Privacy Policy
Dilica S.r.l., owner of the "Mosaico" project, acting as data controller, informs you pursuant to Article 13 of EU Regulation no. 2016/679 ("GDPR") that the data provided by users (the "Data Subject" or the "User") through the website https://mosaico.dev/ (the "Site"), regardless of the method and tool used, will be processed in the ways and for the purposes described below.
1. The Data Controller
The Data Controller is Dilica S.r.l., with registered office at viale Mentana 921, 43121 Parma (PR) (hereinafter, the "Data Controller"). The Data Controller makes the following email address available for any communication: [email protected]
The Data Controller may appoint one or more data processors pursuant to Article 28 of the GDPR who, on behalf of the Data Controller, provide specific processing services or related, instrumental, or support activities, adopting all technical and organisational measures adequate to protect the rights, freedoms, and legitimate interests legally recognised to Data Subjects.
2. Description of Processing
The processing will concern individual operations, or a set of operations, on the following personal data provided by the Data Subject when using the services offered by the Data Controller through the Platform, as described in the table below (the "Personal Data" or "Data"):
| Type | Purpose of Processing | Legal Basis | Retention Period |
|---|---|---|---|
| Data voluntarily provided by the Data Subject | Responding to requests from Data Subjects and/or sending (or providing access to) requested materials; Data Subjects may be re-contacted via email or other communication systems if provided by them. | Performance of pre-contractual measures taken at the request of the Data Subject (Article 6(1)(b) of the GDPR). | For the time necessary to fulfil the Data Subject's requests or to perform the services. In any case, this data may not be retained for a period exceeding ten (10) years from the fulfilment of the requests received from the Data Subject. |
| Data Subject's email address | Subscription to the newsletter service. | | Until the Data Subject withdraws consent, and in any case for a period not exceeding two (2) years from collection. |
| Data Subject's contact details (email address, phone number) | Conducting direct marketing activities via email to the address provided at the time of registration | Expression of consent by the Data Subject (Art. 6(1)(a) of the GDPR). | Until consent is withdrawn and in any case up to twenty-four (24) months from collection. |
| Email address provided by the Data Subject | Handling information requests and scheduling informational calls | Performance of pre-contractual measures (Art. 6(1)(b) GDPR) | Personal data will be retained for the strictly necessary time to manage and respond to the Data Subject's requests and, where applicable, to carry out related pre-contractual activities. In the absence of a contractual relationship being established, data will be deleted within a maximum period of 12 months from fulfilment of the request. If a contractual relationship is established, data will be processed and retained in accordance with the terms provided for managing that relationship and applicable legal obligations. |
| Data Subject's Site usage data: data relating to frequency of use and feedback on the Site. | Improving user experience and the operation of the Site. | Performance of a contract to which the Data Subject is a party or performance of pre-contractual measures taken at the request of the Data Subject (Article 6(1)(b) of the GDPR). | For the duration of the account's validity or in any case for the maximum period permitted by law. |
| Browsing data of Site visitors: IP address, web pages visited, duration of visit, page interactions (e.g. scrolling, clicks, etc.), date and time of visits. | Monitoring the functioning of the website, including for the purposes of improving user experience and security | Legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR). | Browsing data will be retained for the time necessary to carry out analysis and comparative statistical processing activities, not exceeding two (2) years. |
| Cookies and other technologies for reading/storing information on the Data Subject's device | No session or third-party cookies are used. | No session or third-party cookies are used. | |
3. Methods of Processing
The processing of Personal Data:
- is carried out through the operations listed in Article 4(1)(2) of the GDPR, specifically: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of Data;
- is also performed with the aid of electronic or automated means;
- is also conducted through the use of email or other remote communication techniques.
4. Transfer of Personal Data
The management and storage of Data will take place primarily in Europe, on servers of duly appointed third-party companies acting as data processors. The Data Controller may provide access to the Portal and the services indicated therein in other countries as well; in such cases, the transfer of Data to those countries is strictly limited to the actual need to access it. The Data Controller will adopt the necessary measures to protect Users' Personal Data and prevent unauthorised access.
Personal Data may be transferred to the systems used by the Data Controller and/or duly appointed third-party companies acting as Data Processors, including outside the European Union. In the event that such transfer occurs to countries that do not provide the same level of protection required by the GDPR or applicable regulations, or in any case an adequate level of personal data protection, the Data Controller will ensure that each such recipient assumes specific contractual obligations in accordance with applicable personal data protection regulations (including the execution of Standard Contractual Clauses "SCCs" approved by the European Commission) or, in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or of adequate safeguards pursuant to Article 46 GDPR, including binding corporate rules, will request, pursuant to Art. 49 of the GDPR, the possibility to transfer personal data to a Third Country upon obtaining specific consent from the Data Subject.
With specific reference to the providers Intuit Ireland Software Limited (MailChimp) and Cloudflare Inc., it is specified that (i) any transfer of personal data is based on SCCs, including the necessary supplementary measures, and (ii) for transfers to the United States, the providers have certified compliance with the EU-US Data Privacy Framework.
In any case, the User may request further information regarding the transfer of Personal Data by writing to the email address [email protected]
5. Security Measures
The Data Controller has adopted a variety of security measures to protect Data against the risk of loss, misuse, or alteration, consistent with the measures set out in Article 32 of the GDPR. Processing is carried out using IT and/or telematic tools, with organisational methods and logic strictly related to the purposes indicated.
