Zehus S.p.A. with registered office in Milan at Via Soperga 57, and available via email at firstname.lastname@example.org (hereinafter, “Company“) as data controller, collects and processes user persona data (hereinafter, “Users“) who utilise those Bike+ services described in the terms and conditions for the service (hereinafter, “Service”) offered by the Company, including through the Bike+ software application (hereinafter, “App“), using those methods, and for those purposes state herein, and in compliance with all applicable privacy regulations, especially the European General Data Protection Regulation no. 679/2016 (hereinafter, “Privacy Regulation“).
- Type of Data Processed
For those reasons stated herein, Company shall process the following categories of personal data:
- user contact information supplied for purposes of registering the App and using the Service, by creating a personal account;
- data supplied by the User along with any informational or support enquiries;
- data relating to the distance travelled by the bicycle (the collection of that type of data occurs in fifty trip-kilometre intervals);
- geolocalisation data on the bike on which the User is benefiting from the Service, limited to those cases identified herein and better described below.
(hereinafter jointly denoted “Data“).
No sensitive personal data as defined under Article 9 of the Privacy Regulation shall be solicited to register the App and use the Service.
- Processing Purposes
Company shall process User Data for the following purposes:
- to allow for use of the Service, accessory and/or ancillary services, and to discharge duties arising from the Service terms and conditions of use, including providing information and assistance on your request;
- to allow you to register the App by creating a personal account, including the collection, retention, and generation of data for purposes of instituting, and thereafter managing, the operational, technical, and accounting activities (for the User-created account and profile) relating to delivering the Service, and to communicate regarding Service performance;
- to geo-localise the vehicle;
- in instances where an incorrect PIN for the bicycle was entered, to send an alert back to the server with the phone’s GPS position; and
- in instances where there is evidence of an emergency or a breach of the Service terms and conditions, and in particular should any theft occur, to take subsequent corrective measures; and
- to comply with statutory, bookkeeping, tax, accounting, and contractual duties relating to the delivery of the requested services;
(hereinafter jointly denoted the “Contractual Purposes“);
- to assert and defend our own rights, including as part of any credit-collection effort, whether directly or through a third party;
- to conduct operations related to company or company-branch spin-offs, acquisitions, mergers, spin-offs, or other company reorganisations;
(hereinafter jointly denoted the “Purposes Relating to Legitimate Interests“);
- Legal Basis for Processing
The Processing of User Data for Contractual Purposes is necessary, given it is essential to:
- make it possible for you to register the App and use the Service, with reference to the cases stated in paragraph 2, subparts (a)-(c) hereof;
- comply with applicable provisions of law for the scenario contemplated in paragraph 2, subpart (d) hereof.
Should the User fail to provide the Data necessary for Contractual Purposes, the Service offered by the Company through the App will be unavailable. With respect to geolocalisation data for those purposes stated in paragraph 2, subpart (c) hereof, the provision of data is necessary to ensure a secure use of the Service, subject to the User’s right to disable such functionality by sending notice in the manner stated in paragraph 9, or by using the disabling location services on their own devices. In such cases, the User will not be able to use that particular Service function.
Data Processing for Purposes Relating to Legitimate Interests shall be performed, pursuant to Article 6, subpart (f) of the Privacy Regulation, in the pursuit of:
- Company’s legitimate interests in protecting its rights, with reference to the scenario contemplated in paragraph 2, subpart (e),
- Company’s legitimate interest, and that of its counterparties, in the consummation of those economic transactions stated in paragraph 2, subpart (f);
- Processing Method
User Data shall be processed using electronic instruments structured in a way to ensure the utmost security and confidentiality. However, Data so gathered may also be processed manually and without the use of electronic supports. The Data obtained shall be subject to processing in full compliance with all statutory requirements, as well as in accordance with the principles of lawfulness, ethics, transparency, tailoring, privacy protection, and User rights.
