Privacy Policy

Through this privacy policy drafted pursuant to Art.13 European Reg. No. 679/2016 (“Regulations” or “GDPR”) and in compliance with the principles contained therein, Namirial S.p.A. intends to inform each user (“the User”) of the processing of personal data collected through its websites and platforms (including the platform for the eSignAnyWhere service).

In the event of using the eSignAnyWhere service for managing electronic signature workflows, for activities strictly related to the signing process (e.g., sending and signing envelopes), the Data Controller is the entity that uses the Platform to collect the signatures, while Namirial acts as the Data Processor pursuant to Article 28 of the GDPR.

For activities such as account creation/management, billing, support, security, and platform logging, Namirial operates as the Data Controller, in accordance with this privacy notice.

DATA CONTROLLER

The Data Controller is Namirial S.p.A. (hereinafter “Data Controller” or “Namirial”) with registered office in via Caduti sul Lavoro, 4 – 60019 Senigallia (AN), P.IVA IT02046570426.

The Data Protection Officer (DPO) can be reached at the following email address: dpo@namirial. com – (PEC) dpo.namirial@sicurezzapostale.it

TYPES OF DATA COLLECTED

As part of the activities carried out by the User on on websites and/or platforms of the Data Controller, Namirial may process the following categories of personal data, depending on the purposes:

  • Biographical data (first name, last name, social security number, gender, date of birth, place of birth, nationality);
  • Details and copy of your ID;
  • Address data (residence and/or domicile);
  • Contact information (telephone number and e-mail address);
  • Browsing data (IP, connection data, domain names, and other parameters related to the operating system and browser you use);
  • Additional data voluntarily provided by the User.

In the event of using the eSignAnyWhere service:

  • Personal and contact data of senders and signers;
  • Metadata of the cases/envelopes (e.g., envelope ID, documents, roles, and signing order);
  • Process logs (e.g., sending, opening, results, timestamps, IP address, user agent);
  • Credentials/authentication data (e.g., OTP via SMS/email, where applicable);
  • Any billing/account data.

METHODS OF PROCESSING AND ACCESS TO DATA

Namirial processes personal data in accordance with the principles of the Regulations by virtue of its legitimate interests related to the type of activity carried out and the need to execute existing contracts or pre-contractual measures requested by the data subjects.

The processing is carried out using automated and/or manual computer and telematic tools designed to guarantee the appropriate security measures to prevent access, disclosure, loss, incorrect, illegal or unauthorized use of the data.

The data are processed for the time necessary to carry out the service requested by the User, or required by the purposes described in this document, and the User can always request the interruption of the Processing or the deletion of the data. The data are accessible only by appointees, adequately trained and informed about their duties and the activities allowed to them on the collected data, who work on behalf of Namirial and who are recipients of instructions and tasks given by the Data Controller.

PLACE OF DATA PROCESSING

Personal data is processed at the Controller’s premises, as well as in the servers that host the website. Personal data is stored in servers located in the EU and will not be transferred outside the EU under any circumstances. The Data Controller ensures that when using cloud providers established outside the European Economic Area, the processing of personal data by these recipients is carried out in accordance with the principles of the GDPR. Transfers are made by means of appropriate safeguards, such as adequacy decisions, standard contractual clauses approved by the European Commission, or other safeguards required by the GDPR.

PURPOSE OF PROCESSING THE COLLECTED DATA

We will process your personal data for the following purposes:

  1. Conclusion of contract or execution of pre-contractual measures: the legal basis for this purpose is Article 6(1) b of the GDPR – Contract;
  2. Management and response to requests for technical and commercial assistance, including online: the legal basis for this purpose is Article 6(1) b of the GDPR – Contract;
  3. Fulfilment of national or EU legal, regulatory obligations: the legal basis for this purpose is Art. 6(1) c of the GDPR – Legal Obligation;
  4. Sending emails with informational content about services similar to those already purchased: the legal basis for this purpose is Article 6(1) f of the GDPR – Legitimate interest of the Data Controller;
  5. Statistical, business and market analysis, carried out in an absolutely anonymous and aggregated form: the legal basis for this purpose is Article 6(1) f of the GDPR – Legitimate interest of the Data Controller;
  6. To improve the website by analyzing how visitors or Users navigate and/or use the website: the legal basis for this purpose is Article 6(1) f of the GDPR – Legitimate interest of the Data Controller;
  7. Judicial protection of Namirial rights: the legal basis for this purpose is Article 6(1) f of the GDPR – Legitimate interest of the Data Controller;

And for the following purposes only if you have expressly given consent:

  1. Promotional and marketing activities of the Data Controller: the legal basis for this purpose is Article 6(1)(a) of the GDPR – Consent.

