Privacy Policy
The purpose of this document is to inform Users about the personal data collected by the AnyLetters website and application.
Last updated: 17 February 2026
Introduction
The purpose of this document (hereinafter "Privacy Policy") is to inform Users about personal data, understood as any information that allows the identification of a natural person (hereinafter "Personal Data"), collected by the website https://www.anyletters.it and the application https://app.anyletters.it (hereinafter "Application").
The Data Controller, as subsequently identified, may modify or simply update, in whole or in part, this Policy by informing Users. Changes and updates will be binding as soon as published on the Application. Users are therefore invited to read the Privacy Policy each time they access the Application.
In case of non-acceptance of changes made to the Privacy Policy, Users must cease using this Application and may request the Data Controller to remove their Personal Data.
1. PERSONAL DATA COLLECTED BY THE APPLICATION
The Controller collects the following types of Personal Data:
Content and information voluntarily provided by the User: Personal Data that the User voluntarily provides to the Application during its use, such as personal data (name, surname, company name), contact details (email, phone, billing address), access credentials to services and/or products provided, tax data (VAT number, Tax Code), payment information (managed by PCI-DSS certified external providers), contact lists and associated data, email campaign content (texts, images, templates), automation and workflow configurations, tags and segmentations applied to contacts, created forms and popups, account configuration preferences, support request content, provided attachments and screenshots, support conversation history, personal interests and preferences, and other personal content.
Personal data collected from social media: Users can share data provided to social media with the Application. Users can control the Personal Data that the Application can access through privacy settings available on the social media in question.
Failure by the User to provide Personal Data for which there is a legal or contractual obligation, or which constitutes a necessary requirement for using the service or concluding the contract, will result in the Controller's inability to provide all or part of its services.
Users who communicate third-party Personal Data to the Controller are directly and exclusively responsible for their origin, collection, processing, communication, or dissemination.
Data and content automatically acquired during Application use: The computer systems and software procedures used to operate this Application may acquire, during their normal operation, some Personal Data whose transmission is implicit in the use of internet communication protocols. This information is not collected to be associated with identified Users, but by its very nature, could, through processing and associations with data held by third parties, allow Users to be identified. This category includes IP addresses, domain names used by Users connecting to the Application, URI (Uniform Resource Identifier) addresses of requested resources, request time, method used to submit the request to the server, size of the file obtained, numerical code indicating the status of the response given by the server, browser user agent, operating system, browser type and version, screen resolution, time zone, browser language, internet service provider (ISP).
Personal Data related to the User's use of the Application may also be collected, such as pages visited, actions performed (campaign creation, sends, etc.), features and services used, time spent on the platform, frequency of use, application errors and crashes, performance and loading times, sending statistics (emails sent, delivered, bounced), open and click rates, geolocation of opens (country, city), devices used to open emails, email clients used, interaction timestamps.
Personal data collected through cookies or similar technologies: The Application uses cookies, web beacons, unique identifiers, and other similar technologies to collect Personal Data about pages, links visited, and other actions performed when using our services. They are stored to be retransmitted on the User's next visit. Users can view the complete Cookie Policy at the following address: https://www.anyletters.it/cookie-policy.
2. PURPOSES
Collected Personal Data may be used for the execution of contractual and pre-contractual obligations and legal obligations as well as for the following purposes:
User registration and authentication: to allow Users to register on the Application to access and be identified, create and manage the User's account, provide access to the email marketing platform.
Support and contact with the User: to respond to User requests and help them in case of problems, provide technical support and assistance.
Storage, hosting and backend infrastructure management: to manage the technical infrastructure for storing User data, process and send email campaigns, manage contact lists and segmentations, provide analytics and reporting, manage automations and workflows, provide embeddable forms and popups.
Sending emails or newsletters and managing mailing lists: to contact Users with emails containing commercial and promotional information related to the Application, send newsletters with news and updates, communicate special offers and promotions, send educational content (guides, webinars, case studies), conduct satisfaction surveys. Users can revoke consent at any time through the unsubscribe link in emails or from account settings.
