Privacy Notice

Privacy notice on the processing of personal data

by Plank Italy S.p.a. società benefit

Digital platform and mobile applications

Last updated: 27 March 2026

This notice describes how Plank Italy S.p.a. società benefit (“Plank”, “the Company” or “we”) collects, uses and protects personal data processed in the context of the provision of the Plank digital platform, mobile applications and related technology services (collectively, the “Services”).

Plank develops and operates a software platform primarily intended for business clients, such as energy operators and other organisations that use the platform to manage their own services and relationships with their users or customers. The platform may be used via web interfaces or via mobile applications distributed through digital stores.

This notice is published on the platform and is presented to users upon first access or registration. It is accessible at any time from the “Privacy – Legal Documents” section of the portal and mobile applications.

This notice is intended to provide users with clear and transparent information about the processing of personal data carried out by Plank as an independent data controller, in compliance with Regulation (EU) 2016/679 (“GDPR”) and applicable data protection legislation.

1. Data controller

The data controller is Plank Italy S.p.a. società benefit, with registered office at Sestiere Santa Croce 466/B, 30135 Venice (Italy), Tax Code and VAT No. 04545400279.

For any request or information regarding the processing of personal data, the Company may be contacted at the following addresses:

  • Email: gdpr@plank.global
  • Post: Plank Italy S.p.a. – Data Protection Officer – Sestiere Santa Croce 466/B, 30135 Venice (VE)

2. Data Protection Officer (DPO)

Plank Italy S.p.a. has appointed a Data Protection Officer (DPO) pursuant to Art. 37 of the GDPR, taking into account the nature, scope and purposes of the processing carried out as a data processor on behalf of multiple business clients on a large scale.

The DPO may be contacted at the following addresses:

The DPO operates independently and may be contacted directly by data subjects for any matter relating to the processing of their personal data and the exercise of their rights.

3. Role of Plank in the context of the Services

This notice governs exclusively the processing carried out by Plank as an independent data controller, i.e. the processing that Plank carries out for its own purposes in the context of the technical management and security of the platform. It is addressed to professional users who access the platform on behalf of Plank's business clients.

Processing as Independent Controller. Plank acts as an independent controller for activities strictly related to the technical management and security of the platform, such as user authentication, session management, technical infrastructure monitoring, security log management, prevention of unauthorised access or abuse, and technical maintenance of the services.

Processing as Data Processor. Separately from the above, Plank acts as a data processor pursuant to Art. 28 GDPR when it processes personal data on behalf of its business clients, who act as data controllers for the data relating to their own users or end customers. For such processing, the business client is the party responsible for fulfilling information obligations towards its end users.

Users who interact with services provided by a Plank client through the platform are therefore invited to also consult the privacy notice of the client itself, which governs the processing of personal data carried out in the context of the services it provides.

4. Types of personal data processed

In the course of providing the Services, Plank may process, as an independent controller, the following categories of personal data relating to professional users who access the platform on behalf of business clients:

  1. Identification and authentication data: account identifiers, access credentials and session data necessary to enable secure access to the platform.
  2. Professional profile data: first name, last name, professional email address, organisation, role or job function.
  3. Operational and service data: information relating to the management of support requests, operational communications, documents or attachments uploaded by users or other content necessary for the operation of the platform’s features.
  4. Technical and diagnostic data: IP address, device type, operating system, application version, session identifiers, technical logs and diagnostic data necessary for the monitoring and correct operation of the systems.
  5. Data relating to mobile application usage: when using mobile applications, certain features may require access to the camera, photo library or local files, solely for the purpose of enabling the use of the relevant features.

Biometric data

Where the application allows the use of device biometric systems (e.g. facial recognition or fingerprint) to facilitate access to the user session, such mechanisms are managed exclusively by the device operating system. Plank does not store, collect or process biometric templates.

Biometric data constitutes special categories of data pursuant to Art. 9 GDPR. Since their processing takes place entirely on the user’s device through the operating system APIs, and Plank has no access to such data, the applicable legal basis is the explicit consent of the user expressed through their device settings (Art. 9(2)(a) GDPR).

Data relating to end customers of business clients

In the context of the use of the platform by business clients, personal data relating to the end customers of such clients may also be processed. In such cases, the business client acts as data controller pursuant to Art. 4(7) GDPR, while Plank acts as data processor pursuant to Art. 28 GDPR, limited to the provision of the platform and related technology services.

