PRIVACY POLICY ON THE PROCESSING OF PERSONAL DATA ACCORDING TO ARTICLES 13 AND 14 OF REGULATION (EU) 679/2016 (GDPR)

TimeFlow S.r.l. SB, (hereinafter also referred to as “Timeflow” or the “Controller”), located at Via 95° Reggimento Fanteria 9, 73100 – Lecce, is the operator of the Marketplace Platform accessible at the following link https://marketplace.timeflow.it/ (hereinafter also referred to as the “Marketplace”). This information is provided only for the Marketplace and not for other websites, apps, or social platforms that can be accessed through hyperlinks (links) present in the Marketplace, for which reference is made to their respective personal data processing policies.

The role and responsibilities of Timeflow

Timeflow acts as a data controller in accordance with Regulation (EU) 679/2016 (General Data Protection Regulation – GDPR).

Through the Marketplace, Timeflow facilitates the search for partners and the initiation of collaborations between legal entities (B2B). Specifically, the Marketplace allows users in need of support for project development (hereinafter, “Clients”) to receive quotes or applications from other users (hereinafter, “Suppliers”), as well as to consult, select, and interact with Suppliers and the professionals operating within their respective organizations (hereinafter “Professionals”). It is clarified that, although referring to legal entities, the accounts of Clients and Suppliers are created and managed by individuals, acting as corporate representatives, whose personal data is collected and processed by Timeflow from the moment of registration on the Marketplace. For the purposes of this information, such subjects (data subjects) will be referred to respectively as “Clients” and “Suppliers”. The organizations they belong to (legal entities) will be referred to as “Client Companies” and “Supplier Companies”.

Information related to Professionals is entered and published by Suppliers through the “Add profile” function. Depending on their subscription plan, Clients and Suppliers can also create accounts for other users, who may serve as project references, to whom an email invitation to access the Marketplace is sent. Therefore, it is the responsibility of the Client Companies and Supplier Companies, as independent data controllers, to identify a suitable legal basis to legitimize the provision of personal data of Professionals and users receiving an invitation to access the Marketplace (data subjects), verify its accuracy, and provide them with information on processing in accordance with Article 13 of the GDPR.

Furthermore, all operations carried out by Clients and Suppliers within the Marketplace that involve the use of personal data, constitute processing activities in accordance with Art. 4, paragraph 1, no. 2) of the GDPR. This refers, for example, to the submission of applications for the development of Time&Material projects, the modification and deletion of profiles already published, or the external sharing of the same by the Suppliers by the Suppliers, as well as the activities of consulting profiles and the curricula of Professionals, or the collection of further information related to them, through the internal messaging system of the Marketplace by the Clients.

In this perspective, individuals who carry out data processing activities are considered authorized subjects for processing, pursuant to Art. 29 of the GDPR, instructed for this purpose by Client Companies and Supplier Companies, to which the role of independent data controllers is attributable, since they act for the realization of their purposes, independently from Timeflow’s will.

The contact details of the Controller and the Data Protection Officer

For any information, clarification, or further details regarding our personal data protection policies, as described here, you can contact us:

  1. via our email: privacy@timeflow.it;
  2. writing to the address of our registered office: TimeFlow S.r.l. SB, Via 95° Reggimento Fanteria 9, 73100 – Lecce;
  3. to the email address of our Data Protection Officer: andrealisi@studiolegalelisi.it

The purposes and legal bases for processing your personal data

Below, we outline the purposes for which we process your personal data, categorized into homogeneous groups, and the legal bases for such processing.

I) Processing carried out by Timeflow for purposes related to the provision of its services through the Marketplace

Timeflow will process your personal data to:

