How we handle your data

3.1 Navigation data

Computer systems automatically acquire technical data transmitted by browsers: IP address, browser and OS, requested URL, date and time. These data are necessary for security, proper functioning and technical diagnostics. They are not used for user profiling.

3.2 Voluntarily provided data

When you submit a contact request via the website form, we collect: name, email address, company name (optional), professional role (optional), province (optional) and message text. These data are necessary to reply to your request.

When you access the Ecosystem platform as a registered user, data necessary for service delivery are processed (company details, users, waste form and invoice data). These are governed by the Service Agreement and DPA entered into at account activation.

3.3 RENTRI Check

The RENTRI Check on the website is a self-assessment tool that processes user selections exclusively in the local browser. No data entered in the Check is sent to our servers or any third party.

• Responding to contact requests - pre-contractual measures or legitimate interest (Art. 6(1)(b)/(f) GDPR).
• Providing the Ecosystem service - contract performance (Art. 6(1)(b) GDPR).
• Security and abuse prevention - legitimate interest of the Controller (Art. 6(1)(f) GDPR).
• Legal obligations - legal obligation (Art. 6(1)(c) GDPR), where applicable.

We do not use data for direct marketing, automated profiling or automated decisions with legal effects on data subjects.

• Technical navigation logs: retained for the minimum time necessary for security and diagnostics, in any case no longer than 12 months unless legally required.
• Contact requests: retained for the time necessary to handle the request and subsequent communications, no longer than 2 years from the last exchange.
• Platform data: retained for the duration of the contract and for any additional periods required by applicable tax and accounting regulations (e.g. 10 years for fiscal documents).

We do not share personal data with third parties for marketing or profiling purposes. Data may be shared with:

• Technical service providers (e.g. hosting, cloud infrastructure) acting as Data Processors under the Controller's instructions;
• Public authorities where required by law.

Where part of the technical infrastructure involves entities established outside the European Economic Area (e.g. Hong Kong), the transfer is made with adequate safeguards under Chapter V GDPR (standard contractual clauses or equivalent recognised mechanisms).

As a data subject you have the right to:

• Access - obtain confirmation of processing and a copy of your data (Art. 15 GDPR);
• Rectification - update or correct inaccurate data (Art. 16);
• Erasure - request removal of data in applicable cases (Art. 17);
• Restriction - request restriction of processing (Art. 18);
• Portability - receive data in a structured format (Art. 20);
• Objection - object to processing based on legitimate interest (Art. 21);
• Complaint - lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or the supervisory authority of your country of residence.

Requests may be sent to privacy@intheeu.com. We will respond within 30 days.