iGenius S.r.l. and iGenius Inc. (hereinafter referred to as the “Companies” or “Joint Controllers”) take privacy and personal data protection extremely seriously. This document has therefore been produced to provide you with information on the methods used to process your personal data, which are collected when browsing on our website (https://crystal.ai/it/ - hereinafter referred to as the “Website”), using services reserved for registered users, communicating with our operators or using our live chat system (hereinafter jointly referred to as “Crystal Services”).
For instance, we may collect information about you when:
- You request information about our services using the contact form;
- You browse our website or use services reserved for registered users;
- You communicate with us using the live chat.
In particular, we need to process the data which you provide when registering or requesting a service. With your consent, we can also use other information which you freely provide when registering or related to the methods you use to communicate with us (hereinafter jointly referred to as “Data”).
This Privacy Notice (along with our General Terms and Conditions applicable to related services, our Notice on Cookies and other notices which may be provided regarding individual services) sets out the basis on which your Data will be processed.
- Which personal Data will we use?
- Browsing data
It is possible to access the website without being asked to provide any personal Data. However, during their normal operations, the IT systems used to manage the website acquire some personal Data which are automatically sent as part of the internet communication protocols used. This information is not collected with a view to associating it with specific individuals but, due to its nature, processing and associations could allow those browsing the website to be identified.
This category includes, for instance, IP addresses of the computers connecting to the website, the URL of the resources requested and the time of the request.
These Data are used anonymously for statistical purposes related to the use of the website and to check it is operating correctly, and they are deleted immediately after they are processed. This information will not be used for Data processing to directly identify individuals.
- Data collected when using Crystal Services
When you use Crystal Services, we will process the Data needed to guarantee your full enjoyment of these services, including, for example, log in data, pages visited, your requests, your communications and other additional information which you may freely provide. This information will only be used to enable you to enjoy the Crystal Services which you request, unless you give specific consent to this information being processed for other purposes.
- For what purposes will we use your Data and on the basis of which legal requirements?
We will use your Data, occasionally with the use of electronic systems:
- To allow you to use Crystal Services. Your Data will be used to provide you with the services requested and, more generally, to comply with all related contractual and administrative obligations.
- To meet legal obligations or comply with any orders from legal authorities.
Providing your Data is optional, but refusal to do so, in part or in full, may prevent us from correctly meeting your specific requests.
With your consent, we can also use your Data for the following purposes:
- Sending you newsletters, information about products and services provided by the Companies (also about products or services different from those which you purchased), offers and promotions, and for carrying out market research. For example, we may send you emails or instant messages (e.g. text messages), or an operator may contact you by phone.
- Studying your preferences and the methods you use to communicate with us. In particular, in order to gain a better understanding of your tastes and interests in our products and services, we may examine, occasionally using automated systems, the information provided when you register on the Website, your use of Crystal Services, and your interest in communications and newsletters which we send you. In any case, these profiling activities are not capable of producing legal effects in your regard or of having significant effects on you as an individual.
The provision of Crystal Services and/or the handling of information which you request will not in any way be affected by whether you give consent as set out at points c) and d) above in this Section 2.
In the light of the above, the so-called “lawful bases of processing”, as per Regulation EU No. 679/2016 (General Data Protection Regulation or “GDPR”), are specifically:
(i) For the purpose as per Point 2.a) above, the lawful basis is answering your requests, also for contractual or pre-contractual purposes (Article 6.1.b of the GDPR);
(ii) For the purpose as per Point 2.b) above, the lawful basis is compliance with legal obligations (Article 6.1.c of the GDPR);
(iii) For the purposes as per Points 2.c) and 2.d) above, the lawful basis is your freely given, specific, informed and unambiguous consent (Article 6.1.a of the GDPR).
- How long will we keep your Data for?
Your Data will only be processed for the period of time strictly necessary to fulfil the purposes for which they were collected, with regard to the regulations in force.
In any case, for the purposes of marketing and/or profiling (as per points c) and d) of Section 2 above), Data regarding the details of your purchases will not be processed for a period exceeding 12 months. In the same way, the information regarding your communications with us will not be retained for a period exceeding 12 months.
- Who will we share your Data with?
Your Data may be shared, also for administrative purposes, with subsidiary, parent and partner companies of the Joint Controllers and, for purposes of delivering the Crystal Services requested, with service providers involved in activities carried out by the Joint Controllers (e.g. IT services). These parties will occupy the role of Data Processors (e.g.: Mailchimp for email marketing).
- How will the transfer of your Data to countries outside the EU be regulated?
iGenius Inc. is a company governed by US law.
As a result, your Data may be transferred outside the territory of the European Union, in particular to the USA, or to other countries where the level of data protection may be less stringent than that ensured by European regulations.