    1. enable the proper functioning of the Marketplace, ensuring the full functionality of our services;
    2. send you transactional emails (for example, to confirm your email address for account activation, inform you about the status of actions taken through the Marketplace, etc.);
    3. send you notifications visible within the Marketplace;
    4. enable you to register and log in to access your private area of the Marketplace. It should be noted that registration is reserved for Clients and Suppliers at the time of account creation. Professionals can be enabled by Suppliers to access their account, upon verification of the email address provided at the time of profile creation. Depending on their economic plan, Clients and Suppliers also have the opportunity to create, modify, and delete additional user accounts, activatable upon verification of the email address provided at the time of account creation;
    5. if you are a Client or a Supplier, allow you to: customize, modify, and delete your personal profile; customize and modify the company profile, including through the attachment of documents;
    6. if you are an invited user to access the Marketplace or a Professional enabled to access your account, allow you to personalize and modify your profile;
    7. if you are a Client or a Supplier, process payments and record financial transactions, for the purpose of purchasing an economic plan;
    8. if you are a Supplier or a project representative, allow you to: insert, modify, and delete one or more Professional profiles; search and consult the company profiles of Clients registered in the Marketplace and the projects published, also using search filters; share projects externally; save searches performed; create a list of preferred Clients; nominate Professionals with profiles compatible with the needs of Clients for collaboration on Time&Material projects; send quotes for Fixed Price projects; interact with Clients and project representatives, through the internal messaging system of the Marketplace and view the history of conversations; organize introductory interviews with company representatives and project representatives; view and manage collaborations initiated through the Marketplace and check their progress; receive email updates on new projects published;
    9. if you are a Client or a project representative, allow you to: search and consult the profiles of Suppliers and Professionals, also using search filters; save searches related to Suppliers; share externally the profiles of Professionals; create a list of preferred Suppliers and Professionals; present and cancel availability requests to Professionals; interact with Suppliers and project representatives, through the internal messaging system of the Marketplace and view the history of conversations; organize introductory interviews with Professionals, company representatives, and project representatives, with the possibility of inviting third-party participants; view and manage collaborations initiated through the Marketplace and check their progress; publish projects and receive applications or quotes; receive email updates related to the entry of new Suppliers and the availability of new profiles;
    10. if you are a Professional:
      • collect the information necessary to create a profile, also through automated processing of data contained in your CV;
      • analyze, through automated systems, the information obtainable from your profile (including level of experience, skills, hourly rate, languages spoken, availability to collaborate in person and/or remotely) in order to determine the percentage of compatibility with the needs of Clients, as derived from published projects;
      • make available to Clients the information associated with your profile. It should be noted, in this regard, that the data accessible to Clients through the Marketplace does not include your contact details, since any communication with these Clients will be mediated by the Supplier or the project representative. Until a potential request for the availability of your profile, furthermore, Clients will only be able to view your name and the initial of your last name;
      • allow you to participate in introductory interviews with Clients and project representatives, with the support of a member of the Timeflow Team, who may take part in the interview;
      • if you are enabled to access your account, allow you to add work experiences, upload your CV, enter some additional information (such as phone number) and associate an image with your profile;
    11. provide you with all other services reserved for users of the Marketplace (among others, facilitate customer care activity through live chat service and forward your requests to the specific support team; allow you to participate in online surveys; allow you to request and provide reviews, etc.).

The legal basis for processing your data for the above purposes is determined based on the type of processing carried out, according to the criteria we outline below:

      1. all processing activities that assume your active use of the functionalities available within the Marketplace, based on your profile, are necessary to provide you with the services reserved for users of the Marketplace, pursuant to Art. 6, par. 1, lett. b) of the GDPR;
      2. in other cases, instead, Timeflow may process your personal data independently from your activity within the Marketplace. This occurs, in particular, if you are a Professional or a user invited to access the Marketplace by a Supplier or a Client, whenever we collect and process information about you (for example, when we acquire data associated with your profile from a Client or a Supplier, even through automated extraction of such data from your CV). In these cases, Timeflow acts in execution of a contract concluded with a Client Company or a Supplier Company, to the extent that it involves the provision of services entailing the processing of your personal data. The legal basis for such processing, therefore, is constituted by Timeflow’s legitimate interest in fulfilling the obligations arising from the contracts concluded with Client Companies and Supplier Companies and, reciprocally, by the legitimate interest of these latter in receiving the contractual performances with Timeflow, pursuant to Art. 6, par. 1, lett. f) of the GDPR. However, if you are a Professional, we need your approval to proceed with the automated analysis of the information obtainable from your profile, in order to determine the percentage of compatibility with the requests of Clients. In this case, the legal basis of the processing is represented by your expressed consent, pursuant to the combined provisions of Arts. 6 par. 1 lett. a) and 22 par. 2 lett. c) of the GDPR.

II) Processing carried out by Timeflow for administrative, accounting, and fiscal purposes

If you are a Client or a Supplier, Timeflow may process your personal data for the purpose of fulfilling administrative, accounting, and fiscal obligations related to purchases made through the Marketplace, such as, by way of example, the maintenance of accounting books and the issuance of invoices. It should be noted, however, that such activities represent personal data processing only if the purchase and payment operations can be traced back to a natural person.

