Privacy Policy

Information on the processing of personal data relating to the website:

1: Foreword

This information notice will attempt to explain who and how processes the data of the person concerned (also referred to as the User), what their data are, and what their rights are and how they can exercise them. For particular clarifications, where the User does not understand or does not consider what is included in the information notice to be sufficient, he or she is invited to write to the following address:

2: Some important notions about personal data

What is meant by personal data? Personal data is any information that relates to an identifiable natural person. An email address is personal data. The text of a message, if it reveals information about a person, is personal data. A nickname is personal data, etc.

What does it mean to process data? The legal definition of processing includes any operation or set of operations concerning the collection, recording, organisation, storage, consultation, processing, modification, selection, retrieval, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction of data. Practically everything, therefore, that can be done with user data is processing. Already, therefore, collecting or reading data for instance, i.e. consulting them, is processing.

Why are they important to the data subject? Data tell who the data subject is and what he does. They are his, therefore, precisely because they are 'his', they are important, and it is also clear that because they are 'his', the data subject has the right to decide whether to let third parties process them - including this website - and to know how this is done.

Why are they important to the Data Controller? They are important because they allow Glenforest Ltd to have information about users.

3: Who processes the data

3.1 - The data controller is the person who makes the decisions on how to process the data, i.e. - among other things - what precautions to take to protect them, where to store them (whether on a server or in the cloud, etc.), what data to ask from the user, what to process and for what purpose, what and to whom to pass them on, how to manage the users' relationships and rights, who to choose as collaborator, manager or simple appointee to process the data, what instructions to give to collaborators, etc. Therefore, since the data controller is very important, let the user know that this is:

Glenforest LTD
16 Muir Street, Hamilton, ML3, Scotland

Then, with regard to any ancillary functions, Glenforest Ltd may make use of internal parties authorised to process the data (also known as data processors) or external parties, mostly as data controllers, autonomous data controllers or joint data controllers, as the case may be.

3.2 - The data are communicated to persons within the Controller (employees) who collaborate in the executive and administrative management of the service.
They may be further communicated in compliance with disclosure obligations in the event of a request by a public authority (e.g. request by a court, tax assessment, etc.).
In addition, the data are disclosed to the hosting service, the newsletter service provider, and third-party operators of cookies installed via the site (see the relevant notice).

It is important to know that Glenforest Ltd can manage and dominate only the data stored and processed within its own system: data transferred or disclosed to third parties will be, in the manner and to the extent, independently processed by the third parties to whom they are disclosed according to their own privacy policies. In any event, where Glenforest Ltd ceases to process a user's personal data, it will also give notice of the cessation to the parties to whom such data has been disclosed, but cannot guarantee the cessation of processing by those parties.

4. Where it processes them

Glenforest Ltd processes Users' personal data in a cloud located in the EU.

5. What data is processed

Based on the meaningful quality of the data, one can identify:

  • Contact data: email;
  • Identifying Data: first name, last name.
  • Content Data: the content of the communication sent by the User through the form.
  • Navigation data.

6. For what purposes are data processed, and indication of the legal basis and retention period

Glenforest Ltd processes user data for the following purposes:
Responding to requests sent by the user (information, exercising rights, etc.): this consists of responding to contacts made by the customer/user (by email or other form of contact).
Legal basis: performance of the service requested by the user in the communication (such as exercising a right);
Duration: ten years (obligation to keep business correspondence).
Data processed: contact, identification and other data depending on the content of the request (e.g. information contained in the text of the request may refer to persons, and as such is personal data).
Creating member database: Glenforest Ltd creates an internal database of contacts received via forms on the site. The database is used for the following purposes
as a backup copy of the addresses from which communications are received;
Legal basis:
A) legitimate interest of the data controller in the storage of contact data (deemed to prevail over contrary interests in that it ensures the availability of the data to Glenforest Ltd and conversely - as it is data of little danger and significance - does not prejudice the user).
B) consent of the data subject expressed with a flag at the bottom of the contact form (or by entering the email address in the appropriate field);
A) until removal request (see clause on exercising rights) by sending an email to;
B) until revocation of consent;
Data processed:
A) email, identification, content
B) email, identification, content.

Please note: consent may always be revoked. Withdrawal of consent means that the processing of data for the purpose for which consent was given ceases from that moment on.

Social sharing: The service hosts functions (widgets, buttons or similar) that enable the user to quickly share a web page or other event. It is up to the user to share such events, but sharing alone involves the transmission of data to the social, and in particular the navigation and subscription to Glenforest Ltd, as well as in some cases the device and IP address from which the subscription or sharing is made. This data is then managed by the social according to its own logic and policies.
Data processed: shared event, social account, IP or connection device used to subscribe or share social,
Legal basis: execution of the sharing service and legitimate interest of the Owner in the dissemination of the event and - indirectly - the consequent promotion of its service. The legitimate interest is deemed to prevail over the interests and rights of users for the following reasons
- the event being shared is of little importance (only the page or other event can be shared);
- The event is shared with positive and conscious action on the part of the user;
- The event is shared on social platforms to which the user is already subscribed;
- The user has the option to delete the shared social post whenever he/she wants (according to the settings of most of these platforms);
Duration: instantaneous as far as Glenforest Ltd is concerned. The duration of the processing carried out by the social depends on the relevant policies regarding the processing of personal data.
Sending newsletters for own marketing purposes: The user's email address is used to send periodic emails with operational and promotional content about services provided by Glenforest Ltd.
Data used: contact details, possibly personal preferences or qualities where emails are intended for a selected audience.
Legal basis: consent given during the registration phase by entering the e-mail in the form provided.
Duration: until cancellation from the newsletter service using the appropriate function. The data will be retained after this revocation solely for the purpose of proving the revocation.
Email sending frequency: quarterly;
Statistics: processing of statistics based on the categories of users in order to optimise the Controller's business (to assess the most interested categories, etc.).
Legal basis: legitimate interest of the Data Controller to assess market sectors of interest, effectiveness of the sales system.
Duration: statistics are carried out in real time, but only the aggregated and therefore anonymised data is stored.

