
General Privacy Policy

Effective from May 2, 2026

Who we are

If you are reading this General Privacy Policy (“Policy”), it means you have in some way come into contact with Quattrolinee S.r.l. (C.so Vittorio Emanuele II, 25, 10125 Turin, VAT no. 12671260011, “Quattrolinee”), Codesome S.r.l. Società Benefit (C.so Vittorio Emanuele II, 25, 10125 Turin, VAT no. 13060130013, “Codesome”) and/or the Associazione Print Club Torino (Via A. da Montefeltro, 2, Toolbox Coworking, 10134 Turin, VAT no. 11513430014, “Print Club Torino”) (collectively Quattrolinee, Codesome and Print Club Torino are the “Joint Controllers”, “we”, “us”, “our”).

This Policy is intended to help you better understand how we process your data, for what purposes, and how you can control your information. To make it easier to read, we have divided our processing activities based on how you interact with us (e.g. Visitor, Client, Supplier) and on our role (when we act collectively as Joint Controllers or when we act individually as independent Data Controllers).

At the end of this document, you will also find Definitions that explain the capitalized terms in more detail. For any questions, you can contact our DPO at dpo@quattrolinee.it.

What data we collect and process

The types of Personal Data we collect depend on how you interact with us. The following categories may be provided directly by you or by third parties:


  • Identification Data: any data that identifies you, such as your first name, last name, tax code, VAT number, SDI code, details of an identity document, and your account data (e.g. username).

  • Contact Data: any information that allows us to contact you, such as physical address, email, phone number, and social media accounts. This category also includes IDs shared by social media platforms (e.g. Meta, Google, LinkedIn, TikTok) that allow us to show you our ads. Social media platforms act as Joint Controllers with us when we use their commercial targeting services.

  • Submitted Data: any information you enter into our Forms, including data provided for account registration/subscription, quote requests, or the provision of Services.

  • Images: images or videos that include you when you participate in our Events or visit our premises.

  • Access Data: information on your attendance at a specific Event, including through Images or via completion of attendance Forms.

  • Device Data: your IP address, date, time and requested URL, Unique Identifiers, and other information such as browser or device type, the website you came from, content viewed, and any actions taken on our Pages. This information is collected through Cookies and other tracking technologies. You can find the full list of Cookies at the bottom of the page and in the privacy settings of our Pages.

  • Payment Data: certain payment details (e.g. IBAN) provided for invoicing Services. Any credit/debit card data is processed only by payment gateways (e.g. Stripe/PayPal) or banking institutions acting as independent Data Controllers.

  • Inferred Data: information based on your online and offline interactions with our Forms, Services, or Events (e.g. interest in specific design, development, or printing services). When you contact us via email or phone, we will collect and retain a record of your contact details, your communications, and our responses, allowing us to generate inferred data through Combination and/or Cross-referencing.

  • Third-Party Data: any Identification Data, Contact Data, or Submitted Data relating to someone other than you (e.g. referrals, partners, collaborators) that we may process in order to provide our Services. If you provide third-party data, you are responsible for having obtained authorization to share it or another valid legal basis, and you agree to indemnify us against any claims arising from the processing of such Personal Data in violation of applicable privacy laws.

  • Shared Data: any contact information shared by Business Partners (e.g. social media platforms, co-branding companies) to whom we request to send or display our ads. These micro-targeting and/or retargeting activities generally do not involve direct collection of Personal Data by us. They typically allow us to obtain Aggregated Data on the effectiveness of such ads. In compliance with European legislation, Joint Controllers and Business Partners make every reasonable effort to verify the lawfulness of the data before its use. You can request more information by writing to dpo@quattrolinee.it.

  • Public Data: publicly available data that we use to confirm or enrich information about Clients and Suppliers, collected and used in accordance with the Code for commercial information published by the Data Protection Authority.


The way you interact with us determines the types of data we collect and the purposes for which we process them, as indicated in the tables below. You are not required to provide any data, but failure to do so when requested, or providing incorrect data, may impact some or all of our purposes and Services.

Visitor

If you visit our Pages or our physical spaces (labs, events, workshops, courses, exhibitions, festivals, team building), we process your data as outlined below.

