PRIVACY POLICY

PRIVACY NOTICE
pursuant to Articles 13-14 of EU Regulation No. 679/2016FLUENCE GROUP LTD, operating as Infrastrutture AI (hereinafter referred to as the “Data Controller”), pursuant to Articles 13 and 14 of EU Regulation No. 679/2016, provides this privacy notice concerning the processing of personal data in relation to the provision of its services.This notice also draws inspiration from Recommendation No. 2/2001, adopted on May 17, 2001, by the European data protection authorities gathered within the Group established under Article 29 of Directive No. 95/46/EC, in order to identify certain minimum requirements regarding the collection of personal data online, particularly concerning the methods, timing, and nature of the information that data controllers must provide to users when they access web pages—regardless of the purpose of the connection—since data relating to identified or identifiable individuals may be processed during website consultation.This notice applies exclusively to the website managed by the Data Controller and does not cover any other websites that may be accessed by the user via external links.

Art. 1. Data Controller and Processor
FLUENCE GROUP LTD (hereinafter referred to as the “Data Controller”), with its registered office at Albion House Unit 6, High Street, Woking, Surrey, England, GU21 6BG, and reachable at the email address info@fluence-group.com, provides this notice pursuant to Articles 13 and 14 of EU Regulation No. 679/2016 (hereinafter “GDPR”).This notice describes how users' personal data is collected, used, protected, and processed, both through the corporate website and through the services offered, including processing carried out via Artificial Intelligence systems. It applies exclusively to data processed by the Data Controller and does not cover any external links on the site.The personnel of the Data Controller (including collaborators and employees assigned to administrative and commercial functions) are duly authorized and trained as data processors or appointees. Each collaborator is provided with a specific mandate for data processing, in compliance with applicable regulations.

Art. 2. Data Processing Location
Personal data is processed at the Data Controller’s registered office, located at Albion House Unit 6, High Street, Woking, Surrey, England, GU21 6BG, as well as on IT systems via software provided by technology partners and through devices made available to individuals authorized for data processing.Processing carried out using AI systems may also take place on cloud infrastructures or platforms provided by specialized third parties, which may be located outside the European Economic Area, in accordance with the safeguards provided by the GDPR. Processing is conducted in ways that ensure the security and confidentiality of personal data.

‍

 
Art. 3. Types of Data Processed\
The Data Controller processes only the personal data voluntarily provided by the user or acquired from third parties with the user’s explicit consent, as well as data strictly necessary to fulfill information requests or deliver the services offered. The categories of data processed include:

‍Common Personal Data
This includes identifying and contact information such as name, surname, address, email, phone numbers, and banking/financial data. These data are necessary for executing the requested service or for pre-contractual purposes and may also be used as input for AI systems in order to deliver or improve the services.

a) Browsing Data
When accessing the Controller’s website or blog, implicit data derived from Internet communication protocols are collected. These include:
Date and time of access
Name of the website visited
IP address
Referrer URL
Amount of data transmitted
Information about the browser and operating system used
These data are processed anonymously or in anonymized form for statistical purposes, to ensure the website functions correctly, and to maintain system security. They may also be analyzed using AI systems to identify usage patterns, optimize navigation, and detect potential anomalies or security threats. IP addresses are anonymized at the end of each session and analyzed solely to improve services or identify anomalies.
‍b) Voluntarily Provided Data
Through the website or associated IT systems, users may voluntarily provide information such as images, identification documents, banking or personal data for specific purposes (e.g., payments). The processing of such data is carried out in accordance with current regulations. The user guarantees that any data provided, including third-party data, is submitted with a proper legal basis and releases the Data Controller from any claims or liability from third parties. These data may be processed by AI systems for the specific purposes for which they were provided.
‍c) Data Processed Through Social Network Interaction
‍Users may register for services through social media profiles such as Facebook or Google. In such cases, the Data Controller automatically receives certain information (specified in the pop-up window shown at the time of registration) from the social platform providers, with no need for further data entry. These data may be used—also via AI systems—to personalize the user experience or for aggregate analysis of preferences, always in accordance with the stated purposes and obtained consent.
‍d) Special Categories of Data
Some services—such as the use of connected applications—may involve the processing of special categories of personal data (Art. 9 of EU Regulation 679/2016). This includes information such as name, surname, date of birth, email address, and other data required to deliver the requested services. The Data Controller does not actively process special categories of personal data through its AI systems, unless strictly necessary for the provision of a specific service requested by the user, and only with explicit prior consent and the adoption of appropriate technical and organizational measures to protect the confidentiality of such data.
‍e) Geolocation
The website and related applications may offer location-based services. With the user's prior consent, device location data may be processed to improve user experience or provide specific services. If consent is given, AI systems may use location data to deliver personalized, location-based services. These data are not shared with third parties, and users may revoke their consent at any time through their device settings. Any images or videos collected will not be used to identify the user without prior authorization.
‍f) Data Derived or Inferred by AI
‍During the provision of services and analysis activities, AI systems may generate new data or insights about the user (e.g., inferred preferences, customer segmentation, likelihood of interest in a specific property or service). These derived data are treated as personal data and are subject to the same safeguards, purposes, and legal bases as the original data from which they were generated.
 
