PRIVACY POLICY OF RIVELIO

Please read this Privacy Policy (hereinafter also referred to as the “Policy”) carefully to understand how Velion (hereinafter also referred to as “Rivelio” or “We”) collects and processes your personal data.
In this Policy, we explain:

 

  • Who Velion is;
  • How and why Velion collects your personal data;
  • How, for how long, and why Velion processes your data;
  • How Velion is committed to protecting your data.

INTRODUCTION

Below is a brief summary of the main sections of the Privacy Policy:

Velion’s Privacy Role:

  • Controller: Velion acts as the Data Controller of your personal data when it determines the purposes and means of processing, such as when you visit our website or when we directly provide the Rivelio Service without being instructed by a Partner or third parties.
  • Processor: Velion acts as the Data Processor of your personal data when it processes your data under the instructions and guidance of a Data Controller (a Partner, as defined below, or another third party) for specific tasks identified by the Controller. The relationship between the Controller and Processor is governed by a Data Processing Agreement (which serves as Velion’s appointment as the Data Processor) and attached to the contract between the parties.
  • This Privacy Policy applies only insofar as Velion acts as the Data Controller of your personal data while providing the Rivelio Service (as described in the Terms and Conditions).

Please therefore refer to the Partner’s Privacy Policy to understand how your data is processed by Velion as a Data Processor on behalf of the Partner (who acts as the Data Controller).

  • We process your personal data to provide our services and when you visit our website (www.rivelio.ai).
  • Under applicable data protection laws, such as Regulation (EU) 679/2016 (the “GDPR”) and Legislative Decree 196/2013 (as amended by Legislative Decree 101/2018 – the “Privacy Code”), collectively referred to as “Data Protection Laws,” we are authorized to process your personal data based on an appropriate legal basis. The legal basis for processing your personal data is explained further in this Privacy Policy.
  • We will process your personal data only in compliance with applicable laws.
  • We may share your personal data with third-party providers to ensure efficient and secure services. Unless otherwise specified in this Policy, we will not share your data with third parties without your consent unless required or permitted by law or authority.
  • We will retain your personal data only as long as necessary for its processing, in compliance with applicable regulations. The retention period depends on the purpose for which we use the data—whether to provide you with the Rivelio Service, pursue our legitimate interests (outlined below), or comply with the law.

We actively review the information in our possession, and when it is no longer necessary to retain it, we will securely delete it or, in some cases, anonymize it.

  • We will not transfer your personal data to a recipient located outside the European Economic Area.
  • You are entitled to important rights under the laws that protect your personal data. This Privacy Policy explains your rights and how you can exercise them. For further information, please refer to Section 11 on User Legal Rights.

It is also noted that you have the right to file a complaint with the Privacy Authority (Garante Privacy, Piazza Venezia 11, 00187, Rome, Italy – www.garanteprivacy.it) if you are dissatisfied with how we have processed your personal data.

TABLE OF CONTENTS

  1. About Velion
  2. Information About the Privacy Policy
  3. User Data Collected by Rivelio
  4. Methods of Collecting Personal Data
  5. How Collected Data is Used
  6. Communications
  7. Disclosure of User Data
  8. International Data Transfers
  9. Data Security
  10. Data Retention
  11. User Legal Rights
  12. Costs
  13. Additional Information We May Require
  14. Response Times

1. INFORMATION ABOUT VELION

1.1 Velion Srl is an Italian company, VAT number 01421440320, headquartered in Trieste (TS), at Salita alla Madonna di Gretta 9. The terms “you” and “your” refer to the User accessing or using the Rivelio Service.

1.2 Rivelio is a proprietary Web Cloud SaaS software developed by Velion Srl. Its primary purpose is to extract and manipulate data from paper or digital documents, making them available and usable for any downstream workflow (the “Rivelio Service”).

1.3 Partners may use and process this data to provide their own products and services or to fulfill your bilateral contractual relationship (“Partner Services”).

1.4 Rivelio facilitates the collection or receipt of your relevant personal data and shares it with the respective Partners through a secure connection, aiming to assist in concluding contracts of your interest with the Partner.

2. INFORMATION ABOUT THE PRIVACY POLICY

2.1 Respect for Privacy
Rivelio respects your privacy and is committed to protecting your personal data.
This document informs you about how we collect and manage your personal data when you visit our website (www.rivelio.ai), regardless of the device you use, or when you use the Rivelio Service. It also explains your privacy rights and how the law protects you.