- Scope of Data Disclosure
For the Contractual Purposes abovementioned, the Data may be transferred to the following third parties who perform operations functional to those of the Service, located within the European Union: (a) Company associates, employees, and vendors within the scope of their job duties and/or any contractual duties undertaken relating to a sales relationship with Users; (b) third-party support and consultancy providers used by the Company for areas including but not limited to technology, bookkeeping, accounting, legal affairs, and insurance; (c) companies from within Company’s same corporate group; (d) banking institutions to manage deposits and payments arising from providing the Service, as independent data controllers; (e) subcontractors engaged in operations relating to Service delivery, as external data processors; (f) entities and authorities whose right to access the Data is expressly contemplated by statute, regulation, or orders by any authority with jurisdiction over the matter.
For Purposes Relating to Legitimate Interests, Data may be transferred to the following categories of recipients, all located within the European Union: (a) legal, accounting, and tax advisors assisting the Company in operations functional to the activities listed above, as independent data controllers; (b) subcontractors engaged in operations functional to the activities appearing above, as external data processors; (c) companies from Company’s same corporate group; (d) those with an interest in purchasing Company, and surviving entities following a merger, and any other surviving entity following any type of merger or reorganisation in which the Company is involved; (e) public entities and/or court authorities and/or supervisory boards or commissions, upon their request, as independent data controllers.
- Transfer of Data Outside the EU
User Data shall not be transferred outside the EU.
- Data Retention
However, with reference to User geolocalisation data, these shall be retained for a period specific to their Contractual Purpose:
- as to paragraph 2, subpart (a), for so long as the Service is being used, including to process any informational or support enquiries, subject to User’s right to disable such functionality by sending a request in the manner described in paragraph 9 hereof, or by disabling location services on the User’s own device. In such cases, the User will not be able to use such Service functions.
- as to paragraph 2, subpart (c), point (i), for the time needed to unlock the vehicle using the proper access credentials;
- as to paragraph 2, subpart (c), point (ii) until the vehicle is found by Zehus staff, its associates and/or by the authorities;
without prejudice to those instances where a longer retention period is required due to any pending dispute, request by an authority with jurisdiction over the matter, or as required by law.
Once the aforementioned deadlines have elapsed, User data may be erased, pseudonymised and/or aggregated.
- User Rights
Without prejudice to the User’s right to withhold Data altogether, User may at any time, and free of charge:
- obtain a confirmation on whether their Data are being held;
- know the Data’s source, the processing purposes and methods, as well as the logic applied to any processing performed using electronic instruments;
- requests updates, corrections, or – should the User so desire – supplement their own Data;
- secure the erasure, pseudonymisation, or blocking of any unlawfully processed Data;
- request Company limit processing in any of the following situations:
- User disputes the Data’s accuracy, for the period the Company needs to verify Data accuracy;
- processing is unlawful, but User objects to Data erasure and instead wishes their use to be limited;
- although Company no longer needs the Data for processing, User needs the Data to assess, assert, or defend a right in a court of law;
- User objects to processing pursuant to Article 21, paragraph 1 of the Privacy Regulation until a determination may be made on whether the Company’s legitimate interests trump User’s own;
- object to Data processing for Purposes Relating to Legitimate Interests at any time, unless the Company’s legitimate reasons outweigh User’s own, or where there is a need to assert or defend a right in any court proceeding;
- request their Data be erased without undue delay;
- secure Data Portability on their Data;
- lodge a complaint with the authorities with jurisdiction over the matter (and more specifically within the European Union member state in which their domicile is located, or in which the alleged violation occurred).
- Contact Us
Should User have any concerns, suggestions, or complaints regarding Data Controller’s Data collection or processing methods, or should User wish to exercise one of the rights enumerated in paragraph 8 herein, they may contact Data Controller directly via email at email@example.com.
- Changes and Updates
The present Policy shall be in effect as of the date noted in the heading. Company may make changes and/or amendments to such policy, including to maintain compliance with any amendments to the Privacy Regulation. Users shall be alerted in advance of any change to the Policy; moreover, the updated text shall always be available at http://www.zehus.it/bitride-mybike-app-privacy-policy/