PRIVACY POLICY – WEBSITE DATA

Updated in accordance with EU Regulation 2016/679
(European Regulation on the protection of personal data)

1) Introduction
IDROCORP sas di IDH srl takes the user’s privacy seriously and is committed to respecting it. This privacy policy (“Privacy Policy”) describes the personal data processing activities carried out by IDROCORP sas di IDH srl through the website www.idorgrow.com and the related commitments undertaken by the Company. IDROCORP sas di IDH srl may process the user’s personal data when the user visits the Site and uses the services and features available on the Site. In the sections of the Site where the user’s personal data are collected, a specific notice pursuant to Articles 13/15 of EU Regulation 2016/679 is normally published. Where required by EU Regulation 2016/679, the user’s consent will be requested before proceeding with the processing of their personal data. If the user provides personal data relating to third parties, the user must ensure that the disclosure of such data to Idrogrow and the subsequent processing for the purposes specified in the applicable privacy notice comply with EU Regulation 2016/679 and applicable law.

2) Identifying details of the Data Controller, Processor and Privacy Officer IDROCORP sas di IDH srl, Via Lombardia, 23, 41012 Carpi (MO)
3) Types of data processed
Visiting and browsing the Site generally do not entail the collection and processing of the user’s personal data, except for browsing data and cookies as specified below. In addition to so-called “browsing data” (see below), personal data voluntarily provided by the user when interacting with the Site’s features or requesting to use the services offered on the Site may be processed. In compliance with the Privacy Code, Idrogrow may also collect the user’s personal data from third parties in the course of its business activities.

4) Cookies and browsing data
The Site uses “cookies”. By using the Site, the user consents to the use of cookies in accordance with this Privacy Policy. Cookies are small files stored on the user’s computer hard drive. There are two macro-categories of cookies: technical cookies and profiling cookies. Technical cookies are necessary for the proper functioning of a website and to enable user navigation; without them, the user may not be able to view pages correctly or use certain services. Profiling cookies are used to create user profiles in order to send advertising messages in line with the preferences expressed by the user while browsing. Cookies can also be classified as:
_ “session” cookies, which are deleted immediately when the browser is closed; _ “persistent” cookies, which remain in the browser for a certain period of time. They are used, for example, to recognize the device connecting to a site, facilitating authentication operations for the user;
_ “first-party” cookies, generated and managed directly by the operator of the website the user is browsing; _ “third-party” cookies, generated and managed by parties other than the operator of the website the user is browsing.
5) Cookies used on the Site
The Site uses the following types of cookies:
1) first-party cookies, session and persistent, necessary to allow navigation on the Site, for internal security purposes and system administration;
2) third-party cookies, session and persistent, necessary to allow the user to use multimedia elements on the Site, such as images and videos;
3) third-party cookies, persistent, used by the Site to send statistical information to the Google Analytics system, through which Idrogrow S.r.l. can perform statistical analyses of access/visits to the Site. The cookies used pursue exclusively statistical purposes and collect information in aggregated form. Through a pair of cookies, one persistent and one session (expiring when the browser is closed), Google Analytics also stores a log of the start time of the visit to the Site and the exit time. You can prevent Google from detecting cookie data and the subsequent processing of such data by downloading and installing the browser plug-in from the following address: http://tools.google.com/dlpage/gaoptout?hl=it

4) third-party cookies, persistent, used by the Site to include on its pages the buttons of certain social networks (Facebook, Twitter and Google+). By selecting one of these buttons, the user can publish the contents of the Site page they are visiting on their personal page of the relevant social network.
Below is a detailed list of the cookies present on the Site:
Cookie name: _utma
Purpose: Number of visits
First or Third party: Third party
Web reference: www.google.it

Cookie name: _utmb
Purpose: Website access timestamp
First or Third party: Third party
Web reference: www.google.it

Cookie name: _utmc
Purpose: Website exit timestamp
First or Third party: Third party
Web reference: www.google.it

Cookie name: _utmz
Purpose: Visitor source
First or Third party: Third party
Web reference: www.google.it

Cookie name: _utmz
Purpose: Anonymous statistics
First or Third party: Third party
Web reference: www.google.it

Cookie name: _PHPSESSION
Purpose: Browsing session
First or Third party: First party
Web reference: www.idrogrow.com

The Site may contain links to other sites (so-called third-party sites). Idrogrow does not access or control cookies, web beacons and other user-tracking technologies that may be used by third-party sites to which the user may access from the Site; Idrogrow does not control the contents and materials published by or obtained through third-party sites, nor their methods of processing the user’s personal data, and expressly disclaims any related liability for such circumstances. The user is required to check the privacy policy of the third-party sites accessed through the Site and to inform themselves about the applicable conditions for the processing of their personal data. This Privacy Policy applies only to the Site as defined above.

