The purpose of this document is to inform the natural person (hereinafter the “Data Subject”) about the processing of their personal data (hereinafter “Personal Data”) collected by the data controller, WTS s.r.l., with registered office at Val di Rovere 18/B, Caerano Di San Marco, 31031, Italy, Tax Code/VAT No. 05595290262, e-mail address info@woosh.it (hereinafter the “Data Controller”), through the Woosh website and application (hereinafter the “Application”).
Amendments and updates shall be binding as soon as they are published on the Application. Should the Data Subject not accept the amendments made to the Privacy Policy, the Data Subject is required to cease using this Application and may request the Data Controller to erase their Personal Data.
1Categories of Personal Data processed
The Data Controller processes the following categories of Personal Data provided voluntarily by the Data Subject:
- Contact data: first name, last name, address, e-mail, telephone, images, authentication credentials, any further information sent by the Data Subject, etc.
- Tax and payment data: tax code, VAT number, credit card details, bank current account details, etc.
- Special (sensitive) data: any Personal Data capable of revealing the Data Subject’s state of health, contained in medical certificates or health documentation that the Data Subject decides to upload to the platform. Such Data is processed exclusively upon the explicit consent of the Data Subject, expressed through the voluntary act of uploading the documentation. Processing is limited to the purposes for which the data was provided, and the documents are stored with enhanced security measures for the time strictly necessary to pursue such purposes. The Data Subject may withdraw consent at any time, with effect for the future and without prejudice to the lawfulness of the processing carried out before the withdrawal; following the withdrawal, the health documentation shall be erased, save for the retention obligations provided for by law.
The Data Controller processes the following categories of Personal Data collected automatically:
- Technical data: Personal Data produced by the devices, applications, tools and protocols used, such as, for example, information on the device used, IP addresses, browser type, Internet Service Provider (ISP) type. Such Personal Data may leave traces which, in particular if combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons.
- Browsing and Application usage data: such as, for example, pages visited, number of clicks, actions performed, session duration, etc.
- Data relating to the Data Subject’s precise location: for example, geolocation data that precisely identifies the Data Subject’s position, which may be collected through the satellite network (e.g. GPS) and other means, collected upon the Data Subject’s consent. The Data Subject may withdraw consent at any time.
Failure by the Data Subject to provide the Personal Data for which there is a legal or contractual obligation, or where it constitutes a requirement necessary for the conclusion of the contract with the Data Controller, shall make it impossible for the Data Controller to establish or continue the relationship with the Data Subject.
A Data Subject who provides the Data Controller with Personal Data of third parties is directly and exclusively responsible for its origin, collection, processing, communication or disclosure.
2Cookies and similar technologies
The Application uses cookies, web beacons, unique identifiers and other similar technologies to collect the Data Subject’s Personal Data regarding the pages, the links visited and the other actions performed when the Data Subject uses the Application. These are stored so as to then be transmitted upon the Data Subject’s subsequent visit.
3Legal basis and purposes of the processing
The processing of Personal Data is necessary:
- for the performance of the contract with the Data Subject and specifically:
- fulfilment of any obligation arising from the pre-contractual or contractual relationship with the Data Subject.
- registration and authentication of the Data Subject: to allow the Data Subject to register on the Application, log in and be identified, including through external platforms.
- support and contact with the Data Subject: to respond to the Data Subject’s requests.
- payment management: to manage payments by credit card, bank transfer or other instruments.
- for legal obligation and specifically:
- the fulfilment of any obligation provided for by the regulations in force, laws and regulations, in particular in tax and fiscal matters.
- on the basis of the Data Controller’s legitimate interest, for:
- e-mail marketing purposes for the controller’s products and/or services: to directly sell the Data Controller’s products or services using the e-mail provided by the Data Subject in the context of the sale of a product or service similar to the one being sold.
- management, optimisation and monitoring of the technical infrastructure: to identify and resolve any technical problems, to improve the Application’s performance, to manage and organise information in a computer system (e.g. servers, databases, etc.).