The legal basis for these processing activities is the fulfillment of legal obligations to which Timeflow is subject, pursuant to Art. 6, par. 1, lett. c) of the GDPR.

III) Processing carried out by Timeflow for the purpose of optimizing and promoting the services offered through the Marketplace With your permission, Timeflow will be able to process your data, even with fully automated systems, for profiling purposes for marketing. These processes may include, for example:

      • the collection and recording of information related to your browsing actions, in order to show you commercial communications through social networks and other web contexts;
      • tracking your behavior on the Marketplace, in order to identify the areas with which you interact most frequently. This can allow us, for example, to adapt the way content is displayed to you, making it even easier to find content of your interest;
      • sending promotional messages, mainly via email, based on specific actions performed on the Marketplace;
      • the collection of data related to the date and time you view the messages you receive at your email address and the clicks on the links contained in them, in order to determine and improve the level of effectiveness of our communications.

The treatments carried out for these purposes are based on your expressed consent, pursuant to art. 6 par. 1 letter a) of the GDPR.

The sources of collection of your personal data

Your personal data can be provided directly by you, in an active and conscious manner (for example, data provided by filling in the registration form on the Marketplace, the CV, and data related to work experiences entered by Professionals authorized to access their account, etc.).

In other cases, your data is provided indirectly, through access and interaction with the Marketplace or the use of your devices (for example, information related to your browsing actions and your behavior on the Marketplace, data related to the viewing of the messages you receive via email, etc.).

The personal data related to you can also be collected from third parties, in particular:

      • from other users registered on the Marketplace (for example, data from Professionals and users invited to access the Marketplace provided by Clients and Suppliers at the time of creation and editing of their profiles; the email address of third parties invited to participate in introductory meetings between Clients and Suppliers);
      • from Google Ireland Ltd, Google LLC, or Microsoft Corporation, in case you decide to access the Marketplace using a Google or Microsoft account.

Categories of data processed and the nature of the provision

Browsing data

During navigation on the Marketplace, some information is automatically acquired whose transmission is implicit in the use of Internet communication protocols.

This category of data includes, for example, the IP addresses or domain names of the devices you use, the addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the computer environment in use. The provision of these data is necessary to ensure the proper functioning of the Marketplace.

This category also includes data collected by Timeflow for profiling purposes for marketing, such as, for example, information related to actions performed on the Marketplace (type of action, time, frequency with which it is performed, etc.). In this case, you can choose not to consent to the collection of your data, without compromising your browsing experience.

You can find more information on the types of data belonging to this category within the choice management area, accessible via the appropriate command located in the footer of the Marketplace.

Data provided through the use of our services

Timeflow collects personal data provided or generated through interaction with the Marketplace. Such data includes:

      1. data required for registration on the Marketplace (if you are a Supplier: name and surname, phone number, business email address, role in the company, information on how you became acquainted with Timeflow, name and legal headquarters of the company you belong to; if you are a Client: information about the needs you would like to meet through the Marketplace and related timing, name and surname, phone number, business email address, role in the company, information on how you became acquainted with Timeflow, name, sector, and legal headquarters of the company you belong to). After registration, you can also access the Marketplace using your Google or Microsoft account. If you decide to make this choice, a window will open showing the data that the account manager will share with Timeflow, such as name, email address, language preference, and profile picture;
      2. data associated with your personal profile: – for all users of the Marketplace: belonging organization, name and surname, email address, phone number, city, photographic image or avatar; – for Professionals: data contained in the curriculum vitae, contractual relationship with the Supplier Company, job qualification, technical skills, work experiences (additional to those indicated in the CV), availability for potential collaborations, period of availability, daily rate, years of work experience, languages spoken, availability to work in person, full-time or part-time, feedback received from other users;– for project representatives: job qualification and belonging business unit.
      3. data related to interactions with other users (for example, potential or initiated collaborations between Suppliers, project representatives and Professionals, on one hand, and Clients, on the other; data related to conversations between users using the internal messaging system of the Marketplace; data related to the organization of introductory interviews between users and/or Professionals and any personal data communicated during the interview, etc.);
      4. data provided in interaction with the automated live chat system (name, reasons for contact and any other data entered in the chat and/or attached documents, which Timeflow can associate with your user profile);
      5. data provided for the purpose of participating in online surveys (expressed opinions, which Timeflow can associate with your user profile);
      6. accounting and billing data, if referred to an individual (among which data related to credit cards and bank accounts used and the transaction ID).

