating to a natural person who is identified or identifiable, even indirectly, by reference to any other information, including a personal identification number.

The term “processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The term “data subject” refers to the natural person to whom the personal data relate.

  1. Data controller

Upgrade srl having its registered office at via Roma 78, 23900 Lecco, Tax code and VAT no 02513010138. Upgrade srl is the Data Controller (“Data Controller” or “Upgrade”) for the purposes described in paragraph 3 below and is part of the Impresoft Group. The list of companies belonging to the Impresoft Group can be found in the following section of the website of Impresoft S.p.A. (“Group Companies”). The Data Controller can be contacted at the following e-mail address: privacy@impresoftgroup.com

In accordance with Article 37 of the GDPR, the Data Controller has also appointed a Data Protection Officer (“DPO”), who can be contacted at the following addresses: by e-mail: info@upgradesrl.com; by post: Strada Statale 36 – Km 36 – Civ 10 23846 Garbagnate Monastero (LC) – Italy

  1. Sources and Type of data processed

The data processed by the Data Controller and collected directly from Upgrade  website may include personal information and contact information (first name, surname, e-mail, telephone number, address, role, company name, CV and data on professional life in the case of an application and any other information voluntarily provided by the data subject).

  1. Purpose and legal basis of the processing carried out by the Data Controller

The Data Controller may process the personal data of the data subject for the processing purposes set out below:

  1. Purposes strictly connected with and ancillary to the conclusion and performance of a contract to which the data subject is party, in accordance with Article 6(1)(b) of the GDPR. The provision of personal data does not require consent, but is necessary for the establishment, performance or continuation of the contractual relationship with the Data Controller.
  2. Management of the relationship with the data subject resulting from the data subject’s request to use additional content (whitepapers, gated content, webinar) offered within the Data Controller’s website. The provision of personal data is not compulsory, but refusal to provide them may make it impossible for the data subject to obtain the services and/or products and/or content requested, to receive the functions, information and informative material requested from the Data Controller or for webinar subscription. The provision of personal data does not require consent as the processing is necessary for the performance of a free contract to which the data subject is a party, as set out in Article 6(1)(b) of the GDPR.
  3. Profiling cookies, if accepted by the user via a cookie banner, are used to carry out profiling activities consisting of analysing the interests and preferences of users in relation to the type of content downloaded from the website in order to carry out profiled marketing activities. The provision of data is not compulsory and their processing requires the consent of the data subject. These data will only be displayed and processed by the other Group Companies if the consent referred to in 9) below has been given.
  4. Responding to requests for information made by the data subject to the Data Controller. In order to execute these requests, the owner may make use of other partners and Group Companies whose product is the subject of the data subject’s request for information. The provision of personal data does not require consent as the processing is necessary to carry out pre-contractual measures taken at the request of the data subject, in accordance with Article 6(1)(b) of the GDPR.
  5. Fulfilment of legal obligations, regulations, EU legislation, provisions issued by authorities empowered to do so by law or by supervisory and control bodies pursuant to Article 6(1)(c) GDPR. The provision of personal data for the purposes set out in this point is obligatory and does not require consent.
  6. Purposes of business analysis in an anonymous form: to improve the business and own services (for example, to measure customer satisfaction with the quality of the services provided and the activities carried out by the Data Controller, by carrying out studies and market research). The provision of personal data is not compulsory and the relevant processing does not require consent due to the existence of a legitimate interest of the Data Controller in carrying out business analysis activities in accordance with Article 6(1)(f) of the GDPR.
  1. Marketing purposes for the promotion and sale of products and services similar to those already purchased by the data subject (so-called soft spam), through commercial communications sent by e-mail. The provision of data is not compulsory and their processing does not require consent due to the existence of a legitimate interest of the Data Controller in carrying out marketing activities towards its customers, in accordance with Article 6(1)(f) GDPR.
  1. Own marketing purposes: through the use of automated contact tools (such as automated calls, e-mails) or through traditional contact tools (cold calling), directly or through third party companies, with reference to their products and services i) sending and/or proposing by telephone informative, commercial, advertising and promotional material, also personalised/of specific interest, on the basis of the information obtained following the activity referred to in point 3 above ii) sending newsletters and invitations to events and initiatives. The provision of data is not compulsory and their processing requires consent, which may be given and withdrawn, even for only some of the above activities, by writing to the e-mail address below. If the data subject does not provide personal data, he/she will not be able to receive information about the products and/or services offered by the Data Controller, but there will be no consequences for the data subject’s ability to consult the website and for any contractual relationship with the Data Controller.
  2. Communication of data to the Group Companies which, with reference to their products and services and those of the Group Companies belonging to the ICT and consultancy sector, may, directly or through third parties, using automated contact tools (such as automated calls, e-mails) or traditional contact tools (cold calling), i) send and/or propose by telephone informative, commercial, advertising and promotional material, also personalised/of specific interest, on the basis of the information obtained following the activity referred to in point 3 above ii) send newsletters and invitations to events and initiatives. The provision of data is not compulsory and their processing requires the consent of the data subject, which may be withdrawn at any time without prejudice to the processing carried out prior to the withdrawal.
  3. Management of the website(s) (statistical analysis). The provision of personal data is not compulsory and their processing does not require consent due to the existence of a legitimate interest of the Data Controller in managing its own website, in accordance with Article 6(1)(f) of the GDPR.
  4. Personnel recruitment and selection activities. The provision of personal data is not compulsory, but refusal to provide them may prevent the Data Controller from assessing the professional profile of the data subject for the purpose of establishing an employment relationship. The relevant processing does not require the consent of the data subject in order to carry out pre-contractual measures taken at the request of the data subject, in accordance with Article 6(1)(b) of the GDPR.
  5. Communication of candidates’ data to Group Companies for the purposes of recruitment and selection by them. Their processing requires the consent of the data subject, which may be withdrawn at any time without prejudice to the processing carried out prior to the withdrawal.
  6. Legal defence: where necessary to establish, exercise or defend one’s rights in a court of law. The provision of personal data is compulsory and the relevant processing does not require consent due to the existence of a legitimate interest of the Data Controller, in accordance with Article 6(1)(f) GDPR.
  7. Transmission by the Controller of marketing newsletters to the e-mail address provided by the data subject in the appropriate section of the site. The provision of data is optional and its processing requires the consent of the data subject, which is necessary in order to take advantage of the service of receiving newsletters from the Owner.
  1. Where and how personal data are processed

