Privacy Policy
Last Updated: March 12, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how OTW SRL (“we”, “us”, or “our”) collects, uses, and protects personal data when you visit our website, contact us, or register interest in our online education programs and workshops. OTW SRL provides online professional skills education across Canada. We do not provide recruitment, job placement, immigration services, transportation, logistics, financial services, legal advice, or business consulting.
OTW SRL is the “data controller” for the personal data described in this policy, meaning we determine why and how your data is processed under applicable privacy laws, including the EU General Data Protection Regulation (“GDPR”) and Italian data protection rules.
- Legal entity name: OTW SRL
- Registered address: Via Egadi, 7, 20144 Milano, Italy
- Email: [email protected]
- Phone: +39 02 8718 4936
We do not appoint a Data Protection Officer (DPO) for our current activities. If this changes, we will update this policy with DPO contact details.
Effective Date: March 12, 2026.
2. Personal Data We Collect
We collect personal data you provide directly to us and data that is collected automatically when you use the website. The categories below describe what we may process depending on how you interact with us.
2.1 Data you provide
- Identity and contact details: name, email address, phone number.
- Registration and inquiry details: the program you select, your message, learning goals, preferred start timing, workshop topic interest, and other details you include in a form submission.
- Correspondence: content of emails or messages you send to us, and our replies.
2.2 Data collected automatically
- Technical data: IP address, device type, operating system, browser type and version, language preferences, and approximate location derived from IP (city/region level).
- Usage data: pages viewed, time spent on pages, scroll and interaction events, referring source, and click paths within our website.
- Cookies and identifiers: cookies and similar technologies described in Section 4 and in our Cookie Policy.
- Conversion events: events such as form submissions and confirmation page views that help us measure the performance of content and ads, when consent is provided for analytics and marketing.
2.3 What we do not intentionally collect
Our educational offerings do not require sensitive personal data. We do not intentionally collect special-category data (such as health data, religious beliefs, political opinions, or biometric data), financial account details, or government identification numbers through our website forms. Please do not include such information in messages.
3. Why We Process Personal Data & Legal Basis (GDPR Art. 6)
We process personal data only when we have a lawful basis under GDPR and applicable Italian data protection rules. The main purposes and legal bases are:
3.1 Contact and registration requests
- Purpose: respond to inquiries, provide program information, handle enrollment interest, and coordinate workshop availability.
- Legal basis: performance of a contract or steps prior to entering a contract (GDPR Art. 6(1)(b)) and, where required, your consent (GDPR Art. 6(1)(a)) for being contacted based on your request.
3.2 Website analytics (consent-based)
- Purpose: understand which pages are useful, improve clarity, and measure how visitors engage with our educational content.
- Legal basis: consent (GDPR Art. 6(1)(a)).
3.3 Marketing and advertising measurement (consent-based)
- Purpose: measure advertising effectiveness, attribute conversions (for example, registrations or contact requests), and show more relevant messaging to users who have expressed interest in our programs.
- Legal basis: consent (GDPR Art. 6(1)(a)).
3.4 Security, fraud prevention, and service reliability
- Purpose: protect the website, prevent abuse, maintain availability, and detect malicious activity (for example, bot traffic and scanning).
- Legal basis: legitimate interests (GDPR Art. 6(1)(f)).
3.5 Legal compliance
- Purpose: comply with legal obligations, handle disputes, and maintain records where required by law.
- Legal basis: legal obligation (GDPR Art. 6(1)(c)).
3.6 Automated decision-making (GDPR Art. 22)
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
4. Cookies & Tracking
Cookies are small text files stored on your device that help websites function and, depending on your choices, provide analytics and advertising measurement. We also use related technologies such as pixel tags and conversion events when consent is provided. For full details, see our Cookie Policy.
4.1 Essential cookies (always active)
Essential cookies are required for core site operation, such as session continuity and saving your cookie preferences. These cookies do not require consent.
- Examples: _site_session, cookie_consent.
- Retention: session to 12 months (depending on the cookie).
4.2 Analytics (requires consent)
If you consent, we may use Google Analytics 4 (GA4) to understand aggregated website usage (for example, which pages are visited and how users move through the site). We configure analytics to reduce identifiability where possible, including IP anonymization.
- Examples: _ga, _ga_XXXXXXXXXX.
- Retention (typical): analytics event data retained for up to 14 months.
- Legal basis: consent (GDPR Art. 6(1)(a)).
4.3 Marketing and advertising measurement (requires consent)
If you consent, we may use marketing cookies and conversion tags to measure ad performance, build audiences for remarketing, and limit repetitive ads. These technologies can create identifiers that help platforms understand that a browser visited certain pages or completed a form submission.
- Examples: _gcl_au, _fbp, _fbc.
- Legal basis: consent (GDPR Art. 6(1)(a)).
4.4 Beyond cookies
Some measurement may occur through pixel tags or server-side events (for example, when a form is submitted). Where consent is required, these events are activated only after you choose analytics and/or marketing cookies. Device and browser characteristics (such as IP address and User-Agent) may be used to provide security and to support measurement in an aggregated or hashed form depending on the provider configuration.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies are activated only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie (typically up to 12 months).
You can withdraw consent at any time by selecting “Manage cookie preferences” in the website footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before it was withdrawn.
6. Sharing With Advertising & Service Partners
We use service providers to operate the website and, where consent is provided, to measure and improve marketing performance. We do not sell personal data. We share only what is necessary for the purposes described in this policy.
