Privacy Policy - SocialWall Workplace

Last updated: July 29, 2025

Who We Are

This notice explains how Trainect S.r.l. ("Trainect", "we") processes the personal data of users who use:

• the SocialWall Workplace app (employees/members of client organizations),
• the back-office (administrators designated by the client).

Privacy contacts: [info@trainect.it] – [Trainect S.r.l., Via Calatafimi 21, 00185 RM]. If appointed, DPO: [loris.nanni@trainect.it].

Privacy Roles (GDPR)

For data processed on behalf of the client company (e.g., content, users, groups, messages, comments, reactions, settings): Data Controller = the client company; Trainect acts as Data Processor pursuant to Art. 28 GDPR, based on a Data Processing Agreement (DPA).

For certain independent purposes (e.g., platform security, technical telemetry and product improvement, legal compliance, accounting administration, store management): Data Controller = Trainect (Art. 6.1.f/b/c GDPR). In this context, Trainect may share usage data only with the client company associated with the user (see “Who We Share Data With”).

What Data We Process

• Account data: first name, last name, corporate email, role/function, legal entity/organization, manager (if any), user ID, profile settings.
• Content data (UGC): posts, photos/videos, links, comments, reactions, surveys and responses, metadata (date/time, author, channel).
• Technical/telemetry data: access logs, IP address, device/OS, app version, crashes and performance, usage events (e.g., opens, clicks, reading time).
• Administration data: role assignments, user management, communications sent from the back-office (emails, notifications).
• Support communications (if any).

We do not request special categories of data (Art. 9 GDPR). Users must not publish content containing such data; if it occurs, the client company is responsible for ensuring a valid legal basis.

How We Collect Data

• Registration/Provisioning: (i) self-sign-up with domain/"company code"; (ii) provisioning by client Admins; (iii) bulk import by Trainect upon client instruction (initial setup phase).
• App use: when you post/view content, add reactions/comments.
• Telemetry and security: via SDK/cookies/technical tools (see Cookie Policy).

Purposes and Legal Bases

Purpose	Legal Basis
Service delivery (access, feed, surveys, community, service notifications)	Contract with user/organization (Art. 6.1.b)
User administration and support	Contract (6.1.b)
Security, anti-fraud, operational continuity, audit	Legitimate interest (6.1.f) and/or legal obligation (6.1.c)
Usage telemetry, product analytics, feature improvement	Legitimate interest of Trainect (6.1.f)
Messages sent by Admins to their company population	Contract (6.1.b) / Data Controller's legitimate interest (6.1.f)
Promotional communications from Trainect (if provided)	Consent (6.1.a) – revocable
Legal compliance, accounting, responses to authorities	6.1.c

Legitimate interest balancing: Trainect evaluates to ensure that user rights are not overridden.

Who We Share Data With

• Client company associated with the user: usage reports (adoption, engagement, usage events), aggregated and/or per user as configured; never with other companies.
• External providers/Data Processors (hosting, email, crash analytics, performance monitoring, customer support), bound by Art. 28 agreements.
• Authorities when required by law.

Extra-EU transfers: where providers process data outside the EEA, Trainect adopts Standard Contractual Clauses and supplementary measures.

Retention

• Accounts and content: for the entire duration of the relationship with the client company; deletion/anonymization within 12 months of closure, except for backups (max 90 days) and legal obligations.
• Technical logs: 12 months (security); crashes/performance up to 24 months in aggregated form.
• Admin communications: for as long as necessary for traceability.

User Rights

Access, rectification, deletion, restriction, portability, objection; withdrawal of consent (where used). Requests via [info@trainect.it]. You retain the right to lodge a complaint with the Data Protection Authority.

Minors

The service is intended for corporate contexts; it is not aimed at individuals under 16 years of age.

Security

Encryption in transit and at rest, access control, tenant segregation, logging, business continuity. Data breach notification as per Art. 33–34 GDPR.

User-Generated Content

Users are responsible for the content they post. Unlawful, offensive, discriminatory content or content containing special/health data is prohibited, unless otherwise legally justified by the Data Controller.

Changes

We may update this notice; we will inform users via in-app communications or email. The current version is always available in the app.