Privacy Policy

Privacy Notice Pursuant to Article 13 of eu regulation 2016/679 (“regulation”) and applicable national law

Vivian S.r.l., with its registered office at Viale Abruzzi 66, Milan, Tax Code and VAT No. 09232590969 (“Vivian” or the “Controller”), is a company engaged in the development, production and marketing of innovative products and services in the field of technology and software aimed at enhancing e-commerce site performance and software for preparing websites for the Search Generative Experience (SGE) and search engines powered by conversational AI models such as Google AI Overviews, Bing Copilot and Perplexity.

Vivian regards the protection and safeguarding of personal data encountered during the course of its business as a top priority, and handles such data in full compliance with applicable legislation (including, by way of example and without limitation, EU Regulation 2016/679 and Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018, and measures issued by the Data Protection Authority—collectively “Privacy Law”).

This notice, provided pursuant to Article 13 of EU Regulation 2016/679 (the “Regulation” or “GDPR”) and Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018 (the “Privacy Code”), is addressed to any user, whether a client or not (hereinafter, the “Data Subjects” or individually the “Data Subject”), registering on Vivian’s platform [insert website address] (the “Platform”) in order to use the functionalities of the software made available by the Controller.

1. Data Controller

The Data Controller is Vivian S.r.l., registered office at Viale Abruzzi 66, Milan, Tax Code and VAT No. 09232590969.

Contact details of the Controller:

Certified Email (PEC): [email protected]

2. Categories of Personal Data Processed

The personal data processed are those provided by the Data Subject at the time of establishing the contractual relationship and during its course, and collected directly from the Data Subject, who communicates such data in the registration phase on the Platform.

By way of example and without limitation, the processing by the Controller may concern so-called identification data (such as: name, surname, date and place of birth, gender, native language), contact data (such as: residence/domicile address, telephone number, email address), bank data (IBAN and banking institution), tax data (tax code), username, password and IP address of residence.

3. Third Party Personal data Communicated by Data Dubjects

The Controller specifies that the personal data processed may also, based on information communicated by the Data Subject, concern legal representatives, proxies, employees, collaborators and other personnel of the Data Subject (if the Data Subject is a company).

Where the Data Subject communicates personal data relating to third parties, they are responsible for having provided the necessary information to such third parties and for obtaining any required consents. In the case of data relating to minors, the Data Subject is also responsible for possessing the necessary legal authority to provide the data, indemnifying Vivian from any liability and obligations towards such individuals.

4. Purposes and Legal Bases of Processing

Personal data provided by the Data Subject shall be processed for the following purposes:

a) Management of the contractual relationship for use of the Platform and for providing administrative, accounting and treasury services
By way of example and without limitation:

Management of the contractual relationship;
Administrative activities;
Payment monitoring;
Fulfilment of tax and accounting obligations, including issuance of accounting and tax documents;
Management of payments and receipts;
Organisation, administrative management and control.

The legal bases for processing the Data Subject’s personal data are (i) Article 6(1)(b) of the Regulation, since processing is necessary for the performance of a contract to which the Data Subject is party or for pre-contractual measures at their request, and (ii) Article 6(1)(c) of the Regulation, as processing is necessary for compliance with a legal obligation to which the Controller is subject.

Mandatory or optional nature of data provision:
The provision of personal data is optional. However, failure to provide personal data will render it impossible to establish any contractual relationship, to properly carry out pre-contractual and contractual obligations, or, where a contractual relationship has already been established, to fulfil obligations and commitments arising from that contract.

b) Protection of the rights of Data Subjects and the Controller and exercise of the Controller’s right of defence, both in pre-litigation and litigation
The legal basis for processing personal data is Article 6(1)(f) of the Regulation, as processing is necessary for the pursuit of the Controller’s or third parties’ legitimate interests in defence and exercise of rights.

c) Sending commercial and promotional communications regarding the sale of other or new services offered by the Controller
By way of example and without limitation:

Sending newsletters or commercial and promotional communications for the Controller’s services;
Sending commercial communications concerning service renewals;
Sending communications regarding the Controller’s activities.

Subscription to our newsletter involves a so-called double opt-in procedure: following registration, you will receive an email requesting confirmation. Only upon confirmation will the subscription be valid, preventing others from subscribing using your email address. During newsletter subscription, the user’s IP address is saved along with the date and time of registration. This is to prevent misuse of our services or the email address of the interested party. You may unsubscribe from the newsletter at any time; likewise, you may revoke consent to the storage of your personal data and to the sending of the newsletter at any time. Each newsletter contains a link to exercise this right. The legal basis for processing data following newsletter subscription is the user’s consent (Article 6(1)(a) GDPR).