Art. 4. Purposes of Data Processing
The Data Controller informs that personal data will be processed strictly to the extent necessary to fulfill the following purposes:
‍a) Execution of a contract to which the user is a party, or the adoption of pre-contractual measures at the user’s request.
b) Compliance with legal obligations to which the Data Controller is subject.
c) Establishment, exercise, or defense of legal claims in judicial proceedings or in proceedings initiated by competent authorities.
‍d) Allowing navigation of the website and provision of the services offered by the Data Controller.
e) Responding to specific requests addressed to the Data Controller.
‍f) Fulfillment of obligations provided for by applicable laws, regulations, or EU legislation, as well as compliance with any requests from competent authorities.
‍g) Direct marketing activities via email, regarding services similar to those already subscribed to by the user, including via AI systems for recipient selection based on relevance criteria, unless the user expressly objects to receiving such communications. Objection can be made at the time of registration or at any time thereafter.
h) Marketing activities and newsletter distribution, subject to prior specific consent, such as:Conducting studies, research, and market statistics.Sending informational and promotional material regarding the activities, services, and products of the Data Controller and its business Partners (without sharing personal data with said Partners).
Sending surveys to improve the services offered ("customer satisfaction").
These communications may occur through various channels: email, SMS, physical mail, phone with operator, official social media pages, or push notifications via applications.
The Data Controller collects a single consent for all the marketing purposes described, in accordance with the General Provision of the Italian Data Protection Authority (“Guidelines on promotional activities and against spam” dated July 4, 2013).
The user may object at any time to the processing of their data for marketing purposes by contacting the Data Controller through the contact information provided in the "Contacts" section of this privacy notice. Such objection will not affect the lawfulness of processing carried out based on previously granted consent.
i) Use of data for statistical or research purposes, in anonymous form, also with the use of AI, without any possibility of identifying the user.
‍j) Improvement of Services and Development of New Features: Analyzing usage data and interactions (including via AI) to understand how services are used, identify areas for improvement, fix issues, and develop new features or services in the marketing and real estate sectors.
k) Personalization of the User Experience: Using AI systems to tailor content, suggestions, and offers based on the user’s preferences, behaviors, or inferred characteristics, to make the experience more relevant and effective (subject to consent where required, or based on legitimate interest with the right to object).
l) Optimization of Marketing Campaigns: Using AI systems to analyze campaign effectiveness, segment the audience more precisely, and optimize the allocation of advertising resources.m) Decision Support (Not Automated with Legal or Significant Impact): Using AI-based analysis as informational support for the Controller’s operational and strategic decisions, without such systems making automated decisions that produce legal effects or significantly affect the data subject.

