Foreword

CHORA srl, VAT 11345650961, headquartered in viale dei mille 33, 20129 Milano (MI), as data controller, informs you in accordance with Article 13 Legislative Decree 30.6.2003 n. 196 (hereinafter, "Privacy Code") and Article 13 EU Regulation n. 2016/679 (hereinafter, "GDPR") that your data will be processed in the manner and for the purposes disclosed below.

Object of Treatment

The Holder processes personal, identifying data such as: first name, last name, company name, address, telephone, e-mail, bank and payment references (hereinafter, "personal data" or also "data") communicated by you in connection with the conclusion of contracts for the provision of goods and/or services. The owner processes the data Source IP address, logs acquired while browsing the site to ensure network and information security, protection of company assets and security of company premises and systems.

Your personal data are processed:

1. without your express consent (art. 24 lett. a), b), c) Privacy Code and art. 6 lett.b), e) GDPR), for the following Service Purposes:
   1. To conclude contracts for the Holder's services;
   2. To fulfill pre-contractual, contractual and tax obligations arising from existing relationships with you;
   3. to fulfill obligations under the law, a regulation, EU legislation or an order of the Authority (such as in the area of anti-money laundering);
   4. to exercise the rights of the Owner, such as the right of defense in court;
2. only with your specific and separate consent (Articles 23 and 130 Privacy Code and Article 7 GDPR), for the following Marketing Purposes:
   1. To send you via e-mail, mail and/or text message and/or telephone contact, newsletters, commercial communications and/or advertising material on products or services offered by the Owner and satisfaction survey on the quality of services;
   2. To send you by e-mail, mail and/or text message and/or telephone contact commercial and/or promotional communications related to our business activities.

We would like to point out that if you are already our customer, we may send you commercial communications relating to services and products of the Owner similar to those you have already used, unless you disagree (art. 130 c. 4 Privacy Code).

Method of treatment

The processing of your personal data is carried out by means of the operations indicated in Art. 4 Privacy Code and Art. 4 No. 2) GDPR and namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data.
Your personal data are subject to both paper and electronic and/or automated processing.
The Data Controller will process personal data for as long as necessary to fulfill the above purposes and in any case for no longer than 10 years after the termination of the relationship for the Service Purposes and for no longer than 2 years after data collection for the Marketing Purposes.

Data access

Your data may be made accessible for the purposes mentioned in Article 2.a. and 2.b.:

1. employees and collaborators of the Controller in their capacity as persons in charge and/or internal data processors and/or system administrators;
2. Third-party companies or other entities (by way of example, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) that perform outsourcing activities on behalf of the Controller, in their capacity as external data controllers.

Disclosure of data

Without the need for your express consent (ex art. 24 lett. a), b), d) Privacy Code and art. 6 lett. b) and c) GDPR), the Data Controller may communicate your data for the purposes referred to in art. 2 to other bodies of the P.A., Judicial Authorities, insurance companies for the provision of insurance services, as well as to those subjects to whom the communication is mandatory by law for the fulfillment of the said purposes. These subjects will process the data in their capacity as autonomous data controllers. Your data will not be disseminated.

Data Transfer

Personal data are stored on servers located in MILAN (MI), within the European Union.

Provision of data and consequences of refusal to respond

The provision of data for the purposes mentioned in Art. 2.a. is mandatory.
In their absence, we will not be able to guarantee you the Services in Article 2.a.
On the other hand, the provision of data for the purposes mentioned in Article 2.b. is optional.
You may then decide not to provide any data or to later deny the possibility of processing data already provided: in this case, you will not be able to receive newsletters, commercial communications and advertising material related to the Services offered.

Rights of the data subject

In your capacity as a data subject, you have the rights under Art. 7 Privacy Code and Art. 15 GDPR, namely the rights to:

