This privacy notice regarding the processing of Personal Data is provided by:

White Exchange Srl, headquartered in Milan (MI), Via Durini 25, 20122 VAT number and registration number in the Milan Business Register 12380700968 (hereinafter referred to as the “Company” and “Data Controller”) informs with this document the users of the website interested in using the platform accessible via www-wexvr.com and the related Meta App “WEXVR” (the “Platform”) who qualify as “data subjects,” meaning the individuals to whom the Data processed by the Company refers.

For privacy-related matters, you may contact the Company at:
📧 dpo@whtexch.com

The Company has appointed a Data Protection Officer (DPO), who can be contacted at:
📧 dpo@whtexch.com

Categories of Data

The Company may process the following categories of personal data:

Identification data (first name, last name)
Contact data (email address)
Account authentication data (via Clerk or Google login)
Any data voluntarily provided through comments or communications
Payment-related data (processed via Stripe)

(“Data”)

Purpose of the Processing

The legal basis are:

Art. 6(1)(b) GDPR – Performance of a contract (including account creation, authentication, and user management - to manage payments made through the Platform.
Article 6(1)(c) GDPR - Compliance with the laws, including accounting and regulatory obligations
Art. 6(1)(a) GDPR - Consent by the user which is given by accessing the Platform.

Recipients of Personal Data

Personal Data may be accessed by the following categories of recipients:

External professional advisors
IT and hosting providers
Technical service providers
Contractors operating the Platform
Stripe (for payment processing)
Public authorities, where required by law

(collectively referred to as the “Recipients”).

Some of the Recipients may be located both within and outside the European Economic Area, resulting in the cross-border transfer of Personal Data. In such cases, the Company will transfer the data in compliance with the GDPR provisions governing such transfers, adopting all required safeguards.

We use Stripe as our payment service provider. Stripe is operated in Europe by Stripe Payments Europe Ltd., with its registered office in Ireland.

When you make a payment on our website, certain personal data is processed by Stripe in order to complete the transaction. This may include:

Full name
Email address
Billing address
Payment method details (e.g., credit or debit card information)
Transaction amount and details

Payment data is transmitted directly to Stripe via a secure SSL-encrypted connection. We do not store full payment card details on our servers. Stripe processes personal data on our behalf as a data processor pursuant to Article 28 of the GDPR for the purpose of facilitating payment transactions.

However, Stripe may also act as an independent data controller for certain processing activities, such as fraud prevention, anti-money laundering compliance, and other legal obligations. The legal basis for processing payment-related data is the performance of a contract pursuant to Article 6(1)(b) GDPR.

For more information on how Stripe processes personal data, please refer to Stripe’s Privacy Policy:
https://stripe.com/en-it/privacy

Retention of Personal Data

Personal Data will be retained for as long as necessary to fulfill the purposes described above, except in cases where specific legal obligations require a longer retention period.

When the user deletes its account we keep the Data for 12 months unless it is required to keep it longer for regulatory reasons.

Nature of Data Provision

The provision of personal data is necessary for the creation and management of a user account and for accessing the Platform. Failure to provide such data will make it impossible to use the Platform.

User Rights

Under the GDPR, users have the following rights:

GDPR

Rights

Descriptions

Art. 15

Right of Access

Obtain confirmation of the existence of data processing activities, as well as access to the data, its origin, purposes, retention period, recipients, and methods used.

Art. 16

Right to Rectification

Request the updating, rectification, or integration of Personal Data being processed by the Company.

Art. 17

Right to Erasure

Request deletion of Personal Data when (i) it is no longer necessary for the purpose it was collected, (ii) consent is withdrawn, (iii) processing is unlawful, or (iv) law requires deletion.

Art. 19

Right to Restriction of Processing

Request restriction of processing under specific conditions, allowing only storage or temporary limitation during verification processes related to other rights.

Art. 20

Right to Data Portability

Obtain data in a commonly used, machine-readable format (e.g., Excel file) and transfer it to another data controller.

Art. 22

Right to Avoid Automated Decisions

Request that data not be subjected to automated decision-making processes or confirm that such methods are not used.

Artt. 13+77

Right to File a Complaint

Submit a complaint to the competent supervisory authority if you believe that the Company is processing data in violation of this policy or the law.

For complaints to the Italian Data Protection Authority, use the following link:

https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/4535524#:~:text=L'apposita%20istanza%20all'Autorit%C3%A0,rpd%40gpdp.it).

In addition to the rights listed above, participants may also exercise the right to object (Art. 21 GDPR), which allows opposition, in whole or in part, to processing based on legitimate reasons.

All rights are subject to legal limitations that the Company may invoke in response to such requests.

WHTEXCH Solutions SRL

CF e PIVA: 12380700968

Sede legale: Via Durini 25, 20122, Milano (MI), Italia

Capitale Sociale: 10.000,00 Euro