1. Privacy Policy of www.termogomma.it
Last updated: July 2026
1.1 Data Controller
The data controller is ATP S.p.A., VAT No. IT 00551760366, with registered office at Via Austria 12/14/16, 41122 Modena (MO) – Italy.
Controller’s email contact: atp@atpgroup.it.
Any contact details of the Data Protection Officer (DPO), if appointed, are made available upon request and/or published on the Controller’s website.
1.2 Categories of data processed
The Application collects, autonomously or through third parties, the following categories of personal data:
- Identification and contact data: name, surname, email address, username, company name.
- Website usage data: technical information about the device, access logs, interactions with pages, IP address and other online identifiers.ì
- Cookies and other trackers: necessary, experience and marketing cookies, as described in the Cookie Policy.
Data may be provided directly by the user or collected automatically during use of the website. As a rule, all requested data are necessary to provide the services; if data are optional, this is clearly indicated.
1.3 Purposes of processing and use of Artificial Intelligence (AI)
Users’ data are processed for the following purposes:
- Provision of the web service (website management, response to requests, account registration, authentication).
- Compliance with legal obligations and management of possible legal proceedings.
- Security and abuse prevention, including management of system logs.
- Analytics and compilation of aggregate statistics on website usage.
- Display of content from external platforms (e.g. Google Maps, Google Fonts, Font Awesome).
- Tag management and technical tracking tools.
In addition, the Controller uses AI systems in the corporate environment, mainly on internal data, as follows:
- AI module integrated in the Panthera management system to facilitate order entry: it processes order data and stock data coming from the ERP.
- Corporate ChatGPT account (external generative AI provider) for:
- analysis and re-elaboration of internal data (e.g. customer classifications, code analysis, market analysis);
- support in drafting textual content (e.g. document drafts, internal reports).
- Corporate Claude account, used by the Marketing department for assisted generation of marketing content, posts, website texts, internal reports and other promotional materials.
- AI-based MRP assistant: MRP data extracted from the ERP are processed by an AI system which generates Excel files for internal analysis.
With regard to the website, the use of AI is relevant for privacy purposes only to the extent that:
- personal data of website users (e.g. contact data, browsing data) are processed with the support of AI tools;
- website content (texts, images, suggestions) is generated or personalised through AI and such content affects users (e.g. profiling, automated decision-making).
In such cases, the Controller ensures:
- that AI is used in accordance with the principles of privacy by design and privacy by default;
- that the user is informed when interacting with content generated or strongly influenced by AI, in line with the transparency obligations under the GDPR and the AI Act (Reg. (EU) 2024/1689);
- that AI functionalities classified as high-risk under the AI Act are not used, unless a specific additional notice is provided.
Currently, Termogomma does not use AI for the creation of deepfakes nor for high-risk systems and does not carry out automated processing resulting in solely automated decisions with significant legal effects on the user, unless otherwise indicated in the future.
1.4 Legal bases of processing
The Controller processes users’ personal data only if at least one of the following legal bases applies:
- Performance of a contract or pre-contractual measures, for example handling user requests or registration to website services.
- Compliance with legal obligations, including tax, accounting, cybersecurity obligations and cooperation with public authorities.
- Legitimate interest of the Controller, for example:
- improving the efficiency of internal processes through AI applied to corporate data and contact data;
- preventing fraud or misuse of the website;
- carrying out internal analyses and statistics on service usage, balancing corporate interests with data subjects’ rights.
- User consent, required in particular for:
- certain marketing data processing activities;
- use of non-strictly necessary cookies/trackers, as described in the Cookie Policy.
Where AI is used on data that do not constitute personal data (purely corporate, technical or aggregated data not relating to identified or identifiable natural persons), the GDPR does not apply.
If in future AI is used for profiling or automated decision-making that significantly affects data subjects, the Controller will provide additional information describing the logic involved and the consequences for data subjects, pursuant to the GDPR.
1.5 Recipients and providers (including AI providers) – Data processors
Personal data may be accessed by:
- Internal staff of the Controller (administration, sales, marketing, legal, IT, system administration) authorised to process data.