7. How data is conferred

Data are conferred directly by the User by filling in the appropriate form on the site.

8. Which data are mandatory and which are optional (and the consequences of a refusal to give data)

The contact and identification data of the User is mandatory.
Failure to provide it will make it impossible to perform the requested service (reply to contact).
Furthermore, data that is formed in the drafting of the communication (e.g. what is written in the communication text) is optional, but essentially physiological. With regard to the latter, it is not possible to discriminate between compulsory and optional, as they are formed as a natural consequence of the drafting of the communication.

9. How the service will "disturb" you

Glenforest Ltd will "disturb" the User in the following ways:
You may receive emails from Glenforest Ltd: these will be operational communications or otherwise in response to the communication sent by the User. These communications are essential for the regular management of the relationship with the User.
Newsletter: frequency: quarterly; content: operational, promotional relating to products or services of Glenforest Ltd or third party companies; service provider: Register;

10. What are the rights of users

Users are beneficiaries of a number of rights.
Rights to information about:

  • Categories of data being processed (see point no. 2 and 5);
  • Origin of the data, i.e. to know from where the service has obtained its data (see point no. 7);
  • Purpose of data processing, i.e. for what purposes the data are processed (see point no. 6);
  • Contact details of the data controller and of any data processors (see point no. 3.1);
  • Persons to whom the data are disclosed (see point no. 3.2);
  • Storage and processing time of the data (see point no. 6);
Right to lodge a complaint before the Privacy Guarantor by accessing the following link:

  • Existence or non-existence of profiling process;
  • Legal basis of processing (see point no. 6);
Then there are rights that are not merely informative but operational. They are of various kinds. In summary:
You have the right to have a copy of the data you have provided. If the data have been processed by automated methods and on the basis of your consent or a contract, you may request - if technically possible - that the data be passed on to the same data subject or even to a possible new data controller (portability), provided that this operation does not infringe the rights (and data) of other persons. This right cannot therefore be exercised in this case in relation to communications containing data of third parties, trade secrets or otherwise protected content. In such a case, he may also request the deletion of the data (unless the law requires the Controller to retain it, as in the case of commercial communications).
If the personal data are inaccurate or incomplete, the data subject may ask for them to be corrected or completed, providing indications to this effect. If the Controller has to verify the accuracy of the data contested by the data subject, the data subject may in the meantime obtain the restriction of the contested data (restriction means that the data is only stored and no further processing is carried out except with the specific consent of the data subject or if it serves to exercise or defend a right in court).
If personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the data subject may request their deletion. If, however, the data is needed by the data subject to exercise his or her right in court, he or she may request its restriction (i.e. storage only).
If the processing is unlawful because the data are processed in the absence of consent, a legitimate interest on the part of the data controller, a contract for the performance of which the processing is necessary, or a legal obligation to process the data on the part of the data controller, the data subject may request their erasure or restriction.

11. How he can exercise them

Procedure for exercising rights: The user's rights may be exercised by sending an e-mail to
The Controller must reply within thirty days (which may be extended by a further two months, but in this case the Controller must give the user reasoned notice of the delay).
The Controller may refuse, if he has reason to do so, to comply with the user's request (which must be communicated to the user within one month) only in the case of manifestly unfounded or repetitive requests. He must give a reasoned answer in that case. In any case, the user may appeal to the "Garante Privacy" (see link below) or to the Judge.

The Data Controller must reply using the same channel (email, telephone, etc.) used by the user for the request, unless the user himself requests a reply by a different route. In the event of a request coming from an email address other than the one indicated in the account, the requester must prove that he/she is the interested party.

Where the Controller has doubts as to the identity of the person making the request or exercises one of the rights listed below, the Controller may request further information to confirm the identity of the applicant. In the event of a request coming from an email address other than the one indicated in the account, the applicant will have to prove that he/she is the person concerned.

Requests and replies are free of charge, unless they are repetitive. In the latter case, the Data Controller may charge the costs it incurs for the reply (i.e. personnel costs, material costs, etc.).
In any event, the interested party may contact the Garante ( or the competent Jurisdictional Authority to exercise his/her rights.

12. Users' duties and obligations

It is the User's obligation to communicate truthful data.
It is the User's duty to notify the Controller of any changes made to the personal data previously communicated. Finally, it is the User's responsibility, where the functionalities allow, not to enter excessive data. For example, if the form requires you to enter non-compulsory data (usually marked with an asterisk), it is recommended that you enter them only if you consider it necessary. Similarly, if writing a message through the service, it is recommended to avoid explicit references to identifiable persons, if not necessary.

13. Data breach scenarios

In the event that one or more of the following events should occur with respect to Users' data: unauthorized access, theft, loss, destruction, disclosure, modification (so-called data breach) Glenforest Ltd, without prejudice to the urgent technical measures to be put in place to block (as far as possible) the event and to reduce its damaging effects undertakes to:

  • Restore the service as soon as possible in an efficient manner, recovering the available data from the last useful backup made;
  • Informing Users, directly if circumstances permit or generically (by means of a notice on the website home page or by means of a communication sent to all users, including those for whom there may have been no data events) of the type of event, the time at which it occurred, the measures adopted (without going into detail so as not to facilitate any new attacks) to reduce the damage and to avoid new similar events, as well as the measures and expedients that the user should - on his/her part - put in place to reduce the likelihood of new events and limit the consequences of those that have already occurred.

Information valid from 2023 September 1th