Privacy Policy (GDPR Articles 13–14 Notice)

The Business Game – app.thebusinessgame.it

Last updated: 6 February 2026 — Version: 1.1

This Privacy Policy explains how The Business Game Srl (also “TBG”, “we”, “us”) processes personal data of users who register for and use the web platform available at app.thebusinessgame.it (the “Platform” or the “Service”).

TBG is a company established in Italy. The Service can be accessed via the web also by users residing outside Italy and/or outside the European Economic Area (“available worldwide”). Global accessibility does not necessarily mean that TBG actively markets the Service in every country; however, we process personal data in line with GDPR standards and, where required, we provide additional regional disclosures (see “Regional Notices”).

Digital services: TBG provides digital services and software licenses. We do not ship physical products. To purchase and activate a license, you must have a registered account (no guest checkout). Licenses are activated after the purchase is verified.

1) Data Controller and contact details

The Data Controller is The Business Game Srl, VAT No. 02511570307, with registered office at Via Gemona 35, 33100 Udine (UD), Italy.

Privacy contact: privacy@thebusinessgame.it

2) Privacy roles when the Platform is used via Organizations

The Platform may also be used as part of activities managed by third-party organizations (e.g., universities, training providers, business schools, companies, etc.).

the organization determines the purposes and rules of the program (e.g., educational/training purposes, organizational criteria and access to results) and acts as an independent Controller for processing activities under its responsibility;
for processing necessary to provide the Service and make tools and reports available through the Platform, TBG may act as a Processor on behalf of the organization;
TBG remains the Controller for its “Platform-level” processing activities (e.g., technical account management, security, support, invoicing and legal compliance), as described in this Privacy Policy.

If you use the Platform through an organization, you may also need to consult the organization’s own privacy notice.

3) Categories of personal data we process

A. Registration and account data

First name
Last name
Email
Login credentials (password stored in encrypted/hashed form)

B. Platform usage data (business games, questionnaires, assessment/training tools)

Answers and inputs provided during activities
Scores, results, progress, completions and reports
Association to classes/projects (if applicable)

Please do not enter special categories of data (GDPR Art. 9) or data relating to criminal convictions and offences (GDPR Art. 10) into the Platform. If such information is nonetheless provided, we may limit its use and/or remove it to the extent possible and necessary to operate the Service and protect security.

C. Purchase and invoicing data (software licenses)

Data needed for checkout and order management (e.g., license purchased, amount, currency)
Invoice details only when required: billing name/company name, Italian Tax Code (Codice Fiscale) and/or VAT number (Partita IVA) if applicable, and any information required by tax law to issue an invoice
Transaction identifier and outcome (information needed for reconciliation and administrative management, refunds and disputes)

D. Technical data and logs

IP address, device/browser identifiers (where available)
Access and security logs (e.g., date/time, technical events, login attempts, license-activation events)

4) Sources of personal data (GDPR Article 14)

Personal data may be collected:

directly from you (e.g., registration, purchases and use of the Platform); or
when you use the Platform through an organization, it may be provided by the organization (typically first name, last name, email, and class/project association) and any additional data strictly necessary to manage the class/project, if applicable.

5) Purposes and legal bases (GDPR Article 6)

5.1 Account registration and management, authentication and access

Purpose: enable registration, login and use of the Service (including purchases, which require an account).

Legal basis: performance of a contract / provision of the Service (GDPR Art. 6(1)(b)).

5.2 Provision of the Service (activities, questionnaires, reports)

Purpose: enable activities, calculate scores/results and generate reports.

Legal basis: performance of a contract / provision of the Service (GDPR Art. 6(1)(b)).

Note: in “Organization” contexts, certain purposes and rules (e.g., access to results) may be determined by the organization (see section 2).

5.3 Purchase of software licenses, payment verification and activation

Purpose: manage purchases, verify payment outcome, generate/assign and activate the license on your account, and manage refunds/disputes where applicable.

Legal basis: performance of a contract / provision of the Service (GDPR Art. 6(1)(b)).

5.4 Invoicing and legal obligations

Purpose: accounting and tax compliance and other legal obligations (e.g., record retention).

Legal basis: compliance with a legal obligation (GDPR Art. 6(1)(c)).

5.5 Support and service communications

Purpose: handle support requests and technical/organizational communications related to the Service (e.g., communications about licenses, technical changes, security).

Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and/or legitimate interests (GDPR Art. 6(1)(f)) in maintaining Service quality and continuity.