- Technical service providers and consultants (hosting providers, IT companies, communication agencies, ERP/MRP solution providers) appointed, where necessary, as data processors pursuant to Article 28 GDPR.
- AI service providers (e.g. providers of ChatGPT, Claude and AI modules integrated in the ERP and MRP assistant), acting as processors or sub-processors for personal data processing activities on behalf of the Controller.
- Public and judicial authorities, when required by law or by administrative or judicial orders.
The up-to-date list of data processors and AI providers can be requested from the Controller at any time.
1.6 Data transfers to third countries
When the use of AI systems or digital services involves a transfer of personal data to countries outside the European Union or to international organisations, the Controller ensures that the conditions of Chapter V of the GDPR are met, by adopting one of the adequacy mechanisms or safeguards provided for (adequacy decisions, standard contractual clauses, supplementary measures, etc.).
The Controller informs the user, within this notice, if data are transferred to third countries and, where applicable, provides references to the safeguards adopted for such transfers.
1.7 Methods of processing and security (including AI – privacy by design)
Data are processed by electronic and/or automated means, according to organisational procedures and logic strictly related to the stated purposes. The Controller adopts appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with the following principles:
- Privacy by design and privacy by default, integrating data protection into the design of systems and processes, including AI-based systems.
- Data minimisation, limiting processing to data strictly necessary for the purposes indicated.
- Accountability, with ongoing monitoring of the effectiveness of protection measures and risk assessment in relation to technological developments.
Depending on the circumstances, such measures may include pseudonymisation, access restrictions, encryption, database segmentation and staff training.
1.8 Place of processing
Data are processed at the Controller’s operating premises and at the premises of other parties involved in the processing (providers and processors). AI-based processing may be carried out on the cloud infrastructures of AI providers or on the Controller’s local systems, in compliance with the safeguards described above.
1.9 Retention period
Personal data are retained for the time necessary to achieve the purposes for which they were collected. In particular:
- data processed for contractual purposes: retained for the duration of the relationship and, thereafter, for the period required by civil, tax and accounting legislation;
- data processed on the basis of legitimate interest: retained for the time necessary to pursue such interest, in line with the principles of minimisation and proportionality;
- data processed on the basis of consent: retained until consent is withdrawn;
- technical and security logs: retained for the period necessary to ensure system security and to establish potential liabilities, in accordance with internal policies and sector regulations.
Once the retention period has expired, data are deleted or anonymised; after that point, rights of access, erasure, rectification or portability can no longer be exercised with respect to non-existent data.
1.10 Data subjects’ rights
Within the limits of the law, users may exercise the following rights:
- Withdrawal of consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to object to processing based on legitimate interest, including objection to processing for direct marketing purposes.
- Right of access, to know whether processing is being carried out and to receive a copy of the data.
- Right to rectification of inaccurate or incomplete data.
- Right to restriction of processing, in specific circumstances.
- Right to erasure (right to be forgotten), in the cases provided for by the GDPR.
- Right to data portability, to receive data in a structured format and transfer them to another controller.
- Right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if they consider their rights to have been infringed.
Users may also request clarification on the legal basis for any data transfers to third countries and on the measures adopted to protect their data in such contexts.
1.11 Exercising rights
Requests to exercise the above rights may be sent to the Controller using the contact details indicated in this policy. Such requests are free of charge and will be handled within one month, subject to extension in complex cases, with appropriate communication to data subjects.
1.12 Further information on AI use and system logs
Personal data may be used by the Controller for judicial protection in the event of misuse of the website or related services.
The Controller may collect system logs and other technical data (e.g. IP address) for maintenance, security and analysis of website operation.
If additional AI-based assistants that interact directly with website users are developed (e.g. chatbots, dynamic recommendations, personalised content generation), the Controller will update this notice by specifying:
- that the user is interacting with an AI system;
- the logic governing the system and its potential impact on the user’s rights, in accordance with the GDPR and the AI Act.
1.13 Changes to this privacy policy
The Controller reserves the right to amend this privacy policy at any time, by giving notice on this page and, where technically and legally feasible, through the Application or by notifying users using the available contact details.
Where changes are based on user consent, the Controller will, where required, collect new consent.
