Privacy Policy for ReLearn NANDO.App
Agenda:
- Data Protection Officer
- Types of personal data we process
- Why we process your personal data and on what legal bases
- How long we keep and process your personal data
- How we process your personal data
- Recipients of personal data
- Transfer of personal data outside the EU
- Data subject rights
- Changes to the Privacy Policy
Re Learn srl Via Cernaia 24, 10122, Turin, Italy Share Capital: 10,000€ REA: TO-1288994 – VAT Number: 12428410018 – CUU: 9SUB64Q Limited Liability Company – Innovative Startup www.re-learn.eu – info@re-learn.eu – privacy@re-learn.eu
1. Data Protection Officer
The controller does not process personal data that requires regular and systematic monitoring of data subjects on a large scale, nor does it process large-scale special categories of personal data or data relating to criminal convictions and offenses. Therefore, in accordance with Articles 37, 38, and 39 of the General Data Protection Regulation (GDPR), it is not necessary to appoint a Data Protection Officer (DPO) for company operations.
2. Types of Personal Data We Process
The types of personal data we collect depend on the purpose for which they are collected. In general, we may collect the following types of personal data from users of our Android app:
Personal Information:
- Android ID
- Location data (GPS coordinates when taking pictures)
- Images (photos taken of waste, always initiated by user interaction)
- App usage data (collected via Google Firebase and Google Analytics)
3. Why We Process Your Personal Data and on What Legal Bases
The processing of your personal data by the Controller occurs for the following purposes and consequent legal bases:
Service Provision and Enhancement:
- To identify users’ apps via Android ID for service personalization and security: Legitimate interest (Article 6(1)(f) GDPR).
- To improve our services and user experience through usage data analytics: Legitimate interest (Article 6(1)(f) GDPR).
- To associate pictures of waste with their GPS locations to optimize waste management solutions: Consent (Article 6(1)(a) GDPR).
User-initiated Actions:
- To allow users to take pictures of waste and associate these with a location: Consent (Article 6(1)(a) GDPR).
4. How Long We Keep and Process Your Personal Data
Your personal data will be processed by the Controller for the time strictly necessary to achieve the purposes of the processing described above, in accordance with the principles of “storage limitation” (Article 5(1)(e) GDPR) and “data minimization” (Article 5(1)(c) GDPR).
Once the purposes of the processing have been achieved, your personal data will be retained solely to comply with legal obligations, for administrative purposes, and/or to assert or defend a legal claim. This retention will be limited to the time necessary to fulfill such obligations and no longer than the legal prescription periods.
The Controller will conduct periodic reviews of the need for processing your personal data to ensure that they are retained only for the time strictly necessary and in compliance with current data protection regulations.
5. How We Process Your Personal Data
Personal data is subject to processing in both paper and electronic and/or automated form for the time necessary to achieve the purposes for which they were collected, as determined by the Controller or specifically authorized and/or appointed persons. These persons are constantly identified and/or appointed, and are adequately trained and informed about the legal constraints regarding data protection.
Processing is carried out in compliance with the principles of lawfulness, fairness, and transparency, as well as the principles of storage limitation and data minimization, as provided for in Articles 5(1)(e) and 5(1)(c) GDPR.
Adequate technical and organizational security measures are adopted to ensure confidentiality and to prevent risks such as data loss or destruction, unauthorized access, unauthorized processing, or processing that is not compliant with the purposes outlined above.
The processing of personal data is carried out in compliance with applicable data protection laws and in respect of the rights and freedoms of data subjects, in accordance with Articles 5 and 6 GDPR.
6. Recipients of Personal Data
For the purposes indicated above, the personal data collected may be made accessible or communicated to:
- The CEO of the Controller, as an authorized person for processing, limited to their duties and in accordance with the instructions received. This individual is bound by confidentiality and secrecy obligations.
- The Tech Team of the Controller, responsible for maintaining, updating, and ensuring the security of technological infrastructures. Data may be used to diagnose problems, optimize system performance, and develop new technologies that improve the company’s services.
