Premise
under Articles 13-14 of EU Regulation no. 679/2016
EUGENIO FALCO - FZCO, (hereinafter the "Data Controller"), in accordance with Articles 13 and 14 of EU Regulation no. 679/2016, hereby provides information regarding the processing of personal data in the provision of its services.
It is important to note from the outset that the entire information must be read with the understanding that the Data Controller provides a service exclusively aimed at selling editorial materials and training courses.
This information is also inspired by Recommendation no. 2/2001 which the European authorities for the protection of personal data, gathered in the Group established by Article 29 of Directive no. 95/46/EC, adopted on May 17, 2001, to identify some minimum requirements for the collection of personal data online, including the methods, timing, and nature of the information that data controllers must provide to users when they connect to web pages, regardless of the purpose of the connection, as following consultation of a website, data relating to identified or identifiable individuals may be processed.
This information is provided only for the Data Controller's website and not for other websites that may be consulted by the user through links.
Art. 1. Data Controller - Data processing and protection officer
The Data Controller of your data is EUGENIO FALCO - FZCO, with registered office in Dubai Silicon Oasis, DDP, Building A1, Dubai, United Arab Emirates, holder of numerous portals, email info@eugeniofalco.com. The collaborators and employees of the Data Controller (administrative, commercial personnel), as data controllers and processors, are all entrusted with specific tasks regarding data processing.
Art. 2. Location of data processing
Personal data is processed at the Data Controller's premises, as well as on IT support through software provided by various Partners and devices made available to authorized persons for processing.
The processing related to the websites' services is carried out with the help of ClickFunnels.com - an Etison Product, located at 3443 W. Bavaria St. Eagle Idaho 83616, to which its privacy policy is referred, and is managed only by technical staff responsible for processing and any maintenance personnel.
Art. 3. Types of data processed
The Data Controller exclusively processes data voluntarily provided by the user, or data acquired from third parties with explicit consent; data strictly necessary to fulfill any request, whether it be for information or service provision.
For the provision of services and/or pre-contractual activities, the Data Controller processes the following categories of data:
1. Common personal data (any information relating to an identified or identifiable natural person, even indirectly, by reference to any other information, including a personal identification number), including: personal, banking/financial, and contact information.
a) Browsing Data. The IT systems of the Website and Blog collect certain Personal Data, the transmission of which is implicit in the use of Internet communication protocols. These are pieces of information not collected to be associated with you but which, by their very nature, could, through processing and association with data held by third parties, allow for your identification. This data is used to derive anonymous statistical information about the use of the Website and to monitor its proper functioning; to allow – given the architecture of the systems used – the correct provision of the various functionalities requested by you, for security reasons, and to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Website or third parties. For example, upon accessing the Data Controller's website pages, user data will be transmitted through the internet browser and saved in server log files, the so-called server logs. The following data will be saved: date and time of access, name of the visited website, IP address, referrer URL (originating URL through which you arrived at the Data Controller's websites), amount of data transmitted, information regarding the product and version of the browser used. User IP addresses are deleted or anonymized at the end of use. In the case of anonymization, IP addresses will be modified in such a way as to not be attributable to a specific individual without excessive effort in terms of time, costs, and labor. We analyze these series of log data anonymously in order to improve our offerings, identify and eliminate errors more quickly, and to monitor server capabilities. In addition to this information on data acquired through browsing the Data Controller's portal, the data subject is invited to consult the Cookies section, which is an integral part of this information.
b) Voluntarily Provided Data. Through the Website and/or through control systems generated by our IT systems, you have the possibility to voluntarily provide images, photos, videos, identity documents, and Personal Data such as name, surname, email address, or banking data to make a payment. The Data Controller will process this data in compliance with the Applicable Regulations, assuming that they refer to you or to third parties who have expressly authorized you to provide them based on a suitable legal basis legitimizing the processing of the data in question. In relation to such hypotheses, you act as an autonomous Data Controller, assuming all legal obligations and responsibilities. In this regard, you provide the broadest indemnity with respect to any dispute, claim, request for compensation for damages resulting from processing, etc., that may be received by the Data Controller from third parties whose Personal Data have been processed through your use of the Website in violation of the Applicable Regulations.
