PRIVACY POLICY

Eagleprojects Logo

Privacy Policy – EAGLEARCA

(Last updated: February 27, 2026)

This policy, drafted pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”), explains how the Joint Controllers, Eagleprojects S.p.A. (registered office at Perugia, Strada San Galgano n. 12/A, ZIP 06125, VAT no. 03489760540) and Digitarca S.r.l. (registered office at Mola di Bari (BA), Corso Umberto I n. 32, ZIP 70042, VAT no. 08005680726), jointly determine the purposes and means of processing the personal data of users who interact with the "EAGLEARCA" website and platform.

For the purposes of this policy, Eagleprojects S.p.A. will also be referred to as “Eagleprojects” and Digitarca S.r.l. as “Digitarca”; together, they will be referred to as the “Joint Controllers”.

The Joint Controllers have entered into a joint controllership agreement pursuant to Art. 26 of the GDPR, which transparently defines their respective roles and responsibilities. The essence of this agreement is available to the data subject, who may request it by contacting the Joint Controllers.

For any need or request regarding the processing of personal data, the user may contact the Joint Controllers at the following addresses:

  • for Eagleprojects S.p.A., email info@eagleprojects.it;
  • for Digitarca S.r.l., email info@digitarca.it.

The Joint Controllers have appointed a Data Protection Officer (DPO), who can be contacted at: privacy@eagleprojects.it.

1. Processing related to the EAGLEARCA website

The EAGLEARCA website is institutional and informational in nature, targeting a professional B2B audience. Personal data is processed for the following purposes and on the following legal bases:

  • Managing requests: Data voluntarily provided through contact or demo request forms (e.g., name, email, company) is processed to respond to such requests. The legal basis is the performance of pre-contractual measures taken at the data subject's request (Art. 6(1)(b) GDPR).
  • Marketing and newsletters: Subject to specific, optional consent (Art. 6(1)(a) GDPR), contact details may be used to send promotional communications and newsletters.
  • Website operation and security: Browsing data (e.g., IP addresses, logs) and data collected through technical cookies are processed to ensure the proper functioning of the site and the security of its systems. The legal basis is the legitimate interest of the Joint Controllers (Art. 6(1)(f) GDPR) to protect their corporate assets and network security.
  • Statistical analysis: The Joint Controllers use analytics tools (e.g., Umami) to collect aggregated statistical data on website usage. In accordance with the relevant guidelines, this processing is based on legitimate interest (Art. 6(1)(f) GDPR) and does not require consent, as data minimization measures are in place to significantly reduce the identifying power of the data (e.g., masking portions of the IP address) and the provider undertakes not to cross-reference the data with other information.

2. Processing related to the EAGLEARCA platform (Front-office and Back-office)

The EAGLEARCA platform, accessible to registered users, processes data for the following purposes:

  • Service provision: The identification and contact data of registered users (name, email, role) and usage data are processed for account management and the provision of contracted services. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).
  • Maintenance and support: Data is processed to ensure technical maintenance and support. The legal basis is the legitimate interest of the Joint Controllers in ensuring the efficiency and security of the platform (Art. 6(1)(f) GDPR).
  • Statistical analysis for service improvement: The Joint Controllers use a statistical analysis service (Umami) to collect aggregated data on the use of the platform, both in the Front-office (studio.eaglearca.com) and Back-office (backoffice.eaglearca.com) areas. The information collected concerns how users interact with the software (e.g., most used features, pages visited) in order to analyze performance and improve the service.
    • The legal basis for this processing is the legitimate interest of the Joint Controllers (Art. 6(1)(f) GDPR) to monitor and optimize their software platform. To protect the rights of data subjects, data minimization measures have been adopted, ensuring that the analysis is carried out exclusively on aggregated data that does not allow for the direct identification of individual users.
    • Pursuant to Art. 21 of the GDPR, the user has the right to object at any time, on grounds relating to their particular situation, to this processing. To exercise this right, the user can contact the Joint Controllers at the addresses indicated in this policy.

3. Data Retention

Data is stored for the time strictly necessary to achieve the purposes for which it was collected:

  • Data for contact or demo requests: 12 months from the last interaction, in the absence of contractual developments.
  • Data related to contractual relationships: 10 years from the termination of the contract, for civil and tax obligations.
  • Data for marketing purposes: until consent is withdrawn.
  • Log and security data: a maximum of 6 months, unless otherwise required by law.
  • Aggregated statistical analysis data: no longer than 24 months from collection.

Once the retention period has expired, the data will be deleted or irreversibly anonymized.

4. Security, Recipients, and Transfers

The Joint Controllers adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Data may be disclosed to third parties acting as data processors (Art. 28 GDPR), such as providers of hosting, IT maintenance, consulting, and statistical analysis services. An updated list of processors is available upon request.

Data is not disseminated. No transfers of data outside the European Economic Area (EEA) are planned. Should this become necessary, it will only occur with adequate safeguards in place (e.g., Standard Contractual Clauses).

5. Rights of the Data Subject

Pursuant to Articles 15-22 of the GDPR, the data subject has the right to:

  • obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data (right of access);
  • obtain the rectification of inaccurate personal data or the completion of incomplete data (right to rectification);
  • obtain the erasure of personal data (right to be forgotten);
  • obtain the restriction of processing in the cases provided for by Art. 18 of the GDPR (right to restriction of processing);
  • receive the data in a structured, commonly used and machine-readable format, and transmit it to another controller (right to data portability);
  • object at any time to processing carried out for direct marketing purposes or based on legitimate interest (right to object);
  • withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Requests can be sent to the addresses indicated in this policy. The data subject may also lodge a complaint with the competent supervisory authority.

6. Nature of Data Provision

The provision of data for managing contact requests or for the performance of a contract is necessary; without it, it will not be possible to fulfill such requests or provide the services. The provision of data for marketing purposes is optional and subject to consent.

7. Automated Decision-Making and Profiling

The Joint Controllers do not carry out fully automated decision-making processes that produce legal effects or similarly significantly affect the data subject, as defined in Art. 22 of the GDPR. The statistical analysis activities described in section 2 do not constitute profiling with decision-making effects but are aimed at improving the service. Any profiling activities for commercial purposes will only take place with the specific consent of the data subject.