2.2 Updates to the Policy
This Privacy Policy may be updated, and in the case of significant changes, you will be promptly informed. The updated version will be made available on our website.

2.3 Protection for Minors
Our website is not intended for children or individuals under the age of 18. We do not knowingly or voluntarily collect or process personal data related to minors.

2.4 Importance of Reviewing This Policy
It is important that you read and review this Privacy Policy, along with any other privacy notices we may provide on specific occasions that describe how we collect and process certain personal data. This will ensure you are fully aware of how and why we use your data.

2.5 Integration with Other Notices
This Privacy Policy supplements other notices, such as those provided by Partners, and is not intended to replace them.

2.6 Questions and Support
If you have any questions about this Privacy Policy or our privacy practices, or if you wish to exercise any of your rights as a data subject, including those provided under Articles 15-22 of the GDPR, please contact us for assistance at amministrazione@velion.it.

3. USER DATA COLLECTED BY RIVELIO

3.1 Definition of Personal Data
Personal data refers to any information related to an individual that allows them to be identified. This definition does not include data where the identity has been removed (anonymous data).

3.2 Categories of Personal Data We May Collect
We may collect, process, use, store, and transfer various types of personal data, including but not limited to:

  • Identity Data, such as name, surname, tax identification number, date of birth, and place of birth.
  • Contact Data, such as email address and phone number.
  • Employment and Compensation Data, such as employer information, employment status, salary, bonuses, benefits, and any deductions (including taxes and pension contributions), along with other details included in a payslip.
  • Technical Data, such as IP address, login data, browser type and version, time zone settings and location, browser plug-in types and versions, operating system and platform, and other technologies used on devices to access our website.
  • Usage Data, such as information about how you use our website and services.
  • Marketing and Communication Data, such as user preferences for receiving marketing communications from us and communication preferences.

3.3 Aggregated Data
We also collect, process, use, and share aggregated data, such as statistical or demographic data, for various purposes.
Aggregated data may be derived from your personal data but is not considered personal data under the law as it does not directly or indirectly reveal your identity. For example, we may aggregate usage data to calculate the percentage of users accessing a specific website feature or a Rivelio Service function. However, if we combine or link aggregated data with your personal data so you can be identified directly or indirectly, we treat the combined data as personal data and use it in accordance with this Privacy Policy.

3.4 Special Categories of Personal Data
As a Data Controller, we do not collect any “special categories of personal data” about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, health information, and genetic and biometric data.
Additionally, we do not collect or process information about criminal convictions and offenses.

3.5 Legal or Contractual Requirements for Data Collection
If it is necessary to collect personal data to comply with the law or based on the terms of a contract with you or a Partner, and you fail to provide the requested data, we may be unable to provide the Rivelio Services. This could hinder the execution of the contract between you and the Partner.

4. METHODS OF COLLECTING PERSONAL DATA

4.1 We use various methods to collect data from and about you, including:

a) Direct Interactions:
We collect personal data directly from you when you:

  • Are referred to use the Rivelio Service by your selected Partner or when you use the Rivelio Service.
  • Subscribe to our newsletter or request marketing communications from us.
  • Provide feedback or participate in a survey.
  • Fill out forms or complete documents on our website.
  • Contact us directly with inquiries or interact with us (e.g., via email or phone). In such cases, we may keep a record of the correspondence.

b) Automated Technologies or Interactions:
We automatically collect the following information:

  • Details about your use of our website (including, but not limited to, traffic data) and the resources you access in the Rivelio Service.
  • Technical information, such as the Internet Protocol (IP) address used to connect your device to the internet, plug-in types and versions, operating system, platform, browser type and version, and time zone settings.
  • Information about your website visit, including full Uniform Resource Locators (URLs), clickstream data to, through, and from our website (including date and time), page load times, errors, page visit duration, page interaction information (such as scrolling, clicks, and mouseovers).

When we collect information through the above methods, we do so based on our legitimate interest in gathering and processing this data to ensure our website operates effectively and to enhance user experience. In most cases, this data is anonymized. However, we process it to maintain website functionality and meet both customer and business expectations.

Your personal data will not be subject to automated decision-making or profiling.

c) Cookies:
You can configure your browser to reject all or some browser cookies or alert you when websites set or access cookies. If you disable or reject cookies, please note that some parts of our website may become inaccessible or not function properly. For more information about the cookies we use, please refer to our cookie policy available on our website.

d) Information Received from Other Sources:
We also work closely with third parties, including business partners, advertising networks, analytics providers, information search providers, and credit reference agencies. We may receive information about you from these sources, especially if you were referred to our services through such third parties.

