NUGOLO S.a.s. di Luca Parolin & C.
Registered office: Via Roma, 16 — 10040 Rivalta di Torino (TO), Italy · Operational office: Via Tirreno, 15 — 10143 Torino (TO), Italy
Preamble
Please read this document carefully before accessing Nugolo services via computer or mobile application (App).
This document constitutes the "PRIVACY POLICY", designed and prepared pursuant to and in implementation of the current EU and Italian regulations concerning the protection of personal data of individuals, in particular:
- EU Regulation No. 679 of 27 April 2016 (GDPR) on the processing and free movement of personal data
Registration with Nugolo and, in any case, the beginning of the use of its services by the USER of Nugolo signifies and proves for all purposes that the USER:
- has granted consent to the processing of personal data
- has read and accepted this document and all statements, communications and conditions contained herein, as well as the appointment of Nugolo as Data Processor in the cases and within the limits indicated in Article 11 of this document
- has read and accepted the Terms and Conditions between the USER and Nugolo
Value of the preamble
The preamble forms an integral part of this document.
Granting of consent to the processing of personal data
Registration with Nugolo and, in any case, the beginning of the use of its services attest to the granting by the USER of consent to the processing of personal data that the USER has entered and/or will enter into the Nugolo software for the use of the services.
In order for the consent so granted to be correctly informed, the following articles provide information concerning the methods by which Nugolo carries out the processing and the specific obligations placed on Nugolo and also on the USER regarding data protection.
Processing of personal data by Nugolo
The USER's personal data will be processed by NUGOLO S.a.s. di Luca Parolin, with registered office in Via Roma n. 16, Rivalta di Torino 10040 TO, Italy, email info@nugolo.it; Phone +39 011 3017164 — Mobile +39 334 6599191.
The USER's personal data will be specifically processed by the owner of Nugolo and by personnel authorized by them, trained and trustworthy, appropriately and legally accountable, equipped with specific and confidential authentication credentials, and in any case contractually bound to special obligations of confidentiality and secrecy.
Processing takes place in compliance with the criteria and obligations of confidentiality and protection of personal data provided for by EU and Italian regulations. Nugolo has established the obligation for its administrators and employees to hold periodic meetings on the subject of confidentiality and on the verification of the correct functioning of the internal procedures used for the processing and protection of personal data.
The servers used by Nugolo are currently located in the Data Center of Amazon Web Services Inc., a well-known leading European cloud solutions provider chosen by over 1 million customers. Nugolo reserves the right to change this provider in the future with another one that provides the same quality and security characteristics.
Nugolo uses the HTTPS security protocol for data transfer, performs a complete backup every 24 hours, and uses the following security measures:
- Product developed in-house for complete control over the data and information management process
- Backups are stored in systems separate from production servers with a retention period of 30 days
- All AWS (Amazon Web Services) services are GDPR-compliant even before its implementation into our legal system
Source of the User's personal data
The personal data provided by the USER are collected by Nugolo directly from the USER, who enters them independently in the appropriate fields provided in the web and mobile forms.
Purposes of processing personal data
Nugolo processes the personal data entered by the USER for the following purposes:
- Execution of the contract between Nugolo and the USER
- Document management connected to the correct execution of Nugolo services purchased by the USER (management of the document archiving system in the USER's archives, reporting, document sharing system with third parties indicated and/or chosen by the USER, etc.)
- Contacts and correspondence between Nugolo and the USER
- Correct maintenance of Nugolo services
- Internal administrative and accounting management of the USER's personal data by Nugolo
- Fulfillment of obligations provided for by law or regulations
- Fulfillments provided by administrative measures or orders of the competent Authorities
- Uses falling within the Legitimate Interest of Nugolo as defined in Article 6 of the GDPR
Processing methods and duration of processing
In relation to the purposes described in the preceding article, the processing of personal data takes place through manual, paper, computerized and telematic tools with logic strictly related to the purposes highlighted above and, in any case, such as to guarantee the security and confidentiality of the personal data themselves.
The processing of the data indicated by the USER may continue until the USER's account has been deleted pursuant to Article 10 of the CONTRACT, provided that the retention of the same data is no longer necessary for Nugolo in order to prove a credit or legal situation that remained unpaid or unresolved with respect to the same USER.
Categories of data subject to processing
In relation to the purposes described in the previous Article 5, Nugolo processes personal data of the USER other than "sensitive" data as referred to in Articles 9 and 10 of the GDPR (e.g., among others, data capable of uniquely linking the name of a person to genetic or health data, religious beliefs, criminal convictions, etc.).
