Privacy

This Privacy Policy describes the methods and purposes of the processing of personal data carried out by the Data Controller as part of the provision of the services offered through the website www.aaa.it and, where applicable, through other websites, platforms, applications, products or content attributable to the Data Controller.

This Policy applies to all natural persons who:

• browse the website;

• request information or come into contact with the Data Controller;

• request, use or are recipients of the services offered by the Data Controller, including the Clients of the Aaa.it Service.

The processing of the personal data will take place in compliance with the applicable legislation, with particular reference to EU Regulation 2016/679 (hereinafter, also the “Regulation”) on the protection of individuals with regard to the processing of personal data, as well as national implementing provisions and provisions of the National Supervisory Authority (i.e. the Italian Data Protection Supervisor).

In relation to specific services or features, the Data Controller may provide dedicated privacy policies, which will complement or, if necessary, replace this Policy. In the event of a conflict, the information relating to the specific service will prevail.

Pursuant to Article 4 of Regulation (EU) 2016/679 (GDPR), the processing of personal data relating to the Aaa.it Service involves the following individuals, each according to their role and responsibilities.

Marketing Network Milano Srl, based in Milan (MI), Via Fatebenefratelli, 5, as manager of the site and the Aaa.it Service, acts as Data Controller, determining the purposes and means of processing personal data.

Incipit Holding Srl, a company belonging to the same group as the Data Controller (I&B – Innova et Bella), as the Data Controller's operating partner and reseller of the services provided by Qboxmail, acts as Data Processor pursuant to Article 28 of the GDPR, processing personal data on behalf of the Data Controller and based on the instructions given.

Qboxmail, a provider of cloud services for managing email infrastructure, acts as a Sub-Processor, pursuant to Article 28, paragraphs 2 and 4 of the GDPR, based on specific contractual arrangements.

Relations between the Data Controller, the Data Processor and the Sub-Processor are governed by agreements in accordance with Article 28 of the GDPR, aimed at ensuring adequate technical and organizational measures to protect the rights and freedoms of data subjects.

Qboxmail processes personal data exclusively for technical and security purposes, in an automated manner, and in no case uses such data for its own purposes, such as content analysis, profiling or marketing.

The Aaa.it Service is designed to ensure a high level of confidentiality and protection of the digital identity of Clients. The processing of personal data takes place in compliance with the principles of necessity, proportionality and minimization.

The Data Controller does not access, read or analyse the content of email communications, messages, attachments or information stored within the Accounts, nor does it carry out profiling activities based on such content.

The communications content, metadata, and information processed within the Aaa.it Service are not currently used for training, developing, or improving Artificial Intelligence, Machine Learning, or Large Language Models (LLM) systems, whether proprietary or third-party.

Any automated processing of communication flows is limited to what is strictly necessary for technical and security purposes, such as the prevention of spam, malware, attempts at unauthorized access, abuse of the Service, or compromise of the integrity of systems. Such processing activities take place without direct human intervention on the contents of communications.

Infrastructure providers involved in the delivery of the Service, including Sub-Processor, operate on the basis of specific contractual arrangements and do not use personal data for their own purposes, such as content analysis, profiling or marketing activities.

The contents of the communications remain in the full and exclusive availability of the Client, without prejudice to compliance with the Terms and applicable legislation.

The Data Controller processes various categories of personal data, depending on how the website and the Aaa.it Service are used.

A) Navigation data.

Through the use of the website, even for exclusively informational purposes, the computer systems and software procedures responsible for operating the site acquire personal data whose transmission is implicit in the use of Internet communication protocols.

This category includes, but is not limited to, IP addresses, hostnames of devices used by users, date and time of the request, time difference from Greenwich Mean Time (GMT), content of the request, HTTP status code, volume of data transferred, source site (referrer), browser, operating system, language, and other parameters related to the user's computing environment.

These data are processed for the sole purpose of obtaining anonymous statistical information on the use of the site and to verify its correct functioning, and are deleted after their processing, except for possible use for the establishment of liability in the event of computer crimes against the site or the Service, including at the request of the judicial authority.

B) Data provided voluntarily by the user.

The Data Controller processes the personal data voluntarily provided by users and data subjects through the contact forms on the site or as part of the contractual relationship.

