Valyo

Privacy Policy

Version 1.0 — Last updated: 28 May 2026

This policy is provided pursuant to Articles 13 and 14 of EU Regulation 2016/679 (“GDPR”) and of Legislative Decree 196/2003 as amended (“Privacy Code”) to users who visit the website and/or use the Valyo platform (hereinafter also the “Platform” or “Service”).

1. Data Controller

The Data Controller is:

  • Name: Nextgen HR S.r.l.
  • Registered office: Viale Thomas Alva Edison 110, 20099 Sesto San Giovanni (MI)
  • VAT no. / Tax code: IT14095140969
  • REA: MI-2761216
  • PEC: [email protected]
  • Email: [email protected]

(hereinafter, the “Controller” or “Valyo”).

2. Privacy contact point

For any request concerning the processing of personal data and the exercise of the rights set out in the following sections, the data subject may contact:

[email protected]

The Controller has not currently appointed a Data Protection Officer (DPO), as the conditions making it mandatory under art. 37 GDPR do not apply.

3. Categories of data subjects

This policy is addressed to three categories of data subjects:

  1. Visitors to the public website (homepage, informational pages, contact form).
  2. Registered users of the Platform (administrators, consultants, corporate users, employees accessing as end users).
  3. Employees of Client Companies whose data are uploaded to the Platform by their respective employers. For this category Valyo acts as a Data Processor pursuant to art. 28 GDPR on behalf of the Client Company, which remains the Controller. The processing is governed by the relevant Data Processing Agreement (DPA) attached to the Terms of Service. Requests to exercise rights must be addressed to the relevant employer; Valyo will provide the necessary assistance to the Controller.

4. Categories of data processed

4.1 Website visitors’ data

  • Navigation data (IP address, user-agent, pages visited, timestamp).
  • Contact data provided voluntarily by filling in the contact form (name, email, message content).

4.2 Data of registered Platform users

  • Identification and contact data: email, first name, last name, tax code (where required), any external identifier for SSO integrations.
  • Credentials: password (stored exclusively as a cryptographic hash, never in plain text).
  • Application profile data: assigned role (RBAC), associated companies/holdings/consulting firms, any API keys issued.
  • Access and audit data: login logs (date, outcome, IP), administrative impersonation session logs, logs of requests made via API key (endpoint, method, IP, status code).
  • Technical data: IP address, user-agent, tenant identifier (subdomain).

4.3 Data of Client Companies’ employees

These are processed on behalf of the Client Company. For a full description, please refer to the DPA. In summary: personal details (first name, last name, tax code, date of birth, gender, email, province of residence, job category) and contractual/remuneration data (gross annual salary, bonuses, welfare, benefits, national collective agreement, contract, job category, job title, province of employment, payroll number).

4.4 Special categories of data (art. 9 GDPR)

The Platform does not process special categories of data under art. 9 GDPR (origin, political opinions, religious beliefs, genetic data, biometric data, health data, data concerning sex life or sexual orientation, individual trade-union membership). The applied national collective agreement (CCNL) is the collective agreement applied by the employer and does not reveal the trade-union membership of the individual employee.

5. Purposes and legal basis of the processing

#PurposeLegal basis
aProvision of the Service: registration, authentication, access to Platform featuresPerformance of the contract under art. 6(1)(b) GDPR
bAdministrative management, invoicing and accounting/tax obligationsLegal obligation under art. 6(1)(c) GDPR
cIT security, fraud prevention, incident management, application and audit logsLegitimate interest under art. 6(1)(f) GDPR — the Controller’s interest in protecting the Service and its users
dAggregate statistical analysis of Platform usage (Google Analytics 4)Consent under art. 6(1)(a) GDPR (collected via cookie banner)
eResponding to contact requests received through the public formPerformance of pre-contractual measures / legitimate interest under art. 6(1)(f) GDPR
fCommercial communications and direct marketingExplicit consent under art. 6(1)(a) GDPR — not currently used

Providing data for purposes (a), (b), (c) is necessary in order to use the Service: if such data is not provided, it will not be possible to register an account or deliver the Platform. Providing data for purposes (d), (e), (f) is optional.

