Privacy Policy
Effective Date: November 25, 2025
Welcome to the Privacy Policy of Delphyros Group S.r.l., operating under the brand Delphyros ("we", "our", "us"). The protection of personal data and the confidentiality of communications are fundamental priorities for us. This notice explains how we collect, use, and protect personal data in strict compliance with Regulation (EU) 2016/679 ("GDPR").
Given the sensitive nature of our behavioral analysis and protective intelligence services, we implement the highest standards of data security and discretion.
1. Data Controller
The data controller is:
- Delphyros Group S.r.l.
- Via Giorgio e Guido Paglia 17
- 24122 Bergamo (BG), Italy
- VAT Number: 04433030162
- Tax Code: 04433030162
- REA: BG-462675
- Legal Representative: Ferrari Federico
- Contact email: team@delphyros.com
- PEC: ilcerchiodellavitasrl@pec.it
2. Scope of Application
This privacy policy applies to the processing of personal data carried out through:
- the website delphyros.com
- the platform accessible at profiling.delphyros.com
- direct communications with our team
This policy concerns two distinct categories of data subjects: clients and users who interact directly with us, and third-party subjects who are the subject of behavioral analyses requested by our clients. Processing methods differ based on category and are described in the respective sections.
3. Client and User Data
3.1 Types of Data Collected
Through the website and platform, we collect data that you voluntarily provide. This includes:
- Identification data: first name, last name, email address, phone number
- Access data: credentials for using the profiling.delphyros.com platform
- Billing data: company name, VAT number, address, bank details
- Content of analysis requests: information you submit through the platform
- Usage data: access logs, request timestamps, and IP addresses for security and compliance purposes
3.2 Methods of Collection
Personal data is collected through:
- the contact form available on the delphyros.com website
- registration and use of the profiling.delphyros.com platform
- direct email communications
- automatic logging systems for security purposes
3.3 Purposes and Legal Basis
Client data is processed for the following purposes:
- Delivery of behavioral analysis services: processing necessary for the performance of a contract to which you are party pursuant to Article 6(1)(b) of the GDPR.
- Platform account management: processing necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
- Invoicing and tax compliance: processing necessary for compliance with legal obligations pursuant to Article 6(1)(c) of the GDPR.
- Evaluation of consultation requests: processing necessary for the performance of pre-contractual measures at your request pursuant to Article 6(1)(b) of the GDPR.
- Platform security and abuse prevention: processing based on our legitimate interest in protecting systems and preventing unlawful use pursuant to Article 6(1)(f) of the GDPR.
- Documentation for potential legal defense: processing based on our legitimate interest in protecting rights in legal proceedings pursuant to Article 6(1)(f) of the GDPR.
- Commercial communications and service updates: processing that occurs only with your explicit prior consent pursuant to Article 6(1)(a) of the GDPR.
We do not use client data for automated decision-making or profiling, nor for sharing with third parties for commercial purposes.
4. Data of Analyzed Subjects
This section concerns the processing of personal data of third-party subjects who are the subject of behavioral analyses requested by our clients through the profiling.delphyros.com platform.
4.1 Nature of the Service
The behavioral analysis service consists of formulating an expert professional opinion based exclusively on publicly available information. It does not constitute investigative activity, background check, or screening for employment purposes. The analysis represents a professional opinion formulated by applying behavioral science methodologies to publicly available data.
4.2 Types of Data Processed
Processing concerns exclusively publicly available information relating to analyzed subjects:
- profiles on publicly accessible social networks and professional platforms
- photographs published online
- public content and statements
- other publicly available information
We do not collect data through unlawful means, unauthorized access, or non-public sources. We do not conduct investigative activities, surveillance, or direct contact with analyzed subjects.
4.3 Legal Basis
The processing of publicly available data of analyzed subjects is based on the legitimate interest of the data controller and clients pursuant to Article 6(1)(f) of the GDPR. This legitimate interest consists of providing professional consulting services for legitimate commercial purposes such as:
- evaluation of potential business partners
- investment due diligence
- strategic negotiation preparation
- relational risk assessment
The balance between the legitimate interest pursued and the rights of analyzed subjects takes into account the following elements:
- the data processed is exclusively in the public domain and already accessible to anyone
- the processing does not involve automated decisions with legal effects on the subjects
- the analysis constitutes a professional opinion and not a determination of facts
- measures are implemented to prevent unlawful use of the service
4.4 Rights of Analyzed Subjects
Subjects of analysis retain all rights provided by the GDPR. In particular, they have the right to:
- be informed of the processing
- access data concerning them
- object to processing pursuant to Article 21 of the GDPR
- request erasure of data
In case of exercise of the right to object by an analyzed subject, we will evaluate the request and, in the absence of compelling legitimate grounds that override the subject's interests, we will cease processing their data for future analyses. To exercise these rights, interested subjects may contact us at team@delphyros.com or via PEC at ilcerchiodellavitasrl@pec.it.
4.5 Limitations on Disclosure
We do not disclose to analyzed subjects the identity of the client who requested the analysis, as this information is covered by contractual confidentiality and its disclosure could prejudice the client's legitimate commercial interests.
