Privacy Policy
This policy is provided pursuant to Articles 13 and 14 of EU Regulation 2016/679 (“GDPR”) and of Legislative Decree 196/2003 as amended (“Privacy Code”) to users who visit the website and/or use the Valyo platform (hereinafter also the “Platform” or “Service”).
1. Data Controller
The Data Controller is:
- Name: Nextgen HR S.r.l.
- Registered office: Viale Thomas Alva Edison 110, 20099 Sesto San Giovanni (MI)
- VAT no. / Tax code: IT14095140969
- REA: MI-2761216
- PEC: [email protected]
- Email: [email protected]
(hereinafter, the “Controller” or “Valyo”).
2. Privacy contact point
For any request concerning the processing of personal data and the exercise of the rights set out in the following sections, the data subject may contact:
The Controller has not currently appointed a Data Protection Officer (DPO), as the conditions making it mandatory under art. 37 GDPR do not apply.
3. Categories of data subjects
This policy is addressed to three categories of data subjects:
- Visitors to the public website (homepage, informational pages, contact form).
- Registered users of the Platform (administrators, consultants, corporate users, employees accessing as end users).
- Employees of Client Companies whose data are uploaded to the Platform by their respective employers. For this category Valyo acts as a Data Processor pursuant to art. 28 GDPR on behalf of the Client Company, which remains the Controller. The processing is governed by the relevant Data Processing Agreement (DPA) attached to the Terms of Service. Requests to exercise rights must be addressed to the relevant employer; Valyo will provide the necessary assistance to the Controller.
4. Categories of data processed
4.1 Website visitors’ data
- Navigation data (IP address, user-agent, pages visited, timestamp).
- Contact data provided voluntarily by filling in the contact form (name, email, message content).
4.2 Data of registered Platform users
- Identification and contact data: email, first name, last name, tax code (where required), any external identifier for SSO integrations.
- Credentials: password (stored exclusively as a cryptographic hash, never in plain text).
- Application profile data: assigned role (RBAC), associated companies/holdings/consulting firms, any API keys issued.
- Access and audit data: login logs (date, outcome, IP), administrative impersonation session logs, logs of requests made via API key (endpoint, method, IP, status code).
- Technical data: IP address, user-agent, tenant identifier (subdomain).
4.3 Data of Client Companies’ employees
These are processed on behalf of the Client Company. For a full description, please refer to the DPA. In summary: personal details (first name, last name, tax code, date of birth, gender, email, province of residence, job category) and contractual/remuneration data (gross annual salary, bonuses, welfare, benefits, national collective agreement, contract, job category, job title, province of employment, payroll number).
4.4 Special categories of data (art. 9 GDPR)
The Platform does not process special categories of data under art. 9 GDPR (origin, political opinions, religious beliefs, genetic data, biometric data, health data, data concerning sex life or sexual orientation, individual trade-union membership). The applied national collective agreement (CCNL) is the collective agreement applied by the employer and does not reveal the trade-union membership of the individual employee.
5. Purposes and legal basis of the processing
| # | Purpose | Legal basis |
|---|---|---|
| a | Provision of the Service: registration, authentication, access to Platform features | Performance of the contract under art. 6(1)(b) GDPR |
| b | Administrative management, invoicing and accounting/tax obligations | Legal obligation under art. 6(1)(c) GDPR |
| c | IT security, fraud prevention, incident management, application and audit logs | Legitimate interest under art. 6(1)(f) GDPR — the Controller’s interest in protecting the Service and its users |
| d | Aggregate statistical analysis of Platform usage (Google Analytics 4) | Consent under art. 6(1)(a) GDPR (collected via cookie banner) |
| e | Responding to contact requests received through the public form | Performance of pre-contractual measures / legitimate interest under art. 6(1)(f) GDPR |
| f | Commercial communications and direct marketing | Explicit consent under art. 6(1)(a) GDPR — not currently used |
Providing data for purposes (a), (b), (c) is necessary in order to use the Service: if such data is not provided, it will not be possible to register an account or deliver the Platform. Providing data for purposes (d), (e), (f) is optional.