1. Obtain confirmation of the existence or non-existence of personal data concerning you, even if not yet registered, and their communication in intelligible form;
2. Getting the indication:
   1. of the origin of personal data;
   2. of the purposes and methods of processing;
   3. of the logic applied in the case of processing carried out with the aid of electronic instruments;
   4. of the identification details of the owner, managers, and designated representative in accordance with Art. 5, paragraph 2 Privacy Code and Art. 3, paragraph 1, GDPR;
   5. of the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representative in the territory of the State, as managers or appointees;
3. To obtain:
   1. updating, rectification or, when interested, integration of data;
   2. the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
4. certification that the operations referred to in paragraphs 8.c.i. and 8.c.ii. above have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except where this proves impossible or involves a manifestly disproportionate use of means compared to the protected right;
5. Oppose in whole or in part:
   1. for legitimate reasons to the processing of personal data concerning you, even if relevant to the purpose of collection;
   2. to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated calling systems without the intervention of an operator by e-mail and/or through traditional marketing methods by telephone and/or paper mail.
   3. It should be noted that the data subject's right to object, set out in section 8.e.ii. above, for direct marketing purposes by automated means extends to traditional ones and that, in any case, the possibility for the data subject to exercise the right to object even partially remains unaffected. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.
6. Where applicable, it also has the rights under Articles 16-21 GDPR (Right to rectification, right to be forgotten, right to restrict processing, right to data portability, right to object), as well as the right to complain to the Data Protection Authority.

What are cookies?

Cookies are short text fragments (letters and/or numbers) that allow the web server to store on the client (the browser, e.g. Internet Explorer, Chrome, Firefox, Opera...) information to be reused during the same visit to the site (session cookies) or later, even days later (persistent cookies). Cookies are stored, based on user preferences, by the individual browser on the specific device used (computer, tablet, smartphone).

A cookie cannot retrieve any other data from the user's hard drive nor transmit computer viruses or acquire email addresses. Each cookie is unique to the user's web browser. Some of the functions of cookies may be delegated to other technologies. The term 'cookies' is intended to refer to cookies and all similar technologies.

Depending on the characteristics and use of cookies, various types of cookies can be distinguished:

1. Strictly necessary technical cookies.
   These are cookies that are essential for the proper functioning of a website and are used to manage various services related to websites (such as a login or access to restricted functions on sites).
   The duration of cookies is strictly limited to the working session or they may use a longer dwell time in order to remember the visitor's choices. Disabling strictly necessary cookies may affect the user and browsing experience of the website.
2. Analytics (analytics) and performance cookies.
   These are cookies used to anonymously collect and analyze website traffic and usage.
   These cookies, while not identifying the user, allow, for example, detection of whether the same user returns to log on at different times.
   They also allow the system to be monitored and improve its performance and usability.
   functionality and will be discussed in detail later.
3. Profiling cookies (not operational on this Site).
   These are permanent cookies used to identify (anonymously and non-anonymously) user preferences and improve the user's browsing experience.
   For more information about these cookies not used by the Web Site, please visit the appropriate section on the www.garanteprivacy.it/cookie

Purposes of processing and purposes of technical session cookies.

The cookies used on the Site are solely for the purpose of performing computer authentication or session tracking and the storage of specific technical information regarding users accessing the servers of the Data Controller operating the Site.
With this in mind, some operations on the Site could not be accomplished without the use of cookies, which are therefore technically necessary in such cases.
By way of example, access to any restricted areas of the Site and the activities that may be performed there would be much more complex to perform and less secure without the presence of cookies to identify you and maintain your identification within the session.
According to Article 122, paragraph 1, of the Privacy Code (in the current wording following the entry into force of Legislative Decree 69/2012), "technical" cookies may be used even without the consent of the person concerned.
Among other things, the same European body that brings together all the Privacy Authorities of the various Member States (the so-called "Article 29" Group ) clarified in Opinion 4/2012 (WP194) entitled "Exemption from Consent for the Use of Cookies" that cookies for which it is not necessary to acquire the user's prior and informed consent are:cookies with data filled in by the user (session identifier), lasting one session or persistent cookies limited to a few hours in certain cases;

1. Authentication cookies, used for the purpose of authenticated services, lasting one session;
2. User-centered security cookies, used to detect authentication abuse, for a limited persistent duration;
3. Session cookies for load balancing, lasting one session;
4. Persistent cookies for user interface customization, lasting one session (or slightly more);

The Data Controller therefore informs that only technical cookies (such as those listed above) necessary to navigate within the Site are operational on the Site as they allow essential functions such as authentication, validation, management of a browsing session and fraud prevention and allow, for example: to identify whether the user has regularly accessed areas of the site that require prior authentication or user validation and session management related to the various services and applications or data storage for secure mode access or control and fraud prevention functions.
For maximum transparency, a number of technical cookies and instances of specific operation on the Site are listed below:

