Privacy Policy according to the European Data Protection Regulation No. 679/2016

This policy provides methods by which GELLIFY as “Controller”, with registered office in Casalecchio di Reno (BO), via Isonzo n. 55/2, 40033, P.I. 03561101209, and Cariplo Factory S.r.l. Società Benefit, with registered office in Milan (MI), Via Manin n. 23, P.I. 09440060961 (hereinafter “Companies” or “Controllers”), process personal data collected through the website Personal data are provided by users interested to apply to the acceleration program “Frontech” (hereinafter, the “Program”) dedicated to startups developing digital services to innovate through Web 3.0, Metaverse, Generative AI.

The Controllers shall evaluate the startups application forms submitted by users (hereinafter “Applicants” or “Users“), together with the relevant documentation, in order to evaluate the existence of all the requirements and consequently select the participating startups. This evaluation process is carried out by a limited number of subjects, expressly identified by the Controllers.

Attention to privacy, confidentiality and protection of Users’ personal data are our precise commitment; therefore, personal data are processed with highest standards of accuracy and in compliance with the relevant privacy and security regulations (EU General Data Protection Regulation no. 679/2016, hereinafter “GDPR” or “Regulation“; Legislative Decree 196/2003 as amended and supplemented).

Which personal information do we collect?

The processing of personal data concerns information that Applicants voluntarily decide to provide in order to apply to the Program, on their own behalf or on behalf of the startup of which they are partners or directors, for an evaluation and a possible contact request. When Applicants submit a request through the appropriate form, they are invited to provide certain identification and contact data (such as first name, last name, job title, e-mail address and telephone number) in order to better manage their needs and to easily provide direct feedback.

Such data relate mainly to the members’ work background, as well as details regarding the figures involved in the development of the business idea that the Applicants intend to pursue during their participation in the Program.

Applicants who upload and/or share data relating to people other than themselves hereby declare that they have obtained the prior consent of such third parties and have shared with them the purposes of the data processing.

To protect your rights, we ask you to limit the information to what is strictly necessary for the purpose of filling out the cited form. Therefore, we kindly ask you not to release any further information, especially of a sensitive nature (Art. 9 of the GDPR) that cannot be processed, unless you have given your explicit consent, nor to send files containing information in excess of what is necessary for the main purposes and for the management of related requests.

All information related to the initiative/project, once communicated, may be shared by the Controller within the circuit identified for the valorization of the activities, within the limits and in compliance with the purposes for which they were acquired.

Purpose and Legal Basis

The Controllers will process Applicant’s data automatically, to collect, manage and process personal data provided in the application forms, in order to select startups for the Program. Data processing is based on the voluntary application to the Program submitted by Users through positive action (click on the dedicated button), for the purpose of the participation to the Program itself and for the fulfilment of precontractual obligations.

Please note that the provision of data is optional, however, refusal to provide your identification data for this purpose will make it impossible for us to manage your application and to grant you the opportunity to apply for the Program.

Who processes your personal information?

Personal data shall be processed by the Controller and partners involved in the Program (e.g., Cariplo Factory, Fondazione Sardegna, Innois, Microsoft, Algorand, Bper and FPZ, hereinafter “Partners”) who will process them as “Independent Data Controllers” for the same purposes related to the management of the Program itself and in accordance with their respective Privacy Policies.

How is this information shared?

Personal data may be communicated to employees and/or collaborators, in their capacity as authorized subjects for processing, within the scope of their respective functions and according to the instructions given by the Controller.

Furthermore, the data may be processed by:

  1. Partners / Promoters for the management of the Program itself;
  2. third party service providers necessary to ensure the operation of the site (by way of example: company that provides hosting services);
  3. third parties, contractually bound to the Controllers, necessary for the running of the Program;
  4. third parties who perform site analysis services;
  5. third parties who provide site navigation data analysis services.

These subjects, if the prerequisites are met, will be appointed as “External Data Processors” pursuant to Article 28 of the GDPR.

Processing methods

The data processing is carried out in automated and/or manual form and/or with electronic tools.

Personal data will be stored both in a physical archive and in the company’s electronic database for the aforementioned purposes in compliance with the provisions of Art. 32 of the GDPR regarding security measures, by specially appointed persons and in compliance with the provisions of Art. 29 of the GDPR.

Data Transfer

For the provision of some services Controllers’ personal data may be subject to international transfer to third parties located in countries outside the European Economic Area. In such case, the transfer of such data will be regulated using data transfer mechanisms according to the provisions of the GDPR and approved by the European Commission, such as Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries under the GDPR, including measures to supplement these SCCs and ensure compliance with the EU level of protection according to the Recommendations 01/2020 published by the European Data Protection Board.

Data Retention

Personal data shall be retained only for the time necessary to carry out the purpose for which they were collected such as the management of applications to the Program. However, the Controllers may retain personal data for an additional period as required under applicable laws and for legal, tax or regulatory reasons. The criteria used to determine the retention period is in accordance with the terms permitted by applicable laws and the principles of data minimization. Data may also be retained for a period of 10 years (or even longer) for the purpose of any legal proceedings in accordance with the laws and regulations in force, as well as in the event of legal proceedings or requests by the Authorities.

Upon expiry of these terms, personal data will be automatically deleted or irreversibly transformed into anonymous information.

How do we protect your data?

The Controllers employ a variety of appropriate technical and organizational measures to protect Users’ personal data, including the use of secure servers, firewalls, encryption of application data and communications. Appropriate security measures are implemented to prevent the loss of data, unlawful or incorrect use and unauthorized access.

Links to other websites

This website may include links to other websites that we do not control and to which this Privacy Policy does not apply. We are not responsible for the content or any processing of personal data on such sites. We suggest you examine the Privacy Policy of each linked website to determine the processing of personal data.

Your rights

Users can exercise all the rights set forth by the GDPR. Users may, at any time and free of charge, exercise their rights to access (Art. 15), to rectify (Art.16), to erasure (Art.17), to restrict the processing (Art. 18), to request the portability of their personal data (Art.20) and to object to the processing of their personal data (Art.21). As well as the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Art. 22).

To exercise the rights listed above, as well as for any clarification, Users may contact the Controllers, at any time, by sending an email to the following email address: 

If Users considers that the Companies have infringed, or may have infringed, its rights under the applicable data protection regulations, Users may lodge a complaint before the corresponding supervisory authority “Garante per la protezione dei dati personali”, pursuant to Art. 77 of the GDPR.

Use of cookies

This website may collect some data in order to offer its services. Please see the Cookies Policy for details:


The Companis may occasionally make changes to this privacy policy, for example to comply with new requirements imposed by applicable laws or technical requirements. We will post the updated privacy policy on our website. We therefore encourage you to review this page every so often.

The Privacy Policy was last updated: April 2024.