COOKIE POLICY
EOLIANN S.R.L. SOCIETÀ BENEFIT
Pursuant to art. 122 Legislative Decree 196/2003, Regulation (EU) 2016/679 and Italian DPA Order no. 231 of June 10, 2021
| Data Controller | EOLIANN S.R.L. SOCIETÀ BENEFIT, VAT no. 12457140965 |
| Registered Office | Corso Raffaello, 28 – 10125 Turin (TO) |
| Operational Office | Corso Castelfidardo, 22 – 10128 Turin (TO) |
| E-mail | info@eoliann.com |
| PEC (Certified Email) | eoliannsrl@legalmail.it |
| Website | www.eoliann.com |
| Document | Cookie Policy — www.eoliann.com |
| Main legal references | Reg. (EU) 2016/679 (GDPR); art. 122 Legislative Decree 196/2003; Italian DPA Order no. 231/2021 (web doc. 9677876, OJ no. 163/2021); EDPB Guidelines 05/2020 |
| Last updated | April 9, 2026 |
| Website status | Exclusive use of technical/necessary cookies — no analytics, marketing or profiling cookies active as of this date |
| Privacy contact | CARNICELLI ROBERTO |
This document is the English translation of the original Italian Cookie Policy. In case of any discrepancy between this translation and the Italian original, the Italian version shall prevail.
1. Data Controller and Contacts
The Data Controller for personal data collected through the website is EOLIANN S.R.L. SOCIETÀ BENEFIT, VAT no. 12457140965, with registered office at Corso Raffaello 28, 10125, Turin (TO) (hereinafter the “Controller” or the “Company”). Contact details: e-mail info@eoliann.com, PEC (certified email) eoliannsrl@legalmail.it. EOLIANN S.R.L. SOCIETÀ BENEFIT has not appointed a Data Protection Officer (DPO) pursuant to art. 37 GDPR, as none of the mandatory conditions apply. Should such an appointment occur, the contact details will be indicated in this policy and in the website’s Privacy Notice.
2. Scope of Application
This Cookie Policy applies to the entire institutional website of EOLIANN S.R.L. SOCIETÀ BENEFIT, including institutional pages, landing pages, the ‘Demo’, ‘Let’s Talk’, ‘Newsletter / Guide / Annual Report’ forms and pages containing links to social networks or redirecting to external platforms (‘Work with Us’), as well as the access area of the AIRIS Climate Suite SaaS and API Platform accessible from the institutional website (login, registration, public interface), limited to cookies and technical tracking tools that may be installed in that context on the browser of the not-yet-authenticated user. This policy does not govern: (i) processing carried out directly by third-party platforms to which the user is redirected via external link; (ii) processing carried out in the authenticated area of the AIRIS Climate Suite SaaS and API Platform relating to geospatial data, credentials, usage logs and climate risk outputs, which are governed by the AIRIS Climate Suite SaaS and API Client and User Privacy Notice. For cookies installed by the AIRIS Platform on authenticated users’ browsers, please refer to section 2-bis of this policy.
2-bis. AIRIS Climate Suite SaaS and API Platform Cookies (authenticated area)
The AIRIS Climate Suite SaaS and API Platform Service is accessible to authenticated users (enterprise client contacts and employees) through a restricted area of the website, reachable after authentication with personal credentials. Unlike the public pages of the institutional website, the authenticated area may install specific cookies and tracking tools on the user’s browser, functional to providing the SaaS service and managing the application session. In this context the legal framework presents certain specificities compared to public pages: (i) the relationship between EOLIANN S.R.L. SOCIETÀ BENEFIT and the AIRIS Platform user is governed by the subscription agreement and the AIRIS Client and User Privacy Notice, which governs processing of geospatial data, credentials, usage logs and climate risk outputs; (ii) technical session and authentication cookies do not require consent pursuant to art. 122(1) Legislative Decree 196/2003, as they are strictly necessary for the provision of the service expressly requested by the user; (iii) any non-necessary cookies installed in the authenticated area require prior consent and must be inventoried, classified and communicated to users separately from any consent given for the public website pages.