5. Retention Period
Data is retained according to differentiated criteria based on type and purpose of processing.
- Active client data: retained for the entire duration of the contractual relationship and for the following 10 years for tax and accounting compliance, as well as for potential protection of rights in legal proceedings.
- Contact requests that do not result in a contractual relationship: retained for 12 months from initial contact, then permanently deleted.
- Behavioral analysis reports produced: retained for 24 months from delivery to the client for potential legal defense purposes, then securely deleted.
- Data relating to analyzed subjects: retention limited to the time strictly necessary for producing the requested report. Raw data is deleted within 30 days of analysis delivery, while the final report follows the retention periods indicated above.
- Security and platform access logs: retained for 24 months.
At the end of retention periods, all data is securely deleted or irreversibly anonymized.
6. Data Recipients
Personal data may be disclosed exclusively to the following categories of recipients:
- Authorized internal personnel: team members directly involved in client evaluation, service delivery, and platform management, all bound by confidentiality obligations.
- IT service providers: entities that maintain hosting infrastructure, the platform, and secure communication systems, bound by data processing agreements pursuant to Article 28 of the GDPR.
- Legal and tax advisors: when necessary for regulatory compliance, legal obligations, or protection of rights.
- Competent authorities: when required by law.
We do not share data with advertising or marketing platforms, third-party analytics services, or any entity not strictly necessary for service delivery. Behavioral analysis reports are delivered exclusively to the client who requested them. We do not communicate the existence or content of analyses to analyzed subjects, except in case of exercise of rights by the latter.
7. Data Transfer Outside the EU
The primary data processing infrastructure is located within the European Union.
In the exceptional circumstance that data transfer outside the EU becomes necessary, we ensure adequate protection through:
- standard contractual clauses approved by the European Commission
- adequacy decisions where applicable
- additional safeguards appropriate to the sensitivity of the data processed
Any transfers to third countries will be communicated in advance.
8. Security Measures
We implement technical and organizational security measures appropriate to the sensitivity of the data processed and the nature of the services offered.
Technical measures:
- encryption of communications and stored data
- secure server infrastructure with strict access controls
- robust authentication systems for platform access
- regular backups and disaster recovery procedures
- continuous system monitoring to detect unauthorized access
Organizational measures:
- binding confidentiality agreements for all personnel that exceed standard GDPR requirements
- ongoing personnel training on security and data protection
- verification procedures for analysis requests to prevent unlawful use
- data access limited to strictly necessary personnel according to the need-to-know principle
- documented procedures for security incident management
9. Automated Decision-Making
We do not employ fully automated decision-making processes that produce legal effects or significantly affect data subjects.
Behavioral analyses are prepared by qualified professionals through human review. Any technological support tools do not replace human professional judgment.
10. Data Subject Rights
Under the GDPR, data subjects have the following rights:
- Right of access (Article 15): obtain confirmation of processing and a copy of your data.
- Right to rectification (Article 16): request correction of inaccurate data.
- Right to erasure (Article 17): request deletion of data in certain circumstances.
- Right to restriction (Article 18): request restriction of processing.
- Right to data portability (Article 20): receive your data in a structured, machine-readable format.
- Right to object (Article 21): object to processing based on legitimate interest.
- Right to withdraw consent: withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise these rights, you may submit requests:
- via email to team@delphyros.com
- via PEC to ilcerchiodellavitasrl@pec.it
- by mail to Via Giorgio e Guido Paglia 17, 24122 Bergamo (BG), Italy
We will respond within 30 days of receiving the request. In complex cases, we may extend this period by an additional 60 days with appropriate communication.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00187 Roma, www.garanteprivacy.it.
11. Confidentiality Beyond GDPR
Our commitment to confidentiality extends beyond minimum legal requirements.
All client communications are treated as strictly confidential.
We do not disclose client identities, engagement details, or the content of analyses produced. The engagement evaluation process is conducted with complete confidentiality.
This enhanced confidentiality framework reflects the sensitive nature of the services offered and our commitment to preserving the privacy and reputation of all parties involved.
12. Use of Cookies
The delphyros.com website and the profiling.delphyros.com platform use exclusively technical cookies necessary for operation and session management.
We do not use profiling cookies, advertising cookies, or tracking technologies for marketing purposes.
Any changes to this cookie policy will be communicated through the appropriate information banner.
13. Changes to This Policy
We reserve the right to update this policy to reflect changes in processing practices, legal or regulatory developments, or evolution of services offered.
Material changes will be prominently posted on the website and communicated via email to clients registered on the platform. Changes will be effective from the date of publication unless otherwise indicated.
Last Updated: November 25, 2025
14. Contact
For any questions, requests, or communications regarding this policy or the processing of personal data:
- Email: team@delphyros.com
- PEC: ilcerchiodellavitasrl@pec.it
- Address: Via Giorgio e Guido Paglia 17, 24122 Bergamo (BG), Italy
- Suggested subject line: "Privacy Inquiry - Confidential"
This is a courtesy translation. In case of discrepancies, the Italian version shall prevail for legal purposes.