Privacy policy.

PRIVACY POLICY GREN Italia S.r.l. — Corporate Informational Website Pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) and Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018Version 1.0 — March 2026

1. Data Controller

The Data Controller for personal data collected through this website is GREN Italia S.r.l., with registered office at Viale Luigi Schiavonetti, 270 Pal. E, 00173 Roma (RM), VAT Number 18286421005, registered in the Rome Companies Register under REA No. RM-1774515. For any request relating to the processing of personal data, the data subject may contact the Data Controller at legal@grenfinance.com.

2. Data Protection Officer (DPO)

GREN Italia S.r.l. has assessed the requirement to appoint a Data Protection Officer pursuant to Articles 37–39 GDPR. As of the date of publication of this Policy, the appointment of a DPO is not mandatory based on the Company's current processing activities, which do not involve large-scale processing of sensitive data or systematic monitoring of data subjects. Should processing activities evolve in a way that makes such appointment mandatory, the Data Controller will update this Policy accordingly.

3. Categories of Personal Data Processed

3.1 Browsing data

Technical information automatically transmitted by the user's browser in the normal course of website operation, including IP address, device identifiers, log files, browser type and version, pages visited, referral URLs, and session duration. This data is used solely for technical, statistical, and security purposes.

3.2 Data voluntarily provided by the user

Personal data submitted voluntarily through contact forms or email communications, which may include: first and last name, email address, company name and professional role, phone number, and any additional information freely provided by the user.

3.3 Cookies and tracking technologies

The website uses technically necessary cookies required for its proper functioning. Analytics and profiling cookies are only activated upon the user's explicit prior consent. Full details on cookie types, purposes, duration, and how to manage or withdraw consent are available in our Cookie Policy, accessible at all times via the dedicated link at the bottom of this page.

3.4 Special categories of data

GREN Italia S.r.l. does not collect, through this website, special categories of personal data within the meaning of Article 9 GDPR (health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning sexual orientation or sex life). Should such data be inadvertently communicated by the user, the Data Controller will arrange for its immediate deletion.

4. Purposes of Processing and Legal Basis

Personal data collected through this website is processed for the following purposes, each grounded in a specific legal basis under Article 6 GDPR. The handling of contact requests and user communications is based on the performance of pre-contractual measures or the legitimate interest of the Data Controller pursuant to Article 6(1)(b)(f) GDPR, and data is retained for 12 months from receipt unless a longer period is required by law. Technical administration and website security is carried out on the basis of the Data Controller's legitimate interest in proper functioning and IT security pursuant to Article 6(1)(f) GDPR, with navigation logs retained for 6 months and technical cookies for the duration of the session. Aggregated and anonymised statistical analysis is performed on the basis of the legitimate interest of the Data Controller in improving the service pursuant to Article 6(1)(f) GDPR, with analytics data retained for up to 26 months where applicable. Profiling and direct marketing activities are based exclusively on the explicit consent of the data subject pursuant to Article 6(1)(a) GDPR and data is processed until consent is withdrawn. Compliance with legal and regulatory obligations is based on a legal obligation pursuant to Article 6(1)(c) GDPR, with data retained for the periods required by applicable law. Where processing is based on legitimate interest, the Data Controller has carried out a balancing test between that interest and the fundamental rights and freedoms of data subjects, concluding that its interest prevails for the purposes indicated above.

5. Data Retention

Personal data is retained only for the time strictly necessary to fulfil the purposes for which it was collected, and in any case no longer than the periods indicated in Section 4 above. Upon expiry of the applicable retention period, data will be deleted or irreversibly anonymised. Exceptions apply where retention is required by law (such as tax, anti-money laundering, or corporate law obligations), where retention is necessary to establish, exercise, or defend a legal claim for the duration of the relevant proceedings and limitation periods, or where the data subject has consented to a longer retention period.

6. Data Disclosure and Sharing

Personal data is not disseminated to the public. Data may be disclosed, to the extent strictly necessary, to technical service providers — such as hosting, website maintenance, and cloud infrastructure providers — acting as Data Processors pursuant to Article 28 GDPR under appropriate data processing agreements; to legal, tax, and professional advisors assisting the Data Controller in its activities; to public authorities, supervisory bodies, and courts where required by applicable law or regulatory order; and to other GREN group entities to the extent necessary for internal administrative and management purposes, subject to the guarantees provided under the GDPR. Personal data is never sold, transferred, or otherwise made available to third parties for their own commercial purposes.

