Privacy Policy

1) Introduction & Controller Identity

GIG IMMOBILIARE SRL is the Data Controller for the processing described in this Privacy Policy. This means we determine the purposes and means of processing your personal data when you interact with our website and when you request information about educational programs.

Data Controller: GIG IMMOBILIARE SRL
Registered address: Via Giovanni Marradi, 1, 20123 Milan (Milano), Italy
Email: [email protected]
Phone: +39 02 8736 2149

We have not appointed a Data Protection Officer (DPO) because our activities, as described here, do not require a DPO under Articles 37–39 GDPR. If this changes, we will update this Privacy Policy with the relevant contact details.

2) Personal Data We Collect

We collect personal data that you choose to provide and personal data that is generated when you use the website. The exact data depends on how you interact with us.

• Identity and contact data: name, email address, phone number, and any organization name you include in your message.
• Inquiry and form content: the message you write, your program selection, preferred format, availability questions, and any details you share about your learning needs or organizational context.
• Technical data: IP address, browser type and version, device type, operating system, language settings, and basic diagnostic data that is typically sent by browsers when loading a webpage.
• Usage data: pages viewed, time spent on pages, navigation paths on the site, referrer URLs (where available), and interactions that indicate how visitors use content.
• Cookies and identifiers: data stored through cookies and similar technologies as described in Section 4 (such as consent status and analytics identifiers).
• Conversion events: signals that an inquiry form was submitted or that a user reached a “Thank you” page after contacting us.

We do not intentionally collect special-category data (such as health data, biometric data, or political opinions), financial account details, or government identification numbers through our standard website forms. Please do not include those categories of data in your message.

3) Why We Process Personal Data & Legal Basis (GDPR Art. 6)

We process personal data only when there is a lawful basis under GDPR. The main purposes are responding to inquiries, operating the website safely, and (if you consent) measuring and improving our marketing and content.

• Handling inquiries and program information requests: to reply to your message, provide syllabi, explain formats available in Canada, coordinate registration steps, or discuss organizational training options. Legal basis: Art. 6(1)(b) (steps prior to entering a contract) and, where consent is explicitly requested through the form checkbox, Art. 6(1)(a) consent.
• Website security and fraud prevention: to protect our services against abuse, spam, and malicious activity, and to maintain availability. Legal basis: Art. 6(1)(f) legitimate interests (security and integrity of systems).
• Analytics: to understand how visitors use the website so we can improve navigation and content clarity. Legal basis: Art. 6(1)(a) consent (when required).
• Marketing measurement and remarketing: to measure advertising performance, attribute conversions, and build remarketing or lookalike audiences. Legal basis: Art. 6(1)(a) consent (when required).
• Legal compliance: to comply with applicable legal obligations (for example, record-keeping where required). Legal basis: Art. 6(1)(c) legal obligation.

Automated decision-making (Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you.

4) Cookies & Tracking Technologies

We use cookies and similar technologies (such as pixel tags) to ensure the site functions properly and, if you consent, to measure usage and advertising performance. Cookie categories and examples below align with our Cookies Policy.

Essential (always active)

These cookies are required for core functionality and security. They include, for example, a session cookie and a cookie that stores your cookie preferences choice. Without these, features like remembering your consent selection may not work reliably.

• _site_session (first-party): session continuity and basic security. Retention: session.
• cookie_consent (first-party): stores cookie category choices. Retention: up to 12 months.

Analytics (consent required)

If you enable Analytics cookies, we may use Google Analytics 4 (GA4) with IP anonymization to better understand traffic and content performance. Analytics data helps us see which pages are helpful, where navigation is confusing, and which topics should be expanded in our learning resources. We apply an analytics retention period of 14 months.

• _ga (third-party): GA4 user identifier. Retention: up to 2 years.
• _ga_XXXXXXXXXX (third-party): GA4 session state. Retention: up to 2 years.

Marketing (consent required)

If you enable Marketing cookies, we may use Google Ads and Meta (Facebook/Instagram) technologies to measure advertising performance, understand conversions (such as form submissions), and show ads that are relevant to program information requests. These tools may rely on cookies and similar identifiers to recognize a browser, measure campaigns, and create audiences for remarketing or lookalike targeting.

• _gcl_au (third-party): Google Ads conversion linker. Retention: 90 days.
• _fbp (third-party): Meta Pixel browser identifier. Retention: 90 days.
• _fbc (third-party): Meta click identifier (when present). Retention: 90 days.

Beyond cookies, marketing and analytics tools can also use pixel tags and server-side event sharing (for example, via Meta Conversion API or server-side tag management) where configured. Where server-side sharing is used, identifiers may be hashed before transmission and are used only for measurement and attribution purposes.

5) Consent for Cookies (EEA/UK)

Users in the European Economic Area and the United Kingdom receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie (up to 12 months).

You can withdraw or change your consent at any time by selecting “Manage cookie preferences” in the footer. You can also clear cookies in your browser settings. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew consent.

6) Sharing With Advertising & Service Partners

We share personal data only when necessary for the purposes described above and with appropriate safeguards. We do not sell personal data.

• Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage events, and conversion data used for measurement and audience building. See Google’s privacy information at policies.google.com/privacy.
• Meta Platforms (Meta Pixel, Custom/Lookalike Audiences, Conversion API): page views, conversions, audience signals, and in some cases hashed identifiers for attribution. See Meta’s privacy policy at facebook.com/privacy/policy.
• Cloudflare (CDN and security): IP-based threat detection and performance delivery. See Cloudflare’s privacy policy at cloudflare.com/privacypolicy/.

These partners act as service providers or separate controllers depending on the context. We do not permit them to use site data for their own independent commercial purposes beyond providing their services and maintaining security.

7) International Data Transfers

Some service providers (for example, Google and Meta) may process data outside the European Economic Area, including in the United States. When we use those providers, transfers may rely on the EU–US Data Privacy Framework (DPF) where applicable (and the UK Extension / Swiss–US DPF where relevant). Where needed, we use Standard Contractual Clauses (EU 2021/914) or equivalent transfer mechanisms as a fallback.

8) Data Retention

We keep personal data only as long as necessary for the purposes described in this policy, and then we delete it or anonymize it. Retention periods can vary based on context and legal obligations.

• Contact form submissions and inquiry records: up to 2 years from the last interaction, unless a longer period is needed to handle a continuing request.
• Email correspondence: for the duration of the relationship and up to 1 year afterward for continuity and audit purposes.
• Server and security logs: typically up to 90 days, unless a longer period is required to investigate security incidents.
• Analytics data: 14 months (configured retention), plus any aggregated reports that do not identify individuals.
• Marketing cookies: per cookie lifetime (for example, 90 days), and measurement data per provider settings.
• Cookie consent record: up to 3 years for audit and compliance purposes.
• Legal and tax: where applicable, records may be retained for the period required by law (often 6–10 years depending on the record type).

9) Your Rights (GDPR & UK GDPR)

If GDPR applies to you, you have the right to request access to your personal data, to correct it, to request deletion, to restrict processing, to object to processing, and to request portability where applicable. Where processing is based on consent, you can withdraw consent at any time (Art. 7(3)).

• Access (Art. 15)
• Rectification (Art. 16)
• Erasure (Art. 17)
• Restriction (Art. 18)
• Data portability (Art. 20)
• Objection (Art. 21)
• Withdraw consent (Art. 7(3))
• Lodge a complaint with a supervisory authority (Art. 77)

To exercise your rights, email [email protected]. We aim to respond within 30 days. If requests are complex, we may extend the response period by up to 60 additional days as allowed by law.

For Italy, the competent supervisory authority is the Garante per la protezione dei dati personali (Italian Data Protection Authority). You may also consult general guidance through the European Data Protection Board at edpb.europa.eu.

10) Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided personal data without appropriate consent, contact us and we will take steps to delete the information promptly.

11) Do Not Track Signals

This website does not respond to “Do Not Track” (DNT) browser signals. Some third-party providers may have their own approaches to DNT and similar signals.

12) Data Deletion Requests

You may request deletion of your personal data by emailing us with the subject line “Data Deletion Request”. We may ask for additional information to verify your identity before deleting data. Once verified, we aim to complete deletion within 30 days unless we must retain certain information to comply with legal obligations or to establish, exercise, or defend legal claims.

13) Business Transfers

If we are involved in a merger, acquisition, asset sale, financing, reorganization, or insolvency event, personal data may be transferred to a successor entity as part of that transaction. If the transfer materially changes how personal data is used, we will provide notice on the website.

14) California (CCPA / CPRA)

Visitors from the United States may have rights under state privacy laws. For California residents, the following describes our practices for the previous 12 months.

• Categories of personal information: identifiers (name, email, IP address, cookie identifiers), internet/network activity (pages viewed, interactions), and inferences (preferences derived from browsing behavior when marketing cookies are enabled).
• Purposes: responding to inquiries, analytics, security, and (with consent where applicable) advertising measurement and remarketing.
• Disclosures: to service providers and advertising partners such as Google and Meta for measurement and advertising functionality.

We do not sell personal information as defined by CCPA. We may share personal information for cross-context behavioral advertising when marketing cookies are enabled. California residents can opt out by using our cookie preferences panel (via the footer “Manage cookie preferences” link).

To submit a California privacy request (Know, Delete, Correct, or Opt-Out of sharing), email [email protected] with the subject “California Privacy Request”. We will verify your request as required by law. Authorized agents may submit requests with written proof of authorization.

15) Virginia (VCDPA)

Virginia residents may have rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising. To submit a request, email [email protected] with the subject “Virginia Privacy Request”.

We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects. If we decline to take action on a request, you can appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16) Nevada

Nevada residents may submit a verified request to opt out of the sale of certain personal information by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information as defined by Nevada Revised Statutes Chapter 603A.

17) Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, or legal requirements. If changes are material, we will provide a notice on the website at least 14 days before the updated policy becomes effective. The “Last Updated” date at the top of this page indicates the most recent revision.

18) Contact

For privacy questions, requests, or complaints, contact:

GIG IMMOBILIARE SRL
Via Giovanni Marradi, 1
20123 Milan (Milano), Italy
Email: [email protected]
Phone: +39 02 8736 2149