mobile-logo
 

Privacy Policy

PRIVACY POLICY

pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

Version 2.0 – Last updated: May 2025

 

This Privacy Policy describes how Raptech S.r.l. processes the personal data of users and clients who visit the website www.raptech.it and/or use the R-Cloud platform. All processing is carried out in full compliance with Regulation (EU) 2016/679 (GDPR), Italian Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018, the Guidelines of the Italian Data Protection Authority (Garante per la protezione dei dati personali), and the opinions and guidelines of the European Data Protection Board (EDPB).

1. Data Controller

The Data Controller for the processing of personal data is:

Company name Raptech S.r.l.
Registered office Via Eleonora Duse 53, 00197 Rome (RM), Italy
Email info@raptech.it
Phone +39 06 64496436
PEC / Privacy contact raptech@pec.it

To exercise the rights referred to in Section 10, data subjects may contact the Data Controller at the above details, indicating in the subject line: “Privacy Request – GDPR”.

2. Data Protection Officer (DPO)

Raptech S.r.l. has assessed its position regarding the obligation to appoint a Data Protection Officer (DPO) pursuant to Article 37 GDPR, taking into account the nature, scope and purposes of the processing activities carried out.

For any questions relating to the protection of personal data, data subjects may contact the Data Controller at the details provided in Section 1.

3. Categories of Personal Data Processed and Sources

Raptech S.r.l. processes the following categories of personal data, collected directly from the data subject or from legitimate third-party sources:

3.1 Data provided directly by the data subject

  • Identification and contact data: first name, last name, job title, email address, phone number, postal address
  • Company data (for B2B clients): company name, VAT number, Tax Code, company registration number, details of the legal representative
  • R-Cloud platform access data: authentication credentials, access logs, configuration preferences
  • Technical plant data: information on photovoltaic and wind energy systems (capacity, location, POD/PDR code, production and consumption data), where attributable to identifiable natural persons
  • Banking and billing data: IBAN, payment references, data required for contractual and tax management
  • Communications: content of emails, support requests, contact forms

3.2 Data collected automatically

  • Technical browsing data: IP address, browser type, operating system, pages visited, session duration, referral URL
  • Cookies and tracking technologies: as described in Section 8
  • R-Cloud application logs: actions performed on the platform, timestamps, session data

3.3 Data obtained from third-party sources

  • Public sources: Companies Register, ATECO classification, land registries
  • Institutional bodies: GSE (Gestore dei Servizi Energetici), Terna S.p.A., e-Distribuzione (Enel Distribuzione), ARERA, in the context of meter reading, incentive management and energy desk services
  • Commercial partners and resellers: with whom commercial agreements are in place and who refer potential clients

4. Purposes and Legal Bases for Processing

Personal data is processed exclusively for the purposes set out below, each based on a specific legal ground under Article 6 GDPR:

4.1 Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR)

  • Provision of R-Cloud platform services (smart meter reading, incentive management, Energy Desk)
  • Management of platform access and credentials for business users
  • Technical support and customer care
  • Issuance of commercial offers, contracts, invoices and payment management
  • Management of relationships with suppliers and partners

4.2 Compliance with legal obligations (Art. 6(1)(c) GDPR)

  • Tax, accounting and civil law obligations (Italian Presidential Decrees 633/1972 and 917/1986, Civil Code)
  • Anti-money laundering regulations (Legislative Decree No. 231/2007)
  • Obligations connected to energy sector regulations (ARERA resolutions, GSE regulations, RES incentive framework)
  • Responding to requests from judicial or administrative authorities

4.3 Legitimate interests of the Data Controller (Art. 6(1)(f) GDPR)

Following a balancing of interests pursuant to Recital 47 GDPR, the Data Controller processes data for:

  • Internal CRM management and client portfolio analysis to improve services
  • Fraud prevention and credit risk management
  • IT security of systems and the R-Cloud platform
  • Legal defence and protection of the Data Controller’s legal rights
  • Sending commercial communications about products and services similar to those already used (soft opt-in, Art. 130 Legislative Decree 196/2003)

4.4 Consent of the data subject (Art. 6(1)(a) GDPR)

  • Sending newsletters and marketing communications, including promotional offers, product updates and informational content on the energy sector (renewables, incentives, regulations)
  • Profiling activities to personalise the platform experience and commercial communications
  • Use of marketing cookies and advanced analytics (see Section 8)

Consent is always freely given, specific, informed and revocable at any time without prejudice to the lawfulness of processing carried out prior to withdrawal.

