PRIVACY POLICY ON THE PROCESSING OF PERSONAL DATA OF CUSTOMERS AND USERS BY CHIMPA AND ERMETIX PURSUANT TO ART 13 EU REG. 679/16.
XNOOVA S.r.l., Via dei Mille 3, 29121 Piacenza (PC), Tel./Fax 05237901660, E-mail:info@xnoova.com, certified e-mail: xnoova@legalmail.it , Tax Code/VAT No. 01698590336, ID CODE CEE IT01698590336, registration in the Company Register of Piacenza 01698590336, Chamber of Commerce Economic and Administrative Index (REA) No. 184332, as the Data Controller of your personal data in the person of the Legal Representative pro tempore , provides you with the following information regarding the processing of personal data collected and processed in the context of the activation, setting up and use of Ermetix and Chimpa functions.
The related domain for Chimpa is www.chimpa.eu and the relate website privacy policy can be found at the following url https://www.chimpa.eu/en/privacy-cookie/ and the related domain per Ermetix is www.ermetix.eu and the relate website privacy policy can be found at the following url https://www.ermetix.eu/en/privacy-cookie/
The Data Protection Officer is Lawyer Rossella Calicchio who can be reached at the following e-mail address: dpo@xnoova.com, certified e-mail: rossella.calicchio@ordineavvocatipc.it .
A. DESCRIPTION AND PURPOSE OF PROCESSING.
The legal basis for the processing of user data is the legitimate interest of the Data Controller.
3 Application of blockages and restrictions. Chimpa and Ermetix allow the Customer to block certain functions of a device or devices (e.g. set a blocking code, block the camera, etc.). Chimpa and Ermetix allow the Customer to apply filters that prevent the user from carrying out certain activities (e.g. accessing certain sites or social pages). The activation of these specifications implies the generation and saving of personal data: logs relating to the activation or removal of blocks and filters. The legal basis is the fulfilment of contractual obligations undertaken at the request of the Customer pursuant to Art. 6.I point b) of EU Reg. 679/16. The legal basis for the processing of user data is the legitimate interest of the Data Controller.
4.Device monitoring. Chimpa and Ermetix allow to activate the monitoring function which allows to collect data on the use of the device.
Activation of the function implies the creation and saving of a series of indirectly personal data such as the volume of traffic generated by applications, the access logs of the applications installed on the device, the IP address from which access is requested, the type/quantity of bandwidth used by each application placed within Chimpa and Ermetix, and the history of requests to the browser. The app does not generate data on the user's activities within the individual applications installed on the device. The legal basis for the processing of Customer data is the fulfilment of contractual obligations pursuant to Art. 6.I point b) of EU Reg. 679/16. The legal basis for the processing of user data is the legitimate interest of the Data Controller.
5 Uploading and removal of content in Chimpa folder documents/Ermetix Folder documents, downloads and sites. Chimpa and Ermetix allow the transfer of files to three different folders on Chimpa: an Ermetix documents folder, b.downloads, c.sites. Chimpa and Ermetix also allow files to be uploaded via external links within folders. The Customer may remove content but not view the content of folders and files. Within Chimpa document folder/ Ermetix document folder, Customer can view the list of files present. Within the download and site folders, the display of the document list is not possible. Neither the client nor the developer can view the contents of the files. Activation of this specification implies the creation and preservation of logs relating to the uploading and removal of files by the Customer. The legal basis is the fulfilment of contractual obligations undertaken at the request of the Customer pursuant to Art. 6.I point b) of EU Reg. 679/16. The legal basis for the processing of user data is the legitimate interest of the Data Controller.
6 Creation of links to external resources by the user by using Chimpa and Ermetix. Chimpa Bazaar and Ermetix Private Catalog allow links to external resources to be uploaded. User can benefit the content of the resources. Developer does not access, view nor deal in any way with the contents of the resources nor the activities performed by the user with the resources.
