This privacy notice, drafted pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, clearly, transparently, and comprehensively explains how the Joint Data Controllers — namely Eagleprojects S.p.A., with registered office in Perugia, Strada San Galgano no. 12/A, CAP 06125, VAT no. 03489760540, and Digitarca S.r.l., with registered office in Mola di Bari (BA), Corso Umberto I no. 32, CAP 70042, VAT no. 08005680726 — jointly determine the purposes and means of processing the personal data of users who interact with the website and with the application/panel named “EAGLEARCA.”
For the purposes of this policy, Eagleprojects S.p.A. will also be referred to as “Eagleprojects” and Digitarca S.r.l. as “Digitarca”; jointly they will be referred to as “the Joint Controllers” or “the Controller.”
The Joint Controllers have entered into a joint controllership agreement pursuant to Article 26 of the GDPR, which transparently defines their respective roles and responsibilities regarding compliance with the obligations deriving from the GDPR, particularly concerning the exercise of data subjects’ rights and information duties. The essential elements of this agreement are available to the data subject, who may request a copy by sending a communication to the addresses indicated below.
For any needs or requests relating to the processing of personal data, users may contact the Joint Controllers at the following addresses:

• for Eagleprojects S.p.A., e-mail: info@eagleprojects.it, PEC: eagleprojects@pec.it;
• for Digitarca S.r.l., e-mail: info@digitarca.it, PEC: digitarcasrl@pec.it;

The Joint Controllers have appointed a Data Protection Officer (DPO), who can be contacted at: privacy@eagleprojects.it

The EAGLEARCA website has an institutional and informational nature and is aimed at a professional B2B audience composed of Public Administrations, management entities, utilities, consortia, and private companies operating in the sectors of infrastructure, energy, mobility, smart cities, agritech, and robotics, as well as technological partners and strategic stakeholders. However, visitors interested in learning about the platform, requesting a demo, or receiving institutional communications may also access it.
The website collects data voluntarily provided by the user when submitting contact or demo requests, such as name, surname, e-mail, company, role, and message content. In addition to the data provided directly, the website automatically acquires certain browsing data (such as IP addresses, technical logs, and browser information) and uses technical cookies, which are regulated in detail in the Cookie Policy.
The data collected through the site are processed to respond to user requests, organize personalized demos, provide technical or commercial information, and — where consent has been given — to send newsletters and promotional communications.
The legal basis for such processing lies primarily in the data subject’s consent, given through the appropriate banner or forms that collect the consents related to the intended purpose. Data provided for the use of EAGLEARCA or for other consultancy purposes are processed based on the performance of a contract or pre-contractual measures, and on compliance with legal obligations.
Browsing data and data collected through technical cookies are processed to ensure the proper functioning of the website and IT security, based on the legitimate interest of the Controller. EAGLEARCA does not use non-anonymized analytical cookies or profiling cookies, the processing of which is always subject to the user’s explicit consent.
Processing is mainly carried out using electronic and automated tools, in compliance with the principles of lawfulness, fairness, and transparency. Appropriate technical and organizational measures are adopted to prevent unauthorized access, loss, or unlawful use of processed data.
Specifically, pursuant to Article 6 of the GDPR:
processing related to requests sent via forms is based on the execution of pre-contractual measures taken at the data subject’s request;
processing related to fiscal and civil obligations is based on compliance with legal obligations;
processing for security and abuse prevention purposes is based on the legitimate interest of the Joint Controllers.

The EAGLEARCA application is intended for clients and registered users who, by virtue of specific contractual relationships, access the platform to use the technological modules provided (GIS, 3D, IoT, AI, robotics, and others).
To enable account creation and management, the Controller collects and processes users’ identifying data (name, surname, e-mail, role, access credentials) as well as platform usage data (activity logs, set preferences, activated modules).
The processing of registered users’ data is necessary for account management and the provision of the requested modular services, as well as for maintenance and technical assistance — whose legal basis lies in the performance of the contract, and for maintenance activities, in the legitimate interest of the Controller. Further processing, such as sending newsletters and commercial communications to registered users or analyzing usage patterns for profiling purposes, may only take place with the data subject’s express consent.
Registration for and use of the EAGLEARCA application/panel are not permitted for individuals under the age of eighteen. Any personal data provided in violation of this prohibition will be deleted as soon as the Joint Controllers become aware of it.
Pursuant to Article 6 of the GDPR, processing related to account management and the provision of modular services is based on contract performance; maintenance and security activities are based on the legitimate interest of the Joint Controllers.

Data collected through website forms are stored for a maximum of twenty-four months in the absence of further contractual developments. Data related to contractual relationships and user accounts on the platform are stored for ten years, in accordance with civil and fiscal obligations. The duration of cookies varies by type and is specified in the Cookie Policy.
Specifically:

• technical access logs are stored for up to six months, unless longer retention is required for IT security reasons or by judicial authorities;
• contact data collected for demo or information requests are stored for twelve months.

After the retention period has expired, data will be deleted or irreversibly anonymized, unless further retention is required by law or by order of an Authority.

The Controller adopts technical and organizational measures appropriate to ensure a level of security suitable to the risk, including encryption systems, backup procedures, periodic audits, and incident management protocols.
Data may be communicated to third parties providing technical support, hosting, legal or IT consultancy, and management of cookie systems and web tracking. No data transfer to non-EU countries is foreseen; should such transfer become necessary, adequate safeguards — such as the Standard Contractual Clauses approved by the European Commission — will be implemented.
An updated list of data processors and third parties to whom data may be communicated is available at the Joint Controllers’ registered offices and may be requested by the data subject at any time via the addresses indicated above.
Data will not be disseminated. The Joint Controllers ensure that any IT service providers and cloud providers act as data processors pursuant to Article 28 GDPR, bound by a specific written contract.

Pursuant to Articles 15–22 of the GDPR, the data subject has the right to:

• obtain confirmation as to whether personal data concerning them are being processed, and, if so, access such data and related information;
• obtain the rectification of inaccurate data and the updating or completion of incomplete data;
• obtain the erasure of data;
• obtain restriction of processing in the cases provided for by Article 18;
• receive the data in a structured, commonly used, and machine-readable format, and to transmit them to another controller;
• object at any time to processing carried out for direct marketing purposes or based on legitimate interest;
• withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
The exercise of these rights is free of charge; however, pursuant to Article 12(5) GDPR, if requests are manifestly unfounded or excessive, particularly due to their repetitive nature, the Joint Controllers may charge a reasonable fee or refuse to act on the request.
Requests may be sent without special formalities to the addresses indicated in this notice. The Joint Controllers undertake to respond within 30 days of receipt, extendable to 90 days in particularly complex cases, while notifying the data subject within 30 days of the reasons for the extension.
The data subject may also lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it – Piazza Venezia 11, 00187 Rome). The website and platform are not intended for individuals under the age of eighteen.

The provision of personal data by the user is optional but necessary to process requests (e.g. contact or demo requests). Failure to provide data marked as mandatory in forms will make it impossible to fulfil the request. Providing data for marketing and newsletter purposes is optional and subject to the data subject’s explicit consent.

The Controller does not carry out fully automated decision-making processes that produce legal effects or significantly affect the data subject, within the meaning of Article 22 GDPR.
Any profiling activities for commercial purposes or for analyzing platform usage preferences may only take place with the data subject’s express consent, following a specific notice detailing the logic used, the expected consequences, and the safeguards in place.