the cognitive layer of content.

This Privacy Policy is provided pursuant to Article 13 of European Regulation no. 679/2016 and applies exclusively to all Data collected through the website www.trigger.online and its subdomains. This Privacy Policy is subject to updates, which will be promptly published on the website. Along with the Terms and Conditions, any other referenced documents, and the Cookie Policy, this Privacy Policy establishes the basis on which the personal data of the Data Subject will be processed.

1. Data controller

The Data controller for Data collected through this website is: Federico Motta, Westzeedijk 505N, 3024EL Rotterdam CF/VAT: NL 004803580B74, Email address: federico@trigger.online

2. Processed personal data

"Personal Data" refers to any information concerning an identified or identifiable natural person (Data Subject). A natural person is considered identifiable if they can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more characteristics specific to their physical identity.

3. Category of processed personal data

Among the Personal Data processed by this Website, either independently or through third parties, are common data such as:

a) Personal information

First name, last name, date of birth, age, gender, etc.

b) Contact information

Email address, physical address, phone number

c) Internet browsing data

Including data derived from the use of social media icons and social login buttons (e.g., Facebook, Instagram, Twitter, LinkedIn, etc.) collected through cookies installed on a computer or mobile device (for more details, see the Cookie Policy)

d) Contact form data

When a request is sent via the "Contact" section of the Website, the provision of certain Personal Data is necessary for the Data Controller to fulfill such requests; thus, the corresponding fields in the registration form are marked as mandatory.

e) Cookies and usage data

f) Login and account information

Including username, password, and unique user ID

g) Payment or credit card information

4. Methods of processing personal data

The Personal Data provided or acquired will be processed in accordance with the principles of fairness, legality, transparency, and confidentiality protection as required by current regulations. The Data Controller processes Users' Personal Data by adopting appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of the Personal Data. Processing is carried out using IT and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated.

5. Purpose of Personal Data Processing and Legal Basis

Personal Data may be collected independently by the Data Controller or through third parties. In this case, the computer systems and software procedures used to operate this Website acquire certain technical and computer-related Personal Data of Users (e.g., IP address, type of browser used, operating system, domain name and addresses of websites from which access or exit was made, etc.), the transmission of which is inherent to the normal functioning of the internet. Such Data will be processed solely to obtain anonymous statistical information on the use of the site and/or to ensure its proper functioning and will be deleted immediately after processing.

The Data that the Data Subject chooses to provide voluntarily will be processed in compliance with the lawfulness conditions under Art. 6 of the GDPR and will be processed to enable the Website to provide its services, as well as for the Purposes listed below, and will be retained for the time necessary to fulfill said Purposes. Specifically, the Purposes of the processing are:

1) Responding to requests and providing information

Data will be processed to be contacted back or to follow up on specific requests made to the Data Controller by the Data Subject for communications regarding the Services and/or Content of the same Data Controller, via email or other communication tools such as telephone.

Legal basis: this processing is optional and based on the Data Subject's consent, however providing the Data is necessary to achieve the stated purpose.

Data retention period: until the Data Subject withdraws consent.

2) Website registration

The registration procedure, through the creation of an account or using an existing social network account, is intended to allow the use of the website as a "Registered User" and to access a range of offered services.

Data will be processed to register with the Data Controller's website for the purchase of the Controller's Products.

Legal basis: The legal basis of the processing is the execution of pre-contractual measures requested by the data subject and the data subject's consent, which can always be withdrawn. However, providing the Data is necessary to achieve the stated purpose.

Data retention period: Account data will be retained until:

• Withdrawal of consent by the User for the storage of preferences.
• Deletion of the account upon User request.
• 10 years for information related to purchases, in accordance with tax and accounting obligations.

3) Pre-contractual information and obligations

Data will be processed to contact the Data Subject and follow up on specific information requests, such as informative communications about the products and services offered by the Controller, quote requests and/or pre-contractual support for purchasing products. Contact may occur via email, phone, or contact form on the website.

Legal basis: Execution of pre-contractual measures requested by the Data Subject (Art. 6.1 letter b GDPR) when processing is necessary to respond to information or quote requests.

Consent of the Data Subject (Art. 6.1 letter a GDPR) when data is collected for future commercial contacts and/or promotional offers.

Data retention period: Data provided for information or quote requests will be retained for a maximum of 12 months, unless a contractual relationship is established.

If the Data Subject has consented to being contacted for future offers, the data will be retained until consent is withdrawn.

4) Processing necessary within a contract

Data will be processed for the following purposes:

• Execution of the contract entered into between the Data Subject and the Data Controller for the sale of Products/Services on the Website.
• Management of the contractual relationship, including communications related to orders, billing and shipping.
• After-sales support, including warranty claims, withdrawal and contract termination.
• Fulfillment of legal, administrative, and tax obligations resulting from the sale of products/services.

