Nextbit privacy notice
Nextbit S.r.l. (registered company number 1826777 at the Milan Chamber of Commerce, VAT number IT01145050454) is
committed to protecting your privacy. At all times we aim to respect any personal information you share with us,
or that we receive from other organisations, and keep it safe. This Privacy Notice (‘Notice’) sets out our data
processing practices when you interact with us and your rights and options regarding the ways in which your personal
information is used. It aims to inform you according to the art. 13 EU Regulation n. 2016/679 (hereinafter, “GDPR”) on how your
data will be processed.
identifiable information about you.
This notice contains important information about your personal rights to privacy.
Please read it carefully to understand how we use your personal information. The provision of your personal
information to us is voluntary. However, without providing us with your personal information, your use of some of our
services may be impaired.
1. We collect information about you:
- When you give it to us directly
For example, personal information that you give us by contacting us by email, phone or letter.
- When we obtain it indirectly
For example, your personal information may be shared with us by third parties including, for example, our business
partners; analytics providers and search information providers. To the extent we have not done so already, we will
notify you when we receive information about you from them and tell you how and why we intend to use that
- When it is available publicly
Your personal information may be available to us from external publicly available sources. For example, depending
on your privacy settings for social media services, we may access information from those accounts or services
(for example when you choose to interact with us through platforms such as Facebook, LinkedIn or Twitter).
- When you visit our website, we automatically collect the following types of personal
- Technical information, including the internet protocol (IP) address used to connect your device to the
internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems
- Information about your visit to the websites, including the uniform resource locator (URL) clickstream to,
through and from the site (including date and time), services you viewed or searched for, page response times,
download errors, length of visits to certain pages, referral sources, page interaction information (such as
scrolling and clicks) and methods used to browse away from the page.
sources for the purposes set out in this notice.
2. What personal information do we process?
We may collect, store and otherwise process the following kinds of personal information:
- your name and contact detail, including postal address, telephone number, email address and, where applicable,
social media identity;
- information about your computer/mobile device and your visits to and use of this website, including, for example,
your IP address and geographical location;
2.2 Do we process special categories of personal information?
The General Data Protection Regulation (‘GDPR’) recognises certain categories of personal information as sensitive
and therefore requiring more protection, for example information about your health, ethnicity and political opinions.
In certain situations, Nextbit may collect and/or use these special categories of your personal information. We will
only process these special categories of your personal information if there is a valid reason for doing so and where
the GDPR allows us to do so.
3. How and why will we use your personal information?
Your personal information, however provided to us, will be used for the purposes specified in this notice.
In particular, we may use your personal information.
- to provide you with services, products or information you have requested;
- to enable you to participate in our projects / events;
- to process your application for an open position;
- to provide further information about our work, services, activities or products (where necessary, only where you
have provided your consent to receive such information);
- to answer your questions/requests and communicate with you in general;
- to manage relationships with our clients and suppliers;
- to analyse and improve our work, services, activities, products or information (including our website);
- to report on the impact and effectiveness of our work
- to run/administer our website, keep the website safe and secure and ensure that content is presented in the
most effective manner for you and for your device;
- to audit and/or administer our accounts;
- to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law
enforcement bodies with whom we may work;
- for the prevention of fraud or misuse of our services; and/or
- for the establishment, defence and/or enforcement of legal claims.
4. Clients/supporter research
We may also analyse your personal information to create a record of your interests and preferences. This allows us to
ensure communications are relevant and timely, to contact you in the most appropriate and relevant way and in general
to provide you with an improved user experience. It also helps us to understand the backgrounds of our clients/supporters.
5. Communications for marketing
We may use your contact details to provide you with information about our work, events, services and/ or products
which we consider may be of interest to you (for example, about services you previously used, or updates about
training events and/or volunteering opportunities via our email newsletter). Where we do this via email (if you are
registered with the Email Preference Service), we will not do so without your prior consent. Should you receive a
marketing email form Nextbit, you can opt out of receiving emails from Nextbit at any time by clicking the
‘unsubscribe’ link at the bottom of our emails.
6. How long do we keep your personal information?
In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we
remove your personal information from our records six years after the date it was collected. However, if before that
- your personal information is no longer required in connection with such purpose(s),
- we are no longer lawfully entitled to process it or
- you validly exercise your right of erasure (please see section 11 below), we will remove it from our records at the
relevant time. If you request to receive no further contact from us, we will keep some basic information about you on
our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
8. Lawful bases
The GDPR requires us to rely on one or more lawful bases to process your personal information. We consider the grounds
listed below to be relevant:
- Where you have provided your consent for us to use your personal information in a certain way (for example, we will
ask for your consent to use your personal information to send you promotional or fundraising material by email, and we
may ask for your explicit consent to collect special categories of your personal information).
- Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are
obliged to share your personal information with regulatory bodies which govern our work and services).
- Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to
entering a contract (for example, if you apply to work for/ volunteer with us). d. Where it is in your/someone else’s
vital interests (for example, in case of a medical emergency).
- Where there is a ‘legitimate interest’ in us doing so.
8.2 Legitimate interests
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or
others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights).
In broad terms, our ‘legitimate interests’ means the interests of running Nextbit as a business entity and pursuing
our aims and ideals; for example providing information about our projects, involving you in our research and
development projects, administering events and advertising our services. However, ‘legitimate interests’ can also
include your interests, such as when you have requested information or certain goods/ services from us, and those of
third parties (for example, beneficiaries of our work and services). When we process your personal information to
achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative),
and your rights under data protection laws. We will not use your personal information for activities where our
interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for
instance, we are otherwise required or permitted to by law).
9. Will we share your personal information?
Occasionally we share your personal information with third parties in order to deliver services, such as mailing houses
(Poste Italiane), booking systems (Eventbrite) or e-news providers (Mailchimp). We undertake regular due diligence
checks on third party processors to ensure they are acting within the GDPR. We do not share personal information for
any other purpose than to carry out communications about our business activities. We may need to disclose your personal
information upon request to regulatory and government bodies as well as law enforcement agencies. We may also merge or
partner with other organisations and, in so doing, acquire or transfer personal information but your personal
information would continue to be used for the purposes set out above.
10. Security storage of and access to your personal information
- Nextbit is committed to keeping your personal information safe and secure and we have appropriate and proportionate
security policies and organisational and technical measures in place to help protect your information. For example,
your personal information is only accessible by appropriately trained staff and contractors, and stored on secure
servers with features enacted to prevent unauthorised access.
- In general, the personal information that we collect from you will be stored at a destination within the European
- Please note that some countries outside of the EU may have a lower standard of protection for personal information,
including lower security requirements and fewer rights for individuals. Should your personal information ever be
transferred, stored and/or otherwise processed outside the EU in a country that does not offer an equivalent
standard of protection to the EU, we will take all reasonable steps necessary to ensure that the recipient
implements appropriate safeguards (such as by entering into standard contractual clauses) designed to protect your
personal information and to ensure that your personal information is treated securely and in accordance with this
- Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure –
however, once we have received your personal information, we will use strict procedures and security features to try
and prevent unauthorised access.
11. Exercising your Rights
- Right of access: you can write to us to ask for confirmation of what personal information we hold about you and
to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested
and we have successfully confirmed your identity, we will provide you with your personal information subject to any
exemptions that apply.
- Right of erasure: at your request and where you are entitled to, we will delete your personal information from
our records as far as we are required to do so. In many cases we would propose to suppress further communications
with you, rather than delete it.
- Right of rectification: if you believe our records of your personal information
are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal
information we hold about you if you are unsure whether it is accurate/ up to date.
- Right to restrict processing: you have the right to ask for processing of your personal information to be
restricted if there is disagreement about its accuracy or legitimate usage.
- Right to object: you have the right to object to processing where we are (i) processing your personal information
on the basis of the legitimate interests ground, (ii) using your personal information for direct marketing or (iii)
using your information for research or statistical purposes.
- Right to data portability: to the extent required by the GDPR, where we are processing your personal
information by automated means and either (i) because we have obtained your consent, or (ii) because such processing is
necessary for the performance of a contract to which you are party or to take steps at your request prior to entering
into a contact, you may ask us to provide your personal information to you – or another service provider – in a
- Rights related to automated decision-making: you have the right not to be subject to a decision based solely on
automated processing of your personal information which produces legal or similarly significant effects on you,
unless such a decision (i) is necessary to enter into/ perform a contract between you and us/ another data controller;
(ii) is authorised by EU or Member State law to which Nextbit is subject (as long as that law offers you sufficient
protection); or (iii) is based on your explicit consent. We may ask you for additional information to confirm your
identity and for security purposes, before disclosing personal information requested to you.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you
contact us using the details in section 14 below. You are further entitled to make a complaint about us or the way we
have processed your data to the data protection supervisory authority in your home country. In the UK this is the
Information Commissioner’s Office. For further information on how to exercise this right, please contact us using the
12. Changes to this notice
We may update this Notice from time to time so please check back periodically. We will notify you of significant
changes by contacting you directly and by placing a notice on our website. This notice was last updated on
9 December 2019.
13. Links and third parties
In the future we may link our website directly to other sites. This notice does not cover external websites and
we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy
notices of any external websites you visit via links on our website.
Please let us know if you have any questions or concerns about this notice or about the way in which Nextbit processes
your personal information by contacting us at the following channels:
- Email: firstname.lastname@example.org
- Telephone: +39 02 4549 8472
- Post: Nextbit S.r.l., Via San Vittore 3, 20123 Milano, Italy
Please mark the message for the attention of / ask for the Data Privacy Manager.