In accordance with European Regulation 2016/679 (hereinafter: "GDPR"), the following information is provided to you.
The Data Controller - as defined pursuant to art. 4, co. 1, no. 7) of the GDPR - is the company "NARVALO SRL" , with registered office in Milan, Via Pietro Maroncelli n. 17, tax code, VAT number and registration in the Company Register of Milan, Monza-Brianza and Lodi 11286320962, REA n. MI - 2592277 (hereinafter "Data Controller").
1. INTRODUCTORY INFORMATION
For ease of reading, below are some definitions directly contained in the provisions of the GDPR.
Pursuant to art. 4, co. 1 of the GDPR, means:
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific identity factors physical, physiological, genetic, mental, economic, cultural or social nature of that natural person;
"Processing" means any operation or set of operations carried out on personal data or on sets of personal data, with or without the aid of automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, erasure or destruction;
"Data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. CATEGORIES OF DATA PROCESSED
a) Common personal data: as defined by art. 4, co. 1 of the GDPR. This category includes both personal data such as, for example, name, surname, date of birth, residential address, tax code, and contact data such as landline and/or mobile telephone number and e-mail address. This data is processed in relation to all the "types of users" described above.
On the registration page you will be asked:
b) Technical data: The computer systems and software procedures used to operate this application acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which, by its very nature, could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes the IP address or domain name of the device used, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server and other parameters relating to the operating system and the IT environment of the device.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the application and to check its correct functioning, and are deleted immediately after processing.
The data could be used to ascertain responsibility in the event of hypothetical computer crimes against Narvalo.
This data is processed in relation to all "types of Users".
We point out that, regardless of the foregoing, the IT systems and software procedures responsible for the operation of the Apps (such as the Apple store or Google Play) acquire, during their normal operation, some data in any case referable to the User whose transmission it is implicit in the use of Internet communication protocols, smartphones and the devices used. This category of data includes, by way of example but not limited to, the geographical position, the identity of the telephone, the User's contacts, e-mail, credit card data in the case of paid Apps, etc.
NARVALO is not involved in such treatments nor can it be held responsible for them. The interested party may, however, consult the privacy information made available on the following sites:
Apple Store: https://www.apple.com/legal/internet-services/itunes/it/terms.html
Google Play: https://play.google.com/intl/it_it/about/play-terms.html
c) Geolocation data
This App uses features of Google Maps (when using the Android operating system) and Apple Map Framework (when using the IOS operating system) which can acquire data relating to your geographical position (GPS, Wi-FI, network GSM). Subject to your express consent expressed at the time of opening the "login" service - via a specific PopUp Alert - the App accesses the data relating to your geographical position. Based on the option you have chosen - "Always allow" or "Allow when using the App" - the App will ask you for consent respectively only once or from time to time through a specific Runtime Permission
Localization, starting from the "active" choice in the App, allows you to check and access your device's navigator, knowing the air quality as well as, for Urban and Active Users, calculating the route taken. At any time the user can deactivate the localization of the geographical position by accessing the appropriate section of the App. The choice to deactivate geolocation is not definitive and can be reactivated with the same activation methods. The location data will not be stored in any way by NARVALO except in anonymized and/or aggregated form for statistical purposes.
d) Mask usage data (Narvalo Urban/Active)
By turning on the App and through the user's prior consent to the use of geolocation data (according to the methods described above in point c), information relating to the places where the User has used the App may be acquired, as well as, for Urban and Active Users, the time and methods of use of the mask (for example the data collected will also allow the processing of the data necessary to calculate the times for replacing the filter, allowing the sending of a reminder for proceed with its replacement.). For Narvalo Active Users only, it will also be possible to acquire data on the status of the mask (battery, fan speed and status, automatic use time) also allowing Users to download this information through CVS files.
All this data can be collected only when the App is active and only in the case of express consent to the collection of geolocation data. At any time you can deactivate the localization of your geographical position or any other function connected to the use of the sensor, by accessing to the appropriate section of the App. The choice to deactivate geolocation is not definitive and you can reactivate it with the same activation methods. The location data will be stored to provide the User with the functions connected to the service. NARVALO will not use geolocation data except in anonymized and/or aggregated form.
e) Data pursuant to art. 9 GDPR
Using the sensors installed in the mask, the data on the pressure in the mask and the air temperature inside the mask will also be detected. This data will allow you to verify whether the mask is worn, where it is worn, as well as the relative operating temperature and their subsequent processing will allow you to calculate the user's breathing rate and any other useful data deriving from the use of the mask, complete with filter. The sensor will allow it to detect the operating speed of the fan as well as any additional information about the user's breathing, such as breathing rate.
