Kampaay Privacy Policy

ex art. 13 EU Regulation 2016/679 (“GDPR”)
Dear User, pursuant to art. 13 of Regulation (EU) 2016/679 (hereinafter, “GDPR”), Kampaay S.r.l., as the data controller (hereinafter, “Kampaay” or the “Data Controller”), hereby wishes to inform you about the use of your personal data. This privacy policy refers to all those who access and interact with the website www.kampaay.com (hereinafter, the “Website” or the “Site”).

a) Definitions and legal references

Personal Data (or Data)
Personal data is any information that, directly or indirectly, even in conjunction with any other information, including a personal identification number, makes a natural person identified or identifiable.
Usage Data
This is the information collected automatically through Kampaay (including by third party applications integrated in Kampaay), including: IP addresses or domain names of the computers used by the User who connects with Kampaay, URI (Uniform Resource Identifier) notation addresses, the time of the request, the method used to forward the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server response (successful, error, etc.), the country of origin, the characteristics of the browser and operating system used by the visitor, the various temporal connotations of the visit (e.g., the length of time spent on each page) and the details of the itinerary followed within the Application, with particular reference to the sequence of pages consulted, the parameters relating to the operating system and the User's IT environment.
User
The individual who uses Kampaay which, unless otherwise specified, coincides with the Data Subject.
Customer
The legal entity that establishes a business relationship with Kampaay to take advantage of the Services offered by the latter.
Data Subject
The natural person to whom the Personal Data refer.
Processor (or Manager)
The natural person, legal entity, public administration and any other entity that processes personal data on behalf of the Data Controller, as set out in this privacy policy.
Data Controller (or Owner)
The natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data and the instruments adopted, including the security measures relating to the operation and use of Kampaay.
Kampaay (or this Application)
The hardware or software tool by which Users’ Personal Data are collected and processed.
Service
The Service provided by Kampaay as defined in the relevant terms (if any) on this site/application.
European Union (or EU)
Unless otherwise specified, any reference to the European Union in this document shall be deemed to extend to all current member states of the European Union and the European Economic Area.
Cookie
Cookies are tracking tools that consist of small portions of data stored within the User's browser.
City
Provides access to the city indicated in the user’s profile.
Legal references
Unless otherwise stated, this privacy policy applies exclusively to Kampaay.

b) Data Controller

The Data Controller of the personal data collected through the Site is Kampaay S.r.l., with registered office at Viale Cassala, no. 30, 20143 Milan (MI), VAT no. 11046500960, e-mail address: amministrazione@kampaay.com

c) DPO Contact details

Pursuant to article 37 of the GDPR, Kampaay has appointed a Data Protection Officer (also known as “Data Protection Officer” or “DPO”), who can be contacted for specific privacy-related queries at the dedicated e-mail address: dpo@kampaay.com

d) Types of Data Collected

The following data will be processed:
  • data provided through the interactive sections of the Site (e.g., “Start Here”, “Sign In”, “Contact Us” sections). When you access these sections, you will be asked to provide certain personal data (e.g., your first name, last name, e-mail address, etc.) for the sole purpose of providing the service requested through each specific section of the Site. Details of the data processed in each section will be specified below.
  • data provided voluntarily by the user to the Data Controller's contact details: the optional, explicit and voluntary sending of e-mails to the e-mail addresses indicated on the Site entails the acquisition and processing by the Data Controller of such data and any other information contained in such communications. Such information will be processed solely for the purpose of processing the aforementioned requests, in accordance with article 6.1 (b) of the GDPR (“performance of a contract to which the data subject is party or performance of pre-contractual measures taken at the data subject's request”);
  • browsing data: during their normal operation, the computer systems and software procedures used to operate the Site acquire certain personal data, the transmission of which is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified subjects, but by its very nature could allow users to be identified. This category of data includes the IP addresses or domain names of the devices used by users who connect to the Site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (“successful”, “error”) and other parameters relating to the user's operating system and computer environment. Through the aforesaid processing, the Data Controller, in accordance with article 6.1, letter f) of the GDPR, pursues its own legitimate interest, consisting in obtaining anonymous statistical information on the use of the Site and in checking its correct functioning, as well as ensuring its security. The data may also be processed for the purpose of ascertaining liability in the event of crimes committed against the Site. Such data are deleted immediately after processing;
  • data collected through cookies: cookies collect information, including data that could potentially allow the identification of a data subject. For details on the processing of data via cookies, please see the relevant policy.
Full details on each type of Personal Data collected are provided in point g) below of this privacy policy or by means of specific information texts displayed prior to the collection of the Data.

e) Optional and/or compulsory provision of data

Unless otherwise specified, all Data requested by Kampaay are mandatory. If the User refuses to provide them, it may not be possible for Kampaay to provide the Service. Where Kampaay indicates certain Data as optional, Users are free to refrain from providing such Data, without this having any consequence on the availability of the Service or its operation. Users in doubt about which Data are mandatory are encouraged to contact the Data Controller.