Mandatory or optional nature of data provision:
Provision of personal data is required only where processing is imposed by a legal obligation. Nonetheless, provision of personal data by the Data Subject is necessary; lack of such provision will make it impossible to establish any contractual relationship, to properly carry out pre-contractual and contractual obligations, or, where a contractual relationship has already been established, to fulfil obligations and commitments arising from such contract.

5. Retention Period for Personal Data

The personal data of the Data Subject will be retained only for the period strictly necessary to achieve the purposes for which they are collected. In particular, the Controller will keep strictly necessary personal data for the entire duration of the relationship with the Data Subject and for the period following termination until all legal obligations are discharged (including, by way of example, the statutory requirement to retain invoices and accounting/fiscal documentation for at least 10 years), taking care to adopt appropriate security measures for data protection and retention. At the end of this period, personal data will be permanently deleted.

6. Data recipients and location of processing

Personal data may be shared with those defined by the Regulation as “Recipients”, duly appointed by the Controller as Data Processors or Authorised Persons, based on the specific processing activities entrusted. Specifically:

Internal staff of the Controller, duly appointed as persons responsible for personal data processing, or collaborators and/or consultants of the Controller, appointed as Data Processors and bound to confidentiality or subject to an adequate legal duty of confidentiality;
Individual or associated consultants and professionals (accountants, statutory auditors, lawyers);
Companies, consultants or professionals possibly engaged for installation, maintenance, updating and general management of hardware and software used by the Controller or required for provision of its products and/or services, including appointment as system administrators. In this regard, Data Subjects’ personal data will be accessible to system administrators solely for security control purposes;
Suppliers and third parties as required by contractual obligations;
Agencies or public bodies relevant for the management of collaborative relationships, such as the Revenue Agency;
Companies, consultants or professionals assisting the Controller in fulfilling specific legal obligations (for example, labour consultants, lawyers, accountants);
Insurance companies for the provision of insurance services, supplementary funds, banks or credit institutions, and, following inspections or audits, all regulatory bodies responsible for verifying compliance with statutory obligations;
Supervisory bodies, insurance companies for insurance services, banks or credit institutions, and, following inspections or audits, all regulatory authorities responsible for verifying and ensuring compliance with statutory obligations;
Third-party companies with which Vivian has contractual relationships.

Personal data is processed within Italy or in countries that are part of the European Economic Area.

7. Methods of Processing

Data Subjects’ personal data may be processed both on paper and electronically using suitable measures to ensure their security and confidentiality, with access permitted only to authorised individuals who have been previously appointed as Data Processors or Authorised Persons, assisting the Controller in operating its business activities (e.g. employees, external consultants, collaborators or partners needing to know such data).

Although data may be disclosed to external processors identified above, it will not be sold to third parties.

8. Data Subjects’ Rights and How to Exercise them

Privacy Law grants each Data Subject the following rights:

the right to access their personal data in accordance with Article 15 of the Regulation;
the right to obtain rectification or completion of personal data in accordance with Article 16 of the Regulation;
the right to the erasure of personal data in accordance with Article 17 of the Regulation (unless processing is necessary for a. exercising the right to freedom of expression and information; b. compliance with a legal obligation under European Union or Italian law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; c. reasons of public interest in public health; d. archiving in the public interest, scientific or historical research or statistical purposes under Article 89(1) of the Regulation, if erasure would render impossible or seriously impair achievement of the objectives of such processing; e. the establishment, exercise or defence of legal claims by Vivian);
the right to restriction of processing of personal data, within the limits of Article 18 of the Regulation;
the right to data portability, meaning the right to receive personal data provided to the Controller in a structured, commonly used and machine-readable format and to transmit such data to another controller as provided for in Article 20 of the Regulation;
the right to object at any time, within the limits of Article 21 of the Regulation, on grounds relating to their particular situation, to processing of personal data concerning them;
the right to withdraw any consent given at any time, without prejudice to the lawfulness of processing carried out based on consent prior to withdrawal, pursuant to Article 7 of the Regulation.

Each Data Subject may exercise their rights at any time by sending:

a registered letter with return receipt to the Controller’s registered office at Viale Abruzzi 66, Milan;
or
a certified email (PEC) to: [email protected]

In any case, the Data Subject always has the right to lodge a complaint with the Data Protection Authority, pursuant to Article 77 of the Regulation, or to refer to the ordinary judicial authorities, should they consider that processing of their personal data is contrary to applicable law.