When we receive information from other sources, we rely on these third parties to have adopted appropriate measures to explain how they collect data and with whom they share it. We carefully review our sources to ensure we receive your data only when it is lawful to do so.

5. HOW COLLECTED PERSONAL DATA IS USED

5.1 Legal Basis for Using Your Data
We use your personal data only when the law permits us to do so. Specifically, we use your personal data in the following circumstances:

  • When you have given us your consent for the specific purposes we have indicated.
  • When it is necessary to provide the Rivelio Service.
  • When it is necessary to fulfill a contract entered into with you or with the Partner.
  • When required to comply with a legal obligation or a mandate from an Authority.

5.2 Processing as a Data Processor on Behalf of Partners
When acting as a Data Processor for Partners, we process your personal data on behalf of your selected Partner to provide the Rivelio Service. This means we may process the following types of data (by way of example and not limitation) from your payslip (and any other information contained in your payslip) and share it with the Partner to deliver the Rivelio Service:

  • Identity Data, including name, surname, date of birth, tax identification number, and place of birth.
  • Contact Data, including email addresses and phone numbers.
  • Employment and Compensation Data, including employer details, employment status, salary, bonuses, benefits, and any deductions (such as taxes and pension contributions), along with other details included in the payslip.

5.3 Data Retention Period for Processing on Behalf of Partners
Rivelio processes this personal data for the period specified by the Partner, who acts as the Data Controller.

5.4 Additional Information on Processing for Partners
For further details regarding the types of data processed by Rivelio as a Data Processor, as well as the methods and purposes of processing, please refer to the Privacy Policy of the selected Partner.

6. COMMUNICATIONS

6.1 Marketing Communications:
We will use your personal data to send you marketing messages only if you have given specific consent for this purpose.
We aim to ensure that you are fully informed and aware of the best services we can offer. If you consent to receive additional communications from us via email, we will process your personal data in accordance with this Privacy Policy.

If you have consented to receive marketing communications from us but later change your mind, you can modify your preferences or unsubscribe at any time by sending an email to amministrazione@velion.it. If you choose not to receive these communications, we will not be able to keep you informed about new services that may interest you.
For sending and managing our marketing communications, we may use the services of third-party partners.

6.2 Service Communications:
We may send you service-related communications, such as updates about our services. We believe we are entitled to send you these communications based on our legitimate interest in providing you with the best possible service under the contractual agreements in place and in supporting the growth of our business.

7. DISCLOSURE OF USER PERSONAL DATA

7.1 Sharing Personal Data
We may share your personal data with the parties listed below for the purposes outlined in this Privacy Policy.

7.2 External Third Parties:

  • Service Providers: Acting as Data Processors or Data Controllers, these entities provide IT and system administration services as well as application or infrastructure services, such as cloud services.
  • Professional Advisors: Acting as Data Processors or Joint Data Controllers, these include lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
  • Authorities and Regulatory Bodies: This includes entities such as HM Revenue & Customs, regulatory authorities, and other competent bodies based in Italy that may require reporting of processing activities in specific circumstances.
  • Other Competent Authorities: As necessary to comply with applicable laws, government requests, legal proceedings, court orders, or legal processes.

We may also share your personal data with third parties in cases of business restructuring:

  • Potential Business Transactions: Third parties to whom we may decide to sell, transfer, or merge parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. In the event of such changes, new owners may use your personal data in the same manner as described in this Privacy Policy.

We do not allow third-party service providers to use your personal data for their own purposes. They are authorized to process your personal data only for specific purposes and in accordance with our instructions.

8. INTERNATIONAL DATA TRANSFERS

8.1 External Third Parties Outside Italy
Some of our external third parties are located outside Italy. Consequently, their processing of your personal data may involve transferring data outside the European Economic Area (EEA).

8.2 Ensuring Adequate Protection
Whenever we transfer your personal data outside the EEA, we ensure a similar level of protection by implementing at least one of the following safeguards:

  • We will transfer your personal data only to countries deemed to provide an adequate level of data protection.
  • In cases where we use certain service providers, we may rely on specific contracts approved for use in Europe, ensuring the same level of data protection as within the EEA.

If you would like more information about the specific mechanisms we use when transferring your personal data outside the EEA, please feel free to contact us.

9. DATA SECURITY

9.1 Security Measures
We implement appropriate security measures to prevent your personal data from being accidentally lost, accessed, used, altered, or disclosed without authorization.