This processing involves the following data: logs of access to Chimpa Bazar/Ermetix Private Catalog, logs of downloads made by the user. The legal basis for the processing of Customer data is the fulfilment of contractual obligations pursuant to Art. 6.I point b) of EU Reg. 679/16. The legal basis for the processing of user data is the legitimate interest of the Data Controller.
7. Use of Google API
7.1Safe Browsing Api.
Google Web Risk is used to activate the Safe Browsing API. The Safe Browsing API makes it possible to check whether the user is surfing to malicious sites. In particular, it enables the user to check if web resources (most commonly URLs) are safe. The Safe Browsing APIs are for non-commercial use only. If you need to use APIs to detect malicious URLs for commercial purposes - meaning 'for sale or revenue-generating purposes' please refer to the Web Risk API.
Essential to check whether the client is browsing to malicious sites.
The activation of this function involves the following data: Google Cloud API
key, devices on which is possible to enable the function, IP and hostname.
Processing does not in any way imply downloading personal data of Google users onto the Developer's systems.
7.2. Ermetix Firebase Android/Chimpa Firebase Android
Ermetix Firebase Android and Chimpa Firebase Android use the Android Device Verification service which allows to verify that the functionality of the operating system has not been affected. The verification service requested from Google involves the following categories of data: serial number of the device to which the verification request refers. This serial number is displayed by the developer as part of the service activity only.
Chimpa Firebase Android and Ermetix Firebase Android use the Cloud Messaging service which allows push communication from servers to Android APPs. Activation of this service requires the generation of a Firebase token by Google that is correlated to a device to enable the service to function.
The developer uses the given data only to provide the requested service. There are no secondary purposes and no downloading of Google data takes place.
7.3 Ermetix Firebase iOS/Chimpa Firebase iOS
Ermetix Firebase IOS and Chimpa Firebase iOS use the Cloud Messaging service which allows push communication from servers to IOS APPs. Activation of this service requires the generation of a Firebase token by Google which is correlated to a device to enable the service to function.
The developer uses the given data only to provide the requested service. There are no secondary purposes and no downloading of Google data takes place
7.4.Ermetix Google Connect
Ermetix Google Connect and Chimpa Google Connect are used to take advantage of the following Google services:
7.4.1.Oauth.
Oauth is used to obtain user identifiers during SSO authentication or when activating Factory Reset Protection: email, Google id. Function initiated at the request of the administrator with the action Enable Factory Reset Protection or when activating SSO.
The scopes described involve the metadata of the user's account and do not imply downloading the data contained in Google accounts.
7.4.2.Admin SDK API
Admin SDK API is used to synchronise users, aliases, domains, departments from Google Workspace. Function initiated if the administrator enables Google Workspace Directory Sync.
It enables the following Google scopes.
The scopes described involve the metadata of the user's account and do not imply downloading the data contained in Google accounts.
The activation of the SDK API requires the authentication of a Google Workspace administrator account. This activity does not imply downloading data from Google accounts.
7.4.3.Google Classroom API.
Google Classroom API can be used for unidirectional or bidirectional (depending on how configured) synchronisation of courses and related roasters (students, teachers). Function initiated and defined only if the administrator enables Google Workspace Directory Sync and Google Classroom synchronisation, specifying whether unidirectional or bidirectional.
The scopes described involve the metadata of the user's account and do not imply downloading the data contained in Google accounts.
The activation of the Google Classroom API requires the authentication of a Google Workspace administrator account. This activity does not imply downloading data from Google accounts.
7.4.4.Android Device Provisioning Partner API.
Android Device Provisioning Partner API is used to get the list of devices entered into Android Enterprise Zero-touch and to create the Zero-touch configuration automatically. Function only started and defined if the administrator performs Android Enterprise Zero-touch Sync .
The scopes described involve the metadata of the user's account and do not imply downloading the data contained in Google accounts.
7.4.5.Google Drive API
Google Drive API / Google Picker API is used to pick up the file links which the administrator selects from Google Drive for inserting a resource in Chimpa Bazaar or for Upload File action to one or more devices.
