Privacy Policy

1. Data Controller The Data Controller is Growth Capital S.r.l., with its registered office at Piazza Armando Diaz 5, 20122 Milan, Italy (“Data Controller”, “we”, “our”, “us”), in accordance with Article 13 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This Privacy Policy informs you that your personal data will be processed for the purposes and in the manners described below. This Privacy Policy applies to the processing of personal data of users who, like you, browse, interact, or register for the services offered by the website (“Site”). Please read this Privacy Policy and any other privacy notices provided on the Site before interacting with our services.

2. Purposes and Legal Basis for Processing In compliance with the GDPR, the processing of your personal data will be based on the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality.

2.1 Main Purposes The Data Controller processes your personal data for the following main purposes: (a) To comply with legal, regulatory, or national/european obligations, including, for example, obligations resulting from court orders and other competent authorities. (b) To send you communications related to the Data Controller’s products, services, events, including market research, statistical analysis, and surveys via email (“marketing purposes”). (c) To pursue our legitimate interests in protecting our rights, enforcing or defending them in competent jurisdictions (e.g., judicial, arbitration, administrative), protecting our assets, preventing fraud, managing potential extraordinary corporate transactions, and improving the services offered on the Site.

Providing personal data for marketing purposes, as described in point (b), is optional. If you choose not to provide this data, we will not be able to send you commercial communications, but there will be no negative consequences for you. If you are already our customer, or have previously used services from the Data Controller and provided your email in the relevant section of the Site, we may send you commercial communications related to, for example, newsletters or similar products/services based on our legitimate interest in carrying out such promotional activities. You can object to receiving commercial communications at any time by following the instructions provided below or in each communication.

3. Categories of Personal Data Processed The Data Controller processes the following personal data using both automated and manual methods in accordance with the purposes outlined above:

  • Data voluntarily provided by you, such as your name, surname, email (e.g., when you request a service or product).
  • Navigation data collected by the information systems used to operate the Site, which transmission is implicit in the use of Internet communication protocols. These are data that are not collected to be associated with identified individuals but could, through processing and association with data held by third parties, allow the identification of users (e.g., IP addresses, browser type, operating system, domain names, addresses of websites from which users accessed or exited, information on pages visited, access times, time spent on specific pages, internal navigation analysis, and other parameters related to the operating system and user’s environment). These data are collected and used in an aggregated and anonymous manner solely to improve the quality of services offered on the Site, optimize Site functionality, and compile statistical information on Site use.
  • Data collected via cookies (as the Site uses cookies to collect personal data, we invite you to review the Cookie Policy, which describes the cookies used on the Site and the purposes of their use).

The Data Controller does not process personal data falling under special categories of personal data (e.g., health data), nor personal data of individuals under 18 years old.

If you provide personal data of third parties, you will act as an independent data controller and must ensure that such communication and our subsequent use of the data for the specified purposes complies with applicable data protection regulations (e.g., you must obtain informed consent from the third party before providing their personal data to us). You agree to indemnify the Data Controller from any dispute, claim, or request that may arise due to the provision of personal data in violation of applicable laws.

4. Data Retention For the purposes outlined in points (a), (b), and (c) above, the Data Controller retains your personal data only for the time necessary to achieve the specified purposes, in accordance with civil, fiscal, and legal retention requirements. Specifically, personal data processed to fulfill any contractual obligation with you may be retained for the entire duration of the contract and for a further 10 years from the end of the relevant fiscal year to address any audits and/or tax disputes. Regarding marketing purposes, personal data will be retained for no longer than 24 months from collection unless you revoke your consent earlier, and subject to any extension of the term with your consent. Navigation data will be stored at the Data Controller’s location for the time prescribed by applicable regulations, in accordance with the proportionality principle, and only for the period necessary to achieve the purposes for which the data was collected. Once the retention period has elapsed, personal data will be deleted or anonymized, unless further processing is required to pursue other legitimate purposes (e.g., resolving pre-existing disputes or legal claims, or complying with investigations by judicial or other competent authorities).

5. Data Collection and Communication Your personal data is collected directly from you. For the purposes mentioned above, your personal data may be accessible to the Data Controller's personnel, including consultants who are duly authorized and trained in data processing, and to third parties (e.g., providers of technical, management, or organizational services outsourced by the Data Controller for efficiency purposes). These third parties have signed an agreement with the Data Controller and act as data processors. They are provided with only the personal data necessary to perform their duties and are committed to using the personal data received solely for the purposes outlined above, ensuring confidentiality, security, and compliance with applicable regulations.

For the purposes mentioned above, it may be necessary for the Data Controller to share your personal data with the following categories of recipients:

  • Third-party companies providing accounting, administrative, legal, and tax services to the Data Controller or operating as intermediaries in banking, financial, and insurance processes, including parties involved in service/product provision or in subsequent stages (e.g., couriers, postal services).
  • Third-party companies assisting in consultancy or providing other services to the Data Controller, even in the case of corporate restructuring operations (e.g., mergers, sales, or transfers of business divisions).
  • Third-party companies performing audits, reviews, or certification of the Data Controller’s activities.
  • Judicial authorities and other competent public authorities/offices.

You can request an updated list of data processors and recipients by contacting the Data Controller using the methods described below. The Data Controller also clarifies that some of the aforementioned recipients may be located outside the European Economic Area (EEA), in countries that do not offer an adequate level of data protection. In such cases, the Data Controller will allow access to your personal data for the aforementioned purposes only after adopting the necessary safeguards required by the GDPR (e.g., entering into standard contractual clauses with the European Commission for the transfer of personal data outside the EEA).

6. Data Subject Rights You have the right to exercise the following rights at any time:

  • Right of access to personal data and related information, such as the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data may be communicated, the retention period (if possible), and information on the source of the data if not collected directly from you.
  • Right to rectify inaccurate personal data.
  • Right to request the deletion of your personal data, where applicable.
  • Right to request the restriction of processing, where applicable.
  • Right to receive or request the transfer of your personal data in a structured, commonly used, and machine-readable format, for personal use or to provide it to another data controller.
  • Right to object to processing, where applicable.
  • Right not to be subjected to a decision based solely on automated processing of your personal data that produces legal effects or significantly affects you, where applicable.
  • Right to withdraw consent, even for marketing purposes (only for future processing).

Please note that some rights may be subject to limitations if their exercise could harm the legitimate interests of the Data Controller. Exercising your rights is free of charge, but the Data Controller reserves the right to charge a fee for manifestly unfounded or excessive requests.

You can also lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) according to the instructions on their website: .

To exercise your rights or for any inquiries about the processing of your personal data by the Data Controller, you can contact the Data Controller at:

7. Third-Party Websites Since the Site may link to websites owned and operated by third parties, we clarify that this Privacy Policy does not apply to third-party websites, and the Data Controller is not responsible for the data processing activities of these third parties, who operate as independent data controllers. In such cases, we suggest you read the privacy policies of these third-party sites.

8. Changes and Updates The Data Controller reserves the right to modify or update this Privacy Policy, in whole or in part, due to changes in applicable law or regulations. Modifications will be published on the Site and, if substantial, communicated to you via email. We encourage you to regularly visit this section to stay informed about how your personal data is processed. Previous versions of this Privacy Policy can be requested from the Data Controller using the contact methods above.

Version updated in September 2025