GDPR Rights
Last updated: May 1, 2026
1. Data Protection Commitment
Davide Bollati (P.IVA 02821210024) is committed to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — GDPR) and Italian Legislative Decree 196/2003 (Personal Data Protection Code), as amended by Legislative Decree 101/2018.
2. Data Controller
Controller: Davide Bollati (P.IVA 02821210024)
Registered office: Italy
Data protection contact email: info@visualturf.ai
As data controller, VisualTurf determines the purposes and means of personal data processing in accordance with Art. 4.7 of the GDPR.
3. Your Rights as a Data Subject
Under Articles 15 to 22 of the GDPR, you have the following rights:
Right of access (Art. 15)
You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, access to the data and information about the processing.
Right to rectification (Art. 16)
You have the right to obtain rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed.
Right to erasure — 'right to be forgotten' (Art. 17)
You have the right to obtain erasure of personal data concerning you where one of the grounds provided for in the GDPR applies, such as when the data is no longer necessary for the purpose for which it was collected.
Right to restriction of processing (Art. 18)
You have the right to obtain restriction of processing where one of the conditions provided for in the GDPR is met, such as while the accuracy of the data is being verified.
Right to data portability (Art. 20)
You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to object (Art. 21)
You have the right to object to the processing of your personal data based on the controller's legitimate interest, including profiling.
Right not to be subject to automated decisions (Art. 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
4. How to Exercise Your Rights
To exercise any of the aforementioned rights, you can contact us at:
• Email: info@visualturf.ai
• Subject line: "GDPR Rights Request"
Upon receiving your request:
1. We will verify your identity to ensure the security of your data.
2. We will respond within a maximum of 30 calendar days from receipt.
3. Where requests are complex or numerous, the deadline may be extended by an additional 60 days, with prior notification.
4. The exercise of these rights is free of charge, except for manifestly unfounded or excessive requests.
5. Security Measures
VisualTurf implements appropriate technical and organizational measures pursuant to Art. 32 of the GDPR:
• Data encryption in transit (TLS 1.3) and at rest.
• Passwords stored as bcrypt hashes, never in plain text.
• Secure authentication managed by Supabase Auth.
• Role-based access control (RBAC).
• Automated and encrypted backups.
• Continuous infrastructure monitoring.
• Periodic Data Protection Impact Assessments (DPIA) when processing may result in high risk.
6. Data Breach Notification
In the event of a personal data breach pursuant to Art. 33 of the GDPR:
• We will notify the competent supervisory authority (Garante per la protezione dei dati personali) within 72 hours.
• If the breach is likely to result in a high risk to your rights and freedoms, we will inform you directly without undue delay (Art. 34).
7. Supervisory Authority
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority:
Garante per la protezione dei dati personali
Piazza Venezia, 11 — 00187 Roma
www.garanteprivacy.it
Email: protocollo@pec.gpdp.it
You may also contact the data protection authority of the Member State of your habitual residence, place of work, or place of the alleged infringement.
8. Legal Framework
This page is drafted in compliance with:
• Regulation (EU) 2016/679 (GDPR)
• Legislative Decree 196/2003 (Italian Privacy Code)
• Legislative Decree 101/2018 (alignment of the Privacy Code with the GDPR)
• Guidelines of the European Data Protection Board (EDPB)
• Guidance from the Garante per la protezione dei dati personali