Privacy Policy of our website - XTN Cognitive Security

Privacy Policy

PRIVACY NOTICE GDPR (art. 13 and 14 Reg. EU 679/2016 GDPR)

In compliance with Articles 13 (for data collected from the Data Subject) and 14 (for data not collected from the Data Subject) of Regulation (EU) 2016/679 (GDPR), the following notice is provided to the Users of this Web Site, Data Subjects, that refer exclusively to the processing carried out through this Website and not through other websites that may be visited through links, for which please see the relevant information provided by the respective Data Controllers.

Data Controller and contact details

XTN Cognitive Security S.r.l., with registered office in 38062 Arco (TN), Via Santa Caterina n. 95, C.F./P.IVA 04395340286, registered in the Register of Companies of Trento with n. REA TN- 201845, tel.  +39 04641984420, e-mail 

Data Protection Officer (DPO) and contact details

The Data Protection Officer (DPO) of the Data Controller, Colin & Partners S.r.l a Socio Unico, can be contacted at the address

Categories of data processed and sources

The Data Controller may process general browsing data, as well as cookies, for which it invites you to read the specific Cookie Policy.

The Data Controller may also process personal data voluntarily provided by the User, for example by means of the contact form or by sending of communications via e-mail, including common personal data (identification data, personal data, tax data, and the like), special categories of personal data pursuant to art. 9 GDPR, exceptionally to the extent required by the request.

Data may come from automatic sources or from voluntary sources, as well as from public sources. For example, they may come from the User’s browsing, which may bring information related to previous browsing of other sites, including in particular cookies and other similar technologies, for which please see again the specific Cookie Policy. Data may also be provided voluntarily by the User or related parties. Other data may come from public sources, such as those processed in the context of searches on public registers and from records, certificates, public registrations and the like.

In any case, the canons of maximum confidentiality and professional secret on the User’s information falling under legal and deontological obligations are scrupulously observed.

Purpose of the processing

Personal data of the Users, as described above, will be processed in the ways and forms required by the GDPR, generally for the purpose of performing the Website’s own functions, consulting its contents and using its services.

In particular, the processing of personal data pursues the following purposes:

  1. to visit the Website, to consult the information and contents published therein and to use the related services;
  2. to manage browsing data and for functional or technical reasons that allow the same use of the contents, also through technical cookies, to aggregate statistics, also through analytics cookies, to provide personalized content or services, also through profiling cookies, if applicable and subject to prior consent; in any case, under the conditions set out in the Cookie Policy, referring to the Guidelines of the Italian Data Protection Authority of 10 June 2021, published on 9 July 2021;
  3. to check the requests made by the User through the Website and its communication tools (contact forms, information request forms and the like) and for any subsequent, related, connected, consequential and similar communication and processing, for the better management of the same request;
  4. to subscribe to the newsletter, where applicable, as well as to generate lead and the consequent sending of informative communications concerning the field in which the Data Controller operates;
  5. for legal compliance and other mandatory purposes, such as billing profiles or anti-money laundering profiles;
  6. for other purposes ancillary or related or consequential to those indicated above and falling within the activities of the Website;
  7. to process the e-mail address, provided by the User in the context of a previous sale relationship (such as for example supply, delivery, and the like) of goods or services, also aimed at sending, without further consent, communications for subsequent similar information, pursuant to and within the limits of art. 130 paragraph 4 of the Italian Personal Data Protection Code (d.lgs. 196/2003); in any case the Data Subject can express his or her refusal and oppose to such processing, both initially and subsequently, simply and free of charge, by following the instructions given in each such subsequent communication;
  8. to receive Curriculum Vitae from candidates wishing to apply to the Data Controller.

Legal bases for processing

The processing of all personal data is based on the following lawfulness conditions (legal basis):

      art. 6 par. 1 lett. a) GDPR = consent: for the management of profiling cookies as per purpose no. 2 and for other processing subject to consent, including the purposes ancillary to the main ones that do not fall under the other legal bases, as per purpose no. 6; for the subscription to the newsletter and the lead generation as per purpose no. 4, if ancillary or additional to other processing;

      art. 6 par. 1 lett. b) GDPR = contractual or pre-contractual obligation: for the same browsing of the Website or for access to services also of an informative nature published on the Website itself and for the processing of related information, as well as for all related services of sale of goods and services as offered on the Website, delivery and the like, as per purpose no. 1; for the management of cookies as per purpose no. 2 other than profiling cookies; for the processing of the requests made by the Data Subject and the relative answers as per purpose n. 3; for subscribing to the newsletter when this is the sole or main purpose of providing personal data, in particular the e-mail address, as per purpose no. 4; for other processing operations related, functional and consequential to those just mentioned, as per purpose no. 6; for the management of Curriculum Vitae and related requests, as per purpose no. 8;

      art. 6 par. 1 lett. c) GDPR = fulfilment of a legal obligation: for the processing of all data necessary to comply with legal obligations, including the processing of tax data related to invoicing profiles or other processing required by law, such as those relating to anti-money laundering, as per purpose no. 5; for other processing operations related, functional and consequential to those just mentioned, as per purpose no. 6;

      art. 6 par. 1 lett. f) GDPR = legitimate interest, for all processing operations included in information society services, as well as for information purposes of the Data Controller. In this regard, the Data Controller invokes the legitimate interest for further communications sent to the e-mail address of the Data Subject pursuant to art. 130 par. 4 of the Italian Personal Data Protection Code as per purpose no. 7, except for the Data Subject’s right of free opposition as explained therein.