2-bis.1 Technical cookies of the AIRIS Climate Suite SaaS and API Platform (documented)
Based on available documentation (GDPR Assessment, AWS eu-central-1 architecture), the AIRIS Climate Suite SaaS and API Platform installs the following strictly necessary technical cookies for service delivery:
- Session and authentication cookies: necessary for maintaining the authenticated user’s session, managing the access token (JWT or equivalent) and CSRF protection of application forms. Session cookies, deleted on browser close, or short-term persistent (up to 30 days for ‘remember me’). Legal basis: art. 122(1) Legislative Decree 196/2003 (technically necessary); art. 6(1)(b) GDPR (performance of the subscription contract).
- Security and anti-CSRF cookies: application request protection tokens, AWS load balancing cookies (e.g. AWSALB), session integrity cookies. All technically necessary, no consent required.
- Interface preference cookies: any technical user preferences relating to the AIRIS Platform interface (e.g. language, GIS display, dashboard layout), if stored via cookie. Legal basis: art. 122(1) Legislative Decree 196/2003.
2-bis.2 Third-party cookies and tools in the authenticated area
Available documentation does not contain a complete technical inventory of cookies and third-party tools that may be loaded in the authenticated area of the AIRIS Platform.
2-bis.3 Technical verification and update obligation
Personal data processing carried out in the authenticated area of the AIRIS Climate Suite SaaS and API Platform (geospatial data of assets, user credentials, access and usage logs, climate risk outputs) is not governed by this Cookie Policy but by the AIRIS Client and User Privacy Notice, issued pursuant to arts. 13 and 14 GDPR, which governs the relationship between EOLIANN S.R.L. SOCIETÀ BENEFIT and authenticated users in the context of the Climate Suite subscription agreement.
3. Applicable Legal Framework
The applicable regulatory framework derives from the combined provisions of the following sources:
- Regulation (EU) 2016/679 (GDPR), in particular arts. 4, 5, 6, 7, 13, 25 and Recital 30.
- Art. 122 of Legislative Decree 196/2003 (Privacy Code), as substituted by Legislative Decree 101/2018: conditions the storage of information on the terminal on prior consent, except for strictly necessary technical tools.
- Italian DPA Order no. 231 of June 10, 2021 (web doc. 9677876, Official Gazette no. 163/2021, in force from January 10, 2022): classifies cookies, banner requirements, symmetry of controls, prohibition of scrolling, cookie walls, consent renewal, fingerprinting and passive tools. This constitutes the main regulatory reference of this policy.
- EDPB Guidelines 05/2020 on consent, adopted on May 4, 2020: supplement the requirements for valid consent under the GDPR (freedom, specificity, information, unambiguity).
- Italian DPA FAQs on Cookies and related interpretative clarifications.
4. Definitions
4.1 Cookies
Small text strings that websites visited by the user (so-called publishers or ‘first parties’) or different sites or web servers (‘third parties’) place and store within a terminal device available to the user. The browser memorises the cookies and retransmits them to the site on subsequent visits. The information encoded in cookies may include personal data (IP address, username, unique identifier) or non-personal data (language settings, device type).
4.2 Other tracking tools: including fingerprinting
The same result as cookies can be achieved through other tools, divided into ‘active’ identifiers (local storage, session storage, pixels, SDK, scripts) and ‘passive’ ones. The latter include fingerprinting: a technique that identifies the user’s device by collecting information about its specific configuration (browser, OS, plug-ins, resolution, fonts) without storing anything on the terminal. The user cannot independently remove fingerprinting, unlike cookies. Pursuant to Italian DPA Order no. 231/2021, fingerprinting and all passive tools are subject to the same rules as cookies.
