Privacy Policy

1. INTRODUCTION

1.1 Data Controller

Tomato S.r.l. (hereinafter "Tomato," "we," "us," or "our"), with registered office at Via Sassari n. 3, 09123 Cagliari, Italy, and operational office at Località Sa Illetta, SS195 km 2.3, 09123 Cagliari, Italy (VAT Number: IT04082770928), is the data controller responsible for the processing of your personal data collected through the website www.tomato.blue (the "Website" or "Platform").

1.2 Purpose of this Privacy Policy

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit or use our Website. It also describes your rights regarding your personal data and how you can exercise them.

1.3 Commitment to Privacy

Tomato is committed to protecting your privacy and ensuring the security of your personal data in compliance with:

• Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR");
• Italian Legislative Decree No. 196/2003 (Privacy Code), as amended by Legislative Decree No. 101/2018;
• Guidelines and recommendations issued by the Italian Data Protection Authority (Garante per la protezione dei dati personali);
• All other applicable data protection laws and regulations.

1.4 Acceptance

By using our Website, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein, where such consent is required by law.

2. DEFINITIONS

For the purposes of this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person;
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion;
• "Data Subject" means you, the individual to whom the personal data relates;
• "Data Controller" means Tomato S.r.l., which determines the purposes and means of processing;
• "Data Processor" means any person or entity that processes personal data on behalf of the Data Controller;
• "Third Party" means any person or entity other than the Data Subject, the Data Controller, the Data Processor, and persons authorized to process personal data under the direct authority of the Data Controller or Data Processor.

3. PERSONAL DATA WE COLLECT

3.1 Categories of Personal Data

We may collect and process the following categories of personal data:

3.1.1 Data Provided Directly by You

• Identity Data: name, surname, date of birth, gender;
• Contact Data: email address, telephone number, postal address;
• Account Data: username, password (stored in encrypted form), profile information;
• Communication Data: messages, inquiries, feedback, or other communications you send to us;
• Transaction Data: details of orders, purchases, or services requested;
• Marketing Preferences: your preferences regarding marketing communications.

3.1.2 Data Collected Automatically

• Technical Data: IP address, browser type and version, operating system, time zone setting, browser plug-in types and versions, device information;
• Usage Data: information about how you use our Website, including pages visited, time spent on pages, links clicked, search queries, date and time of visits;
• Location Data: approximate geographic location derived from your IP address;
• Cookie Data: information collected through cookies and similar technologies (see Section 11).

3.1.3 Data from Third-Party Sources

We may receive personal data about you from third-party sources, including:

• Analytics providers such as Umami Analytics;
• Advertising networks;
• Social media platforms if you interact with our social media pages;
• Publicly available sources.

3.2 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (also known as "sensitive data"), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation, unless specifically required and with your explicit consent or as otherwise permitted by law.

3.3 Children's Privacy

Our Website is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately, and we will take steps to delete such information.

4. HOW WE COLLECT PERSONAL DATA

We collect personal data through the following methods:

4.1 Direct Interactions

You may provide personal data by:

• Filling in forms on our Website (e.g., contact forms, registration forms, subscription forms);
• Corresponding with us by email, telephone, post, or otherwise;
• Creating an account or profile on our Website;
• Requesting information, products, or services;
• Subscribing to our newsletters or publications;
• Participating in surveys, contests, or promotions;
• Providing feedback or reviews.

4.2 Automated Technologies

As you interact with our Website, we may automatically collect Technical Data and Usage Data through cookies, server logs, and other similar technologies (see Section 11 for more information).

4.3 Third-Party Sources

We may receive personal data from third-party sources as described in Section 3.1.3 above.

5. PURPOSES AND LEGAL BASIS FOR PROCESSING

We process your personal data for the following purposes and on the following legal bases:

5.1 Provision of Services (Legal Basis: Contract Performance and Pre-contractual Measures)

• To provide you with access to and use of the Website;
• To create and manage your account if any;
• To respond to your inquiries and provide customer support;
• To process and fulfill your orders or service requests;
• To communicate with you about your account or transactions;
• To provide you with information, products, or services that you request from us.

Processing for these purposes is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.