Technical infrastructure monitoring for maintenance, troubleshooting and performance improvement: to identify and resolve any technical problems and improve performance, analyze platform usage to improve features, optimize service performance, develop new features, conduct research and statistical analysis on aggregated and anonymous data.
Commercial affiliation: to allow the Application to publish tracked links or banners to promote third-party products or services.
Personalization of User experience: to modify the Application and adapt it to User needs.
External payment management via credit card, bank transfer or other instruments: to manage User payments through external platforms that acquire payment data without the Application owner having access, process payments and manage billing.
Service communications: to send account-related notifications, communicate changes to Terms of Service or Privacy Policy, send alerts about technical or security issues, provide updates on scheduled maintenance, send payment confirmations and invoices.
Security and fraud prevention: to prevent unauthorized access, detect and prevent fraudulent activities, protect against spam and abuse, ensure compliance with Acceptable Use Policies, respond to legal requests and court orders.
Legal compliance: to fulfill tax and accounting obligations, retain documents for legally required periods, respond to requests from competent authorities, manage litigation and legal defense.
3. PROCESSING METHODS
Personal Data processing is carried out using computer and/or telematic tools, with organizational methods and logic strictly related to the indicated purposes. The Controller adopts appropriate technical and organizational security measures, including SSL/TLS encryption for all communications, AES-256 encryption for data at rest, firewalls and intrusion detection systems, two-factor authentication (2FA) available, daily automatic backups with 30-day retention, continuous security monitoring, periodic penetration testing, secure password management (bcrypt hashing), data access limited to authorized personnel, staff training on data protection, security incident management procedures, confidentiality agreements with employees and collaborators, data protection impact assessments (DPIA), servers hosted in certified data centers in the European Union, physical access controls to data centers, video surveillance and alarm systems, redundant power supply and cooling systems.
In some cases, subjects involved in the Controller's organization (such as system administrators, technical support team, development team for debugging and improvements, administrative team for billing and accounting, personnel management staff, commercial area staff, etc.) or external subjects (such as hosting and cloud infrastructure providers, payment service providers, transactional email providers for system notifications, analytics providers, customer support providers, backup and disaster recovery providers, IT companies, service providers, postal couriers, hosting providers, etc.) may also have access to Personal Data. These subjects may be appointed as Data Processors by the Controller, pursuant to Article 28 of GDPR, may access Users' Personal Data whenever necessary, and will be contractually obligated to keep Personal Data confidential.
The updated list of Processors can be requested via email at [email protected].
4. LEGAL BASIS OF PROCESSING
The processing of Personal Data relating to the User is based on the following legal bases:
- consent given by the User for one or more specific purposes;
- processing is necessary for the execution of a contract with the User and/or the execution of pre-contractual measures;
- processing is necessary to comply with a legal obligation to which the Controller is subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by third parties;
- processing is necessary for the protection of the vital interests of the Controller or third parties.
It is always possible to request the Controller to clarify the legal basis of each processing at [email protected].
5. LOCATION
Personal Data is processed at the Controller's operational offices and in any other place where the parties involved in processing are located. Data is hosted on servers located in the European Union. Some service providers may be located outside the EU. In such cases, the Controller ensures that standard contractual clauses approved by the European Commission are adopted, adequate security measures are implemented, and a level of protection equivalent to GDPR is guaranteed. For more information, contact the Controller at [email protected].
6. SECURITY MEASURES
Processing is carried out using methods and tools suitable for ensuring the security and confidentiality of Personal Data, with the Controller having adopted adequate technical and organizational measures that guarantee, and make it possible to demonstrate, that Processing is carried out in compliance with applicable regulations. In the event of a personal data breach, the Controller will assess the impact and risks for data subjects, notify the Supervisory Authority within 72 hours if required, inform affected Users if the risk is high, and document the incident and measures taken.
Users are responsible for keeping their access credentials confidential, using strong and unique passwords, enabling two-factor authentication (2FA), immediately notifying unauthorized access, and protecting their devices with antivirus and firewall.
7. DATA RETENTION PERIOD
Personal Data will be retained for the time necessary to fulfill the purposes for which it was collected.
