Privacy Notice

Last Updated: May 22, 2025

At Cubbit, we consider the protection of personal data a fundamental responsibility. We are committed to processing your personal information securely, transparently, and in full compliance with Regulation (EU) 2016/679 (‘GDPR’), applicable national legislation, and all other relevant data protection laws.

This Privacy Notice (the “Notice”) describes how we collect, use, and safeguard personal data in connection with our Services (which include our products, websites, applications, and any related activities - including promotional or informational initiatives referring to this document). It also outlines your rights as a data subject and how you can exercise greater control over your personal information in a simple and informed way.Please note: This Privacy Notice does not apply to the “content” uploaded, processed, or stored by customers through Cubbit’s cloud storage services in connection with a Cubbit account.

WHO IS THE DATA CONTROLLER?

The data controller is Cubbit S.r.l., a company incorporated under Italian law, with its registered office at Via della Zecca 1, 40121 Bologna, Italy, listed in the Companies Register under no. 03562001200, Tax Code and VAT no. 03562001200 (“Cubbit”, “we” or “us”, “our”).

When you use our cloud services to store personal data, you determine the purposes and means of that processing. In this context, you act as the data controller, while Cubbit acts solely as a data processor, in accordance with Article 28 of the GDPR.

Your data is processed exclusively on your behalf and based on your documented instructions, as outlined in the applicable service agreement and Data Processing Agreement (DPA).

WHAT DATA DO WE COLLECT?

We collect various types of personal data, both provided directly by users and automatically gathered during the use of our services, or from external sources. Below is a detailed overview.

A. Data Provided Directly by You.

We collect personal data that you voluntarily provide, for example, when you create an account, contact our technical or customer support, participate in promotional activities, or attend events. This data may include:

Identification data: name, surname, tax code, VAT number, signature, identity document.
Contact data: email address, phone number, billing and shipping address.
Billing data: invoices, banking details.
Support and communication data: Information provided when you open a support ticket or contact us via other channels (including social media), such as name, email, job title, company name, and the content of your request.
Other information: any data you choose to share with us by filling out online forms, registering for events, participating in surveys, or visiting our operational locations. Personal data collected both online and offline in connection with recruitment activities are processed in accordance with our policy.

B. Data Collected Automatically.

When interacting with our services, we automatically collect certain information through technologies such as system logs, cookies, and tracking tools. This data helps us improve the services provided and ensure their security.

Usage data: information about how you use the website and Services, such as pages visited, actions taken, session duration, and interaction with features.
Device data: type of device, operating system, browser, software version, screen resolution, IP address, and approximate geolocation.
Cookies and similar technologies: unique identifiers used to analyse traffic, optimise navigation, and personalise the experience. For more details, please refer to our Cookie Policy.

C. Data Collected from Third Parties.

In some cases, we may receive personal data from external sources, such as partners, service providers, or public databases, in order to improve the quality of our Services.

Payment data: information from financial institutions or payment service providers.
Professional contact data: provided by business partners or resellers, including company references and transaction details.
Social media data: publicly available content related to interactions with our pages (e.g., comments, likes, messages).
Data obtained from third-party authentication services: when you access our services through an Identity Provider (IdP) such as Google or Microsoft, we receive essential authentication data, including your name, surname, and email address.

HOW WE USE YOUR DATA.

We process your personal data for the purposes outlined below, based on the lawful conditions set out in the GDPR. Data is stored only for as long as necessary to achieve these purposes and to comply with applicable legal obligations.

‍

Purpose	Legal Basis	Categories of data	Retention
Provision of Services. To manage and provide our products and services, create and maintain user accounts, and ensure access to the features of our platform.	Performance of a contract	Identification and contact data, service usage data.	For the duration of the contract and up to 10 years after termination, in accordance with tax and accounting obligations.
Customer Support and Assistance. To respond to your requests, provide technical or commercial support, and manage support tickets and reports.	Performance of a contract / Legitimate interest	Identification data, contact details, support request information.	Up to five years after the end of the customer's contractual relationship.
Management of Contracts with Partners. To manage contracts with partners (suppliers and service providers).	Performance of a contract / Legal obligation / Legitimate interest	Identification data, contact details, billing and payment information.	For the duration of the contract and up to 10 years after termination due to legal obligations.
Security and Abuse Prevention. To ensure the security of our Services, prevent fraudulent or unauthorised activities, and protect our IT systems.	Legitimate interest	Usage data, system logs, IP address.	Technical and usage data are retained for up to 24 months, unless required for security purposes or investigation of fraudulent activity.
Marketing, communication and commercial prospecting activities. To send you promotional communications, updates on our Services and initiatives, newsletters, invitations to events and commercial prospecting messages, including through automated tools (e.g. email, social media, notifications), based on your interests or previous interactions. These activities may target both registered users and individuals who are not yet customers, in compliance with applicable data protection laws.	Consent / Legitimate Interest	Identification and contact details. Preferences, usage data, interactions with our communications. Professional information (e.g. job title, company, industry).	Until consent is withdrawn or objection is raised, and in any case for no longer than 24 months from the last meaningful interaction or consent update.
Service Improvement To analyse the use of the platform, gather feedback, and enhance the user experience.	Legitimate interest	Usage data, system logs, IP address.	Technical and usage data are retained for up to 24 months, unless required for security purposes or investigation of fraudulent activity.
Compliance with Legal Obligations To comply with applicable regulations and respond to requests from competent authorities.	Legal obligation	Identification data, transaction data, documentation required by law.	For as long as necessary to meet applicable regulatory obligations.