5.2 Legal and Regulatory Compliance (Legal Basis: Legal Obligation)

• To comply with applicable laws, regulations, and legal processes;
• To respond to requests from public and government authorities;
• To enforce our Terms and Conditions and other agreements;
• To protect our rights, privacy, safety, or property, and that of our users and the public;
• To detect, prevent, and address fraud, security, or technical issues.

Processing for these purposes is necessary to comply with legal obligations to which we are subject.

5.3 Legitimate Interests (Legal Basis: Legitimate Interests)

• To improve, personalize, and enhance your experience on the Website;
• To develop new products, services, features, and functionality;
• To conduct analytics and research to understand how users interact with our Website;
• To monitor and analyze trends, usage, and activities;
• To send you administrative information, such as updates to our Terms and Conditions or this Privacy Policy;
• To maintain the security and integrity of our Website and systems;
• To prevent, detect, and investigate illegal activities, fraud, or violations of our Terms and Conditions.

Processing for these purposes is necessary for our legitimate interests or those of a third party, provided that such interests are not overridden by your interests or fundamental rights and freedoms.

5.4 Marketing Communications (Legal Basis: Consent or Legitimate Interests)

• To send you marketing communications about our products, services, offers, promotions, and events that may be of interest to you;
• To personalize and target our marketing communications;
• To measure the effectiveness of our marketing campaigns.

Where required by law, we will obtain your prior consent before sending you marketing communications. In other cases, we may rely on our legitimate interests to send you marketing communications, subject to your right to opt out at any time.

5.5 Other Purposes with Your Consent (Legal Basis: Consent)

We may process your personal data for other purposes with your explicit consent, which you may withdraw at any time.

6. DATA RETENTION

6.1 Retention Principles

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, including to satisfy any legal, accounting, or reporting requirements, and to establish, exercise, or defend legal claims.

6.2 Retention Periods

The specific retention periods depend on the nature of the personal data and the purposes for which it is processed:

• Account Data: Retained for the duration of your account and for up to 10 years after account closure for legal and regulatory compliance purposes;
• Transaction Data: Retained for up to 10 years in accordance with Italian tax and accounting regulations;
• Communication Data: Retained for up to 5 years from the last communication;
• Marketing Data: Retained until you withdraw your consent or opt out of marketing communications, and for up to 2 years thereafter for statistical purposes;
• Technical and Usage Data: Retained for up to 24 months from collection;
• Cookies and Similar Technologies: See Section 11 for specific retention periods.

6.3 Deletion

At the end of the applicable retention period, we will securely delete or anonymize your personal data in accordance with applicable laws and regulations. You may also request deletion of your personal data as described in Section 8 below.

7. DATA SHARING AND DISCLOSURE

7.1 Internal Disclosure

Your personal data may be accessed by authorized employees and collaborators of Tomato who need to know such data to perform their duties and who are bound by confidentiality obligations.

7.2 Third-Party Service Providers (Data Processors)

We may share your personal data with carefully selected third-party service providers who perform services on our behalf, including:

• IT and Cloud Service Providers: hosting, data storage, backup, and technical support services;
• Analytics Providers: website analytics and performance monitoring using cookieless, privacy-respecting tools (e.g., Umami Analytics);
• Marketing and Advertising Partners: email marketing services, advertising platforms, and social media management tools;
• Payment Processors: processing of payments and transactions;
• Customer Service Providers: customer support and help desk services;
• Professional Advisors: lawyers, accountants, auditors, and consultants.

These third-party service providers are contractually bound to process your personal data only on our instructions and in compliance with this Privacy Policy and applicable data protection laws. They are required to implement appropriate technical and organizational security measures.

7.3 Business Transfers

If Tomato is involved in a merger, acquisition, reorganization, sale of assets, bankruptcy, or other business transaction, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

7.4 Legal Requirements and Protection of Rights

We may disclose your personal data to third parties if we are required to do so by law or if we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations, court orders, or legal processes;
• Enforce our Terms and Conditions or other agreements;
• Protect and defend our rights, property, or safety, or that of our users or the public;
• Prevent, detect, or investigate fraud, security breaches, or illegal activities;
• Respond to requests from government or regulatory authorities.

