H1 Finance S.r.l., in qualità di titolare del trattamento, informa ai sensi dell’Articolo 13 Regolamento UE n. 2016/679 (“GDPR”) che i dati forniti dagli utenti (l’“Interessato” o l’“Utente”) tramite il sito https://www.withless.com/ (il “Sito”), indipendentemente dalle modalità e dallo strumento utilizzato, saranno trattati con le modalità e per le finalità seguenti.

1. Il Titolare del trattamento dei dati personali

Titolare del trattamento è H1 Finance S.r.l., con sede legale in Via Amilcare Ponchielli 51 - 24125, Bergamo (di seguito, il “Titolare del Trattamento”).

Il Titolare del Trattamento mette a disposizione il seguente indirizzo di posta elettronica per ogni comunicazione: privacy@h1card.com.

Il Titolare del Trattamento potrà designare uno o più responsabili del trattamento dei Dati Personali ai sensi dell’articolo 28 del GDPR, che, per conto del Titolare del Trattamento, forniscono specifici servizi elaborativi o attività connesse, strumentali o di supporto adottando tutte quelle misure tecniche e organizzative adeguate a tutelare i diritti, le libertà e i legittimi interessi che sono riconosciuti per legge agli Interessati.

2. Descrizione del trattamento

Il trattamento avrà ad oggetto singole operazioni, o un complesso di operazioni, dei seguenti dati personali forniti dall’Interessato in occasione della fruizione dei servizi resi dal Titolare del Trattamento, tramite il Sito, come descritto nella seguente tabella (i “Dati Personali” o i “Dati”):

Please note that, with reference to browsing data, the information collected, while not intended to be associated with identified individuals, by its nature, if associated with other Data held by third parties (e.g. internet service providers), could allow the identification of the Data Subjects (e.g. IP addresses, domain names of the PCs used, URL addresses of the resources requested, time of the request, numeric code relating to the status of the response given by the server).

3. Processing modalities

The processing of Personal Data:

1. is carried out by means of the operations indicated in Article 4, co. 1, no. 2 of the GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of Data;
2. is also carried out with the aid of electronic or otherwise automated means;
3. is also carried out through the use of electronic mail or other remote communication techniques.

4. Transfer of Personal Data

The management and storage of the Data shall take place primarily in Europe, on servers of third-party companies duly appointed as data processors.

The Data Controller may provide access to the Website and the services therein also in other countries, in which case the transfer of Data to such countries is strictly limited to the actual need to be aware of it. The Data Controller will take the necessary measures to protect Users' Personal Data and prevent unauthorised access.

In the event that Personal Data is transferred to the systems used by the Data Controller and/or third-party companies entrusted and duly appointed as Data Processors even outside the European Union, the Data Controller guarantees the application of the European Commission's standard contractual clauses to ensure a secure international transfer of Personal Data, based on Articles 44, 45 and 46 of the GDPR.

In the event that such transfer takes place to countries that do not provide the same level of protection as provided by the GDPR or applicable legislation, or in any event an adequate level of protection for personal data, the Data Controller will ensure that each such recipient undertakes specific contractual obligations in accordance with applicable data protection legislation (including the signing of the Standard Contractual Clauses "SCC" approved by the European Commission). Alternatively, in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or adequate safeguards pursuant to Article 46 GDPR, including binding corporate rules, the Data Controller will request, pursuant to Art. 49 GDPR, the possibility of transferring personal data to a third country after obtaining specific consent from the Data Subject. In any case, the User may request further information regarding the transfer of Personal Data by contacting the e-mail address privacy@h1card.com.

4. Security Measures

The Data Controller has adopted a variety of security measures to protect Data against the risk of loss, misuse or alteration, consistent with the measures expressed in Article 32 of the GDPR. Processing is carried out using IT and/or telematic tools, with organisational methods and logics strictly related to the purposes indicated.

5. Consequences of non-disclosure of Personal Data

Without prejudice to the Data Subject's right to provide Personal Data to the Data Controller, the provision of Personal Data may be:

1. compulsory in order to provide the services accessible through the Website and for purposes related to the fulfilment of obligations provided for by applicable laws and/or regulations, as well as by provisions issued by the competent authorities/supervisory and/or control bodies;
2. optional with reference to data voluntarily provided by the Data Subject.

Should the Data Subject refuse to provide Personal Data to the Data Controller, this may make it impossible for the Data Controller to provide the requested services and make access to the Website available.

Furthermore, please consider that the revocation of one or more permissions and/or consents not given by the User may have consequences on the proper functioning and/or on the possibility to access and/or use the Website properly and/or provide the services by the Data Controller.