f) Method and place of processing of collected Data

Processing methods
The Data Controller takes appropriate security measures to prevent unauthorised access, disclosure, modification or destruction of Personal Data.
The processing is carried out using computer and/or telematic tools, with organisational methods and logics strictly related to the purposes indicated. Kampaay collects and processes the aforementioned data in compliance with the provisions in force, in order to safeguard their confidentiality, integrity, completeness, availability and to reduce to a minimum the risks of cancellation, destruction, loss, alteration, even accidental, unauthorized access, processing that is not allowed or does not comply with the purposes of collection, illicit or incorrect use, unlawful disclosure. In the processing operations, compliance is guaranteed with the general principles pursuant to Article 5 of the GDPR, such as the principles of lawfulness, fairness and transparency, minimisation, accuracy and conservation. Kampaay informs you that the processing of your Personal Data will not involve any automated decision-making processes, ex art. 15, co. 2, lett. f) and 22 GDPR.
Under no circumstances may the Data Controller be held liable for any untruthful or inaccurate information sent by the User, nor for any information concerning the User that may be provided by third parties, including fraudulently, nor may the Data Controller be held liable for any consequences that may arise from the same. The Data Controller shall not be held liable for any damage of any nature whatsoever arising directly or indirectly from accessing and/or browsing the Site.

g) Purposes of Data collected and their legal basis

Personal Data are collected for the following purposes, according to the legal basis indicated from time to time:
  • Contacting Users who send requests via the “start here” contact form
    If the User fills in the contact form, accessible from the “Start from here” section of the Site, with its Data, Kampaay will process the aforementioned Data solely to respond to requests for information, quotations, or any other nature indicated by the header of the form. Personal Data processed: first name, last name, e-mail address, telephone number, company name.
    Legal basis: execution of pre-contractual measures upon request of the data subject (art. 6, co. 1, lett. b) GDPR).
  • Site registration and authentication
    By registering or authenticating, the User allows Kampaay to identify the User and give the User access to dedicated services. Personal Data are collected and stored for registration or identification purposes only. Personal Data processed: surname; e-mail; first name; telephone number; company name.
    Legal basis: fulfillment of contractual obligations (art. 6, co. 1, lett. b) GDPR).
  • Management of commercial and contractual relations
    The Personal Data provided by the Client following the establishment of a contractual relationship with Kampaay will be processed exclusively for the purpose of carrying out the obligations arising therefrom, contacting the Client, as well as, where applicable, to fulfill the relevant legal obligations.
    Unless otherwise specified, Kampaay processes all payments by credit card, bank transfer or other means through external payment service providers. In general, and unless otherwise specified, Users are requested to provide payment details and personal information directly to such payment service providers. Kampaay is not involved in the collection and processing of such information: instead, it will only receive a notification from the payment service provider in question that the payment has been made. Personal data processed: name, surname and contact details of the customer's contact person(s); name, surname of the customer's employees and collaborators; bank details.
    Legal basis: fulfillment of contractual obligations and execution of pre-contractual measures (art. 6, co. 1, lett. b) GDPR); fulfillment of legal obligations to which the Data Controller is subject (art. 6, co. 1, lett. c) GDPR).
  • Live chat
    This type of service allows you to interact with live chat platforms operated by third parties, directly from the pages of the Site, in order to be able to contact and be contacted by the Kampaay support service. If a service for interacting with live chat platforms is installed, it is possible that, even if Users do not use the service, it will collect Usage Data relating to the pages where it is installed. Personal data processed: any personal data contained in the text of the message(s) forwarded by the User.
    Legal basis of the processing: execution of pre-contractual measures (art. 6, co. 1, lett. b) GDPR).
  • Newsletter
    Subject to the User's explicit consent, Kampaay will process the User's Personal Data in order to send periodic information and commercial offers, as well as advertising and promotional material on its services, with variable frequency. This consent is optional and revocable at any time using the link at the bottom of each email received or by contacting the Data Controller directly. Personal data processed: e-mail address.
    Legal basis: consent of the data subject (Art. 6, par. 1, lett. a) GDPR).
  • Profiling
    Subject to the User’s explicit consent, Kampaay, by means of Tracking Tools, may collect information from the User's Usage Data and preferences in order to communicate, optimize and serve personalized advertisements. This consent is optional and revocable at any time.
    The Data Controller specifies that the data processing carried out for this purpose does not concern Google Users' Data. The latter are processed exclusively to allow Kampaay to provide the services of Google applications including, but not limited to, the synchronization of Google Calendar.
    Personal data processed: Usage Data
    Legal basis: consent of the data subject (art. 6, co. 1, lett. a) GDPR).

h) Categories of people to whom the data may be communicated or who may become aware of them

The data processed for the above purposes will be accessible to Kampaay staff authorised to process them pursuant to article 29 GDPR. This data cannot be communicated, sold or transferred to third parties, except the sole notification in the cases provided for by law. In any case, the notification would be possible only to third parties appointed to perform certain services as part of the activity carried out by the Data Controller and/or, in general, in its favor (e.g., suppliers of IT services of various kinds, suppliers of services aimed at organizing the event) who will act as data processors, as well as the communication and/or dissemination of data requested, in accordance with the law, by police forces, judicial authorities, information and security bodies or other public entities for purposes of defence or state security or the prevention, detection or repression of crimes.

