This document is provided prior to the collection of data and is intended to inform the individual - the user - about the processing of his/her personal data collected by the Data Controller, Headu s.r.l., with registered office in Mosciano S.A. in Viale Europa no. 23 Tax code/VAT no. 01973770678, email address: email@example.com, (hereinafter the "Data Controller"), through the HEADU APP - Application.
Categories of Personal Data processed
The Data Controller processes the following types of Personal Data provided voluntarily by the Data Subject/User:
• identification data such as name, surname, date of birth,
• contact details: e-mail, telephone, images, authentication credentials,
• tax and payment data, bank or credit card data, payment details
• technical data: of the devices and tools used, IP addresses, type of browser, type of Internet provider (ISP).
• Application navigation and usage data, such as pages visited.
If the Data Subject does not provide the personal data necessary for the contract with the Data Controller, the relationship with the user cannot be established or continued.
The Data Subject is solely responsible for the data he or she provides and its origin, communication or dissemination.
Legal basis and purpose of processing
The processing of personal data is necessary:
- for the pre-contractual or contractual relationship;
- for registration and authentication of the user to access the App and for the use of the App, for games and education in online mode;
- for the fulfilment of obligations of the regulations in force;
- pursuant to Article 4 of the GDPR for user profiling for marketing purposes, i.e. to provide information on products and/or services following the automated collection of information on preferences;
- for marketing purposes of products and/or services of the Data Controller.
The Personal Data of the Data Subject may also be used by the Data Controller to protect itself in court before the competent judicial offices.
Provision of data and Privacy of minors
Personal data are communicated with the registration to the reserved areas - or in the commercial and promotional areas.
The processing of personal data complies with Article 6(1)(a) of the GDPR, which requires the user's consent to be expressed using the appropriate computer form. Personal data relating to minors may only be provided with the consent of one of their parents or guardian, or in any case of the authorised person indicated in Article 8 of the GDPR according to the laws of their country.
Processing methods and recipients of Personal Data
The processing of Personal Data is carried out by paper and electronic means by:
• persons authorised by the Data Controller to process Personal Data who are committed to confidentiality;
• subjects who operate independently for the activities necessary for the purposes set out in this policy (for example, business partners, consultants, hosting providers);
• subjects or entities to which it is mandatory to communicate Personal Data by law;
• persons responsible for the operation and maintenance of processing systems.
Only strictly necessary personal data are processed and will not be disseminated in any way.
Place of processing
Personal Data will not be transferred outside the territory of the European Economic Area (EEA).
Fully automated decision-making processes
The Data Controller does not process data consisting of fully automated decision-making processes.
Cookies and similar technologies
The Personal Data Retention Period
Personal Data will be kept as long as necessary for the purposes for which it was collected, in particular:
• for the entire duration of the contractual relationship and, after termination, for the ordinary limitation period of 10 years. In the event of legal disputes, for the entire duration of the same, until the time limit for any action, including appeals, has expired;
• for purposes related to the legitimate interest of the Data Controller, they will be kept until such interest is fulfilled;
• for the fulfilment of legal obligations and for legal protection, they will be kept for the period necessary for such purposes;
• for purposes based on the Data Subject's consent, they will be kept until the consent is revoked;
At the end of the retention period, all Personal Data will be deleted or stored in a form that does not allow the identification of the Data Subject.
Rights of the Data Subject
Data Subjects may exercise certain rights with reference to the Personal Data processed by the Data Controller. In particular, the Data Subject has the right to:
• be informed about the processing of their Personal Data;
• revoke consent at any time;
• limit the processing of their Personal Data;
• object to the processing of their Personal Data;
• access their Personal Data;
• rectify their Personal Data;
• delete their Personal Data;
• transfer their Personal Data to another Data Controller;
• lodge a complaint with the supervisory authority for the protection of their Personal Data.
To exercise their rights, Data Subjects may send a request to the following email address: firstname.lastname@example.org. Requests will be dealt with by the Data Controller immediately and processed as soon as possible, in any case within 30 days.
Last updated: 01/01/2022