Skip to main content

Privacy Policy

Last Updated: March 14, 2026

This Privacy Policy explains how ESB SERVICES SRL (“we”, “us”, or “our”) collects, uses, and protects personal data when you visit our website and when you contact us about our online workplace skills education programs delivered to learners across Canada. This policy is written for transparency and is intended to help you understand what information is collected, why it is collected, and what choices you have.

1) Introduction & Controller Identity

ESB SERVICES SRL is the Data Controller for personal data processed in connection with this website. That means we determine the purposes and means of processing your personal data under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Italian data protection law.

Data Controller: ESB SERVICES SRL
Address: Piazza della Repubblica, 32, 20124 Milano (MI), Italy
Email: [email protected]
Phone: +39 02 8295 7431

We do not appoint a Data Protection Officer (DPO) because our activities do not require one under GDPR Articles 37–39. If that changes, we will update this policy and provide DPO contact details.

Effective date: March 14, 2026.

2) Personal Data We Collect

We collect personal data in three main ways: (a) information you provide directly, (b) technical data generated when you use the website, and (c) cookie and tracking identifiers (depending on your consent preferences).

  • Identity and contact data: full name, email address, phone number (if provided).
  • Form content: the program or workshop you select, your messages, scheduling notes, and any other details you choose to share.
  • Technical data: IP address, browser type and version, device type, operating system, language preferences, and approximate location derived from IP (city/region level).
  • Usage data: pages viewed, time spent on pages, navigation paths, referrer URL, and interaction events (for example, clicking a registration button).
  • Cookies and identifiers: first-party cookies required for basic website operation, plus analytics and marketing cookies if you consent (details in Section 4).
  • Conversion events: whether a registration request was submitted and related attribution signals (when marketing cookies are enabled).

We do not intentionally collect special-category personal data (for example, health information, religious beliefs, political opinions), financial account details, or government-issued identification numbers through our standard registration and contact forms. Please do not include such information in your messages.

3) Why We Process Personal Data & Legal Bases (GDPR Article 6)

We process personal data only when there is a lawful basis under GDPR. The legal basis depends on the purpose of processing:

  • Responding to registration requests and inquiries: to review your message, answer questions, and coordinate enrollment steps. Legal basis: GDPR Art. 6(1)(b) (steps prior to entering a contract) and, where required, Art. 6(1)(a) (consent).
  • Website analytics (optional): to understand how visitors use the site and improve navigation, content clarity, and performance. Legal basis: GDPR Art. 6(1)(a) (consent).
  • Marketing and measurement (optional): to measure advertising performance, create remarketing audiences, and attribute conversions when you consent. Legal basis: GDPR Art. 6(1)(a) (consent).
  • Security and abuse prevention: to protect the website and our systems from spam, fraud, and malicious activity. Legal basis: GDPR Art. 6(1)(f) (legitimate interests).
  • Legal obligations: to comply with applicable laws and respond to lawful requests. Legal basis: GDPR Art. 6(1)(c).

Automated decision-making (GDPR Article 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. If we use advertising audiences (for example, remarketing lists), they are used for marketing measurement and relevance and do not produce legal or similarly significant effects.

4) Cookies & Tracking

Cookies are small text files stored on your device. Some cookies are essential for the website to function; others are used for analytics and marketing, and those categories require your consent. In addition to cookies, advertising and analytics partners may use pixel tags and similar technologies to recognize a browser or device.

Essential cookies (always active)

Essential cookies are required for the website to operate and for you to manage consent preferences. They cannot be disabled via our cookie controls because they are necessary for core functionality and security.

  • _site_session (first-party): supports session continuity and basic site operation.
  • cookie_consent (first-party): stores your cookie category choices.

Retention: session to 12 months for essential cookies (depending on cookie type).

Analytics cookies (consent required)

If you opt in to analytics cookies, we may use Google Analytics 4 (GA4) to understand website usage and improve content and user experience. Where configured, IP anonymization is applied and reporting is aggregated. Analytics data retention is configured for 14 months.

  • _ga (third-party): GA4 user identifier; typical retention 2 years.
  • _ga_XXXXXXXXXX (third-party): GA4 session state; typical retention 2 years.

Marketing cookies (consent required)

If you opt in to marketing cookies, advertising partners may place cookies or similar identifiers to measure advertising performance and to help show relevant messages. These tools are commonly used for remarketing, conversion attribution, and audience creation (such as custom or lookalike audiences).

  • _gcl_au (third-party): Google Ads conversion linker; typical retention 90 days.
  • _fbp (third-party): Meta Pixel browser identifier; typical retention 90 days.
  • _fbc (third-party): Meta Pixel click identifier (set when a click ID exists); typical retention 90 days.

In addition to cookies, partners may process device and event information (such as page views and conversions). If server-side integrations are used in the future (for example, Meta Conversion API or server-side tag management), they may transmit limited event data and hashed identifiers, subject to your consent choices.

5) Consent and Your Choices (EEA/UK)

Users in the European Economic Area (EEA) and the United Kingdom receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Consent is recorded in the cookie_consent browser cookie for up to 12 months.