 
Art. 5. Methods of Processing
The IT systems and software used by the Data Controller are configured to minimize the use of personal and identifying data. This principle also applies to the design and use of AI systems, where data minimization is pursued by processing only the data necessary for specific purposes and, where possible, favoring anonymized or aggregated data.
Data processing is carried out only when strictly necessary, prioritizing the use of anonymous data or methods that allow the identification of the data subject only in cases of actual need.
To access the services offered, the data subject is initially required to provide only the common personal data necessary. These data are processed by administrative personnel who operate in accordance with the intended purposes and in line with the principles of data minimization.
The Data Controller adopts all necessary organizational and technical measures to prevent personnel from processing irrelevant or excessive data compared to the processing purposes.Personal data are recorded, processed, managed, and stored using electronic and digital tools and, only if necessary, in paper format. Regardless of the method used, data security and confidentiality are always ensured.
The processing of personal data is carried out using automated tools, including algorithms and Artificial Intelligence systems, for the period strictly necessary to achieve the stated purposes. Specific security measures are adopted to prevent data loss, unlawful or unauthorized use, and unauthorized access, taking into account specific risks related to the use of AI (e.g., integrity of training data, model security).
Responsibilities related to data processing are clearly defined through internal regulations and operational instructions for authorized personnel. The Data Controller provides training and updates on personal data processing, raising awareness among operators about the potential risks and responsibilities associated with data handling. Each operator who accesses IT systems is identifiable, bound by professional secrecy, and formally authorized to carry out processing activities.In cases where special laws require anonymous data processing (e.g., protection of victims of sexual violence or pedophilia, HIV positivity, drug use, voluntary termination of pregnancy, anonymous childbirth, services offered by family counseling centers, responsible procreation choices, etc.), data are anonymized at the time of their creation, in compliance with applicable laws, and are not subject to further processing.

 
Art. 6. Security Measures
The processing of personal data is safeguarded by the adoption of preventive and appropriate security measures, aimed at minimizing the risks of destruction or loss—whether accidental—or unauthorized access or processing not in line with the purposes for which the data were collected. These measures also apply to data processed through AI systems, including securing the algorithms and models themselves to mitigate specific risks (e.g., unwanted bias, tampering, unauthorized access to models).
Organizational and operational security measures are extended to the processing of sensitive personal data and are implemented using secure electronic tools and strict procedures.
The security system for processing personal data is based on the following elements:
Personal Data Processing Register: Clear definition of the purposes and methods of each processing activity.
Restricted Access to Authorized Personnel: Data is accessible only to personnel specifically authorized based on the specific purpose of the processing.
Risk Analysis: Evaluation of potential risks that could compromise personal data security, followed by the adoption of appropriate mitigation measures.
Data Integrity and Availability: Implementation of measures to ensure that data remains intact and accessible only to authorized individuals, even in the event of unforeseen incidents.
Recovery Criteria and Procedures: Establishment of protocols to ensure timely data recovery in case of destruction or damage.
Staff Training and Awareness: Ongoing training programs for data-handling personnel, focusing on specific risks, available preventive measures, data protection regulations, and related responsibilities.
Minimum Security Measures for External Processing: Adoption of strict criteria to ensure compliance with security measures even when processing is outsourced or data is transferred outside the Controller’s infrastructure or abroad
.Encryption and Segregation of Sensitive Data: For data that may reveal health status or sexual life of the data subjects, specific measures such as encryption or segregation from other personal data are applied to ensure maximum protection.
The Data Controller periodically updates its security measures in accordance with technological and regulatory developments to ensure an adequate level of protection for personal data.

 
Art. 7. Data Processing Recipients
The individuals and entities that process your personal data are carefully selected to ensure the highest level of data protection and confidentiality. The recipients include:
Internal Parties within the Data Controller’s Organization: Individuals authorized within the Data Controller’s structure, who operate in compliance with specific operational instructions and are essential to the delivery of the offered services. These individuals are bound by confidentiality obligations and are trained in personal data protection.
External Data Processors: Entities that process personal data on behalf of the Data Controller, under specific contractual agreements that govern the processing.
These include:
‍i) Individuals, companies, or professional firms providing accounting, administrative, legal, tax, and financial assistance and consulting services.
ii) Providers of technical services for maintenance, updates, or support of IT systems and technological infrastructure, including providers of cloud platforms, specific software, and AI-based services.
‍iii) Banks, insurance companies, and brokers, where necessary for the management of payments, policies, or guarantees.
‍iv) Parent companies, subsidiaries, and affiliates of the Data Controller, solely for administrative and accounting purposes in accordance with Article 6 of the GDPR and for internal organizational, financial, and management activities.
‍Individuals Authorized by the Data Controller: Employees, collaborators, and other individuals acting under the direct authority of the Data Controller, who are bound by written confidentiality agreements or equivalent legal obligations.
Entities Legally Required to Receive Data :Public authorities, bodies, or agencies (such as tax or regulatory authorities) to whom the Data Controller is legally obliged to disclose personal data.J
udicial and Law Enforcement Authorities: Courts or law enforcement agencies involved in legal proceedings, investigations, or for compliance with lawful orders, where required by applicable law.