- security and anti-fraud: to ensure the security of the Data Controller’s assets, infrastructure and networks.
- statistics with anonymous data: to carry out statistical analyses on aggregated and anonymous data in order to analyse the Data Subject’s behaviour, to improve the products and/or services provided by the Data Controller and to better meet the Data Subject’s expectations.
- on the basis of the Data Subject’s consent, for:
- retargeting and remarketing: to reach with a personalised advertisement the Data Subject who has already visited or has shown interest in the products and/or services offered by the Application, using their Personal Data. The Data Subject may opt out by visiting the Network Advertising Initiative page.
- marketing purposes for the Data Controller’s products and/or services: to send commercial and/or promotional information or materials, to carry out direct sales of the Data Controller’s products and/or services, or to conduct market research by automated and traditional means.
- detection of the Data Subject’s precise location: to detect the presence of the Data Subject, to control access, times and the Data Subject’s presence in a given place, etc.
On the basis of the Data Controller’s legitimate interest, the Application allows interactions with external web platforms or social networks whose processing of Personal Data is governed by their respective privacy policies, to which reference should be made. The interactions and information acquired by this Application are in any case subject to the privacy settings that the Data Subject has chosen on those platforms or social networks. This information – in the absence of specific consent to processing for further purposes – is used solely to enable the use of the Application and to provide the information and services requested.
The Data Subject’s Personal Data may also be used by the Data Controller to defend itself in legal proceedings before the competent judicial authorities.
4Methods of processing and recipients of Personal Data
The processing of Personal Data is carried out using paper and electronic tools, with organisational methods and logic strictly related to the purposes indicated, and through the adoption of appropriate security measures.
Personal Data is processed exclusively by:
- persons authorised by the Data Controller to process Personal Data who have undertaken to maintain confidentiality or who have an appropriate legal obligation of confidentiality;
- parties acting independently as separate data controllers, or parties designated as data processors by the Data Controller in order to carry out all the processing activities necessary to pursue the purposes referred to in this policy (for example, business partners, consultants, IT companies, service providers, hosting providers);
- parties or bodies to whom it is mandatory to disclose Personal Data by legal obligation or by order of the authorities.
The parties listed above are required to use appropriate safeguards to protect Personal Data and may only access the data necessary to carry out the tasks assigned to them.
Personal Data shall not be disseminated indiscriminately in any way.
5Location
Personal Data shall not be subject to any transfer outside the territory of the European Economic Area (EEA).
6Personal Data retention period
Personal Data shall be retained for the period of time necessary to fulfil the purposes for which it was collected, in particular:
- for purposes relating to the performance of the contract between the Data Controller and the Data Subject, it shall be retained for the entire duration of the contractual relationship and, after its termination, for the ordinary limitation period of 10 years. In the event of legal proceedings, for the entire duration thereof, until the time limits for bringing appeal actions have expired;
- for purposes relating to the Data Controller’s legitimate interest, it shall be retained until such interest has been fulfilled;
- for the fulfilment of a legal obligation, by order of an authority and for the defence in legal proceedings, it shall be retained in accordance with the time limits provided for by such obligations and regulations, and in any case until the expiry of the limitation period provided for by the rules in force;
- for purposes based on the Data Subject’s consent, it shall be retained until the consent is withdrawn.
At the end of the retention period, all Personal Data shall be erased or stored in a form that does not allow the Data Subject to be identified.
7Rights of the Data Subject
Data Subjects may exercise certain rights with regard to the Personal Data processed by the Data Controller. In particular, the Data Subject has the right to:
- be informed about the processing of their Personal Data;
- withdraw consent at any time;
- restrict the processing of their Personal Data;
- object to the processing of their Personal Data;
- access their Personal Data;
- verify and request the rectification of their Personal Data;
- obtain the restriction of the processing of their Personal Data;
- obtain the erasure of their Personal Data;
- transfer their Personal Data to another controller;
- lodge a complaint with the supervisory authority for the protection of their Personal Data and/or take legal action.