Legal basis: The legal basis for the processing is:

• Contract execution (Art. 6.1 letter b GDPR) when processing is necessary to deliver the purchased product/service.
• Legal obligation (Art. 6.1 letter c GDPR) when processing is necessary to comply with tax, administrative, and accounting obligations.

Payment data

Data retention period: Personal data processed for contractual and administrative purposes will be kept for the time necessary to execute the contract and, subsequently, for a maximum of 10 years, in accordance with legal obligations in tax and accounting matters. Online payments are processed by external payment service providers (e.g. PayPal, Stripe, Shopify Payments). The Data Controller does not store the credit or payment card data of the Data Subject, but only receives confirmation of the payment from the provider.

5) Compliance with legal obligations

Data will be processed to fulfill any type of obligation provided by current laws, regulations, related regulations, commercial practices, and tax/fiscal matters, including for purposes under anti-money laundering legislation (Legislative Decree 231/2007 and subsequent amendments).

Legal basis: this processing is necessary to fulfill a legal obligation to which the Data Controller is subject.

Data retention period: period indicated by law and in any case for a maximum term of 10 years for administrative and fiscal obligations.

6) Soft spam

Data will be processed to allow the Data Controller to send via email to the Data Subject commercial and promotional communications about Products and/or Services similar to those already sold without the need for the Data Subject's prior express consent, as provided by Article 130, paragraph 4 of the Privacy Code as amended by Legislative Decree no. 101 of 2018, provided the Data Subject does not object.

Legal basis: The processing is based on the Data Controller's legitimate interest (Art. 6 letter f GDPR) to promote products or services similar to those already purchased by users. This legitimate interest is balanced with the Data Subject's right to object at any time, as provided by Recital 47 of the GDPR.

Data retention period: Personal data is retained for the purpose of sending commercial communications regarding products similar to those purchased until the Data Subject objects, following the instructions in each communication (unsubscribe link) or by writing to the Data Controller.

7) Direct marketing with prior consent

If the Data Subject has given explicit consent, data will be processed to send promotional and marketing communications via email, SMS, or other automated contact systems (e.g., newsletters, commercial offers, special promotions, market research).

Legal basis: Data Subject's explicit consent (Art. 6(1)(a) GDPR). Consent is optional and can be revoked at any time without affecting the lawfulness of the processing carried out before the revocation.

Data retention period: Until the Data Subject withdraws consent, by following the instructions in each communication (unsubscribe link) or by writing to the Data Controller.

8) Customer and contact management

Data will be processed to manage relationships with customers, prospects, and business contacts, including administration of communications and customer support requests.

Legal basis: The legal basis varies depending on the specific purpose:

• Execution of a contract (Art. 6(1)(b) GDPR) for managing existing relationships.
• Consent (Art. 6(1)(a) GDPR) when collecting contact details for future commercial purposes.
• Legitimate interest (Art. 6(1)(f) GDPR) for managing business contacts and customer support.

Data retention period: Data will be retained for the duration of the commercial relationship and, subsequently:

• Up to 12 months for prospect contacts who have not established a contractual relationship.
• Up to 10 years for data related to contractual and tax obligations.
• Until consent is withdrawn for promotional communications.

6. Data communication and dissemination

In relation to the purposes indicated above, Personal Data may be communicated to:

• Employees and collaborators of the Data Controller, in their capacity as internal data processors and/or system administrators;
• Third-party companies or other subjects (e.g., credit institutions, professional firms, consulting companies) that perform outsourced activities on behalf of the Data Controller, in their capacity as external data processors;
• Public authorities and supervisory bodies, in accordance with legal provisions;
• Subjects authorized by law, EU regulations, or supervisory authorities.

The complete and updated list of data processors is available by contacting the Data Controller at the addresses indicated in this Privacy Policy. In any case, Personal Data will not be disclosed to third parties unless with the express consent of the Data Subject or when required by law.

7. Transfer of data to third countries

Some of the third-party services used by this Website may involve the transfer of Personal Data to countries outside the European Economic Area (EEA), including the United States of America.

These transfers are carried out in compliance with applicable data protection regulations, through one of the following legal mechanisms:

• Adequacy decisions: Transfer to countries recognized by the European Commission as providing an adequate level of data protection (Art. 45 GDPR).
• Standard Contractual Clauses (SCCs): Contracts approved by the European Commission that guarantee appropriate safeguards for the protection of Personal Data (Art. 46 GDPR).
• Binding Corporate Rules (BCRs): Internal data protection policies approved by competent supervisory authorities for multinational companies.
• Certification mechanisms: Such as the EU-U.S. Data Privacy Framework, which provides a framework for transatlantic exchanges of personal data for commercial purposes between the EU and the United States.