Providing this data is necessary to allow you to register on the Marketplace and use our services.

In particular, the possible refusal to provide the requested data at the time of account registration and the creation of profiles referring to Professionals or other users invited to access the Marketplace, results in the inability to complete the registration and creation of profiles. Similarly, refusing to provide the data required for the purchase of a subscription plan through the Marketplace, results in the inability to conclude the purchase contract.

Moreover, if you are a registered user on the Marketplace, you can provide your personal data to complete your profile (e.g., photograph, work experiences, etc.) or to use additional features reserved for users (such as, for example, the automated live chat service, participation in surveys, exchanging messages with other users, etc.). Providing data for these purposes is optional, meaning there is no legal or contractual obligation to provide them, but it is a necessary requirement to integrate or update the information visible to other users, or to use the services available to you.

To whom your personal data may be communicated

Your personal data may be communicated to:

      1. employees and collaborators of Timeflow specifically authorized and instructed, who need to access it in the performance of their duties;
      2. users registered on the Marketplace;
      3. external entities that provide specific services or carry out instrumental activities on behalf of Timeflow, as data controllers or processors: for the updated list of such entities, we invite you to consult the attached table to this information;
      4. external entities that act as independent data controllers or, in some cases, as joint data controllers, for ancillary and related purposes to the provision of our services: in this category of recipients are included, in particular, banking institutions for payment operations carried out by Clients and Suppliers for the purchase of a subscription plan.

Outside of the cases mentioned above, personal data will not be communicated, disseminated, transferred or otherwise moved to third parties for illicit or unrelated purposes to the collection purposes and, in any case, without providing adequate information to the interested parties and obtaining their consent, where required by Law. Personal data will not be transferred abroad, to countries or international organizations not belonging to the European Union that do not guarantee an adequate level of protection, recognized, pursuant to Art. 45 GDPR, on the basis of an adequacy decision of the EU Commission. In the event that it becomes necessary for the provision of the Site’s services, the transfer of personal data to countries or international organizations outside the EU, for which the Commission has not adopted any adequacy decision pursuant to Art. 45 GDPR, will take place only in the presence of adequate guarantees provided by the recipient Country or Organization, pursuant to Art. 46 GDPR and provided that the interested parties have enforceable rights and effective legal remedies. In the absence of an adequacy decision by the Commission, pursuant to Art. 45 GDPR, or of adequate guarantees, pursuant to Art. 46 GDPR, including binding corporate rules, the cross-border transfer will take place only if one of the conditions indicated in Art. 49 GDPR occurs.

How long we keep your personal data Timeflow will retain the collected data for different periods, depending on the purposes of processing:

      1. data necessary for registration on the Marketplace, the data associated with your personal profile and data related to interactions with other users will be retained until 12 months after the deletion of your account or your profile; it should be noted, in this regard, that the deletion of a Customer’s or Supplier’s account will lead to the deletion of Professional profiles and of users invited to access the Marketplace, created by them;
      2. data provided in the interaction with the automated live chat system will be retained for a maximum period of 24 months;
      3. data provided for the purpose of participating in online surveys will be retained for a maximum period of 24 months;
      4. accounting and billing data will be retained for 10 years from collection.

TimeFlow will, after the expiration of the retention terms, according to the indicated criteria, take measures aimed at the deletion or anonymization of the data that should not be retained for specific legal obligations or for other legitimate reasons (e.g., pending litigation).

To know the retention time of navigation data, we invite you to consult the information available in the management of choices area, accessible through the specific command located in the footer of the Marketplace.

What are your rights

As a data subject, you have the right to access your personal data, to request its correction, update, deletion, or restriction if incomplete, incorrect, or collected in violation of the law, as well as to object to processing for legitimate reasons or to obtain its portability.

In particular, you have the right to obtain confirmation of the existence or absence of personal data concerning you, even if not yet registered, and their communication in an intelligible form.

You also have the right to obtain information about:

      1. the purposes and methods of processing;
      2. the logic applied in the case of processing carried out with the aid of electronic tools;
      3. the identity of the Data Controller, the Data Processors, and the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as processors.

