INFORMATIVA PRIVACY ESTESA
Adopting this policy, the company Sporthype S.r.l. (C.F./P.IVA: 13241470015), on behalf of its legal representative, with registered office in Turin (TO), C.so Vittorio Emanuele II, 12 (10123) (hereinafter, “Data Controller” or “Company”) defines the procedures for the acquisition of User data pertaining to the performance monitoring service provided by the Data Controller (hereinafter, the "Service"), in accordance with national legislation and Articles 13 and 14 of EU Regulation No. 2016/679.
1. DATA CONTROLLER, SUBJECT MATTER, AND PLACE OF PROCESSING
This policy is drafted pursuant to applicable national and international laws and provided to the Users of the Service supplied by Sporthype. Following authorization for processing, the Data Controller will process the transmitted Data in accordance with the provisions of the Regulation and current national legislation, including any measures of the Supervisory Authority (i.e., the Data Protection Authority) where applicable.
In the future, only in cases deemed necessary, the Data of data subjects may potentially be transferred to a country other than the one in which the data subject is located, always with a level of data protection adequate to that of Europe. For further information regarding the place of processing, the data subject may always contact the Data Controller at the contact details referred to in Articles 9 and 11 of this Policy.
The Data Controller is committed to protecting the privacy of all those who also browse its Website and therefore invites each User to review the Privacy Policy published therein.
2. PURPOSES AND METHODS OF PROCESSING AND USE
2.1. The processing operations carried out by the Data Controller and relating to the Data collected with the express consent of the Data Subjects may concern the following purposes:
2.1.1. Purposes of the Processing and Legal Basis:
The personal data provided by the User will be processed for the following purposes:
a) Essential Purposes for the Operation of the Service:
The processing is necessary to:
Legal basis: Article 6, par.1, a) GDPR (performance of a contract or pre-contractual measures).
b) Direct Marketing by the Data Controller:
Sending promotional and informative communications relating to the services and activities of the Data Controller.
Legal basis: express consent of the data subject (Article 6, par.1, a) GDPR).
c) Marketing by Partner Companies:
Sharing personal data with partner companies for marketing purposes and sending promotional communications.
Legal basis: express consent of the data subject (Article 6, par.1, a) GDPR).
d) Research and Development with Pseudonymized Data:
Use of pseudonymized data for analysis and research activities aimed at improving the Service.
Legal basis: express consent of the data subject (Article 6, par.1, a) GDPR).
2.1.2. Categories of Data Processed:
Upon registration, the following personal data shall be required by the Data Controller:
Following the installation of the application and the profile setup, the Data Controller may also process the following data:
2.1.3. Communication and Dissemination of Data:
Personal data may be disclosed to:
2.1.4. Data Retention:
The data will be retained for the period strictly necessary to pursue the indicated purposes and, in any case:
2.2. Acceptance of this policy legitimizes the Data Controller to communicate or disseminate the collected data to the aforementioned third parties, where necessary for the performance of the requested services.
The processing of personal data takes place using electronic and manual tools, in compliance with the principles of lawfulness, fairness, transparency, minimization, and with the adoption of technical and organizational measures suitable to guarantee data security.
The Data may be communicated to employees and trusted collaborators of the Data Controller present in the Italian territory. This consent is necessary for the performance of the contract, and the data subject has also been informed verbally. The trusted collaborators used by the Data Controller guarantee, under their own responsibility, that they have complied with the new legislation and are personally responsible for the statements made.
In any case, personal data are never communicated to third parties or disseminated without the prior consent of the data subject, except in cases of force majeure, for the protection of a right of the data subject, or in those expressly indicated by national legislation.
2.3. The Data Controller adopts all appropriate security measures, both practical and IT-related, aimed at preventing unauthorized access, modification, disclosure, or destruction of the data of data subjects.
The processing is carried out using organizational methods related to the indicated purposes and in agreement with the DPO, if present, or with the data processors.
You can always obtain further more information about the purposes of the processing and the Data collected for each purpose by contacting the Data Controller at the contact details indicated in Articles 9 and 11 of this Policy.
The Privacy protocols and standards used by the Company for the protection of personal data are based on the following principles:
2.3.1. RESPONSIBILITY FOR PROCESSING AND USE
The Processing of Data is managed over time by persons authorized or processors specifically trained and appointed in writing by the Company regarding privacy matters.
In certain specific cases, in addition to the Data Controller, external processors (e.g., administrative personnel, sales personnel, system administrators, hosting providers) may also have access to the data.
In any event, the data subject may always request the updated list of processors from the Data Controller.
2.3.2. TRANSPARENCY IN PROCESSING AND USE
Data are collected and processed in accordance with the principles set out in this policy.
Prior to the acquisition and/or provision of data, the data subject will have the opportunity to consult the privacy policy and to decide whether or not to give consent to their acquisition and retention.
Consent is required and may be expressly provided even when data have been acquired through automated procedures (technical or profiling cookies).