Such data may include, by way of example, identification and contact data (first name, surname, date of birth, company name, address, telephone contact details and email addresses), as well as data necessary for invoicing and payments relating to the requested services.

The provision of personal data may be a necessary requirement for the provision of services. Any failure to provide certain data could result in the Data Controller being unable to provide the requested services.

C) Technical and service data relating to the Account.

As part of the provision of the Aaa.it Service, the Data Controller processes technical and service data necessary for managing the Account, ensuring the proper functioning of the Service, and ensuring system security.

This category includes, for example, data relating to logins, IP addresses, technical device identifiers, timestamps, system logs, security events, spam, malware and abuse prevention activities, as well as other technical information strictly necessary for the operation of the email infrastructure.

Such data does not include the content of email communications.

D) Contents of email communications.

The contents of the email communications, messages, attachments and information stored within the Accounts are treated exclusively to allow the provision of the email Service requested by the Client.

The Data Controller does not access, read or analyse such content, nor use it for profiling or marketing purposes, except as strictly necessary for technical and security needs, as indicated in the chapter dedicated to the Service's Privacy Principles.

The personal data of data subjects shall be processed by the Data Controller for the purposes set out below, in compliance with the principles of lawfulness, correctness, transparency, minimisation and proportionality provided for in Regulation (EU) 2016/679 (GDPR).

A) Performance of the contract and provision of the Service.

Personal data is processed to enable the request, activation, management, and use of the Aaa.it Account and related services, as well as to carry out the technical, administrative, and security activities necessary to provide the Service.

This includes, for example, the management of login credentials, requests to purchase services, payment transactions, and the issuance of administrative and tax documentation.

The legal basis for processing is represented by Article 6, paragraph 1, letter b) of the GDPR (execution of a contract or pre-contractual measures).

B) Fulfillment of legal obligations.

Personal data may be processed to fulfil legal obligations, regulations or orders of the competent authority, in particular in tax, accounting and administrative matters.

The legal basis for the processing is represented by Article 6, paragraph 1, letter c) of the GDPR

C) Institutional and relational communications reserved for Triple-A.

The Data Controller may process personal data to send selective, institutional, and relational communications, closely related to the nature of the Aaa.it Service, such as updates on the Service, confidential initiatives, and relationship opportunities with selected Partners operating in the luxury, personalized services, high-level consulting, or financial services sectors dedicated to HNWI and UHNWI Clients.

These communications are not massive or indiscriminate in nature and are based on criteria of relevance, discretion and added value.

The legal basis for the processing is represented by the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, letter f) of the GDPR. The data subject may object at any time to the receipt of such communications.

D) Limited profiling.

Subject to the express and specific consent of the Data Subject, the Data Controller may carry out limited and non-invasive profiling activities, aimed exclusively at an aggregate understanding of the general interests of Triple-A Clients, in order to propose initiatives or content consistent with the Service's excellence profile.

In any case, no profiling is carried out based on the content of email communications.

The legal basis for processing is represented by Article 6, paragraph 1, letter a) of the GDPR. Consent may be withdrawn at any time.

E) Selective communication to Partners of Excellence.

Subject to the express and specific consent of the Data Subject, the Data Controller may communicate certain identification and contact data of the Client to carefully selected Partners, exclusively to allow the proposition of value opportunities consistent with the Triple-A profile.

The communication takes place according to criteria of necessity, proportionality and confidentiality and does not involve the indiscriminate transfer of data.

The legal basis for processing is represented by Article 6, paragraph 1, letter a) of the GDPR. Consent is optional and may be withdrawn at any time.

F) Technical management of the site and analysis tools.

Personal data may be processed for technical, statistical and website operation purposes, including through the use of analysis and tag management tools provided by third parties.

These data processing take place in compliance with the minimization configurations and, where applicable, with the user's consent. The legal basis is represented by the consent of the Data Subject or the legitimate interest of the Data Controller, depending on the type of instrument used.

As part of the provision of the Aaa.it Service, the Data Controller may use limited and strictly necessary automated processes to ensure the proper functioning of the Service, the security of the systems and the prevention of abuse.

Such automated processes may include, by way of example, anti-spam and anti-malware filtering systems, abnormal or unauthorized access detection mechanisms, and technical infrastructure monitoring tools.

