
Privacy Policy

How Black Bytes SA processes your personal data. Document drafted pursuant to Regulation (EU) 2016/679 (GDPR), the Swiss Federal Act on Data Protection (FADP, revised 1 Sep 2023) and Italian Legislative Decree 196/2003. In case of discrepancy between this version and the Italian version, the Italian version shall prevail.

Last updated: May 13, 2026

1. Introduction

This Privacy Policy describes how Black Bytes SA ("Black Bytes", "we") collects, uses and protects the personal data of users of the website ari.bytes.black ("Site"), as data controller pursuant to art. 4(7) GDPR and art. 5 letter j FADP.

Black Bytes is a company incorporated under Swiss law operating primarily on the Italian and European market. We process your data in accordance with GDPR, the revised Swiss FADP (in force since 1 September 2023) and the Italian Privacy Code. Switzerland benefits from the adequacy decision adopted by the European Commission pursuant to art. 45 GDPR.

Please read this document carefully before providing us with any personal data or using the Site.

2. Data controller

The data controller is:

Black Bytes SA
Via Pretorio 13A
6900 Lugano, Switzerland
Email: marketing@bytes.black

Black Bytes has not appointed a Data Protection Officer (DPO) as it does not fall within the cases of mandatory appointment under art. 37 GDPR. All requests regarding the processing of your data may be addressed to the email above.

3. EU Representative

Pursuant to art. 27 GDPR, as a controller established outside the European Union offering goods or services to data subjects in the EU, Black Bytes has designated its EU Representative:

Giangiacomo Galliani
Via degli Abeti, Seveso (MB), Italy
Email: giangiacomo.galliani@bytes.black

The EU Representative may be contacted on any matter relating to the processing of your personal data, as an alternative to the controller. Supervisory authorities and data subjects may contact the EU Representative on all matters related to processing.

4. Categories of personal data collected

Depending on your interaction with the Site, we may process the following categories of personal data:

  • Identification and contact data: first name, last name, email address, telephone number. Provided voluntarily through demo request, contact or job application forms.
  • Business data: company name, VAT number, business role, industry sector. Provided voluntarily in B2B forms.
  • Job application data: curriculum, cover letter, professional experience. Provided by candidates through the "Careers" form.
  • Navigation data: IP address, browser type, operating system, language, date and time of access, pages visited, traffic source, session identifiers. Automatically collected by servers and analytics systems subject to consent.
  • Cookies and similar technologies: technical, analytics and marketing cookies. For details see the Cookies Policy.
  • Booking data: if you use the integrated booking system (Calendly), we process your name, email, time zone and selected meeting date/time.

We do not collect special categories of personal data (art. 9 GDPR) or data relating to criminal convictions (art. 10 GDPR). Please do not include them in our forms.

5. Purposes of processing and legal bases

We process your personal data exclusively for the purposes listed below, each based on a specific legal basis:

  • (a) Responding to contact, information and demo requests — legal basis: pre-contractual measures at the request of the data subject (art. 6.1.b GDPR; art. 31.1.a FADP).
  • (b) Handling job applications — legal basis: pre-contractual measures (art. 6.1.b GDPR).
  • (c) Sending direct marketing communications (newsletter, product updates, events) — legal basis: free, specific and revocable consent (art. 6.1.a GDPR; art. 31.1 FADP).
  • (d) Aggregate statistical analysis of Site usage through analytics cookies — legal basis: consent (art. 6.1.a GDPR), unless cookies qualify as technical cookies under the Italian Garante 10 June 2021 Guidelines.
  • (e) Behavioral marketing and remarketing via Google Ads — legal basis: consent (art. 6.1.a GDPR).
  • (f) Compliance with legal, accounting and tax obligations — legal basis: legal obligation (art. 6.1.c GDPR; art. 31.1.c FADP).
  • (g) Legal defense or accountability — legal basis: legitimate interest of the controller (art. 6.1.f GDPR; art. 31.1.d FADP).
  • (h) IT security of the Site, fraud and abuse prevention — legal basis: legitimate interest of the controller (art. 6.1.f GDPR).

Consent given for purposes (c), (d) and (e) may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.

6. Methods of processing

Data is processed with electronic and organizational tools suitable to guarantee security, confidentiality, integrity and availability (arts. 5.1.f and 32 GDPR; arts. 7-8 FADP; art. 3 Swiss Data Protection Ordinance).

Main security measures adopted include:

  • Encryption of data in transit via TLS/HTTPS
  • Hosting servers located in the European Union
  • Access control based on credentials and least-privilege principle
  • Periodic encrypted data backups
  • Internal procedures for incident management and data breach notification (art. 33 GDPR; art. 24 FADP)
  • Training of personnel authorized to process data

Data is not disseminated and is accessible exclusively to authorized personnel and external processors listed in section 8.

7. Retention period

Personal data is retained for the time strictly necessary to pursue the above purposes and, in any case, for the following terms:

  • Contact and demo requests: up to 24 months from the last interaction, unless the relationship becomes a contractual one.
  • Unsuccessful job applications: up to 12 months from submission, unless explicit consent to longer retention for future selections is given.
  • Accounting and tax data: 10 years pursuant to Swiss and Italian civil and tax obligations.
  • Marketing data: until consent is withdrawn and for a maximum of 24 months from the last interaction by the data subject (Italian Garante 4 July 2013 Guidelines).
  • Analytics and marketing cookies: the duration of each cookie is indicated in the Cookies Policy.
  • Server technical logs: 12 months for security purposes, unless needed to ascertain offences.
  • Data processed for legal defense: for the entire duration of the dispute and until the expiry of the time limits for appeal.