 

Art. 7.1 – Internal Data Processors
Given the complexity and variety of the Company's institutional functions, the Data Controller designates the following parties as Data Processors:
Heads of Operational Units:
Each Head responsible for an Operational Unit of the Company is the Data Processor for the paper and electronic databases related to their specific area of responsibility.
Head of the IT Department:
The manager responsible for the IT Department oversees the centralized electronic databases, ensuring their security and proper operation.
Authorized External Parties:
All external individuals who, on behalf of the Data Controller, use the Company's database for purposes related to the exercise of the Company’s institutional functions, as outlined in Art. 9.The appointment of internal Data Processors is formalized through the assignment associated with their organizational role. This appointment is considered accepted upon signing the contract, which outlines their obligations and responsibilities in accordance with the General Data Protection Regulation (GDPR).
Obligations of Internal Data Processors
Each Internal Data Processor is required to:
Ensure full and accurate compliance with the obligations under current legislation, including the Privacy Code and the security-related provisions;Adhere to the Company’s internal regulations and specific instructions provided by the Data Controller;Interact with the Data Protection Authority in case of information requests or investigations;Adopt appropriate measures to protect the rights, fundamental freedoms, and dignity of data subjects, including professional confidentiality and compliance with Company policies on the handling of sensitive data and minimum security standards.
Specific Duties of Internal Data Processors Regarding Data Security
As part of security measures, Internal Data Processors must:Draft and update the record of processing activities (Art. 30 GDPR);
Collaborate with the Head of the IT Department to assign each data processor a unique, non-reusable personal identification code for data access;
Safeguard user credentials (passwords) of the authorized personnel, ensuring secure and controlled use;
Verify, together with the IT Department, the effectiveness of protection and antivirus systems and implement suitable measures to restrict access to premises and prevent unauthorized intrusions;
Ensure the application of all security measures related to the processing of personal data, both within the Company and in external environments when data is accessible by third parties appointed as Data Processors;Promptly inform the Data Controller in the event of detected risks or breaches.
Independent Data Controllers
‍If internal or external parties manage personal data of third parties independently and separately from their assigned structure or mandate, they qualify as independent "Data Controllers," bearing full responsibility and obligations accordingly.

 

Art. 7.2 – External Data Processors
‍All external parties who carry out data processing operations on the Company’s personal data, on behalf of and in the interest of the Company, in relation to corporate purposes—including providers of AI technologies or platforms—are formally appointed as “External Data Processors” in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
‍Obligations of External Data Processors
‍External Data Processors are required to comply with the following obligations:
‍Lawful and Fair Processing:
Process personal data in compliance with applicable legislation, ensuring the lawfulness, fairness, and transparency of processing toward data subjects.
‍Data Security:
Adopt all appropriate technical and organizational measures to prevent:Destruction or accidental loss of personal data;
Unauthorized access or unlawful processing;Improper disclosure or communication of personal data.
These measures must comply with the GDPR and national privacy regulations, including minimum security standards.
Designation of Authorized Personnel:
Formally appoint individuals within their own organization to handle the data and ensure that only authorized and adequately trained personnel have access to personal data.
Specific Purposes:
Process personal data, including sensitive and health-related data (if applicable), strictly for the purposes set out in the contract or agreement with the Data Controller.
Compliance with Instructions:
Strictly follow the instructions provided by the Data Controller, ensuring that every processing operation aligns with the established purposes and complies with applicable laws.
Data Location Transparency:
Specify the physical locations where data processing takes place, providing transparency on the management methods and the security of the infrastructures used.
Consequences of Non-Compliance
If External Data Processors fail to comply with the above obligations or act contrary to the contract, they will be considered independent Data Controllers. In such cases, they:Will be directly and independently responsible for any violations of current data protection laws;Will be solely liable for any damages caused to data subjects or for penalties arising from unlawful data processing.
‍Formalization of the Appointment
The appointment of each External Data Processor is formalized through a “Data Processing Agreement” or specific contractual clauses, which clearly define:
The purposes and duration of the processing;The categories of data processed;
The security obligations and methods of processing;
The duties of cooperation with the Data Controller, including the prompt notification of any personal data breaches.

