4Books Privacy Notice

pursuant to Articles 13 and 14 of EU Regulation 2016/679 on the protection of personal data (GDPR)

This notice describes the information collected, how it is used and shared, and how the Data Controller manages your privacy and your rights. The processing of your personal data will be carried out in compliance with the principles of lawfulness, transparency, fairness and protection of confidentiality and of your rights, always in accordance with the national and European legislation currently in force (GDPR, Legislative Decree 196/2003 as amended, Legislative Decree 101/2018).

In this Notice, 4books S.r.l., with registered office at Via del Tiratoio 1, 50124 Florence, Italy (hereinafter the “Controller”), owner of the website 4books.com and the 4books App (hereinafter, the “Platforms”), as Data Controller of personal data, provides information on how personal data are processed both for Users (“Standard Users”)—who visit and browse the Platforms—and for Business Customers—as well as for the users authorised by them (“Authorised Users”)—who enter into agreements with 4books, both for the purpose of using the service offered through the Platforms (hereinafter, respectively, the “Service” and the “Users”; and where conditions of this Notice apply only to Users authorised by the Business Customer, the term “Authorised User” will be used), pursuant to Article 13 of the GDPR.

1. Data Controller

The Data Controller is 4books S.r.l. (VAT no. 10655340965), with registered office at Via del Tiratoio 1, 50124 Florence, Italy (hereinafter, the “Controller”).

For certain processing activities, as further specified below, the Controller may act as Data Processor (pursuant to Article 28 GDPR: an entity delegated to process personal data on instructions and on behalf of the Controller) for the Customer (who instead acts as the Controller as mentioned above). In such case, the provisions of a separate data processing agreement executed with the Customer shall apply.

In accordance with Article 14 of the General Data Protection Regulation (GDPR), this notice is also provided to Authorised Users, i.e., employees authorised by Business Users, whose personal data have been partly provided by third parties, specifically employers, and not collected directly from the data subject. In such case, the source from which the personal data concerning Authorised Users are collected is the employer, which provided them to 4books for purposes related to the use of the Platforms. The collection of such data is necessary for accessing and using the App under the subscription purchased by the Business Customer.

The Platforms and any services offered through them are reserved for individuals who have reached eighteen (18) years of age. The Controller therefore does not collect personal data relating to persons under 18. The Controller will promptly delete any personal data inadvertently collected relating to persons under 18.

The Controller places the utmost importance on the right to privacy and the protection of its Users’ personal data. For any information regarding this privacy notice, Users may contact the Controller at any time using the following methods:

- Sending a registered letter with return receipt to the Controller’s registered office: 4books S.r.l., Via del Tiratoio 1, 50124 Florence, Italy

- Sending an email message to: [email protected]

The Controller has appointed a Data Protection Officer, who can be contacted at: [email protected].

2. What data do we process?

Within the scope of the relationship with 4books as Controller and Processor, the following categories of personal data (so-called common data) will be processed:

  • Data you provide directly through the various sections/forms on the website and in the App (e.g., first and last name, email address). Such data are used exclusively to handle your requests.
  • Data you send voluntarily, explicitly and optionally to the email addresses indicated on the website. In this case, the sender’s email address is acquired, which is necessary to respond to the request, as well as any other personal data included in the message. Such data are used exclusively to handle your requests.
  • Browsing data. The IT systems and software procedures used to operate this website acquire, during their normal operation, personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified data subjects; however, by its nature it could, through processing and association with data held by third parties, allow users to be identified. This category includes IP addresses or domain names of the computers used by users connecting to the site, URI addresses (Uniform Resource Identifier) of requested resources, the browser, the time of the request and other parameters relating to the operating system and the user’s IT environment. Such data are used solely to obtain anonymous statistical information on use of the site and to check its correct functioning, and are deleted immediately after processing.
  • Data collected during use of the platform by the Authorised User. Please note that for the Authorised User—where 4books acts as Data Processor pursuant to an explicit agreement between the parties in accordance with Article 28 GDPR—during the use of Content on 4books, personal data relating to the learning experience and use of the platform are collected. Such data are collected on behalf of and in the interest of the Business Customer’s Authorised User, who remains the Data Controller of the data in question. These data include:
    • Details on the user’s learning process, such as the answers provided, session duration, progress made, results achieved, account creation date and preferred language. These data are processed to provide a personalised experience and improve the effectiveness of the training courses offered.
    • Information about the user’s sessions, including access times, the type of browser and operating system used, as well as the user’s IP address. Such information is collected to ensure platform security and improve service usability.

    For the implementation of the processing activities described above, there is an appointment deed designating 4books as Data Processor, executed in accordance with Article 28 GDPR, which sets out 4books’ rights and obligations in managing personal data on behalf of the Business Customer’s Authorised User.
    • Coach AI (Premium+AI) specific data. While using the Coach AI feature (a conversational assistant based on artificial intelligence models), we process:
      • Texts typed in the chat and the generated response texts;
      • Feedback (e.g., like/dislike) and aggregated usage metrics (number of interactions, session duration, errors);
      • Minimum technical metadata necessary for delivery (date/time, request status).

