Features Pricing MSP
Documentation Changelog Learning Hub
Sign in

Customer Privacy Policy

Back to Privacy and GDPR

In compliance with Articles 13 (data collected from the data subject) and 14 (data not obtained from the data subject) of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), this privacy notice provides information on the processing of personal data in the context of the existing service provision and supply relationship with the Data Controller (hereinafter referred to as the “Relationship”).

Data Controller and contact details

The Data Controller is SUBSTRING DI MATTEO CONTRINI, VAT no.: IT02632420226, with registered office at Via della Provvidenza 18, 38062 Arco (TN), Italy, contact email: support@dmarcwise.io.

Data Protection Officer (DPO)

Based on an assessment of the current processing activities, the controller has determined that a Data Protection Officer is not mandatory under Article 37 of the GDPR.

Categories of personal data processed and sources

The Data Controller processes the following categories of personal data.

  • Common Personal Data: such as contact data, addresses, telephone numbers, email addresses, and the like.

The data are generally provided voluntarily by the Data Subject.

However, the data may also be collected or obtained from third-party entities or public sources. This includes information retrieved from social security institutions, insurance providers, tax authorities, and other similar public bodies or registers.

Purposes of processing

The processing of personal data is grounded on the following purposes:

  1. to establish and manage the Relationship;
  2. to fulfil all statutory obligations to which the Data Controller is subject, including - but not limited to - legal, fiscal, and security requirements;
  3. to manage communications, including those involving third-party recipients, insofar as they are necessary for the effective management of the Relationship.

The processing of data shall be restricted to what is necessary to achieve these purposes.

Furthermore, processing activities may be carried out through both automated electronic systems and traditional paper-based formats.

The processing of personal data is carried out in accordance with the following legal bases:

  • Article 6(1)(b) of the GDPR – Contractual or pre-contractual necessity: processing is necessary for the performance of a contract to which the Data Subject is party, or to take specific steps at the request of the Data Subject prior to entering a contract. This legal basis applies to the purposes described in points (a), (b), and (c) above, insofar as the processing activities involve data strictly required to execute the terms of the Relationship or to implement pre-contractual measures before the formalization of such a Relationship;
  • Article 6(1)(c) of the GDPR – Compliance with a legal obligation: processing is necessary to comply with a legal obligation to which the Data Controller is subject. This legal basis applies to the purposes described in points (a), (b), and (c) above, insofar as the processing activities require to fulfil statutory obligations of the Data Controller. Such obligations include, but are not limited to, compliance with tax and accounting regulations and social security, and any other similar legal duties to which the Data Controller is bound;
  • Article 6(1)(f) of the GDPR – Legitimate Interests: processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party. This legal basis applies to the processing activities conducted in pursuit of the Data Controller’s institutional and statutory objectives. Such interests consist specifically of the fulfilment of these corporate and organizational goals, provided that they are not overridden by the interests or fundamental rights and freedoms of the Data Subject requiring the protection of personal data.

Mandatory vs. optional nature of data provision

Provision of personal data is mandatory insofar as such data are strictly necessary for the establishment and performance of the Relationship, as well as for related services and legal obligations. Consequently, any refusal to provide such data, whether in whole or in part, may result in the Data Controller being partially or entirely unable to initiate or administer the Relationship, or to discharge the related contractual and statutory duties.

Recipients of personal data and international transfers

Personal data may be disclosed, within the scope of the Relationship, to persons authorized to process data under the authority of the Data Controller, as well as to Data Processors. These recipients may include collaborators, professionals, and consultants providing ancillary or related services essential to the Relationship or otherwise connected to the purposes of processing.

Furthermore, the Data Controller may communicate personal data to external recipients who may operate as independent Data Controllers. Such recipients may include, for example, legal entities, associations, professionals, and public authorities. Any such disclosure shall be strictly limited to the data necessary to activities effectively supporting the achievement of the purposes of processing listed in this notice.

Data retention period

Personal data shall be retained for the entire duration of the Relationship and for any subsequent period necessary to comply with the applicable statutes of limitations or expiration periods for the enforcement of related rights. Furthermore, data will be retained as required to fulfil ongoing legal obligations, including - but not limited to - accounting, fiscal, social security and the like.

Automated decision-making and profiling

The Data Controller does not engage in any automated decision-making processes, including profiling.

Data transfers to third countries and international organizations

Personal data may be transferred to countries outside the European Economic Area or to international organizations, provided that such transfers are conducted in compliance with the GDPR.

Transfers shall occur only to jurisdictions for which an adequacy decision has been issued by the European Commission or where appropriate safeguards have been implemented, most notably Standard Contractual Clauses (SCCs).

In the absence of an adequacy decision or appropriate safeguards, transfers may only take place based on the data subject’s explicit consent or under the specific derogations set forth in Article 49 of the GDPR.

All such processing activities are performed in accordance with the principles established by the Court of Justice of the European Union in its “Schrems II” judgment of July 16th, 2020.

Rights of the Data Subject

Pursuant to Articles 15-22 of the GDPR, the Data Subject is entitled to exercise the following rights:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restriction of processing;
  • right to data portability;
  • right to object;
  • right not to be subject to a decision based solely on automated processing, including profiling.

These rights may be exercised in accordance with the procedures and timeframes established under Article 12 of the GDPR by sending a written communication to the Data Controller via the email address provided above.

The Data Controller shall provide a response without undue delay and, in any event, within one month of receipt of the request, except in cases of justified extension or refusal as per Article 12 of the GDPR.

Right to lodge a complaint and judicial redress

Pursuant to Article 77 et seq. of the GDPR, the Data Subject has the right to lodge a complaint with a competent supervisory authority. For the Italian territory, the designated supervisory authority is the Data Protection Authority.

The specific procedures, formats, and statutory time limits for lodging such a complaint are governed by the national legislation in force and the regulations established by the Data Protection Authority.

The exercise of this right is without prejudice to any other administrative or non-judicial remedy.

Within the Italian jurisdiction, any action for damages must be brought before the territorially competent civil Court.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date.

If there are significant changes to this Privacy Policy, we will notify you via email or through our service.

Last updated: 2026-01-20