 

Art. 7.3 – Data Processing Appointees
Each employee or collaborator designated to carry out technical operations involving the processing of personal data—including the use of AI-based tools—is, for all legal purposes, considered a “Data Processing Appointee,” in accordance with Article 29 of Regulation (EU) 2016/679 (GDPR) and Article 30 of the Italian Privacy Code.
Obligations of Data Processing Appointees
While performing tasks directly related to their roles, Appointees must:
Follow Given Instructions:
Strictly adhere to the instructions provided by the Data Controller and Data Processor, respecting the defined limits and methods for data processing activities.
Implement Security Measures:
Apply all technical and organizational measures required by company policies and applicable laws to prevent:Improper disclosure or dissemination of personal data;Destruction or accidental loss of data;
Unauthorized access or processing that does not align with the intended purposes.
Report Risks and Anomalies:
Collaborate with the Controller and Processor by promptly reporting any identified risks or issues encountered during data processing activities.
Principles for Data Processing by Appointees
‍Appointees must ensure that, during processing, personal data are:
Processed lawfully and fairly:
In accordance with principles of transparency and good faith toward data subjects.
Collected and used for legitimate purposes:
Data must be gathered and recorded for specific, explicit, and legitimate purposes, with no use incompatible with those purposes.
‍Accurate and up-to-date:
Data must be relevant, complete, not excessive, and—in the case of sensitive data—strictly necessary for the stated purposes.
Securely stored:
In a manner that allows identification of the data subject only for the time strictly necessary to achieve the declared purposes, in compliance with storage limitation principles.
‍Confidentiality and Data Disclosure
‍Appointees are strictly bound to maintain the highest level of confidentiality regarding any personal data they access in the course of their duties. It is forbidden to share data with unauthorized third parties unless explicitly instructed by the Data Controller or when required by law.
Appointment of Data Processing Appointees
‍The designation of Appointees is formalized through:An employment order or service assignment that defines the scope of data processing allowed for the employee or collaborator;
Data mapping forms that specify the permitted operations and the limits of the data processing tasks.
Training and Operational Instructions
‍Appointees must receive:
Detailed and specific instructions about the assigned processing activities, including tasks like data entry, updates, deletions, etc.;
Periodic training on data protection regulations and internal procedures to ensure compliant and secure processing.

 
Art. 8 – Nature of Data Provision and Consent
‍Consent to the processing of personal data is voluntary but essential for the provision of the requested service. Without consent, it is not possible to access the service, as data processing is necessary to pursue the main purposes, including related administrative activities.
For certain specific AI-based processing activities—such as advanced personalization or the analysis of particular data (where applicable)—specific and informed consent may be required, clearly explaining how AI will be used and which data will be processed.
Special Cases of Consent Acquisition:
a) Minors
Consent for processing personal data of a minor under the age of 16 must be provided by at least one parent or legal guardian.
‍b) Persons under legal guardianship
Consent must be given by the legal guardian using a form issued in the name of the data subject, completed with the guardian’s personal information and signature. This form must be accompanied by documentation issued by the judicial authority or, alternatively, a self-declaration of legal guardianship.
‍c) Persons unable to sign
If the data subject is unable to sign the form due to illiteracy, physical disability, or other reasons, consent may be given verbally or through other means (e.g., gestures). The operator shall record the consent, possibly with the help of a family member familiar with the subject’s communication method, using audiovisual tools. Such recordings will be stored and used solely in case of disputes.

Art. 8.1 – Marketing Purposes
Personal data may be processed for marketing purposes only with the data subject’s explicit consent.
Types of Processing for Marketing Purposes:Direct promotion by the Data Controller:
With the subject’s consent, data may be used to:
Promote products or services similar to those purchased or requested;Send advertising materials related to the Data Controller’s services;Send commercial communications through traditional means (postal mail, operator calls) or automated means (email, fax, SMS, automated systems, electronic platforms, etc.).
Unified Consent and Revocation:
‍Marketing consent is unified and comprehensive, covering all communication methods used.
The data subject may revoke consent at any time, even partially, for specific channels or types of processing, without affecting the provision of primary services. Revocation can be exercised by writing to info@fluence-group.com.
Disclosure to Third Parties:Marketing-related processing does not automatically include the sharing of personal data with third parties.
To authorize the disclosure of personal data to third parties for marketing purposes, an additional, separate, explicit, and optional consent is required, in compliance with the Italian Data Protection Authority's Guidelines of July 4, 2013, against spam.
Categories of Third-Party Data Recipients:
With the data subject’s consent, personal data may be shared with:Publishers
Sports organizationsProviders of electronic goods and servicesCommunication and advertising agenciesInsurance and financial companies
Companies in the food, restaurant, fashion, tourism, ICT, energy, and gas sectors
Optional Nature and Consequences of Non-Participation:
Providing data for marketing purposes is optional and revocable. However:Lack of consent may limit access to services involving promotional activities;
Refusal to allow marketing-related processing does not affect other contractual or commercial relationships, unless such processing is essential for the requested service.