      4Books does not send direct identifying data (e.g., name or email) to AI providers; texts are transmitted detached from the account.

3. Purposes of processing

Users’ personal data will be lawfully processed by the Controller pursuant to Article 6 of the Regulation for the following purposes:

a) contractual obligations and provision of the Service, to enable browsing of the Platforms and use of the Service (including by individual users authorised by the Business Customer), or to perform the relevant Terms of Use of the Platforms, which are accepted by the User during trial and/or purchase of the Service and/or upon signing the commercial proposal by the Business User;

b) to fulfil specific requests from the User. The User data collected by the Controller to allow use of the Service include the email address and Billing Data (namely: first name, last name, company, address, city, ZIP/postal code, country, province/state, email). Any additional data required for payment purposes will not be processed by the Controller but by different and autonomous controllers who operate the chosen payment circuit.

Unless the User provides the Controller with specific and optional consent for processing their data for the additional purposes set out in the following sections, the User’s personal data will be used by the Controller exclusively to verify the User’s identity (also through validation of the email address), thereby preventing possible fraud or abuse, and to contact the User only for service reasons (e.g., sending notifications relating to the Service). Without prejudice to what is stated elsewhere in this notice, in no case will the Controller make Users’ personal data accessible to other Users and/or third parties.

Access to and browsing of the Platforms where the Controller offers its services are free; however, use of such services is allowed only after registration of Users and Authorised Users of the Business Customer. The registration process consists of filling in a form in which the User (including those authorised by the Business Customer) is required to provide their personal data, some of which are mandatory, to activate authentication credentials (login + password) with which they can subsequently access the Platforms and use the services offered by the Data Controller.

c) marketing purposes, subject to the User’s explicit consent, in order to send news about products, services or offers promoted by the Controller.

d) administrative and accounting purposes, i.e., to perform organisational, administrative, financial and accounting activities, such as internal organisational activities and activities functional to fulfilling contractual and pre-contractual obligations;

e) legal obligations, i.e., to comply with obligations provided by law, by an authority, by a regulation or by European legislation.

f) Provision of the Coach AI feature: to provide personalised answers and suggestions through artificial intelligence models; legal basis: Article 6(1)(b).

g) Quality improvement, security and abuse prevention related to Coach AI (aggregated/anonymised analyses or, where necessary, pseudonymised analyses of feedback/metrics): Article 6(1)(f); the User may object at any time to processing that is not strictly necessary (Article 21 GDPR).

Coach AI does not make solely automated decisions that produce legal effects on the User.

h) As Data Processor on behalf of the Business Customer’s Authorised User, 4books collects personal data relating to the learning experience and the use of the platform by the Authorised User during access to training courses or assessment activities. This collection is carried out pursuant to the deed appointing 4books as Data Processor, executed between 4books and the Business Customer in accordance with Article 28 GDPR. The collected personal data include: (I) details on the user’s learning process, such as answers provided, session duration, progress made, results achieved, account creation date and preferred language; (II) information on the user’s sessions, including access times, the type of browser and operating system used, and the user’s IP address.

These data are collected solely to enable 4books to provide the service commissioned by the Business Customer and to support the Business Customer, as employer of the Authorised User, in integrating and effectively using the learning Platform within its organisation. This includes sharing platform-usage data with the Business Customer for the agreed purposes, in compliance with the GDPR and the Data Processor appointment deed.

By signing the Agreement with 4books, the Business Customer confirms and assumes full responsibility for obtaining the Authorised User’s required consent, where applicable, or warrants that the processing is based on a lawful legal basis. This assurance is an integral part of the responsibilities assumed by the Business Customer under the Agreement, releasing 4books from any direct liability relating to the collection of such consents. Therefore, before sharing the Authorised User’s data with the Business Customer, 4books relies on the confirmations and guarantees provided by the Business Customer, in compliance with personal data protection laws and ensuring respect for the rights of Authorised Users.

Providing the Controller with the personal data requested on the various occasions of collection may be necessary to pursue the purposes identified in the specific notice, or it may be optional. The mandatory or optional nature of providing the data is specified from time to time at the moment of collection, by marking mandatory information with a specific symbol (*). Any refusal to provide certain data marked as mandatory makes it impossible to pursue the main purpose of the specific collection: such refusal could, for example, make it impossible for the Controller to provide the available services. Providing additional data is optional and has no consequences for pursuing the main purpose of the collection.

Subject to the User’s explicit consent, personal data may be processed by the Controller for commercial and promotional purposes.

4. Processing methods and data retention periods

The Controller will process Users’ personal data using manual and IT tools, with logic strictly related to the purposes, and in any case in a way that ensures the security and confidentiality of the data.

Data are processed for the time necessary to perform the service requested by the User or, in general, to achieve the purposes for which they were collected. The User may always request that processing be stopped or that data be deleted. Please note that Users’ personal data are stored for the entire period necessary to provide the services and products requested. In addition, some data will be stored for longer periods due to tax-administrative/accounting obligations (10 years pursuant to Article 2220 of the Italian Civil Code). For marketing purposes, the retention period is 24 months.

