Privacy Policy

The website https://www.upstood.com (the "Website") is owned by Upstood (hereinafter "Upstood")

At Upstood, we are committed to protecting the personal data you share with us. It is essential for us to guarantee and safeguard your privacy, confidentiality, and the proper handling of your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website https://www.upstood.com (the "Website") or interact with our services.

The Website is adapted to the requirements of the following laws:

• Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).
• Italian Data Protection Code (Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018).
• Legislative Decree No. 70/2003 on Information Society Services and Electronic Commerce.
• Italian Consumer Code (Legislative Decree No. 206/2005), where applicable.

1. Data Controller

The Data Controller of the personal data collected on this Website is:

• Upstood
• Registered Office: Via Cufra 17, Milano, Italy
• VAT: IT14214770969
• Email: legal@upstood.com
• Phone: +39 344 750 4971

2. Principles Applied to Personal Data

In processing your personal data, Upstood applies the following GDPR principles:

• Lawfulness, fairness, transparency: data is processed lawfully, fairly, and transparently.
• Purpose limitation: data is collected only for specified, explicit, and legitimate purposes.
• Data minimisation: only strictly necessary data is processed.
• Storage limitation: data is kept only as long as necessary for the purposes identified.
• Integrity and confidentiality: appropriate measures are implemented to ensure security, confidentiality, and prevent unauthorised access.

3. Categories of Personal Data Processed

We may collect and process the following categories of personal data:

• Identification data: name, surname, company name.
• Contact details: email address, phone number
• Technical data: IP address, browser type, operating system, device information, access times, pages viewed.
• Usage data: Website navigation behavior, cookies, and analytics.
• Contractual data: information necessary to provide services, manage accounts, and process payments.

4. Purposes of Processing

Your personal data may be collected and processed for the following purposes:

1. Service provision and contractual relationship: to manage service requests, accounts, or contractual relations with users.
   Legal basis: Regulation (EU) 2016/679: Art. 6(1)(b) GDPR – performance of a contract.
2. Contact forms and inquiries: to respond to user queries via email, forms, or phone.
   Legal basis: Regulation (EU) 2016/679: Art. 6(1)(a) GDPR – consent; Art. 6(1)(b) GDPR – pre-contractual steps.
3. Newsletter and marketing communications: to send newsletters, promotions, and updates, provided you consent.
   Legal basis: Regulation (EU) 2016/679: Art. 6(1)(a) GDPR – consent.
4. Analytics and navigation data: to analyse Website usage and improve services (cookies, IP address, device info).
   Legal basis: Regulation (EU) 2016/679: Art. 6(1)(f) GDPR – legitimate interest.
5. Legal and compliance: to meet tax, accounting, and regulatory obligations.
   Legal basis: Regulation (EU) 2016/679: Art. 6(1)(c) GDPR – legal obligation.

5. Cookies

The Website uses cookies and similar technologies to personalise content, provide social media features, and analyse traffic. Information is shared with analytics, advertising, and social media partners.

Users may manage cookie preferences through their browser settings or via the Website's cookie banner. More detailed information is available in our Cookie Policy.

6. Data Sharing and Recipients

Data may be communicated to:

• Hosting and IT providers;
• Email and communication service providers;
• Payment and accounting providers (if applicable);
• Legal, tax or regulatory authorities where required.

Whenever third-party providers are located outside the EEA, transfers will be made under GDPR safeguards (adequacy decisions or Standard Contractual Clauses).

We do not sell personal data.

7. International Data Transfers

If personal data are transferred outside the European Economic Area (EEA), we ensure an adequate level of protection in compliance with GDPR (Art. 44 et seq.), including use of European Commission adequacy decisions and Standard Contractual Clauses.

8. Data Retention (Storage Period)

In accordance with GDPR, data will be retained only for the time necessary to fulfill processing purposes:

• Contractual/account data: 10 years (legal obligations).
• Contact form data: 12 months.
• Newsletter data: until consent is withdrawn.
• Analytics data: per cookie retention settings.

9. Rights of Data Subjects

Under Articles 15-22 GDPR, Users have the right to:

• Access their personal data;
• Request rectification or erasure;
• Restrict processing;
• Data portability;
• Object to processing (including marketing);
• Withdraw consent at any time.

Requests can be sent to: legal@upstood.com

10. Right to Lodge a Complaint

Users may lodge a complaint with the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) or with their local EU supervisory authority.

11. Minors

The Website and services are not intended for individuals under 18 years of age. Upstood does not knowingly collect personal data from minors.

12. Amendments

This Privacy Policy may be updated in line with legal or regulatory changes. Users are advised to review it periodically.

13. Contact

For any questions or concerns regarding this Privacy Policy, please contact:

• Upstood
• Via Cufra 17, Milano, Italy
• Email: legal@upstood.com

14. Last Updated

This Privacy Policy was last updated on 10 September 2025.