Privacy Policy
Last updated: 15 May 2026
This notice is provided under articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and of Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (“Privacy Code”) to those who interact with the website, forms and digital channels of OTREB S.R.L. and describes the means, purposes and legal bases for the processing of personal data.
1. Data Controller
The Data Controller is OTREB S.R.L., with registered office at Via Flavio Gioia 11, 64026 Roseto degli Abruzzi (TE), Italy — VAT and Tax ID 02222120673.
- Email: info@otrebsrl.it
- Certified email: otreb@pec.it
The Controller has not appointed a Data Protection Officer (DPO), the requirements for mandatory appointment under art. 37 GDPR not being met. Any data protection request should be sent to the contacts above.
2. Categories of personal data processed
2.1 Browsing data
The IT systems that operate the website acquire, in the course of their normal operation, data whose transmission is implicit in the use of Internet protocols (e.g. IP addresses, URIs/URLs of requested resources, request time, method, status code, computing environment). This data is used to derive anonymous statistical information and to ensure security and proper functioning.
2.2 Data provided through the website form
Through the booking form the user voluntarily provides: first and last name and email (mandatory) and, if entered, company, phone number, preferred date and time slot and the content of the free-form message. Users are asked not to enter data belonging to special categories (art. 9 GDPR).
2.3 Data collected through external forms (e.g. Google Forms)
The Controller may also collect data through forms hosted on third-party platforms (for example Google Forms, provided by Google Ireland Limited, or similar tools), accessible via links published on the site or sent through other channels. In such cases the data entered (e.g. personal and contact data, information about the company and the request) is processed by the Controller for the purposes set out at point 3 below and by the providing platform, in its capacity as data processor under art. 28 GDPR, in accordance with its own terms and security measures. Submitting the external form is equivalent in all respects to providing the data to the Controller.
2.4 Data from social networks and social login
If the user interacts with the Controller's official pages/profiles on social networks (e.g. LinkedIn, Meta/Facebook/Instagram, X/Twitter, YouTube) or uses any social login or contact features, the Controller may process the data made available by those platforms based on the user's account settings and the privacy policies of the respective providers, such as name, profile picture, contact details, message content and interactions (comments, likes, shares). Platform operators act as independent controllers for the processing performed on their own infrastructure.
2.5 Data for marketing and advertising purposes
Subject to an appropriate legal basis (consent or, where allowed, legitimate interest/“soft spam”), the Controller may process contact data and data relating to interaction with the site and campaigns (e.g. advertising identifiers, conversion events, pages visited) for commercial communication activities, online advertising, retargeting/remarketing and campaign measurement, including through third-party platforms (see points 6, 7 and 8).
2.6 Cookies and tracking tools
For cookies and equivalent technologies please refer to the Cookie Policy, which forms an integral part of this notice.
3. Purposes, legal bases and retention periods
| Purpose | Legal basis | Retention |
|---|---|---|
| Responding to requests (site form or external forms) and managing the call | Pre-contractual measures at the data subject's request (art. 6.1.b GDPR) | Time needed for the request and 24 months from the last contact, except contractual relationship |
| Site operation, security and diagnostics | Legitimate interest of the Controller (art. 6.1.f GDPR) | Time technically required, normally no more than 12 months |
| Management of interactions on the Controller's social channels | Legitimate interest in managing its channels (art. 6.1.f GDPR) | According to the platform rules; content remains unless removed |
| Direct marketing, newsletters and commercial communications | Consent (art. 6.1.a GDPR) or “soft spam” on similar products (art. 130(4) Privacy Code) | Until consent is withdrawn/objection and in any event no more than 24 months from the last contact |
| Online advertising, retargeting/remarketing and campaign measurement (e.g. Google Ads, Meta Ads) | Consent (art. 6.1.a GDPR) | Until consent is withdrawn and according to the durations set out in the Cookie Policy |
| Compliance with legal, accounting and tax obligations | Legal obligation (art. 6.1.c GDPR) | Statutory terms (usually 10 years) |
| Establishment, exercise or defence of a legal claim | Legitimate interest of the Controller (art. 6.1.f GDPR) | Duration of the litigation and limitation periods |
Data is retained for the periods set out above or, in the absence of a fixed term, for the time strictly necessary to achieve the relevant purpose, based on the duration of the relationship, legal obligations and applicable limitation periods. After the retention period, personal data is irreversibly deleted or anonymised, except for further retention required by law or necessary for the establishment, exercise or defence of a legal claim.
