PRIVACY POLICY

BCOM as the Data Controller(hereinafter, “BCOM” or “Data Controller”) pursuant to Regulation (EU) 2016/679 (hereinafter, “GDPR”), is committed to safeguarding the personal data of its website users. In accordance with Articles 13 and 14 of the GDPR, this Privacy Policy aims to inform users interacting with the website www.bcom.one (hereinafter, “Website”) about the purposes and methods by which personal data are processed, whether they simply browse the site or use the specific services provided. This Privacy Policy does not apply to other websites that users may access via links on this Website.

The processing of your personal data is governed by the principles of fairness, lawfulness, transparency, purpose limitation, storage limitation, data minimization, accuracy, integrity, and confidentiality, as well as the principle of accountability, as set out in Article 5 of the GDPR.
Processing of personal data refers to any operation or set of operations performed on personal data or sets of personal data, whether by automated means or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1. DATA CONTROLLER

The Data Controller is BCOM, which can be reached at info@bcom.one

2. PERSONAL DATA BEING PROCESSED

We inform you that the personal data processed through the Website mainly include identification and contact data (such as name, surname, e-mail address), information relating to your donations (such as amount, frequency and transaction reference) and technical data relating to your browsing of the Website (such as IP address and logs).
The personal data processed through the Website include the following:

a. Navigation data

Managing the Website involves the use of computer systems and software procedures that, during their normal operation, acquire certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects; however, by its very nature, it could, through processing and association with data held by third parties, allow users to be identified.
This information includes various parameters related to the user’s operating system and computer environment when connecting to the Website, such as the IP address, location (country), domain names of the computer, URI (Uniform Resource Identifier) addresses of requested resources, request timestamps, the method used to submit the requests to the server, the size of the file obtained in response, the numerical status code of the server’s response (e.g., success, error), and other technical parameters related to the user’s operating system and computer environment.
These data are used solely for obtaining anonymous statistical information about Website usage, verifying proper functionality, and identifying any malfunctions and/or misuse of the Website. Data are deleted after processing, unless required for identifying those responsible for potential cybercrimes against the Website or third parties.

b. Data voluntarily provided by the user

Without prejudice to any specific information available in other sections of the Website, this Privacy Policy also applies to the data you voluntarily provide in the Website forms, such as the “Contact Us” section. In this section, you may provide your personal data (e.g., name and surname), contact details (e.g., email address), along with your specific request, which may include additional personal data.

We invite you to share only the personal data strictly necessary to process your request, avoiding irrelevant information and/or information that may fall within the special categories of personal data under Article 9 of the GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person’s sex life or sexual orientation). If you provide non-relevant or unnecessary personal data, including documents and/or images, the Data Controller will not process such data and will ensure its immediate deletion.

c. Data processed for online services

Without prejudice to specific information available in the relevant sections of the Website, this Privacy Policy also applies to data voluntarily provided for online services, including:

  • Data processed in connection with donations:If you decide to make a donation through the Website, BCOM will process the personal data necessary to manage your donation and related activities.
    In particular, the personal data processed for this purpose may include your name, surname, e-mail address and other contact details, the amount, currency, date and time of the donation, a transaction reference or similar identifier, as well as any information you may provide in connection with the donation (for example, the project or initiative you wish to support).Payment card details and other payment credentials are collected and processed directly by the payment service provider (for example, Stripe) acting as an independent data controller. BCOM does not have access to, nor does it store, your full payment card details. BCOM only receives limited information relating to the payment (such as confirmation that the transaction has been completed, the amount and basic transaction metadata) for accounting and reconciliation purposes.For more information on how the payment service provider processes your personal data, please refer to its own privacy policy, which is accessible from the payment page.

d. Third-party data voluntarily provided by the user

The use of the Website’s services may involve the processing of personal data of third parties that you communicate to BCOM (e.g., data provided in the contact or in the donation form). In such cases, you act as an independent data controller, assuming all associated legal obligations and responsibilities. Accordingly, you hereby indemnify the Data Controller to the fullest extent with respect to any disputes, claims, or requests for compensation for damages arising from the processing of such data that may be brought by third parties due to your use of the Website’s services in violation of applicable data protection regulations.

If you provide or otherwise process third-party personal data while using the Website, you represent and warrant—assuming full liability—that such processing is lawful and, where required, based on the prior acquisition of the third party’s informed consent for the processing of their personal data.
e. Cookies and other tracking technologies
The Website only uses technical cookies, which are strictly necessary to ensure its proper functioning and to provide the services you explicitly request (for example, to allow page navigation and basic security features). No analytics, profiling or advertising cookies are used through the Website at this stage. Should BCOM decide to use additional categories of cookies in the future, this section will be updated and, where required, your prior consent will be collected through an appropriate cookie banner.

3. PURPOSE OF PROCESSING, LEGAL BASIS AND OBLIGATORY OR OPTIONAL NATURE OF PROCESSING

Your personal data will be processed with your consent, where necessary, for the following purposes:
a) To enable navigation of the Website, and the provision of all other services made available by the Data Controller (e.g., contact form, donation form, etc.), including the management of Website security.
b) To respond to specific requests made to the Data Controller.
c) To comply with legal obligations under applicable laws, regulations, or EU legislation, or to respond to requests from authorities.
d) To establish, exercise, or defend legal claims, both in and out of court.