6. Retention and deletion of Data

The retention period of the Personal Data is set out in the table in point 2 above.

At the end of the retention period the Personal Data will be deleted. Therefore, at the end of this period, the User will no longer be able to exercise the right to access, delete, rectify and the right to portability of Personal Data.

Personal Data will be stored by means of computerised archives, including portable devices, adopting appropriate measures to guarantee their security and to limit access to them exclusively to personnel authorised by the Data Controller and strictly for the purposes indicated above.

7. Third Party Partners

In order to provide certain services, the Data Controller may use the services of third-party partners, who will process the User's Personal Data as independent data controllers, therefore we recommend that you read the personal data processing notices available below:

• Treezor Sas: https://www.treezor.com/privacy-policy/.

8. Who we may disclose Personal Data to

For the purposes set out above, Personal Data may be made accessible or communicated to:

1. employees and contractors of the Data Controller, in their capacity as authorised processors, within the scope of their respective duties and in accordance with their instructions. These individuals are in any case subject to the obligations of confidentiality and privacy;
2. to third parties performing outsourced activities on behalf of the Data Controller and whose activities are connected, instrumental or in support of those of the Data Controller (e.g. management software)
3. to all those public and/or private entities, natural and/or legal persons (such as, by way of example, legal, administrative and tax consultancy firms, funds or funds, including private welfare and assistance funds, Judicial Offices, Chambers of Commerce), if the communication is necessary or functional to the proper fulfillment of the contractual obligations undertaken, as well as the obligations arising from the law
4. to all those entities (including Public Authorities) that have access to Personal Data by virtue of regulatory or administrative measures.

In any case, the Personal Data collected will not be disclosed.

9. Rights of the Data Subject

The Data Subject may exercise the rights provided for by Chapter III of the GDPR within the limits and under the conditions provided therein:

1. access to the Data (art. 15): the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him or her is being processed and, if so, to obtain access to the Personal Data in a commonly used electronic format and certain information on the processing (e.g. purposes, categories of Data processed, recipients, transfers outside the EU, implementation of profiling activities, etc.);
2. rectification of the Data (art. 16): the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning him/her without undue delay and/or the integration of incomplete Personal Data, also by providing a supplementary declaration;
3. erasure of Data or "right to be forgotten" (Art. 17): the Data Subject has the right to obtain from the Data Controller the erasure of Personal Data concerning him/her without undue delay and the Data Controller has the obligation to erase without undue delay the Personal Data;
4. restriction of processing (Art. 18): the Data Subject has the right to obtain from the Data Controller the restriction of the processing;
5. portability of the Data (Art. 20): the Data Subject has the right to receive in a structured, commonly used and machine-readable format the Personal Data concerning him/her that he/she has provided to a Data Controller and has the right to transmit such Data to another Data Controller without any hindrance from the Data Controller to whom he/she has provided them;
6. objection to processing (Art. 21): the Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her in accordance with Article 6(1)(e) or (f) of the GDPR, including profiling on the basis of these provisions.

10. Procedures for exercising rights

The Data Subject may exercise his/her rights at any time by sending:

1. an e-mail to the address privacy@h1card.com;
2. a registered letter A/R to H1 Finance S.r.l., with registered office in Via Amilcare Ponchielli 51 - 24125, Bergamo.

The Data Controller undertakes to provide the Data Subject with information on the action taken in respect of a request to exercise rights without undue delay and, in any case, at the latest within a period of 30 (thirty) days from receipt of the request, which may be extended to 3 (three) months only in particularly complex cases.

Any rectification or cancellation or limitation of the processing carried out at the explicit request of the Data Subject shall be communicated by the Data Controller to each of the recipients to whom the Personal Data have been transmitted, unless this proves impossible or involves a disproportionate effort for the Data Controller. The Data Controller may inform the Data Subject of the contact details of the recipients if so requested.

11. Right to complain

Data Subjects who believe that the processing of their Personal Data is in breach of the provisions of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority: i) by e-mail, at garante@gpdp.it or urp@gpdp.it; ii) by fax at 06.696773785; or iii) by post at the registered office located in Rome (Italy), Piazza Venezia n. 11 - Cap 00187, or alternatively by recourse to the Judicial Authority.

12. Managers and appointees

The updated list of data processors and persons in charge of processing is kept at the Data Controller's registered office.

13. Amendments to this information notice

This information notice may be amended and/or updated at any time. If the Data Controller intends to process your Personal Data for purposes other than those indicated in this Privacy Policy, it undertakes to provide you, prior to such further processing, with adequate information regarding such different purposes and to carry out such further processing in compliance with the regulations in force, collecting the specific consent of the Data Subject when required.

‍

‍