For special categories of personal data pursuant to art. 9 of the GDPR that may be voluntarily provided by Data Subjects through browsing and through contact forms or the like, the Data Controller indicates the following additional conditions of lawfulness pursuant to art. 9 of the GDPR:

      art. 9 par. 2 lett. a) GDPR: consent, for processing for which it has been expressly given;

      art. 9 par. 2 lett. e) GDPR: data made manifestly public by the Data Subject, for data independently communicated or disclosed by the Data Subject;

      art. 9 par. 2 lett. f) GDPR: establishment, exercise, or defense of a right in court or whenever the courts exercise their judicial functions, for the exercise of a right by the Data Controller.

Legitimate interest

The processing of personal data is also based on the legitimate interest of the Data Controller pursuant to art. 6 par. 1 lett. f) of the GDPR, such as the exercise of its information rights in the information society context, the performance of the services indicated on the Website or the possible implementation of direct marketing operations pursuant to Recital 47 of the GDPR.

The Data Controller also invokes the right to make use the processing of the e-mail address of the Data Subjects provided in the context of a sale of goods and services, for the sending of further communications addressed to the Data Subject and relating to similar goods or services pursuant to art. 130 par. 4 of the Italian Privacy Code, without prejudice to the Data Subject’s free right to object, as per purpose no. 7. 

Mandatory or optional nature of data provision

The provision of browsing data by Users, for the purposes set out above, depends on the degree of privacy that the Users have enabled or disabled through their browser, or that they have managed through the appropriate Cookie Banner commands regarding cookie management. For technical cookies, disabling them may affect the browsing of the Website.

The provision of certain data is in any case necessary for the very structure of the Website and for the provision of some of its services. In particular, for example:

      to send messages via the contact form or to subscribe to the newsletter, the minimum data required therein, such as name/surname and/or e-mail address and/or other identification data of the sender and/or USERNAME, are mandatory in any case; the contact form indicates which data are mandatory (with an asterisk “*”) and which not;

      In any case, the USERNAME and PASSWORD are mandatory for registration and access to any reserved area of the Website.

The provision of all other data is optional. 

Consequences of failure to provide data

Failure to provide mandatory personal data prevents the Data Controller from sending the requested information or performing the further processing requested by the User or, in some cases, from being able to provide the services offered by the Website.

Failure to provide optional personal data does not have these consequences, but it could affect the processing of the request made by the User or the browsing of the Website. 

Recipients of any communications and data transfers

The data may be communicated to companies, professionals and other consultants operating in connection to the purposes set out in this notice or related purposes, both intra and extra EU (in the latter case, it will be exclusively to subjects for which an adequacy decision is in force or adequate safeguards are in place, including Standard Contractual Clauses, or consent has been provided or further exemptions are provided pursuant to art. 49 of the GDPR, according to the Schrems II Judgment of the Court of Justice of 16 July 2020).

In any case, the data may be communicated to Data Processors and to persons authorized to process personal data, for the same purposes as the Website or for purposes related to the services offered by the Website, as well as any other Data Controllers within the limits of the related purposes.

Recipients include in particular: the Data Controller’s operators as persons authorized to process data, its Data Processors and related personas authorized to process data for related purposes, such as a managerial or tax nature, Google Ireland for Google Analytics, Google Ireland Ltd for Google Ads, WordPress for the management of this Website and related services, HubSpot, Inc. for lead generation.

No generalized communication of data for further purposes will be carried out and no dissemination of personal data will take place.

Browsing data and the like (for which please refer to the above), as well as third-party profiling cookies (for which please refer to the Cookie Policy), will be disclosed to the respective third parties concerned, where these do not already manage them directly as independent Data Controllers, within the limits of the consents given.

Data retention period

The data provided voluntarily by the Data Subject will be retained until the consent given by the Data Subject is revoked, or until the actions that the Data Subject can carry out on his or her browser, including cleaning cookies.

Browsing data and technical cookies will be stored for the technical time required to perform the functions for which they were collected.

For the retention times of cookies in general, please refer to the specific information note available from the Cookie Banner.

For any other personal data, the retention period is limited to the period of prescription of the relevant rights or the end of the relevant legal or contractual obligations, including those relating to billing and the like.

Rights of the Data Subject

The Data Subject has the right of access, rectification, cancellation (oblivion), restriction, receipt of notification in the event of rectification, cancellation or restriction, portability, objection and not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way, pursuant to Articles 15 to 22 of the GDPR.

These rights can be exercised in the forms and within the terms set out in art. 12 of the GDPR, by means of written communication sent to the Data Controller by e-mail to the above e-mail address.

The Data Controller will make an appropriate response as soon as possible and in any case within 1 month from receipt of the request, except in cases of extension or justified refusal as provided for in art. 12 of the GDPR.

Right to withdraw any consent given

Where the processing is based on consent, the Data Subject may revoke it at any time by sending an e-mail to the above e-mail address of the Data Controller, or through the appropriate controls on the Website for the management of profiling cookies, as well as in any case by express communication at the Data Controller’s headquarter.

Right to lodge a complaint

The Data Subject has the right to lodge a complaint pursuant to Articles 77 et seq. of the GDPR to a supervisory authority, which for the Italian State is identified in the Data Protection Authority.

The forms, methods and time limits for lodging complaints are provided for and governed by the national legislation in force, for Italy by a specific regulation of the Data Protection Authority.

The complaint is without prejudice to any other administrative or judicial remedy; for actions for damages, in Italy the action is brought before the territorially competent Court.


The personal data provided through browsing this website may be profiled by third-party providers through third-party profiling cookies, subject to the User’s consent expressed by means of the appropriate Banner Cookie commands.

For further information please read the Cookie Policy.