6.1 Google (Analytics and Ads)
If enabled by your cookie choices, Google LLC may receive cookie identifiers, usage data, and conversion events for analytics and advertising measurement. Privacy policy: https://policies.google.com/privacy.
6.2 Meta (Advertising measurement)
If enabled by your cookie choices, Meta Platforms may receive page view and conversion event signals, cookie identifiers, and audience membership signals used for measurement and relevant messaging. Privacy policy: https://www.facebook.com/privacy/policy.
6.3 Cloudflare (security and performance)
We may use Cloudflare as a content delivery network (CDN) and security layer to protect and speed up the website. Cloudflare may process IP addresses and request metadata for threat detection and performance. Privacy policy: https://www.cloudflare.com/privacypolicy/.
We do not permit these providers to use site data for their own independent commercial purposes beyond providing services to us in accordance with their terms and our configurations.
7. International Transfers
OTW SRL is based in Italy, and we provide online education services across Canada. Some of our service providers may process data outside the European Economic Area (EEA) and the United Kingdom, including in the United States (for example, Google and Meta).
When transfers occur, we rely on appropriate safeguards, which may include:
- EU–US Data Privacy Framework (DPF) and, where applicable, the UK Extension to the DPF.
- Standard Contractual Clauses (EU Commission Decision 2021/914) as a fallback mechanism.
- UK International Data Transfer Addendum (IDTA) or similar UK transfer tools where applicable.
8. Data Retention
We keep personal data only as long as needed for the purposes described above, unless a longer retention period is required or permitted by law. Typical retention periods are:
- Contact and registration submissions: up to 2 years from the last interaction.
- Email correspondence: for the duration of the relationship plus 1 year (unless a longer period is required for dispute handling).
- Server and security logs: typically up to 90 days, unless needed longer for investigation.
- Analytics data: typically up to 14 months (subject to provider settings).
- Marketing cookies: retained according to cookie lifetime (for example, 90 days) unless you withdraw consent sooner.
- Cookie consent record: up to 3 years for audit and compliance purposes.
- Legal and tax records: retained as required by applicable law (often 6–10 years depending on the record type).
9. Your Rights (GDPR & UK GDPR)
If you are in the EEA/UK (and in many cases elsewhere), you may have rights regarding your personal data. These include:
- Right of access (GDPR Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77)
To exercise your rights, email us at [email protected]. We typically respond within 30 days. For complex requests, the response time may be extended by up to 60 additional days as permitted by law.
Supervisory authorities:
- Italy (Garante per la protezione dei dati personali): https://www.garanteprivacy.it/
- European Data Protection Board (EDPB): https://edpb.europa.eu/
- UK Information Commissioner’s Office (ICO): https://ico.org.uk/
10. Children
This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.
11. Do Not Track Signals
Some browsers offer a “Do Not Track” (DNT) setting. This website does not respond to DNT signals in a uniform way. Third-party providers may have their own DNT handling and opt-out tools.
12. Account & Data Deletion Requests
OTW SRL does not require user accounts for basic browsing. If you would like us to delete personal data you submitted through forms or correspondence, email [email protected] with the subject line “Data Deletion Request”.
We may ask for additional information to verify your identity before completing the request. We aim to complete deletion within 30 days after verification, unless retention is required by law or needed for legitimate purposes such as dispute resolution.
13. Business Transfers
If OTW SRL is involved in a merger, acquisition, asset sale, financing, reorganization, insolvency, or similar event, personal data may be transferred to a successor or affiliated entity. If a transfer materially changes how personal data is used, we will provide notice on the website.
14. California (CCPA / CPRA)
This section applies if you are a California resident and the California Consumer Privacy Act (as amended by the CPRA) applies to our processing.
In the past 12 months, we may have processed the following categories of personal information:
- Identifiers: name, email address, IP address, and cookie identifiers (shared with service providers and, with consent, advertising partners).
- Internet or network activity: browsing interactions with our site (shared with analytics and advertising providers where consent is provided).
- Inferences: interests or preferences inferred from site usage (used for advertising measurement and audience creation when consent is provided).
We do not “sell” personal information as defined by CCPA. We may “share” information for cross-context behavioral advertising when marketing cookies are enabled. California residents may opt out using our cookie preferences panel (“Manage cookie preferences” in the footer).
You may have the right to Know, Delete, Correct, and Opt-Out of sale/sharing, as well as the right to Non-Discrimination. To submit a request, email us at [email protected] with the subject “California Privacy Request”. We will verify your identity before responding. Authorized agents may submit requests with proof of authorization.
15. Virginia (VCDPA)
If you are a Virginia resident and the Virginia Consumer Data Protection Act (VCDPA) applies, you may have rights to Access, Correct, Delete, and Port your personal data, and to opt out of targeted advertising.
Submit requests by emailing [email protected] with the subject “Virginia Privacy Request”. We do not sell personal data and do not engage in profiling that produces legal or similarly significant effects.
If we decline to take action on a request, you may appeal by emailing the subject “Appeal of Refusal — Privacy Request”. We respond to appeals within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing us at [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or services. If we make material changes, we will post a notice on the website at least 14 days before the changes take effect, where practical.
The “Last Updated” date at the top of this page indicates when the latest version became effective.
18. Contact
If you have questions about privacy, data requests, or this Privacy Policy, contact us:
- OTW SRL
- Address: Via Egadi, 7, 20144 Milano, Italy
- Email: [email protected]
- Phone: +39 02 8718 4936