Privacy Policy

The data controller for personal data processing is:

Atlas Carbon Neutral Solutions S.r.l. — Benefit Corporation Registered office: Via Giuseppe Pecchio 1, 20131 Milan (MI), Italy VAT / Tax ID: IT14003650968 REA: MI - 2755833 Certified email (PEC): atlas.carbon@pec.it Privacy email: privacy@atlascarbonneutral.com

The controller has not appointed a Data Protection Officer (DPO) as the processing does not fall within the categories set out in Article 37 GDPR. For any request regarding the protection of personal data, the controller may be contacted at the email address indicated above.

The controller collects the following categories of personal data:

Data provided voluntarily by the user:

• Identification data: first name, last name, business email, phone number
• Company data: company name, industry, workforce size, annual revenue
• Data provided through assessment funnels: responses to ESG, carbon footprint, energy checkup and CSRD readiness questionnaires
• Data provided through the contact form: name, email, company, service of interest, message
• Marketing consent: expressed via checkbox in data collection forms

Data collected automatically:

• Navigation data: IP address, browser type, operating system, pages visited, session duration, access times
• Analytics data: pseudonymised navigation events collected via PostHog and Google Analytics 4, subject to cookie consent
• Technical data: error logs collected by Sentry for monitoring proper site functioning

The site does not collect special categories of personal data (Art. 9 GDPR) or data relating to criminal convictions or offences (Art. 10 GDPR).

Personal data is processed using automated tools, in compliance with the principles of lawfulness, fairness, transparency, data minimisation and storage limitation set out in Article 5 GDPR.

The controller adopts appropriate technical and organisational measures to ensure data security (Art. 32 GDPR), including:

• Encrypted communications via HTTPS/TLS protocol
• Data access restricted to authorised and instructed personnel
• Periodic encrypted database backups
• Hosting on European infrastructure (Hetzner, Germany) for application data
• Site deployment on Vercel with global CDN network

Personal data is processed for the following purposes:

• Provision of information services: responding to requests submitted through contact forms and assessment funnels. Legal basis: Art. 6(1)(b) GDPR — performance of pre-contractual measures at the data subject's request.
• Provision of contractual services: management of the ESG and carbon footprint platform, KPI calculation, report generation, blockchain certification. Legal basis: Art. 6(1)(b) GDPR — contract performance.
• Commercial communications and newsletter: sending promotional communications, ESG regulatory updates, blog articles, no more than 2-3 times per month. Legal basis: Art. 6(1)(a) GDPR — data subject's explicit consent, revocable at any time.
• Tax and accounting obligations: invoicing, accounting records, tax compliance. Legal basis: Art. 6(1)(c) GDPR — legal obligation.
• Technical site monitoring: collection of error logs via Sentry to ensure proper service functioning. Legal basis: Art. 6(1)(f) GDPR — controller's legitimate interest.
• Statistical analysis: aggregate, pseudonymised analysis of browsing behaviour via PostHog and Google Analytics 4, to improve user experience and site effectiveness. Legal basis: Art. 6(1)(a) GDPR — explicit consent via cookie banner.

Personal data may be disclosed to the following categories of recipients, who act as data processors (Art. 28 GDPR) on the basis of appropriate data processing agreements (DPA):

• Vercel Inc. (USA) — website hosting and CDN distribution
• Hetzner Online GmbH (Germany) — application server and database hosting
• PostHog Inc. (USA, data in EU) — analytics, data stored in AWS eu-central-1, Frankfurt
• Google LLC (USA) — Google Analytics 4, certified under the EU-U.S. Data Privacy Framework
• Resend Inc. (USA) — transactional email delivery (lead confirmations, notifications)
• Functional Software Inc. / Sentry (USA, EU ingest) — technical error monitoring
• Sanity AS (Norway) — blog content management (CMS)

Data is not sold, transferred or disclosed to third parties for their own purposes, except where required by law.

Some data processors are based in the United States. Transfers of personal data to the USA are made on the basis of the following safeguards:

• European Commission Adequacy Decision of 10 July 2023 (EU-U.S. Data Privacy Framework): for Google LLC and Vercel Inc., both certified in the DPF registry (dataprivacyframework.gov).
• Standard Contractual Clauses (SCCs) pursuant to European Commission Decision 2021/914: for Resend Inc. and Sentry Inc.

Note: the validity of the Data Privacy Framework may be subject to review by the Court of Justice of the European Union. In the event of invalidation, the controller undertakes to promptly update this policy and adopt alternative safeguards (SCCs, BCRs) or suspend the transfer.

PostHog stores all data in the EU (Frankfurt). Hetzner and Sanity operate entirely within EU/EEA territory.

Personal data is retained for the time strictly necessary to fulfil the purposes for which it was collected:

• Lead data (assessment funnels): 24 months from last contact, unless a contractual relationship is established
• Contact form data: 24 months from submission
• Contractual data: duration of the contractual relationship + 10 years (tax obligations under Art. 2220 Italian Civil Code)
• Data for commercial communications: until consent is withdrawn
• Navigation logs and analytics data: 14 months
• Error logs (Sentry): 90 days
• Cookie consent log: 5 years (obligation to demonstrate consent under Art. 7(1) GDPR)

After the retention period, data is deleted or irreversibly anonymised.

Under Articles 15–22 of the GDPR, the data subject has the right to:

• Access (Art. 15): obtain confirmation as to whether or not personal data is being processed and, where that is the case, obtain a copy
• Rectification (Art. 16): obtain the correction of inaccurate personal data or the completion of incomplete data
• Erasure (Art. 17): obtain the deletion of personal data ("right to be forgotten"), in the cases provided for by law
• Restriction (Art. 18): obtain the restriction of processing where one of the conditions set out in the provision applies
• Data portability (Art. 20): receive personal data in a structured, commonly used and machine-readable format, and transmit it to another controller
• Objection (Art. 21): object at any time to the processing of data based on legitimate interest
• Withdrawal of consent (Art. 7(3)): withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal

To exercise their rights, the data subject may write to privacy@atlascarbonneutral.com or send a certified email (PEC) to atlas.carbon@pec.it.

The controller will respond within 30 days of receiving the request (Art. 12(3) GDPR), a period which may be extended by a further 60 days in complex cases, with a reasoned communication to the data subject.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00186 Rome — www.garanteprivacy.it.

The site and Atlas services are intended exclusively for professionals and businesses. The controller does not knowingly collect personal data from individuals under the age of 16. Should the controller become aware that data of a minor has been collected without the consent of a parent or guardian, it will proceed with immediate deletion.

The site uses technical cookies and, with consent, analytics cookies. For detailed information on all cookies used, their purposes, duration and how to manage consent, please refer to the dedicated Cookie Policy.

The controller reserves the right to update this Privacy Policy to comply with regulatory, organisational or technological changes. In the event of substantial changes, the user will be informed via a notice on the site.

The date of the last update is indicated at the top of this page. Users are advised to consult this policy periodically.

For any questions regarding this Privacy Policy or to exercise the rights provided by the GDPR:

Atlas Carbon Neutral Solutions S.r.l. — Benefit Corporation Email: privacy@atlascarbonneutral.com PEC: atlas.carbon@pec.it

Regulatory references: • EU Regulation 2016/679 (GDPR) • Italian Legislative Decree 30 June 2003, n. 196 (Privacy Code), as amended by Legislative Decree 101/2018 • European Commission Adequacy Decision of 10 July 2023 (EU-U.S. Data Privacy Framework) • European Commission Decision 2021/914 (Standard Contractual Clauses)