Privacy Policy

This document (“Privacy Policy”) has been drafted to allow the user to understand how their personal data will be processed by Altamira and by their Employer as independent data controllers, within the scope of accessing and using the services offered by the App. Please read this document carefully, as it applies both in the case of a simple download of the App and in the case of registration to it. By completing the download of the App, the User declares to have read and understood this Privacy Policy.


Altamira Data Controller


(Last updated: February 2025)



Altamira S.r.l., with registered office at via G. Marradi 1, 20123 Milan, Tax Code and VAT number Registration R.I. of Milan No. 12940250157, as data controller (hereinafter, “Data Controller” or “Altamira“), informs you, in accordance with Article 13 of EU Regulation 679/2016 (“GDPR”) and applicable national legislation on data protection (“Privacy Law”), including the specific measures issued by the supervisory authority (the Italian Data Protection Authority) where applicable, on how your personal data will be processed in the context of your access to and use of the services provided by the App.

You can contact the Data Protection Officer (“DPO”) of Altamira at the following address: via G. Marradi 1, 20123 Milan, or by email at: privacy@altamirahrm.com.


1. Purpose of Processing

Altamira has developed a digital ecosystem consisting of a native iOS or Android app and a web-based version, known as the web app (hereinafter, the “App”), which, through a secure connection, interfaces with Altamira’s human resource management system (“Altamira HRM”). The services provided through the App, as well as the features and functionalities thereof, may involve the processing of data by Altamira.


2. Processed Data

Following your access to the App, we inform you that Altamira will process information concerning you, which may include, for example, an identifier such as your first name, last name, email address, identification number, online identifier, or one or more elements of your physical identity that could identify you (hereinafter referred to as “Personal Data”). Your Personal Data may be collected because voluntarily provided by you (e.g., when you access the App).

Specifically, the Personal Data processed by Altamira in the context of access to and use of the App includes the following:

  • Access Credentials. To access the App, you will be required to provide information such as email and password. These credentials will be provided by your Employer, who is responsible, as the data controller, for creating your account.
  • Navigation Data. Through your use of the App, navigation and usage data may be collected, such as system logs designed to detect user access to the App, device identifiers such as the MAC address (Medium Access Control) and other unique device codes.

3. Purposes and Legal Bases of Processing

Altamira will use your Personal Data, collected in the context of your access to and use of the App, for the following purposes:

  • To enable you to access and authenticate to the App and provide any necessary additional assistance (“App Usage”);
    • Legal basis: Performance of contractual obligations Article 6(1)(b) GDPR. Processing for this purpose is necessary to enable you to access and use the services offered by the App and, therefore, to perform the contract in place with you. Providing Personal Data for this purpose is not mandatory, but without it, you will not be able to use the App.
  • To ensure the proper functioning of the App, perform maintenance activities, checks, and send service communications if necessary to ensure the proper functioning of the App (“Maintenance”);
    • Legal basis: Performance of pre-contractual measures Article 6(1)(b) GDPR. Processing for this purpose is necessary to ensure proper use of the App and, therefore, to meet the obligations of Altamira under the contract in place with you. Providing Personal Data for this purpose is not mandatory, but without it, you will not be able to use the App.
  • To fulfill legal obligations that require Altamira to collect and/or further process certain types of Personal Data (“Compliance”);
    • Legal basis: Compliance with legal obligations Article 6(1)(c) GDPR. Processing for this purpose is necessary for Altamira to comply with any legal obligations. If you provide Personal Data to Altamira, it will be processed in accordance with applicable laws, which may involve storing and disclosing them to Authorities for accounting, tax, or other regulatory purposes.
  • To protect the rights, property, or safety of Altamira, our business partners, employees, or customers, for example, in judicial proceedings, internal investigations, and investigations by competent authorities, as well as to prevent or detect any misuse of the App or fraudulent activity (“Abuse/Fraud/Claims and/or Litigation Management”).
    • Legal basis: Legitimate interest of the Data Controller Article 6(1)(f) GDPR. Processing for this purpose is necessary to pursue a legitimate interest of the Data Controller, in particular the prevention and suppression of illegal acts, including disciplinary actions, as well as the general exercise of the Data Controller’s rights in judicial settings and the management of any litigation: the Data Controller’s interest aligns with the constitutionally guaranteed right of action (Article 24 of the Constitution) and, as such, is socially recognized as prevailing over the individual’s interests.