c) Data processed in interaction with social networks. In addition to filling out the appropriate service request forms, you can submit such a request, if you have a Facebook or Google profile, simply by clicking on the "Sign up with Facebook" or "Sign up with Google" button. In this case, Facebook or Google will automatically send some of your data to the Data Controller, as specified in the relevant "pop-up" window displayed at the time of the request, and there will be no need for you to fill out other forms.
d) Special Categories of Data. The App relies on a platform that allows you to access your data, content, programs, and results at any time and place. This necessarily entails the processing, by the Data Controller, of data that, taken as a whole, may reveal certain personal details and that therefore fall within the special categories of personal data referred to in art. 9 of the Regulation. Indeed, the App provides a service that involves the processing of personal data such as, by way of example, first and last name, date of birth, email address, as well as information. In this regard, it is clarified that such information is necessary in order to provide you with the requested evaluations.
e) Geolocation. Among the services offered by the Website is the possibility for the user to view their geographical location (transmitted, with prior consent, from the user's device to the application) on a map. These location data are not transmitted or made accessible outside the user's mobile device, therefore the Data Controller does not process any of this data. Conversely, the App, with your express authorization, processes data regarding your location in order to provide you with the service, as better described in the App's Terms and Conditions of Use. The user always has the option to deny the App access to their location data through the settings of their mobile device. Images and videos collected during the session will not be processed through specific technical devices suitable for identifying the data subject.
Art. 4. Purpose of processing
The Data Controller informs that personal data will be processed to the extent strictly necessary to fulfill the following purposes:
a) purposes related to the execution of a contract of which you are a party or to the execution of pre-contractual measures adopted at your request;
b) purposes relating to compliance with a legal obligation to which the Data Controller is subject;
c) purposes necessary to ascertain, exercise, or defend a right in court or whenever the judicial authorities exercise their judicial functions;
d) to enable browsing of the Website and the provision of the services of the Data Controller;
e) to respond to specific requests addressed to the Data Controller;
f) to fulfill any obligations provided by current laws, regulations, or community legislation, or to meet requests from authorities;
g) to carry out direct marketing via email for services similar to those subscribed to by you, unless you expressly refuse to receive such communications, which you can express during registration or on subsequent occasions;
h) to carry out marketing/newsletter activities such as: conducting studies, market research, statistics; sending informative and promotional material relating to the activities, services, and products of the Data Controller and its commercial Partners (without any communication of personal data owned by the Data Controller to the aforementioned Partners); sending surveys to improve the service ("customer satisfaction"). Such communications may be made via email or SMS, through postal mail and/or the use of the telephone with operator and/or through the official pages of the Data Controller on social networks, or even through push notifications via the App; it is specified that the Data Controller collects a single consent for the marketing purposes described here, pursuant to the General Provision of the Guarantor for the Protection of Personal Data "Guidelines on promotional activities and counteracting spam," of July 4, 2013; if, in any case, you wish to object to the processing of your data for marketing purposes carried out by the means indicated here, you can do so at any time by contacting the Data Controller at the contact details indicated in the "Contacts" section of this information, without prejudice to the lawfulness of the processing based on the consent given before the revocation.
l) for statistical or research purposes, without it being possible to trace your identity.
Art. 5. Data Processing Methods
Information systems and computer programs are configured to minimize the use of personal data and identifying data, so as to exclude processing when the purposes can be achieved through anonymous data or through appropriate methods that allow the data subject to be identified only when necessary. To access the service offered by the Data Controller, the data subject will initially provide only common personal data that will be processed by administrative personnel. Indeed, the Data Controller takes all possible security measures to prevent agents from processing data not necessary for the fulfillment of the relevant purpose.