In relation to the aforementioned purposes, personal data will be processed using manual, computerised and electronic tools, with logic strictly related to these purposes and in any case in such a way as to guarantee the security and confidentiality of the data.

Upgrade will process the personal data of the data subject exclusively with technical personnel in charge of such processing, using mainly automated and computerised methods suitable to guarantee, in relation to the purposes for which the data are processed, the security and confidentiality of the data, as well as to prevent unauthorised access to the data. Automated decision making processes are not performed by Upgrade.

The processing of the data collected takes place on the premises of Upgrade and of the service providers identified by it and appointed, where necessary, as data processors in accordance with Article 28 of the GDPR.

The data collected and processed on the website are stored in the CRM shared by the Group Companies, which is hosted in HubSpot’s servers in Europe (“HubSpot CRM”).

  1. Storage of personal data

The data subject’s personal data will only be stored for as long as necessary to achieve the purposes for which they have been collected, in accordance with the principle of minimisation pursuant to Article 5(1)(c) of the GDPR.

In particular, with regard to processing for marketing purposes, the data will be processed and stored until the data subject withdraws his or her consent. In any event, the data subject may at any time request that the processing cease or that the data be erased, as provided for below.

The Data Controller may store some data even after the termination of the relationship, depending on the time required to manage specific contractual or legal obligations as well as for administrative, tax and/or contribution purposes for the period of time required by laws and regulations in force, as well as for the time required to enforce any rights in a court of law.

In any case, the data will be processed not only in accordance with the regulations in force, but also in accordance with the standards of confidentiality to which the Data Controller has always been bound.