Coach AI (Premium+AI):

  • Coach AI chat content (texts and responses): stored by 4books for a period not exceeding 30 days from the end of the conversation; once that period has elapsed, the data are deleted or irreversibly anonymised.
  • Coach AI provider technical logs: the provider may retain data strictly necessary for security/anti-abuse purposes for up to 30 days; if the Zero Data Retention (ZDR) option is configured, such content is not retained beyond the technical processing time.
  • Feedback and quality telemetry (e.g., like/dislike; metrics): preferably processed in aggregated/anonymised form; where not possible, in pseudonymised form. Pseudonymised logs are retained for up to 90 days; anonymised/aggregated datasets for up to 12 months for quality analysis and service improvement.
  • Backups: backup copies are encrypted, not used for operational purposes, and follow technical rotation cycles.

5. Scope of communication and disclosure of data

The Controller’s employees and/or collaborators in charge of managing the Platforms may become aware of Users’ personal data. Such persons, formally appointed by the Controller as “persons authorised to process”, will process User data exclusively for the purposes set out in this notice and in compliance with applicable privacy laws.

In addition, third parties may become aware of Users’ personal data where they may process personal data on behalf of the Controller as “External Data Processors”, such as, by way of example, providers of IT and logistics services functional to the operation of the Platforms, outsourcing or cloud computing providers, professionals and consultants.

Users have the right to obtain a list of any data processors appointed by the Controller, by requesting it from the Controller using the methods indicated in the following paragraph 6.

Where necessary, the Authorised User’s personal information may be communicated to certain external entities, including their employer. It is important to note that the specific answers provided during assessments will never be shared with the employer. However, the employer may access details about learning activity carried out, such as unique app logins, the number of sessions of all Authorised Users, reading/listening data for the various contents for everyone, the updates read, any certifications obtained and whether a learning path has been completed—excluding, as stated, the specific results obtained.

Coach AI Provider (Premium + AI): to provide Coach AI, 4books uses artificial intelligence models supplied by OpenAI (typically OpenAI Ireland Ltd for EEA customers), appointed as Data Processor (Article 28 GDPR) under a Data Processing Addendum (DPA). The transmitted contents are processed solely to provide the service and not for the provider’s own purposes, in accordance with the agreement. Similar wording is used in notices by other operators integrating an AI chat to support search/user assistance.

Data may be processed on servers located also outside the European Economic Area. In such case, the Controller ensures that transfers take place in compliance with Articles 44 et seq. GDPR (e.g., Standard Contractual Clauses), with adequate supplementary measures (upstream pseudonymisation, data minimisation, encryption in transit).

An updated list of Data Processors is available upon request, by contacting the Controller using the contact details provided.

6. Data subjects’ rights

Users may exercise the rights granted to them by the Applicable Legislation by contacting the Controller as follows:

  • by sending a registered letter with return receipt to the registered office of the Data Controller (4books S.r.l., Via del Tiratoio 1, 50124 Florence, Italy);
  • by sending an email message to: [email protected]

Pursuant to applicable privacy legislation, the Controller informs Users that they have the right to obtain information on: (i) the origin of the personal data; (ii) the purposes and methods of processing; (iii) the logic applied where processing is carried out with electronic tools; (iv) the identity details of the Controller and Data Processors; (v) the subjects or categories of subjects to whom personal data may be communicated or who may become aware of them as processors or authorised persons.

In addition, Users have the right to obtain:

a) access to, updating, rectification or, where they have an interest, integration of the data;

b) deletion, transformation into anonymous form or blocking of data processed in violation of law, including those whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;

c) certification that the operations referred to in letters a) and b) have been brought to the attention, as regards their content, of those to whom the data were communicated or disclosed, except where such requirement proves impossible or involves the use of means manifestly disproportionate to the right protected.

Users also have:

d) the right to withdraw consent at any time, where processing is based on their consent;

e) the right to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format), the right to restriction of processing of personal data and the right to deletion (“right to be forgotten”);

f) the right to object:

i) in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of collection;

ii) in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising material or direct selling or for carrying out market research or commercial communication;

iii) where personal data are processed for direct marketing purposes, at any time, to the processing of their data carried out for that purpose, including profiling to the extent that it is related to such direct marketing.

g) where they believe that the processing concerning them violates the Regulation, the right to lodge a complaint with the supervisory authority (in the Member State of their habitual residence, place of work or place of the alleged infringement). The Italian supervisory authority is the Garante per la protezione dei dati personali, with offices at Piazza di Monte Citorio 121, 00186 Rome (http://www.garanteprivacy.it/).

The Controller is not responsible for updating all the links displayed in this Notice; therefore, whenever a link is not working and/or updated, Users acknowledge and accept that they must always refer to the document and/or section of the websites referred to by such link.

This notice is a document that is constantly updated: the Data Controller reserves the right to make changes at any time, also in light of amendments to the laws or regulations governing this matter and protecting your rights. Changes will apply from the date of publication on the Platforms/website. We therefore invite you to consult this section regularly to check for publication of the most up-to-date Privacy Policy.