Your personal data will be recorded, processed, managed, and stored using electronic computer tools and only possibly in paper form. In any case, the chosen method will not affect the security and confidentiality of the data itself, which remain guaranteed. Personal data is managed with automated tools for the time strictly necessary to achieve the purposes of the processing. Specific security measures are observed to prevent data loss, unlawful or incorrect uses, and unauthorized access.
In this regard, there is a widespread distribution of responsibilities, and possible activities on the data are defined through regulations and operational instructions to the agents. The Data Controller has committed to providing training courses and updates on privacy issues, potential dangers, and responsibilities related to data processing. Moreover, all operators accessing computer systems are identifiable, bound by professional and/or office secrecy, and in any case authorized to process data.
In cases where special laws require data processing in anonymous form (protection of victims of acts of sexual violence and pedophilia, HIV positivity, use of narcotics, psychotropic substances, and alcohol, voluntary termination of pregnancy, anonymous childbirth, services offered by family planning clinics, responsible procreation choices, etc.), data is obscured at the time of their creation in accordance with the provisions of current law and is not subject to processing. The Data Controller does not carry out profiling on the processed data.
Art. 6. Security Measures
The processing of personal data is guaranteed by the application of suitable and preventive security measures that minimize the risks of destruction or loss, including accidental, unauthorized access, or unauthorized or unlawful processing not in line with the purposes of collection.
Organizational choices and operational methods regarding security in the processing of personal data are also defined for the processing of sensitive personal data using electronic tools. The security system for personal data identifies organizational choices and operational methods regarding security in the processing of personal data, particularly regarding:
the list of personal data processing;
access to authorized personnel based on the purpose of the processing;
risk analysis on data;
measures to ensure the integrity and availability of data;
description of criteria and methods for restoring data availability following destruction or damage;
planning of training interventions for processing agents, to educate them about the risks to data, available measures to prevent harmful events, relevant aspects of personal data protection legislation in relation to their activities, resulting responsibilities, and methods for staying updated on the minimum measures adopted by the Data Controller;
description of criteria for ensuring the adoption of minimum security measures in case of personal data processing entrusted outside the Data Controller's structure or transferred abroad;
for personal data suitable for revealing health status and sexual life, identification of criteria for encryption or separation of such data from other personal data of the data subject.
Art. 7 Data Recipients
The subjects who will process your personal data are:
individuals appointed within the structure of the Data Controller, necessary for the provision of the services offered;
subjects who typically act as data processors, namely:
i) individuals, companies, or professional firms providing assistance and consultancy services to the Data Controller in accounting, administrative, legal, tax, and financial matters;
ii) subjects delegated to carry out technical maintenance activities;
iii) banks, insurance companies, and brokers;
iv) companies controlling, controlled by, or affiliated with the Data Controller, limited to the pursuit of administrative-accounting purposes related to organizational, administrative, financial, and accounting activities;
persons authorized by the Data Controller to process Personal Data who have committed to confidentiality or have a legal obligation of confidentiality; (e.g., employees and collaborators of the Data Controller);
subjects, entities, or authorities to whom it is mandatory to communicate your personal data by virtue of legal provisions or orders from authorities;
judicial authorities in the exercise of their functions when required by Applicable Law.
The display of personal data takes place only by authorized subjects according to specific methods, related to the content of the contract signed by the data subject and in compliance with the purposes already described.
The designation is made through a "designation act" inserted in agreements, conventions, or contracts that involve the outsourcing of personal data processing outside the Company.
7.1 Internal Data Processors
Considering the complexity and multiplicity of the institutional functions of the Company, the Data Controller designates the following as Data Processors:
• each Manager in charge of a Business Unit of the Company, for paper-based databases and electronic databases of individual structures;
• the Manager Responsible for the IT Service for centrally managed electronic databases;
• all external subjects who, in any way, use the Data Controller's database on behalf and in the interest of the Data Controller for purposes related to the exercise of its business functions (Article 9).