The storage period will vary according to the type of data processed, but in general, Upgrade refers to these criteria to determine the storage period:

  • If there is a legal or contractual need to store the data.
  • If the data are needed to provide its services.
  1. Categories of parties to which the data may be disclosed

The Data controller may disclose the personal data of the data subject to third parties in order to comply with legal obligations and to service providers who act as autonomous Data Controllers or are designated as Data Processors in accordance with Article 28 of the GDPR if they have to process data on behalf of the Data Controller and essentially fall into the following categories, which are listed by way of example but are not limited to:

  • entities performing banking services, including those involved in operating payment systems;
  • persons, companies, associations or professional firms providing services or activities of assistance and consultancy to the data controllers, in particular but not exclusively in relation to accounting, administrative, legal, tax and financial, commercial matters;
  • business, marketing, legal partners, technical service and/or software platform providers, system administrators, hosting providers, IT companies, communication agencies;
  • parties that carry out the control, the audit and the certification of the activities carried out;
  • Group Companies that provide services of an IT nature (e.g. the provision of the HubSpot CRM or the support, maintenance, assistance and development of the HubSpot CRM itself);
  • all the Group Companies, only if the data subject has given his or her consent for the purposes set out in points 9) and/or 12) of paragraph 3 above.
  • all the Group Companies, only in the event that it is necessary to execute a request made by the data subject as indicated in point 4) of paragraph 3 above.

The updated list of parties to which the personal data of data subjects may be communicated and/or transferred is available from Upgrade by contacting us at: info@upgradesrl.com.

  1. Transfer of data outside the EU

Any transfer of data to Third Countries, outside the EU, for the purposes indicated in paragraphs 3 and 4 above, may take place, in accordance with the methods permitted by the laws in force and in particular in accordance with the provisions of the GDPR set out in: i) Article 44 – General principle of transfer; ii) Article 45 – Transfer on the basis of an adequacy decision; iii) Article 46 – Transfer subject to adequate safeguards; iv) Article 49 – Exceptions in specific situations.

The data subject’s data will be shared with Group Companies in the HubSpot CRM with the specific consent of the data subject. Group Companies include Kipcast Corp, which is based in Canada. The transfer of data to this Company is guaranteed by the European Commission’s Adequacy Decision 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data under the Canadian Personal Information Protection and Electronic Documents Act.

  1. Rights of the data subject

Articles 15-22 of the GDPR provide data subjects with specific rights. In particular, the data subject may obtain from the Data Controller: access, rectification, erasure, restriction of processing, withdrawal of consent, and portability of data concerning them. The data subject also has the right to object to processing on legitimate grounds and/or for commercial purposes.

The Data Controller undertakes to reply to the data subject as soon as possible after verifying the identity of the data subject, where necessary.

Where the right of objection is exercised, the Data Controller reserves the right not to process the request and thus to continue processing if there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject.

With respect to marketing purposes, this is without prejudice to the possibility of the data subject having given their consent:

  • to request, at any time and free of charge, to receive communications only by traditional contact methods, such as cold calling;
  • to object, at any time and free of charge, to the processing of data for the above-mentioned purposes. In this case, the right to object to the processing of data via automated contact methods (such as e-mail and automated calls) extends to traditional contact methods (such as cold calling);
  • to object, at any time and free of charge, to the processing of data for the above-mentioned purposes only in part, i.e. by expressly choosing how to be contacted.

The aforementioned rights may be exercised by sending a written communication to the Data Controller at the following e-mail address: info@upgradesrl.com.

The data subject is informed that, pursuant to Article 12 of the GDPR, if the data subject’s requests are found to be manifestly unfounded or excessive, in particular due to their repetitive nature, the Data Controller may a) charge a reasonable fee, taking into account the administrative costs incurred in providing the information or communications or in taking the requested action, or b) refuse to comply with the request.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority.

  1. Links to other websites

The website may contain links to other websites. However, once the data subject has used these links and left this website, Upgrade will have no control over the other websites. Upgrade will in no way be responsible for the protection and confidentiality of the information provided when visiting such other sites. We recommend that you carefully read the privacy policy applicable to the website in question.

  1. Changes to this privacy policy

Upgrade reserves the right to make changes to this policy at any time by notifying the data subjects on this page. If the data subject does not accept the changes made to this policy, the data subject shall cease to use this website and may request Upgrade to remove his or her personal data.

Cookie Policy of www.upgradesrl.com

This document informs Users about the technologies that help this Application to achieve the purposes described below. Such technologies allow the Owner to access and store information (for example by using a Cookie) or use resources (for example by running a script) on a User’s device as they interact with this Application.

For simplicity, all such technologies are defined as “Trackers” within this document – unless there is a reason to differentiate.
For example, while Cookies can be used on both web and mobile browsers, it would be inaccurate to talk about Cookies in the context of mobile apps as they are a browser-based Tracker. For this reason, within this document, the term Cookies is only used where it is specifically meant to indicate that particular type of Tracker.