4.3 First-party / Third-party Cookies
First-party cookies are installed directly by the domain of the visited website. Third-party cookies are installed, through the website, by domains or providers different from the Controller, which connect directly to the user’s terminal and are able to collect cross-site browsing data.
4.4 Session / Persistent Cookies
Session cookies are automatically deleted when the browser is closed or the session ends. Persistent cookies remain stored on the device for a set period and are reused in subsequent visits.
4.5 Technical or strictly necessary cookies
Cookies or tools whose installation does not require consent pursuant to art. 122(1) Legislative Decree 196/2003: used solely to carry out the transmission of a communication over an electronic network or to the extent strictly necessary to provide a service expressly requested by the user. This category includes: session cookies, security tokens, privacy preference storage cookies, load balancing cookies. Analytics cookies are not included, except where the assimilation conditions under par. 7.2 are verified.
4.6 Analytics / Statistical Cookies
Cookies or tools used to measure website visitors, traffic and performance. Third-party analytics cookies always require consent (Italian DPA Order 2021). First-party analytics cookies may be treated as technical only if all the conditions under par. 7.2 are cumulatively met.
4.7 Profiling and Marketing Cookies
Cookies or tools aimed at building individual profiles based on behaviour and preferences, including for personalised advertising, remarketing or lead tracking. They always require prior, free, specific and granular consent.
4.8 Consent
Pursuant to arts. 4(11) and 7 GDPR and EDPB Guidelines 05/2020: any freely given, specific, informed and unambiguous indication of wishes, expressed by a statement or clear affirmative action (opt-in). The following do not constitute valid consent: silence, mere continuation of browsing (scrolling), pre-selections, any ambiguous action, or consent conditioned on access to the website (cookie wall without alternative).
5. Conservative Approach and Current Website Status
This Cookie Policy is drafted with a documentary and conservative approach. The completed final GDPR Assessment (‘Cookie’ sheet) certifies that the institutional website of EOLIANN S.R.L. SOCIETÀ BENEFIT does not currently install analytics cookies, remarketing pixels, profiling cookies, social plugins with automatic release on page load, third-party chats, heat maps, session replay, fingerprinting or behavioural tracking.
- The document precisely describes the applicable legal framework for the entire website.
- It certifies the use of only technical/necessary tools in the documented and verified state.
- It does not attribute as certainly active any non-necessary tools in the absence of technical certification.
- It sets out the operating rules for the possible future introduction of additional tools.
6. Personal Data Processed through Cookies and Technical Tools
Through technical cookies and strictly necessary tools, the website may process: online identifiers; IP address or portions thereof; date, time and duration of the request; technical session parameters; user-agent (browser and device); technical browsing preferences; status of consent or refusal expressed in the banner; security logs; temporary tokens; information necessary for the provision of the requested service. Technical browsing data and server-side logs are stored for a period not exceeding ninety (90) days, in accordance with the security measures adopted by EOLIANN S.R.L. SOCIETÀ BENEFIT and the website’s Privacy Notice. In the documented configuration, such data are not used for individual profiling, automated decisions with significant effects or behavioural marketing.
7. Legal Bases for Processing
7.1 Technical and strictly necessary cookies
The lawfulness basis for accessing the terminal is art. 122(1) Legislative Decree 196/2003. The related processing of personal data takes place on the basis of:
- The Controller’s legitimate interest in ensuring security, integrity and proper functioning of the website (art. 6(1)(f) GDPR).
- The necessity to execute pre-contractual measures or to provide a requested service (art. 6(1)(b) GDPR) for session management.
7.2 Analytics cookies treated as technical (if introduced)
Italian DPA Order no. 231/2021 permits first-party analytics cookies to be treated as technical, and therefore used without consent, only if all the following conditions are cumulatively met:
- a) They are exclusively first-party.
- b) The IP address is masked before any processing.
- c) The provider contractually waives cross-referencing and any further use.
- d) The creation of individual profiles is not permitted.
The Controller must document verification of these conditions before qualifying any analytics cookie as technical.
