Privacy Policy

The purpose of this document is to inform the natural person (hereinafter the
“Data Subject”) about the processing of his/her personal data
(hereinafter the “Personal Data”) collected by the data controller,
ByteWex Srl, with registered office in Viale Timavo 85, 42121 Reggio Emilia (RE), Italy,
Tax Code/VAT No. 02896470354, e-mail address
privacy@bytewex.com
(hereinafter the “Data Controller”), via the website and the application
LaborLumen and the related domains and subdomains:
laborlumen.com, people.laborlumen.com, hub.laborlumen.com, passport.laborlumen.com,
coaching.laborlumen.com, training.laborlumen.com, recruiting.laborlumen.com
(hereinafter the “Application”).

Changes and updates will be effective as soon as they are published on the Application.
In case of non-acceptance of the changes made to this Privacy Policy, the Data Subject
shall stop using the Application and may request that the Data Controller delete his/her Personal Data.

1. Categories of Personal Data processed

The Data Controller processes the following types of Personal Data voluntarily provided by the Data Subject:

  • Contact Data: first name, last name, address, e-mail address, phone number, pictures, authentication credentials, any further information sent by the Data Subject, etc.
  • Fiscal and payment Data: tax code, VAT number, credit card data, bank account details, etc.
  • Data on the employment relationship: data entered in the curriculum vitae, data on spouse or children, social security data, etc.
  • Authentication and third-party identity data: where the Data Subject voluntarily uses a third-party identity provider to sign in or verify identity (see section 4), the Data Controller receives basic profile data from such provider, typically: full name, e-mail address, profile picture, verified-email status, and a stable provider-specific identifier.
  • Third-party attestation data: where applicable to the use of the Application (such as professional-experience attestation in the Passport module), the Data Controller processes Personal Data of invited third parties (referees), namely: full name, e-mail address, optional role and company, provider-verified identity data (if the third party authenticates through a third-party identity provider), attestation content and outcome, IP address and user-agent at the time of attestation, and the relevant timestamps.

The Data Controller processes the following types of Personal Data collected automatically:

  • Technical Data: Personal Data produced by devices, applications, tools and protocols, such as, for example, information about the device used, IP addresses, browser type, type of Internet provider (ISP). Such Personal Data may leave traces which, combined with unique identifiers and other information received by the servers, can be used to create profiles of individuals.
  • Usage Data: such as, for example, pages visited, number of clicks, actions taken, duration of sessions, etc.
  • Data relating to the exact location of the Data Subject: for example, geolocation data that precisely identifies the location of the Data Subject, which may be collected via the satellite network (e.g. GPS) and other means, with the consent of the Data Subject. The Data Subject may withdraw consent at any time.

If the Data Subject decides not to provide Personal Data for which there is a legal or contractual obligation, or if such data is a necessary requirement for the conclusion of the contract with the Data Controller, it will be impossible for the Data Controller to establish or continue any relationship with the Data Subject.

The Data Subject who communicates Personal Data of third parties to the Data Controller is directly and exclusively liable for their origin, collection, processing, communication or disclosure.

2. Cookies and similar technologies

The Application uses cookies, web beacons, unique identifiers and other similar technologies to collect the Data Subject’s Personal Data regarding visited pages, links and other actions performed during the use of the Application.
This data is stored and then used the next time the Data Subject browses the Application.

The full Cookie Policy can be viewed at the following address:
Cookie Policy – LaborLumen HCM.