7. International Data Transfers

The Data Controller does not ordinarily transfer personal data to countries outside the European Economic Area (EEA). Where, due to operational requirements or the use of specific technical providers, personal data must be transferred to third countries, the Data Controller ensures that an adequacy decision by the European Commission is in place pursuant to Article 45 GDPR, or that appropriate safeguards pursuant to Article 46 GDPR are adopted — including Standard Contractual Clauses (SCC) approved by the Commission, approved Codes of Conduct, or Binding Corporate Rules (BCR) — or that one of the derogations set out in Article 49 GDPR applies. Data subjects may request information on the safeguards adopted for international transfers by contacting legal@grenfinance.com.

8. Security Measures

The Data Controller implements appropriate technical and organisational measures to ensure a level of security commensurate with the risk, pursuant to Article 32 GDPR. These measures include transmission of data via encrypted HTTPS/TLS protocol; access control systems based on strong authentication; data backup and recovery procedures; internal procedures for managing security incidents and data breaches, including notification obligations pursuant to Article 33 GDPR; periodic training of staff involved in personal data processing; and selection of providers offering adequate guarantees pursuant to Article 28 GDPR.

9. Rights of Data Subjects

Pursuant to Articles 15–22 GDPR, data subjects have the right to obtain confirmation of whether personal data concerning them is being processed and to access such data and related information (Article 15); to obtain the rectification of inaccurate personal data and the completion of incomplete data (Article 16); to obtain the deletion of personal data concerning them in the cases provided for by applicable law (Article 17); to obtain restriction of processing in the circumstances provided for by law (Article 18); to receive personal data provided to the Data Controller in a structured, commonly used, machine-readable format where technically applicable (Article 20); to object at any time, on grounds relating to their particular situation, to processing based on legitimate interest (Article 21); to withdraw consent previously given at any time without affecting the lawfulness of prior processing (Article 7(3)); and to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia n. 11, 00187 Roma, www.garanteprivacy.it, or with the supervisory authority of the EU Member State where they habitually reside, work, or where the alleged infringement took place (Article 77). Requests to exercise any of the above rights may be submitted to legal@grenfinance.com. The Data Controller will respond within 30 days of receipt, extendable to 60 days in cases of particular complexity, with prior notice to the data subject.

10. Nature of Data Provision

Provision of browsing data is inherent to the technical operation of the website and failure to provide it prevents access. Provision of data through contact forms is voluntary; however, failure to provide mandatory fields will make it impossible to process the user's request. Provision of data for profiling or direct marketing is entirely optional and refusal will have no consequence on access to the website or its services.

11. Data Relating to Minors

This website is not directed at individuals under the age of 18. The Data Controller does not knowingly collect personal data relating to minors. Should the Data Controller become aware that such data has been inadvertently collected, it will arrange for its immediate deletion. Any person who believes that data relating to a minor has been collected is invited to contact legal@grenfinance.com.

12. Automated Decision-Making and Profiling

The Data Controller does not carry out processing involving solely automated decision-making, including profiling, which produces legal effects concerning data subjects or similarly significantly affects them, within the meaning of Article 22 GDPR.

13. Updates to This Policy

The Data Controller reserves the right to modify or update this Privacy Policy at any time, including to reflect regulatory changes or new processing activities. The most recent version is always available on this page, together with the date of last update. In the event of material changes, the Data Controller will inform users through a prominent notice on the website or, where applicable, via direct communication.

14. Applicable Law and Regulatory Framework

This Policy is drafted in accordance with Regulation (EU) 2016/679 (GDPR); Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018; provisions, guidelines, and recommendations of the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali); guidelines of the European Data Protection Board (EDPB); Legislative Decree No. 70/2003 on electronic commerce where applicable; and Legislative Decree No. 65/2023 transposing the NIS2 Directive as regards information security measures.

15. Contact

For any information, request, or enquiry relating to this Policy or to the processing of personal data, please contact GREN Italia S.r.l. at legal@grenfinance.com. The registered office is located at Viale Luigi Schiavonetti, 270 Pal. E, 00173 Roma (RM), Italy. Additional information is available at www.grenfinance.com.

GREN Italia S.r.l. — Privacy Policy — Version 1.0 — March 2026