The designation of internal Data Processors is linked to the assignment of the structure and is considered accepted upon the signing of the contract. The Data Controller must inform each Data Processor, as identified by the Regulation, of the responsibilities entrusted to them in relation to the provisions of the current regulations. Each Processor must ensure:
timely and complete compliance with the Company's duties as provided by the Code, including the security profile;
compliance with the provisions of this Regulation as well as specific instructions issued by the Data Controller;
interaction with the Supervisory Authority in case of requests for information or other inquiries;
adoption of suitable measures to ensure, in the organization of services and performances, respect for the rights, fundamental freedoms, and dignity of the data subjects, as well as professional secrecy, without prejudice to what is provided for by current legislation and the company's security system concerning the processing methods of sensitive data and minimum security measures.
The Data Processing Manager, in relation to the implementation of security measures, has the following tasks:
• draw up and update the list of types of processing carried out (census – art. 16);
• request the IT Service Manager to assign each Data Processor a personal individual identification code that is not reusable for accessing the data;
• safeguard the passwords for data access by the Data Processors;
• verify with the IT Service Manager the effectiveness of protection programs and antivirus as well as define access measures to premises and security measures against the risk of intrusion;
• ensure that all security measures concerning the Company's data are applied both within the Company itself and externally, in case third-party subjects such as Data Processors have access to them;
• inform the Controller in the event of identified risks.
• All those who, in any way, manage, individually and separately from the individual structure they belong to, personal data of third parties, assume individually the role of autonomous "Data Controllers."
7.2 External Data Processors
All external subjects who carry out processing operations on the Company's databases, on behalf and in the interest of the Company, for purposes related to the exercise of business functions, are appointed "External Data Processors."
External Data Processors are obliged to:
• process data lawfully, fairly, and in full compliance with the current privacy regulations;
• comply with the security measures provided by the privacy Code and adopt all measures that are suitable to prevent and/or avoid the disclosure or dissemination of data, the risk of destruction or loss, even accidental, unauthorized access, or unauthorized or non-compliant processing with the purposes of collection;
• appoint within their organization the persons responsible for processing;
• ensure that the processed data are made known only to personnel entrusted with processing;
• process personal data, including sensitive and health-related data, of Patients exclusively for the purposes provided for by the contract or agreement;
• comply with the provisions issued by the Data Controller;
• specify the locations where the data processing physically takes place.
In case of non-compliance with the aforementioned provisions, External Data Processors are to be considered autonomous "Data Controllers" and are therefore subject to the respective obligations and directly and exclusively liable for any violations of the law.
7.3 Data Processors
Every employee assigned to a specific service and required to perform technical processing operations is considered, for all intents and purposes, a "Data Processor" pursuant to art. 30 of the privacy Code.
The Data Processor, in carrying out operations strictly related to the fulfillment of their functions, must scrupulously adhere to the instructions issued by the Data Controller and the Manager, undertaking to adopt all security measures provided by this Regulation as well as any other measures that are suitable to prevent and/or avoid the disclosure or dissemination of data, the risk, even accidental, of destruction or loss, unauthorized access, or unauthorized or non-compliant processing with the purposes of collection.
The Data Processor collaborates with the Controller and the Manager by reporting any risk situations in data processing and providing all necessary information for the performance of control functions.
In particular, the Data Processor must ensure that, during processing, the data are:
- processed lawfully and fairly;
- collected and recorded for specific, explicit, and legitimate purposes, and used in other processing operations in a manner compatible with these purposes;
- accurate and, if necessary, updated, relevant, complete, not excessive, and, if sensitive data, indispensable with respect to the purposes for which they are collected or subsequently processed;
- stored in a form that allows the identification of the data subject for a period not exceeding that necessary for the purposes for which they were collected or subsequently processed.
The Data Processor is obliged to maintain complete confidentiality regarding the data they become aware of during the performance of their activity, undertaking to disclose the data exclusively to the subjects indicated by the Controller and the Manager, only in cases provided for by law and/or in the course of business activities.
