Skip to content
New: connect Linkly to your favourite AI and ask about your tradeshow results and leads
Legal document · v1.0

Privacy Policy

Last updated 24 May 2026
Effective date 24 May 2026
Version 1.0
Translation provided for convenience. The Italian version prevails in case of conflict.

This Privacy Policy describes how personal data are processed through the Linkly mobile application and web platform (the "Platform"), provided by SORAIA S.R.L., and through the website linkly.events (the "Site").

This document is issued under Regulation (EU) 2016/679 ("GDPR"), Italian Legislative Decree 196/2003 as amended ("Privacy Code"), the Italian DPA decision no. 231/2021 on cookies, and applicable EDPB Guidelines.

SORAIA S.R.L. adopts adequate technical and organisational measures (art. 32 GDPR) to ensure that personal data are processed in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (art. 5 GDPR).

1. Data controller

For processing activities carried out directly by SORAIA S.R.L. as an autonomous Controller, the Controller is:

  • SORAIA S.R.L.
  • Registered office: Via Losana 13, 13900 Biella (BI), Italy
  • VAT no.: IT02820060024 · REA: BI-319659
  • Privacy email: privacy@soraia.io
  • Certified email (PEC): soraia@mypec.eu

For processing carried out on behalf of client companies that use Linkly to manage their commercial contacts, SORAIA acts as Processor under art. 28 GDPR, in accordance with the Data Processing Agreement (DPA) signed with each client.

2. Privacy roles and responsibilities

2.1 Client companies as autonomous Controllers

Companies that use Linkly to collect, qualify and manage contacts acquired during fairs, events and B2B networking activities act as autonomous Controllers under art. 4(7) GDPR.

Client companies independently determine:

  • purposes and means of processing
  • content and logic of the qualification questions configured
  • commercial profiling criteria
  • follow-up, communication and marketing activities
  • third-party systems that receive the data (CRM, marketing automation, ERP)
  • legal basis for processing prospects' data (typically B2B legitimate interest under art. 6(1)(f) GDPR, assessed via LIA, Legitimate Interest Assessment, under their own responsibility)

Client companies are responsible for fulfilling information obligations towards data subjects (arts. 13 and 14 GDPR), including delivery or availability of a specific privacy notice at the time of data collection (e.g. at the trade-fair stand).

2.2 SORAIA S.R.L., dual role

a) Processor (art. 28 GDPR)

On behalf of client companies, limited to the activities of:

  • scanning, acquisition and digitisation of contacts (business cards, badges, QR codes) via OCR
  • storage and technical management of data
  • data enrichment via public sources and third-party providers
  • structuring, normalisation and AI qualification
  • generation of commercial follow-ups (based on client templates and instructions)
  • technical integration with the client's CRM, ERP and marketing systems
  • post-event reporting

b) Autonomous Controller

For activities necessary to:

  • ensure the security of the Platform (arts. 32, 33, 34 GDPR)
  • ensure operational continuity
  • prevent abuse and unlawful use
  • comply with legal obligations (tax, contract, anti-money-laundering)
  • manage invoicing and the contractual relationship with the client (administrative data)

The relationship between SORAIA and each client is governed by a Data Processing Agreement compliant with art. 28 GDPR, an integral part of the supply agreement.

3. Categories of personal data processed

3.1 Technical and usage data (Controller: SORAIA)

  • IP address (anonymised or pseudonymised after 30 days)
  • access and activity logs
  • device identifiers (user agent, OS, app version)
  • browser, operating system and application version information
  • session data (authentication tokens)

3.2 Business-user data (Controller: SORAIA for authentication; Controller: client company for operational use)

  • first name and surname
  • business email
  • professional phone number (optional)
  • role and team membership
  • authentication credentials (encrypted password, bcrypt hash)
  • Platform usage data
  • permissions and configurations applied by the client's administrator

3.3 Acquired contact data, leads (Controller: client company)

Personal data of third parties acquired by client companies during B2B events:

  • identification and professional data (first name, surname, role)
  • company information (business name, sector, size)
  • professional contacts (business email, professional phone)
  • public profiles (e.g. public LinkedIn URL)
  • answers to the qualification questions configured by the client
  • notes and commercial assessments entered by the client's users
  • acquisition source (event, date, channel)

Data may be collected through:

  • business card scanning (OCR)
  • event badge scanning (OCR)
  • QR code reading
  • manual entry
  • custom forms configured by the client

SORAIA does not process special categories of data (art. 9 GDPR) nor data relating to criminal convictions (art. 10 GDPR). The client undertakes, through the DPA, not to enter data of such categories on the Platform.

3.4 Administrative and billing data (Controller: SORAIA)

  • business name, VAT no., tax code, client address
  • data of the legal representative or administrative contact
  • invoicing and payment history

4. Purposes of processing and legal bases

4.1 Platform delivery and contract management

Processing of business-user and administrative data necessary to enable the use of the Platform, deliver the service, manage the contract, invoicing and technical support.