In particular, Personal Data will be retained for the entire duration of the contractual relationship, for the execution of related and consequent obligations, for compliance with applicable legal and regulatory obligations, as well as for defensive purposes of the Controller or third parties. Account data is retained for the entire duration of the contractual relationship and until account deletion by the User. After account deletion, data is retained for 30 days to allow account recovery; after 30 days, all data is permanently and irreversibly deleted. Data necessary for tax and accounting compliance (invoices) is retained for 10 years from the date of the last transaction, as required by Italian law. System logs and security data are retained for 12 months for security and fraud prevention purposes.
If Personal Data processing is based on User consent, the Controller may retain Personal Data until consent is revoked. Data collected for marketing purposes is retained until consent is revoked by the User or for a maximum of 24 months from the last interaction.
Personal Data may be retained for a longer period if necessary to comply with a legal obligation or by order of an authority.
All Personal Data will be deleted or retained in a form that does not allow User identification within 30 days of the end of the retention period. After this deadline, the right of access, deletion, rectification, and the right to data portability can no longer be exercised.
8. AUTOMATED DECISION-MAKING PROCESSES
No collected Personal Data will be subject to any automated decision-making process, including profiling, that may produce legal effects for the person or significantly affect them. The platform uses automated systems to detect and block spam and abuse (without legal effects), suggest campaign optimizations (suggestions, not decisions), and analyze campaign performance (reporting), but these systems do not make automated decisions that affect User rights.
9. USER RIGHTS
Users can exercise certain rights with respect to Personal Data processed by the Controller. In particular, Users have the right to:
- revoke consent at any time;
- object to the processing of their Personal Data;
- access their Personal Data and obtain confirmation whether or not personal data concerning them is being processed and, if so, obtain access to the data and the following information: purposes of processing, categories of personal data processed, recipients to whom the data has been or will be communicated, expected retention period, existence of automated decision-making processes;
- verify and request rectification of inaccurate personal data and completion of incomplete data;
- obtain restriction of processing when contesting data accuracy, processing is unlawful but the User opposes deletion, data is necessary to establish, exercise or defend a legal claim, the User has objected to processing pending verification;
- obtain deletion of their Personal Data in the following cases: data is no longer necessary for the purposes, the User revokes consent and there is no other legal basis, the User objects to processing, data has been processed unlawfully, data must be deleted to comply with a legal obligation;
- receive their Personal Data in a structured, commonly used and machine-readable format, and transmit it to another controller without hindrance (right to data portability);
- lodge a complaint with the supervisory authority for the protection of Personal Data (Italian Data Protection Authority: website https://www.garanteprivacy.it, email [email protected], address Piazza Venezia 11, 00187 Rome) and/or take legal action.
To exercise their rights, Users can send a request to the Controller's contact details indicated in this document. Requests are processed free of charge within 30 days of receipt. In complex cases, the deadline may be extended by an additional 60 days, with reasoned communication to the User.
10. MINORS' DATA
AnyLetters is not intended for minors under 18 years of age. We do not knowingly collect personal data from minors. If we become aware of having collected data from a minor, we will proceed with immediate deletion. Parents or guardians who believe a minor has provided personal data can contact us to request deletion.
11. LINKS TO THIRD-PARTY SITES
The Platform may contain links to third-party websites. We are not responsible for the privacy practices of such sites. We recommend reading the privacy policies of each site visited.
12. DATA PROCESSED BY THE USER (CUSTOMER AS CONTROLLER)
When the User uses AnyLetters to send email campaigns to their contacts, the User acts as Data Controller and AnyLetters acts as Data Processor pursuant to Art. 28 GDPR. The User is responsible for obtaining explicit consent from recipients before sending, providing a privacy policy to their contacts, ensuring lawfulness of processing, respecting data subject rights (access, rectification, deletion), providing a functional unsubscribe mechanism, and maintaining consent records.
The relationship between the User (Controller) and AnyLetters (Processor) is governed by the Data Processing Agreement (DPA) available at https://www.anyletters.it/dpa, which defines the nature and purpose of processing, type of data processed, categories of data subjects, obligations and rights of the parties, implemented security measures, management of sub-processors, assistance in case of data subject requests, and notification of data breaches.