4. Processing Methods

Personal data will be processed by the Data Controller and authorized parties using computer systems in accordance with the principles of fairness, lawfulness, and transparency set out by the applicable Privacy Law, protecting the confidentiality of the data subject and their rights by adopting appropriate technical and organizational measures to ensure a level of security appropriate to the risk (such as access segregation, encryption of personal data, the ability to restore access to data in case of physical or technical incidents, etc.).


5. Data Retention

Personal Data processed for the purpose of App Usage and Maintenance will be retained by Altamira for the time strictly necessary to pursue the aforementioned purposes. Since such Personal Data is processed to allow you to use the App, Altamira may retain them for up to 24 months from the last use of the App, especially as necessary to protect the Data Controller’s interests from potential liabilities related to the use of the App.

Personal Data processed for the purpose of Compliance will be retained by Altamira for the period prescribed by specific legal obligations or applicable regulations and, in any case, for up to 10 years from the last use of the App.

Personal Data processed to prevent Abuse/Fraud/Claims and/or Litigation Management will be retained by Altamira for the time strictly necessary for the aforementioned purpose and, therefore, until Altamira is required to retain them to protect itself in court or to disclose such data to the competent Authorities, and in any case, for up to 10 years from the last use of the App.

At the end of the retention period, the Data will be permanently deleted from Altamira’s systems.


6. Access to Data

Your Data may be made accessible for the purposes described above to:

  • employees and/or collaborators of the Data Controller, in their capacity as data processors and/or internal data controllers and/or system administrators;
  • third-party companies or other entities (e.g., suppliers, affiliates, professional firms, etc.) that perform outsourced activities on behalf of the Data Controller, in their capacity as external data processors.

7. Communication of Data

Your Personal Data may be communicated, even without your consent, to control bodies, law enforcement, or the judiciary Ministry of Finance, Revenue Agency, government bodies, and competent Authorities, Local Authorities (regions, provinces, municipalities), regional and provincial tax commissions, upon their express request, which will process them as independent data controllers for institutional purposes and/or under the law during investigations and audits.

Your Personal Data may also be communicated to third parties (e.g., partners, client companies, freelancers, etc.), as independent data controllers, for performing activities instrumental to the purposes described above.


8. Data Transfer

Your Personal Data collected through the App may be transferred to recipients located in non-EU countries, specifically the United States, where the involved providers are established, a country deemed adequate by the European Commission under the “EU-US Data Protection Framework” of July 10, 2023.

In any case, transfers of Personal Data to third countries will be carried out after verifying adequate safeguards under Article 46 of the GDPR, ensuring that the recipients process the data in compliance with the GDPR. If the recipients of the data are located in a “third country” without an adequacy decision, Standard Contractual Clauses (SCC) pursuant to Article 46(2)(c) of the GDPR will be executed.

For more information on the extra-EU transfer of your Personal Data by Altamira in connection with the use of the App and the safeguards adopted, please contact the Data Controller at: privacy@altamirahrm.com.


9. Data Subject Rights and Exercise of Rights

The Data Controller informs you that, as a data subject, you have the right to:

  • obtain confirmation as to whether or not your Personal Data is being processed and, if confirmed, obtain access to such Personal Data, including a copy thereof;
  • obtain, without undue delay, the updating and rectification of inaccurate data or, where applicable, the completion of incomplete data;
  • obtain the erasure, anonymization, or blocking of Personal Data in cases provided by the GDPR. The Data Controller may refuse the erasure only in the case of: a) exercise of the right to freedom of expression and information; b) compliance with a legal obligation, performance of a task carried out in the public interest or in the exercise of official authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research, or statistical purposes; e) exercise of a right in judicial proceedings;
  • obtain the restriction of processing in cases of: a) contestation of the accuracy of the Personal Data; b) unlawful processing by the Data Controller to prevent erasure; c) exercise of a right in judicial proceedings; d) assessment of the possible prevalence of the legitimate interests of the Data Controller over those of the data subject;
  • object, in whole or in part, for legitimate reasons related to their particular situation, to the processing of their Personal Data;
  • withdraw consent previously given;
  • file a complaint with the Data Protection Authority.

