Cassandra Srl, as data controller, informs pursuant to Article 13 of EU Regulation no. 2016/679 (“GDPR”) that the data provided by users (the “Interested” or the “User”) through the Cassandra platform (the “Platform”), regardless of the methods and the tool used, will be treated in the manner and for the following purposes.

1. The Data Controller of personal data

The data controller is Cassandra Srl, with registered office in Coso Porta Romana 6 – Milan 20122 (hereinafter, the “Data Controller”).

The Data Controller makes the following e-mail address available for each communication: admin@cassandra.app.

The Data Controller may designate one or more personal data processors pursuant to Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental or support activities by adopting all those technical measures and organizational structures adequate to protect the rights, freedoms and legitimate interests that are recognized by law to the Data Subjects.

2. Treatment description

The processing will concern individual operations, or a set of operations, of the following personal data provided by the interested party when using the services rendered by the Data Controller, through the platform, as described in the following table (the “Personal Data” or “Data”):

Typology	Purpose of the Treatment	Legal basis	Storage Period
Identification data of the interested party: name, surname, e-mail address, telephone number and residential address.	Correctly register the User’s profile on the Platform; process a request to register on the Platform; communicate and transmit informative material relating to the activities offered by the Data Controller through the Platform; IT security purposes, to guarantee the security of the Personal Data processed;	Execution of a contract of which the interested party is a party or execution of pre-contractual measures adopted at the request of the same (Article 6 paragraph 1 letter b) of the GDPR).	For the entire duration of the contractual relationship and for six (6) months after its termination.
	to prevent or detect fraudulent activity or abuse harmful to the Platform-
	fulfill the obligations established by law, by a regulation, by Community law or by an order of the Authority.	Fulfill a legal obligation to which the Data Controller is subject (Article 6 paragraph 1 letter c) of the GDPR).	For the time necessary according to the law. In any case, for a maximum period of ten (10) years.
	to exercise the rights of the Data Controller, for example to exercise a right in court.	Legitimate interest of the Data Controller (Article 6 paragraph 1 letter f) of the GDPR).
	send communications related to the activity withreferenceto which the interested party has provided their data; manage, improve and maintain the Platform.	Legitimate interest of the Data Controller (Article 6 paragraph 1 letter f) of the GDPR).	For the duration of the contractual relationship.
Data provided spontaneously by the interested party	Respond to requests from interested parties, who can be contacted by e-mail, telephone or by means of other communication systems, if provided by the same.	Legitimate interest of the Data Controller (Article 6 paragraph 1 letter f) of the GDPR).	For the time necessary to satisfy the requests of the interested parties or for the execution of the services. In any case, these data cannot be stored for a period exceeding ten (10) years from the satisfaction of the requests received from the interested party.
Navigation data: IP addresses, URI/URL (Uniform Resource Identifier/Locator) notation addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status the response given by the server (success, error, etc.); other parameters relating to the operating system and the IT environment used by the interested party.	Obtain anonymous statistical information on the use of the Platform and to check its correct functioning.	Legitimate interest of the Data Controller (Article 6 paragraph 1 letter f) of the GDPR).	The navigation data will be kept for the time necessary to carry out the analysis and comparative statistical processing activities, not exceeding 36 months except for any need to ascertain crimes by the competent authorities.
Cookies and other technologies for reading/storing information on the interested party’s terminal	Please refer to the “Cookie Policy“, available at the following link https://cassandra.app/cookie-policy/	Please refer to the “Cookie Policy“, available at the following link https://cassandra.app/cookie-policy/	Please refer to the “Cookie Policy“, available at the following link https://cassandra.app/cookie-policy/

It should be noted that, with reference to navigation data, the information collected, although not intended to be associated with identified subjects, by their nature, if associated with other data held by third parties (e.g. internet service providers), could allow identification of the interested parties (eg, IP addresses, domain names of the PCs used, URL addresses of the requested resources, time of the request, numerical code relating to the status of the response given by the server).

Cassandra’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

3. Processing methods

Processing of Personal Data:

1. is carried out by means of the operations indicated in Article 4, par. 1, no. 2 of the GDPR and precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of Data;
2. it is also carried out with the aid of electronic or automated means. In this regard, we inform you that the Personal Data processed through the use of electronic or automated means are stored in electronic archives located on servers located in Italy.
3. it is also carried out through the use of e-mail or other remote communication techniques.

4. Transfer of Personal Data

The management and storage of data will take place primarily in Europe, on servers of third-party companies appointed and duly appointed as data controllers.

The Data Controller may also provide access to the Platform and the services indicated therein in other countries, in which case the transfer of Data to these countries is strictly limited to the actual need to be aware of it. The Data Controller will take the necessary measures to protect the Users’ Personal Data and prevent unauthorized access.

