Version 1.1 — Last updated: April 11, 2026
1. Data Controller
Almaware S.r.l.
Via Camozzi 111, 24121 Bergamo (BG), Italy
VAT Number: IT03779610165
PEC (Certified Email): almaware@legalmail.it
Phone: +39 035 0666899
Email: info@almaware.net
Contact person: Alessandro Benedetti
2. Data Protection Officer (DPO)
In light of the systematic nature of the processing of employment-related personal data, Almaware S.r.l. has assessed its obligations under Art. 37 GDPR regarding DPO appointment. For any matter relating to personal data processing or the exercise of rights, please contact:
Email: privacy@almaware.net
Alternatively, write to the Controller at the postal address above, marking the envelope “Data Protection”.
3. Controller and Processor Roles
TalentRewards operates in a dual capacity:
- Data Controller for personal data of website visitors, prospective customers, its own employees, and business contacts.
- Data Processor under Art. 28 GDPR for personal data of employees of client organisations using the platform. In this capacity, TalentRewards processes data solely on the documented instructions of the client organisation (data controller), pursuant to a Data Processing Agreement (DPA) executed with each client.
Employees wishing to exercise their rights regarding data processed through the platform should contact their employing organisation (data controller), which will handle the request pursuant to its own internal procedures.
4. Data We Collect
- Identification data: first name, last name, email, phone, company name and VAT number (for business customers).
- Browsing data: IP address, browser type, operating system, pages visited, access timestamps, referral site.
- Voluntarily provided data: information submitted via contact, registration, and subscription forms.
- Employment performance data (platform): MBO objectives, performance reviews, 360° feedback, 1-on-1 meeting notes, competencies, professional development plans.
- Service usage data: activity logs, user preferences, system configurations.
- Payment data: processed by Stripe Inc.; we do not store card details.
5. Special Categories of Data (Art. 9 GDPR)
TalentRewards does not intentionally collect or process special categories of personal data (health data, racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, sexual orientation) for its own purposes.
Where a client organisation configures the platform to process such data (e.g. sickness absences, DEI data), this is done solely on the client’s instructions, under the client’s responsibility, and subject to the client having established an appropriate legal basis under Art. 9(2) GDPR.
6. Children’s Data
TalentRewards services are intended exclusively for organisations and adult professionals. We do not knowingly collect personal data of persons under the age of 16. If such data is identified as having been inadvertently collected, it will be deleted without delay. To report: privacy@almaware.net.
7. Purposes and Legal Bases for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the TalentRewards service and contract performance | Art. 6(1)(b) – contract performance |
| Invoicing and tax compliance | Art. 6(1)(c) – legal obligation |
| Platform security and fraud prevention | Art. 6(1)(f) – legitimate interest |
| Sending newsletters and marketing communications (with consent only) | Art. 6(1)(a) – consent |
| Responding to support and contact requests | Art. 6(1)(b) / Art. 6(1)(f) |
| Anonymous statistical analysis of website usage | Art. 6(1)(f) – legitimate interest |
| Legal defence and protection of the Controller’s rights | Art. 6(1)(f) – legitimate interest |
| Compliance with legal obligations | Art. 6(1)(c) – legal obligation |
For every processing activity based on legitimate interest (Art. 6(1)(f)), the Controller has prepared and retains a documented Legitimate Interests Assessment (LIA), available upon request.
8. Artificial Intelligence and Automated Decision-Making (Art. 22 GDPR)
TalentRewards integrates generative AI features to support certain platform functions (e.g. goal suggestions, review drafting assistance, performance analysis). AI processing is carried out via third-party providers that operate a zero data retention policy (data is not used to train models).
Safeguards in place:
- Customer data is not used to train AI models by TalentRewards or its AI providers.
- TalentRewards does not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals, as defined in Art. 22 GDPR.
- Every AI-generated recommendation is purely advisory and subject to human review and approval.
- Data subjects have the right to request human intervention, express their view, and contest any assessment.
In accordance with Italian Law 132/2025 on artificial intelligence, clients using AI features for workforce management are required to proactively inform their employees about the logic, purposes, and human oversight mechanisms of the AI systems deployed.
9. How We Process Your Data
Personal data is processed using IT and electronic tools, with logic strictly linked to the stated purposes and in a way that ensures security and confidentiality. Processing is carried out by the Controller and duly appointed Data Processors. TalentRewards has conducted Data Protection Impact Assessments (DPIAs) under Art. 35 GDPR for high-risk processing activities, including systematic processing of employment performance data and processing involving AI features. Supporting documentation for customer DPIAs is available upon request.
10. Data Sharing and Sub-processors
We do not sell personal data. Data may be shared with:
- IT and cloud infrastructure providers.
- Payment processors (Stripe Inc.).
- Email and communication providers.
