Privacy Policy

1. Data Controller

The Data Controller for personal data is:

2. Types of Data Collected

The Controller collects the following types of personal data:

2.1 Data provided voluntarily by the user

• Contact data: name, surname, email address, phone number
• Access data: username, password (encrypted with bcrypt)
• Communication content: messages sent via contact form

2.2 Data collected automatically

• Browsing data: IP address, browser type, operating system, pages visited, date and time of access
• Technical cookies: session data necessary for service operation (see Cookie Policy)
• System logs: operation timestamps, security events, access attempts

3. Purposes of Processing

Personal data are processed for the following purposes:

3.1 Without consent (legal bases: contract execution, legal obligation, legitimate interest)

• Provision of the LineSkid queue management service
• User account management and authentication
• Compliance with legal, accounting and tax obligations
• Handling of support and assistance requests
• Fraud prevention and IT security

3.2 With user consent

• Sending promotional communications and newsletters
• Advertising campaigns and remarketing through third-party platforms (Google Ads, Meta/Instagram Ads)
• Statistical analysis of marketing campaigns to measure communication effectiveness

4. Legal Basis for Processing

The processing of personal data is based on the following legal grounds:

• Art. 6(1)(a) GDPR: Consent of the data subject (promotional communications, marketing cookies, advertising campaigns)
• Art. 6(1)(b) GDPR: Performance of a contract (service provision, account management)
• Art. 6(1)(c) GDPR: Compliance with legal obligations (tax document retention)
• Art. 6(1)(f) GDPR: Legitimate interests of the Controller (IT security, fraud prevention)

5. Third-Party Services

For service provision and marketing activities, the Controller uses the following third-party services:

Google Fonts

Service by Google Ireland Limited for loading typefaces. When using the site, the user's browser connects to Google servers transmitting the IP address. Google states it does not use this data for profiling.

Google Privacy Policy

YouTube (Google)

Service by Google Ireland Limited for embedding video content in the waiting room display. YouTube may collect usage data and set its own cookies when videos are viewed.

Google Privacy Policy

Instagram (Meta)

Service by Meta Platforms Ireland Limited for embedding social content in the waiting room display. Instagram/Meta may collect usage data and set its own cookies when content is viewed.

Meta Privacy Policy

jsDelivr CDN

Content delivery network used for loading JavaScript libraries (Chart.js, HLS.js). During loading, the user's IP address is transmitted to CDN servers.

jsDelivr Privacy Policy

wttr.in

Weather service used in the waiting room display to show weather conditions. Receives the user's IP address and the configured city name.

Google Ads and Google Analytics

Services by Google Ireland Limited used for search and display advertising campaigns, remarketing, conversion analysis, and traffic measurement. These services may collect browsing data, IP address (anonymized), and site behavior through cookies and tracking pixels. They are activated only with user consent.

Google Privacy Policy | Google Ads Opt-out

Meta Pixel (Facebook/Instagram Ads)

Service by Meta Platforms Ireland Limited used for advertising campaigns on Facebook and Instagram, remarketing, and conversion analysis. The Meta Pixel may collect browsing data, IP address, and site interactions through cookies and tracking pixels. It is activated only with user consent.

Meta Privacy Policy | Meta Ads Opt-out

6. Marketing and Advertising Activities

The Controller may carry out marketing and advertising activities through the following methods:

• Email marketing: sending promotional communications and newsletters to users who have given consent. Users can withdraw consent at any time via the unsubscribe link in each email.
• Google Ads campaigns: advertising on Google Search, Google Display Network, and YouTube. May include remarketing activities targeting users who have previously visited the site.
• Meta/Instagram Ads campaigns: advertising on Facebook and Instagram. May include remarketing activities and creation of Custom Audiences based on site interactions.
• Conversion analysis: monitoring actions taken by users after interacting with an advertising campaign, to measure its effectiveness.

All marketing activities require prior user consent and are subject to withdrawal at any time. Data collected for marketing purposes is not used for other purposes.