5.6 Security, abuse prevention and protection of rights

Purpose: protect accounts, infrastructure and the Service; prevent unlawful activity/abuse; defend rights in and out of court.

Legal basis: legitimate interests (GDPR Art. 6(1)(f)).

Our legitimate interests: ensuring Service security, preventing unauthorized access and abuse, and protecting TBG and users.

Right to object: you may object on grounds relating to your particular situation (see “Your rights”).

5.7 Newsletter and promotional communications (if enabled)

Purpose: send updates and promotional content.

Legal basis: consent (GDPR Art. 6(1)(a)).

Consent is optional and can be withdrawn at any time (e.g., via the unsubscribe link or by contacting us). Where required by applicable law, obtaining consent may require involvement of a parent/legal guardian.

6) Payments (Stripe / PayPal) — roles and data

Payments for software license purchases may be processed through Stripe or PayPal (the choice may change over time).

TBG does not store full card details or payment credentials: such information is processed directly by the payment provider.
TBG processes and retains certain payment outcome and reconciliation information (e.g., transaction identifier, amount, currency, payment status) needed to manage the order, any refunds/disputes, and administrative/accounting compliance.
The payment provider may also process some data for its own purposes (e.g., fraud prevention, risk management and compliance), under its own privacy notice. Depending on the services used, the context and the applicable contractual documentation, the provider may act as a Processor for payment execution on TBG’s behalf and/or as an independent Controller for specific activities (e.g., regulatory/anti-fraud obligations).

Please consult the payment provider’s privacy notice available at the time of the transaction.

7) Data recipients

Personal data may be processed by or disclosed to:

Authorized personnel of TBG (internal staff).
Technical service providers supporting infrastructure and Service delivery (e.g., hosting and IT services).
Hosting: TBG hosts the Platform on AWS – Milan Region (eu-south-1).
Payment providers (Stripe or PayPal) to execute transactions and related services (including dispute/chargeback handling).
Advisors (e.g., accounting/tax/legal) and public authorities where necessary for legal obligations or lawful requests.

Where required, such providers are appointed as Processors under GDPR Art. 28. In other cases, they may act as independent Controllers (e.g., payment providers for their own activities), under their respective privacy notices.

8) Retention

We keep personal data for as long as necessary for the purposes described above and in compliance with legal requirements. In particular:

Account data: for as long as your account is active and the relationship continues; if you request deletion, we handle data as described below (“Deletion”).
Usage data (scores/reports/progress): up to 24 months from creation/update, unless different contractual/organizational needs apply (e.g., use via Organizations) or legal obligations require otherwise.
Purchase and invoicing data: up to 10 years for accounting and tax compliance (or a different period required by applicable law).
Technical and security logs: typically up to 24 months, unless longer retention is necessary in case of security incidents, abuse investigations or disputes.

Deletion and restriction

If your account is deleted, we delete or de-identify data that is no longer needed, except for information we must keep to comply with legal obligations (e.g., accounting) or to protect our rights in case of disputes, for the strictly necessary period.

9) International transfers (outside the EEA/UK)

Personal data is mainly processed within the European Economic Area, including through hosting in AWS Milan (eu-south-1).

However, some providers (in particular payment providers and Google reCAPTCHA, as well as their sub-processors/support) may process personal data outside the EEA and/or the United Kingdom. Where required, we implement appropriate safeguards, such as:

Adequacy decisions where available; and/or
Standard Contractual Clauses (SCCs) for transfers outside the EEA; and, for the UK, the IDTA or the UK Addendum to the SCCs;
where required, supplementary measures and assessments (e.g., a Transfer Impact Assessment).

You can request information about the safeguards we use by contacting TBG at the details above.

10) Security measures

We implement appropriate technical and organizational measures to protect personal data, including (by way of example) access controls, infrastructure-level protections, monitoring and security logging. No system is completely secure; if a personal data breach occurs, we will take the actions required by applicable law.

11) Cookies and technical tools (session, security and reCAPTCHA)

The Platform uses cookies and similar technologies to ensure core functionality and security.

11.1 Technical cookies (strictly necessary)

We use technical/strictly necessary cookies to:

manage authentication sessions and enable access to restricted areas;
ensure security and integrity of the Service (e.g., prevent unauthorized access and abuse).

These cookies are not used for advertising profiling and generally last for the session or as long as strictly necessary for operation.

