PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA
PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679 (GDPR)

WHO WE ARE AND WHO WILL PROCESS YOUR PERSONAL DATA*

Welcome to our website https://astrorei.io/. The site is managed by Astrorei S.r.l., with registered office in Pavia (PV), Via Fratelli Cuzio 42, 27100, Tax Code/VAT No. 11539480969, email privacy@astrorei.io, acting as Data Controller of the personal data collected. The Data Controller has appointed a Data Protection Officer (“DPO”), who can be contacted at dpo@astrorei.io.
Astrorei S.r.l. considers the protection of your personal data (more generally, the Users, also referred to as “Data Subjects”) to be of fundamental importance and ensures that such processing will take place in full compliance with European Regulation No. 2016/679 on the protection of personal data (General Data Protection Regulation, hereinafter “GDPR”) and any other applicable laws, adopting the appropriate and necessary security measures to keep such data safe.

SOME IMPORTANT PRELIMINARY INFORMATION

What is meant by “personal data”? The GDPR adopts a very broad concept that refers to all information that allows you to be identified, directly or indirectly, such as your name, address, telephone number, email address, IP address, geographical location, etc. (hereinafter, the “Personal Data”).

What is meant by “processing of personal data”? Again, under the GDPR, processing Personal Data means carrying out any operation on such data, such as collecting, storing, using, modifying, sharing, or deleting it. This may take place with or without digital tools.

This Privacy Notice is important because it is intended to provide you with all information about the processing of your personal data in a clear and transparent way, so that you can manage it knowingly. If you have any doubts or would like to modify your data, you can always contact us using the contact details provided at the end of this Privacy Notice.

This Privacy Notice therefore relates exclusively to the processing of data handled as a result of browsing the website https://astrorei.io, or communicated by the User through emails, phone calls, or otherwise obtained through the use of the services offered, and not to any other websites that may be visited through links.

WHAT PERSONAL DATA DO WE PROCESS?

The Data Controller may collect the following Personal Data:

• the data you provide when requesting information in the “contact” section (first name, last name, email address, telephone number, project description, and indicative budget) and/or during calls made to the Data Controller's contacts or via email to request information;
• the data you provide by filling in the form in the “Work with us” section of the website or by spontaneously sending us your curriculum vitae (e.g. first name, last name, contact details, professional experience, education, and further information contained in the CV). If you include special categories of personal data in your CV (for example, data revealing health status, belonging to protected categories, etc.), such data will be processed only where strictly relevant and necessary for the assessment of your application and within the limits set out by Art. 9(2)(b) GDPR and applicable national employment law. In any case, we invite you not to include data that is irrelevant or excessive in relation to the recruitment purpose;
• the data we collect directly when you browse our website (browsing data): the IT systems and software procedures used to operate the Website acquire, during their normal operation, certain technical data whose transmission is implicit in the use of Internet communication protocols. This data is not collected in order to identify you personally, but only to obtain anonymous statistical information on the use of the Website, to monitor its proper functioning, ensure its updating and security, provide Users with a user-friendly browsing experience and, in any case, identify anomalies and/or misuse. However, this is information that could allow indirect identification if combined with other information held by third parties (e.g. IP addresses, domain names of the computers used by Users connecting to the Website, browser used and its version, time of request, size of information flows, etc.);
• the data we collect through Cookies, including those connected to plugins and/or buttons linking to the Data Controller's social network pages: in this regard, please refer to the information available in the Cookie Policy, which contains detailed information on their use while browsing the website.

We would like to clarify that the Personal Data indicated above is processed only to the extent necessary to achieve the purposes described in the following paragraph of this Privacy Notice.

WHAT IS THE PURPOSE AND LEGAL BASIS OF THE PROCESSING OF PERSONAL DATA?

