Kruso Kapital S.p.A., with registered office at Largo Augusto 1/A, corner Via Verziere 13 - 20122 Milan, VAT No. 10753220960 (hereinafter, the “Data Controller”), in its capacity as Data Controller, hereby informs you pursuant to Legislative Decree no. 196/2003, as amended by Legislative Decree no. 101/2018 (hereinafter, the “Privacy Code”), and Article 13 of EU Regulation no. 2016/679 (hereinafter, the “GDPR”), that your data will be processed according to principles of fairness, lawfulness, and transparency, in compliance with the purposes and methods indicated below, collecting them only to the extent necessary and appropriate for processing. The contact details of the Data Protection Officer (DPO) are as follows: privacy@krusokapital.com, through which you may exercise the rights provided for under Article 15 et seq. of the GDPR.

1. Subject of the Processing

This Privacy Policy concerns the methods of managing the website https://www.krusokapital.com/ with reference to the processing of users’ personal data. Please note that this Privacy Policy refers exclusively to this website (hereinafter the “Website”) and does not concern any other websites that may be accessed by the user through links. Further information may be provided where necessary at the time of requesting a specific service. “Processing of personal data” means any operation or set of operations, whether or not carried out by automated means, applied to personal data or sets of personal data, even if not recorded in a database, such as collection, recording, organization, structuring, storage, processing, selection, blocking, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure, or destruction.

2. Types of Data Collected

Pursuant to EU Regulation 679/2016 on the processing of personal data, when you use our services, you agree that our Company collects certain personal data. This notice is intended to explain which data we collect, why, and how we use it. We collect and process the following categories of personal data concerning you:

a) Data voluntarily provided by the user

Through specific sections of the Website (e.g., “Contact” forms) or by sending requests to the contact details indicated on the Website, you may voluntarily provide personal data such as:

• identification and personal details (e.g., first name, last name);
• contact information (e.g., email address, phone number);
• any other personal data directly provided by you (e.g., information entered in forms).

b) Browsing data

The IT systems and software procedures used to operate this Website acquire, during their normal operation, certain identifying data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified individuals, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category includes IP addresses or domain names of the computers used by users connecting to the Website, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the response status from the server (successful, error, etc.), and other parameters related to the user’s operating system and IT environment. Such data may be used to ascertain liability in the event of cybercrimes against the Website.

c) Data collected through cookies or similar technologies

For more information regarding the types of cookies used and how to disable them, please refer to the Cookie Policy.

3. Purposes of Processing and Legal Basis

Except for browsing data, necessary for the operation of IT and telematic protocols, we will process your personal data for:

3.1) Purposes related to the provision of requested services

For example:

• allowing users access to the website https://www.krusokapital.com/;
• allowing users to request information;
• providing assistance to users in the event of requests sent through the contact details on the Website;
• managing any disputes that may arise between us;
• performing the requested service or activity.

The legal basis for processing is the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).

3.2) Legitimate interests pursued by the Data Controller

We may also:

• collect statistical information regarding Website usage (most visited pages, number of visitors by time slot, geographical areas of origin, etc.) and improve usability for users;
• defend our legal rights and interests in court;
• manage IT infrastructure and IT security.

The legal basis is the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).

3.3) Compliance with legal obligations

To comply with laws, regulations, and orders from Authorities, as well as tax and accounting obligations (e.g., provisions established by national and EU regulations or by Supervisory and Control Authorities, including determining liability in the event of cybercrimes against the Website). The legal basis is compliance with a legal obligation (Art. 6(1)(c) GDPR).

4. Methods of Processing

The processing of your personal data is carried out through the operations indicated in Art. 4 no. 2 GDPR, namely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data. Your personal data are processed both in paper and electronic and/or automated form.

5. Access to Data and Disclosure

Your data may be made accessible for the purposes referred to in section 3 to:

• employees and collaborators of the Data Controller, in their capacity as authorized persons and/or internal processors and/or system administrators;
• third-party companies or other entities (such as ICT companies, website providers, consultants, professional firms, companies/individuals used by the Data Controller for data archiving activities, etc.) carrying out outsourced activities on behalf of the Data Controller, in their capacity as external data processors.

The Data Controller may also disclose your data to Supervisory Bodies, Judicial Authorities, Police Authorities, Public Bodies, and all subjects to whom disclosure is mandatory by law for the fulfillment of the aforementioned purposes. These subjects will process the data as independent Data Controllers. Your data will not be publicly disclosed.

6. Data Retention Period

Browsing data will be stored only for the period strictly necessary to achieve the purposes for which they were collected. In particular:

• users’ IP addresses are pseudonymized using a hash function and stored for a maximum of 24 hours solely for protection against brute-force attacks, unless further retention is necessary to ascertain liability in the event of cybercrimes against the Website or to comply with requests from judicial authorities;
• in access logs, IP addresses are immediately anonymized through masking and partial storage by removing the last part of the numerical code, making users no longer identifiable;
• for users filling out contact forms, IP addresses are immediately deleted; only if the request includes an attachment, the IP address is retained for the time necessary to properly manage the attachment transmission, corresponding to 7 days.

Data voluntarily provided through contact forms will be processed and retained only for the time strictly necessary to achieve the purposes for which they were collected, after which they will be deleted or anonymized, unless further retention is necessary for legal defense purposes. In particular, such data are retained for 24 months and subsequently deleted and/or anonymized.

7. Data Transfers

Personal data may be transferred outside the European Union. In such cases, transfers to non-EEA countries will take place in compliance with applicable legal provisions:

• where the European Commission has recognized that a non-EEA country ensures an adequate level of data protection, your personal data may be transferred on this basis;
• for transfers to non-EEA countries not recognized as adequate by the European Commission, we may rely on derogations applicable to the specific situation and/or adopt the Standard Contractual Clauses approved by the European Commission for extra-EU data transfers.

In particular, please note that the hosting provider for this Website, Webflow Inc., uses data centers located in the United States of America. The provider is certified under the EU-US Data Privacy Framework agreed between the European Commission and the U.S. Department of Commerce, ensuring a level of protection consistent with EU legislation, available at https://www.dataprivacyframework.gov, and also provides the Standard Contractual Clauses adopted by the European Commission.

8. Nature of Data Provision

Providing data for the purposes referred to in section 3 is mandatory for all requirements arising from legal and contractual obligations. Therefore, refusal to provide such data, in whole or in part, may make it impossible for the Data Controller to provide its services. For the consequences of refusing and/or removing cookies, please refer to the Cookie Policy.

9. Rights of the Data Subject and Methods of Exercise

We inform you that, at any time and where applicable, you may exercise the rights provided for under Articles 15 et seq. GDPR:

• obtain confirmation as to whether or not personal data concerning you exist and receive a copy in intelligible form;
• obtain updating, rectification, or integration of your data;
• request deletion of your data, within the limits permitted by law;
• object, in whole or in part, to the processing of personal data concerning you;
• request restriction of processing in case of violations, requests for rectification, or objections;
• request portability of electronically processed data provided based on consent or contract;
• withdraw consent to the processing of your data, where applicable;
• with regard to fully automated profiling, obtain human intervention by the Data Controller in order to express your opinion and contest the decision.

If deemed appropriate, you may lodge a complaint with the Data Protection Authority. To exercise your rights, you may contact the Data Controller at the following email address: compliance&antiriciclaggio@krusokapital.com. You may also contact the Data Protection Officer (DPO) at: privacy@krusokapital.com.

INFORMATION SHEETS