Privacy Policy

1. Data controller

The controller of personal data is Dverse Studio (hereinafter the "Controller"), which operates and provides the HalloKate Service.

For any request relating to the processing of personal data and the exercise of the rights granted by the applicable legislation, you may contact the Controller at the email address [email protected].

The Controller's full identifying details (legal name, registered office and tax information) and any appointment of a Data Protection Officer (DPO) will be set out in the definitive version of this document, once legal validation has been completed.

2. Categories of data processed and sources

The Controller processes the following categories of personal data, collected directly from the data subject or generated in the course of using the Service.

Data provided through the contact and registration form on the showcase website and in the console: first name and surname, email address, business name, business sector, telephone number and any message or free text entered by the user.

Account data created in the customer console: access credentials, identifying and contact details of the business owner and of authorised operators, data relating to the business and to the related Service configurations.

Data relating to bookings managed within the console: information on appointments, on the business's end customers and on the booked services, entered by the professional user or collected through the booking forms made available by the Service.

Technical and browsing data automatically collected while using the website and the console, such as IP address, device and browser identifiers, access logs, the date and time of requests and information necessary for the security and proper functioning of the Service.

The source of the data is, as a rule, the data subject. For end-customer data entered into the console by the professional user, the source is the professional user who provides it in the course of their business activity.

3. Purposes of processing and legal bases

Personal data is processed for the purposes set out below, each based on a specific legal basis pursuant to Article 6 of the GDPR.

Responding to requests sent through the contact form and managing the related communications. Legal basis: performance of pre-contractual measures taken at the data subject's request and the Controller's legitimate interest in responding to the requests received (Article 6(1)(b) and (f)).

Creating and managing the account, providing the Service and managing the contractual relationship, including technical support. Legal basis: performance of a contract to which the data subject is party (Article 6(1)(b)).

Managing bookings and the related functionalities made available through the console. Legal basis: performance of the contract with the professional user (Article 6(1)(b)); for end-customer data, the Controller acts as a processor on behalf of the professional user, as specified in the dedicated section.

Sending transactional and service emails (for example confirmations, notifications, technical and security communications). Legal basis: performance of the contract and the Controller's legitimate interest in the proper delivery of the Service (Article 6(1)(b) and (f)).

Service security, prevention of abuse, fraud and fraudulent activities, protection of forms against automated submissions and spam. Legal basis: the Controller's legitimate interest in ensuring the security and integrity of the Service (Article 6(1)(f)).

Compliance with legal, tax, accounting and administrative obligations, as well as the management of any disputes. Legal basis: compliance with a legal obligation and legitimate interest in protecting its own rights (Article 6(1)(c) and (f)).

Any sending of promotional communications or newsletters will take place solely subject to the data subject's free, specific and revocable consent (Article 6(1)(a)), or within the limits permitted by the applicable legislation.

4. Nature of the provision of data

Providing the data marked as mandatory in the contact and registration forms is necessary in order to act on the data subject's request, to create the account and to provide the Service. Failure to provide such data makes it impossible to deliver the requested service.

Providing non-mandatory data is optional and any failure to provide it entails no consequence, save for the inability to make use of specific ancillary functionalities.

5. Recipients and processors

Personal data may be processed by the Controller's authorised personnel, suitably instructed and bound to confidentiality, and may be disclosed to third parties providing services instrumental to the delivery of HalloKate, appointed as processors pursuant to Article 28 of the GDPR.

Hosting and CDN provider: Cloudflare, Inc., which provides hosting services (Cloudflare Pages), content delivery via an edge network and infrastructure protection. The data is hosted on infrastructure with a preference for data centres located in the European Union, without prejudice to the global operation of the delivery network.

Form anti-spam service provider: Cloudflare Turnstile, used to protect forms against automated submissions and abuse, as further described in the section dedicated to cookies and similar technologies.

Transactional email provider: an external SMTP provider tasked with sending transactional and service emails (confirmations, notifications and technical communications).

The data may also be disclosed to public authorities, supervisory bodies and judicial authorities in the cases provided for by law, as well as to professional advisers (for example legal and tax advisers) to the extent necessary to comply with obligations or to protect the Controller's rights.

Personal data is not disseminated nor transferred to third parties for independent marketing purposes.

6. The Controller's role with respect to end-customer data

With regard to the personal data of end customers that the professional user enters or manages within the console for the purposes of their own business activity (for example the customer records and the booking data), the professional user acts as data controller, while Dverse Studio acts as data processor, processing such data solely on the basis of the professional user's documented instructions.

The conditions of such processing, including security measures, any recourse to sub-processors and the handling of data subjects' requests, are governed by a specific Data Processing Agreement made available to the professional user as part of the contractual relationship.

It is the professional user's responsibility to ensure that it has a valid legal basis and that it has provided data subjects with the appropriate privacy notice for the processing of its own end customers' data through the Service.