11.2 Google reCAPTCHA v2 (registration only)

To protect the registration form against spam and abuse, we use Google reCAPTCHA v2 (checkbox). reCAPTCHA may collect technical information (e.g., IP address, device and browser information, interaction events) and may use cookies or similar technologies for security/anti-abuse purposes.

Purpose: security and abuse/spam prevention during registration.
Legal basis: legitimate interests (GDPR Art. 6(1)(f)) in protecting the Service and preventing misuse.
Third party/recipient: Google, as the provider of reCAPTCHA.
Transfers: use of reCAPTCHA may involve processing outside the EEA/UK; where required, we apply the safeguards described in “International transfers”.

The registration page includes a notice linking to Google’s Privacy Policy and Terms of Service.

11.3 Analytics and profiling cookies

At this time, we do not use advertising profiling cookies or tracking tools for advertising or analytics purposes. If we introduce analytics tools in the future (e.g., Google Analytics) or other non-essential technologies, we will update this Privacy Policy and, where required (e.g., EEA/UK), we will collect consent through a banner and preference center before activation.

11.3-bis Cookies summary table

Category	Provider	Purpose	Duration (indicative)
Strictly necessary / session	TBG (first party)	Login, session management, basic security	Session / short
Security / anti-abuse	Google (reCAPTCHA)	Protect registration form against spam and abuse	Varies (per Google)

11.4 How to manage cookies

You can manage or disable cookies through your browser settings. Disabling technical cookies may affect core Platform functionality (e.g., access to restricted areas).

12) Your rights (GDPR Articles 15–22)

Users may exercise rights provided by the GDPR, including: access, rectification, deletion, restriction, portability, objection, and withdrawal of consent (where applicable).

How to exercise your rights: email privacy@thebusinessgame.it describing your request and providing information needed to identify it.

Timing and verification: we generally respond within one month, subject to lawful extensions. We may request additional information to verify identity or clarify the request.

12-bis) Minors and capacity to purchase

The Service is primarily educational and may be used by minors, particularly within programs managed by Organizations (see section 2).

Purchases: purchasing licenses and entering into a contract requires legal capacity under applicable law. If we become aware that a purchase was made by a minor without the necessary authorization, we may take appropriate measures (e.g., cancellation and handling the request via a parent/guardian), to the extent permitted by law.

Where certain features require consent (e.g., newsletter or promotional communications, if enabled), such consent must be provided in accordance with applicable law, including, where required, involvement of a parent/legal guardian.

If a parent/guardian believes a minor has provided personal data in a manner not compliant with applicable law, they may contact us at privacy@thebusinessgame.it.

13) Complaints

If you believe our processing violates applicable data protection law, you may lodge a complaint with the competent supervisory authority. For Italy: the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali). If you are in another EEA country, you may also contact the authority in your country of habitual residence/workplace or the place of the alleged infringement. If you are in the United Kingdom, you may also lodge a complaint with the Information Commissioner’s Office (ICO).

14) Automated decision-making and profiling

TBG does not carry out solely automated decision-making under GDPR Art. 22 that produces legal or similarly significant effects on users based on Platform data.

Payment providers may apply automated checks (e.g., fraud prevention) under their own privacy notices and responsibilities.

15) Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes to the Service, our practices or legal requirements. If we make material changes, we will provide appropriate notice (e.g., an in-Platform notice and/or by updating the date/version). Continued use of the Service after publication of an update means you have reviewed the most recent version.

16) Regional Notices (only if applicable)

The sections below apply only to users residing in certain jurisdictions, where required by local law and in relation to the activities effectively carried out by TBG in those markets. These notes are not intended to create additional obligations where local law does not apply.

16.1 United States (e.g., California) — brief notice (if applicable)

Depending on applicability thresholds and state laws (e.g., CCPA/CPRA), you may have additional rights (access, deletion, correction and other protections). You can exercise them by contacting us at privacy@thebusinessgame.it.

As a general matter, we do not sell personal data in exchange for money. If we introduce practices that qualify as “sharing”/“targeted advertising” under applicable definitions, we will update this Privacy Policy and provide the relevant opt-out mechanisms.

16.2 Brazil (LGPD) — brief notice (if applicable)

If you reside in Brazil, you may have additional rights under the LGPD. For requests and information (including local legal bases and transfers), contact us at privacy@thebusinessgame.it.

16.3 Canada (PIPEDA) — brief notice (if applicable)

If you reside in Canada, you may have additional rights and protections. You can contact us at privacy@thebusinessgame.it to exercise access/correction rights and for information about transfers and service providers.