Some of the purposes for which Trackers are used may also require the User’s consent. Whenever consent is given, it can be freely withdrawn at any time following the instructions provided in this document.

This Application uses Trackers managed directly by the Owner (so-called “first-party” Trackers) and Trackers that enable services provided by a third-party (so-called “third-party” Trackers). Unless otherwise specified within this document, third-party providers may access the Trackers managed by them.
The validity and expiration periods of Cookies and other similar Trackers may vary depending on the lifetime set by the Owner or the relevant provider. Some of them expire upon termination of the User’s browsing session.
In addition to what’s specified in the descriptions within each of the categories below, Users may find more precise and updated information regarding lifetime specification as well as any other relevant information – such as the presence of other Trackers – in the linked privacy policies of the respective third-party providers or by contacting the Owner.

Activities strictly necessary for the operation of this Application and delivery of the Service

This Application uses so-called “technical” Cookies and other similar Trackers to carry out activities that are strictly necessary for the operation or delivery of the Service.

First-party Trackers

Registration and authentication provided directly by this Application

By registering or authenticating, Users allow this Application to identify them and give them access to dedicated services. The Personal Data is collected and stored for registration or identification purposes only. The Data collected are only those necessary for the provision of the service requested by the Users.

Direct registration (this Application)

The User registers by filling out the registration form and providing the Personal Data directly to this Application.

Personal Data processed: academic background, billing address, budget, city, company name, country, county, date of birth, email address, fax number, field of activity, first name, gender, house number, language, last name, number of employees, password, phone number, physical address, picture, prefix , profession, profile picture, Social Security number (SSN), state, Tax ID, Trackers, Twitter handle, Usage Data, User ID, username, various types of Data, VAT Number, website, workplace and ZIP/Postal code.

Third-party Trackers

Traffic optimisation and distribution

This type of service allows this Application to distribute their content using servers located across different countries and to optimise their performance.
Which Personal Data are processed depends on the characteristics and the way these services are implemented. Their function is to filter communications between this Application and the User’s browser.
Considering the widespread distribution of this system, it is difficult to determine the locations to which the contents that may contain Personal Information of the User are transferred.

Cloudflare (Cloudflare Inc.)

Cloudflare is a traffic optimisation and distribution service provided by Cloudflare Inc.
The way Cloudflare is integrated means that it filters all the traffic through this Application, i.e., communication between this Application and the User’s browser, while also allowing analytical data from this Application to be collected.

Personal Data processed: Trackers and various types of Data as specified in the privacy policy of the service.

Place of processing: United States – Privacy Policy.

Spam and bots protection

This type of service analyses the traffic of this Application, potentially containing Users’ Personal Data, with the purpose of filtering it from unwanted parts of traffic, messages and content that are recognised as spam or protecting it from malicious bots activities.

Cloudflare Bot Management (Cloudflare Inc.)

Cloudflare Bot Management is a malicious bot protection and management service provided by Cloudflare Inc.

Personal Data processed: app information, Application opens, browser information, browsing history, city, clicks, country, county, custom events, device information, device logs, geography/region, interaction events, IP address, keypress events, language, latitude (of city), launches, longitude (of city), metro area, motion sensor events, mouse movements, number of sessions, operating systems, page events, page views, province, scroll position, scroll-to-page interactions, search history, session duration, session statistics, state, touch events, Trackers, Usage Data, video views and ZIP/Postal code.

Place of processing: United States – Privacy Policy.

  • Storage duration:
    • __cf_bm: 3 seconds
    • __cfruid: duration of the session
    • cf_ob_info: 3 seconds
    • cf_use_ob: 3 seconds
    • cfmrk_cic: 3 months

Other activities involving the use of Trackers

Functionality

This Application uses Trackers to enable basic interactions and functionalities, allowing Users to access selected features of the Service and facilitating the User’s communication with the Owner.

Contacting the User

Contact form (this Application)

By filling in the contact form with their Data, the User authorises this Application to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.

Personal Data processed: Trackers and various types of Data.

User database management

This type of service allows the Owner to build user profiles by starting from an email address, a personal name, or other information that the User provides to this Application, as well as to track User activities through analytics features. This Personal Data may also be matched with publicly available information about the User (such as social networks’ profiles) and used to build private profiles that the Owner can display and use for improving this Application.
Some of these services may also enable the sending of timed messages to the User, such as emails based on specific actions performed on this Application.