3. Legal basis and purpose of data processing

The processing of Personal Data is necessary:

  1. For the performance of the contract with the Data Subject, and especially:
    1. fulfillment of any obligation arising from the pre-contractual or contractual relationship with the Data Subject;
    2. registration and authentication of the Data Subject, in order to allow the Data Subject to register in the Application, access it and be identified in it, also via external platforms;
    3. support and contact with the Data Subject, in order to answer the Data Subject’s requests;
    4. management of payments, including by credit card, bank transfer or other methods.
  2. For compliance with legal obligations, and especially:
    1. the fulfillment of any obligation provided for by the applicable laws, regulations and rules, in particular in tax and fiscal matters.
  3. For the legitimate interest of the Data Controller, for:
    1. marketing by e-mail of the Data Controller’s products and/or services, to directly promote products or services similar to those already purchased by the Data Subject, using the e-mail address provided in the context of a previous sale;
    2. management, optimization and monitoring of the technical infrastructure, in order to identify and solve technical issues, improve the performance of the Application, and manage and organize information in a computer system (e.g. server, database, etc.);
    3. security and anti-fraud purposes, in order to guarantee the security of the Data Controller’s assets, infrastructures and networks;
    4. anonymous statistical analysis based on aggregated and anonymous data, in order to analyze the behavior of Data Subjects, improve the products and/or services provided by the Data Controller, and better meet the expectations of the Data Subject.
  4. On the basis of the Data Subject’s consent, for:
    1. retargeting and remarketing, in order to reach Data Subjects who have already visited or shown interest in the products and/or services offered by the Application with customized advertisements using their Personal Data. The Data Subject may opt out by visiting the Network Advertising Initiative page;
    2. marketing of the Data Controller’s products and/or services, in order to send information or commercial and/or promotional materials, perform direct sales activities, or conduct market research through automated and traditional methods;
    3. detection of the exact location of the Data Subject, in order to detect the presence of the Data Subject, control logins, times and presence in a specific place, etc.
    4. the recording and evidencing of professional-experience attestations
      submitted by invited third parties (referees) on the User’s professional
      passport. The invited third party expresses consent at the moment of
      submitting the attestation through the dedicated referee interface of
      the Application. The processing also relies on the legitimate interest
      of the inviting User in evidencing his/her professional history through
      third-party-confirmed records (Art. 6(1)(f) GDPR).

The Data Subject’s Personal Data may also be used by the Data Controller to protect its rights in judicial proceedings before the competent courts.

4. Data processing methods and recipients of Personal Data

The processing of Personal Data is performed by means of paper-based and computer tools, with methods of organization and logic strictly related to the specified purposes, and through the adoption of appropriate security measures.

Personal Data are processed exclusively by:

– persons authorized by the Data Controller to process Personal Data who have committed themselves to confidentiality or are subject to an appropriate legal obligation of confidentiality;

– subjects acting independently as separate data controllers, or subjects designated as data processors by the Data Controller in order to carry out all processing activities necessary to pursue the purposes set out in this policy (for example, business partners, consultants, IT companies, service providers, hosting providers);

– subjects or bodies to whom Personal Data must be communicated by law or by order of the authorities;

– third-party identity providers and authentication services that the Data Subject — or, in specific workflows, a duly invited third party (such as a professional referee invited to attest a work experience on a User’s professional passport) — voluntarily authorizes to share authentication and basic profile data with the Data Controller. These providers currently include Google (Sign in with Google) and LinkedIn (Sign in with LinkedIn using OpenID Connect, also used for third-party identity verification within attestation workflows on the Service), and may include Microsoft (Sign in with Microsoft) in the future. The data shared by these providers is limited to the OAuth/OIDC scopes consented to by the data subject at the moment of authentication (typically: full name, e-mail address, profile picture and a stable provider-specific identifier) and is processed in accordance with the privacy terms of the relevant provider, available at the following URLs:
https://policies.google.com/privacy (Google),
https://www.linkedin.com/legal/privacy-policy (LinkedIn),
https://privacy.microsoft.com/privacystatement (Microsoft).

Where authentication or identity verification through a third-party provider is initiated by an invited person who is not a registered User of the Application (for example, a former employer, manager or senior peer invited to attest a professional experience declared on a User’s professional passport), the Data Controller processes only the minimum data strictly necessary to record the attestation and to ensure its integrity, namely: the invited person’s full name and e-mail address (as provided by the inviting User and confirmed by the invited person), the public profile identifier and verification status returned by the third-party provider where such provider is used, the attestation outcome, the IP address and user-agent at the time of attestation, and the relevant timestamps. Such data is retained for the period set out in section 6 and is subject to the rights of the data subject set out in section 7.