In the event that the Personal Data is transferred to the systems used by the Data Controller even outside the European Union, the Data Controller guarantees the application of the standard contractual clauses of the European Commission to guarantee a secure international transfer of personal data, on the basis of the articles 44, 45 and 46 GDPR.

5. Security measures

The Data Controller has adopted a variety of security measures to protect the Data against the risk of loss, misuse or alteration, in line with the measures expressed in Article 32 of the GDPR.

6. Consequences of failure to communicate Personal Data

Without prejudice to the right of the interested party to provide Personal Data to the Data Controller, the provision of Personal Data can be:

1. mandatory for the provision of services accessible through the Platform and for purposes related to the fulfillment of obligations established by applicable laws and/or regulations, as well as by provisions issued by the competent supervisory and/or control authorities/bodies;
2. optional with reference to the data provided spontaneously by the interested party.

Any refusal by the interested party to provide Personal Data to the Data Controller could make it impossible for the Data Controller to provide the requested services and make access to the Platform available.

Furthermore, please consider that the revocation of one or more permits and/or consents not granted by the User may have consequences on the correct functioning and/or on the possibility of accessing and/or using the Platform correctly and/or providing the services by the Data Controller.

7. Data retention and deletion

The retention period of Personal Data is indicated in the table in point 2 above.

At the end of the retention period, the Personal Data will be deleted. Therefore, upon expiry of this term, the right of access, cancellation, rectification and the right to the portability of Personal Data can no longer be exercised by the User..

Personal Data will be stored in paper and IT archives, including portable devices, by adopting suitable measures to guarantee their security and to limit access exclusively to personnel authorized by the Data Controller and strictly within the scope of the purposes indicated above.

8. Rights of the interested party

The interested party can exercise the rights provided for in Chapter III of the GDPR within the limits and under the conditions provided therein:

1. access to Data (art. 15): the interested party has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him is being processed and, in this case, obtain access to Personal Data in a commonly used electronic format and some information on the processing (e.g. purposes, categories of data processed, recipients, transfers outside the EU, implementation of profiling activities, etc.);
2. Data rectification (art. 16): the interested party has the right to obtain the rectification of inaccurate Personal Data concerning him without unjustified delay and/or the integration of incomplete Personal Data, also by providing a supplementary declaration;
3. deletion of Data or “right to be forgotten” (art. 17): the Data Subject has the right to obtain from the Data Controller the deletion of Personal Data concerning him without unjustified delay and the Data Controller has the obligation to cancel without unjustified delay the Personal Data;
4. limitation of treatment (art. 18): the interested party has the right to obtain from the Data Controller the limitation of treatment;
5. Data portability (art. 20): the interested party has the right to receive, in a structured format, in common use and readable by an automatic device, the Personal Data concerning him provided to a Data Controller and has the right to transmit such Data to another Data Controller without hindrance from the Data Controller to whom it has been provided;
6. opposition to processing (art. 21): the interested party has the right to object at any time, for reasons related to his particular situation, to the processing of Personal Data concerning him pursuant to article 6, paragraph 1, letter e) of) of the GDPR, including profiling on the basis of these provisions.

1. Methods of exercising rights

 

The interested party may at any time exercise the rights by sending:

1. an email to the address: admin@cassandra.app.
2. a registered letter with return receipt to Cassandra Srl, with registered office in Coso Porta Romana 6 – Milan 20122.

The Data Controller undertakes to provide the interested party with information relating to the action taken regarding a request to exercise the rights without unjustified delay and, in any case, at the latest within a period of 30 (thirty) days from receipt of the request itself , extendable up to 3 months only in particularly complex cases.

Any rectifications or cancellations or limitations to the processing carried out at the explicit request of the interested party (unless this proves impossible or involves a disproportionate effort) will be communicated by the Data Controller to each of the recipients to whom the Personal Data have been transmitted. The Data Controller may communicate the contact details of the recipients to the interested party, if requested.

9. Right of complaint

Interested parties who believe that the processing of Personal Data is in violation of the provisions of the GDPR have the right to lodge a complaint with the Personal Data Protection Authority (Privacy Guarantor) via e-mail, at garante@gpdp.it or urp@gpdp.it , by fax 06.696773785, or by mail to the Privacy Guarantor for the protection of Personal Data which is based in Rome (Italy), Piazza Venezia n. 11 – Cap 00187, or alternatively by appealing to the Judicial Authority.

10. Manager and appointees

The updated list of data processors and data processors is kept at the headquarters of the Data Controller.

11. Changes to this information

This information may be subject to changes. We therefore recommend that you regularly check this information and refer to the most updated version.