Legal basis: art. 6(1)(b) GDPR (performance of a contract) and art. 6(1)(c) GDPR (legal obligations relating to tax and accounting).

4.2 Lead capture, qualification and B2B follow-up activities (on behalf of clients)

Processing of contact data collected for the purposes defined by the client Controller:

  • contact digitisation and structuring
  • commercial qualification
  • information enrichment
  • activation in the corporate CRM
  • sending of commercial follow-ups

Legal basis (incumbent on the client Controller): typically art. 6(1)(f) GDPR (legitimate interest in professional networking and the continuation of a B2B commercial conversation initiated at a trade-fair context). The client company must carry out its own balancing test (LIA) and ensure information and rights are granted to data subjects.

4.3 Platform security, abuse prevention, audit

Processing of technical and log data to ensure IT security, fraud prevention, incident analysis, internal audits and compliance with authority requests.

Legal basis: art. 6(1)(f) GDPR (SORAIA's legitimate interest in the security and integrity of the service); art. 6(1)(c) GDPR (legal obligations).

4.4 Responding to data-subject requests and GDPR compliance

Processing necessary to handle requests to exercise rights (arts. 15-22 GDPR), manage complaints, carry out DPIAs or consultations with the supervisory authority.

Legal basis: art. 6(1)(c) GDPR (legal obligations).

5. Artificial intelligence (AI) technologies

5.1 How AI is used

The Platform uses artificial intelligence technologies provided by third-party providers (see section 6) for the following technical purposes:

  • Optical character recognition (OCR): reading and digitising business cards and event badges
  • Structuring and normalisation: parsing extracted data into structured fields
  • Summary and classification: automatic categorisation of the contact to support qualification
  • Generation of follow-up templates: composition of personalised email drafts based on the instructions and templates provided by the client

5.2 Explicit exclusions

The use of AI on the Platform DOES NOT involve:

  • autonomous generation of new personal data not derived from already available sources
  • solely automated decisions with legal or significant effects on the data subject under art. 22 GDPR
  • automated profiling for behavioural-advertising purposes
  • training of third-party providers' AI models on client data (see section 6 for contractual specifics)

5.3 Data enrichment, operational modalities

Enrichment of contact data (e.g. business email, phone number, LinkedIn profile) is performed via specialised external providers and is subject to the following rules:

  • enrichment is performed only where such information is not already available in the acquired contact
  • where data has already been provided (e.g. via a business card), no requests are made to external providers for those fields
  • the system may consult publicly accessible sources (search-engine results, public professional profiles) to retrieve information already publicly available
  • this process replicates manual research commonly carried out in a professional context; it does not entail access to private databases; it does not use unauthorised mass-scraping techniques

6. Recipients and sub-processors

Personal data may be processed by the following recipients, each bound by contractual obligations of confidentiality and data protection equivalent to those undertaken by SORAIA:

  • authorised SORAIA S.R.L. personnel, trained under art. 29 GDPR
  • IT infrastructure, cloud-computing and backend-platform providers
  • AI service providers for OCR, structuring and text generation
  • B2B data-enrichment service providers
  • workflow automation and orchestration services
  • public-source research services
  • technical, legal and administrative consultants
  • public authorities, where required by law

For each category, SORAIA selects providers that adopt adequate security measures and signs with each of them a Data Processing Agreement compliant with art. 28 GDPR. For sub-processors based outside the EU, SORAIA executes the Standard Contractual Clauses (SCC) approved by the EU Commission (Implementing Decision 2021/914) and, where applicable, verifies adherence to the EU-US Data Privacy Framework (DPF).

The specific and updated list of sub-processors is communicated to contracted clients and available on reasoned written request from the clients' DPOs by email to privacy@soraia.io.

7. Transfers of data outside the EU

Personal data are processed primarily on infrastructure located within the European Economic Area (EEA). Where transfers to third countries become necessary, these take place in accordance with arts. 44 and following of the GDPR.

Transfer instruments used

  • Adequacy decision (art. 45 GDPR): for countries recognised by the EU Commission as ensuring an adequate level of protection (e.g. UK, Switzerland, Japan, South Korea)
  • EU-US Data Privacy Framework (EU-US adequacy decision of 10 July 2023): for US sub-processors adhering to the DPF
  • Standard Contractual Clauses (SCC) approved by the EU Commission with Decision 2021/914: module 2 (controller-processor) or module 3 (processor-sub-processor) depending on the relationship
  • Supplementary technical and organisational measures where required by Schrems II case law (e.g. end-to-end encryption, pseudonymisation, contractual controls on government access)

Transfer Impact Assessment (TIA)

For each non-EU transfer, SORAIA has carried out a transfer impact assessment (TIA) that considers: the nature of the data, the risk of access by third-country authorities, the legal protections available to data subjects, and the technical and organisational measures adopted.