6. Processing methods

The data are processed using electronic tools. The technical and organizational security measures include:

  • Encryption in transit: communications protected with TLS 1.2 or higher.
  • Encryption at rest: encrypted disks at the hosting provider level.
  • Multi-tenant isolation: logical separation of each client’s data at the PostgreSQL schema level.
  • Access control (RBAC): granular roles and permissions, principle of least privilege.
  • Audit log: recording of accesses, significant changes and administrative impersonation operations.
  • Password hashing: storage of passwords using cryptographic hashing algorithms.
  • Authentication cookies: sessions protected via httpOnly cookies with expiry.
  • Rate limiting and timeouts to mitigate automated attacks.
  • Periodic backups stored with the same provider and in the same geographic region as the main database.

7. Retention periods

Type of dataRetention period
Platform user accountFor the duration of the contractual relationship + 24 months from termination, unless longer statutory obligations apply
Authentication logs (login attempts)24 months
Administrative impersonation logs24 months
API key request logs24 months
Application error logs (server_errors)24 months
Technical session cookiesDuration of the browsing session
Analytics cookies (Google Analytics 4)See Cookie Policy
Contact data (public form)24 months from the reply, unless converted into a client
Invoicing and accounting data10 years under art. 2220 of the Italian Civil Code
Data of Client Companies’ employeesDetermined by the Client Company (Controller) — see DPA

8. Data recipients

The data are accessible to the Controller’s authorized personnel, expressly designated and trained.

The data may be processed by external Data Processors (sub-processors / suppliers), appointed under art. 28 GDPR:

SupplierServicePlace of processingNon-EU transfers
Hetzner Online GmbHServer, database and backup hostingGermany (EU)No
Hostinger International Ltd.Sending of transactional emails (SMTP)Lithuania / Cyprus (EU)No
Google Ireland LimitedAggregate statistical analysis (Google Analytics 4)Ireland (EU), with possible transfer to the USAYes — see section 9

The data are neither disseminated nor transferred to third parties for marketing purposes. They may be disclosed to judicial, administrative or supervisory authorities solely in fulfillment of legal obligations or legitimate requests.

9. Non-EU data transfers

The Platform’s technical infrastructure (database, applications, backups, transactional emails) is hosted entirely within the European Union.

A transfer of personal data to the United States occurs solely in connection with the Google Analytics 4 service, provided by Google Ireland Limited with possible transfer of the information to the United States of America. The transfer is safeguarded by:

  • Google LLC’s adherence to the EU-U.S. Data Privacy Framework (EU Commission adequacy decision of 10 July 2023);
  • Standard Contractual Clauses (SCC) entered into between Google and the user of the Service.

Google Analytics 4 is activated only with the prior consent given by the data subject through the cookie banner. In the absence of consent, the tracking tags are not loaded.

10. Rights of the data subject

At any time the data subject may exercise the following rights provided for by Articles 15-22 GDPR:

  • Access to their data (art. 15).
  • Rectification of inaccurate data (art. 16).
  • Erasure of data in the cases provided for (art. 17).
  • Restriction of processing (art. 18).
  • Portability of data in a structured format (art. 20).
  • Objection to processing based on legitimate interest (art. 21).
  • Withdrawal of consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (art. 7(3)).
  • Complaint to the Supervisory Authority: Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Roma — www.garanteprivacy.it.

These rights may be exercised by writing to [email protected]. The Controller will respond within 30 days of receiving the request, which may be extended for particularly complex requests.

For the data of Client Companies’ employees, requests must be addressed to the relevant employer (Controller); Valyo, as Processor, will provide the necessary assistance.

11. Changes to this policy

The Controller reserves the right to amend this policy at any time, informing data subjects through the publication of the updated version on the Platform. For substantial changes, notice will be sent via email to registered users. The date of the last update will always be indicated.

Valyo

The Compensation Intelligence platform for objective, consistent and sustainable pay decisions. Compliant with EU Directive 2023/970.

Platform
FrameworkFeaturesJob EvaluationAction planWho it's for
Contact
Request a demoContact form[email protected]
Legal
Privacy PolicyCookie Policy
© 2026 Valyo. All rights reserved.
A product byNextgen HR S.r.l.
Nextgen HR SRL·Registered office: Viale Thomas Alva Edison 110, 20099 Sesto San Giovanni (MI)·P.IVA / C.F. 14095140969·REA MI-2761216·PEC [email protected]