In the cases above, where necessary, the Data Controller will inform third parties to whom your Personal Data has been communicated of any exercise of your rights, except in specific cases (e.g., when such compliance proves impossible or requires the use of manifestly disproportionate means to the protected right).

You can exercise these rights at any time by sending a registered letter to the address of the Data Controller or an email to: privacy@altamirahrm.com.


10. Updates to this Policy

This Privacy Policy may be updated to inform you of changes to the methods of collecting and processing your Personal Data related to the use of the App or changes to the relevant laws. The update date of this document is reported at the beginning of this Privacy Policy.



Employer Data Controller


(Last updated: February 2025)



Your Employer, as the data controller (hereinafter, “Data Controller” or “Employer“), informs you, in accordance with Article 13 of EU Regulation 679/2016 (“GDPR”) and applicable national data protection legislation (“Privacy Law”), including the specific provisions of the supervisory authority (the Italian Data Protection Authority) where applicable, as well as Article 4, paragraph 3, of Law No. 300/1970, Workers’ Statute (“Stat. Lav.”), how your personal data will be processed in connection with your access to and use of the services offered by the App.

If appointed, you can contact the Data Protection Officer (“DPO”) of the Data Controller using the contact details provided by your Employer at the time of hiring and/or listed in the privacy notice provided to you by your Employer.


1. Purpose of Processing

By using the native iOS or Android app, or the web app version (hereinafter, the “App”), you will interface via a secure connection with the Altamira HRM human resource management system. Your personal data will be stored within the HRM system according to the processes and specific business needs of your Employer. You may use the App to update some of your personal data or manage processes that your Employer has digitalized on the Altamira HRM platform.


2. Processed Data

Following your use of the App, we inform you that your Employer will process information concerning you, which may consist of identifiers such as your name, identification number, online identifier, or one or more elements of your physical identity capable of identifying you (hereinafter referred to as “Personal Data”). Your Personal Data may be collected because voluntarily provided by you (e.g., when you access the App).

Specifically, your Employer processes the following categories of Personal Data that you provide during your use of the App:

  • Access Credentials. Username and password necessary to access the App’s features. These credentials will be provided by your Employer, who is responsible, as the data controller, for creating your account;
  • Identification Data. Identifying data such as your name, role, email address, and phone number as configured by your Employer in the App;
  • Other Data. Through your interaction with the App, you may receive and/or transmit additional Personal Data to your Employer, such as IBAN, contractual salary situation, pay slips, medical visits, etc., which will be processed by the Data Controller according to the HR processes managed by your Employer on Altamira HRM;
  • Photos. The device camera may be used to collect your photo if required or requested by your Employer.
  • Geolocation Data. If required by your Employer, the App may collect geographic coordinates to determine if you are in an area valid for time tracking. Your device will not transmit specific geographic coordinates to the Data Controller, and at any time, you can choose not to allow the collection of geolocation data via your device.
  • Authentication Tokens. To enable access to the platform, you may, if desired, use biometric authentication available on your device to access protected areas of the App. Only a token confirming your access to the App will be transmitted to your Employer. Your biometric data will remain strictly on your device in accordance with the device’s specifications.
  • Calendar Information. Through the App, information about calendar events and data related to meetings on Google Meet, Microsoft 365, or Zoom may be obtained to allow your Employer to schedule meetings and events on your behalf.

3. Purposes and Legal Bases of Processing

Your Personal Data, collected during the use of the App, is processed by your Employer to allow you to access and use the services provided by the App in the course of your employment and, with respect to the services made available to you by the Data Controller, to provide any necessary further assistance (“Use of the App Services”). Processing for this purpose is necessary to enable you to benefit from the services offered by your Employer via the App and, therefore, for the performance of the contract in place with you. Providing Personal Data for this purpose is not mandatory, but without it, you will not be able to use the App.

We inform you that your Employer may process your Personal Data collected during the use of the App for other and different purposes. In this case, please consult and refer to the privacy policy provided by your Employer. In case of discrepancies between the information in this policy and that provided by your Employer, the policy provided by your Employer shall prevail.


4. Processing Methods

Personal data will be processed by the Data Controller and authorized parties using computer systems in accordance with the principles of fairness, lawfulness, and transparency set out by the applicable Privacy Law, ensuring the confidentiality of the data subject and their rights by adopting appropriate technical and organizational measures to ensure a level of security appropriate to the risk (such as separating common personal data from health-related data in separate archives – or databases –, encrypting personal data, the ability to restore access to data in case of physical or technical incidents, etc.).


