Privacy & Data Protection

Privacy Policy

This policy governs the processing of personal data carried out through the QHSE platform and related pre-contractual, contractual, support, security, billing, and compliance activities. It is drafted pursuant to Articles 12, 13 and 14 of Regulation (EU) 2016/679, Legislative Decree 196/2003 as amended, and applicable Italian and European data protection rules.

ControllerUESE ITALIA S.p.A.

Registered officePiazza Trivulziana 4/A, 20126 Milano (IT)

Privacyprivacy@uese.eu

DPOdpo@uese.it

1. Data controller and contacts

Unless otherwise specified in a separate agreement for specific services, the data controller is UESE ITALIA S.p.A., Piazza Trivulziana 4/A, 20126 Milano (IT), VAT no. IT04398760274, REA MI 2679515, SDI 3ZJY534, LEI 815600299308A5DAE574. Contacts: privacy@uese.eu; certified email: unitedsafety@pec.it; DPO contact: dpo@uese.it; phone +39 02 5656 8416.

2. Categories of data processed

identification and contact data of company representatives, users, candidates, and technical contacts;
company, tax, billing, contractual and administrative data;
authentication credentials, access records, session data, IP addresses, device/browser metadata, audit trails, and security logs;
documents, attachments, tickets, support requests, uploaded content, and workflow information entered in the platform;
payment and transaction references managed directly or indirectly through enabled payment service providers.

3. Purposes and legal bases

Purpose	Legal basis
Account creation, authentication, user administration, workspace delivery and requested SaaS features.	Contract performance and pre-contractual measures (Art. 6(1)(b) GDPR).
Legal, accounting, tax, anti-fraud, security, traceability, and compliance obligations.	Legal obligation (Art. 6(1)(c) GDPR).
Platform hardening, vulnerability management, event correlation, incident response, business continuity, forensic preservation, and abuse prevention.	Legitimate interest of the controller and users to protect systems, data, and service continuity (Art. 6(1)(f) GDPR).
Commercial communications, newsletters, and optional profiling where enabled.	Consent and, where lawful, legitimate interest within B2B limits.

4. Nature of provision

Provision of data marked as mandatory is necessary to activate the account, execute the contract, issue invoices, manage assistance, or ensure security controls. Failure to provide such data may make it impossible to deliver the service, onboard the company, or comply with legal obligations.

5. Processing methods and security safeguards

Processing is performed using digital, telematic, and organizational tools according to confidentiality-by-design principles and role-based access control. Depending on the service layer, UESE may implement credential policies, segmentation, backup routines, logging, integrity controls, audit trails, least-privilege administration, document traceability, and incident escalation procedures proportionate to the processed data and risk exposure.

6. Recipients and authorized subjects

Data may be processed by duly authorized personnel of UESE ITALIA S.p.A., technical administrators, consultants, group companies and suppliers appointed as processors under Art. 28 GDPR, including hosting providers, mail providers, ticketing, security, payment, backup, maintenance, and professional service partners. Data may also be disclosed to competent authorities, courts, supervisory bodies, banks, insurers, or auditors where required by law or necessary to protect rights.

7. International transfers

Where some tools or infrastructures involve processing outside the EEA, UESE shall adopt one of the safeguards permitted by Articles 44 et seq. GDPR, such as adequacy decisions, Standard Contractual Clauses, transfer impact assessments, supplementary technical or organizational measures, and data minimization strategies.

8. Retention periods

contact and pre-contractual data: generally up to 12 months from the last meaningful interaction, unless further relations arise;
contractual, accounting, and billing data: normally 10 years, unless longer terms apply by law or litigation needs;
technical and security logs: normally about 6 months, subject to extension where necessary for security, forensic analysis, fraud prevention, or authority requests;
marketing data: until consent withdrawal or proven objection.

9. Rights of data subjects

Data subjects may exercise rights under Articles 15–22 GDPR, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable. UESE may request information necessary to verify the identity and entitlement of the requester, especially in the event of requests concerning corporate or multi-user environments.

10. Complaints and updates

A complaint may be lodged with the Italian Data Protection Authority pursuant to Article 77 GDPR, without prejudice to any other administrative or judicial remedy. UESE reserves the right to update this policy to reflect regulatory, technical, or organizational changes; the updated version shall be published on the platform with the relevant effective date.