Privacy Policy – Registration and Login
Introduction
Pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter also referred to as the "GDPR"), Ridewill S.r.l., as the Data Controller (hereinafter also referred to as the "Controller" or "Ridewill"), informs users about the use of personal data collected for the purpose of registration and login of users who create a personal account on the Ridewill website and interact with their reserved area.
1. Data Controller and Data Protection Officer (DPO)
Pursuant to Article 4(7) of the GDPR, the Data Controller is Ridewill, headquartered in Via Socrate, 6 – 22070 Casnate con Bernate (Co). Tel.: +39.031.5476941, E-mail: info@ridewill.it, PEC: ridewill@pec.it
Ridewill’s Data Protection Officer (DPO) can be contacted at: E-mail: dpo@trustds.it, PEC: dpotrustds@legalmail.it
2. Purpose of Processing, Personal Data Processed and Legal Basis, Retention Period, and Nature of Data Provision
Purpose of processing: To enable user registration and login on the Ridewill website.
- Personal data processed: In the case of initial registration, the following data are processed: first name, last name, e-mail address, password, nationality, and user type (private/company). For login by an already registered user, only e-mail and password are processed. Users may also register/login using their Google, Microsoft, Apple, or Facebook accounts. In these cases, the respective platforms share with Ridewill the e-mail address associated with the user’s account and any additional personal data made available by the user or the specific platform.
- Legal basis for processing: The processing of personal data is carried out based on the user’s freely given consent (Article 6(1)(a) GDPR). Consent is provided during registration or by choosing to access the Ridewill website using Google/Microsoft/Apple/Facebook credentials.
- Data retention period: Personal data will be retained until consent is withdrawn, which can be done by contacting the Controller or the DPO via the e-mail addresses provided in section 1 of this notice. In any case, registered user data will be deleted ten years after the last order placed or, in the absence of any orders, after three years of account inactivity, or after 7 days if registration is not confirmed. In such cases, the user will need to register again. Longer retention periods may apply for individual orders related to contractual obligations.
- Nature of data provision: Providing data is optional, and without consent, the data will not be processed for the intended purpose.
3. Processing Methods and Data Recipients
Personal data collected are processed in compliance with the principles outlined in Article 5 of the GDPR.
Processing is carried out by individuals authorized by the Controller for the purposes described above. Authorized persons are bound by professional confidentiality. Processing may also involve external parties appointed as Data Processors, who process data in accordance with the purposes and means defined by the Controller, in compliance with Article 28 of the GDPR.
Processing is carried out in compliance with fundamental rights and freedoms and adheres to the principles of fairness, lawfulness, and transparency as provided by Article 5 of the GDPR. The Controller ensures that the information processed is relevant and proportionate to the purposes pursued.
4. Data Transfer Outside the European Economic Area (EEA)
Personal data processed for the above purposes are not generally transferred to third countries outside the European Union or the European Economic Area (EEA), nor to international organizations. Should data be transferred outside the EEA, the Controller undertakes to comply with Chapter V of the Regulation to ensure adequate data protection.
5. Data Subjects’ Rights
Data subjects – i.e., natural persons to whom the data relate – may exercise the rights provided under Articles 15 et seq. of the GDPR, including the right to access their personal data, request rectification, restriction, or deletion (where applicable), object to processing, and exercise the right to data portability. Where processing is based on consent, data subjects also have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise their rights, data subjects may contact the Controller or the Data Protection Officer using the contact details provided in this notice.
If data subjects believe that the processing of their personal data by the Controller violates the GDPR, they have the right to lodge a complaint with a supervisory authority in the Member State where they habitually reside, work, or where the alleged violation occurred (Article 77 GDPR). The Italian supervisory authority is the Garante per la protezione dei dati personali, whose contact details are available at www.garanteprivacy.it.
Under Article 79 of the GDPR, data subjects also have the right to seek a judicial remedy if they believe that their rights have been infringed due to processing.
6. Changes to This Privacy Notice
Ridewill may amend, add to, or remove any part of this privacy notice. To facilitate verification of any updates, the notice includes the date of the latest revision.
Last Updated: 10 October 2025