The scopes described involve the metadata of the user's account and do not imply downloading the data contained in Google accounts.
8.Ermetix Remote Support/Chimpa Remote Support. This function is only available on devices using the Android operating system. This specification allows the Customer to create a connection on users' devices and provide support to them in real time. This function implies the creation of the following categories of personal data: data relating to the authorisation of the connection request, data displayed during the connection on the target device, logs of the activities performed by the assisting Customer.
9.Sending newsletters for commercial promotion purposes.
I. After subscribing to the service, the Controller shall send monthly e-mail communications concerning discounts and promotions and commercial initiatives.
II. The communications will be sent directly and exclusively by the Controller's staff trained and formally authorised to process your data in compliance with the provisions in force on the processing of personal data.
III. The legal basis for the processing is data subject consent pursuant to article 6.I Reg. Ue 679/16. The provision of consent is voluntary and optional. Consent to processing for marketing purposes can always be freely refused or revoked, without any consequences for the data subject in terms of use of the app services, by contacting the Data Controller or Data Protection officer at the addresses indicated above. The legality of the data processing performed on the basis of consent up to the receipt of the revocation shall not be affected by the withdrawal.
B. ORIGIN OF THE DATA PROCESSED.
The activation and use of the functional specifications generates a series of personal data such as log files of certain activities performed by the Customer (activation and deactivation and setting of the specifications), data on the state of health and very limited use of the device (amount of bandwidth used, presence of active blocks).
Some personal data are provided voluntarily by the Customer/User, e.g. data entered when setting up the account.
Some personal or indirectly personal data are generated by the activation of Google Api.
C. CATEGORIES OF DATA PROCESSED.
The developer has no access whatsoever to the content of the activities carried out in the course of using the applications, even if they are within Ermetix and Chimpa’s operating perimeter.
The data generated and saved as a result of using Chimpa and Ermetix are common personal data that often do not allow the developer to collect or process sensitive data.
Xnoova collects and processes the following personal data: location, contacts, unique device and customer identifiers [ such as IMEI [1] , IMSI [2] , UDID [3] and mobile phone number], identity of the data subject, identity of the phone [ i.e. name of the phone].
D. PROCESSING METHODS AND SCOPE OF DATA PROCESSING.
Personal data will be processed by the Controller in compliance with the applicable data protection regulations.
Personal data are processed by the Controller's staff, who is trained and authorised to process personal data in accordance with current legal requirements. The authorised personnel are also bound by specific confidentiality obligations to protect the persons concerned.
The processing is fully computerised, organised and set up in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures laid down by the provisions in force.
The activation of Google Api implies the display and transmission of data to the developer. This data is processed for the sole purpose of enabling the use of the described scopes. The developer does not perform any downloading activity of Google data.
The data generated by the activation, setting up and use of the functional specifications of the software are only accessible to the Controller's personnel who can view the data (often not directly traceable to an identified natural person) when carrying out assistance and support activities for the Customer.
Data is stored digitally on Google Cloud Platform, the service is provided by Google Cloud Italy S.r.l, Via Federico Confalonieri 4, 20124, P. Iva 11256580697, Milan, registered e-mail: googleclouditaly@legalmail.it , Google Cloud Italy S.r.l is data processor. Any subsequent transfers of personal data to the United States will be carried out in compliance with the provisions of the Regulation. [ https://www.dataprivacyframework.gov/list].
The Data Controller does not submit the collected personal data to automated decision-making processes nor to profiling pursuant to of Art. 22 par. I and IV of EU Reg. 679/16.
The Controller does not transfer directly processed personal data outside the territory of the European Union or to international organisations.
Newsletters are sent directly by the Controller's staff formally authorised to process your personal data.
E. RETENTION PERIODS.
The personal data processed by the Controller will be stored for the following periods.
1 Authentication, user profile creation and device configuration. The Customer sets the data retention time independently. The developer is not in a position to impose a different retention period than the one chosen by the Customer.
