Privacy Policy
Last updated: January 15, 2025
Introduction and Data Controller
BZTK Studios, with legal headquarters in Italy, is the Data Controller of personal data pursuant to EU Regulation 2016/679 (GDPR) and Legislative Decree 196/2003 (Privacy Code). This privacy notice describes how we process personal data collected through our website and services. Processing is carried out in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
Categories of Personal Data Processed
We process the following categories of personal data:
- Identification data: first name, last name, email address, phone number, date of birth
- Contact data: postal address, phone contacts, email address
- Navigation data: IP address, user agent, cookies, access logs, approximate geolocation
- Account data: login credentials, user preferences, security settings
- Economic data: billing information, transaction history, payment methods
- Usage data: purchase history, service interactions, usage metrics
- Special categories: only if strictly necessary and with explicit separate consent
Purposes and Methods of Processing
We process your personal data for the following purposes:
- Provision of requested services and contract management
- Compliance with legal, fiscal, and accounting obligations
- Direct marketing and commercial communication activities (with consent)
- Service quality improvement and new feature development
- IT security and fraud prevention
- Technical support and customer assistance
- Statistical analysis and business intelligence
- Complaint and dispute management
Processing is carried out using IT and telematic tools with logic strictly related to the purposes.
Legal Basis for Processing
Processing of personal data is based on the following legal bases pursuant to art. 6 GDPR:
- Free, specific, informed, and unambiguous consent (art. 6.1.a) for marketing and profiling
- Performance of contract or pre-contractual measures (art. 6.1.b) for services and payments
- Compliance with legal obligation (art. 6.1.c) for fiscal, accounting, and regulatory obligations
- Legitimate interest (art. 6.1.f) for security, fraud prevention, and service improvement
- Vital interest (art. 6.1.d) for security protection
For special categories of data, art. 9 GDPR applies with explicit separate consent.
Security Measures and Protection
We adopt adequate technical and organizational measures pursuant to art. 32 GDPR to ensure security and confidentiality:
- SSL/TLS encryption for data transmissions
- Multi-factor authentication systems
- Access controls based on roles and minimum privileges
- Encrypted backups and disaster recovery
- Continuous monitoring of access and suspicious activities
- Regular staff training on privacy
- Data pseudonymization and minimization
- Periodic security audits and vulnerability assessments
We notify any breaches according to GDPR timelines.
Data Subject Rights
Pursuant to arts. 15-22 GDPR, you have the right to:
- Access (art. 15): obtain confirmation of processing and copy of data
- Rectification (art. 16): correct inaccurate or incomplete data
- Erasure (art. 17): request data deletion (right to be forgotten)
- Restriction (art. 18): restrict processing in specific cases
- Portability (art. 20): receive data in structured format and transmit it
- Objection (art. 21): object to processing for legitimate reasons
- Withdraw consent: revoke consent without affecting prior lawfulness
- Complaint (art. 77): lodge complaint with Privacy Authority
Exercise rights by contacting the DPO at the address indicated.
Cookies and Tracking Technologies
We use cookies and similar technologies in compliance with Privacy Authority Guidelines:
- Technical cookies: necessary for website functionality (legal basis: legitimate interest)
- Analytical cookies: for anonymous usage statistics (with consent)
- Profiling cookies: for personalized marketing (with specific consent)
- Third-party cookies: for integrated services (with consent)
You can manage cookie preferences through banner, browser settings, or privacy panel. Consent can be withdrawn at any time.
User Accounts
When you create an account on our website, we collect and store the following information:
- First and last name
- Email address
- Password (encrypted)
- Preferences and settings
- Activity history
- Two-factor authentication data (if enabled)
Your account data is protected by advanced security measures and is accessible only to you and our authorized personnel.
Payment Processing
For payments, we use certified third-party providers (such as Stripe and PayPal) that comply with PCI DSS standards. We never store credit card data on our servers. Payment providers collect and process payment information securely, and we receive only transaction confirmations and billing information necessary for service delivery.
Sensitive Data
We handle the following sensitive data with particular care:
- Authentication information (passwords, 2FA tokens)
- Payment data (processed only through secure providers)
- Personal information for technical support
- Security and access logs
This data is protected by advanced encryption and limited access to authorized personnel only.
Data Retention
We retain your personal data only for as long as necessary:
- Account data: until account deletion
- Payment data: 10 years for tax obligations
- Security logs: 2 years
- Newsletter data: until consent withdrawal
- Support data: 3 years from resolution
Data is securely deleted upon expiration.
Data Sharing and Transfers
We never sell your personal data. We share data only with:
- PCI DSS certified payment providers for transactions
- Technical service providers (hosting, email) with DPA agreements
- Competent authorities for legal obligations
- Business partners only with explicit consent
Any transfers outside the EU occur with adequate safeguards (adequacy decisions, standard contractual clauses, certifications). All recipients are bound by strict data protection agreements.
Contact and DPO
To exercise your rights or for any matter related to personal data processing, you can contact:
- Data Controller: BZTK Studios
- Email: privacy@bztkstudios.com
- Data Protection Officer (DPO): dpo@bztkstudios.com
- Privacy Authority: www.gpdp.it
- Response time: 30 days (extendable to 60 for complexity)