Privacy Policy

Privacy Entando

EU Regulation 679/2016 ("GDPR") 

v. May, 2021

Entando Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Entando Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

In compliance with the Privacy Shield Principles, Entando Inc. commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Entando, Inc. at:

Entando Inc. has further committed to refer unresolved Privacy Shield complaints to JAMS (Judicial Arbitration and Mediation Services, Inc), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit for more information or to file a complaint. The services of JAMS are provided at no cost to you.

If personal information covered by this Privacy Shield policy is to be used for a new purpose that is materially different from that for which the personal information was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, Entando Inc. will provide data subjects with an opportunity to choose whether to have their personal information so used or disclosed. To the extent required by the Privacy Shield Principles, Entando, Inc. obtains opt-in consent for certain uses and disclosures of sensitive data.

With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, Entando Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (“FTC”). In certain situations, Entando Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

In the context of an onward transfer, Entando Inc. is responsible for the processing of Personal Data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on our behalf. Entando Inc. shall remain liable under the Privacy Shield Principles if our agent processes your Personal Data in a manner inconsistent with the Privacy Shield Principles, unless Entando Inc. is not responsible for the event giving rise to the damage.

ENTANDO INC. and ENTANDO S.R.L. (jointly defined as "Entando" or the "Controller") are committed to the protection of the Personal Data entrusted to them. The management and security of Personal Data are guaranteed with the utmost care, in accordance with the requirements of the privacy legislation pursuant to EU Regulation 679/2016 (“GDPR”).

This policy explains who we are, the purposes for which we could use your data, how we manage it, to whom we can communicate it, where it could be transferred and what your rights are.

Premise - About Us

Entando is an international company principally involved in the development of enterprise software platforms for building web applications and solutions.

In particular, Entando provides software subscriptions and support services for its open source platforms, components and solutions. Entando also oversees an international open source community and partner network that support the development of the core platform and of open source or proprietary solutions built using the platform.

1. Who will treat my data?

Your data will be treated, as Data Controller, by:
ENTANDO S.R.L. (the "Controller")
Piazza Salento 9
09127 - Cagliari (Italy)
Subject to direction and coordination of Entando Inc

And by
ENTANDO INC. (the "Controller")
600 B Street, Suite 300
92101 - San Diego (CA)  - USA

The list of processors and sub-processors for the processing of personal data is available at the headquarters of the owner or by request at

2. Why do you need my data?

The Data Controller will use your data exclusively for the following purposes:

  a) Purposes related to the management of the contractual relationship and the provision of software services and other services purchased by the customer and as described on or other informative and / or contractual material of Entando. In this context your Personal Data will be processed for the following purposes: establishment, management and termination of the contractual relationship with Entando; fulfillment of accounting and tax obligations; fulfillment of legal obligations (for example: anti-terrorism checks); anti-money laundering controls; audits for tax and accounting purposes; management of disputes; provision, support, updating and information regarding the services offered and the available features; activation of online services; training courses.
  b) Purposes related to marketing activities and email marketing. In this context, with your specific consent, your personal data will be processed for the following purposes: market research; economic and statistical analyses; social, cultural and solidarity initiatives; updating on training initiatives; email marketing and updates on initiatives, promotions and offers from Entando or third-party companies that operate in collaboration with the Data Controller; communications and information on the activities of the owner and on the events in which the owner takes part.

Entando will carry out the treatment:

  • with reference to letter a) above, because it is necessary for contractual obligations; to fulfill legal obligations to which Entando is subject (e.g. accounting, compensation, social security, anti-terrorism checks); because the treatment is necessary to pursue a legitimate interest (for example, anti-money laundering checks, use of video surveillance tools to protect corporate assets, prevent fraud, safeguard strategic corporate interests and related business relationships).
  • with reference to letter b) above, on the basis of your express consent.

Therefore your personal data are necessary or mandatory for the purposes listed in letter a).

The purpose referred to in letter b), on the other hand, does not derive from a legal obligation or contract and the consent to provide such data for such purpose is optional and does not affect provision of the services.

Any partial or total failure to provide the data will result in the partial or total impossibility of achieving the aforementioned purposes.

Entando will always use only the Personal Data actually necessary for the specific purpose (minimization).

We will not use your Personal Data for any purpose other than those described in this statement without informing you in advance and, where necessary, obtaining your consent.

3. How will you use my data?

Your personal data will be processed using tools and procedures suitable to ensure maximum security and confidentiality, through paper archives as well as digital, computer and telecommunications media that are adequate and in compliance with the GDPR provisions.

Communications may take place by traditional means (e.g. paper mail, phone calls with an operator), automated means (e.g. phone calls without an operator) and similar means (e.g. fax, e-mail, SMS, MMS).

4. How long will you keep my information?

Your personal data will be stored for a period consistent with the purposes of treatment indicated above.