In any event, such transfers shall take place in compliance with appropriate guarantees for the protection of your Data and, in particular, the standard contractual clauses approved by the EU Commission in Decision No. 2010/87/EC (also for Data transferred to iGenius Inc.).
Specifically, the transfer of Data to providers based in the USA (such as Mailchimp) will therefore take place in compliance with the EU Commission Implementing Decision of 12 July 2016 (see Privacy Shield or subsequent amendments).
- Which rights can you exercise?
You have the right to request access to your Data, to correct or delete your Data, to restrict the processing of your Data and to object to their use by us, as well as the right to request your Data to be sent to you.
Rights of the Data Subject:
Right to access
The data subject has the right to obtain confirmation from the data controller as to whether his/her personal Data is being processed and, if so, to obtain access to the personal Data and the following information:
- the purposes of the processing;
- the categories of personal Data in question;
- the recipients or categories of recipients with which the personal Data have been or will be shared, especially if they are recipients in third countries or international organizations and, if so, the appropriate guarantees in place;
- where possible, the planned period of retention of the personal Data or, if not possible, the criteria used to determine this period;
- the right of the data subject to request the data controller to correct or delete his/her personal data, restrict the processing of his/her personal data or to object to it being processed;
- the right to file a complaint with a supervisory authority;
- if the Data were not collected from the data subject, all information available on their source;
Right of correction
The data subject has the right to demand the correction of inaccurate personal data about him/her from the data controller without any unjustified delay.
Right to deletion
The data subject has the right to demand the deletion of his/her personal data without any unjustified delay and the data controller must delete the personal data without any unjustified delay, if any of the following situations apply:
- the personal data are no longer necessary with regard to the purposes for which they were collected or otherwise processed;
- the data subject withdraws his/her consent on which the data processing is based and there is no other legal basis for it;
- the data subject objects to the data processing, and there is no legitimate prevailing reason to continue the processing;
- the personal data have been illegitimately processed;
- the personal data must be deleted in order to comply with a legal obligation set out by the law of the European Union or the law of a Member State to which the data controller is subject;
Rights to restrict processing
The data subject has the right to request the data controller to restrict the data processing in any of the following cases:
- the data subject challenges the accuracy of the personal data, for the time period necessary for the data controller to check the accuracy of the personal data in question;
- the processing is illegitimate and the data subject objects to the deletion of the personal data and instead requests for their use to be restricted;
- although the data controller no longer needs them for the purposes of processing, the personal data are necessary for the data subject to establish, exercise or defend a right in court;
- the data subject objects to the data processing, for the time period necessary to check whether the data controller has any legitimate reasons to continue the processing which prevail over those of the data subject.
Right to object
The data subject has the right to object to the processing of his/her personal data at any time based on the legitimate interests of the data controller, including profiling. The data subject also has the right to object to the processing of his/her personal data carried out for direct marketing purposes, including profiling when it is connected to direct marketing.
Right to data portability
The data subject has the right to receive his/her personal data in a structured, commonly used and machine-readable format from the data controller and has the right to send this data to another data controller without hindrance from the data controller to which the data have been provided if:
- the processing is based on consent or a contract; and
- the processing is carried out using automated methods.
By exercising his/her rights to the portability of data, the data subject has the right to request the direct transmission of personal data from one data controller to another, if technically feasible.
- How can you modify your preferences or withdraw your consent?
You can check, modify or withdraw your consent with regard to the purposes set out in letters (c) and (d) at Section 2 above at any time.
You just need to modify the settings in your reserved area or contact the Companies.
- How can you contact the Joint Controllers in order to exercise your rights?
You can exercise your rights by writing to the Joint Controllers, iGenius S.r.l. and iGenius Inc. using the details below:
Via Manin, 3
Operational headquarters: Via Principe Amedeo, 5 – 20121 Milan
Certified email: firstname.lastname@example.org
75 E Santa Clara St
San Jose, CA 95113
Certified email: email@example.com
iGenius S.r.l. also occupies the role of representative in the European Union appointed by iGenius Inc. in accordance with Article 27 of Regulation (EU) 2016/679.
- How can you contact the competent supervisory authority to make a complaint?
Any complaints can be filed with the Italian Data Protection Authority (Autorità Garante per la Protezione dei Dati Personali) which can be contacted using the details below or with your competent supervisory authority:
Garante per la Protezione dei Dati Personali
Piazza Venezia, 11
Fax: (+39) 06.69677.3785
Tel: (+39) 06.696771
Certified email: firstname.lastname@example.org
- Changes to this privacy notice
This privacy notice may be amended or updated, in full or in part, which may be as a result of changes to the applicable law. We will keep you informed of any substantial changes which affect how your Data are processed.
In any case, we invite you to periodically consult the updated privacy notice published on the Website.