1. cookies implanted in the user's/contractor's terminal directly (which will not be used for further purposes) such as session cookies used to "fill the cart" in online reservations on the Site, authentication cookies, personalization cookies (e.g., for choosing the navigation language, recall ID and complete password by typing the first characters, etc.);
2. cookies used to statistically analyze accesses/visits to the site (so-called "analytics" cookies), which pursue only statistical purposes (and not also profiling or marketing) and collect information in aggregate form without the possibility of tracing the identification of the individual user.
   In these cases, since the current legislation requires that for analytics cookies the interested party be provided with a clear and adequate indication of the simple ways to oppose (opt-out) their implantation (including any mechanisms for anonymizing the cookies themselves), we specify that it is possible to proceed to deactivate analytics cookies as follows: open your browser, select the settings menu , click on internet options, open the tab related to privacy and choose the desired level of cookie blocking.
   Should you want to delete cookies already saved in memory, simply open the security tab and delete the history by checking the "delete cookies" box.

Third-party cookies

By visiting a website, you may receive cookies from sites operated by other organizations ("third parties") that may reside in Italy or abroad.
An example found on most websites is the presence of YouTube videos, Google APIs, use of Google Maps, and the use of "social plugins" for Facebook, Twitter, Google+, and LinkedIn.
aforementioned sites and integrated into the page of the host site.
The most common use of social plugins is aimed at sharing content on social networks in order to increase the visitor's user experience.
The presence of these plugins results in the transmission of cookies to and from all sites operated by third parties.
The management of information collected by "third parties" is governed by the relevant disclosures to which please refer.

Liability for Operation of Third Party Cookies

Reference is made in this regard to the provisions of the General Provision of the Privacy Guarantor on Cookies of May 8, 2014:
"There are multiple reasons why it does not appear possible to place an obligation on the publisher to provide information and acquire consent for the installation of cookies within its site even for those installed by "third parties."
First, the publisher should always have the tools and the economic-legal ability to take charge of the third parties' compliance, and should therefore also be able to verify from time to time the correspondence between what the third parties state and the purposes they actually pursue with the use of cookies.
This is made very arduous by the fact that the publisher often does not directly know all the third parties that install cookies through its site and, therefore, neither does it know the rationale behind their processing.
In addition, not infrequently between the publisher and third parties are parties who play the role of licensees, resulting in de facto very complex for the publisher to control the activities of all parties involved.
Third-party cookies could, then, be modified over time by the third-party vendors, and it would be impractical to ask publishers to keep track of these later changes as well."
As indicated by the Privacy Guarantor, this Site does not have the ability to control third-party cookies should it use third-party services (YouTube, Google Maps, "social buttons") for which the third parties are solely responsible.
In addition, we recall the possibility for the user to delete and block the operation of cookies at any time by also using browser plugins and changing the settings as indicated in the various manuals contained in the browsers.

Mandatory or optional consent for the operation of cookies that do not pursue marketing purposes

It is not mandatory to acquire consent to the operation of only technical cookies or third-party or analytical cookies assimilated to technical cookies.
Their deactivation and/or denial of their operation will result in the impossibility of proper navigation on the Site and/or the inability to enjoy the services, pages, features or content available therein.

Use of rights by the data subject

With particular reference to users' rights regarding cookies, some links are provided below for further study:

1. AboutCookies.org: for more information about cookies and how they affect your browsing experience.
2. Youronlinechoices.com: for a broad view on cookies, best practices, and the enjoyment of targeted advertising through the use of cookies
3. Cookies section at www.garanteprivacy.it/cookie to learn about best practices provided by the Data Protection Authority.

At any time it will be possible - without any formality - to exercise the rights set forth in Article 7 of the Privacy Code (also by using the special application form made available by the Guarantor at www.garanteprivacy.it) , which for usefulness is reproduced in full below.
The use of the rights is not subject to any form constraints.

Data Controller and Data Processors

The identification details of the Company as the Data Controller of the data subject are as follows:
CHORA srl, VAT 11345650961, con sede in viale dei mille 33, 20129 Milano (MI) - ITALY
The updated list of Data Processors (if appointed), can be found at the headquarters of the above-mentioned Company.

Latest revision 04/06/2022