The Data Controller will process your Personal Data for:
a) “Pre-contractual / contractual purposes”: responding to requests submitted, assessing applications and managing staff selection activities in the event of CV submission, as well as allowing the data subject to use the services made available by the Data Controller and/or to manage the contractual relationship to which the data subject is a party - Legal basis: Art. 6(1)(b) GDPR;
b) “Website management purposes”: making the Website's functionalities available as a consequence of the User's access and browsing - Legal basis: Art. 6(1)(f) GDPR;
c) “Purposes of establishing, exercising and/or defending rights”: the personal data we collect through the Website may be necessary to assert and protect the Data Controller's rights of defense before any competent authority - Legal basis: Art. 6(1)(f) GDPR;
d) “Purposes of compliance with legal obligations”: the personal data collected through the Website may be used to comply with legal obligations, including tax obligations (in the event of contractual agreements), as well as to respond to legitimate requests (e.g. access requests) or requests for transmission of information by Authorities and authorized parties - Legal basis: Art. 6(1)(c) GDPR;
e) “Marketing”: only subject to freely given consent, sending commercial, promotional, and advertising communications by the Data Controller, through electronic means, relating to its services and activities - Legal basis: Art. 6(1)(a) GDPR;
f) “Soft spam”: sending communications relating to services similar to those already used by the client/user to the email address provided in the context of a previous contractual relationship - Legal basis: Art. 6(1)(f) GDPR and Art. 130(4) of the Italian Privacy Code (Legislative Decree 196/2003).

TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED AND WHO MAY PROCESS IT?

Your Personal Data may be disclosed, in order to properly carry out all processing activities necessary to pursue the purposes set out in this Privacy Notice, to our collaborators, expressly authorized, or to consultants and service providers of a professional and technical nature, who may also carry out processing activities on our behalf (purely by way of example and not limitation: IT service providers, website/booking management, direct marketing service providers, etc.). Where required by law or by the Authorities, the data may be disclosed to public bodies and entities or to the Judicial Authority.
Personal Data is not otherwise disclosed to other third parties, unless required by law, in connection with legal action or legal proceedings, or where otherwise necessary to protect the rights or interests of the Data Controller.
Personal Data will not be disseminated. Moreover, unless expressly consented to, it will not be subject to profiling.

WHERE AND HOW IS YOUR PERSONAL DATA PROCESSED?

We will process your Personal Data within the territory of the EU; should it become necessary, for technical and/or operational reasons, or in pursuit of legitimate interests, to use entities located outside the EU, for example because one of the parties listed in the paragraph “TO WHOM MAY YOUR PERSONAL DATA BE DISCLOSED AND WHO MAY PROCESS IT?” is located outside the European Union, we hereby inform you in advance that the transfer of Personal Data to such parties will take place only for the performance of specific activities. Any transfer to non-EU countries, in addition to the cases in which this is guaranteed by adequacy decisions of the European Commission, will be carried out so as to provide appropriate safeguards pursuant to Arts. 45, 46, 47, and 49 GDPR.
Personal Data will not be disseminated, nor will it be subject to fully automated decision-making processes.
The processing of your Personal Data will in any case be carried out by automated and non-automated means, with logic strictly related to the purposes themselves and, in any event, in such a way as to ensure the security and confidentiality of the data. In order to guarantee the security of Users' personal data, we will adopt adequate and appropriate technical and organizational measures, in compliance with Art. 32 GDPR.

HOW LONG WILL PERSONAL DATA BE PROCESSED?

We will process your Personal Data for the period necessary to fulfill the Purposes listed above for which the data was collected, as set out in this Privacy Notice. In particular:
a) for the “pre-contractual / contractual purposes” referred to in letter a), with specific reference to potential clients (mere requests for information), the data will be retained for the time strictly necessary to provide the requested responses, unless further retention is necessary to comply with contractual or legal obligations in the specific case of a contractual relationship; with specific reference to CVs, the data will be retained for a period not exceeding 24 months from their receipt or, if later, from the conclusion of the application selection procedure; browsing data will be deleted at the end of the browsing session, unless it is necessary for the exercise or defense of rights. Only in the event of a subsequent contractual relationship will the data be retained for 10 years from the conclusion of the contract, for tax and legal protection purposes;
b) for the “website management purpose”, for the period strictly necessary to ensure the functioning of the Website, without prejudice to any retention periods required by laws and regulations;
c) for the “purposes of establishing, exercising and/or defending rights” referred to in letter c), in the event of any dispute, the data will be retained for 10 years from the end of the judicial/extrajudicial dispute, without prejudice to further retention in the event of interruption of the limitation period, as provided by law;
d) for the “purpose of compliance with legal obligations”, the data will be retained for the time necessary based on the relevant legal obligation, including with regard to tax regulations;