7.3 Non-necessary cookies (if introduced)
For analytics cookies not equivalent to technical, profiling, marketing, remarketing cookies and non-necessary third-party tools, the legal basis is the user’s prior consent (arts. 6(1)(a), 7 GDPR and art. 122 Legislative Decree 196/2003). In the absence of valid consent, such tools cannot be activated.
8. Inventory of Cookies and Tracking Tools
The following table shows the inventory by category.
| Name / Identifier | Provider | Domain | Purpose | Duration | Category |
|---|---|---|---|---|---|
| CATEGORY A — Technical/Necessary Cookies (art. 122(1) Legislative Decree 196/2003 — no consent required) | | | | | |
| wpEmojiSettingsSupports | First party | www.eoliann.com | WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user’s browser can display emojis properly. | Session | Technical/Necessary |
| cookieyes-consent | First party | www.eoliann.com | CookieYes sets this cookie to remember users’ consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about the site visitors. | 1 year | Technical/Necessary |
| _cfuvid | First party | www.eoliann.com | Cloudflare sets this cookie to track users across sessions to optimize user experience by maintaining session consistency and providing personalized services | Session | Technical/Necessary |
| VISITOR_PRIVACY_METADATA | YouTube | www.eoliann.com | YouTube sets this cookie to store the user’s cookie consent state for the current domain. | 6 months | Technical/Necessary |
| CATEGORY B — Non-Necessary Cookies — Not currently active — Require prior consent (art. 122 Privacy Code and Italian DPA Order no. 231/2021) | | | | | |
| __Secure-YNID | Third party | YouTube | YouTube cookie used to protect user security and prevent fraud, especially during the login process. | 6 months | Advertisement |
| __Secure-ROLLOUT_TOKEN | Third party | YouTube | YouTube sets this cookie to manage feature rollout and experimentation. It helps Google control which new features or interface changes are shown to users as part of testing and staged rollouts, ensuring consistent experience for a given user during an experiment. | 6 months | Advertisement |
| __Secure-YEC | Past | Advertisement | |||
| _clck | Third party | Microsoft Clarity | Microsoft Clarity sets this cookie to retain the browser’s Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID. | 1 year | Analytics |
| _clsk | Third party | Microsoft Clarity | Microsoft Clarity sets this cookie to store and consolidate a user’s pageviews into a single session recording. | 1 day | Analytics |
| _ga_* | Third party | Google Analytics | Google Analytics sets this cookie to store and count page views. | 1 year 1 month 4 days 1 minute | Analytics |
| _ga | Third party | Google Analytics | Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. | 1 year 1 month 4 days 1 minute | Analytics |
| YSC | Third party | YouTube | YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages. | session | Analytics |
| wp-wpml_current_language | First party | www.eoliann.com | WordPress multilingual plugin sets this cookie to store the current language/language settings. | session | Functional |
| VISITOR_INFO1_LIVE | Third party | YouTube | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. | 6 months | Functional |
9. Cookie Banner and Preference Centre: Requirements of Italian DPA Order no. 231/2021
Italian DPA Order no. 231/2021 sets out binding requirements for the consent acquisition mechanism. The website must comply with the requirements outlined below.
9.1 First-level banner requirements
- Immediate and visible display on first access to the website, without the need to scroll the page.
- Brief, clear and understandable notice, with explicit reference to this extended Cookie Policy.
- Symmetry of controls (fundamental requirement of Order 2021): the buttons for acceptance and refusal of all non-necessary cookies must have the same graphic prominence, size and ease of interaction. It is not permitted to make the ‘Accept all’ button more prominent than the ‘Reject’ or ‘Continue without accepting’ button.
- No pre-selections for non-necessary cookies: no pre-ticked boxes on non-technical categories.
- Access to granular settings: the banner must allow independent selection by category (analytics, functional, marketing).
- A ‘Close’ or ‘X’ option alone is not permitted if that action does not unambiguously equate to refusal of all non-necessary cookies.