The subjects listed above are required to use appropriate measures and safeguards to protect Personal Data and may only access the data necessary to perform their duties.

Personal Data will not be indiscriminately shared in any way.

5. Place of processing

Personal Data is primarily processed within the European Economic Area (EEA).

Where the Data Subject — or, in specific workflows, a duly invited third party (see section 4) — voluntarily authorizes authentication or identity verification through a third-party identity provider, limited authentication and profile data may be transferred to the United States as part of such provider’s standard service operations. Such transfers take place under appropriate safeguards, namely:

– the EU-US Data Privacy Framework (DPF) adequacy decision of 10 July 2023, where the recipient provider is DPF-certified. Google LLC, LinkedIn Corporation and Microsoft Corporation are currently DPF-certified;
– and, as additional safeguard, the European Commission’s Standard Contractual Clauses (SCCs) incorporated in the privacy terms of the relevant providers referenced in section 4.

The Data Subject can verify the current DPF certification status of any provider at https://www.dataprivacyframework.gov/list.

No other transfer of Personal Data outside the EEA is performed by the Data Controller.

6. Personal Data storage period

Personal Data will be stored for the period of time required to fulfill the purposes for which it was collected. In particular:

  • For purposes related to the execution of the contract between the Data Controller and the Data Subject,
    Personal Data will be stored for the entire duration of the contractual relationship and, after termination,
    for the ordinary limitation period of 10 years. In the event of legal disputes, Personal Data will be stored for the entire duration of such disputes, until the time limit for appeals has expired.
  • For purposes related to the legitimate interests of the Data Controller, Personal Data will be stored until such legitimate interest has been fulfilled.
  • For compliance with legal obligations, by order of an authority and for legal protection, Personal Data shall be stored according to the relevant timeframes provided for by such obligations and regulations, and in any case until the expiry of the applicable limitation period.
  • For purposes based on the consent of the Data Subject,
    Personal Data will be stored until consent is revoked.
  • For Personal Data of invited third parties processed in connection with attestation workflows (see sections 1 and 4), data will be stored for the entire lifetime of the attested record on the inviting User’s professional account, plus a grace period of twelve (12) months after the deletion of such record, for audit and integrity-of-evidence purposes. The invited third party may at any time request rectification or erasure of his/her Personal Data by writing to privacy@bytewex.com.

At the end of the storage period, all Personal Data will be deleted or stored in a form that does not allow the identification of the Data Subject.

7. Rights of the Data Subject

Data Subjects may exercise specific rights regarding the Personal Data processed by the Data Controller.
In particular, the Data Subject has the right to:

  • be informed about the processing of his/her Personal Data;
  • withdraw consent at any time;
  • restrict the processing of his/her Personal Data;
  • object to the processing of his/her Personal Data;
  • access his/her Personal Data;
  • verify and request the rectification of his/her Personal Data;
  • obtain the erasure of his/her Personal Data;
  • transfer his/her Personal Data to another data controller;
  • file a complaint with the competent Personal Data protection supervisory authority and/or take legal action.

The rights set out above may also be exercised by invited third parties whose Personal Data is processed in connection with attestation workflows (see sections 1 and 4), even where such third parties are not registered Users of the Application. Such third parties may exercise their rights by writing to privacy@bytewex.com, providing reasonable identification and the reference to the relevant attestation. The exercise of the right to erasure by an invited third party will result in the corresponding attestation being marked as “withdrawn” on the inviting User’s professional record, without affecting the User’s other declarations.

In order to exercise these rights, Data Subjects may send a request to: privacy@bytewex.com.
Requests will be handled by the Data Controller and processed as soon as possible, in any case within 30 days.

Last update: 01/05/2026