4. Nature of the provision
The provision of browsing data is connected to the use of Internet protocols. The provision of data through forms (internal or external) is optional; failure to provide data marked as mandatory makes it impossible to follow up on the request. The provision for marketing and advertising purposes is always optional and any refusal does not affect the use of services.
5. Processing methods and security
Data is processed by electronic means and with logic strictly connected to the stated purposes, applying technical and organisational measures appropriate to the risk (art. 32 GDPR), including access control, encryption of communications in transit and minimisation. No IT or transmission system can be considered absolutely secure: the Controller adopts adequate measures but does not guarantee the absolute inviolability of data and, within the limits allowed by law, is not liable for events not attributable to it, such as unauthorised access by third parties, cyber attacks, force majeure, malfunctions of third-party platforms or acts of third parties.
5.1 Data subject's responsibility for the data provided
The data subject guarantees the accuracy, currency and lawfulness of the data provided through any channel, internal or external form. Should they provide data relating to third parties (e.g. colleagues or company contacts), they declare to be entitled to do so and undertake to indemnify and hold harmless the Controller from any claim by such third parties connected with the provision or processing carried out at their request.
6. Disclosure to third parties; data processors
Data may be processed by authorised personnel of the Controller and communicated, within the limits of the stated purposes, to entities performing related activities, appointed as data processors under art. 28 GDPR, including:
- hosting and email providers;
- online form providers (e.g. Google Ireland Limited for Google Forms);
- newsletter and marketing tool providers;
- advertising and campaign analysis platforms (e.g. Google, Meta);
- consultants, professionals and providers of technical/legal services, each within their respective competences;
- authorities, supervisory and judicial bodies, where required by law or for the defence of a right.
Social network operators act as independent controllers for the processing performed on their platforms. Personal data is not disseminated and is not transferred or disclosed to third parties for purposes other than those set out in this notice, except where required by law or with the data subject's consent. An up-to-date list of data processors is available on request by writing to info@otrebsrl.it.
7. Transfer of data outside the EU
Data is normally processed within the European Economic Area. The use of third-party platforms (e.g. Google, Meta) may involve a transfer to third countries: such transfers take place only in the presence of adequate safeguards under arts. 44 et seq. GDPR, such as an adequacy decision (including, where applicable, the EU–US Data Privacy Framework) or the European Commission's Standard Contractual Clauses, together with supplementary measures.
8. Marketing, advertising profiling and withdrawal
Personalised advertising, retargeting/remarketing and measurement activities through third-party platforms are activated only with express consent through the cookie banner or specific forms; consent can be withdrawn at any time, without prejudice to the lawfulness of prior processing. The user may also manage their advertising preferences through:
- Your Online Choices (EDAA)
- Google Ads Settings
- the advertising and privacy settings of the respective social networks and accounts.
An unsubscribe link is always provided in commercial email communications; alternatively, the user may object by writing to info@otrebsrl.it.
9. Automated decision-making and profiling
The Controller does not adopt automated decision-making processes producing legal effects under art. 22 GDPR. Any profiling activities for advertising purposes are limited to those described at point 8 and carried out exclusively with prior consent.
10. Data relating to minors
The site, forms and services are not directed at persons under 18. The Controller does not knowingly collect data of minors; should it become aware of such data, it will proceed to delete it.
11. Data subject's rights
The data subject may exercise, within the limits of arts. 15–22 GDPR, the rights to:
- access their personal data;
- rectify or supplement the data;
- erase (“right to be forgotten”);
- restrict processing;
- object to processing, including direct marketing at any time;
- data portability;
- withdraw consent, without prejudice to the lawfulness of prior processing.
Requests should be addressed to info@otrebsrl.it. The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Piazza Venezia 11, 00187 Rome — garanteprivacy.it).
12. Changes to this notice
The Controller reserves the right to modify or update this notice, including as a result of regulatory changes or the introduction of new tools (forms, social, advertising). The current version is the one published on this page, with the date of the last update.