8. Data recipients and external processors

Your data may be disclosed to third parties acting as data processors appointed pursuant to art. 28 GDPR and art. 9 FADP, who act exclusively on our instructions and with adequate security guarantees. We list below the categories of recipients, with examples of the providers currently in use:

  • Online analytics and advertising service providers — used to measure use of the Site and run advertising campaigns (currently Google Ireland Limited, Ireland, for Google Tag Manager, Google Analytics 4 and Google Ads; any sub-transfers to the USA are covered by the EU-US Data Privacy Framework).
  • Online form providers — used to collect contact and demo requests (currently Tally Forms BV, Netherlands).
  • CRM (Customer Relationship Management) platforms — used to manage commercial contacts and track interactions with prospects (currently Attio Ltd., United Kingdom, with transfers covered by Standard Contractual Clauses).
  • Business messaging and collaboration platforms — used internally to notify the team of incoming requests and coordinate responses (currently Slack Technologies LLC, USA, with transfers covered by Standard Contractual Clauses and Data Privacy Framework).
  • Appointment booking service providers — used to manage calls and demos (currently Calendly LLC, USA, with transfers covered by Standard Contractual Clauses and Data Privacy Framework).
  • Email forwarding and transactional communication services — used to receive messages sent through the Site's forms (currently FormSubmit, with transfers covered by Standard Contractual Clauses).
  • Web font providers and CDN resources — used for the correct typographic rendering of the Site (currently Adobe Inc., USA, Typekit service, with transfers covered by Standard Contractual Clauses and Data Privacy Framework).
  • Hosting and cloud infrastructure providers with servers located in the European Union.
  • Professional advisors (legal, tax, accounting) and public authorities when required by law.

The specific providers listed above are provided by way of example and may be replaced over time with others in equivalent categories. The complete and updated list of data processors may be requested at any time at marketing@bytes.black.

9. Transfers of data outside the EU/EEA

Some providers listed in section 8 are based in the United States. The transfer of personal data to third countries takes place exclusively on the basis of one of the following guarantees provided by Chapter V GDPR:

  • Adequacy decision by the European Commission — for US providers certified under the EU-US Data Privacy Framework (EU decision 2023/1795 of 10 July 2023).
  • Standard Contractual Clauses (SCC) adopted by the European Commission with decision 2021/914 — for providers not certified under the DPF, or as an additional safeguard.
  • Supplementary technical and organizational measures (encryption, pseudonymization) where applicable, in line with EDPB Recommendations 01/2020.

The transfer of data from Switzerland to the EU takes place on the basis of the Swiss adequacy decision (EU) 2000/518/EC, confirmed after the entry into force of the revised FADP 2023. For transfers from Switzerland to the USA, the Swiss-US Data Privacy Framework applies.

You may request a copy of the safeguards adopted by writing to marketing@bytes.black.

10. Your rights

As a data subject, you may exercise the following rights provided by arts. 15-22 GDPR and arts. 25-32 FADP at any time:

  • Right of access to your personal data and information on its processing
  • Right of rectification of inaccurate data or completion of incomplete data
  • Right to erasure ("right to be forgotten") in the cases provided for by art. 17 GDPR
  • Right to restriction of processing in the cases provided for by art. 18 GDPR
  • Right to data portability in a structured, machine-readable format
  • Right to object to processing based on legitimate interest or for direct marketing purposes (art. 21 GDPR)
  • Right to withdraw consent at any time, without affecting the lawfulness of previous processing
  • Right not to be subject to automated decisions with significant legal effects (art. 22 GDPR) — see section 11

To exercise your rights you may write to marketing@bytes.black. We will respond within 30 days, extendable by a further 60 days in case of particular complexity (art. 12.3 GDPR).

You also have the right to lodge a complaint:

  • with the Italian Data Protection Authority (Garante) — Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it — if you reside in Italy or the violation occurred in Italy;
  • with the Swiss Federal Data Protection and Information Commissioner (FDPIC) — Feldeggweg 1, 3003 Bern — www.edoeb.admin.ch — if you prefer to address the authority of the controller's establishment country;
  • with the supervisory authority of your EU Member State of habitual residence, place of work or the place of the alleged violation.

11. Automated decision-making and profiling

Black Bytes does not adopt decisions based solely on automated processing, including profiling, that produce significant legal effects on you pursuant to art. 22 GDPR and art. 21 FADP.

The analytics and marketing systems used on the Site may perform aggregate statistical and segmentation processing, but no decision producing effects for the data subject is taken on an exclusively algorithmic basis.

12. Nature of the provision of data

Providing your personal data is optional. However, failure to provide the data marked as mandatory in our forms (typically: name, business email and request subject) makes it impossible for us to respond to your request or provide the requested service.

Providing data for marketing purposes (section 5, letters c-e) is always optional and any refusal does not affect the use of the Site or the response to your contact requests.

13. Changes to this Policy

This Policy may be updated to reflect regulatory, organizational or technological changes. Please review this page periodically. In case of substantial changes we will inform you by email (if available) or through a clearly visible notice on the Site.

The date of the last update is indicated at the top of the document.

14. Contacts

For any questions regarding this Policy or the processing of your personal data, please write to:

Black Bytes SA
Via Pretorio 13A — 6900 Lugano, Switzerland
Email: marketing@bytes.black