7.5 Third-Party Links

Our Website may contain links to third-party websites, plugins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party websites you visit.

7.6 International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA), including countries that may not provide the same level of data protection as your home country.

When we transfer your personal data outside the EEA, we ensure that appropriate safeguards are in place to protect your personal data, including:

• Standard Contractual Clauses: We use standard contractual clauses approved by the European Commission;
• Adequacy Decisions: We may transfer data to countries for which the European Commission has issued an adequacy decision;
• Binding Corporate Rules: Where applicable, we rely on binding corporate rules;
• Your Consent: In certain circumstances, we may obtain your explicit consent for such transfers.

You have the right to request information about the safeguards we have in place for international data transfers by contacting us at the details provided in Section 13.

8. YOUR RIGHTS AS A DATA SUBJECT

Under the GDPR and applicable Italian law, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether or not we are processing your personal data and, if so, to access your personal data and receive information about:

• The purposes of processing;
• The categories of personal data concerned;
• The recipients or categories of recipients;
• The retention period;
• Your rights regarding your personal data;
• The right to lodge a complaint with a supervisory authority;
• The source of the data (if not collected directly from you);
• The existence of automated decision-making, including profiling.

8.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.

8.3 Right to Erasure ("Right to be Forgotten") (Article 17 GDPR)

You have the right to request deletion of your personal data in certain circumstances, including:

• The personal data is no longer necessary for the purposes for which it was collected;
• You withdraw your consent (where processing was based on consent);
• You object to processing and there are no overriding legitimate grounds;
• The personal data has been unlawfully processed;
• The personal data must be erased to comply with a legal obligation.

This right is not absolute and may be limited by legal requirements to retain data or other legitimate grounds.

8.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request restriction of processing of your personal data in certain circumstances, including:

• You contest the accuracy of the personal data;
• The processing is unlawful, but you do not want the data erased;
• We no longer need the personal data, but you need it for legal claims;
• You have objected to processing pending verification of our legitimate grounds.

8.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where:

• The processing is based on your consent or on a contract; and
• The processing is carried out by automated means.

8.6 Right to Object (Article 21 GDPR)

You have the right to object, on grounds relating to your particular situation, to processing of your personal data based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

You also have the right to object at any time to processing of your personal data for direct marketing purposes, including profiling related to such marketing.

8.7 Right to Withdraw Consent (Article 7 GDPR)

Where we rely on your consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if you believe that our processing of your personal data violates applicable data protection laws.

8.9 Exercising Your Rights

To exercise any of your rights, please contact us using the contact details provided in Section 13. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We will respond to your request without undue delay and in any event within one month of receipt of your request, unless the request is complex or we receive a high volume of requests, in which case we may extend this period by a further two months. We will inform you of any such extension and the reasons for the delay.

We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act on the request.

9. DATA SECURITY

9.1 Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption: Personal data is encrypted in transit using SSL/TLS protocols and, where appropriate, at rest;
• Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis;
• Authentication: Strong password policies and multi-factor authentication where appropriate;
• Regular Security Assessments: Periodic security audits, vulnerability assessments, and penetration testing;
• Employee Training: Regular training for employees and contractors on data protection and security best practices;
• Incident Response: Procedures for detecting, responding to, and recovering from security incidents;
• Physical Security: Physical access controls to our offices and data centers;
• Contractual Safeguards: Data processing agreements with third-party service providers requiring them to implement appropriate security measures.

9.2 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. We will also notify the Italian Data Protection Authority as required by law.

The notification will include:

• The nature of the personal data breach;
• The categories and approximate number of data subjects concerned;
• The likely consequences of the breach;
• The measures taken or proposed to be taken to address the breach and mitigate its effects.

9.3 Your Responsibility

While we take appropriate measures to protect your personal data, the security of your personal data also depends on you. You are responsible for:

• Keeping your account credentials confidential and not sharing them with others;
• Using a strong, unique password for your account;
• Logging out of your account after each session;
• Notifying us immediately if you suspect unauthorized access to your account;
• Ensuring that your devices and software are secure and up to date.