HubSpot CRM (HubSpot, Inc.)

HubSpot CRM is a User database management service provided by HubSpot, Inc.

Personal Data processed: country, email address, first name, last name, phone number, profession, Trackers, Usage Data and various types of Data as specified in the privacy policy of the service.

Place of processing: Germany – Privacy Policy.

Storage duration:

    • __hs_gpc_banner_dismiss: 6 months
    • __hssc: 30 minutes
    • __hssrc: duration of the session
    • __hstc: 2 months
    • hubspotutk: 2 months
    • messagesUtk: 2 months

Experience

This Application uses Trackers to improve the quality of the user experience and enable interactions with external content, networks and platforms.

Displaying content from external platforms

This type of service allows you to view content hosted on external platforms directly from the pages of this Application and interact with them.
This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.

Font Awesome (Fonticons, Inc. )

Font Awesome is a typeface visualisation service provided by Fonticons, Inc. that allows this Application to incorporate content of this kind on its pages.

Personal Data processed: Trackers and Usage Data.

Place of processing: United States – Privacy Policy.

Measurement

This Application uses Trackers to measure traffic and analyse User behaviour to improve the Service.

Analytics

The services contained in this section enable the Owner to monitor and analyse web traffic and can be used to keep track of User behaviour.

Google Analytics 4 (Google Ireland Limited)

Google Analytics 4 is a web analysis service provided by Google Ireland Limited (“Google”). Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.

Personal Data processed: number of Users, session statistics, Trackers and Usage Data.

Place of processing: Ireland – Privacy Policy– Opt Out.

Storage duration:

    • _ga: 2 years
    • _ga_*: 2 years

How to manage preferences and provide or withdraw consent

There are various ways to manage Tracker related preferences and to provide and withdraw consent, where relevant:

Users can manage preferences related to Trackers from directly within their own device settings, for example, by preventing the use or storage of Trackers.

Additionally, whenever the use of Trackers is based on consent, Users can provide or withdraw such consent by setting their preferences within the cookie notice or by updating such preferences accordingly via the relevant consent-preferences privacy widget, if available.

It is also possible, via relevant browser or device features, to delete previously stored Trackers, including those used to remember the User’s initial consent preferences.

Other Trackers in the browser’s local memory may be cleared by deleting the browsing history.

With regard to any third-party Trackers, Users can manage their preferences via the related opt-out link (where provided), by using the means indicated in the third party’s privacy policy, or by contacting the third party.

Locating Tracker Settings

Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses:

Consequences of denying the use of Trackers

Users are free to decide whether or not to allow the use of Trackers. However, please note that Trackers help this Application to provide a better experience and advanced functionalities to Users (in line with the purposes outlined in this document). Therefore, if the User chooses to block the use of Trackers, the Owner may be unable to provide related features.

Owner and Data Controller

Upgrade srl, via Roma 78, 23900, Lecco (LC)

CF e P.I.02513010138 REA Lecco Lecco  290653

Owner contact email: info@upgradesrl.com

Since the use of third-party Trackers through this Application cannot be fully controlled by the Owner, any specific references to third-party Trackers are to be considered indicative. In order to obtain complete information, Users are kindly requested to consult the privacy policies of the respective third-party services listed in this document.

Given the objective complexity surrounding tracking technologies, Users are encouraged to contact the Owner should they wish to receive any further information on the use of such technologies by this Application.

Definitions and legal references

Personal Data (or Data)

Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

Usage Data

Information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilised by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilised to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilised by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User’s IT environment.

User

The individual using this Application who, unless otherwise specified, coincides with the Data Subject.

Data Subject

The natural person to whom the Personal Data refers.

Data Processor (or Processor)

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

Data Controller (or Owner)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.

This Application

The means by which the Personal Data of the User is collected and processed.

Service

The service provided by this Application as described in the relative terms (if available) and on this site/application.

European Union (or EU)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

Cookie

Cookies are Trackers consisting of small sets of data stored in the User’s browser.

Tracker

Tracker indicates any technology – e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting – that enables the tracking of Users, for example by accessing or storing information on the User’s device.

Legal information

This privacy policy relates solely to this Application, if not stated otherwise within this document.

Latest update: 24 November 2023

iubendahosts this content and only collects the Personal Data strictly necessary for it to be provided.