5. Processing for Marketing Purposes

5.1 Direct marketing to existing clients (soft opt-in)

In accordance with Article 130(4) of Legislative Decree No. 196/2003, Raptech S.r.l. may send commercial communications regarding products and services similar to those already purchased, to the email address provided at the time of contracting. The data subject may object at any time, free of charge, via the unsubscribe link included in every communication or by contacting the Data Controller.

5.2 Newsletter (with explicit consent)

The newsletter is sent exclusively to users who have expressly given their consent through a double opt-in procedure, in accordance with EDPB Guidelines 05/2019. Consent may be withdrawn at any time via the unsubscribe link in every email or by writing to info@raptech.it.

5.3 Profiling

Where the user has given specific consent, Raptech S.r.l. may carry out profiling activities to personalise commercial communications and R-Cloud platform features. The data subject has the right to object to profiling at any time (Art. 21 GDPR) and not to be subject to decisions based solely on automated processing that produce significant legal effects or similarly affect them (Art. 22 GDPR).

6. Recipients of Personal Data

Personal data may be disclosed to the following categories of recipients, strictly to the extent necessary for the purposes indicated:

6.1 Data Processors (Art. 28 GDPR)

  • Cloud infrastructure and hosting providers (e.g. Amazon Web Services EMEA SARL, based in the EU; Microsoft Azure): where transfers outside the EEA occur, these take place in compliance with Arts. 44-49 GDPR, through Standard Contractual Clauses adopted by the European Commission and, where applicable, on the basis of an Adequacy Decision
  • Software providers for CRM, helpdesk and operational management
  • Legal, tax and accounting consultancy firms
  • Banks and payment institutions for the management of financial transactions
  • Communication and marketing agencies for promotional activities (only with consent or legitimate interest)

6.2 Independent Data Controllers

  • Public authorities and supervisory bodies: Revenue Agency, INPS, Guardia di Finanza, Data Protection Authority, Judicial Authority, where required by law
  • GSE, Terna S.p.A., e-Distribuzione: in the context of the provision of energy and meter reading services, pursuant to the respective measurement contracts and applicable sector regulations
  • Commercial partners: exclusively within the limits of existing contractual relationships and with adequate safeguards

Raptech S.r.l. does not sell, transfer or disclose personal data to third parties for their own purposes without the explicit consent of the data subject.

7. Transfers of Data to Third Countries

Personal data is processed primarily within the European Economic Area (EEA). Where a transfer to third countries becomes necessary (for example, when using cloud services with servers located outside the EEA), Raptech S.r.l. ensures that such transfer takes place exclusively:

  • To countries recognised as adequate by the European Commission pursuant to Art. 45 GDPR
  • Where adequate safeguards exist pursuant to Art. 46 GDPR, in particular through Standard Contractual Clauses (SCCs) in the version approved by Commission Implementing Decision (EU) 2021/914
  • Subject to a Transfer Impact Assessment (TIA) where required by EDPB Guidelines 05/2021

Upon request, the Data Controller will provide a copy of the safeguards adopted for transfers outside the EEA.

8. Cookies and Tracking Technologies

The Raptech S.r.l. website uses cookies and similar technologies in compliance with the Italian Data Protection Authority’s Provision of 10 June 2021 (“Cookies and other tracking tools”) and EDPB Guidelines 05/2020 on consent.

8.1 Technical cookies (strictly necessary)

These do not require the user’s consent (Art. 122(1) of Legislative Decree No. 196/2003). They include:

  • Session cookies: necessary for the operation of the site and authentication on the R-Cloud platform
  • Preference cookies: store user settings (language, interface configuration)
  • Security cookies: protect against CSRF attacks and ensure session integrity

8.2 Analytical cookies

These require consent if they lead to profiling or cross-site tracking. If configured with IP anonymisation and without sharing with third parties, they may be treated as technical cookies. Raptech S.r.l. uses analytics tools (e.g. Google Analytics with IP anonymisation) to analyse website usage and improve performance.

8.3 Marketing and profiling cookies

These require the user’s explicit consent before installation. They may be used to display personalised advertisements, for retargeting and to measure the effectiveness of advertising campaigns. Consent is collected via a Cookie Banner compliant with the requirements of the Italian Data Protection Authority.

8.4 Cookie consent management

Upon first accessing the site, the user is shown a Cookie Banner which allows them to:

  • Accept all cookies
  • Reject all non-technical cookies
  • Customise preferences by category

Consent may be modified or withdrawn at any time via the “Cookie Settings” link in the website footer. For more details, please refer to our full Cookie Policy available on the website.

