CHARITX PRIVACY NOTICE
Information on the Processing of Personal Data
pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”)
Last updated: 9 March 2026
1. Data Controller
The Data Controller responsible for the processing of personal data is CharitX S.p.A., with registered office in [●], Tax Code and VAT number [●], e-mail address [●], certified e-mail (PEC) [●] (hereinafter the “Controller” or “CharitX”).
2. Scope of Application
This Privacy Notice governs the processing of personal data carried out by CharitX S.p.A. in connection with the management and operation of the digital platform called “CharitX”, accessible through the website www.charitx.com
and through the dedicated mobile application (collectively, the “Platform”).
This Privacy Notice applies to the processing of personal data related to the registration, access to, and use of the Platform and its functionalities.
In particular, this Privacy Notice applies exclusively to the personal data of individual Users who register for and use the Platform, as well as to legal representatives, contacts, or authorized individuals acting on behalf of Third Sector Entities who access and operate on the Platform in connection with the promotion, management, and participation in charitable initiatives.
The scope of this Privacy Notice expressly excludes the processing of personal data carried out by Third Sector Entities acting as independent data controllers, including with respect to personal data received through the Platform in connection with donations (“Donations”) or for tax, administrative, or reporting purposes.
Such processing activities are governed by the respective privacy notices adopted by the relevant Third Sector Entities, with which CharitX has no involvement and for which CharitX assumes no responsibility.
3. Categories of Personal Data Processed
In the context of registration, access to, and use of the Platform, CharitX processes different categories of personal data that are strictly relevant and proportionate to the purposes pursued, as described below.
3.1 Registration and Account Management Data
CharitX processes personal data provided directly by the User during registration and during the management of the User’s Account on the Platform.
Such data may include, by way of example:
first name and last name
email address
username
authentication credentials, processed in encrypted form.
In order to verify compliance with the requirements for accessing the Platform, and in particular to verify that the User is of legal age, CharitX also processes the Italian tax identification code (codice fiscale) exclusively for this purpose and in accordance with the principle of data minimization.
Users may also choose to complete their profile by uploading a profile image (avatar).
Where available, Users may access the Platform through authentication systems provided by social networks or third-party platforms. In such cases, CharitX may receive certain identification and authentication data from the relevant third-party provider within the limits established by the applicable privacy policies.
3.2 Data Relating to Use of the Platform and Social Interactions
During use of the Platform, CharitX processes data relating to the activities carried out by Users, including, by way of example:
information regarding Challenges promoted by the User or joined by the User
interactions with other Users
comments and feedback
textual, photographic, or audiovisual content uploaded or shared.
Data relating to usage preferences and interaction with the Platform’s functionalities may also be processed in order to ensure the proper functioning of the Platform and, where applicable, to improve the overall User experience.
3.3 Data Relating to Donations
With regard to Donations made through the Platform, CharitX processes the data necessary for the technical processing of donation transactions, such as:
the amount and date of the Donation
the recipient Third Sector Entity
technical information relating to the transaction.
Where a User chooses to provide personal and tax information in order to allow transmission to the relevant Third Sector Entities for the potential issuance of tax certifications, such data will be processed by CharitX solely for the purpose of facilitating the technical transmission of such information.
The recipient Third Sector Entities act as independent data controllers for any subsequent processing activities.
3.4 Data of Representatives and Contacts of Third Sector Entities
CharitX processes the personal data of legal representatives, contacts, or delegated individuals of Third Sector Entities operating on the Platform, including:
identification and contact details
the position and role held within the organization
information necessary for creating and managing the organization’s profile and its related Challenges.
3.5 Technical and Browsing Data
CharitX also processes technical and browsing data generated through access to and use of the Platform, including:
IP address
access logs
information relating to the device used and browser type
data collected through cookies and similar technologies.
Further details regarding such processing are provided in the Cookie Policy.
4. Purposes of Processing and Legal Bases
Personal data are processed by CharitX exclusively for specific, explicit, and legitimate purposes, strictly related to the functioning of the Platform and the provision of its services, in accordance with the legal bases established under Regulation (EU) 2016/679.
Personal data are processed to enable registration on the Platform, the creation and management of the User Account, and the verification of eligibility requirements for access to the services, including verification that the User is of legal age.
Such processing is necessary for the performance of a contract to which the data subject is a party, pursuant to Article 6(1)(b) GDPR.
Personal data are also processed in order to provide the functionalities and services available through the Platform, including participation in Challenges, social interactions with other Users, and the publication and management of content and feedback. These processing activities are likewise necessary for the performance of the contractual relationship.
With regard to Donations made through the Platform, personal data are processed for the purpose of technically facilitating payment operations and for transmitting the information necessary to Payment Service Providers and to the recipient Third Sector Entities. Such processing is based on the performance of a contract and, where applicable, on compliance with legal obligations.
Personal data may also be processed to comply with legal, regulatory, or administrative obligations, or to respond to requests or orders from competent authorities. In such cases, the legal basis is Article 6(1)(c) GDPR.
Finally, CharitX processes personal data for purposes related to Platform security, the prevention and detection of unlawful or abusive use, and the protection of its rights and interests, including in judicial proceedings. Such processing is carried out on the basis of the legitimate interest of the Controller pursuant to Article 6(1)(f) GDPR, while ensuring that the rights and freedoms of data subjects are respected.
5. Processing Based on Consent
Certain processing activities carried out by CharitX are not strictly necessary for registration or for the provision of essential services and are therefore carried out only with the User’s prior consent.