For each service that involves data transfer to third countries, the relevant privacy policy is provided in the sections below, where you can verify the legal basis and safeguards adopted.

The Data Subject has the right to obtain information about the specific safeguards applied to the transfer of their Personal Data by contacting the Data Controller at the addresses indicated in this Privacy Policy.

8. Data subjects' rights

In relation to the processing described in this Privacy Policy, as a Data Subject, you have the following rights under the GDPR:

Right of access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether or not Personal Data concerning you is being processed and, if so, to access such data and information about the processing (purposes, categories of data, recipients, retention period, etc.).

Right to rectification (Art. 16 GDPR)

You have the right to obtain the rectification of inaccurate Personal Data concerning you and to have incomplete Personal Data completed.

Right to erasure ("right to be forgotten") (Art. 17 GDPR)

You have the right to obtain the erasure of your Personal Data when:

• The data is no longer necessary for the purposes for which it was collected.
• You withdraw consent and there is no other legal ground for processing.
• You object to the processing and there are no overriding legitimate grounds.
• The data has been unlawfully processed.
• The data must be erased to comply with a legal obligation.

Right to restriction of processing (Art. 18 GDPR)

You have the right to obtain restriction of processing when:

• You contest the accuracy of the Personal Data (for the period necessary to verify accuracy).
• The processing is unlawful and you oppose erasure, requesting restriction instead.
• The Data Controller no longer needs the data, but you need it for legal claims.
• You have objected to processing pending verification of whether legitimate grounds override your interests.

Right to data portability (Art. 20 GDPR)

You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, when:

• The processing is based on consent or contract.
• The processing is carried out by automated means.

Right to object (Art. 21 GDPR)

You have the right to object to processing of your Personal Data when:

• The processing is based on legitimate interest (Art. 6(1)(f) GDPR) or is carried out for public interest purposes.
• Your Personal Data is processed for direct marketing purposes (including profiling related to direct marketing).

Right to withdraw consent (Art. 7(3) GDPR)

When processing is based on your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.

How to exercise your rights:

To exercise any of the above rights, you can contact the Data Controller:

• By email at: federico@trigger.online
• By mail at: Westzeedijk 505N, 3024EL Rotterdam

The Data Controller will respond to your request without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.

9. Automated decision-making and profiling

This Website does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning the Data Subject or similarly significantly affect them, except where such processing is:

• Necessary for entering into, or performance of, a contract between the Data Subject and the Data Controller.
• Authorized by Union or Member State law to which the Data Controller is subject.
• Based on the Data Subject's explicit consent.

If automated decision-making or profiling is implemented in the future, the Data Subject will be informed and provided with meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing.

10. Data security

The Data Controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR, including:

• Pseudonymization and encryption of Personal Data where appropriate.
• Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• Measures to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
• Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures.

Access to Personal Data is restricted to authorized personnel only, who have been trained on data protection and are bound by confidentiality obligations.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the Data Controller will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk. If the breach is likely to result in a high risk to individuals, affected Data Subjects will also be notified without undue delay.

11. Third-party services and data processors

This Website uses third-party services that may process Personal Data on behalf of the Data Controller. Below is a list of the main categories of services used, with details on the purposes of processing and links to the respective privacy policies.

Analytics

The services contained in this section enable the Data Controller to monitor and analyze web traffic and can be used to keep track of User behavior.

Google Analytics 4 (Universal Analytics) (Google Ireland Limited)

Google Analytics is a web analysis service provided by Google Ireland Limited ("Google"). Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services.

Google may use the Data collected to contextualize and personalize the ads of its own advertising network.

Personal Data collected: Cookies and Usage Data.

This Website uses Google Analytics 4 with IP anonymization enabled, meaning that IP addresses are truncated before being stored or processed by Google, in accordance with GDPR requirements.

Legal basis for processing:

• Data Subject's consent (Art. 6(1)(a) GDPR) when tracking cookies are used for marketing or detailed behavioral analysis.
• Controller's legitimate interest (Art. 6(1)(f) GDPR) when data is collected in anonymous or aggregated form solely for statistical purposes to improve the Website's functionality.

The Data Subject can object to Google Analytics tracking through:

• The cookie management banner present on the site.
• Installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
• Their browser settings to block or delete cookies.

Data retention period: Google Analytics retains user-level and event-level data for a default period of 2 months (can be configured up to 14 months), after which it is automatically deleted. Aggregated reporting data is retained indefinitely.

Place of processing: USA - Ireland - Privacy Policy

Social Network Interaction

These services allow interaction with social networks directly from the pages of this Website. The interactions and information acquired by this Website are in any case subject to the Data Subject's privacy settings for each social network. In the event that a social network interaction service is installed, it is possible that, even if Users do not use the service, it collects traffic data relating to the pages where it is installed.