Categories of subjects to whom data may be disclosed
In order to pursue the purposes described above, Nugolo needs to communicate the personal data entered by the USER to third parties, who carry out activities of transmission, enveloping, transport and sorting of communications with the USER and between the USER and third parties indicated by the USER in the data-sending and communications or sharing functions provided for in Nugolo services.
The personal data entered by the USER may also be made known to the Competent Authorities in the event of an order from them. The data processed by Nugolo is not subject to any other dissemination.
USER's rights regarding personal data
In implementation of the principles inherent in the protection of confidentiality, the USER may exercise, within the limits imposed by the criteria of reasonableness and common sense and by technical possibilities, the following rights:
- May request confirmation of the existence or not of data concerning them and in any case of data entered by them
- May request information about the purposes and methods of processing as well as the logic applied in case of processing carried out with the aid of automated electronic tools
- May request information about the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them
- May request the erasure and/or blocking of personal data processed in violation of the law
- May request, through an express written request sent to Nugolo, the erasure of data entered by them in cases where they cannot do so autonomously
- May request the updating, rectification or, when they have an interest, the integration of personal data in cases where they cannot do so autonomously
- May object, for legitimate and relevant reasons, to the processing of personal data concerning them that exceeds the processing necessary for Nugolo to perform the contract with the USER and provide the services purchased
- May object to the processing of personal data resulting from informational and promotional activities by Nugolo relating to new services
- May file, in case of repeated processing of personal data in violation of the law, a complaint with the Supervisory Authorities provided for by law pursuant to Article 13(2)(d) of the GDPR
- May request, in the event of the termination of any contractual relationship with Nugolo, the retrieval of the personal data entered by them in at least one of the commonly used structured formats readable by automated device (data portability)
- Has the right to obtain the responses to the requests provided for here in a clear, transparent and concise form
Requests may be submitted in writing by means of a reasoned email message sent to the mailbox info@nugolo.it to Luca Parolin, who may ask the USER, before complying with the request, for further information and/or documents.
Postal address: NUGOLO S.a.s. di Luca Parolin & C. — Via Roma, 16 — 10040 Rivalta di Torino (TO), Italy
Cookie Policy
In order to make its services as efficient and easy to use as possible, Nugolo may use cookies, which are small files that, when the USER visits the website or mobile application, are saved in the web browser directory of the User's device.
The cookies that may be used by Nugolo serve to improve the USER's use of Nugolo services because:
The installation of cookies and other tracking systems operated by third parties cannot be technically controlled; any specific reference to cookies and tracking systems installed by third-party web operators is to be considered merely indicative.
Whenever traffic analysis services such as Google Analytics or other tools from other web operators are expressly in operation on Nugolo pages, the USER, in order to view the relative privacy policy and possibly avoid any tracking, must use the appropriate tools made available by that specific web operator.
Processing of personal data of third parties – USER's ownership and specific obligations – Appointment as Data Processor
Taking into account also the particular operating methods of the services offered by Nugolo, the USER is responsible for all data of third parties entered and processed by them in the use of the services purchased from Nugolo, also and above all in terms of protecting the confidentiality of the personal data of those same third parties.
The USER is the sole Data Controller and responsible for the entry and Processing of personal data entered in their own reserved spaces in Nugolo and in documents created therein (e.g.: invoices, archives, lists, address books, emails, etc.) concerning third parties (clients, suppliers, collaborators, etc.). Therefore, they assume exclusively all legal obligations applicable under EU and Italian law regarding the protection and security of personal data, including:
- The obligation to inform the third parties concerned
- The prior acquisition of the consent of the third parties concerned where mandatory
- Any impact assessment on the risks of processing
- Response and fulfillment of any requests, by the third parties concerned, for information on the processing carried out, blocking or revocation of consent, objection to processing or erasure of personal data
The USER guarantees in any case that, when entering personal data of third parties into Nugolo, they have already obtained from those same third parties the authorization and express consent, where necessary, to the processing of personal data and also the authorization, where necessary, to the entry of the data itself into third-party infrastructures such as Nugolo.
After the User has entered the personal data of third parties into Nugolo, Nugolo will exclusively undertake the following processing phases: a) storage of personal data in its own IT infrastructure; b) performing activities connected with maintaining correct IT security; c) satisfaction of the USER's rights indicated in Article 9; d) performing processing activities strictly necessary for the correct execution of the services.