- Application performance monitoring tools.
- AI service providers for platform features.
- Professional advisors (legal, tax, accounting) bound by confidentiality obligations.
- Public authorities, where required by law.
All providers acting as Data Processors are bound by contractual agreements compliant with Art. 28 GDPR. An up-to-date list of sub-processors (name, country, service provided) is available upon request at privacy@almaware.net. Customers will be notified at least 30 days in advance of any changes to the sub-processor list and may object to the appointment of new sub-processors within that period.
11. International Data Transfers
Some providers may process data outside the European Economic Area (EEA). In such cases, transfers are conducted with the safeguards required under GDPR Arts. 44–49 (standard contractual clauses, adequacy decisions). Copies of applicable safeguards are available upon request.
12. Retention Periods
| Data Category | Purpose | Retention Period | Legal Basis |
|---|---|---|---|
| Customer account and contract data | Contract performance | Duration of contract + 12 months, then deletion on request | Art. 28 GDPR / DPA |
| Employee performance data (platform) | Service delivery | Duration of contract + 6 months | Art. 28 GDPR / DPA |
| Billing and accounting data | Tax compliance | 10 years | Italian Civil Code art. 2220 |
| Marketing and newsletter contacts | Commercial communications | 24 months from last contact / until consent withdrawn | Italian DPA guidelines |
| Access and security logs | IT security | 12 months (longer periods subject to DPIA) | Italian DPA guidelines |
| Job applicant data (internal hiring) | Recruitment | 12 months, unless extended with consent | Italian DPA guidelines |
| Analytics cookies | Website usage analysis | Maximum 13 months | Italian DPA Cookie Guidelines (2021) |
| Data for legal defence | Legal claims | Up to 10 years (standard limitation period) | Italian Civil Code art. 2946 |
13. Your Rights (GDPR Arts. 15–22)
You have the right to:
- Access (Art. 15): obtain confirmation of processing and a copy of your data.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your data where applicable.
- Restriction (Art. 18): restrict processing in certain circumstances.
- Data portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest or for direct marketing.
- Not to be subject to automated decisions (Art. 22): not to be subject to decisions based solely on automated processing producing significant effects. See Section 8.
- Withdraw consent: at any time, without affecting the lawfulness of prior processing.
To exercise your rights, contact privacy@almaware.net or write via certified email to almaware@legalmail.it. We respond within 30 days (extendable by a further 60 days in complex cases).
Note for employees of client organisations: rights relating to data processed through the TalentRewards platform must be exercised directly with your employing organisation (data controller).
14. Right to Lodge a Complaint
You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it, Piazza Venezia 11, 00187 Rome, Italy — or with the supervisory authority of the EU member state where you habitually reside or work.
15. Data Breach Notification
In the event of a personal data breach:
- As data controller: TalentRewards will notify the Garante within 72 hours of becoming aware (Art. 33 GDPR), and will notify affected individuals without undue delay where the breach is likely to result in high risk (Art. 34 GDPR).
- As data processor: TalentRewards will notify the client organisation within 36 hours of becoming aware, providing all information necessary to enable the controller to meet its notification obligations.
To report security incidents: security@almaware.net
16. Cookies and Tracking Technologies
This website uses the following cookie categories:
- Strictly necessary: required for the website to function; no consent needed.
- Analytics / Performance: measure usage in anonymised or aggregated form; require prior consent.
- Functional: store user preferences (e.g. language); require prior consent.
- Marketing / Profiling: used to deliver personalised content or advertisements; require explicit prior consent.
Under Italian DPA Cookie Guidelines (2021), consent for non-technical cookies must be obtained before they are set (opt-in). Consent can be withdrawn at any time via the cookie preference panel. For a detailed list of cookies (name, provider, duration, purpose), please see our Cookie Policy.
17. Data Security
We implement appropriate technical and organisational measures, including: encryption of data in transit (TLS) and at rest, role-based access control (RBAC), multi-factor authentication, regular security audits, and documented incident response procedures. TalentRewards is pursuing internationally recognised security certifications.
18. Changes to This Policy
We reserve the right to update this Privacy Policy. Material changes will be notified by email to registered users and/or via a prominent notice on the website at least 15 days in advance. The current version is always available at this address. Previous versions are available upon request at privacy@almaware.net.
19. Applicable Law
- Regulation (EU) 2016/679 (GDPR)
- Italian Legislative Decree 196/2003 (Privacy Code), as amended by Decree 101/2018
- Italian Law 132/2025 (AI in the workplace)
- Italian DPA Cookie Guidelines (10 June 2021)
- Rulings of the Italian Data Protection Authority (Garante)
- EDPB (European Data Protection Board) guidelines
- Italian Workers’ Statute (Law 300/1970, Art. 4, as amended by Legislative Decree 151/2015)