6) How to disable cookies in browsers
It is possible to disable cookies on websites by downloading specific software such as Ghostery (https://www.ghostery.com) for the browser in use and disabling the use of individual cookies. Alternatively, it is possible to activate “private browsing” mode: this is a feature that allows browsing without leaving traces of browsing data in the browser.
Alternatively, it is possible to disable/delete cookies by accessing the browser configuration panel.

7) Retention of personal data
Personal data are stored and processed through IT systems owned by IDROCORP sas di IDH srl and managed by IDROCORP sas di IDH srl or by third-party technical service providers; for further details please refer to the section “Scope of communication and access to data” below. Data are processed exclusively by specifically authorized personnel, including personnel assigned to carry out extraordinary maintenance operations.

8) Purposes and methods of data processing
Idrogrow S.r.l. may process the user’s common and sensitive personal data for the following purposes: users’ use of services and features available on the Site, management of requests and reports from users, sending newsletters, management of applications received through the Site, etc. Furthermore, with the additional and specific optional consent of the user, IDROCORP sas di IDH srl may process personal data for marketing purposes, i.e. to send the user promotional material and/or commercial communications related to the Company’s services, to the contact details provided, either through traditional contact methods and/or means (such as postal mail, calls with an operator, etc.) or automated means (such as internet communications, fax, e-mail, SMS, applications for mobile devices such as smartphones and tablets – so-called APPS –, social network accounts – e.g. via Facebook or Twitter –, calls with an automatic operator, etc.). Personal data are processed both in paper and electronic form and entered into the company information system in full compliance with EU Regulation 2016/679, including security and confidentiality aspects, and inspired by the principles of fairness and lawfulness of processing. In accordance with EU Regulation 2016/679, the data are safeguarded and stored for 5 years.

9) Security and quality of personal data
IDROCORP sas di IDH srl is committed to protecting the security of the user’s personal data and complies with the security provisions set out by applicable law in order to prevent data loss, unlawful or improper use of data, and unauthorized access, with particular reference to the Technical Regulation on minimum security measures. Moreover, the information systems and software used by IDROCORP sas di IDH srl are configured to minimize the use of personal and identifying data; such data are processed only to achieve the specific purposes pursued from time to time. IDROCORP sas di IDH srl uses multiple advanced security technologies and procedures to help protect users’ personal data; for example, personal data are stored on secure servers located in areas with protected and controlled access. The user can help IDROCORP sas di IDH srl update and keep their personal data accurate by communicating any changes related to their address, role, contact information, etc.

10) Scope of communication and access to data
The user’s personal data may be disclosed to:
- all parties to whom the right of access to such data is granted by virtue of legal provisions;
- our collaborators and employees, within the scope of their respective duties;
- all those natural and/or legal persons, public and/or private, when disclosure is necessary or functional to carrying out our activities and in the ways and for the purposes illustrated above.

11) Nature of providing personal data
The provision of certain personal data by the user is mandatory in order to allow the Company to manage communications, requests received from the user, or to contact the user in order to follow up on their request. This type of data is marked with an asterisk [*], and in such cases provision is mandatory to allow the Company to follow up on the request; failing this, the request cannot be processed. Conversely, the collection of other data not marked with an asterisk is optional: failure to provide such data will not entail any consequences for the user. The provision of personal data by the user for marketing purposes, as specified in the section “Purposes and methods of processing”, is optional and refusal to provide them will have no consequences. Consent given for marketing purposes is understood to be extended to the sending of communications carried out through both automated and traditional contact methods and/or means, as exemplified above.

12) Data subject’s rights
12.1 Art. 15 (right of access), 16 (right to rectification) of EU Regulation 2016/679. The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right of the data subject to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
h) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

12.2 Right under Art. 17 of EU Regulation 2016/679 – right to erasure (right to be forgotten). The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of EU Regulation 2016/679.

12.3 Right under Art. 18 – Right to restriction of processing
The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
a) the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) although the controller no longer needs the personal data for the purposes of the processing, the personal data are required by the data subject for the establishment, exercise or defense of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) of EU Regulation 2016/679 pending verification whether the legitimate grounds of the controller override those of the data subject.

12.4 Right under Art. 20 – Right to data portability
The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

13. Withdrawal of consent to processing
The data subject has the right to withdraw consent to the processing of their personal data by sending a registered letter with return receipt (raccomandata A/R) to the following address: IDROCORP sas di IDH srl, Via Lombardia, 23, 41012 Carpi (MO), enclosing a photocopy of their identity document, with the following text: --withdrawal of consent to the processing of all my personal data--. At the end of this operation, the data subject’s personal data will be removed from the archives as soon as possible.
If the data subject wishes to obtain further information about the processing of their personal data, or to exercise the rights referred to in the previous point 7, they may send a registered letter with return receipt (raccomandata A/R) to the following address: IDROCORP sas di IDH srl, Via Lombardia, 23, 41012 Carpi (MO). Before being able to provide or change any information, it may be necessary to verify the data subject’s identity and answer some questions. A response will be provided as soon as possible.