INFORMATION NOTICE UNDER ARTICLES 13-14 EU REG. NO. 2016/679 ON THE PROCESSING OF PERSONAL DATA

Last updated: 07-04-2026

Purposes of mandatory processing

Data Controller

The Data Controller of your personal data, pursuant to art. 13 of EU Regulation 2016/679 (GDPR), is:

STUDIO 09 S.R.L
Via Pietro Borgognoni 15, 51100 Pistoia (PT), Italy
VAT: 01710080472
Email: info@studio09.it

The Data Controller is the entity that determines the purposes and means of personal data processing.

Purpose of the processing

The personal data expressly provided by users who send requests of any kind through direct emails or contact forms are used to follow up on them and are communicated only to third parties involved in fulfilling such requests.

Optional, explicit and voluntary sending of email to the addresses indicated on this website implies the subsequent acquisition of the sender's address, necessary to reply to communications, and any other personal data spontaneously included in the email.

Legal basis of processing

The processing of your personal data is based on the following legal bases under art. 6 GDPR:

• Consent (Art. 6(1)(a)): you have consented to the processing of your personal data for one or more specific purposes (e.g. newsletter, profiling, marketing).
• Contract performance (Art. 6(1)(b)): processing is necessary for the performance of a contract to which you are a party or to take steps prior to entering into a contract.
• Legal obligation (Art. 6(1)(c)): processing is necessary to comply with a legal obligation to which the Controller is subject.
• Legitimate interest (Art. 6(1)(f)): processing is necessary for the legitimate interests pursued by the Controller or a third party, provided your rights and freedoms do not override them.

Who processes your data

Internal recipients: only persons who need access for the indicated purposes may access the data; their names, roles and permissions are documented in the company's GDPR records.

External recipients: we transmit personal data to external recipients only if necessary for processing your request, if there is legal authorization or obligation, or with your explicit consent.

• Data Processors — external suppliers we use for services or for the provision of contractually relevant content. They are carefully selected and monitored by us.
• Public bodies — Authorities and government institutions such as prosecutors, courts or tax authorities, pursuant to art. 6(1)(c) GDPR.

Transfers to third countries

Your personal data may be transferred to countries outside the European Economic Area. In that case, the transfer will take place with appropriate safeguards under GDPR, such as:

• Adequacy decisions of the European Commission
• Standard contractual clauses approved by the European Commission
• Binding corporate rules
• Approved certifications

Important notices

Changes to this notice — This notice may be subject to changes. It is recommended to consult this page regularly.

Data security — We adopt appropriate technical and organizational measures to protect your personal data against accidental loss, unauthorized access, disclosure, alteration or destruction.

Data retention — Your personal data will be kept for the time necessary to fulfil the purposes for which they were collected, and no longer than the terms provided by current legislation.

Rights of the data subject

As a data subject, pursuant to articles 15-22 GDPR, you have the right to:

• Access (Art. 15): obtain confirmation of whether personal data concerning you are being processed and, if so, access them.
• Rectification (Art. 16): obtain rectification of inaccurate personal data concerning you.
• Erasure (Art. 17): obtain erasure of personal data ("right to be forgotten").
• Restriction (Art. 18): obtain restriction of processing in certain conditions.
• Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
• Objection (Art. 21): object at any time to processing based on legitimate interest.
• Withdraw consent (Art. 7): withdraw your consent at any time without affecting prior lawful processing.

Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence. In Italy, the supervisory authority is the Italian Data Protection Authority.

To exercise your rights, please send a request to the contacts indicated in this notice.

Data retention period

Your personal data will be kept for the time strictly necessary to fulfil the purposes for which they were collected, in compliance with the principles of minimization and storage limitation (art. 5(1)(e) GDPR).

• Contract data: kept for the entire duration of the contractual relationship and for the following 10 years for tax and accounting purposes.
• Consent data (cookie, newsletter, marketing): kept until consent is withdrawn and in any case for a maximum of 5 years from collection.
• Navigation data and logs: kept for a maximum of 6 months, unless otherwise required by law.
• Data for direct marketing purposes: kept until consent is withdrawn and in any case for a maximum of 24 months from the last interaction.
• Data for profiling purposes: kept until consent is withdrawn and in any case for a maximum of 12 months.

Purposes of non-mandatory processing

Profiling

With your free and optional consent (art. 6(1)(a) GDPR), we will process your personal data for profiling purposes, in order to send you personalized promotional communications consistent with your profile, to perform statistical analyses on your personal characteristics for "clustering" activities, and to create "target groups" for internal analysis and monitoring.

Newsletter

To subscribe to our newsletter you must enter your contact details and accept the specific consent. We will only send the newsletter after registration and your consent under art. 6(1)(a) GDPR.