The automated processes described above do not involve decisions based solely on automated processing that produce legal effects against the data subject or that similarly significantly affect his or her person, pursuant to Article 22 of the GDPR.

In particular, the Data Controller does not adopt automated decisions that result in the suspension, limitation or termination of the Account without adequate human intervention, except in cases provided for by law or necessary to prevent serious or immediate damage to the security of the Service.

The personal data of data subjects are not subject to indiscriminate dissemination. The Data Controller communicates personal data to third parties only within the limits necessary for the provision of the Aaa.it Service, the fulfillment of legal obligations, or with the specific consent of the Data Subject.

In particular, personal data may be communicated to entities operating as Data Processors or Sub-Processors, pursuant to Article 28 of the GDPR, such as suppliers of technological, infrastructure, administrative or technical support services, appointed by the Data Controller on the basis of adequate guarantees of reliability and security.

Subject to the express consent of the Data Subject, certain identification and contact data may be communicated to selected Partners, exclusively to enable the proposal of opportunities consistent with the profile and positioning of the Aaa.it Service, according to criteria of necessity, proportionality, and confidentiality.

In the event of extraordinary corporate transactions, such as mergers, acquisitions, corporate reorganisations or transfers of a business or business units, personal data may be transferred to the entities involved in such transactions, including during the preliminary evaluation phase, in compliance with applicable law and subject to the implementation of appropriate safeguards for the protection of data subjects.

Personal data may also be communicated to judicial authorities, police forces or other public administrations in cases provided for by law or at the legitimate request of the competent authority. These entities will process the data as independent data controllers.

The updated list of Data Processors and Sub-Processors can be requested at any time by writing to privacy@aaa.it.

The personal data of data subjects are processed predominantly within the European Economic Area (EEA).

Where, for technical, operational or support needs, certain personal data are to be transferred to countries located outside the EEA, the Data Controller shall ensure that such transfers take place in compliance with the provisions set out in Articles 44 et seq of Regulation (EU) 2016/679 (GDPR).

In particular, the transfer of data to third countries takes place exclusively in the presence of an adequacy decision by the European Commission or subject to the adoption of appropriate safeguards, such as standard contractual clauses approved by the European Commission or other protection instruments provided for by applicable legislation.

Where provided, the data subject may obtain information on the guarantees adopted for the transfer of personal data to third countries, as well as a copy thereof, by contacting the Data Controller at the contact details indicated in this Policy.

The possible use of tools or services provided by entities established outside the EEA shall in any case take place in compliance with the principles of data minimisation and purpose limitation.

The processing of personal data is carried out by the Data Controller using IT and telematic tools and, on a residual basis, also using paper media, with organizational and logical methods closely related to the purposes for which the data are processed, in compliance with the principles of lawfulness, correctness, transparency and minimization established by applicable legislation.

The Data Controller shall take appropriate measures to ensure that personal data are processed in a way that ensures their security and confidentiality, avoiding unauthorized access, disclosure, modification or unauthorized destruction.

Personal data shall be kept for a period of time not exceeding that necessary for the pursuit of the purposes for which it was collected and processed, taking into account legal obligations and the requirements for the protection of the rights of the Data Controller and data subjects.

In particular:

• the data processed for contractual purposes and for the provision of the Service are stored for the entire duration of the contractual relationship and, subsequently, for the period necessary to fulfill legal obligations or protect the rights of the Data Controller;

• data processed for administrative, accounting and tax purposes are stored for the periods provided for by applicable legislation;

• data processed for the purposes of institutional and relational communications based on legitimate interest are retained until the data subject exercises his right to object;

• data processed for profiling purposes are stored for a period not exceeding 36 months, unless consent is revoked in advance.

At the end of the contractual relationship, for any cause, the Account may be kept in a deactivated state for a limited period, in order to allow for any technical, administrative or requested checks by the Data Subject. After this period, the personal data associated with the Account are deleted or anonymized, unless the retention is necessary to fulfill legal obligations or for the protection of the rights of the Data Controller.

The email address associated with the Account, once the deletion process has been completed, may be made available again for reassignment to third parties, without this in any case resulting in access to the data or content attributable to the previous Account holder.