Please be aware that the transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of data transmitted to our Website; any transmission is at your own risk.

10. AUTOMATED DECISION-MAKING AND PROFILING

10.1 Automated Decision-Making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, except where such processing is:

• Necessary for entering into or performance of a contract between you and us;
• Authorized by applicable law; or
• Based on your explicit consent.

10.2 Profiling

We may use profiling techniques for marketing purposes, such as analyzing your preferences and behavior to personalize our communications and offers. You have the right to object to such profiling at any time by contacting us or by using the opt-out mechanisms provided in our marketing communications.

10.3 Your Rights

If we engage in automated decision-making or profiling that has legal or similarly significant effects, you have the right to:

• Obtain human intervention;
• Express your point of view;
• Contest the decision;
• Request an explanation of the decision and the logic involved.

11. COOKIES AND SIMILAR TECHNOLOGIES

11.1 What Are Cookies?

Cookies are small text files that are stored on your device (computer, tablet, smartphone) when you visit a website. They allow the website to recognize your device and remember certain information about your visit.

11.2 Types of Cookies We Use

We use the following types of cookies on our Website:

11.2.1 Strictly Necessary Cookies (Technical Cookies)

These cookies are essential for the operation of our Website and enable you to navigate and use its features. They include cookies that allow you to log into secure areas. Without these cookies, certain services cannot be provided.

Legal Basis: These cookies are necessary for the performance of the service you have requested.

Examples:

• Session management cookies
• Authentication cookies
• Security cookies
• Load balancing cookies

Retention: Session cookies (deleted when you close your browser) or up to 24 hours.

11.2.2 Performance and Analytics Cookies

These cookies collect information about how visitors use our Website, such as which pages are visited most often and whether users receive error messages. These cookies do not collect information that identifies you personally; all information is aggregated and anonymous.

Legal Basis: Your consent (where required) or our legitimate interests in analyzing and improving our Website.

Examples:

• Aggregated browsing statistics (pages visited, session duration, device type, country of origin)

Retention: Up to 24 months.

Analytics tool in use: Umami Analytics (cloud.umami.is). Umami is a cookieless web analytics tool: it sets no cookies in your browser and collects no personally identifiable data (no IP address stored, no unique identifiers). It collects only aggregated, anonymised statistics. No GDPR consent is required for the use of Umami. Umami Privacy Policy: https://umami.is/privacy

11.2.3 Functionality Cookies

These cookies allow our Website to remember choices you make (such as your language preference or region) and provide enhanced, personalized features.

Legal Basis: Your consent or our legitimate interests in providing you with a better user experience.

Examples:

• Language preference cookies
• Region or location cookies
• User interface customization cookies

Retention: Up to 12 months.

11.2.4 Targeting/Advertising Cookies

These cookies are used to deliver advertisements that are relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and to measure the effectiveness of advertising campaigns. They remember that you have visited our Website and share this information with advertising networks.

Legal Basis: Your consent.

Examples:

• Google Ads cookies
• Facebook Pixel
• Retargeting cookies

Retention: Up to 12 months.

Third-Party Cookies: We may use third-party advertising networks such as Google Ads and Facebook Ads, which set their own cookies. These third parties may use cookies to track your browsing activity across multiple websites. You can manage your preferences for these cookies through the respective platforms or by using opt-out tools such as:

• Your Online Choices: www.youronlinechoices.eu
• Network Advertising Initiative: www.networkadvertising.org/choices

11.3 Other Tracking Technologies

We may also use similar technologies such as:

• Web Beacons (Pixels): Small graphic images embedded in web pages or emails to track page views or email opens;
• Local Storage: HTML5 local storage and other browser storage mechanisms;
• Software Development Kits (SDKs): Code libraries used in mobile applications.

These technologies may be used for similar purposes as cookies and are subject to the same consent and opt-out mechanisms.

11.4 Managing Cookies

You can control and manage cookies in various ways:

11.4.1 Browser Settings

Most browsers allow you to:

• View what cookies are stored on your device and delete them individually;
• Block third-party cookies;
• Block cookies from specific websites;
• Block all cookies from being set;
• Delete all cookies when you close your browser.