You can change your preferences at any time by clicking “Manage cookie preferences” in the footer. You can also withdraw consent by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

6) Sharing With Advertising & Service Partners

We share personal data only as needed to operate the website, respond to inquiries, and (if you consent) measure marketing performance. We do not sell personal data.

These providers act as processors or independent controllers depending on the service and configuration. Where required, we use appropriate contractual protections. We do not permit these providers to use site data for their own independent commercial purposes beyond providing and improving their services under their terms and applicable law.

7) International Transfers

Some service providers may process data outside the EEA/UK, including in the United States. Where applicable, transfers rely on the EU–US Data Privacy Framework (DPF) (and the UK Extension to the DPF) and, where necessary, Standard Contractual Clauses (EU 2021/914) as a fallback mechanism. Additional safeguards may apply depending on the provider and transfer pathway.

8) Retention

We keep personal data only for as long as needed for the purpose it was collected for, plus any required retention period for legal, security, or dispute-resolution reasons. Typical retention periods include:

  • Contact and registration submissions: up to 2 years from the last interaction.
  • Email correspondence: for the duration of the relationship, plus up to 1 year.
  • Server logs and security records: typically up to 90 days (may be longer for incident investigation).
  • Analytics data: 14 months (where enabled).
  • Marketing cookies: per cookie lifetime (for example, 90 days), where enabled.
  • Consent records: up to 3 years where needed for compliance and audit.
  • Legal/tax retention: as required by applicable law (for example, invoice-related records may require longer retention).

9) Your Rights (GDPR & UK GDPR)

Depending on your location and applicable law, you may have the right to request access to your personal data, rectification, erasure, restriction of processing, data portability, and to object to processing. You also have the right to withdraw consent at any time where processing is based on consent.

  • Right of access (GDPR Art. 15)
  • Right to rectification (GDPR Art. 16)
  • Right to erasure (GDPR Art. 17)
  • Right to restriction (GDPR Art. 18)
  • Right to data portability (GDPR Art. 20)
  • Right to object (GDPR Art. 21)
  • Right to withdraw consent (GDPR Art. 7(3))
  • Right to lodge a complaint (GDPR Art. 77)

To exercise your rights, contact us at [email protected]. We typically respond within 30 days. For complex requests, this may be extended by up to 60 additional days as permitted by law.

Supervisory authority (Italy): Garante per la protezione dei dati personali (“Garante”). Website: https://www.garanteprivacy.it/. You can also consult the European Data Protection Board (EDPB) for general information: https://edpb.europa.eu/.

10) Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data without appropriate consent, contact us and we will take steps to delete the data promptly.

11) Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own approaches to DNT or similar signals.

12) Data Deletion Requests

You may request deletion of personal data by emailing [email protected] with the subject line “Data Deletion Request”. For security, we may need to verify your identity before completing the request. We aim to complete deletion within 30 days, except where retention is required by law or necessary to establish, exercise, or defend legal claims.

13) Business Transfers

If ESB SERVICES SRL is involved in a merger, acquisition, asset sale, financing, reorganization, or insolvency, personal data may be transferred to a successor or affiliated entity as part of that transaction. If such a transfer materially changes how personal data is used, we will provide notice on the website.

14) California (CCPA / CPRA) Notice

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. For the preceding 12 months, we may have collected the following categories of personal information:

  • Identifiers: name, email, IP address, cookie identifiers.
  • Internet or network activity: browsing interactions and usage events (if analytics/marketing are enabled).
  • Inferences: interests or preferences inferred from site interactions (used for advertising relevance if marketing is enabled).

We do not sell personal information as defined by the CCPA. We may share personal information for cross-context behavioral advertising when marketing cookies are enabled. You can opt out of such sharing through our cookie preferences controls (see Section 5) where applicable.

California rights may include: the right to know, delete, correct, and opt out of sale/sharing, as well as non-discrimination. To submit a request, email [email protected] with the subject “California Privacy Request”. We may require identity verification. Authorized agents may submit requests with appropriate written authorization.

15) Virginia (VCDPA)

If you are a Virginia resident, you may have rights under the Virginia Consumer Data Protection Act (VCDPA), including access, correction, deletion, portability, and the right to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we decline your request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We respond to appeals within 60 days.

16) Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information as defined by Nevada Revised Statutes Chapter 603A.

17) Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. If we make material changes, we will post a notice on the website at least 14 days before the changes take effect when feasible. The “Last Updated” date at the top of this page indicates the most recent revision.

18) Contact

If you have questions about this Privacy Policy, your personal data, or consent preferences, contact:

ESB SERVICES SRL
Piazza della Repubblica, 32, 20124 Milano (MI), Italy
Email: [email protected]
Phone: +39 02 8295 7431

Scope note

ESB SERVICES SRL is an education provider only. We provide online learning and informational materials related to workplace skills. We do not provide financial services, investment advice, legal services, accounting, immigration assistance, employment placement, IT services, software development, management consulting, or government-recognized certification services.