Facebook (Meta Platforms, Inc.)

Facebook buttons are services for interaction with the Facebook social network, provided by Meta Platforms, Inc. Personal Data collected: Cookies and Usage Data.

Legal basis for processing: The integration of these services might involve the processing of Personal Data, which is based on:

• Data Subject's explicit consent (Art. 6(1)(a) GDPR) If the site uses tracking cookies for marketing or personalization purposes.
• Controller's legitimate interest (Art. 6(1)(f) GDPR) If data is collected only to allow interaction with social networks without further tracking.

The Data Subject can revoke consent and limit social network tracking through:

• The cookie management banner present on the site.
• Their privacy settings on their social network account.
• Their browser settings, which allow blocking third-party cookies.

Place of processing: Ireland - Privacy Policy

Instagram (Meta Platforms, Inc.)

Instagram buttons are services for interaction with the Instagram social network, provided by Meta Platforms, Inc. Personal Data collected: Cookies and Usage Data.

Legal basis for processing: The integration of these services might involve the processing of Personal Data, which is based on:

• Data Subject's explicit consent (Art. 6(1)(a) GDPR) If the site uses tracking cookies for marketing or personalization purposes.
• Controller's legitimate interest (Art. 6(1)(f) GDPR) If data is collected only to allow interaction with social networks without further tracking.

The Data Subject can revoke consent and limit social network tracking through:

• The cookie management banner present on the site.
• Their privacy settings on their social network account.
• Their browser settings, which allow blocking third-party cookies.

Place of processing: Ireland - Privacy Policy

Remarketing and Retargeting

These services allow this Website to communicate, optimize and serve advertisements based on the Data Subject's past use of this Website. This activity is performed by tracking Usage Data and using Cookies. This Website uses the following services:

Facebook Remarketing (Meta Platforms, Inc.)

The site uses the Facebook Remarketing service, provided by Meta Platforms, Inc., which links user activity on the website with the Facebook and Instagram advertising network. The site uses Facebook Pixel to:

• Show personalized ads to users who have visited the site.
• Create audience groups to target specific ads.
• Analyze conversions and measure the effectiveness of advertising campaigns.

Personal Data collected:

• Cookies and Tracking Tools.
• Usage data (user interactions with the site and with ads).

Legal basis for processing:

The use of Facebook Remarketing is based on:

• Data Subject's explicit consent (Art. 6(1)(a) GDPR) The Facebook Pixel is activated only with user consent through the cookie banner.
• Controller's legitimate interest (Art. 6(1)(f) GDPR) If data is collected only in anonymous form for statistical analysis.

The information collected by the Facebook Pixel is anonymous to the site owner, but Facebook can link it to the user's profile. Facebook may use this data for its own advertising purposes, including on third-party sites, in accordance with its Privacy Policy (https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0). The Data Controller has no direct control over how Facebook uses the data.

Data retention period: Data collected by the Facebook Pixel is retained for a maximum of 180 days, unless otherwise set by Meta.

The Data Subject can revoke consent and disable Remarketing through:

• The cookie management banner present on the site.
• Their Facebook account settings, in the "Ad Preferences" section.
• Facebook's opt-out tool: Manage Ad Preferences (https://www.facebook.com/settings/?tab=ads).

Place of processing: Ireland - Privacy Policy

External Platform Content

These services allow displaying content hosted on external platforms directly from the pages of this Website and interacting with them. In the event that a service of this type is installed, it is possible that, even if Users do not use the service, it collects traffic data relating to the pages where it is installed. This Website uses:

Google Fonts

Google Fonts is a typeface visualization service provided by Google Ireland Limited that allows this Website to incorporate such content within its pages. Personal Data collected: Usage Data; various types of Data as specified in the privacy policy of the service. Place of processing: Ireland - Privacy Policy

Payment Management

Payment management services allow this Website to process payments by credit card, bank transfer or other means. The Data used for payment is acquired directly by the requested payment service provider without being processed in any way by this Website. Some of these services might also allow scheduled sending of messages to the Data Subject, such as emails containing invoices or notifications concerning the payment.

12. Changes to this Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time by notifying Users on this page. Therefore, it is recommended to frequently check this page, taking the last modification date as a reference. If the Data Subject does not accept the changes to this Privacy Policy, they must discontinue using this Website and can request that the Data Controller remove their Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to the Personal Data collected up to that point. The Data Controller is not responsible for updating all links displayed in this Privacy Policy. Therefore, whenever a link is not functional and/or updated, Users acknowledge and agree that they should always refer to the document and/or section of the websites referenced by such link.

Privacy Policy updated in January 2026