By the entity that manages the Page or organizes the event, acting as an independent Data Controller:

| Purpose | Data | Legal Basis | Fully automated means | Retention Period | Recipients |
|---|---|---|---|---|---|
| Respond to your requests through Forms, email, or phone; organization and management of the Event (registration, access, logistics) | Identification Data, Contact Data, Submitted Data | Your request | No | Completion of your request | Staff, Processors, Authorities |
| Analyze and improve our Pages and develop new Services and features | Submitted Data, Aggregated Data, Inferred Data, Device Data | Our legitimate interest in creating and maintaining relevant and secure Pages and Services | No | 1 year for Personal Data; 2 years for Aggregated Data | Staff, Processors |
| Photographic and video documentation of Events and distribution across channels | Images | Consent | No | Until consent is withdrawn; up to 5 years from publication | Staff, Processors |

As Joint Controllers:

| Purpose | Data | Legal Basis | Fully automated means | Retention Period | Recipients |
|---|---|---|---|---|---|
| Send marketing communications via email or SMS about the Joint Controllers’ Services and/or Events | Identification Data, Contact Data, Shared Data, Aggregated Data | Consent | No | 2 years or until consent is withdrawn | Staff, Processors, Business Partners |
| Personalize marketing communications, including content that may be relevant to you | Identification Data, Submitted Data, Aggregated Data, Inferred Data, Device Data | Consent | No | 1 year or until consent is withdrawn | Staff, Processors, Business Partners |
| Carry out retargeting on social media and other Programmatic Advertising platforms (e.g. Google) | Contact Data, Device Data, Inferred Data, Shared Data | Consent | Yes | 1 year or until consent is withdrawn | Staff, Processors, Business Partners |

If you have visited our Pages for a job opening or a spontaneous application, please refer to the Candidates Privacy Policy.

Clients

If you have entered into a contract with one or more of the Joint Controllers for the provision of Services (design, software development, printing, event organization), you are considered a Client (legal entity), and we process the personal data of your contact persons/representatives as outlined below.

By the entity that proposed or signed the contract, acting as an independent Data Controller:

| Purpose | Data | Legal Basis | Fully automated means | Retention Period | Recipients |
|---|---|---|---|---|---|
| Pre-contractual and negotiation activities (quotes, proposals) | Identification Data, Contact Data, Inferred Data, Submitted Data, Public Data | Your request | No | Completion of your request | Staff, Processors, Authorities |
| Performance of the contract: provision of Services, relationship management, support | Identification Data, Contact Data, Submitted Data, Payment Data | Our legitimate interest in creating and maintaining relevant and secure Pages and Services | No | 1 year for Personal Data; 2 years for Aggregated Data | Staff, Processors |
| Invoicing and tax communications | Identification Data, Payment Data | Consent | No | As required by applicable law | Staff, Processors |
| Improve our Services and develop new ones | Submitted Data, Inferred Data, Aggregated Data | Consent | No | Until consent is withdrawn; up to 5 years from publication | Staff, Processors |
| Legal protection and dispute management | Identification Data, Contact Data, Submitted Data, Payment Data | Consent | No | Until consent is withdrawn; up to 5 years from publication | Staff, Processors |

As Joint Controllers:

| Purpose | Data | Legal Basis | Fully automated means | Retention Period | Recipients |
|---|---|---|---|---|---|
| Send marketing communications via email or SMS about the Joint Controllers’ Services and/or Events | Identification Data, Contact Data, Shared Data, Aggregated Data | Consent | No | 2 years or until consent is withdrawn | Staff, Processors, Business Partners |
| Personalize marketing communications, including content that may be relevant to you | Identification Data, Submitted Data, Aggregated Data, Inferred Data, Device Data | Consent | No | 1 year or until consent is withdrawn | Staff, Processors, Business Partners |
| Carry out retargeting on social media and other Programmatic Advertising platforms (e.g. Google) | Contact Data, Device Data, Inferred Data, Shared Data | Consent | Yes | 1 year or until consent is withdrawn | Staff, Processors, Business Partners |

If the subscribed Services involve the processing of Personal Data for which the Client acts as Data Controller, such processing is governed by our Data Processing Agreement (“DPA”) signed between the parties.