8. Data retention

The retention periods applied are as follows:

  • Acquired contact data (leads): for the duration of the contractual relationship between SORAIA and the Controller client. Upon termination, the data are made available for download for 30 days, after which they are deleted or anonymised in accordance with the client's instructions.
  • Business-user data: for the duration of the account, and for a further 12 months after deactivation (to handle post-termination requests).
  • Access logs and technical data: 12 months for security and abuse-prevention purposes (in line with the Italian DPA decision on system administrator logs).
  • Administrative and billing data: 10 years from the end of the relationship, in compliance with art. 2220 of the Italian Civil Code and tax legislation.
  • Email and PEC communications: 5 years, subject to specific evidentiary retention needs.
  • Direct-marketing data (newsletters, commercial follow-ups from SORAIA to prospects): until consent is withdrawn or the data subject objects; at most 24 months from the last active contact.

For data processed as Processor, the actual retention periods are defined by the Controller client in its Records of Processing and in the instructions documented in the DPA.

9. Data subject rights

Under articles 15-22 GDPR, data subjects have the right to:

  • Access (art. 15), obtain confirmation of processing and a copy of the data
  • Rectification (art. 16), correct inaccurate or incomplete data
  • Erasure (art. 17), the "right to be forgotten" in the cases provided
  • Restriction (art. 18), suspend processing in specific cases
  • Portability (art. 20), receive their data in a structured, machine-readable format
  • Object (art. 21), object to processing based on legitimate interest, in particular for marketing purposes
  • Not to be subject to automated decisions with significant effects (art. 22): no such decisions are made on the Platform
  • Withdraw consent at any time, without affecting the lawfulness of prior processing

How to exercise rights

Requests must be sent by email to privacy@soraia.io indicating:

  • the identity of the requestor (with a copy of an identity document for verification, where necessary)
  • the right they intend to exercise
  • the facts and reasons in support, where applicable

SORAIA replies within 30 days of receipt of the request (art. 12 GDPR), extendable to 60 days for complex requests, with reasoned communication.

Where the data subject exercises a right regarding data processed by SORAIA as Processor (e.g. leads collected through Linkly on behalf of a client), SORAIA forwards the request to the Controller client without undue delay and provides the latter with the necessary assistance (art. 28(3)(e) GDPR).

Complaint to the supervisory authority

The right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) under art. 77 GDPR remains unaffected, as does the right to refer to another competent supervisory authority based on the data subject's residence or habitual workplace.

10. Security measures

Under art. 32 GDPR, SORAIA adopts technical and organisational measures appropriate to the risk, including:

  • Encryption of data in transit via TLS 1.2+ with modern cipher suites
  • Encryption of data at rest on databases (AES-256)
  • Access controls based on individual credentials and the least-privilege principle
  • Mandatory multi-factor authentication for administrative accounts
  • Password hashing with industry-standard algorithms (bcrypt)
  • Logical separation between environments (development, staging, production) and between client data
  • Logging and monitoring of administrative access (12-month retention)
  • Daily automatic backups with tested disaster-recovery procedures
  • Incident management with an internal procedure providing for notification to the Italian DPA within 72 hours (art. 33 GDPR) and to affected clients without undue delay
  • Periodic review of accesses (quarterly review)
  • Personnel training under art. 29 GDPR (annual)
  • Penetration tests periodically on critical components
  • Timely patch management for known vulnerabilities

The Site uses only technical cookies necessary for operation, under art. 122 Italian Legislative Decree 196/2003 (for which no prior consent is required).

For details on the cookies used, their purposes, duration and management, please refer to the dedicated Cookie Policy.

12. Processing of data relating to minors

The Linkly Platform is a B2B tool intended exclusively for adult professional users. SORAIA does not knowingly collect data of minors. Should a Controller client erroneously enter data of minors, it must immediately notify privacy@soraia.io for deletion.


Data protection contacts

For any question relating to the processing of personal data, the exercise of GDPR rights, or to receive a copy of the Data Processing Agreement, please contact:

Data Protection Officer (DPO): not designated. SORAIA S.R.L. is not subject to the obligation to designate a DPO under art. 37 GDPR (the requirements set out in par. 1 letters b and c are not met). Requests from data subjects and from clients' DPOs are managed directly by the company privacy function via the contacts above.

Complaints: without prejudice to the right to contact the Controller/Processor directly, data subjects have the right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or with another competent supervisory authority based on their place of residence.

Updates to this document

SORAIA S.R.L. reserves the right to update this document for regulatory reasons or service evolution. Material changes will be communicated to active clients via email and published on this page with the last-updated date refreshed.

Go deeper with AI

Linkly pages are optimised to be read correctly by AI assistants. Open the conversation in your preferred one with the context already in place, or copy the prompt to use it anywhere.