By registering with Nugolo and in any case by starting to use the services, the USER has therefore accepted that the aforementioned processing procedures used by Nugolo guarantee an adequate level of protection for the risk.
Nugolo reserves in any case the right not to process personal data of third parties entered by the USER when it realizes that the entry and/or processing are in violation of EU or Italian regulations on confidentiality and/or protection of personal data; in this case it will give notice to the User.
11.1 Appointments by Nugolo
For the USER, registration with Nugolo also means having consented to Nugolo being able to appoint its own specific Data Processors, who naturally carry out processing with adequate technical and organizational measures and, in any case, only within the limits of what is necessary for the provision of the services.
Google data usage (Google API Services User Data Policy)
Nugolo's use and transfer of information received from Google APIs to any other app complies with the Google API Services User Data Policy, including the Limited Use requirements.
12.1 Data accessed
The Nugolo application, with the explicit authorization of the user via Google OAuth 2.0 consent, accesses exclusively:
- Google Calendar API (scope: https://www.googleapis.com/auth/calendar) — specifically: events of the calendar selected by the user (title, description, location, start/end date and time, attendees, status)
12.2 How the data is used
Google Calendar events are used solely to:
- Display the user's appointments and activities within the management dashboard (CRM, projects, agenda)
- Create, modify or delete events on the Google calendar in response to equivalent operations carried out by the user in the management software (bidirectional synchronization)
- Aggregate events from shared group calendars (e.g. work teams) for operational planning
12.3 Data retention
- OAuth 2.0 tokens (access token and refresh token) are stored in encrypted form in the database of the user's ERP instance, hosted on private cloud infrastructure with access limited to authorized technical personnel only
- Google Calendar events are NOT copied in bulk to the Nugolo database: they are retrieved in real time upon each display. In case of synchronization (creation/modification from Nugolo), only the Google event ID (GoogleEventId) is stored to allow subsequent update/deletion operations
- The user can revoke access at any time from the "Google Account → Security → Third-party apps" section or disconnect Google Calendar from the Nugolo settings. In that case, the tokens are immediately deleted from our database
12.4 Sharing with third parties
Google data accessed through Nugolo is NOT sold, leased or shared with third parties. It remains exclusively within the user company's ERP instance and is accessible only to authorized users of the same instance.
No Google data is transferred to analytics, marketing, AI/machine learning services or data brokers.
12.5 Security
- HTTPS/TLS 1.2+ connection for all communications with Google APIs
- Tokens stored in an isolated tenant database per instance
- Access tracked via application log
- GDPR compliance (EU Regulation 2016/679)
To revoke consent or request data deletion:
Email: privacy@nugolo.it
Or from the page: https://myaccount.google.com/permissions
Meta/WhatsApp data usage (WhatsApp Business Platform Data Policy)
The Nugolo application integrates the WhatsApp Business Cloud API service by Meta Platforms, Inc. to enable business users (management software operators) to communicate with their customers via WhatsApp directly from within the management software. The processing of data received from Meta APIs complies with the WhatsApp Business Messaging Policy, the Meta Platform Terms and Meta's Developer Policy, as well as with EU Regulation 2016/679 (GDPR).
The Nugolo USER (company) is the Data Controller for the data of its end customers with whom it communicates via WhatsApp.
Nugolo acts as Data Processor (Art. 28 GDPR) on behalf of the USER, as already described in Art. 11.
Meta Platforms Ireland Ltd. is the provider of the WhatsApp Business Platform infrastructure and operates according to its own policy available at whatsapp.com/legal.
13.1 Data Accessed
Through the WhatsApp Business Cloud APIs, Nugolo accesses exclusively the following types of data, provided by Meta in relation to messages exchanged between the business USER and their interlocutors (end customers) who have voluntarily initiated or accepted a conversation with the company:
- Phone number of sender/recipient in E.164 format (e.g. 393401234567)
- WhatsApp profile name as exposed by the interlocutor in their WhatsApp settings
- Text content of messages exchanged in the conversation
- Media attachments (images, audio, video, documents, voice notes) and related mime_type when the interlocutor voluntarily sends them
- Unique message identifier (WaMessageId) and timestamp of sending/receiving
- Delivery status of sent messages (sent, delivered, read, failed) and related error codes provided by Meta
13.2 Data Use
WhatsApp data is used exclusively for the following operational purposes, consistent with the business messaging service requested by the USER:
- Display in the USER's management dashboard the list of conversations with customers and the history of exchanged messages
- Allow the USER's authorized operators to reply to received messages and send new communications (appointment confirmations, service notifications, after-sales support, etc.)
