Policy on the use of cookies
Regulation (EU) no. 2016/679 (“GDPR”)

Teory Group S.r.l. (hereinafter “TEORY”) protects the confidentiality of personal data and guarantees its necessary protection against any event that may put it at risk of violation.

As provided for in European Union Regulation no. 2016/679 (“GDPR”) and in the regulations in force regarding the processing of personal data, the user (“Interested Party”) is provided with information on cookies.

SECTION I

Who we are and what data we process (art. 13, paragraph 1, letters a-b, of the GDPR)

Through its pro tem legal representative, Teory Group S.r.l, with registered office in Via Giusuee 8 (MI), acts as the Data Controller and may be contacted at the address privacy@teorygroup.com

The Data Controller has appointed a Data Protection Officer (DPO) who can be contacted for any information and requests at: e-mail: dpo@teorygroup.com
Telephone number: 039/6774551
For any information or requests, please contact the following address
privacy@teorygroup.com
Telephone number: 039/6774551

Cookies may collect information and personal data such as IP address, nationality, town, date/time, device, browser, operating system, screen resolution, browsing route, pages visited and number of pages, duration of the visit, number of visits made.

The use of third-party cookies is governed by the rules drawn up by said third parties; the Interested Party is therefore asked to consult the policies on the processing of personal data as published on the websites referred to in Section II below, under the heading “Third- party cookies”.

SECTION II

What are cookies?

Cookies are small strings of text that sites visited by the user send to his/her terminal (usually to the browser), where they are stored so that they can be retransmitted to those sites on the user’s next visit. When browsing a site, the user may also receive cookies on his/her terminal that are sent from different sites or web servers (so-called “third parties”), on which certain elements (such as, for example, images, maps, sounds, specific links to pages of other domains) on the site that he/she is visiting, may reside.
Two macro-categories of cookies can be distinguished: “technical” cookies and “profiling” cookies.

Technical cookies facilitate normal browsing and use of the website (for example, making it possible to make a purchase or authenticating access to restricted areas). If such cookies are not accepted, it would not be possible to carry out certain operations or these would be more complex and/or less secure; for these purposes, cookies that make it possible, for example, to identify or ensure the continued identification of the user within the session are essential.

Profiling cookies are aimed at creating profiles related to the user and can be used to send advertising messages in line with the preferences expressed by the user, or for detailed analyses or reports relating to the same in the context of browsing the network.

How we use cookies

Technical cookies, third-party cookies and, if the Interested Party has given explicit and informed consent, profiling cookies, can be installed from our website or from the corresponding subdomains.

In all cases the user may, at any time, manage or request the general disabling or deletion of cookies by altering the settings on his/her internet browser. However, this disabling may slow down or prevent access to certain parts of the site or affect how browsing functions.
The settings for managing or disabling cookies may vary depending on the internet browser used; therefore, for more information on how to carry out these operations, we suggest that the User consult the manual for his/her own device or the “Help” function on his/her internet browser.
Below are links that show how to manage or disable cookies for the most common internet browsers used:

Internet Explorer: http://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies
Google Chrome: https://support.google.com/chrome/answer/95647
Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie
Opera: http://help.opera.com/Windows/10.00/it/cookies.html
Safari: https://support.apple.com/kb/PH19255

Purpose, disabling and management of cookies
(art. 13, paragraph 1, letter c, of the GDPR)

Technical, functional technical and technical analytics cookies

The use of technical cookies, i.e. cookies necessary for the transmission of communications via the electronic communications network, or cookies strictly necessary so that the supplier can provide the service required by the customer, make it possible to use our site securely and efficiently.
Session cookies may be installed to facilitate access to and continued presence in the restricted area of the portal as an authenticated user.
Technical cookies are essential for the correct functioning of our website and are used to allow users access to normal browsing and the possibility of using the advanced services available on our website. The technical cookies used are divided into session cookies, which are only stored for the duration of the visit until the browser is closed, and persistent cookies, which are saved in the memory of the user’s device until they expire or are deleted by the user.
Our site uses the following technical cookies:
• Technical browsing or session cookies, used to manage normal browsing and user authentication;
• Functional technical cookies, used to store customisation of the user’s choices, such as language;
• Technical analytics cookies, used to determine how users use our website, so that we can assess and improve its functioning, solely for optimisation purposes, for example collecting overall information on the number of users who visit the site and/or which pages are most visited.