5. for “marketing”, the data is retained until consent is expressly withdrawn, and in any case for a maximum period of 24 months from the User's last significant interaction;
6. for “soft spam” referred to in letter f), the data is retained until the User expressly objects to receiving update emails about similar services, by sending an email to the address provided.

After the above retention periods have elapsed, we will adopt measures aimed at deleting or anonymizing data that does not need to be retained for further specific legal obligations.

IS IT POSSIBLE TO WITHDRAW THE CONSENT GIVEN?

You have the right to withdraw, at any time, any consent given for marketing purposes (pursuant to Art. 7(3) GDPR). The withdrawal takes effect from the moment it is made and has no retroactive effect. The methods for withdrawing consent are very simple: simply contact us using the contact channels indicated in this Privacy Notice (e.g. by writing to privacy@astrorei.io, or, where provided, by selecting the “unsubscribe” option from services based on consent in the emails received).

WHAT ARE YOUR RIGHTS?

You have the right to ask the Data Controller, pursuant to Arts. 15-22 GDPR, for access to your personal data (you may contact us to know whether your personal data is being processed and to obtain the legally required information on the processing), rectification (correction of inaccurate data or completion of incomplete data), erasure - the right to be forgotten - of such data (to obtain deletion of personal data, in the cases provided by law), restriction of processing (to obtain the storage only of the data, excluding other activities, in the cases provided by law), to object to its processing (to stop further processing of personal data for reasons related to your particular situation, unless overriding compelling legitimate grounds apply, in the cases provided by law), as well as data portability (where applicable in the specific case, to obtain the data in a structured, commonly used, and machine-readable format and also obtain its direct transmission to another Data Controller, in the cases provided by law). Related requests may be sent to our contacts indicated below, attaching an identity document for proper identification. For further information, you may visit the website of the Italian Data Protection Authority https://www.garanteprivacy.it/Regolamentoue/diritti-degli-interessati

Without prejudice to your right to take action before any other administrative or judicial authority, you always have the right to lodge a complaint with the Italian Data Protection Authority, the supervisory authority for the protection of Personal Data (see https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali), if you believe that the processing we carry out has taken place in violation of applicable law.

WHERE CAN YOU CONTACT US TO EXERCISE YOUR RIGHTS?

You may contact us at any time in order to exercise the rights provided for by the GDPR by sending a communication to the contact details indicated above and repeated below: Astrorei S.r.l., with registered office in Pavia (PV), Via Fratelli Cuzio 42, 27100, Tax Code/VAT No. 11539480969, email privacy@astrorei.io. It is also possible to contact the DPO at dpo@astrorei.io.

IS THE USER OBLIGED TO PROVIDE PERSONAL DATA?

The User must provide Personal Data for the “Pre-contractual / contractual purposes” referred to in the paragraph on processing purposes, letter a), as well as for the related and connected purposes (letters b, c, d), as such data is necessary to receive the requested information and obtain the requested service. If the User does not wish the personal data to be processed for these purposes, the User will not be able to use the requested services and/or receive the requested information. Conversely, providing Personal Data for the purposes referred to in letter e) is always optional: failure to provide such data and/or to consent will only make it impossible for the Data Controller to carry out marketing activities. With reference to Soft Spam, the User always has the right to object to the use of the email address provided when purchasing the service for the purpose of receiving update communications.

CHANGES AND UPDATES

Please note that this Privacy Notice may be amended due to the introduction of new personal data protection laws and, accordingly, Users are invited to periodically review this page.

Last updated: May 2026