5. Purposes and legal bases for processing

Personal data for which Plank is an independent controller is processed for the following purposes and on the following legal bases:

5.1 Authentication and access to the platform

Purpose: to enable user authentication, session management and use of the platform’s features.

Legal basis: performance of the contract for the provision of the Services entered into between Plank and the business client, under which professional users are authorised to access the platform (Art. 6(1)(b) GDPR).

Data provision: mandatory for access to the platform. Without such data it is not possible to use the Services.

5.2 Technical management, security and abuse prevention

Purpose: technical management of the platform, maintenance, system monitoring, detection of anomalies or vulnerabilities, prevention of IT incidents, prevention of unauthorised access or abuse, defence of the Company’s rights in the event of abusive or non-compliant use, security audits.

Legal basis: legitimate interest of Plank pursuant to Art. 6(1)(f) GDPR, consisting in ensuring the security, integrity and reliability of its digital services, protecting the data of its clients and users from unauthorised access, fraud or abuse, and ensuring the operational continuity of the platform. Plank has carried out a balancing exercise between its legitimate interests and the fundamental rights and freedoms of data subjects, concluding that such interests are not predominantly detrimental to data subjects, as the data processed for these purposes are technical system data and not sensitive or content data.

Data provision: the processing is necessary for the technical operation of the platform and is not subject to user choice. The user nevertheless has the right to object pursuant to Art. 21 GDPR (see Section 10).

5.3 Compliance with legal obligations

Purpose: to comply with legal obligations or to respond to requests from competent authorities, where such obligations arise from applicable legislation.

Legal basis: compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR).

Data provision: mandatory as required by law. Failure to provide data may result in Plank being unable to fulfil its regulatory obligations.

5.4 Aggregate statistical analysis

Purpose: in aggregate and non-identifiable form, certain information relating to the use of the platform may be used for statistical analysis and to improve the performance, security and quality of the Services offered.

Legal basis: legitimate interest of Plank in improving the quality and performance of its services (Art. 6(1)(f) GDPR). Since the data is processed in exclusively aggregate and anonymous form, the impact on data subjects' rights and freedoms is negligible.

Plank does not use data collected through the platform for behavioural advertising or commercial profiling purposes.

6. Automated decision-making and profiling

Plank does not carry out automated decision-making, including profiling, that produces legal effects or similarly significantly affects data subjects within the meaning of Art. 22 GDPR.

The automated monitoring systems of the platform (e.g. detection of access anomalies) are used exclusively for technical security purposes and do not produce automated individual decisions with effects on data subjects. Any decision that may affect users is taken with human intervention.

Should automated decision-making processes relevant under Art. 22 GDPR be introduced in the future, this notice will be updated accordingly and data subjects will be provided with the additional information required by applicable legislation.

7. Disclosure of personal data

In the context of the purposes described above, personal data may be made accessible to or disclosed to the following parties:

  • Authorised Plank personnel, who operate on the basis of specific instructions and in compliance with confidentiality obligations.
  • Technical service providers (sub-processors pursuant to Art. 28 GDPR), such as cloud infrastructure providers, hosting services, monitoring and logging tools, technical support services. Such parties operate on the basis of specific contractual agreements governing processing instructions, applicable security measures and data management procedures.
  • Plank business clients, who may access users' personal data in the context of their contractual relationship with the users themselves.
  • Public bodies or competent authorities, where required by law or by orders of the authorities.

Plank does not sell or transfer personal data to third parties for commercial purposes.

8. International data transfers

Certain technical service providers used for the delivery of the platform are based in or process data outside the European Economic Area (EEA), in particular in the United States of America. Transfers of personal data to third countries are carried out in compliance with the safeguards provided for by applicable legislation, in particular through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission by Implementing Decision (EU) 2021/914 of 4 June 2021;
  • Any adequacy decisions adopted by the European Commission in relation to specific third countries.

Upon request, Plank can provide data subjects with a copy of the safeguards adopted for international transfers. Requests may be sent to gdpr@plank.global.