In the event of using the eSignAnyWhere service:

  1. Provision of the signing service, account management and submissions, technical support; the legal basis for this purpose is Article 6(1)(b) of the GDPR – Contract;
  2. Fulfilment of regulatory, fiscal, and archiving obligations, where applicable; the legal basis for this purpose is Article 6(1)(c) of the GDPR – Legal obligation;
  3. Platform security and abuse prevention, judicial protection of rights, and aggregated technical analyses for service improvement; the legal basis for this purpose is Article 6(1)(f) of the GDPR – Legitimate interest of the Data Controller

PROVISION OF DATA

The provision of the data referred to in points a), b), c), g), as well as i) and j) in the case of use of the eSignAnyWhere service, is mandatory in order to allow the conclusion of the contract or the provision of the requested services and performances.

The provision of the data referred to in the other points is optional: you may, at any time, ask the Data Controller to stop the processing activities without this having any consequence on the services provided to you.

SCOPE OF COMMUNICATION AND POSSIBLE DISSEMINATION

The personal data processed may be disclosed to third parties appointed as external data processors (the complete list is available from the Data Controller), business consultants for administrative and accounting purposes, as well as legal consultants for possible litigation management.

The data of clients and Users may be disclosed to public administrations or public service providers when submitting applications to participate in procedures for the selection of a contractor, for the purpose of awarding contracts or concessions for the supply of goods or services, in accordance with public procurement regulations, for technical qualification purposes.

The data may also be disclosed to law enforcement bodies or judicial authorities for the purposes of identifying or prosecuting crimes committed by users of telematic services, where necessary.

Furthermore, we inform you that the data may also be processed, within the limits of the purposes described in this notice, by third parties (such as companies controlled by and/or affiliated with Namirial S.p.A.) formally appointed by Namirial as external data processors or sub-processors.

The data may be communicated to private entities or public administrations, including those outside the European Union, acting in their legitimate interest and exercising a right expressly granted to them by the specific applicable legislation, requesting verification of the identity of the Data Controller of the service provided by Namirial for investigative purposes or otherwise for the protection of their own legitimate interest.

The data may be communicated to clients using the eSignAnyWhere service (limited to processing for which they act as Data Controllers), to suppliers appointed as Processors or Sub-processors for infrastructure, support, and maintenance services, as well as to competent authorities where required by law.

The data are not disseminated, except for data of companies and enterprises used for business reference purposes.

STORAGE AND DELETION OF PERSONAL DATA

Namirial will retain the data of the data subjects in a form that allows their identification for a period no longer than necessary to achieve the purposes for which the data were collected.

In any case, the user profile – including the account related to the eSignAnyWhere service – will be deactivated, and all personal data will be deleted after 18 (eighteen) months of non-use of the service.

Data strictly necessary for fiscal and accounting obligations, once the purpose for which they were collected has ceased, will be retained for a period of 10 (ten) years, as required by the applicable regulations.

Technical logs will be stored for the time strictly necessary for security purposes, within the limits established by current legislation.

Data acquired through the use of the signature verification service (available at https://www.verificafirma.it ) will be processed exclusively to achieve the purposes for which they were collected and will not be stored.

Data collected for marketing purposes will be retained until the consent is revoked by the data subject.

After these periods, Namirial will proceed with the deletion of the data of the data subjects.

EXERCISE OF RIGHTS BY USERS

The User may exercise all rights under Articles 15-21 of the GDPR at any time and without unjustified restriction by contacting the Controller at dpo@namirial.com.

Requests are filed free of charge and processed by the Controller within 30 days.In particular, the data subject may:

  • Obtain confirmation that treatment is in progress (Art.15);
  • Obtain rectification of inaccurate or incomplete data (Art. 16);
  • Obtain deletion of data without undue delay (Art. 17);
  • Restrict processing to only part of personal data (Art. 18);
  • Receive copies of personal data held by the Data Controller in a commonly used, machine-readable format; obtain unimpeded transfer to another Data Controller (Art. 20);
  • Object at any time to the processing of personal data. (Art. 21);

With regard to the purposes of processing that are based on consent, revoke it at any time. The data subject also has the right, pursuant to Article 77 of Regulation (EU) 2016/679, to lodge a complaint with the Data Protection Authority.

CHANGES TO THIS PRIVACY POLICY

The Data Controller reserves the right to modify and update the following Privacy Policy as a result of any new provisions of national or European data protection laws.

Last update: 16/10/2025