Suppliers

If you are a Supplier who is a natural person (freelancer, consultant) or a contact/representative of a Supplier (legal entity) to whom we entrust certain activities on our behalf or on behalf of our Clients, we process your data as outlined below.


Acting as an independent Data Controller:

| Purpose | Data | Legal Basis | Fully automated means | Retention Period | Recipients |
|---|---|---|---|---|---|
| Pre-contractual and negotiation activities | Identification Data, Contact Data, Inferred Data, Submitted Data, Public Data | Legitimate interest in establishing a relationship with the Supplier | No | 10 years | Staff and Processors |
| Contract relationship management: performance of the contract, orders, payments | Identification Data, Contact Data, Submitted Data, Payment Data | Contract and legal obligations | No | 10 years from termination of the relationship (art. 2220 c.c.) | Staff, Processors and Authorities |
| Invoicing and tax communications | Identification Data, Payment Data | Legal obligations | No | 10 years from issuance | Staff, Processors and Authorities |
| Improve our Services and develop new ones | Submitted Data, Inferred Data, Aggregated Data | Legitimate interest | No | 1 year | Staff and Processors |

As Joint Controllers:

| Purpose | Data | Legal Basis | Fully automated means | Retention Period | Recipients |
|---|---|---|---|---|---|
| Present the Supplier’s services/products to the Joint Controllers in order to carry out group offers or comparisons | Identification Data, Contact Data, Public Data, Payment Data | Legitimate interest in creating useful Services for the Joint Controllers and commercial opportunities for the Supplier | No | 10 years unless objected | Staff and Processors |

Regardless of whether you are a Visitor, Client, or Supplier, we process the data you provide as required by applicable laws and regulations. In addition, we process your data to prevent conduct or activities that are contrary to our contractual terms, as well as fraudulent and illegal activities that may affect you, us, or the Services. These processing activities are based on legal obligations and our legitimate interest. Except for the retention periods described in the tables above or those required by law, we may process your data for these purposes for a period not exceeding 10 years (art. 2946 c.c.).

Where your data is stored

Your data may be stored, accessed, used, processed, and disclosed outside your jurisdiction, including within the European Union, the United States of America, or any other country where our Processors and sub-Processors are located, or where their servers or cloud computing infrastructures may be hosted.


We take steps to ensure that the processing of your data by our Recipients complies with applicable data protection laws, including the Italian laws to which we are subject. Where required by Italian and/or European Union law, transfers of your data to Recipients outside the European Union will be subject to appropriate safeguards (such as the European Union’s standard contractual clauses) and/or other legal bases in accordance with European Union legislation. For more information on the safeguards we have implemented, you can write to: dpo@quattrolinee.it.

How you can control your data and your choices

Depending on how you have interacted with us, you may request at any time to:


  • Access your Personal Data: we will provide the data we hold about you, such as identification data, contact data, and any other information relating to you.

  • Exercise your right to data portability: we will provide you with an interoperable file so that you can easily transfer your data to another Data Controller.

  • Correct your Personal Data: for example, you may ask us to update your email address or phone number.

  • Restrict the processing of your Personal Data: for example, when you believe that the processing of your data is not compliant with the law.

  • Delete your Personal Data: for example, when you no longer want your data to be processed for purposes for which it is no longer necessary.

  • Update your preferences for processing based on your consent or legitimate interest: you may, among other things:

    • Withdraw your consent for the purposes for which it was collected;

    • Unsubscribe from marketing communications by clicking “unsubscribe” in our emails;

    • Object to processing based on legitimate interest.

  • Contact the competent Supervisory Authority (Italian Data Protection Authority – www.garanteprivacy.it).


In accordance with applicable data protection laws, we will respond to your request within one month of receipt (extendable by a further two months in cases of particular complexity). Please note that some of your rights may not be available or may be subject to restrictions where permitted by applicable law.


You may exercise any of the above rights:

  • by writing to our DPO (dpo@quattrolinee.it)

  • by sending a written communication to Quattrolinee S.r.l., C.so Vittorio Emanuele II, 25 – 10125 Turin, for the attention of the DPO.


You also retain the right to exercise your rights against each Joint Controller, regardless of the designation of a single contact point (art. 26, para. 3, GDPR), from whom you may also request the essential content of the joint controllership arrangement.