‍

Once the applicable retention periods have elapsed, personal data will be deleted or anonymised, where technically feasible.

‍

WHO DO WE SHARE YOUR DATA WITH?

Your personal data may be shared only with selected third parties, for the purposes set out in this Notice and in compliance with the legal basis under the GDPR. Specifically, data may be shared with:

Service providers and technology partners: We work with third-party providers to ensure the operation, management, and improvement of our Services and digital solutions (e.g. infrastructure, technical support, analytics, communication, and marketing tools). These partners process data solely to perform the agreed activities and are bound by confidentiality and data processing agreements.
Commercial partners and authorised resellers: Where access to our Services is facilitated through a partner or reseller, certain data necessary for the provision and management of the service may be shared with such parties. These parties may act as independent or joint controllers, depending on the context.
Consultants and professionals: Personal data may be shared with legal, tax, accounting consultants, or entities in charge of audits and compliance, solely for purposes related to legal obligations or internal business management.
Public authorities or competent bodies: Where required by law or pursuant to official requests, we may disclose personal data to public entities, judicial authorities, or supervisory bodies.
Administrators: Administrators designated by the Customer may access personal data of service users, under the Customer’s responsibility.
Public: With your consent, we may publish testimonials or feedback on our public channels, such as websites and social media platforms. Please be aware that information shared in these contexts may be visible to anyone.
Corporate transactions: In the event of a merger, acquisition, or other corporate transaction, data may be transferred to the relevant parties, always in accordance with applicable law.

Under no circumstances will your personal data be sold or disclosed to third parties for unauthorised commercial purposes or without a valid legal basis.

WHERE DO WE TRANSFER YOUR DATA?

Your personal data is primarily stored in Italy or, in any case, within the European Union (EU) and the European Economic Area (EEA). We are committed to minimising data transfers to third countries and only carrying them out when strictly necessary for the purposes described in this Notice.

Where it is necessary to transfer your personal data outside the EU/EEA, we implement the safeguards required by European data protection law to ensure an adequate level of protection for your rights. In particular, we rely on legal mechanisms such as:

European Commission adequacy decisions
Binding Corporate Rules (BCRs), and
Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914/EU.

Where appropriate, we also supplement these safeguards with additional technical, contractual, and organisational measures to ensure the security and integrity of personal data transferred internationally.

HOW DO WE PROTECT YOUR DATA?

We implement technical and organisational security measures to ensure the confidentiality, integrity, availability, and resilience of our systems, software, and services. These measures are designed in accordance with advanced security standards and are proportionate to the nature of the data processed and the specific characteristics of our offerings.

Cubbit is also certified under the ISO/IEC 27001:2022 standard, which demonstrates the adoption of an Information Security Management System (ISMS) that meets the highest international cybersecurity requirements.

All our employees undergo continuous training on cybersecurity and personal data protection.

In particular, the measures we have adopted include, but are not limited to:

Internal security policies, which define operational standards, responsibilities, and procedures for data protection within our services.
Access control and secure authentication, to ensure that only authorised users can access data and services, through technologies such as multi-factor authentication (MFA) and role-based access management.
Application security, ensuring that our software is designed, developed, and maintained according to best security practices, including regular audits and vulnerability testing.
Continuous monitoring, to detect suspicious or anomalous activities promptly and to take proactive action in case of incidents.
Data encryption, both in transit and at rest, to protect information from unauthorised access, even on third-party infrastructures.
Secure supplier management, selecting technology partners who comply with applicable data protection regulations and adopt appropriate security measures.
Incident management procedures, enabling us to detect, contain, and promptly notify any personal data breaches, in compliance with the GDPR.
Regular and secure backups, carried out in protected environments, to ensure data availability and recovery in the event of loss or malfunction.

WHAT ARE YOUR RIGHTS?

Under the GDPR, you have the right to exercise a range of actions concerning your personal data at any time. In particular, you can:

Access the personal data we hold about you and obtain confirmation of whether your data is being processed, as well as a copy of the data we hold.
Request the portability of your data, receiving it in a structured, commonly used, and machine-readable format, so that you can transmit it to another controller.‍
Request the rectification of inaccurate data or the completion of incomplete data.
Object to the processing of your data, particularly for direct marketing purposes or where there is no overriding legitimate interest.
‍Restrict the processing under certain circumstances, such as during the verification of data accuracy or if you contest the lawfulness of the processing.‍
Request the deletion of personal data when it is no longer necessary, you have withdrawn consent, you have objected to the processing, or the data has been processed unlawfully.‍
Withdraw consent at any time, where the processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal.
‍Lodge a complaint with the competent supervisory authority, if you believe your rights under data protection laws have not been respected.

If you wish to exercise any of the rights listed above, please contact us at privacy@cubbit.io. We will respond to you within 30 days. Please note, before we comply with your request we may need to verify your identity.

To exercise any of these rights, you can contact us by emailing privacy@cubbit.io

We will respond within 30 days of receiving your request. In some cases, we may need to verify your identity before we can proceed.

If, after contacting us, you believe your request has not been handled correctly, you can file a complaint with the relevant data protection authority.

UPDATES TO THE PRIVACY NOTICE.

We may update this Privacy Notice from time to time, for instance, to reflect regulatory changes, developments in our services, or organizational changes. In the event of significant updates, we will inform you via email or through a visible notice on our websites. However, we encourage you to periodically review this page to stay informed about how we process your personal data.

Continued use of our Services after the updates are published will be deemed as acceptance of these changes.

Insert an email address to receive notifications about changes in our list of Subprocessor.