7. Transfers of data to third countries

Some of the providers used by the Controller, in particular Cloudflare, are entities whose infrastructure may entail the processing of data outside the European Economic Area. Where this occurs, the transfer takes place in compliance with Articles 44 et seq. of the GDPR.

In particular, transfers to third countries are carried out on the basis of an adequacy decision of the European Commission, where applicable, or by adopting appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission, supplemented by any additional measures aimed at ensuring a level of data protection essentially equivalent to that guaranteed within the European Union.

The data subject may request further information about the safeguards adopted and obtain a copy thereof by contacting the Controller at the address [email protected].

8. Retention period

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected and, thereafter, for the time required by legal obligations or for the protection of the Controller's rights.

Contact data collected through the form: retained for the time necessary to handle the request and, in the absence of a subsequent contractual relationship, for a period not exceeding 24 months from the last contact, unless a different documented need exists.

Account and Service usage data: retained for the entire duration of the contractual relationship and, after its termination, for the period necessary to comply with legal obligations.

Data relating to bookings and end customers: retained in accordance with the instructions of the professional user acting as controller and for the duration of the contractual relationship, subject to the technical backup terms and legal obligations.

Data processed for tax, accounting and legal compliance purposes: retained for the terms provided for by the applicable legislation, as a rule 10 years.

Upon expiry of the retention periods, the data is deleted or irreversibly anonymised.

9. Data subject's rights

In relation to the personal data processed, the data subject may at any time exercise the rights granted by Articles 15 to 22 of the GDPR.

Right of access: to obtain confirmation as to whether processing is taking place and to access their own personal data and the information relating to the processing.

Right of rectification: to obtain the correction of inaccurate data and the completion of incomplete data.

Right to erasure: to obtain the deletion of data in the cases provided for by the legislation (the so-called right to be forgotten).

Right to restriction: to obtain the restriction of processing in the cases provided for by Article 18 of the GDPR.

Right to object: to object at any time, on grounds relating to their particular situation, to processing based on the Controller's legitimate interest.

Right to portability: to receive, in a structured, commonly used and machine-readable format, the data processed on the basis of consent or of the contract, and to transmit it to another controller.

Right to withdraw consent: to withdraw at any time any consent given, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise their rights, the data subject may write to the address [email protected]. The Controller will respond without undue delay and in any event within the time limits provided for by law.

Right to lodge a complaint: without prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint with the competent supervisory authority, which for Italy is the Garante per la protezione dei dati personali (www.garanteprivacy.it), or with the authority of their State of residence or work.

10. Cookies and similar technologies

The showcase website and the console use cookies and similar technologies necessary for the proper functioning and security of the Service (technical and session cookies), for which the data subject's consent is not required.

To protect the contact and registration forms against automated submissions, spam and abuse, the Service uses Cloudflare Turnstile, a solution that verifies the human nature of interactions without resorting to invasive advertising tracking activities. In order to function, Turnstile may collect technical information relating to the visitor's device and session and may make use of cookies or local storage technologies necessary for that security purpose.

Where cookies that are not strictly necessary are used (for example statistical or third-party cookies), their use takes place subject to the user's appropriate consent, collected through a dedicated banner, in compliance with the applicable legislation and the guidelines of the Garante.

The user can manage their cookie preferences through their browser settings and, where available, through the dedicated consent management panel made available on the website.

11. Data security

The Controller adopts appropriate technical and organisational measures, pursuant to Article 32 of the GDPR, to ensure a level of security appropriate to the risk and to protect personal data from unauthorised access, loss, destruction, alteration or disclosure.

Such measures include, by way of example, the encryption of data in transit, access control and user authentication, the logical separation of data, the protection of the infrastructure through the hosting and CDN provider's services, the adoption of backup procedures and the training of authorised personnel.

Notwithstanding the ongoing commitment to adopting appropriate security measures, no system can guarantee absolute security. In the event of a personal data breach that entails a risk to the rights and freedoms of data subjects, the Controller will carry out the notifications provided for by Articles 33 and 34 of the GDPR.

12. Minors

The Service is aimed at professionals and businesses and is not intended for minors. The Controller does not knowingly collect minors' personal data for its own purposes. Should it become aware of the processing of a minor's data provided in the absence of a valid basis, it will proceed to its prompt deletion.

13. Changes to this policy

The Controller reserves the right to amend or update this Policy at any time, including as a result of regulatory developments or changes to the Service.

Changes will be made available on this page with an indication of the date of the last update. In the event of substantial changes, the Controller may provide specific notice through the channels deemed most appropriate. The data subject is therefore invited to consult this Policy periodically.

14. Contact

For any question relating to this Policy or to the processing of personal data, and to exercise their rights, you may contact the Controller at the following email address: [email protected].

Data controller: Dverse Studio.