What is not covered by this Policy

This Policy explains and covers the processing activities we carry out as Joint Controllers and as independent Data Controllers, as described above.


The Policy does not cover processing carried out by entities other than those identified here as Joint Controllers, and in particular does not cover processing carried out by our Business Partners, Clients, and Suppliers acting as independent Data Controllers, including processing carried out by social media platforms within our Pages. In this regard, we do not assume any responsibility for the processing of your data not covered by this Policy.

Changes to this Policy

This Policy comes into effect on the date indicated at the beginning of the document. We reserve the right to modify or update this Policy, in whole or in part, at our discretion or as a result of changes in applicable laws. We will inform you of any material changes through your contact details or by notice on our Pages.

Definitions

Aggregated Data: statistical information that does not contain Personal Data, used for analysis, service improvement, and internal reporting.


Authority: refers to any government, whether supranational, federal, state, or local, any statutory, administrative, or regulatory body, any court, any agency, including law enforcement authorities, or any other authority whose regulations, orders, or rulings are binding on us and require us to disclose your Personal Data.


Browser: refers to programs used to access the Internet (e.g. Safari, Chrome, Firefox).


Business Partners: third-party entities with which we carry out joint marketing activities, including social media platforms and selected partners.


Client: the legal entity that has entered into a contract with one or more of the Joint Controllers for the provision of Services.


Combination and/or Cross-referencing: the set of operations, both automated and non-automated, that we use to create Inferred Data. We may combine and/or cross-reference information from different sources.


Cookies: a small text file downloaded onto your Device when you access our Pages, which allows the Device to be recognized and stores information about your preferences or past actions. Cookie management is handled by the Iubenda platform under the responsibility of the Joint Controllers.


Device: the electronic device (e.g. smartphone, computer) that you use to visit our Pages or access our Services.


DPO (Data Protection Officer): the Data Protection Officer appointed by the Joint Controllers, Avv. Nicola Franchetto, reachable at dpo@quattrolinee.it.


Events: any physical or digital event organized or managed by one or more of the Joint Controllers, including workshops, courses, exhibitions, festivals, and team-building activities.


Form: any form through which we may directly collect your data (e.g. contact forms, event registrations, quote requests).


Independent Data Controller: each of the Joint Controllers when processing Personal Data for its own contractual, administrative, accounting, and tax purposes, or a third party that processes your Personal Data for its own purposes.


IP Address: a unique number used by your Browser or Device to connect to the Internet, which allows identification of the internet service provider and/or the approximate geographic area in which you are located.


Joint Controllers: Quattrolinee S.r.l., Codesome S.r.l. Società Benefit, and Associazione Print Club Torino, as indicated in the “Who we are” section.


Other tracking technologies: pixel tags (trackers used in conjunction with Cookies and embedded in web page images to track certain activities, such as content views or email reads) or Unique Identifiers embedded in links within promotional communications.


Pages: includes the websites of the Joint Controllers (quattrolinee.it, codesome.it, printclubtorino.it) and their respective social media pages.


Personal Data: any information relating to an identified or identifiable natural person, directly or indirectly. For example, an email address, IP addresses, and Unique Identifiers are considered Personal Data.


Processors: entities that process Personal Data on behalf of the Joint Controllers based on written instructions. You may request the updated list by writing to dpo@quattrolinee.it.


Programmatic Advertising: platforms that share information collected about you with entities that display personalized content, based on your prior consent provided through the cookie banner.


Services: collectively, all services offered by the Joint Controllers: design, branding, communication (Quattrolinee); software development, web and mobile platforms, data & analytics, automation (Codesome); fine art printing, courses, workshops, organization of cultural events (Print Club Torino).


Staff: employees and collaborators of the Joint Controllers who are bound by confidentiality obligations and comply with specific rules regarding the processing of Personal Data, including system administrators.


Supplier: a natural or legal person who provides goods or services to one or more of the Joint Controllers.


Unique Identifiers: information that can uniquely identify you through your Browser and your Device. On the Browser, IP Address and Cookies are considered Unique Identifiers.


Visitor: a natural person who visits our Pages (digital visitor) or our spaces and events (physical visitor).

Get in Touch

Corso Vittorio Emanuele II, 25
10125 Torino

© 2026 Codesome S.B.

P.IVA 13060130013