The appointment of the Data Processor is made by appointing the employee, by means of an employment contract or service order, to the individual service unit for which the scope of processing is identified through data census cards.
Data Processors must receive suitable and detailed instructions, even for homogeneous groups of functions, regarding the activities on the entrusted data (entry, update, deletion, etc.) and the obligations they are required to fulfill.
Art. 8 Nature of Data Provision and Consent
Consent to the processing of personal data is both voluntary and indispensable for the provision of the requested service, i.e., the main purpose of data processing (including related administrative activities), since the lack of consent would prevent the use of the service.
Below are some special cases of obtaining consent for data processing based on special laws or related to specific categories of reports:
a) Minors
Consent to the processing of data of a minor under the age of 16 must be signed by at least one parent exercising parental authority.
b) Persons Under Guardianship
The guardian submits the consent form for data processing on behalf of the protected user, naming the user and completing it with their personal data and signature; to this form, the documentation issued by the Judicial Authority is attached, or alternatively, a self-declaration of guardianship authority.
c) Person Unable to Sign
The user who cannot sign the consent form due to illiteracy, temporary or permanent physical impairment, lack of a legal representative, can express their consent verbally or through other means (gestures), of which the operator takes note (perhaps with the help of a family member who knows the patient's ways of expressing themselves) with the aid of audiovisual recording tools that will be archived and used exclusively in the event of disputes.
8.1 Marketing Purposes
In case the customer explicitly consents, the contact details provided may be used by the Data Controller for the promotion of products or services similar to those purchased or adhered to by the customer, for the sending of advertising material exclusively related to the aforementioned services, or for conducting commercial communications.
By providing consent to Processing for Marketing Purposes, pursuant to art. 6, paragraph 1, letter a) of the Regulation, the data subject specifically acknowledges the promotional, commercial, and marketing purposes broadly defined of the processing and expressly authorizes such processing whether the means used for Processing for Marketing Purposes are by telephone with operator or other non-electronic, non-telematic means, or not supported by automatic, electronic, or telematic mechanisms and/or procedures or if the means used for Processing for Marketing Purposes are by email, fax, SMS, MMS, automatic systems without operator intervention, and similar, including electronic platforms and other telematic means.
In accordance with the General Provision of the Privacy Authority dated May 15, 2013, entitled "Consent to the processing of personal data for purposes of 'direct marketing' through traditional and automated contact tools," the attention of data subjects is specifically drawn to the following:
1. the consent given for the sending of commercial and promotional communications through electronic or telematic means will imply the receipt of such communications not only through said automated contact methods but also through traditional methods, such as postal mail or calls through an operator;
2. the collection of consent, whenever required, will be comprehensive and unitary and will refer to all possible means of marketing processing. To proceed with Processing for Marketing Purposes, it is mandatory to obtain specific, separate, express, documented, and entirely optional consent.
3. the possibility of freely revoking consent to the processing of personal data for purposes of "direct marketing," even partially with respect to certain means or treatments;
4. the aforementioned revocation can be exercised by writing to info@eugeniofalco.com and that opposition to such processing will have no consequences on the provision of services.
Furthermore, the Data Controller informs the data subject that the data may also be disclosed to third-party commercial partners. Consent to Processing for Marketing Purposes – if provided by the data subject – does not cover the different and additional marketing processing represented by the communication to third parties of data for the same purposes. To proceed with such communication outside, it is mandatory to obtain additional, separate, documented, express, and entirely optional consent from the data subject, in compliance with the General Provision of the Authority dated July 4, 2013, containing the Guidelines for countering spam.
In accordance with the General Provision of the Authority dated July 4, 2013, containing the Guidelines for countering spam, the third parties who are recipients of communications of personal data of data subjects for subsequent Processing for Marketing Purposes are identifiable with reference to the following subjects and economic or merchandise categories:
a) Third-party subjects belonging to the merchandise sectors of publishing, sports companies, suppliers of electronic communication goods and services, Internet service providers, communication agencies, companies providing insurance and financial services, companies in the food and catering sector, clothing, ICT hardware and software, banks and credit institutions, travel agencies, companies offering services in the tourism sector, companies offering services and goods for individuals, companies supplying goods and services in the energy and gas sector.