6. Processing methods
The data are processed using electronic tools. The technical and organizational security measures include:
- Encryption in transit: communications protected with TLS 1.2 or higher.
- Encryption at rest: encrypted disks at the hosting provider level.
- Multi-tenant isolation: logical separation of each client’s data at the PostgreSQL schema level.
- Access control (RBAC): granular roles and permissions, principle of least privilege.
- Audit log: recording of accesses, significant changes and administrative impersonation operations.
- Password hashing: storage of passwords using cryptographic hashing algorithms.
- Authentication cookies: sessions protected via
httpOnlycookies with expiry. - Rate limiting and timeouts to mitigate automated attacks.
- Periodic backups stored with the same provider and in the same geographic region as the main database.
7. Retention periods
| Type of data | Retention period |
|---|---|
| Platform user account | For the duration of the contractual relationship + 24 months from termination, unless longer statutory obligations apply |
| Authentication logs (login attempts) | 24 months |
| Administrative impersonation logs | 24 months |
| API key request logs | 24 months |
| Application error logs (server_errors) | 24 months |
| Technical session cookies | Duration of the browsing session |
| Analytics cookies (Google Analytics 4) | See Cookie Policy |
| Contact data (public form) | 24 months from the reply, unless converted into a client |
| Invoicing and accounting data | 10 years under art. 2220 of the Italian Civil Code |
| Data of Client Companies’ employees | Determined by the Client Company (Controller) — see DPA |
8. Data recipients
The data are accessible to the Controller’s authorized personnel, expressly designated and trained.
The data may be processed by external Data Processors (sub-processors / suppliers), appointed under art. 28 GDPR:
| Supplier | Service | Place of processing | Non-EU transfers |
|---|---|---|---|
| Hetzner Online GmbH | Server, database and backup hosting | Germany (EU) | No |
| Hostinger International Ltd. | Sending of transactional emails (SMTP) | Lithuania / Cyprus (EU) | No |
| Google Ireland Limited | Aggregate statistical analysis (Google Analytics 4) | Ireland (EU), with possible transfer to the USA | Yes — see section 9 |
The data are neither disseminated nor transferred to third parties for marketing purposes. They may be disclosed to judicial, administrative or supervisory authorities solely in fulfillment of legal obligations or legitimate requests.
9. Non-EU data transfers
The Platform’s technical infrastructure (database, applications, backups, transactional emails) is hosted entirely within the European Union.
A transfer of personal data to the United States occurs solely in connection with the Google Analytics 4 service, provided by Google Ireland Limited with possible transfer of the information to the United States of America. The transfer is safeguarded by:
- Google LLC’s adherence to the EU-U.S. Data Privacy Framework (EU Commission adequacy decision of 10 July 2023);
- Standard Contractual Clauses (SCC) entered into between Google and the user of the Service.
Google Analytics 4 is activated only with the prior consent given by the data subject through the cookie banner. In the absence of consent, the tracking tags are not loaded.
10. Rights of the data subject
At any time the data subject may exercise the following rights provided for by Articles 15-22 GDPR:
- Access to their data (art. 15).
- Rectification of inaccurate data (art. 16).
- Erasure of data in the cases provided for (art. 17).
- Restriction of processing (art. 18).
- Portability of data in a structured format (art. 20).
- Objection to processing based on legitimate interest (art. 21).
- Withdrawal of consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (art. 7(3)).
- Complaint to the Supervisory Authority: Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Roma — www.garanteprivacy.it.
These rights may be exercised by writing to [email protected]. The Controller will respond within 30 days of receiving the request, which may be extended for particularly complex requests.
For the data of Client Companies’ employees, requests must be addressed to the relevant employer (Controller); Valyo, as Processor, will provide the necessary assistance.
11. Changes to this policy
The Controller reserves the right to amend this policy at any time, informing data subjects through the publication of the updated version on the Platform. For substantial changes, notice will be sent via email to registered users. The date of the last update will always be indicated.