- Perform automatic matching via phone number with the customer/supplier registry already present in the USER's management software, for the sole purpose of associating the conversation with the correct customer profile
- Show delivery/read status indicators for sent messages (checkmarks)
- Notify the operator in real time of incoming new messages via authenticated HTTP polling
13.3 Data Retention
- WhatsApp messages (text, id, timestamp, status, metadata) are stored in the database of the USER's ERP instance, isolated per tenant, for the entire duration of the contractual relationship between the USER and the end customer and for the time necessary to fulfill legal obligations (e.g. commercial documentation, disputes, warranties)
- Media attachments received via WhatsApp are retained only if the USER explicitly saves them; Meta does not allow unlimited re-download of media
- The Meta API access credentials (WHATSAPP_ACCESS_TOKEN, WHATSAPP_PHONE_NUMBER_ID, WHATSAPP_VERIFY_TOKEN, WHATSAPP_BUSINESS_ACCOUNT_ID) are stored solely in the configuration table of the USER's ERP instance, accessible only to authorized tenant administrators
- The business USER can at any time delete individual conversations or individual messages from the management software interface. Deletion is immediate and definitive from the Nugolo database
- Upon request of the end customer who has communicated via WhatsApp, the Data Controller (business USER) is obliged, pursuant to Art. 17 GDPR, to delete the data concerning them. Nugolo provides bulk deletion tools for this purpose
- Backups of WhatsApp data follow the same 30-day lifecycle described in Art. 3
- In case of revocation of the WhatsApp integration by the USER (removal of access tokens from the configuration), the sending and receiving of new messages are immediately suspended. Historical data remains accessible to the USER until an explicit deletion request
13.4 Data Sharing
WhatsApp data processed by Nugolo is NOT sold, leased or shared with third parties for autonomous marketing, analytics or commercial purposes.
The only data flows to third parties are those strictly necessary for the provision of the service:
- Meta Platforms Ireland Ltd. (provider of WhatsApp Business Cloud APIs) — receives messages sent by the USER to deliver them to the final recipient, according to Meta's policy and terms
- Amazon Web Services, Inc. (cloud hosting described in Art. 3) — as Data Processor for the infrastructure layer
- Competent Authorities exclusively in case of a motivated order from them
13.5 Legal Basis
The processing of data deriving from the WhatsApp Business Cloud APIs finds its legal basis in:
- Performance of the contract between the USER (company) and the end customer (Art. 6.1.b GDPR), when the customer has voluntarily initiated a conversation with the company
- Legitimate interest of the company in responding to requests from its customers (Art. 6.1.f GDPR)
- Consent of the end customer (Art. 6.1.a GDPR) for marketing or promotional communications, which must comply with the WhatsApp Business Messaging Policy and be obtained in advance by the business USER before contacting the recipient
13.6 Data Security
- All communications with Meta APIs take place exclusively via HTTPS/TLS 1.2+
- Meta webhooks are authenticated through a secret verify token specific to each USER instance and validated on each request
- WhatsApp conversations are stored in dedicated tables isolated per tenant (WA_Contatti, WA_Conversazioni, WA_Messaggi), accessible only to authorized operators of the instance
- Every operational access to Nugolo's WhatsApp API endpoints is authenticated through the operator's application SessionID
- Meta applies end-to-end encryption between WhatsApp devices and, for the Business Cloud APIs, retains messages in transit according to its own security policies
- In case of a data breach involving WhatsApp data, Nugolo fulfills the notification obligations provided for in Articles 33 and 34 GDPR
13.7 Data subject rights and revocation
End customers who have exchanged WhatsApp messages with a Nugolo business USER may, within the limits described in Art. 9 of this document:
- Request from the Data Controller (the business USER they interacted with) confirmation of the existence of the data, access, rectification and erasure
- Request cessation of further communications by sending the STOP command (or equivalent) or by blocking the company's number in the WhatsApp settings
- Revoke at any time their consent to processing, using the methods provided by the business USER
- File a complaint with the Data Protection Authority
For requests regarding WhatsApp data processed through Nugolo:
Email: privacy@nugolo.it
Meta Privacy Policy: whatsapp.com/legal/privacy-policy
Business Messaging Policy: whatsapp.com/legal/business-policy