In accordance with current legislation (Article 13 of Regulation (EU) 2016/679, hereinafter also referred to as the GDPR), Rexilience S.r.l., represented by its current legal representative, provides users of the mySCORE service (hereinafter also referred to as the “Platform”) with information regarding the processing of their data.
Furthermore, before using the Platform, we invite you to also read the “Terms and Conditions of Use”.
The Data Controller is Rexilience S.r.l., VAT No. IT12011490963, with registered office at Corso Venezia, 54 – 20121, Milan (hereinafter the “Data Controller” or “Rexilience”). To receive information regarding the processing, please write to: privacy@rexilience.eu.
This Privacy Policy applies to the processing, carried out by Rexilience, of personal data relating to users (hereinafter referred to as “Users”) of the mySCORE Platform who use the service to (i) analyse the cybersecurity posture of their own organisation or (ii) analyse the cybersecurity posture of third-party organisations (also referred to as “Targets”).
The data processed includes browsing data, identification and contact details provided by the User when completing the mySCORE questionnaire (“Questionnaire”), as well as any additional data subsequently provided via the members’ area or the specific functions reserved for authenticated Users.
– Browsing data
The IT systems and software procedures used to operate the Platform acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow Users to be identified.
This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.
– Data provided voluntarily by the user
This category includes all personal data provided by the user on an optional basis. In particular, the identification and contact details provided by the User when accessing the platform by completing the relevant questionnaire are processed; this may also require the inclusion of details of other individuals belonging to the User’s organisation, as well as any further data provided, including subsequently, via their personal account or the specific functions dedicated to authenticated Users.
– Information collected via cookies and other tracking systems
The website uses technical cookies, namely session cookies (non-persistent) necessary for the secure and efficient browsing of the websites.
Personal data collected via the Platform is processed for the following purposes and on the following legal grounds:
a. To take steps prior to entering into a contract or to perform a contract at the User’s request (Article 6(1)(b) of the GDPR)
Personal data provided by the User on an optional basis is used solely to process the requests made by the User. In particular, personal data is used to enable the User to access the Platform and make use of the services reserved for authenticated Users, and to proceed with completing the questionnaire, in accordance with the Terms and Conditions of Use, to which reference is made.
b. Consent of the data subject (Article 6(1)(a) of the GDPR)
Where expressly consented to, personal identification and contact details may be processed for the purpose of sending advertising or direct marketing material, or for carrying out market research or commercial communications regarding the activities and services offered by the Data Controller via traditional means, such as telephone contact with an operator, as well as automated means, such as email (including via newsletters) or text messages.
Please note that any consent given for the sending of commercial and promotional communications, pursuant to Article 130, paragraphs 1 and 2, of Legislative Decree 196/2003 (“Privacy Code”), implies the receipt of such communications not only via automated means of contact (text messages, emails and other types of messages), but also via traditional methods (such as post or calls via an operator).
Consent may be withdrawn, including separately for different purposes, at any time, without prejudice to the lawfulness of the processing carried out prior to such withdrawal.
c. Legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR)
Browsing data is collected to enable the website to function properly, for security purposes and to monitor its correct operation, and may be used to establish liability in the event of any cybercrimes committed against the website.
The data provided by the User may be used in the legitimate interest of the Data Controller to carry out defensive activities or to assert or defend a right in court.
Finally, the data provided by the User by completing the Questionnaire may be used, in aggregated form, for scientific research purposes with the sole aim of improving the service offered to the Data Controller.
The provision of data for the purposes set out in this Privacy Policy is not mandatory. However, failure to provide such data, even in part, will prevent the User from using the services offered and from entering into any contractual relationships.
Please also note that failure to provide or the withdrawal of consent for the analysis of interests and/or for the performance of commercial and promotional activities will prevent us from keeping the User updated on news, offers or initiatives promoted by Rexilience.
Users’ data is processed using the IT systems and software employed by Rexilience, to the extent strictly necessary to achieve the stated purposes and, in any event, in such a way as to minimise the processing of identifying and contact details.
Appropriate security measures are in place to prevent data loss, unlawful or improper use, and unauthorised access.
The data is stored in electronic archives located at the Data Controller’s premises and on servers controlled by the Data Controller, all of which are located within the European Economic Area.
Personal data provided by Users who wish to use the mySCORE service will be retained for the entire duration of the contractual relationship and, following its termination, only for the time necessary to ensure compliance with all legal obligations.
The browsing data of Users accessing the Website is collected and stored for 18 (eighteen) months and in any case in accordance with legal obligations.
Data collected with the user’s consent and processed for the purpose of sending the newsletter and/or commercial communications will be stored for 24 months and in any case until such time as the aforementioned consent is revoked.
Once the retention periods have expired, personal data will be destroyed, erased or anonymised, in accordance with the technical procedures for erasure and backup, subject to any legal defence requirements, in which case the data may be retained beyond the periods indicated.
The data will be processed by the Data Controller, including through authorised staff.
The data will be accessed by the companies used by the Data Controller to provide hosting services and manage the email associated with the website, by companies providing support and maintenance for the IT systems used, by any resellers, and by consultants for the management of litigation and for legal assistance in the event of any disputes requiring their involvement. The data may also be disclosed to the competent authorities in the event of specific requests which the Data Controller is required by law to comply with.
It should be noted that some of the entities listed act as Data Processors, pursuant to Article 28 of the GDPR, whilst others act as independent Data Controllers. In the latter case, data is disclosed because (i) it is required by law, (ii) it is necessary to fulfil obligations arising from a contractual relationship, or (iii) it is in the Data Controller’s legitimate interest to maintain the security of IT systems and to carry out defensive activities through legal advisers.
In any case, the disclosure is limited to the categories of data whose transmission is necessary for the achievement of the stated purposes.
The data subject may request from the Data Controller a list of external parties acting as data processors.
Users of the platform may, at any time, exercise the rights granted to them under Articles 15 et seq. of the GDPR.
In particular, the User may exercise:
You may exercise the above rights at any time by contacting us at the following email address: privacy@rexilience.eu.
Any changes to this policy will be communicated to the User.
A copy of the most up-to-date version of this policy is always available on the Platform.
Date last updated: May 7, 2026