i) Transfer of personal data to non-EU countries

For certain types of services, the Data Controller may transfer personal data collected through the Site to countries outside the EU. In any case, any transfers of data outside the countries of the European Union are handled in accordance with the provisions of the GDPR, i.e.:
  • exclusively to countries in respect of which an adequacy decision has been adopted by the European Commission concerning the degree of protection for personal data guaranteed;
  • through the provision of Standard Contractual Clauses relating to the processing of personal data subject to transfer. Alternatively, subject to the agreement of the parties involved, one of the guarantee measures provided for by article 46 GDPR will be adopted, where the conditions for the application of an exemption mechanism, pursuant to article 49 GDPR, do not exist.

j) Data retention period

Personal Data are processed and kept for the time required by the purpose for which they were collected and may be kept for a longer period to fulfill a legal obligation or by order of an Authority. Therefore:
  • Personal Data collected for purposes related to the performance of an agreement between the Data Controller and the User will be retained until the performance of such agreement is completed and for 10 years thereafter, in accordance with applicable law;
  • Personal Data collected for purposes attributable to the legitimate interest of the Data Controller will be retained until such interest is satisfied; and
  • Personal Data processed on the basis of the User's consent may be processed until the purpose is fulfilled and, in any case, according to the retention period specifically identified by the Data Controller, as well as until any revocation of the consent given, without affecting in any way the processing carried out by the Data Controller prior to such revocation.
At the end of the retention period, Personal Data will be deleted. Therefore, at the end of this period, the right of access, cancellation, rectification and the right to Data portability can no longer be exercised.

k) User’s rights on the basis of the General Data Protection Regulation (GDPR)

Pursuant to articles 15-22 GDPR, Users may exercise certain rights with regard to the Data processed by the Data Controller.
In particular, within the limits provided for by current legislation, the User has the right to:
  • revoke consent at any time. The User may revoke the consent to the processing of its Personal Data previously expressed;
  • object to the processing of their Data. The User may object to the processing of their Data when it is done on a legal basis other than consent;
  • access to their Data. The User has the right to obtain information on the Data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the Data processed.
  • verify the correctness of the Data and request its rectification. The User may verify the correctness of its Data and request that it be updated or corrected.
  • obtain the limitation of the processing. The User may request the restriction of the processing of its Data. In this case, the Data Controller will not process the Data for any purpose other than its preservation.
  • obtain the deletion of their Personal Data. The User may request the deletion of its Data by the Data Controller.
  • receive their Data or have them transferred to another Data Controller. The User has the right to receive its Data in a structured, commonly used and machine-readable format and, where technically feasible, to have it transferred without hindrance to another data controller.
  • lodge a complaint. The User may lodge a complaint with the competent data protection supervisory authority or take legal action (the supervisory authority, for Italy, is the Garante per la Protezione dei Dati Personali). In order to exercise the aforementioned right, please follow the instructions provided on the Authority's institutional website: https://www.garanteprivacy.it/diritti/come-agire-per-tutelare-i-tuoi-dati-personali/reclamo

l) How to exercise rights

Any requests to exercise the User’s rights may be addressed to the Data Controller and/or its DPO, through the following channels:
  • sending an e-mail to the Data Controller's address: amministrazione@kampaay.com
  • sending a registered letter with acknowledgement of receipt addressed to: Kampaay S.r.l., viale Cassala, no. 30, 20143 Milan;
  • sending an e-mail to the address of the DPO of Kampaay: dpo@kampaay.com
The request is free of charge and the Data Controller will reply as soon as possible, providing the User with all the information required by law, in any case within one month. Any rectification, cancellation or restriction of processing will be communicated by the Data Controller to each of the recipients, if any, to whom the Personal Data have been transmitted, unless this proves impossible or involves a disproportionate effort. The Data Controller shall inform the User of such recipients if requested.

m) Further information on processing

Defence in court
The User's Personal Data may be used by the Data Controller in legal proceedings or in the preparatory stages to its possible establishment in order to defend against abuses in the use of Kampaay or related Services by the User. The User declares that it is aware that the Owner may be obliged to disclose the Data by order of public authorities.
Specific Information
At the User's request, in addition to the information contained in this privacy policy, Kampaay may provide the User with additional and contextual information regarding specific Services, or the collection and processing of Personal Data.
Changes to this privacy policy
The Data Controller reserves the right to make changes to this privacy policy at any time by notifying Users on this page and, if possible, on Kampaay as well as, when technically and legally feasible, by sending a notification to Users through one of the contact details it has. Please therefore consult this page frequently, referring to the date of last modification indicated at the bottom.
If the changes affect processing whose legal basis is consent, the Data Controller will collect the User's consent again, if necessary.