Privacy Policy

Policy on the processing of personal data
according to Articles 13-14 of EU Regulation 2016/679

Data Controller and Data Subject

Kryalos SGR S.p.A., with registered office in Milan, Via Cordusio, 1 (hereinafter, the "Company" or the "Controller"), management company of the closed-end Alternative Real Estate Investment Fund called "Pharo", as the Data Controller, in the person of its legal representative, collects and processes personal data of users (hereinafter, the "Users") who interact with the website (hereinafter the "Website") in the manner and for the purposes set out in this policy, and in accordance with the European Data Protection Regulation 679/2016 (hereinafter the "Privacy Regulation" or "GDPR").

The Data Subjects are the Users of the Website.

Processing purposes

Personal data will be used for the following purposes:

  • enable Users to enjoy the functionalities of the Website, including requesting information about the Company's services through the "Contacts" section;

(hereinafter referred to as the "Contractual Purposes");

  • fulfil obligations arising from applicable legislation, including execution of communications to the competent Authorities and Supervisory Bodies and to comply with their requests;
  • assert or defend its right in or out of court

(hereinafter referred to as the "Legal Purposes").

Legal basis for processing

The processing of Users' data is necessary, given its essential nature, in order to:

  • enable Users to enjoy the services provided by the Website;
  • comply with the provisions of applicable legislation in the case provided for in paragraph 2, points b) and c).

Should the User not provide the necessary data for the Purposes stated above, it will not be possible to use the services provided by the Website.

Processing methods

Personal data may be processed by means of electronic computers using software systems managed by third parties.

All processing is carried out in compliance with the methods pursuant to Articles 6 and 32 of the GDPR and through the adoption of appropriate security measures.

Scope of data disclosure and dissemination

The Data Subject's personal data will be processed only by personnel expressly authorised by the Controller and, in particular, by the following categories of personnel:

  • operators authorised to manage the Website;
  • Marketing department of the Controller;
  • consultants appointed by the Controller.

Personal data may also be disclosed on a voluntary basis by the Data Subject by writing to the email addresses indicated on the Website. In certain cases, personal data could be disclosed to third parties for the proper management of the relationship and in particular to the following categories of recipients, including duly appointed Data Processors, including web service providers for the technical management of the Website.

The Data Subject's personal data will not be disseminated in any way.

Transfer of data abroad

Users' personal data will not be transferred outside the European Economic Area.

Retention period

In compliance with the principles of lawfulness, purpose limitation and data minimisation, pursuant to Article 5 of the GDPR, the retention period of personal data is:

  • for the contractual purposes referred to in point a), paragraph 2, for a period of time not exceeding 365 days from the User's consultation of the Website, unless a different period is necessary for regulatory compliance;
  • for the legal purposes indicated in paragraph 2, for a period of time not exceeding that necessary for fulfilment of the regulatory obligations and/or the investigation of any wrongdoing, pursuant to applicable legislation.

Once the above-mentioned periods have expired, the User's data will be deleted, anonymised and/or aggregated.


Cookies are text strings that websites visited by users (so-called Publishers, or “first parties”) or other websites or web servers (so-called “third parties”) place and store in the user's terminal device, for re-transmission to the same websites on the next visit.

Web beacons are one of several techniques used on web pages to allow visitors to be tracked in an unobtrusive (usually invisible) manner.

This Website does not use any type of cookies. Web beacons are not envisaged.

Since all browsers – and often different versions of the same browser – differ even significantly from each other, if Data Subjects prefer to act independently through the preferences of their browser, they can find detailed information on the necessary procedure in the help section of the browser itself.

Rights of Data Subjects

Data Subjects have the right to obtain from the Controller the erasure (right to be forgotten), restriction, updating, correction or portability, objection to processing of personal data concerning them and, in general, may exercise all the rights foreseen by Articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR. Data Subjects have the right to obtain confirmation of the existence of personal data concerning them, even if not yet recorded, communication of the same in an intelligible form and the possibility of lodging a complaint with the Supervisory Authority.

Without prejudice to the possibility of Users not providing their data, they may, at any time and free of charge: (i) obtain confirmation or otherwise of the existence of data concerning them; (ii) know the origin of the data, the processing purposes and its methods, and the rationale applied to the processing carried out by electronic means; (iii) request the updating, rectification or – if of interest – supplementation of data concerning them; (iv) obtain the erasure, transformation into anonymous form or blocking of any data processed in violation of the law; (v) request the Company to restrict the processing of data relating to them in the event that (1) the Users dispute the accuracy of the data, for the period necessary for the Company to verify the accuracy of such data; (2) the processing is unlawful and the Users object to erasure of the data and instead request that its use be restricted; (3) although the Company no longer needs the data for processing purposes, the data is necessary for Users to assert, exercise or defend a right in court; (4) Users have objected to the processing pursuant to Article 21, paragraph 1 of the Regulations pending verification as to whether the Company's legitimate reasons prevail over those of the Users; (vi) request the erasure of the data concerning them without undue delay; (vii) obtain the portability of the data concerning them; (viii) lodge a complaint with the Data Protection Authority, where the necessary conditions are met.


To exercise the above rights, Data Subjects may at any time write to the following e-mail address: Data Subjects may also contact the Data Protection Officer (DPO), by writing to the following e-mail address:

Amendments and updates

This policy is valid from the date specified. The Company may make amendments and/or supplements to the policy, also as a consequence of regulatory updates. Any amendments to the policy will always be available at