5. Data Retention

Personal Data processed for the above purposes will be retained according to the policies established by your Employer, in compliance with retention obligations required by applicable laws (e.g., the statutory obligation to retain accounting records and other business correspondence for 10 years).

User data related to their Google Meets and calendars, Microsoft calendars, or Zoom calendars will be retained for the time strictly necessary to provide the service, after which they will be securely deleted. Users may request the early deletion of their Personal Data at any time by contacting their Employer.

We inform you that your Employer may process your Personal Data collected during the use of the App for other and different purposes, with corresponding retention periods. In this case, please consult and refer to the privacy policy provided by your Employer. In case of discrepancies between the information in this policy and that provided by your Employer, the policy provided by your Employer shall prevail.


6. Access to Data

Your Data may be made accessible for the purposes described above to:

  • employees and/or collaborators of the Data Controller, in their capacity as data processors and/or internal data controllers and/or system administrators;
  • third-party companies or other entities (e.g., suppliers, affiliates, professional firms, etc.) that perform outsourced activities on behalf of the Data Controller, in their capacity as external data processors.

7. Communication of Data

Your Personal Data may be communicated, even without your consent, to control bodies, law enforcement, or the judiciary Ministry of Finance, Revenue Agency, government bodies, and competent Authorities, Local Authorities (regions, provinces, municipalities), regional and provincial tax commissions, upon their express request, which will process them as independent data controllers for institutional purposes and/or under the law during investigations and audits.

Your Personal Data may also be communicated to third parties (e.g., partners, client companies, freelancers, etc.), as independent data controllers, for performing activities instrumental to the purposes described above.


8. Data Transfer

The Personal Data collected through the App may be transferred to recipients located in non-EU countries. For more information on the presence or absence of extra-EU transfers of your Personal Data made by the Data Controller in connection with the use of the App and the safeguards adopted (such as adequacy decisions, Standard Contractual Clauses, or other considered adequate guarantees), we suggest you contact your Employer.


9. Data Provision

The provision and updating of certain of your Personal Data related to access to the integration service with Google Meet for service purposes is mandatory due to the employment relationship with the Data Controller. However, you may choose not to provide the Personal Data, but in this case, you will not be able to establish or continue the contractual relationship with the Data Controller. Refusal of optional processing will not affect the services you use or the existing contractual relationship.


10. Rights of the Data Subject and Exercise of Rights

The Data Controller informs you that, as a data subject, you have the right to:

  • obtain confirmation as to whether or not your Personal Data is being processed and, if confirmed, obtain access to such Personal Data, including a copy thereof;
  • obtain, without undue delay, the updating and rectification of inaccurate data or, where applicable, the completion of incomplete data;
  • obtain the erasure, anonymization, or blocking of Personal Data in cases provided by the GDPR. The Data Controller may refuse the erasure only in the case of: a) exercise of the right to freedom of expression and information; b) compliance with a legal obligation, performance of a task carried out in the public interest or in the exercise of official authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research, or statistical purposes; e) exercise of a right in judicial proceedings;
  • obtain the restriction of processing in cases of: a) contestation of the accuracy of the Personal Data; b) unlawful processing by the Data Controller to prevent erasure; c) exercise of a right in judicial proceedings; d) assessment of the possible prevalence of the legitimate interests of the Data Controller over those of the data subject;
  • object, in whole or in part, for legitimate reasons related to their particular situation, to the processing of their Personal Data;
  • withdraw consent previously given;
  • file a complaint with the Data Protection Authority.

In the cases above, where necessary, the Data Controller will inform third parties to whom your Personal Data has been communicated of any exercise of your rights, except in specific cases (e.g., when such compliance proves impossible or requires the use of manifestly disproportionate means to the protected right).

You can exercise these rights at any time by sending a registered letter or email to the Data Controller or the HR Department or Privacy Officer of your Employer.


11. Updates to this Policy

This Privacy Policy may be updated to inform you of changes to the methods of collecting and processing your Personal Data related to the use of the App or changes to the relevant laws. The update date of this document is reported at the beginning of this Privacy Policy.