In any event, the data subject may always request from the Data Controller the specific legal basis for each processing operation, specifying, in particular, whether the processing is based on law, a contract, or is necessary for the conclusion of a contract.
2.3.3. DATA MINIMIZATION IN COLLECTION
Data are collected and processed lawfully and fairly. They are recorded only for specified, explicit, and legitimate purposes, identified in Article 2 of this policy, and for purposes not exceeding the specified aims.
2.3.4. PRINCIPLE OF VERIFIABILITY
The collected Data are kept up-to-date, organized, and stored in a manner that ensures all data subjects have the possibility to know what information has been collected and recorded, to verify its accuracy, and to request any correction, integration, erasure for breach of law, or to exercise all the rights referred to in Article 9 and in accordance with the procedures provided for in Article 9 of this policy.
2.3.5. PRINCIPLE OF SECURITY AND MEASURES ADOPTED
2.3.5.1. The collected and processed Data are protected in order to prevent their unlawful disclosure or alteration through technical and/or IT security measures aimed at minimizing the risks of destruction, loss (including accidental loss), or access by unauthorized parties.
2.3.5.2. These measures are periodically reviewed and updated based on technical progress, the nature of the data, and the specific characteristics of the processing.
2.3.5.3. Third parties, where present, who may carry out support activities of any kind for the provision of services by the sole proprietorship, in relation to which they perform personal data processing operations, are designated as data processors and are required to comply with the security and confidentiality measures for the processing.
2.3.5.4. The essential information acquired for the processing carried out for the purposes of providing the Service (physical and biometric data) is not disclosed to third parties.
Only personal data (e-mail address, telephone number, product sector/purchasing preferences) specifically subject to express consent by the data subjects may be communicated to the Data Controller's Partners for the purpose of sending commercial or marketing communications.
The full list of the Data Controller's Partners is indicated on the website:
https://www.thesporthype.com/.
3. TYPES OF DATA AND PROCESSING METHODS
Among the Data collected for the purposes of providing the Service, or, in the event of contact by Data Subjects through the Data Controller's pages on third-party social media platforms (e.g., YouTube, Facebook, Twitter, Instagram, LinkedIn, etc.), the following may be included: name, surname, telephone number, email address, connection IP address, and any other information communicated directly by Users using the links present on the dedicated web pages, aimed at contacting the Company.
In general, the data may be:
a) Data provided voluntarily by users: The Data collected and processed by the Data Controller are necessary for the provision of the Service. Consequently, in the event of failure to provide or failure to consent, the Sporthype services that require their use can no longer be provided.
Without the express consent of the data subjects to the use of the data provided (e.g., email, landline or mobile telephone number), these data will not be used for advertising, direct sales, or interactive commercial communication purposes.
In the event of the voluntary sending of e-mails to the Data Controller's addresses, the latter will acquire the sender's e-mail address and any other information contained in the message. These Data will be used to contact the sender and for the purpose of enabling the execution of any services requested.
b) Browsing data (in case of consultation of the Data Controller's website): The automated procedures of the website acquire certain Data, the transmission of which is implicit in the use of internet communication protocols.
Although this information is not intended to be associated with identified users, by its nature, if associated with other data held by third parties (e.g., internet service providers), it could allow the identification of users (e.g., IP addresses, domain names of the computers used by users connecting to the Site, URL addresses of the resources requested, time of the request, numerical code relating to the status of the response given by the server).
The Data Controller, or the designated processors, retain the connection logs for a limited period, in order to comply with any requests from the judicial authority, which is entitled to request them during the investigation of liability in the case of computer crimes.
4. DATA RETENTION PERIOD
Data, including browsing data, will be retained in compliance with the GDPR, only for the period necessary to fulfill the purposes set out in this policy, namely 2 years where the processing occurs for marketing and/or promotional initiatives, and 10 years for legal obligations.
5. DATA ACCESS
5.1. The Data processed by the Data Controller may be partially accessible to the latter's employees, collaborators, and external correspondents, in their capacity as authorized persons and/or processors and/or IT system administrators. Access to the data by these individuals will only occur if the processing is necessary for the performance of their duties, carrying out only the operations necessary for the performance of those duties.
5.2. The Data Controller shall ensure the protection of users' information against unauthorized access, unlawful processing, accidental loss, destruction, damage, and shall retain the information for the period strictly necessary for the pursuit of the purposes for which the data were collected.
6. DATA DISCLOSURE
6.1. Without the need for express consent pursuant to Article 6(1)(b) and (c) GDPR, the Data Controller may disclose the Data upon the request of Supervisory Authorities or judicial authorities, as well as to those subjects to whom disclosure is mandatory to comply with legal obligations or to assert or defend a right in court. These subjects will process the data in their capacity as independent data controllers. The Data will not be disseminated, unless the requested service requires it.