Third-party, analytics and profiling cookies

Third-party cookies may be installed: these are the analytics and profiling cookies of Google Analytics, Google Doubleclick, Criteo, Rocket Fuel, YouTube, Yahoo, Bing and Facebook. These cookies are sent from the internet sites of aforementioned third parties outside our own site.
Third-party analytics cookies are used to gather information on user behavior on the site. Identification is done anonymously to monitor services and improve the site’s usability. Third-party profiling cookies are used to create user profiles, in order to produce advertising messages in line with the choices made by said users. Though not receiving from Aruba any data for identifying the user (in fact the user’s IP is made anonymous before transmission), third parties can nevertheless associate the data received with other data and/or information on the user already in their possession.
The use of these cookies and the corresponding disabling option are governed by rules drawn up by the third parties; therefore the Interested Party is invited to consult the policies on the processing of personal data, and the instructions for managing or disabling cookies, which are published on the web pages shown below. The said policies may be provided in a language other than that of the Interested Party; in any case the latter may contact Teory, using the reference details provided in Section I, to obtain information and/or clarification thereon in the language of said Interested Party:

MANAGER

COOKIES

DATA COLLECTED

MANAGER PRIVACY LINK

LINK INCLUDED IN THE CODE

LINK TO DISABLE COOKIES

Google

_ga

Records a unique ID used to generate statistics on how the visitor uses the website. Records IP and demographics, where possible, to display user-targeted advertisements and TransactionID for orders placed (not all on all sites)

https://www.google.com /intl/en/policies/privacy/

https://www.google- analytics.com/analytics.js

https://support.google.com/acco unts/answer/61416?hl=en

_gid

Records a unique ID used to generate statistics on how the visitor uses the website.

VisitorStatus

Used to collect statistical data on user- defined parameters in Google Analytics.

ads/ga- audiences

Pixel

collect

Pixel

r/collect

Pixel

IDE

Used by Google DoubleClick to record and produce reports on user action on the site after displaying or clicking on one of the ads produced by the advertiser, in order to measure the effectiveness of the advertising and to present the user with targeted advertising.

YouTube

PREF

Records a unique ID used by Google for statistics on how the visitor to the site uses YouTube videos on different internet sites.

https://www.youtube.co m/intl/en/yt/about/polici es/#community- guidelines

https://www.youtube.com/e mbed/b-m0r-xx0jy?rel=0

https://support.google.com/acco unts/answer/61416?hl=en

GPS

Records a unique ID on mobile devices to facilitate tracking on the basis of GPS geographical positioning.

visitor-id

YSC

Records a unique ID for statistics on what

MANAGER

COOKIES

DATA COLLECTED

MANAGER PRIVACY LINK

LINK INCLUDED IN THE CODE

LINK TO DISABLE COOKIES

YouTube videos have been watched by the user.

Matomo

_pk_id#

Collects anonymous statistics on access to the website, such as the number of visits, average time spent on the website and what pages have been read.

https://matomo.org/priv acy-policy/

wa.aruba.it (Web Analytics Platform on local proprietary Server)

https://wa.aruba.it/index.php?m odule=CoreAdminHome&action= optOut&language=en

_pk_ses#

Used by the Piwik Analytics platform to track the visitor’s page requests during the session.

piwik.php

Pixel

Yahoo.com

B

Collects anonymous data on the user’s website visits, including the number of visits, the average time spent on the site and the pages downloaded. The data recorded is used to classify users’ interests and to define demographic profiles in order to customise the website according to the visitor.

https://policies.oath.com /ie/en/oath/privacy/inde x.html

N.D.

https://policies.oath.com/ie/en/ oath/privacy/controls/index.html

Rocket Fuel Sizmek

eud

Records anonymised data on users, such as IP addresses, geographical location, websites visited and which ads the user has clicked on, with the aim of optimising the ads shown, based on user movements on websites that use the same ad network.

http://rocketfuel.com/it/ privacy/

rfihub.com

http://rocketfuel.com/it/cookie- policy/

euds

Records anonymised data on the user’s visits to the site, such as the number of visits, the average time spent on the site and the pages downloaded, in order to display targeted advertising.

rud

Records anonymised data on users, such as IP addresses, geographical location, websites visited and

MANAGER

COOKIES

DATA COLLECTED

MANAGER PRIVACY LINK

LINK INCLUDED IN THE CODE

LINK TO DISABLE COOKIES

which ads the user has clicked on, with the aim of optimising the ads shown, based on user movements on websites that use the same ad network.

ruds

Records anonymised data on users, such as IP addresses, geographical location, websites visited and which ads the user has clicked on, with the aim of optimising the ads shown, based on user movements on websites that use the same ad network.

smd

Records anonymised data on users, such as IP addresses, geographical location, websites visited and which ads the user has clicked on, with the aim of optimising the ads shown, based on user movements on websites that use the same ad network.

Bing

MUID

Used widely by Microsoft as a unique user ID. The cookie makes it possible to track the user by synchronising the ID on various Microsoft domains.

https://privacy.microsoft. com/en- us/privacystatement

https://bat.bing.com/bat.js

https://privacy.microsoft.com/en -us/privacystatement

MUIDB

bing.com – MUIDB

Facebook

fr

Used by Facebook to provide a series of advertising products such as real time offers from third-party advertisers.

https://www.facebook.co m/privacy/explanation

facebook.com – fr

https://www.facebook.com/help /cookies/

tr

facebook.com – tr

Twitter

i/jot/syndicati on

Pixel

https://twitter.com/er/pr ivacy

https://platform.twitter.com/ widgets.js

https://help.twitter.com/en/rule s-and-policies/twitter-co

SECTION III

Communication to third parties and categories of recipients (Article 13, paragraph 1 GDPR)

The Interested Party’s personal data is primarily communicated to third parties and/or recipients whose activity is necessary for carrying out operations involved in the processing of data and for meeting certain legal requirements, such as:

Categories of recipients

Companies belonging to the Teory Group S.r.l (“TEORY”)

Third party providers and companies belonging to the Aruba Teory Group S.r.l*

Judicial Authorities, Monitoring and Inspection Authorities

Formally mandated subjects or those with recognized legal rights

* The Controller requires its own third party providers and Data Processors to adhere to security measures that are equal to those adopted for you by restricting the Data Processor’s scope of action to processing directly related to the requested service.
The Controller will not transfer your personal data to countries where the GDPR is not applicable (countries outside the EU) except where specifically indicated otherwise, in which case you will be first notified, and if necessary asked for your consent.