As defined in the art. 4 of the GDPR, profiling means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation , health, personal preferences, interests, reliability, behavior, location or movements of that natural person. In this sense, you will be optionally asked for information relating to your habits (e.g. vehicles and places, respectively, used and frequented habitually), functional to the use of the App.
g) Push notifications
This App can send push notifications relating to the service both when the application is active and when it is in the background or closed, if you have activated the sending of push notifications via your device's operating system (Android or IOS). This data is processed in relation to Urban and Active Users.
Specifically, if prior consent is given, it will be possible to use the following functions and related notifications:
h) Usage Identifiers and other similar Technologies
The usage identifier is the unique code of the device worn which is used to provide personalized information and value-added services relating to the User's preferences for using the device, such as, for example, the time of wearing the mask, the fan rotation speed or air quality in the areas or places visited while wearing the mask or the duration of the filter.
When the App is used, NARVALO may collect information relating to activities in the App through the use of usage identifiers, so as to be able to provide additional services and/or advice that better respond to your personal interest for better use. of the device referring to its need and/or particular interest in use.
You can request, at any time, to no longer receive targeted information through the settings of your device's operating system (Android or IOS).
The App also uses third-party analysis platforms to collect anonymous and/or aggregate statistical information on the use of the application.
NARVALO has adopted tools that reduce the user's identification power and tools to not cross-reference the information collected with other information already known to the platform.
You can disable the use of the above usage markers at any time by searching the system settings and disabling the latter's permissions.
The Data described in this paragraph are processed within the limits and in consideration of the different functions available in the App for each type of User (Basic, Urban or Active).
3. PURPOSE OF THE PROCESSING AND LEGAL BASIS
The Data Controller processes your personal data for the following purposes:
The legal basis of the processing is Article 6, paragraph 1 of the GDPR, according to which the processing is lawful only if and to the extent that at least one of the following conditions applies:
4. PROCESSING METHODS AND STORAGE TIME
We inform you that your data will be processed in compliance with the GDPR and current legislation regarding the processing of personal data.
We inform you that the processing of the data in question is based on the principles established by Article 5 of the GDPR, in particular on the principles of correctness, lawfulness, transparency and protection of the confidentiality and rights of the person whose data is processed.
The processing of your personal data will be carried out using paper, IT and telematic tools, in order to guarantee security and confidentiality in accordance with the provisions of Article 32 of the GDPR.
Your personal data will be retained by the Data Controller for the period strictly necessary to achieve the purposes for which they were collected, and in any case in compliance with the principle of minimization referred to in Article 5, paragraph 1, letter c) of the GDPR as well as the obligations established by law. The location data will be stored to provide the User with the functions connected to the service. NARVALO will not use geolocation data except in anonymized and/or aggregated form.
5. COMMUNICATION OF YOUR PERSONAL DATA
We inform you that your personal data are not subject to dissemination, meaning with this term the communication of the same to indeterminate subjects, in any form, including making them available or viewable.
On the other hand, the communication of data is requested from the Data Controller, in compliance with legislative provisions, by public authorities, judicial authorities, supervisory and control bodies, information and security bodies or other subjects and/or public bodies for purposes defense and security of the State, prevention and detection or repression of crimes.
To achieve the purposes described in point 3, the Data Controller may need to communicate your personal data to the following categories of third parties:
6. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY AND/OR AN INTERNATIONAL ORGANIZATION
We inform you that your personal data will be processed by the Data Controller exclusively within the national territory. The data you provide will not be transferred by the Data Controller to third countries inside or outside the European Union and/or to international organisations.
7. RIGHTS OF THE INTERESTED PARTY
Pursuant to art. 7 co. 3 of the GDPR, we inform you that you can revoke the consent given at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation.
By submitting your request directly to the registered office of the Data Controller indicated above or by using the following e-mail address: firstname.lastname@example.org , you may exercise, at any time, pursuant to articles 15 to 22 of the GDPR, the right to :
a) request confirmation of the existence or otherwise of your personal data;
b) obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom your personal data have been or will be communicated and, if possible, the retention period;
c) obtain the correction and deletion of your personal data;
d) obtain the limitation of the processing of your data;
e) obtain data portability, i.e. receive them from a data controller, in a structured, commonly used and machine-readable format, and transmit them to another data controller without impediments;
f) object to processing at any time and also in the case of processing for direct marketing purposes;
g) oppose automated decision-making concerning individuals;
h) to ask the Data Controller to access and rectify or delete the data or limit the processing of data concerning him or to oppose their processing, as well as the right to data portability;
i) revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation;
j) lodge a complaint with a supervisory authority.