PRIVACY NOTICE

pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”)

This Privacy Notice describes the methods of processing personal data of users who interact with the website maximobility.it and/or the Maxi Mobility mobile application (jointly referred to as the “Platforms”).

1. Data Controller

The Data Controller is:
Maxi Mobility S.r.l. Società Benefit
Registered Office: Via Cadore 13, 20135 Milan (MI), Italy
VAT No.: 12137830969
E-mail: info@ma-xi.it
(hereinafter, the “Controller”).


2. Categories of Data Processed

The Controller processes users’ personal data (“Data Subjects”) such as:

  • Identification and contact data: name, surname, e-mail, phone number, address.
  • Data required for the provision of Maxi Mobility services (e.g. fleet configuration, vehicle availability, preferences).
  • Payment and transactional data relating to purchased services or mobility fees, also in connection with external payment systems (e.g. Stripe, financial institutions, leasing companies).
  • Technical browsing data: IP addresses, access logs, device identifiers, and data collected through cookies, as further detailed in the Cookie Policy.
  • Interaction data with the Platforms, including contact forms and support requests.

The Controller does not request or process special categories of personal data under Article 9 GDPR, unless strictly necessary and based on explicit consent.


3. Purposes and Legal Bases for Processing

Purpose | Legal Basis | Notes
a) Enable navigation and access to requested services | Performance of pre-contractual or contractual measures (Art. 6(1)(b) GDPR) | Includes access to reserved areas
b) Manage mobility, rental, leasing, and support contracts, including administrative and accounting activities | Contract performance (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) | Includes relations with financial partners
c) Respond to contact and technical support requests | Performance of pre-contractual measures (Art. 6(1)(b)) | -
d) Fulfil tax, legal, and regulatory obligations | Legal obligation (Art. 6(1)(c)) | -
e) Send informational and/or commercial communications, newsletters, and updates on Maxi services | Consent of the Data Subject (Art. 6(1)(a)) | Optional and revocable at any time
f) Protect the Controller’s rights (e.g. in case of disputes) | Legitimate interest (Art. 6(1)(f)) | -

4. Processing Methods

Data are processed through electronic and/or manual means, using appropriate technical and organizational measures to ensure security, integrity, and confidentiality.


5. Data Disclosure and Recipients

Data may be shared with:

  • Employees and collaborators authorized by the Controller;
  • IT and cloud service providers, hosting providers, CRM platforms (e.g. Odoo);
  • Payment and leasing companies (e.g. Stripe, credit institutions, partner firms);
  • Legal, tax, and administrative consultants;
  • Public authorities where required by law.

All such entities act as Data Processors or independent Controllers, as applicable.
An updated list of Data Processors is available upon request.


6. Data Transfers Outside the EU

Where the use of tools or suppliers entails transfers to non-EU countries, such transfers will comply with Articles 44–49 GDPR (e.g. through Standard Contractual Clauses or adequacy decisions).


7. Data Retention Periods

Data Type / Purpose | Retention Period
Contractual and administrative data | 10 years after contract termination (for accounting/tax obligations)
Contact data for commercial inquiries | 24 months from last contact
Marketing/newsletter data | Until consent is withdrawn
Technical browsing data | As specified in the Cookie Policy

8. Data Provision

Providing data required for contractual services is mandatory; failure to provide such data makes it impossible to deliver the requested services.
Providing data for marketing purposes is optional.


9. Data Subject Rights

Data Subjects may exercise the following rights:

  • Right of access (Art. 15 GDPR)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7(3))

Requests may be submitted to info@ma-xi.it


10. Complaint to the Supervisory Authority

Data Subjects may lodge a complaint with the Italian Data Protection Authority: www.garanteprivacy.it


11. Updates

This Privacy Notice may be updated from time to time. In case of substantial changes, the Controller will duly inform the Data Subjects.

Last update: November 2025


12. Biometric Processing and Facial Recognition

The Controller informs users that, for certain functionalities of the digital mobility platform and rental service (“Service”), an optional facial recognition feature may be provided to verify user identity during onboarding or prior to vehicle collection, as well as for fraud prevention and security checks.

Categories of Data Processed

  • Biometric data (facial template generated from images captured by the device’s camera);
  • Technical metadata (verification results, timestamps, confidence scores);
  • Identification data linked to the user profile necessary for biometric matching.

Raw images are not stored beyond the time strictly necessary to generate and verify the biometric template.

Legal Basis for Processing
Biometric data are processed solely based on the explicit consent of the Data Subject pursuant to Art. 9(2)(a) GDPR. Consent is optional and may be withdrawn at any time without affecting the lawfulness of prior processing.
If consent is not given or is withdrawn, users may rely on alternative authentication methods (e.g. document verification or OTP).

Processing Methods and Security Measures
Processing is carried out through automated systems with appropriate technical and organizational security measures.
Where technically possible, biometric templates are processed and matched directly on the user’s device (“on-device”). Otherwise, processing takes place on secure servers located within the EU/EEA.
Biometric data are encrypted both in transit and at rest, logically separated from other personal data, and accessible only to authorized personnel.

Retention Period
Biometric templates are retained only for the time necessary to verify identity and, in any case, no longer than 12 months from the last biometric authentication or until consent is withdrawn.
Associated technical logs and metadata are retained for a maximum of 24 months for security, audit, and legal defense purposes.

Recipients and Service Providers
Processing may be supported by specialized biometric and liveness-detection providers appointed as Data Processors under Art. 28 GDPR.
An updated list of such providers is available upon request via info@ma-xi.it.

Data Transfers Outside the EU
Data are primarily processed within the European Economic Area (EEA). Where transfers to third countries are necessary, EU Standard Contractual Clauses and additional security safeguards will be implemented.

Data Subject Rights
Data Subjects may exercise their rights under Articles 15–22 GDPR at any time, including access, erasure, objection, and withdrawal of consent, as well as request the deletion of their biometric data.
Requests can be sent to info@ma-xi.it.

Minors
Biometric functionalities are not intended for individuals under 18 years of age and must not be activated by minors.