The provision of personal data to the Data Controller and the provision of consent to Processing for Marketing Purposes, as well as the separate consent for communication to third parties for Processing for Marketing Purposes for the purposes and in the manners described above, are absolutely optional and always revocable.
Since some purposes of the processing pursued are of a specific commercial, advertising, promotional, and marketing nature and since the forms on the Site by default pursue such purposes, if the data subject does not intend to give consent to Processing for Marketing Purposes, the consequence will be the inability to use the services of the Data Controller. Failure to provide consent to Processing for Marketing Purposes will interfere with and/or affect other existing business, contractual, or other types of relationships with the user.
Art. 9 Transfer of Data Abroad
Your personal data may also be subject to transfer to other countries within the European Union, solely to allow the appointed employees of the Data Controller to perform their work duties in execution of the contract.
Your personal data may also be subject to transfer to the United States (a country not belonging to the European Union) solely to allow the appointed employees of the Data Controller to perform their work duties in execution of the contract. For this reason, no sensitive data will be transferred abroad. The transfer of personal data to the United States is further guaranteed by the European Commission's "adequacy decision" on the privacy regulations of said country.
Your personal data may also be subject to transfer to the United Arab Emirates (a country not belonging to the European Union) solely to allow the appointed employees of the Data Controller to perform their work duties in execution of the contract. The transfer of personal data to the United Arab Emirates is not further guaranteed by the "adequacy decision" of the European Commission regarding the privacy regulations of said country.
Art. 10 Rights of the Data Subject
As a data subject of personal data processing, you may at any time exercise the rights provided for in art. 13(2) letters a) b) c) d) and e) of EU Regulation 679/2016.
In particular, you have the right to:
- Obtain confirmation of whether or not personal data concerning you exist;
- Access, i.e., receive communication of the data concerning you upon simple request;
- Object to the processing of your personal data for legitimate reasons;
- Rectify, i.e., modify and update the data;
- Be forgotten, i.e., have the data concerning you deleted. For the implementation of the right to be forgotten, the following distinction is necessary:
  - If data processing requires express consent, the mere revocation of the latter will be sufficient to obtain automatic deletion of the data;
  - If data processing requires implicit consent, deletion can be carried out, upon request, only if the personal data are no longer necessary for the purposes for which they were collected or processed.
- Restrict processing, which minimizes the use of data processing to what is necessary for its purposes. However, this right is only provided in the following specific cases:
  - Where the data subject contests the accuracy of personal data for the time strictly necessary to verify its accuracy;
  - Where, in the presence of unlawful processing, the data subject opposes the deletion of data;
  - Where, if the Controller no longer needs to retain the data, the data subject has an interest in their retention for the purposes of exercising or defending a legal right;
  - In case of objection to processing, but only for the time necessary to determine the primacy between the Controller's interest in processing and the data subject's right.
The restriction may be revoked at any time, and before the revocation takes effect, the Controller will inform the data subject.
- Data portability, which allows the data subject to receive their personal data in a commonly used format.
- Withdraw consent to the processing of data for the primary purposes of processing at any time. However, the revocation of consent may result in the inability to provide the service and, in any case, does not affect the lawfulness of processing based on consent given before the revocation;
- Withdraw consent to the processing of data for secondary marketing and newsletter purposes at any time. The revocation of consent does not prevent the data subject from using the services of the Data Controller. In any case, such revocation does not affect the lawfulness of processing based on consent given before the revocation;
- Lodge a complaint for violation of regulations with the privacy supervisory authority, without prejudice to any other legal action.
Requests should be addressed via email to: info@eugeniofalco.com
Art. 11 Data Retention Period
The data retention period is set by the Data Controller at 10 years from the last legally relevant processing or from the acquisition of consent to the same processing.
For any further clarification, the data subject can refer to http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1812198