9.2 Second-level preference centre
Accessible at any time from the website footer or equivalent area reachable with a single click. It allows users to revoke or modify preferences as easily as consent was given. It displays cookie categories with descriptions of purposes and providers involved.
9.3 Evidence and retention of consent
The CMP must retain evidence of consent given by each user: date and time; version of the banner and Cookie Policy; preferences selected per category; anonymous technical identifier of the user. Such evidence must be maintained for a period sufficient to demonstrate the lawfulness of processing in case of supervisory authority inspection.
9.4 Re-presentation of the banner
The banner must not be systematically re-presented to a user who has already expressed their preferences, except in the following exhaustive cases provided by Italian DPA Order 2021: (a) substantial change in the purposes or types of cookies; (b) expiry of the consent storage cookie; (c) use of different devices or browsers not linkable to the already identified user.
9.5 CMP Provider
The consent management platform (CMP) provider currently used is: CookieYes.
9.6 Prohibition of scrolling as consent mechanism
Italian DPA Order no. 231/2021 has definitively established that the mere continuation of browsing (scrolling) does not constitute valid consent to the installation of non-necessary cookies. The website of EOLIANN S.R.L. SOCIETÀ BENEFIT does not and will not adopt scrolling as a method of acquiring consent.
9.7 Repeated requests and prohibition of dark patterns
Repeated re-presentation of the banner after a refusal and the use of dark patterns (dissuasive messages, deceptive interfaces, inappropriate incentives) violate the freedom of consent requirement (art. 7(4) GDPR) and the privacy by default principle (art. 25(2) GDPR). The Controller is required to avoid any psychological or technical pressure aimed at steering the user’s choice towards acceptance of non-necessary cookies.
10. Withdrawal of Consent and Preferences Management
The data subject may withdraw or modify their preferences at any time, as easily as consent was given (art. 7(3) GDPR), through: (i) the preference centre accessible from the footer (‘Cookie Management’); (ii) their own browser settings (see Section 14). Withdrawal does not affect the lawfulness of processing carried out before such withdrawal. Following withdrawal, non-necessary cookies for which consent has been withdrawn must be immediately deactivated.
11. Cookie Wall — Rules and Limitations
A cookie wall is the practice of conditioning access to the website or a section thereof on consent to non-necessary cookies, without offering any alternative. Pursuant to Italian DPA Order no. 231/2021 and EDPB Guidelines 05/2020, a cookie wall without a reasonable alternative renders consent lacking the freedom requirement (art. 7(4) GDPR) and, therefore, invalid. The Italian DPA has clarified that mechanisms conditioning access to the website on consent may be admissible only if a reasonable alternative not conditional on consent is offered (e.g. paid access, registration, reduced version of the service). The alternative must be concrete, accessible and not merely symbolic. The website of EOLIANN S.R.L. SOCIETÀ BENEFIT does not adopt cookie walls or mechanisms that condition browsing on consent to non-necessary cookies.
12. Social Networks, Social Buttons and Embedded Content
The website contains links to EOLIANN S.R.L. SOCIETÀ BENEFIT’s social pages on LinkedIn, Instagram and YouTube. The mere presence of text links or redirect buttons to external URLs does not automatically install third-party cookies: contact with the social network’s servers is only established when the user intentionally clicks on the link. The embedding of plugins, widgets, players, feeds or embedded content that establishes automatic contact with the third party’s servers upon page load, regardless of any user interaction, constitutes indirect installation of third-party cookies, subject to the requirements of Italian DPA Order 2021. Such content must be blocked in advance and activated only after consent (the so-called ‘two-click solution’ or equivalent system). In the absence of contrary technical evidence, this policy assumes a configuration based on simple external redirects. For processing carried out by social networks, please refer to their respective privacy policies:
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
- Instagram / Meta: https://help.instagram.com/519522125107875
- YouTube / Google: https://policies.google.com/privacy