9. Data retention

Personal data is retained for the period of time necessary to achieve the purposes for which it was collected and to fulfil applicable contractual and regulatory obligations. The specific retention periods for each category of data are as follows:

| Data category | Period | Criterion |
|---|---|---|
| Account and professional profile data | Duration of the relationship + 12 months | Necessary for contract management and resolution of any disputes. |
| Technical access and authentication logs | 12 months | Proportionate to IT security and anomaly detection needs. |
| Security logs and audit trail | 24 months | Necessary for security incident investigations and compliance audits. |
| Operational data and uploaded documents | Duration of the contract with the business client + 30 days | Necessary for the provision of the service; deleted at the end of the relationship. |

At the end of the retention period, personal data is deleted or anonymised irreversibly.

10. Data security

Plank adopts appropriate technical and organisational measures to ensure the protection of personal data processed through the platform. Such measures include, among others, access control systems, communication protection, system monitoring, role-based authorisation management and backup and business continuity procedures.

While adopting technical and organisational measures appropriate to the nature of the data processed and the associated risks, Plank cannot guarantee that any IT system or data transmission over the Internet is completely risk-free. The Company therefore adopts ongoing monitoring and updating procedures for its security measures in order to reduce the risks of unauthorised access, loss or disclosure of data.

11. Data subject rights

Data subjects may exercise the following rights provided for by data protection legislation:

  • Right of access (Art. 15 GDPR): to obtain confirmation as to whether or not personal data concerning them is being processed and, where that is the case, to access the data and information relating to the processing.
  • Right to rectification (Art. 16 GDPR): to obtain the rectification of inaccurate personal data or completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): to obtain the erasure of personal data in the cases provided for by law (“right to be forgotten”).
  • Right to restriction of processing (Art. 18 GDPR): to obtain the restriction of processing in the cases provided for by law.
  • Right to data portability (Art. 20 GDPR): to receive their personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, where the processing is based on contract or consent and is carried out by automated means.
  • Right to object (Art. 21 GDPR): to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on the legitimate interest of the controller (Art. 6(1)(f) GDPR). In particular, data subjects may object to the processing described in Sections 5.2 and 5.4. The controller reserves the right not to comply with the objection where there are compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Withdrawal of consent

Where the processing is based on the data subject's consent (in particular for the use of device biometric systems through the device settings), the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The withdrawal of consent relating to biometric systems may be carried out directly from the device settings.

To withdraw any consent given in the context of using the platform, please contact Plank at gdpr@plank.global.

How to exercise rights and response times

Requests to exercise rights may be sent to Plank at gdpr@plank.global or by post to Plank Italy S.p.a., Sestiere Santa Croce 466/B, 30135 Venice (VE).

Plank responds to requests within one month of receipt. In the case of particularly complex or numerous requests, this period may be extended by a further two months, subject to notification to the data subject within the first month stating the reasons for the extension (Art. 12(3) GDPR).

Where Plank processes personal data on behalf of a business client acting as data controller, requests may also be directed to such client or forwarded by Plank to the competent controller.

12. Obligation to provide data

For certain purposes, the provision of data is necessary and the consequences of failure to provide data are as follows:

| Purpose | Nature of provision | Consequences of failure to provide |
|---|---|---|
| Authentication and access to the platform | Contractual | Inability to access the platform and the Services. |
| Technical management and system security | Necessary for contract performance / Legitimate interest | The processing is inherent in the technical operation of the platform; failure to provide such data would mean being unable to use the Services. |
| Compliance with legal obligations | Legal obligation | Inability for Plank to fulfil its regulatory obligations. |
| Aggregate statistical analysis | Legitimate interest | No direct consequences for the user. |

13. Right to lodge a complaint

Data subjects have the right to lodge a complaint with the competent supervisory authority for data protection or with any other competent supervisory authority if they believe that the processing of personal data violates applicable legislation.

Garante per la Protezione dei Dati Personali (Italy):

Alternatively, the data subject may contact the supervisory authority of the EU Member State in which they habitually reside, work, or in which the alleged infringement occurred.

14. Changes to this notice

This notice may be updated periodically to reflect any changes to the Services, legislative developments or changes in the way personal data is processed. The updated version will be published on the platform and will indicate the date of the last update and the version number.

Where changes are material within the meaning of Art. 13 GDPR, Plank will notify users with at least 30 days' notice, via in-app notification or by email to the address associated with the account. Continued use of the Services after such period constitutes acknowledgement of the changes made.

Previous versions of the notice are retained by the Company for accountability purposes under Art. 5(2) GDPR and are available upon request.