Privacy Policy

1. Data Controller

The Data Controller of personal data is:

BLENDX S.R.L.
Registered office: Via della Balduina 96, 00136 Rome (RM), Italy
VAT / Tax code: 15299231009
REA: RM-1581087
Share capital: EUR 186,566.91 fully paid-in
Registered in the Rome Business Register under the special section for innovative startups.
PEC: [email protected]
Email: [email protected]

To exercise your rights or for any request regarding data processing, you can contact us at [email protected].

2. Types of data collected

Depending on the type of interaction with the website, app or service, we may collect the following categories of personal data:

2.1 Data provided voluntarily

Through contact forms, requests for information, sign-ups and — where the platform provides for them — the creation of a user account or the completion of a purchase, we collect:

• First and last name
• Email address
• Phone number (optional, except where required for contractual purposes)
• Company name and job role (for B2B requests)
• Postal address (where required for billing or shipping)
• Payment data (where the platform supports economic transactions; handled by PCI-DSS compliant providers)
• Access credentials (where a user account is provided)
• Content of the message or request
• Any further data the user chooses to share

2.2 Browsing data

The IT systems and software procedures used to operate our services acquire, during normal operation, certain data whose transmission is implicit in the use of Internet communication protocols (IP addresses, browser type, operating system, pages visited, date and time of access, referrer).

2.3 Cookies and tracking technologies

We use technical cookies and, subject to consent, any third-party cookies. Consent management is handled by Cookiebot. For web tracking we use Plausible Analytics, a privacy-friendly service that does not use cookies and does not collect personally identifiable information. You can change or withdraw your consent at any time via the cookie banner. For detailed information, see our Cookie Policy.

3. Purposes and legal bases of processing

Personal data is processed exclusively for the purposes listed below. Each purpose applies only to the projects that actually involve it.

• Response to contact and information requests — processing and responding to requests submitted via forms. Legal basis: performance of pre-contractual measures at the data subject’s request (art. 6.1.b GDPR).
• Service delivery and management of the contractual relationship — providing the requested services, managing user accounts where applicable, handling orders and payments. Legal basis: performance of the contract (art. 6.1.b GDPR).
• CRM management and commercial follow-up — recording and managing commercial relationships in the CRM system. Legal basis: legitimate interest of the Controller (art. 6.1.f GDPR).
• Direct marketing / Newsletter / Lead nurturing — sending informational and commercial communications, potentially profiled on consulted content, subject to explicit consent. Legal basis: consent (art. 6.1.a GDPR), revocable at any time.
• Statistical analysis and service improvement — aggregated and anonymized analysis of the use of our services. Legal basis: legitimate interest (art. 6.1.f GDPR).
• Legal, accounting and tax obligations — compliance with obligations under law, regulations, European legislation and orders of public authorities. Legal basis: legal obligation (art. 6.1.c GDPR).
• Protection of the Controller’s rights — establishment, exercise or defence of legal claims. Legal basis: legitimate interest (art. 6.1.f GDPR).

4. Methods of processing and retention

Data is processed using electronic tools and stored in a way that ensures security and confidentiality, through technical and organizational measures appropriate to the risk (encryption, access controls, backups).

The retention periods applied are as follows:

• Contact data and information requests: for the time needed to handle the request and up to 24 months from collection.
• Data relating to contractual relationships and user accounts: for the entire duration of the relationship and up to 10 years after its conclusion, for tax and accounting obligations under Italian law.
• Data collected for marketing purposes: until consent is withdrawn or the right to object is exercised.
• Browsing data: no longer than 13 months.

Once the periods above expire, data is deleted or irreversibly anonymized, unless a legal obligation to retain it applies.

5. Data Processors (Sub-Processors)

Personal data may be communicated, strictly to the extent necessary for the stated purposes, to the following data processors (the actual list of sub-processors used for a specific project is available upon request):

• CloudPepper — hosting provider for the Odoo ERP system used for CRM management and data collected through forms. European data centers.
• Plausible Analytics — privacy-friendly web analytics service, without cookies and without personally identifiable information.
• Cookiebot (Cybot A/S / Usercentrics) — cookie consent management platform.
• Mailgun (Sinch Email) — transactional and marketing email delivery service (where used).
• Payment providers (e.g. Stripe, PayPal) — management of economic transactions where the platform supports purchases, in a PCI-DSS compliant environment.
• Infrastructure hosting providers — IaaS/PaaS providers for the technical delivery of services.

The suppliers listed above act as Data Processors and are bound by contractual agreements compliant with the GDPR (art. 28). Data is not transferred to third parties for their own marketing purposes.

6. Transfer of data outside the EU

Where service providers may transfer data outside the EU (e.g. United States), such transfers take place in compliance with the safeguards set out in the GDPR (arts. 44-49), in particular through Standard Contractual Clauses approved by the European Commission or under adequacy decisions (e.g. EU-U.S. Data Privacy Framework).

7. Data subject rights

Under Articles 15-22 of the GDPR, you have the right to:

• Access (art. 15) — obtain confirmation of processing and a copy of your data
• Rectification (art. 16) — correct inaccurate or incomplete data
• Erasure (art. 17) — request erasure of your data ("right to be forgotten")
• Restriction (art. 18) — restrict processing in certain cases
• Portability (art. 20) — receive your data in a structured, machine-readable format
• Objection (art. 21) — object to processing based on legitimate interest
• Not be subject to automated decisions (art. 22) — including profiling, where applicable
• Withdrawal of consent — at any time, without affecting the lawfulness of processing based on consent before withdrawal

To exercise your rights, please contact us at [email protected].

You also have the right to lodge a complaint with the competent supervisory authority. In Italy: Italian Data Protection Authority (Garante), www.garanteprivacy.it.

8. Data security

We adopt technical and organizational measures appropriate to protect personal data from accidental loss, unauthorized access, disclosure, alteration or destruction. Such measures are periodically reviewed and updated in line with technological developments and emerging risks.

9. Processing of minors’ data

The services are not intended for minors under 14 years of age (art. 2-quinquies of Legislative Decree 196/2003 as amended by Legislative Decree 101/2018). We do not knowingly collect personal data from minors of that age. Should we become aware of such processing, we will proceed with immediate deletion.

10. Changes to this policy

BlendX S.r.l. reserves the right to change this policy at any time. Changes will be published on this page with an updated date at the top of the document. In case of substantial changes, we may notify you by email if you have an active relationship with us.

11. Contact

BLENDX S.R.L.
Via della Balduina 96, 00136 Rome (RM), Italy
PEC: [email protected]
Email: [email protected]