During the deactivation period, the data subject may request the reactivation of the Account. Reactivation is not guaranteed and is left to the discretionary assessment of the Data Controller, based on technical, organizational and security considerations. In any case, during the deactivation period personal data remain subject to the same protection and confidentiality measures provided for in this Policy.

After the applicable retention period, personal data are deleted or anonymized, subject to technical requirements and any legal obligations.

Residual copies of personal data may remain within backup systems for a limited period, solely for security, operational continuity and system recovery purposes, in accordance with internal data protection policies and applicable law.

The Data Controller shall take appropriate technical and organisational measures to ensure a level of security of personal data proportionate to the risks involved in the processing, in accordance with Article 32 of Regulation (EU) 2016/679 (GDPR).

These measures are aimed, in particular, at preventing the destruction, loss, modification, unauthorized disclosure or access to personal data processed, whether accidentally or unlawfully.

Security measures include, by way of example, access control systems, authentication procedures, technological infrastructure protection mechanisms, as well as organizational measures aimed at limiting access to personal data to authorized entities only and for permitted purposes only.

The Data Controller periodically checks the adequacy of the measures taken and updates them, where necessary, also taking into account technological developments, the nature of the data processed and the methods of providing the Service.

The Data Processors and Sub-Processors involved in the delivery of the Service are selected on the basis of appropriate security safeguards and are contractually bound to compliance with protective measures consistent with those adopted by the Data Controller.

Data subjects may exercise at any time the rights recognised in Articles 15 et seq. of Regulation (EU) 2016/679 (GDPR), within the limits and under the conditions set out in the applicable legislation.

In particular, the data subject shall have the right to

• obtain confirmation that personal data concerning him or her is being processed and that he or she is accessing such data;

• request the rectification of inaccurate personal data or the integration of incomplete data;

• obtain the deletion of personal data, in the cases provided for by law;

• request restriction of processing, in the cases provided for by law;

• oppose the processing of personal data, particularly when the processing is based on the legitimate interest of the Data Controller;

• receive personal data in a structured, commonly used and machine-readable format and, where technically feasible, transmit it to another controller (right to portability);

• revoke any consent given at any time, without affecting the lawfulness of the processing based on consent prior to revocation.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority, if he/she considers that the processing of personal data concerning him/her takes place in violation of the applicable legislation.

To exercise their rights or to request information on the processing of personal data, the data subject may contact the Data Controller by writing to privacy@aaa.it. The Data Controller may request additional information necessary to verify the identity of the applicant, in order to protect the confidentiality of personal data.

The website www.aaa.it uses cookies and similar technological tools to ensure the site's proper functioning, improve the browsing experience, and, with the user's consent, for statistical and analytical purposes.

Detailed information regarding the types of cookies used, their purposes, the legal basis for processing, as well as how to give or withdraw consent, is available in the Cookie Policy, which can be consulted via the appropriate link on the site.

The website www.aaa.it may contain links to third-party websites or services.

The Data Controller does not exercise any control over the contents, operating methods or policies for processing personal data adopted by such third parties, who operate as autonomous data controllers.

Access to third-party websites is done under the responsibility of the user. The user is therefore invited to carefully consult the conditions of use and privacy statements published on the sites visited.

The Aaa.it Service is not intended for individuals under 18. The Data Controller does not knowingly collect personal data of minors.

If the Data Controller becomes aware of the processing of personal data relating to minors, it will proceed without delay with their deletion, unless the retention is necessary to fulfill legal obligations or for the protection of its rights.

For reports or requests relating to personal data of minors you can write to privacy@aaa.it.

The Data Controller is Marketing Network Milano Srl, based in Milan (MI), Via Fatebenefratelli, 5.

For any request relating to this Policy, to exercise the rights provided by the GDPR or to obtain the updated list of Data Processors and Sub-Processors, you can contact the Data Controller by writing to privacy@aaa.it.

The Data Controller may modify or update this Privacy Policy, also as a consequence of regulatory changes, evolutions of the Service or updates of the methods of processing personal data.

Changes will be published on the website www.aaa.it and, where necessary or appropriate, can be communicated to data subjects through available contact channels.

The effective date of the latest version is indicated at the beginning of this Policy.