6. Consequences of Failure to Provide Personal Data
Without prejudice to the Data Subject's right to provide Personal Data to the Data Controller, the provision of Personal Data may be:
- mandatory for the purpose of providing the services accessible through the Portal and for purposes related to compliance with obligations imposed by applicable laws and/or regulations, as well as by provisions issued by the competent supervisory and/or control authorities/bodies;
- optional with respect to Data voluntarily provided by the Data Subject through the Site.
Any refusal by the Data Subject to provide Personal Data to the Data Controller may result in the Data Controller being unable to provide the requested services and make access to the Portal available.
Furthermore, please note that the withdrawal of one or more permissions and/or consents not granted by the User may have consequences on the proper functioning of and/or the ability to access and/or correctly use the Site and/or the Data Controller's ability to provide its services.
7. Retention and Erasure of Data
The retention period for Personal Data is indicated in the table in section 2 above. At the end of the retention period, Personal Data will be erased or anonymised. Therefore, upon expiry of that period, the right of access, erasure, rectification, and the right to data portability may no longer be exercised by the User.
Personal Data will be stored using IT archives, including portable devices, adopting appropriate measures to ensure their security and to restrict access exclusively to personnel authorised by the Data Controller and strictly within the scope of the purposes indicated above.
8. Third-Party Partners
In order to provide certain services, the Data Controller may use third-party partners who will process the User's Personal Data as independent data controllers; we therefore recommend reviewing the privacy notices of such parties before providing them with Personal Data.
These notices are available below:
- Cloudflare: https://www.cloudflare.com/it-it/privacypolicy/
- Notion: https://www.notion.com/trust/privacy-policy
- Mailchimp: https://www.intuit.com/privacy/statement/
9. To Whom We May Disclose Personal Data
For the purposes indicated above, Personal Data may be made accessible or disclosed to:
- employees and collaborators of the Data Controller, in their capacity as authorised processing personnel, within the scope of their respective duties and in accordance with the instructions received. Such individuals are in any case subject to confidentiality and privacy obligations;
- third parties carrying out outsourced activities on behalf of the Data Controller whose activities are connected, instrumental, or in support of those of the Data Controller (e.g. management software providers);
- all public and/or private parties, natural and/or legal persons (such as, by way of example, legal, administrative and tax consultancy firms, private pension and welfare funds or schemes, judicial offices, chambers of commerce), where disclosure is necessary or functional to the proper fulfilment of contractual obligations undertaken, as well as obligations arising from law;
- all parties (including Public Authorities) who have access to Personal Data by virtue of legislative or administrative provisions.
In any case, collected Personal Data will not be subject to dissemination.
10. Rights of the Data Subject
The Data Subject may exercise the rights provided for in Chapter III of the GDPR within the limits and under the conditions set out therein ("Rights of the Data Subject"):
- right of access to Data (Art. 15): the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning them is being processed and, if so, to obtain access to the Personal Data in a commonly used electronic format and certain information about the processing (e.g. purposes, categories of Data processed, recipients, extra-EU transfers, profiling activities, etc.);
- right to rectification of Data (Art. 16): the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning them without undue delay and/or the completion of incomplete Personal Data, including by providing a supplementary statement;
- right to erasure or "right to be forgotten" (Art. 17): the Data Subject has the right to obtain from the Data Controller the erasure of Personal Data concerning them without undue delay, and the Data Controller is obliged to erase Personal Data without undue delay;
- right to restriction of processing (Art. 18): the Data Subject has the right to obtain from the Data Controller restriction of processing;
- right to data portability (Art. 20): the Data Subject has the right to receive in a structured, commonly used and machine-readable format the Personal Data concerning them that they have provided to a Data Controller, and has the right to transmit such Data to another Data Controller without hindrance from the Data Controller to whom the Data was provided;
- right to object to processing (Art. 21): the Data Subject has the right to object at any time, on grounds relating to their particular situation, to the processing of Personal Data concerning them pursuant to Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions.
11. How to Exercise Rights
The Data Subject may exercise their rights at any time by sending:
- an email to [email protected];
- a registered letter with acknowledgement of receipt to Dilica S.r.l., with registered office at viale Mentana 92, 43121 Parma (PR).
The Data Controller undertakes to provide the Data Subject with information on the action taken regarding a request to exercise their rights without undue delay and, in any case, no later than thirty (30) days from receipt of the request, which may be extended to three (3) months only in cases of particular complexity.
Any rectifications, erasures, or restrictions of processing carried out at the explicit request of the Data Subject will, unless this proves impossible or involves disproportionate effort, be communicated by the Data Controller to each of the recipients to whom the Personal Data was transmitted.
The Data Controller may communicate the recipients' details to the Data Subject upon request.
12. Right to Lodge a Complaint
Data Subjects who believe that the processing of Personal Data is in violation of the GDPR have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali):
- i) via email, at the address [email protected] or [email protected];
- ii) via fax at 06.696773785; or
- iii) by post to the registered office at Rome (Italy), Piazza Venezia n. 11 – Postcode 00187.
Alternatively, Data Subjects may apply to the judicial authority.
13. Data Processors and Authorised Personnel
The updated list of data processors and authorised processing personnel is kept at the Data Controller's registered office.
14. Amendments to This Notice
This notice may be modified and/or updated at any time. Should the Data Controller intend to process your Personal Data for purposes other than those indicated in this Privacy Policy, it undertakes to provide, prior to such further processing, adequate information regarding those different purposes and to carry out such further processing in compliance with applicable regulations, collecting the Data Subject's specific consent where required.
Last updated: March 2026