The duration of the different treatments is as follows:

Purpose: Candidates for job placement
Duration: Maximum 24 months after sending the candidate's Curriculum Vitae
Legal basis: art. 5 lett. e) of GDPR

Purpose: Work contract
Duration: 10 years after the termination of the employment relationship
Legal basis: art. 43 of Presidential Decree 600/73; art. 2946 of the Italian civil code on the ordinary prescription; Title I, Chapter III, of Legislative Decree 81/08 (as amended)

Purpose: Customers, service, suppliers, partners, etc.
Duration: 10 years from the end of the contractual relationship
Legal basis: art. 2948 of the Italian Civil Code, which provides a period of 5 years for payments; art. 2220 of the Italian Civil Code, which provides a period of 10 years, for the keeping of accounting records; art. 22 of the D.P.R. September 29, 1973, n.600.

Purpose: Customers, for marketing purposes (both first-party and third-party) and profiling
Duration: In compliance with the terms prescribed by law for the type of activity and in any case until the revocation of consent or until the exercise of the right of opposition
Legal basis: art. 23 of Legislative Decree 196/03; General Provision of 15/05/13 Italian Garante Privacy; art. 21 GDPR.

5. Will you share my information with other subjects?

Your Data may be communicated to Entando partners for the management of contracts in place with You, and to third parties (including Credit Recovery Companies, Professionals, Public Bodies, Auditing Bodies or Supervisory Bodies), to fulfill obligations deriving from the law, regulations, community regulations or for aspects concerning the management and execution of the contractual relationship.

Your personal data will not be transferred to third parties for marketing purposes unless you have expressly permitted such transfer.

For all the purposes indicated in this statement your data may also be transferred abroad, inside and outside the European Union, in compliance with the rights and guarantees provided by the current legislation, subject to verification that the country in question ensures an "adequate" level of protection.

The Data will also be processed by properly trained internal staff of the Entando offices, who operate as authorized personnel to process the Data in accordance with art. 29 GDPR.

We also inform you that, in compliance with a company policy, all company emails will be kept in an outsourced archiving system with adequate security measures in order to protect them.

Access to the archived Data may be carried out only by public authorities, in the cases and methods provided for by the laws in force, in the event of legal disputes.

Your personal data are not subject to dissemination.

For service, massive or marketing communication purposes, the email addresses will be included in a contact list managed by Entando through the email service offered by, of the company HubSpot, Inc. 25 First St., 2nd floor Cambridge, Massachusetts 02141 USA, to which such data are communicated (hereinafter “Hubspot”). Privacy Policy of Hubspot concerning such service is available here:

Hubspot has declared itself to be GDPR compliant, and here you can find links to resources. Hubspot is currently included in the Privacy Shield as per the following link:

6. What are my rights?

At any time, you will have the right to ask:

  1. access to your personal data;
  2. correction of your personal data in case of inaccuracy;
  3. cancellation of your personal data;
  4. limitation of their treatment.

You will also have:

the right to oppose their treatment:

  • if processed for the pursuit of a legitimate interest of Entando, except where permitted by law;
  • if processed for direct marketing purposes;

the right to their portability (where applicable), meaning you can receive your personal data, which you have given to us, in a structured format and, if possible, through a digital tool (such as excel, pdf or similar).

We will handle your request with the utmost care to ensure the effective exercise of your rights.

Finally, you will have the right to lodge a complaint with the National Supervisory Authority (Italian Garante Privacy).

7. Can I withdraw my consent after I gave it?

Yes, you can revoke your consent at any time; however, this will not:

  • prejudice the lawfulness of the treatment based on the consent given before the revocation;
  • prejudice further processing of the same data based on other legal bases (for example, contractual obligations or legal obligations to which Entando is subject).

8. I still have questions ...

For more information on this privacy policy or on any privacy topic, or if you wish to exercise your rights or withdraw your consent, you can contact us directly at or visit the website of the Italian Garante Privacy at

Appendix – Definitions of certain terms referred to above:

Personal Data:
(Article 4 of the GDPR): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing:
(Article 4 of the GDPR): means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.

Legal Basis for Processing:
(Article 6 of the GDPR): At least one of these must apply whenever personal data is processed:

Consent: the individual has given clear consent for the processing of their personal data for a specific purpose.
Contract: the processing is necessary for compliance with a contract.
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary to perform a task in the public interest, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for the legitimate interests of the Data Controller unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Data Controller:
(Article 4 of the GDPR): this means the person or company that determines the purposes and the means of processing personal data.

Data Processor:
(Article 4 of the GDPR): means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Data Subject Rights:
(Chapter 3 of the GDPR) each Data Subject has eight rights. These are:

The right to be informed; this means anyone processing your personal data must make clear what they are processing, why, and who else the data may be passed to.
The right of access; this is your right to see what data is held about you by a Data Controller.
The right to rectification; the right to have your data corrected or amended if what is held is incorrect in some way.
The right to erasure; under certain circumstances you can ask for your personal data to be deleted. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed.
The right to restrict processing; this gives the Data Subject the right to ask for a temporary halt to processing of personal data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
The right to data portability; a Data Subject has the right to ask for any data supplied directly to the Data Controller by him or her, to be provided in a structured, commonly used, and machine-readable format.
The right to object; the Data Subject has the right to object to further processing of their data which is inconsistent with the primary purpose for which it was collected, including profiling, automation, and direct marketing.
Rights in relation to automated decision making and profiling; Data Subjects have the right not to be subject to a decision based solely on automated processing.