6.2. If necessary, in relation to specific services or products requested, the Data may also be disclosed to third parties who, where necessary, act as independent data controllers and perform functions strictly connected and instrumental to the provision of the services, given that without such disclosure, these services and products could not be effectively provided.
6.3. Except as provided for in Article 7, the Data Controller does not transfer personal data to third countries outside the EU or to international organizations.
7. DATA COLLECTION AND TRANSFER
7.1. Personal data collected for the purposes of the Service are stored, where necessary, on the following media:
- personal computers owned by the Data Controller;
- proprietary server provided by Aruba S.p.A.
7.2. It is in any case understood that the Data Controller, should it become necessary, shall have the right to move the server or to use a different Cloud, even outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU, where necessary, will take place in accordance with the applicable legal provisions, with notification to the Data Subjects and after the execution of standard contractual clauses provided by the European Commission.
In any case, any further information regarding the retention of their data may be requested from the Data Controller, using the contact details referred to in Article 11 of this Policy.
8. RIGHTS OF THE DATA SUBJECTS
8.1. The data subject has the rights pursuant to Article 15 GDPR, specifically the right to obtain:
i. confirmation as to whether or not personal data concerning him or her exist, even if not yet recorded, and the communication of such data in an intelligible form;
ii. indication of:
a) the origin of the personal data;
b) the purposes and methods of the processing;
c) the logic applied in the case of processing carried out with the aid of electronic instruments;
d) the identification details of the data controller, the processors, and the representative designated pursuant to Article 3(1) GDPR;
e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representative in the territory of the State, processors, or persons authorized to process the data;
iii.
a) the updating, rectification or, where there is interest, integration of the data;
b) the erasure, anonymization or blocking of data processed unlawfully, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
c) certification to the effect that the operations referred to in letters a) and b) have been notified, as also related to their content, to the entities to whom the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
the right to object:
iv. in whole or in part:
a) on legitimate grounds to the processing of personal data concerning him or her, even if pertinent to the purpose of the collection;
b) to the processing of their personal data for purposes related to the sending of advertising materials, direct sales, market research, or commercial communications, whether through automated means (such as automated calling systems without operator involvement, and/or email) or through traditional means (such as telephone calls and/or postal mail).
The Data Subject’s right to object to processing for direct marketing purposes by automated means shall also extend to traditional methods. In any case, the Data Subject may exercise this right either wholly or partially.
Accordingly, the Data Subject may choose to receive communications solely through traditional methods, solely through automated means, or to opt out of receiving any marketing communications altogether.
Please, note that data subjects always have the right to object to the processing of their Data for direct marketing purposes, without the need to provide any justification.
Where applicable, the Data Subject is also entitled to exercise the rights provided under Articles 15 to 21 of the GDPR, including the right to rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection to processing, as well as the right to file a complaint with the relevant Supervisory Authority.
8.2. Where permitted by law, the user may have the right to obtain a copy of the Data held by us.
8.3. Prior to responding to any specific request, the User may be asked to provide optional information, such as:
(i) verification of identity;
(ii) further details necessary to best respond to the request.
8.4. The Data Controller will provide individual responses within a reasonable period and, in any event, within the time period required by law. If the User wishes to exercise this right, they must contact us using the contact details provided in Articles 9 and 11 of this Policy.
9. PROCEDURES FOR EXERCISING RIGHTS
Users and data subjects may exercise the rights provided for by EU Regulation 2016/679 at any time and free of charge by sending a communication to
e-mail: info@thesporthype.com or to certified email address: sporthype.legalmail.it.
10. DATA CONTROLLER, DATA PROCESSORS AND AUTHORIZED PERSONS
Data Controller is: Sporthype S.r.l. (C.F./P.IVA: 13241470015), on behalf of its legal representative, with registered office in Turin (TO), C.so Vittorio Emanuele II, 12 (10123). The updated list of data processors and authorized persons is kept at the Company's registered office and can be accessed by submitting a specific request in accordance with the procedures indicated above.
11. CONTACT INFORMATION
The processing operations related to the Service take place at the Company's registered office, or at any other location where the parties involved in the processing are situated, including the addresses indicated by the Data Subjects and the Processors.
For further information, the Data Controller can always be contacted.
Any comments, questions, or requests relating to the Data Controller's use of the User's information should be sent to e-mail: info@thesporthype.com or to certified email address: sporthype.legalmail.it.
12. FUTURE AMENDMENTS TO THE PRIVACY POLICY
The potential entry into force of new sector regulations, as well as the constant review and updating of services to users, may necessitate changes to these procedures.
It is therefore possible that this privacy policy may undergo further modifications over time, and we therefore invite Data Subjects to periodically consult the specific section of the Website relating to the privacy policy.
To this end, the policy indicates the date of the last update at the bottom.
It is specified that, should the modifications concern processing operations for which the legal basis is the Data Subject's consent, the Data Controller will ensure to collect the consent of the Data Subject again, where necessary.