9. Data Retention

Personal data is retained for the time strictly necessary to fulfil the purposes for which it was collected, in compliance with the principles of data minimisation and storage limitation (Art. 5 GDPR):

Contractual and tax data 10 years from the end of the contractual relationship (tax and civil law obligations)
Browsing data and technical logs 12 months (unless required for investigations or disputes)
Marketing data (with consent) Until withdrawal of consent or a maximum of 24 months from the last interaction
Data for legal defence For the entire duration of proceedings and until prescription of rights
R-Cloud access data For the duration of the contract + 12 months for security purposes
Analytical cookies 13 months (in line with the Italian Data Protection Authority requirements)

Upon expiry of the retention periods, data is deleted or irreversibly anonymised.

10. Rights of Data Subjects

As a data subject, pursuant to Arts. 15-22 GDPR, you have the right to:

10.1 Right of access (Art. 15 GDPR)

Obtain confirmation as to whether personal data concerning you is being processed and, if so, access that data and obtain information on the purposes, categories of data, recipients and retention periods.

10.2 Right to rectification (Art. 16 GDPR)

Obtain the rectification of inaccurate or incomplete personal data concerning you.

10.3 Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

Obtain the erasure of your personal data in the cases provided for by law (e.g. data no longer necessary, withdrawal of consent, unlawful processing), unless legal obligations or overriding legitimate interests exist.

10.4 Right to restriction of processing (Art. 18 GDPR)

Obtain the restriction of processing of your data in the cases provided for (e.g. contestation of the accuracy of data, objection to processing pending verification).

10.5 Right to data portability (Art. 20 GDPR)

Receive your personal data in a structured, commonly used and machine-readable format, and transmit it to another controller, where processing is based on consent or a contract.

10.6 Right to object (Art. 21 GDPR)

Object at any time to the processing of your data based on the legitimate interest of the Data Controller or for direct marketing purposes (without any obligation to provide reasons in the latter case).

10.7 Right not to be subject to automated decision-making (Art. 22 GDPR)

Not be subject to decisions based solely on automated processing, including profiling, which produce significant legal effects or similarly affect you, except in the cases provided for by law.

10.8 Right to withdraw consent (Art. 7 GDPR)

Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of the rights listed above, the data subject may send a written request to:

  • Email: info@raptech.it
  • Post: Raptech S.r.l., Via Eleonora Duse 53, 00197 Rome (RM), Italy

The Data Controller will respond within 30 days of receiving the request, with a possible extension of a further 60 days in cases of particular complexity (Art. 12 GDPR). The response is free of charge, unless requests are manifestly unfounded or excessive.

The data subject also has the right to lodge a complaint with the competent supervisory authority:

  • Garante per la protezione dei dati personali (Italian Data Protection Authority) – www.garanteprivacy.it – Piazza Venezia 11, 00187 Rome, Italy

11. Data Security

Raptech S.r.l. implements appropriate technical and organisational measures to ensure a level of security proportionate to the risks of processing, pursuant to Art. 32 GDPR, including:

  • Encryption of data in transit (TLS 1.2/1.3) and at rest
  • Role-based access control (RBAC) for the R-Cloud platform
  • Two-factor authentication (2FA) for platform and internal tools access
  • Data Breach Management procedures compliant with Arts. 33-34 GDPR (notification to the supervisory authority within 72 hours; communication to data subjects in cases of high risk)
  • Periodic vulnerability assessments and penetration testing
  • Backup and disaster recovery procedures
  • Regular staff training on data protection

12. Mandatory or Optional Nature of Data Provision

The provision of personal data necessary for the performance of the contract and compliance with legal obligations is mandatory. Failure to provide such data may make it impossible to enter into or perform the contract and to provide the services.

The provision of data for marketing, profiling or newsletter purposes is optional and does not in any way condition access to Raptech S.r.l.’s services.

13. Changes to this Privacy Policy

Raptech S.r.l. reserves the right to amend this Privacy Policy at any time, in particular to comply with regulatory changes, new processing activities or guidance from supervisory authorities. Substantial changes will be communicated to data subjects via a notice on the website or, where necessary, by email. The updated version will always be available on the dedicated page of the website.

Date of last update: May 2025

Raptech S.r.l. | Via Eleonora Duse 53, 00197 Rome, Italy | info@raptech.it | +39 06 64496436 | www.raptech.it

Raptech srl

Via di Settebagni 390

00139 Rome (Italy)

VAT Number IT08392741008


Privacy Policy

Copyright © Raptech srl, Via di Settebagni 390, 00139 Rome (Italy)