The account data remains saved until the account is removed. Removal implies automatic deletion of the data.
Logs of the done activities remain stored for 90 days from the date of logs are generated and at the end of this period are deleted by automated means.
2 Geolocation. The device's position data is saved for 72 hours from the time the position was recorded. The logs of the activities performed by the Customer are stored for 90 days from the date the logs are generated, and at the end of this period they are deleted by automated means.
3 Application of blockages and restrictions. The Customer sets the retention time for blocks and restrictions independently. The developer is not in a position to impose a different retention period than the one chosen by the Customer.
This data remains stored until it is removed. The logs of setting/removing blocks and filters associated with the account remain saved for 90 days from the date the logs are generated, and at the end of this period they are deleted by automated means.
4.Device monitoring. The data collected as a result of device monitoring are stored for a maximum of 90 days from the time of data generation. After this period has expired, deletion takes place by automated means.
5 Uploading and removal of content in Chimpa folder/ Ermetix folder documents, downloads and sites. Activity logs are saved for a maximum of 90 days from the day the log was created. After this period has expired, deletion takes place by automated means.
6 Creation of links to external resources by the user using Chimpa Bazaar/Ermetix Private Catalog. Activity logs linked to the account, possibly named reference, remain saved for a maximum of 90 days from the day the log was created. After this period has expired, deletion takes place by automated means.
7. Use of Google API ( Google API Services User Data Policy) . [7.1Safe Browsing Api; 7.2. Ermetix Firebase Android/Chimpa Firebase Android; 7.3 Ermetix Firebase IOS/Chimpa Firebase IOS; 7.4. Ermetix Google Connect/Chimpa Google Connect. If the Customer activates this service, the data involved described remain saved as long as the account created by the Customer remains active.
Ermetix and Chimpa use to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes), including the Limited Use requirements.
8. Ermetix Remote Support/Chimpa Remote Support. Activity logs are saved for a maximum of 90 days from the day the log was created. After this period has expired, deletion takes place by automated means.
9. Sending newsletters for commercial promotion purposes. Your data will be stored for 24 months from the first sending.
F. RIGHTS OF THE DATA SUBJECT. The interested party may, at any time, exercise the rights recognised by Reg. EU 679/16 by sending a request to the addresses indicated in the header of this policy.
Right of access to personal data . The data subject shall have the right to obtain from the Controller access to the personal data undergoing processing and to obtain a copy thereof, unless the granting of a copy would be detrimental to the rights and freedoms of other data subjects.
Right to rectification . The data subject has the right to obtain from the Data Controller the rectification of inaccurate personal data concerning him/her and the integration of incomplete personal data.
Right to cancellation . The data subject has the right to obtain from the Data Controller the deletion of personal data concerning him/her.
Right to limitation of processing . The data subject has the right to obtain from the Data Controller the restriction of processing. Where processing is restricted, personal data are processed, except for storage, only with your consent or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of public interest.
Right to data portability . The data subject has the right to receive in a structured, commonly used and machine-readable format the personal data concerning him/her that he/she has provided to a Data Controller and has the right to transmit these data to a different Data Controller without hindrance from the Data Controller to whom he/she has provided them if the processing is based on consent or on a contract and is carried out by automated means.
Right of opposition. The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her in accordance with Article 6 Par. 1, point e) or f).
Right to lodge a complaint with the Data Protection Authority. The data subject has the right to lodge a complaint with the Control Authority by hand delivery of the complaint at the offices of the Italian Data Protection Authority Garante (at the address below) or by registered letter with acknowledgement of receipt addressed to Garante per la protezione dei dati personali , Piazza di Montecitorio, 121, 00186 Rome or by sending a certified email message to protocollo@pec.gpdp.it
• I read and understood the privacy policy which precedes
• I consent to the periodic sending of newsletters for commercial promotion purposes
[1] International Mobile Equipment Identity
[2] International Mobile Subscriber Identity
[3] Unique Device Identifier