SECTION IV

How we process your data (Article 32, GDPR)

TheController makes use of appropriate security measures to preserve the confidentiality, integrity and availability of your personal data, and requires the same security measures from third party providers and the Processors.

Where we process your data

Your data is stored in hard copy, electronic and remote archives located in countries where the GDPR is applicable (EU countries).

How long is your data stored? (Article 13, paragraph 2 (a) GDPR)

The length of time for which the information gathered via cookies is stored depends on the type of cookies involved:

  • –  Technical cookies: Teory does not store data relating to technical cookies because this is stored in the user’s terminal equipment. The Interested Party may at any time delete this type of cookie by means of the processes described in this policy;
  • –  Profiling cookies: profiling data is not stored, but its management must be carried out by the user directly with the third parties, depending on the instructions received from them and by means of the instruments specified in this policy.

What are your rights? (Articles 15 – 20 GDPR)

You have the right to obtain the following from the Data Controller:
a) confirmation on whether your personal data is being processed and if so, to obtain access to your personal data and the following information:

        1.the purposes of the processing;
2.the categories of personal data in question;
       3.the recipients or categories of recipients that have received or will receive your personal data, in particular if these recipients are in third party
countries or are international organizations;
       4. when possible, the anticipated storage period of your personal data or, if not possible, the criteria used to determine this period;
       5. whether you have the right to ask the Data Controller to correct or delete your personal data or the limits on processing your personal data or to
oppose the processing of the data;
       6. the right to file a claim with a supervisory authority;
       7.in the event the data is not collected from you, all of the information available regarding its source;
       8.whether there is an automated decision process, including profiling, and, at lease in these cases, significant information on the logic used, as well as
the importance and consequences to you for this processing.
       9. the suitable guarantees provided by the third party country (outside EU) or international organization to protect any transferred data

b) the right to obtain a copy of the personal data processed, again given that this right does not affect the rights and freedoms of others; for extra copies requested by you, the Data Controller may assign a reasonable fee based on administrative costs.
c) the right to edit any of your incorrect personal data from the Data Controller without unjustified delay
d) the right to have the data processor delete the personal data relating to the Interested Party without undue delay, if the grounds contemplated in art. 17 of the GDPR apply, which includes situations in which the data is no longer necessary for processing purposes, or if this is seen as unlawful, and provided the legal conditions for this apply; and in any case if processing of the data is not justified for any other similarly legitimate purpose;
e) the right to obtain limits on the processing from the Data Controller, in those cases outlined in Art. 18 of the GDPR, for example where you have disputed the correctness, for the period necessary for the Data Controller to verify the data’s accuracy. You must be notified, within an appropriate time, even when the suspension period has passed or the cause of limiting the processing has been eliminated, and therefore the limitation itself has been withdrawn;
f) the right to obtain information from the Data Controller on the recipients who have received the requests for any corrections or deletions or limits on the processing implemented, except when this is impossible or would create a disproportionate effort.
g) the right to receive your personal data in a structured format, commonly used and readable by automatic devices as well as the right to forward this data to another Data Controller without obstruction from the original Data Controller, in those cases outlined by Art. 20 of the GDPR, and the right to obtain direct forwarding of your personal data from one Data Controller to another, if technically feasible.
To obtain further information and to submit your request, you must contact the Data Controller at privacy@teorygroup.com To guarantee that the above rights are exercised by the Interested Party and not by unauthorised third parties, the Data Controller may ask the former to provide further information necessary for this purpose.

How and when can you oppose the processing of your personal data? (Art. 21 GDPR)

For reasons connected with the Interested Party’s particular circumstances, the latter may at any time refuse the processing of its personal data if this is justified on legitimate grounds or if it is carried out for commercial promotion purposes, by sending its request to the Data Controller at privacy@teorygroup.com

You have the right to have your own personal data deleted if the Data Controller has no legitimate reason prevailing over such request, and in any case, where you have opposed the processing for business promotional activities.

Who can you file a claim with? (Art. 15 GDPR)

Recognising the possibility of any other administrative or judicial action, the Interested Party may lodge a complaint with the competent monitoring authority in Italy (the Italian Data Protection Authority) or to the agency that performs this role and exercises the corresponding powers in the Member State in which violation of the GDPR has occurred.

Any updates to this information shall be communicated in a timely manner and through suitable means, and will be notified to you if the Data Controller processes your data for purposes other than those outlined in this notice prior to proceeding and after you have given your consent, if necessary.