Please note that if you block or delete cookies, some features of our Website may not function properly, and your user experience may be degraded.

Instructions for managing cookies in popular browsers:

• Google Chrome: https://support.google.com/chrome/answer/95647
• Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
• Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
• Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

11.4.2 Cookie Consent Manager

When you first visit our Website, you will see a cookie banner allowing you to accept or reject non-essential cookies. You can change your cookie preferences at any time by clicking on the "Cookie Settings" link in the footer of our Website.

11.4.3 Opt-Out Links

You can opt out of specific tracking technologies using the following tools:

• Your Online Choices (EU): www.youronlinechoices.eu
• Network Advertising Initiative: www.networkadvertising.org/choices
• Digital Advertising Alliance: www.aboutads.info/choices

11.5 Do Not Track Signals

Some browsers have a "Do Not Track" feature that signals to websites that you do not want to have your online activity tracked. Our analytics tool (Umami) respects this signal: if your browser sends "Do Not Track", Umami will not record your visit.

11.6 Cookie Policy Updates

We may update this section of our Privacy Policy from time to time to reflect changes in the cookies we use or changes in applicable laws. We encourage you to review this section periodically.

12. THIRD-PARTY SERVICES

12.1 Third-Party Service Providers

We use various third-party service providers to support our Website and business operations. These may include:

• Umami Analytics: For website analytics and performance monitoring (cookieless, no personal data collected). Privacy Policy: https://umami.is/privacy
• Netlify: Website hosting and CDN. Privacy Policy: https://www.netlify.com/privacy/
• Supabase: Cloud database for storing contact form submissions. Data collected includes email address, message, and consent timestamps. Supabase acts as a Data Processor under GDPR and provides a compliant DPA. Privacy Policy: https://supabase.com/privacy
• SMTP2GO: Email delivery service used to forward contact form submissions. Receives email address and message content for notification purposes. Privacy Policy: https://www.smtp2go.com/privacy/
• Google Ads: For online advertising. Privacy Policy: https://policies.google.com/privacy
• Facebook/Meta: For social media integration and advertising. Privacy Policy: https://www.facebook.com/privacy/explanation
• Mailchimp/Email Service Providers: For email marketing (if applicable). Privacy Policy varies by provider.
• Payment Processors: For processing payments (if applicable). Privacy Policy varies by provider.

12.2 Social Media Plugins

Our Website may include social media features and widgets (e.g., Facebook "Like" button, Twitter "Tweet" button, LinkedIn "Share" button). These features may collect your IP address, the page you are visiting on our Website, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Website. Your interactions with these features are governed by the privacy policies of the companies providing them.

12.3 Third-Party Links

As stated in our Terms and Conditions, our Website may contain links to third-party websites. We are not responsible for the privacy practices or content of such third-party websites. We encourage you to review the privacy policies of any third-party websites you visit.

13. CONTACT INFORMATION

13.1 Data Controller

If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your personal data, please contact us at:

13.2 Response Time

We will respond to your inquiry or request within a reasonable time and in any event within the timeframes required by applicable law (generally within one month of receipt of your request).

14. CHANGES TO THIS PRIVACY POLICY

14.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated Privacy Policy on this page with a new "Last Updated" date;
• Sending you an email notification (if you have provided us with your email address);
• Displaying a prominent notice on our Website.

14.2 Effective Date

Any changes to this Privacy Policy will become effective when we post the revised Privacy Policy on the Website. Your continued use of the Website after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

14.3 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data.

15. SPECIAL PROVISIONS

15.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• The right to know what personal information we collect, use, disclose, and sell;
• The right to delete your personal information;
• The right to opt out of the sale or sharing of your personal information;
• The right to correct inaccurate personal information;
• The right to limit the use of sensitive personal information;
• The right to non-discrimination for exercising your rights.

To exercise these rights, please contact us at info@tomato.blue. We do not sell or share personal information as defined by the CCPA/CPRA.

15.2 Other Jurisdictions

If you are located in a jurisdiction with specific data protection laws (such as the UK, Switzerland, Brazil, or other countries), you may have additional rights under those laws. Please contact us for more information about your rights and how to exercise them.