7. Processing Methods and Security

Personal data are processed using electronic means, with logic strictly related to the purposes indicated above and, in any case, in a manner that guarantees the security and confidentiality of the data.

The security measures implemented include:

• Encryption of sensitive data (passwords with bcrypt)
• Secure connections using HTTPS/TLS protocol
• Session cookies with Secure, HttpOnly, and SameSite=Strict flags
• CSRF (Cross-Site Request Forgery) protection on all forms
• Firewall and perimeter protection systems
• Periodic data backups
• Data access limited to authorized personnel
• Access and operation logs

8. Data Retention Period

Personal data are retained for the time strictly necessary to achieve the purposes for which they were collected:

• Account data: for the entire duration of the contractual relationship and for 10 years thereafter (tax obligations)
• Browsing data and logs: 24 months
• Contact requests: 24 months from the request
• Billing data: 10 years (tax obligations)
• Marketing data: until consent is withdrawn by the user, and in any case no longer than 24 months from the last interaction

9. Data Disclosure and Transfer

Personal data may be disclosed to:

• Employees and collaborators of the Controller, as authorized processors
• Technical service providers (hosting, maintenance) as Data Processors pursuant to Art. 28 GDPR
• Google Ireland Limited, for Google Fonts, Google Ads, and Google Analytics services
• Meta Platforms Ireland Limited, for Instagram and Meta Pixel/Ads services
• Competent authorities, upon request and within legal limits

Data will not be disseminated to unspecified parties.

10. Data Transfer to Third Countries

Some of the third-party services used (Google, Meta, jsDelivr) have servers located in the United States or other countries outside the European Economic Area (EEA).

Data transfers to the United States are based on the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) and/or Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR.

Users may obtain a copy of the safeguards or information about transfers by contacting the Data Controller at privacy@itland.it.

11. Data Subject Rights

Pursuant to Articles 15-22 of the GDPR, data subjects have the right to:

• Access (Art. 15): obtain confirmation of processing and a copy of the data
• Rectification (Art. 16): correct inaccurate or incomplete data
• Erasure (Art. 17): obtain deletion of data ("right to be forgotten")
• Restriction (Art. 18): restrict processing in certain cases
• Portability (Art. 20): receive data in a structured, machine-readable format
• Objection (Art. 21): object to processing for legitimate reasons, including direct marketing
• Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal

To exercise your rights, please contact the Controller at privacy@itland.it or via certified email (PEC) at info@pec.itland.it.

The request is free of charge and the Controller will respond as soon as possible, in any case within one month of receiving the request, as required by Art. 12(3) GDPR. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.

12. Complaint to Supervisory Authority

Data subjects have the right to lodge a complaint with the Italian Data Protection Authority:

13. Changes to Privacy Policy

The Controller reserves the right to modify this Privacy Policy at any time. Changes will be published on this page with an indication of the last update date. In case of substantial changes, users will be informed via email or notice on the site. We recommend checking this page periodically.

14. Definitions and Legal References

• Personal Data (or Data): any information that directly or indirectly, including in conjunction with any other information, makes an identified or identifiable natural person.
• Usage Data: information collected automatically through the Website, including: IP addresses, browser type, operating system, pages visited, time of request, and other parameters related to the User's IT environment.
• User: the individual who uses the Website and the Service, who coincides with the Data Subject unless otherwise specified.
• Data Subject: the natural person to whom the Personal Data refers.
• Data Processor: the natural or legal person who processes personal data on behalf of the Controller, pursuant to Art. 28 GDPR.
• Data Controller: the natural or legal person who determines the purposes and means of the processing of personal data.
• Service: the service provided by the Website (LineSkid queue management platform) as defined in the Terms of Service.
• Tracking Tool: any technology (Cookies, localStorage, web beacons, scripts, tracking pixels) that enables the tracking of Users by collecting or saving information on the User's device.
• Cookie: small portions of data stored within the User's browser.
• localStorage: a web storage technology that allows websites to save data in the User's browser persistently, without being sent to the server with every request.

Unless otherwise specified, this privacy policy applies exclusively to the lineskid.com Website and the LineSkid Service.