In particular, CharitX may process personal data for marketing and communication purposes, including sending newsletters, updates, promotional communications, and informational messages relating to the Platform, its functionalities, active or future Challenges, and charitable initiatives promoted through CharitX.
Such processing is carried out exclusively on the basis of the User’s consent pursuant to Article 6(1)(a) GDPR.
Subject to separate consent, CharitX may also process personal data for profiling and personalization purposes, including the analysis of preferences, interactions, service usage patterns, and participation in Challenges, in order to provide content and suggestions consistent with the User’s interests and to improve the user experience.
Where expressly provided and subject to additional specific consent, personal data may also be used to facilitate the transmission, through CharitX, of informational or promotional communications from Third Sector Entities present on the Platform regarding their initiatives, projects, or activities.
Providing such consent is entirely optional. Failure to provide consent or the withdrawal of consent will not affect the User’s ability to register on the Platform or to use its essential services.
Users may withdraw consent at any time through the settings of their Account or by contacting CharitX using the contact details provided in this Privacy Notice.
6. Nature of Data Provision
Providing personal data required for registration, Account management, verification of eligibility requirements, and the provision of Platform services is necessary.
Failure to provide such data may prevent CharitX from allowing registration, access to the Platform, or the performance of the contractual relationship with the User or the relevant Third Sector Entity.
Conversely, providing personal data for marketing, promotional communications, profiling, personalization of the user experience, or communications from Third Sector Entities is entirely optional.
Users may modify their preferences regarding data provision and consent at any time through their Account settings or by contacting CharitX.
7. Processing Methods and Security Measures
Personal data are processed primarily through electronic and telematic means, in accordance with the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, and confidentiality established by the GDPR.
CharitX implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.
Such measures may include:
authentication and access authorization systems
credential management procedures
encryption or pseudonymization techniques
monitoring and protection of the technological infrastructure.
Processing is carried out by personnel authorized by CharitX or by third-party service providers acting as data processors pursuant to Article 28 GDPR, based on contractual agreements ensuring confidentiality and security.
CharitX develops and manages its services according to the principles of privacy by design and privacy by default.
8. Recipients of Personal Data
Personal data collected through the Platform may be communicated, within the limits strictly necessary for the purposes described above, to:
Payment Service Providers, acting as independent data controllers
Third Sector Entities receiving Donations, acting as independent data controllers
technology, cloud, and IT service providers, appointed as data processors pursuant to Article 28 GDPR
judicial, administrative, or supervisory authorities, where required by law.
9. Transfers of Personal Data Outside the EU
Where personal data are transferred to countries outside the European Union or the European Economic Area, such transfers will take place in compliance with Articles 44–49 GDPR.
In particular, transfers will occur only where:
an adequacy decision adopted by the European Commission exists, or
appropriate safeguards are implemented, such as Standard Contractual Clauses approved by the European Commission.
Users may request additional information regarding such transfers by contacting CharitX.
10. Data Retention
Personal data are retained for no longer than necessary to achieve the purposes for which they were collected.
Personal data relating to registration, Account management, and service provision are retained for the duration of the contractual relationship between the User and CharitX.
Following termination of the relationship, personal data may be retained where necessary to comply with legal, administrative, accounting, or tax obligations, or to protect the legitimate rights and interests of CharitX, including in the event of disputes or legal proceedings.
Personal data processed on the basis of User consent for marketing or profiling purposes are retained until such consent is withdrawn.
After the applicable retention period has expired, personal data will be deleted, anonymized, or irreversibly de-identified, unless further retention is required by law.
11. Rights of Data Subjects
Users may exercise at any time the rights provided by Articles 15–22 GDPR, including:
the right of access
the right to rectification
the right to erasure (“right to be forgotten”)
the right to restriction of processing
the right to object to processing
the right to data portability.
Where processing is based on consent, Users may withdraw consent at any time.
Users may exercise their rights by contacting CharitX using the contact details provided in this Privacy Notice.
Users also have the right to lodge a complaint with the competent Data Protection Authority or seek judicial remedies if they believe that the processing of their personal data violates applicable law.
12. Role of Third Sector Entities and Payment Service Providers
Third Sector Entities that access and operate on the Platform process personal data received through CharitX as independent data controllers, for their own purposes, including the management of Donations, compliance with legal obligations, and the possible issuance of tax certifications or acknowledgements.
CharitX does not determine the purposes or means of such processing and does not exercise control over how such entities process personal data. Consequently, CharitX cannot be held responsible for such processing.
Similarly, Payment Service Providers used through the Platform act as independent data controllers with respect to personal data relating to payment transactions, including authentication data, transaction execution, fraud prevention, and compliance with applicable financial regulations.
CharitX does not access, store, or process payment instrument data, which are collected and managed directly by the Payment Service Providers through their own technological infrastructure.
Users are therefore encouraged to review the privacy policies and contractual terms provided by the relevant Third Sector Entities and Payment Service Providers.
13. Updates to this Privacy Notice
CharitX reserves the right to modify, supplement, or update this Privacy Notice at any time, in whole or in part, in order to comply with changes in applicable laws or regulations, decisions of competent authorities, developments in the services offered through the Platform, or organizational or technical changes.
Updated versions of this Privacy Notice will be made available through publication on the Platform and will indicate the date of the latest update.
Where required by applicable law, Users will be informed of significant changes through appropriate means, including direct communications.
Unless otherwise required by law, continued use of the Platform after the publication of the updated Privacy Notice will be deemed acceptance of the updated version, without prejudice to the rights granted to Users under applicable data protection law.