Other processing

In all other cases in which you provide us with personal data, this will always be on a voluntary basis. Your information will be processed to handle your request under art. 6(1)(b) or (f) GDPR, and may be transmitted to third parties only to fulfil your request.

Google Fonts

This website uses Google Fonts to dynamically load typefaces. When you visit a page, your browser establishes a connection to Google servers (fonts.googleapis.com and fonts.gstatic.com) to download the fonts necessary to display the page.

Data processed: IP address, browser User-Agent, URL of the visited page.
Purpose: correct display of site content with selected fonts.
Legal basis: user consent under art. 6(1)(a) GDPR.
Recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Extra-EU transfer: data is transferred to the US. Google adheres to the EU-US Data Privacy Framework.
For more info: Google Privacy Policy.

Consent Database (Proof of Consent)

When you fill out a form on our site, we collect and store the following information as proof of consent, under Art. 7.1 GDPR:

• Identification data: name, surname, email address
• Consent preferences: which consents were accepted or refused
• Accepted legal documents: version of the privacy policy and terms of service displayed at the time of consent
• Contextual data: IP address, user-agent, URL of the page, date and time
• Form proof: HTML snapshot of the submitted form (excluding sensitive data like passwords)

Retention period: consent proofs are kept for 5 years from collection, in compliance with GDPR best practices.

Access to data

Your data may be made accessible for the purposes above to:

• Employees and collaborators of the Controller, as persons authorized to process data and/or system administrators;
• Third-party companies (e.g. professional firms, consultants, software houses, banks, insurance companies) performing outsourced activities on behalf of the Controller as external data processors.

Data communication

The Controller may communicate your data to Public Administration, Supervisory Bodies and/or Judicial Authorities, and to any other entities where communication is mandatory or required by law. Your data will not be disseminated.

How to exercise your rights

You can exercise your rights at any time by contacting the Controller at: info@studio09.it

External processors and persons in charge

The updated list of external processors and persons in charge of processing is kept at the Controller's registered office.

Amendments to this notice

This notice was drafted on 07-04-2026 and may change over time in line with legislative and regulatory integrations or changes. You are invited to consult this page frequently.

Terms of Use (EULA) — User-Generated Content

By using the commenting, interaction and content-publishing features (collectively, "User Content") available on the Sanalife website and mobile apps, you expressly accept these Terms of Use and agree to comply with them.

Absolute prohibition of offensive or inappropriate content

It is strictly forbidden to post, transmit or distribute through the service any User Content that, at the Controller's sole discretion, is offensive, inappropriate or infringes third-party rights. In particular, the following is prohibited:

• obscene, pornographic or sexually explicit material, or content otherwise unsuitable for a general audience;
• content inciting hatred, discrimination or violence based on race, ethnicity, nationality, religion, gender, sexual orientation, gender identity, age, disability or social status;
• defamatory, libellous, threatening, harassing, intimidating content or anything harming the dignity, reputation or privacy of others;
• insults, vulgar language, bullying or cyberbullying;
• promotion or facilitation of illegal activities, drug use, self-harm, suicide or eating disorders;
• spam, unauthorized advertising, phishing, scams, pyramid schemes or links to harmful content;
• infringement of copyrights, trademarks, patents, trade secrets or other intellectual property rights;
• disclosure of third parties' personal data without their consent;
• malware, viruses or malicious code;
• false, misleading content or health-related misinformation;
• anything contrary to law, public morals or public order.

User responsibility

You are solely responsible for the User Content you post and for the consequences of its distribution. By posting User Content, you represent and warrant that you hold all necessary rights and that it does not infringe any third-party rights.

Moderation and removal of content

All User Content is subject to moderation. The Controller reserves the right, at its sole discretion and without prior notice, to:

• reject publication or remove User Content deemed to violate these Terms;
• suspend or close the accounts of users responsible for violations, even for a single serious violation;
• report content and involved accounts to the competent authorities where required by law.

The Controller enforces a zero-tolerance policy toward abusive content and behaviour: clearly offensive content is removed within 24 hours of reporting or detection, and authors may be permanently banned.

Reporting abusive content

Any user may report User Content deemed offensive or inappropriate by writing to info@studio09.it, indicating the URL of the page, the author and a short description of the reason. Reports will be reviewed promptly.

Blocking other users and deleting your account

Users can at any time request the blocking of an abusive user by writing to info@studio09.it, or delete their own account (and all associated content) independently through the "Account" section of the mobile application, or by contacting the Controller.

Disclaimer of liability

The Controller is not responsible for User Content posted by users, which does not necessarily reflect the Controller's position. You agree to indemnify and hold the Controller harmless from any third-party claims arising out of your User Content.