Art. 9 – Transfer of Data Abroad
‍Your personal data may be transferred to countries both within and outside the European Union, exclusively for purposes related to the execution of the contract, to enable authorized personnel to perform their work duties, and for the use of technological services, including those based on Artificial Intelligence.
Transfer Within the European Union
Transfers to EU member states are carried out in compliance with the GDPR, ensuring the same level of protection as provided by European legislation.
Transfer to the United States
Your personal data may be transferred to the United States, a non-EU country, solely for the execution of the contract. Such transfer is safeguarded by the European Commission’s adequacy decision regarding the data protection framework (e.g., the Data Privacy Framework, where applicable).
The transfer of sensitive data to the United States is excluded.
Transfer to the United Arab Emirates
The transfer of personal data to the United Arab Emirates—a country for which the European Commission has not issued an adequacy decision—will occur only under specific contractual safeguards, such as Standard Contractual Clauses (SCCs) or other measures provided under Article 46 of the GDPR, to ensure an adequate level of data protection.In all cases, the Data Controller is committed to protecting your personal data by adopting all necessary technical and organizational measures to ensure the security and confidentiality of data during transfer and processing.
 
Art. 10 – Data Subject Rights
As a data subject, you have the right to exercise, at any time, the rights provided under Articles 15–22 of Regulation (EU) 2016/679 (GDPR).
‍Recognized Rights:Right of Access
Obtain confirmation as to whether or not your personal data is being processed.Access your personal data and receive information about its processing.
Right to Rectification
Correct or update inaccurate or incomplete personal data.
Right to Erasure (“Right to be Forgotten”)
Request the deletion of personal data when:The data is no longer necessary for the purposes for which it was collected.
Consent has been withdrawn and there is no other legal basis for processing.
The processing is unlawful or required to be stopped under applicable law.
Right to Restrict Processing
Restrict processing of personal data in the following cases:Accuracy of the data is contested, for the time needed to verify it.
Processing is unlawful, and restriction is requested instead of deletion.Data is needed for legal defense.
Objection to processing is raised, pending verification of overriding interests.
Right to Data Portability
‍Receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another data controller.
‍Right to Object
Object to the processing of your personal data for legitimate reasons or for direct marketing purposes.
Right to Withdraw Consent
Withdraw consent to processing for:
Primary purposes: Withdrawal may prevent the provision of services but does not affect the lawfulness of processing carried out before withdrawal.
Secondary purposes (marketing and newsletters): Withdrawal does not affect access to core services and does not impact the lawfulness of prior processing.
Right to Lodge a Complaint
‍File a complaint with the Data Protection Authority in case of regulatory violations, without prejudice to any other administrative or judicial remedy.
How to Exercise Your Rights:
To exercise your rights, you may send a request via email to info@fluence-group.com.

The Data Controller is committed to responding within 30 days of receiving the request, except in cases of justified extensions due to the complexity of the request.

 
Art. 11 – Data Retention Period
The Data Controller retains your personal data for a maximum period of 10 years from the last legally relevant processing or from the time consent was obtained, unless legal obligations require a different retention period.
The retention period is determined based on the following criteria:
Purpose of Processing:
For contractual and administrative purposes, data will be retained for the entire duration of the contractual relationship and subsequently for the period required by applicable laws (e.g., tax, accounting, and legal obligations).
Marketing Purposes:
‍Data processed for marketing purposes will be retained until the data subject withdraws consent.
‍Legal Obligations or Legal Defense:
‍Data may be retained for a longer period solely when necessary to comply with legal obligations or to defend a right in legal proceedings.
‍At the end of the retention period, personal data will be:
Securely deleted using irreversible deletion systems;
Or, where possible, anonymized so that the data subject can no longer be identified.
‍