- The Customer Care Team of the Controller, responsible for assisting customers in all stages of pre- and post-sale service, resolving issues, responding to requests and complaints, and ensuring effective communication with customers. Personal data is processed to meet specific customer requests and improve their overall experience.
- Third parties performing outsourced activities on behalf of the Controller and whose activities are connected, instrumental, or supportive of the Controller’s operations (e.g., Google Firebase, Google Analytics).
- Public and/or private entities, individuals and/or legal entities (such as legal, administrative, and tax consultancy firms, private pension and assistance funds, Judicial Offices, Chambers of Commerce), if communication is necessary or functional for the proper fulfillment of contractual obligations, as well as obligations arising from the law.
- Entities (including Public Authorities) that have access to personal data by virtue of regulatory or administrative measures.
Your collected personal data will not be disseminated to unidentified entities.
7. Transfer of Personal Data Outside the EU
The processing of personal data may involve the transfer of data outside the European Union (EU) to countries that may not guarantee the same level of data protection as established by the GDPR.
In such circumstances, the Controller will take appropriate measures to ensure the protection of the transferred personal data. These measures may include the adoption of Standard Contractual Clauses (SCC) approved by the European Commission, in accordance with Article 46 GDPR. The SCCs provide a set of contractual provisions that ensure an adequate level of data protection.
Alternatively, the transfer may occur based on specific derogations provided for in Article 49 GDPR, such as the explicit consent of the data subject to the transfer of their personal data to third countries that do not offer an adequate level of data protection.
Any transfer of personal data outside the EU will be carried out in accordance with the principles of lawfulness, fairness, and transparency, as well as respecting the rights of data subjects as provided by the GDPR.
For more information on the transfer of personal data outside the EU and the protective measures adopted, data subjects can contact the Controller at the addresses indicated in this information.
8. Data Subject Rights
Pursuant to Articles 15 and following of the GDPR and applicable national privacy and data protection regulations, you have the right to:
- Access personal data (Article 15 GDPR): obtain confirmation of the existence of processing of your personal data, as well as access to the data itself and information related to the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom the data has been or will be disclosed, the retention period of the data or the criteria used to determine it, and the possible existence of automated decision-making processes, including profiling.
- Rectification (Article 16 GDPR): request the correction of inaccurate personal data and the integration of incomplete personal data.
- Erasure (Article 17 GDPR): obtain the deletion of your personal data without undue delay, in the cases provided for by current regulations.
- Restriction of processing (Article 18 GDPR): request the limitation of the processing of your personal data.
- Data portability (Article 20 GDPR): receive the personal data concerning you in a structured, commonly used, and machine-readable format, and transmit such data to another controller without impediments.
- Object to processing (Article 21 GDPR): object at any time to the processing of your personal data if the processing is based on a public interest or legitimate interest unless the Controller demonstrates compelling legitimate grounds for proceeding with the processing.
- Lodge a complaint (Article 77 GDPR): lodge a complaint with the Data Protection Authority or other competent supervisory authorities under the GDPR if you believe your rights have been violated.
The Controller will notify each of the recipients to whom personal data has been disclosed of any rectification, erasure, or restriction of processing, within the limits and forms provided by law.
To exercise the above rights, the data subject can send a written request by registered mail to the Controller’s address or send an email to the address provided by the Controller.
9. Changes to the Privacy Policy
This information may be changed and/or updated at any time. If the Controller intends to process your personal data for purposes different from those stated in the previous section 3, it commits to providing you with adequate information regarding such different purposes before further processing and to carrying out such further processing in compliance with current regulations, obtaining your specific consent where necessary.
This Privacy Policy was published on 22/07/2024. Any updates will be published on this page.
Re Learn srl Via Cernaia 24, 10122, Turin, Italy Share Capital: 10,000€ REA: TO-1288994 – VAT Number: 12428410018 – CUU: 9SUB64Q Limited Liability Company – Innovative Startup www.re-learn.eu – info@re-learn.eu – privacy@re-learn.eu