9.2 Encryption and Access Control
We use the widely recognized Secure Socket Layer (SSL) method along with the highest level of encryption supported by your browser. Additionally, we restrict access to your personal data to employees, agents, contractors, and other third parties who have a legitimate need to know in order to fulfill our obligations. These individuals or entities will process your personal data only according to our instructions and are bound by confidentiality obligations.

9.3 Handling Data Breaches
We have established procedures to address any suspected personal data breaches. If a breach occurs, we will notify you and any applicable regulatory authorities as required by law.

10. DATA RETENTION

10.1 Retention Period
We will retain your personal data only for as long as reasonably necessary to fulfill the purposes for which it was collected, including compliance with legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period if a claim is made or if we reasonably believe there is a prospect of litigation related to our relationship with you.

10.2 Factors Determining Retention Period
To determine the appropriate retention period for personal data, we consider:

  • The amount, nature, and sensitivity of the personal data.
  • The potential risk of harm from unauthorized use or disclosure of your personal data.
  • The purposes for which we process your personal data and whether these purposes can be achieved through other means.
  • Applicable legal, regulatory, tax, accounting, or other requirements.

10.3 End of Retention
When we no longer have a legitimate purpose for processing your personal data, we will delete or anonymize it. If deletion is not possible (for example, because your data is stored in backup archives), we will securely store your personal data and isolate it from further processing until deletion becomes possible.

10.4 Data Retention as a Processor
When acting as a Data Processor to provide the Rivelio Service, we will retain your personal data for the period specified by the Partner, who acts as the Data Controller. At the end of that period, we will securely delete or return the personal data to the Partner unless we are required to retain a copy to comply with legal, regulatory, tax, accounting, or reporting obligations.

11. USER LEGAL RIGHTS

11.1 Your Rights Under Data Protection Laws
Under certain circumstances, you have the rights provided by data protection laws concerning your personal data. These include the right to:

  • Request Access to Your Personal Data: This is commonly known as a “data subject access request” and allows you to receive a copy of the personal data we hold about you and verify that we are processing it lawfully.
  • Request Correction of Your Personal Data: You have the right to request that incomplete or inaccurate data we hold about you be corrected. However, we may need to verify the accuracy of the new data you provide.
  • Request Erasure of Your Personal Data: You have the right to request the deletion or removal of your personal data if there is no valid reason for us to continue processing it. You may also request this if you have successfully exercised your right to object to processing (see below), if we have processed your data unlawfully, or if we are required to erase your personal data to comply with legal obligations. Please note, however, that we may not always be able to comply with your request for specific legal reasons, which will be communicated to you, if applicable, at the time of your request.
  • Object to Processing of Your Personal Data: You may object to the processing of your personal data when we rely on a legitimate interest (or those of a third party) if there is something specific about your situation that makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data that override your rights and freedoms.
  • Request Restriction of Processing of Your Personal Data: This allows you to request the suspension of the processing of your personal data in the following scenarios:
    a) If you want us to establish the data’s accuracy.
    b) Where our use of the data is unlawful but you do not want us to erase it.
    c) Where you need us to hold the data even if we no longer require it, as you need it to establish, exercise, or defend legal claims.
    d) If you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the Transfer of Your Personal Data: You have the right to request the transfer of your personal data to you or a third party. We will provide your data in a structured, commonly used, machine-readable format. This right applies only to automated information that you initially provided consent for us to use or where the data was used to perform a contract with you.
  • Withdraw Consent: Where we rely on your consent to process your personal data, you can withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent. However, if you withdraw your consent, we may not be able to provide certain products or services to you. We will inform you if this is the case at the time you withdraw your consent.

11.2 Exercising Your Rights as a Data Controller
If you wish to exercise any of the above rights when we act as the Data Controller for your personal data, please contact us using the details provided above.

11.3 Exercising Your Rights as a Data Processor
If you wish to exercise any of the above rights when we act as the Data Processor for the Rivelio Service, we kindly ask you to contact the selected Partner directly.

12. COSTS

12.1 Accessing your personal data (or exercising any of your other rights) is generally free of charge. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

13. ADDITIONAL INFORMATION REQUIRED BY RIVELIO

13.1 Identity Verification
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone who does not have the right to receive it.

13.2 Additional Clarification
We may also contact you to request further information regarding your request to expedite our response.

14. RESPONSE TIME

14.1 We aim to respond to all legitimate requests within one month. However, in certain cases, it may take longer than one month if the request is particularly complex or if multiple requests have been made. In such instances, we will inform you of the delay and keep you updated on the progress.

Last Updated: November 6, 2024