For purposes under sections a) and b):
The legal basis is Article 6, paragraph 1, letter b) of the GDPR, as the processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract. Providing personal data for these purposes is optional, but failure to do so will prevent access to the requested services.
For purposes under section c)
The legal basis is Article 6, paragraph 1, letter c) of the GDPR, as processing is necessary to comply with legal obligations to which the Data Controller is subject.
For purposes under section d):
The legal basis is Article 6, paragraph 1, letter f) and Article 9, paragraph 2, letter f) of the GDPR, as processing is necessary to establish, exercise, or defend legal claims or whenever judicial authorities perform their functions.

4. RECIPIENTS OF PERSONAL DATA

For the purposes set out in section 3 of this Privacy Policy, your personal data may be shared with the following Recipients: Persons authorized by the Data Controller: Individuals authorized to process personal data pursuant to Article 29 of the GDPR (e.g., staff in sales, administration, accounting, after-sales service, CRM, information systems management, etc.). Third parties acting as data processors: Entities that provide services (e.g., technology services, accounting, administrative, legal, tax, and financial assistance and consulting, hosting providers, technical maintenance services, marketing and communication services, transport services, etc.) and typically act as data processors pursuant to Article 28 of the GDPR. The Data Controller maintains an up-to-date list of appointed data processors and ensures that data subjects can access it by visiting the offices indicated in this Privacy Policy or by submitting a written request to the contact details provided in paragraph 1. Third parties such as payment service providers that process payment transactions as independent data controllers, directly collecting your payment credentials and providing BCOM only with information necessary to confirm and reconcile the donation. Public authorities and legal entities: Entities, bodies, or authorities to whom personal data must be disclosed pursuant to legal obligations or official orders from competent authorities.

5. TRANSFERS OF PERSONAL DATA

The personal data provided through the Website will be processed and stored in the Data Controller’s information systems, with servers located within the European Economic Area (EEA).
However, some of your personal data may be shared with Recipients located outside the EEA. In such cases, the transfer will be carried out in compliance with the conditions set out in Articles 44-49 of the GDPR, such as the adoption of Standard Contractual Clauses (SCCs) approved by the European Commission, the selection of entities adhering to international frameworks for the free flow of data, or the transfer to countries deemed adequate by the European Commission in accordance with the Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board (EDPB).
Further details regarding data transfers outside the EEA can be obtained by submitting a written request to the Data Controller using the contact details provided in paragraph 1 of this Privacy Policy.

6. STORAGE OF PERSONAL DATA

Your personal data will be collected and stored in accordance with the principles of minimization and storage limitation as outlined in Article 5(1)(c) and (e) of the GDPR. Necessary security measures are implemented to prevent data loss, unlawful or improper use, and unauthorized access.
The personal data processed for the purposes referred to in sections a) and b) of paragraph 3 of this Privacy Policy will be retained for the period strictly necessary to achieve these purposes, namely the time required to perform the contract or provide legal or contractual guarantees, in compliance with the retention periods established by applicable laws.
In general, the Data Controller reserves the right to retain your data for the time necessary to comply with regulatory obligations or to address potential legal claims. Specific security measures are in place to prevent data loss, unlawful or improper use, and unauthorized access.
Further information regarding the data retention period and the criteria used to determine this period may be requested by submitting a written request to the Data Controller using the contact details provided in paragraph 1 of this Privacy Policy.

7. RIGHTS OF THE DATA SUBJECT

You, as the data subject, may exercise your rights and/or request information regarding the processing of your personal data by contacting the Data Controller using the contact details provided in section 1 of this Privacy Policy. To facilitate the process, it is recommended to include “Request to exercise privacy rights” in the subject line of your communication.
Specifically, you may exercise the following rights at any time:

  • Right to withdraw consent (Art. 7 GDPR): You have the right to withdraw any consent given at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
  • Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not your personal data are being processed and to receive detailed information regarding such processing.
  • Right to rectification (Art. 16 GDPR): You have the right to request the rectification of incomplete or inaccurate personal data. However, it should be noted that for personal data collected through audio or video recording systems, the right to rectification cannot be exercised due to the intrinsic nature of the data, which pertain to objective and determined facts.
  • Right to erasure (Art. 17 GDPR): In certain circumstances, you have the right to request the deletion of your personal data from our records.
  • Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you have the right to request the restriction of the processing of your personal data.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request their transfer to another data controller.
  • Right to object (Art. 21 GDPR):
    • You may object to the processing of your personal data, providing reasons related to your specific situation. The Data Controller reserves the right to evaluate your request and may reject it if there are compelling legitimate grounds for processing that override your interests, rights, and freedoms.
    • You have the right to object, at any time and without providing justification, to the processing of your personal data for commercial, promotional, or direct marketing purposes, including profiling related to such marketing activities. You may partially exercise this right, for example, by objecting only to the use of automated means for promotional communications.
    • You also have the right to object to profiling at any time and without justification.
  • Right to lodge a complaint with the Supervisory Authority (Art. 77 GDPR): If you believe the processing of your personal data violates data protection regulations, you may lodge a complaint with the Supervisory Authority of the Member State where you reside, work, or where the alleged violation occurred.
  • Right to take legal action (Art. 79 GDPR): You have the right to seek judicial remedies if you believe your rights under the GDPR have been violated.

8. MODIFICATIONS

The Data Controller reserves the right to modify or update the content of this Privacy Policy, in whole or in part, including in response to changes in applicable legislation. For this reason, the Data Controller encourages you to regularly consult this section to stay informed about the most recent and updated version of the Privacy Policy.