You have the right to obtain:

      1. the update, rectification, or integration of your data;
      2. the deletion, anonymization, or blocking of data processed in violation of the law, including data that does not need to be retained for the purposes of processing;
      3. restriction of processing, in cases provided for by Article 18 of the GDPR;
      4. certification that the operations referred to in letters a), b), and c) have been made known to those to whom the data have been communicated or disseminated, except in the case where such fulfillment proves impossible or involves a use of means manifestly disproportionate to the protected right;
      5. the transmission of the data concerning you, provided to the Controller and processed on the basis of a contract, in a structured, commonly used, and machine-readable format. Under Article 20 of the GDPR, you also have the right to transmit such data to another Controller without hindrance and, if technically feasible, to obtain the direct transmission of personal data from one controller to another.

You have the right to object, in whole or in part:

      1. for legitimate reasons to the processing of personal data concerning you, even though they are relevant to the purpose of the collection;
      2. to the processing of personal data concerning you for the purpose of sending advertising material or direct selling or for carrying out market research or commercial communication;
      3. to automated decision-making processes that significantly affect you.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Data Protection Authority.

Automated decision-making processes

Timeflow uses automated processes applied to a set of personal data of Professionals that can produce effects on their legal sphere or otherwise significantly affect them.

The legal basis for such processing is the expressed consent of the Professional, pursuant to the combined provisions of Articles 6(1)(a) and 22(2)(c) of the GDPR.

In particular, Timeflow uses an algorithm to analyze information obtainable from the profiles of Professionals (including level of experience, skills, hourly rate, languages spoken, availability to collaborate in person and/or remotely) in order to determine the percentage of compatibility with the needs of Clients, as can be inferred from the projects published. Consequently, the profile of individual Professionals will be more easily manageable for the purposes of presenting applications for the development of Time&Material projects and proposing professional collaborations.

If you are a Professional, you may at any time write to Timeflow to request:

      • information about the mechanisms underlying the automation;
      • information about the periodic assessments carried out to verify the reliability of the automated tool used;
      • details on the forms of data access;
      • human intervention and/or to express your opinion and/or to contest the decision.

How you can exercise your rights

You can exercise your rights by sending an email to privacy@timeflow.it. We will respond within one month of the request. If it is not possible to satisfy your request, we will provide the reasons why we cannot do so.

To exercise your rights, you can also make use of bodies, organizations, or associations without profit motive, whose statutory objectives are of public interest and which are active in the field of protecting the rights and freedoms of data subjects with regard to the protection of personal data, by giving, for this purpose, suitable mandate. You can also choose to be assisted by a trusted person.

To know your rights and always be updated on the legislation regarding the protection of individuals with respect to the processing of personal data, you can turn to the Data Protection Authority, consulting the website at http://www.garanteprivacy.it/.

Last revision April 2024

Recipients of personal data collected through the Timeflow Marketplace

Below, we list the service providers with whom Timeflow may share its users’ data, with an indication of their respective role.

Marketplace Recipients List
Recipient Role Purpose of Processing Other Processors
Controller Owner
Amazon Web Services EMEA SARL X Data storage
Hubspot Inc. X Online chat management; web content management (CMS); sending emails for commercial purposes; user relationship management; marketing and sales campaign automation Refer to the dedicated page on the supplier's site
Intuit Inc. X Transactional email sending; management of support and contact requests received through email contact forms Refer to the dedicated page on the supplier's site
Pendo.io Inc. X User interaction tracking with content on Marketplace and email messages to measure the effectiveness of marketing campaigns and provide personalized service updates Refer to the dedicated page on the supplier's site
Typeform SL X Collecting user feedback on Marketplace service quality; conducting opinion surveys and market research Amazon Web Services Inc., Cloudflare Inc.
Calendly LLC + X Meeting scheduling Refer to the dedicated page on the supplier's site
Zoom Video Communications, Inc. X X Videoconference organization Refer to the dedicated page on the supplier's site
Google Ireland Limited (Google Calendar) X X Appointment management
Google Ireland Limited X Remarketing and behavioral targeting Refer to the dedicated page on the supplier's site
Meta Platforms Ireland Limited X Remarketing and behavioral targeting Refer to the dedicated page on the supplier's site
LinkedIn Corporation X Remarketing and behavioral targeting Refer to the dedicated page on the supplier's site
Chargebee Inc. X Payment management Refer to the dedicated pages on the supplier's site:
https://www.chargebee.com/privacy/dpa/#sub_processors
https://www.chargebee.com/privacy/sub-processors/
https://www.chargebee.com/receivables/privacy/sub-processors/

Last update: February 2024