Mapo Tapo - Privacy policy

PRIVACY POLICY

related to the websitewww.mapotapo.com

Dear User,

surely you have heard of the new EU Regulation on data protection (2016/679, better known as GDPR).

In compliance with articles 13 and 14 of this legislation (also referred to the national one in force), below we provide you with the information necessary to understand how the data you provide through the use of the websitewww.mapotapo.comare processed by us.

We invite you to read the document as if you were the one asking the questions shown in the following paragraphs and we will provide you with the related answers: if you have any further doubts, do not hesitate to contact us, we are here for you.

You are the Data Subject to be protected, and we want to show you our transparency in doing so.

Let’s start?

1. Who is the Data Controller of data processed on www.mapotapo.com?

Pursuant to the art. 4, n. 7) 2016/679 EU Regulation, the Data Controller is Mapo Tapo S.r.l. – VAT and Fiscal Code: 11336700965 – with registered office in Milan (MI), via Borromei n. 2, and it could be contacted at the e-mail address legal@mapotapo.com or by phone at the number +39.392.28.63.637 (hereinafter “Mapo Tapo” and/or the “Data Controller”).

Pursuant to the present policy, Data Subject means every User that have acces, visit and interact with the websitewww.mapotapo.comand use our products and/or services.

2. What data are processed onwww.mapotapo.com?

On the websitewww.mapotapo.com, Mapo Tapo process Data Subject’s Data; in particular:

Ø  during website navigation:

·        IP adress, url, browser, metadata and cookie (pursuant to ourcookie policy);

Ø  eventually, filling our contact form present into the section “work with us” and “become a member” of our website:

·        name and e-mail address;

·        a free text space in which Data Subject could send us other data pursuant to our Terms and Conditions (T&Cs);

Ø  eventually, with a registration, creation of an account and check-out of the Data Subject filling the form  present into the section “backpack” of our website:

·        e-mail address;

·        billing data (name, surname, telephone number, tax domicile);

·        payment data (credit card number).

Through our website, we do not need to process particular data pursuant to and for the purposes of articles 9 and 10 of the 2016/679 EU Regulation: therefore, the User must not transmit these data. If, however, the User, by sending a specific request, reveals data relating to these categories or other than those listed in this paragraph, he authorizes Mapo Tapo to process them in accordance with this privacy policy and the legislation on data protection in force.

The data processed by Mapo Tapo and listed above will be jointly referred to and defined as "data".  

3.  For what purposes are data processed?

The processing of data provided by the Data Subject will be performed by Mapo Tapo for the following purposes:

a)  Contractual Purposes:

1.  allow the Data Subject to browse and use the websitewww.mapotapo.comand check-out products and services offered by Mapo Tapo;

2.  fulfill the pre-contractual, contractual and tax obligations related to any relationships established with the Data Subject;

3.  fulfill the obligations established by law, by a regulation, by national and international legislation or by an order of the Authority (such as for example in the matter of anti-money laundering);

4.  exercise the rights as Data Controller, such as, for example, the right to defense in court.

b) Legitimate interest Purpose:

1.  for carrying out activities functional to any securitizations, assignments of credit and issue of securities, disposals of companies and business units, acquisitions, mergers, demergers or other transformations of Mapo Tapo and for the execution of such operations;

2.  for carrying out checks aimed at preventing any fraud.

c) Marketing purposes:

1.  for the promotion of products and services offered by Mapo Tapo, also through the sending of advertising material, commercial communications, the execution of market research and direct sales activities, both through traditional communication tools, such as paper mail, that through remote communication tools, such as email, chat, newsletter, telephone, SMS, video call, automatic call, instant message, chatbot, intelligent interactive automated communication systems, banners, social networks, search engines, notification systems and others remote communication tools;

2.  for the Data Subject profiling by Mapo Tapo and or third parties in order to make the promotional activities indicated above better focused on the needs, habits and interests of the Data Subject and the performance of preparatory and/or functional activities for the correct execution of such promotional initiatives.

4. What are the legal basis to process the data?

The Data Controller can process the data provided by the Data Subject on the websitewww.mapotapo.com because, in compliance with the conditions of lawfulness referred to the art. 6 of 2016/679 EU Regulation:

·        needs to process them to pursue the Contractual Purposes referred to in art. 3, lett. a), nn. 1) and 2) of this privacy policy and, specifically, its legal basis is based on the use of the website and any contractual relationship established with the Data Subject: pursuant to the art. 6, lett. b) of the 2016/679 EU Regulation, processing is necessary as it is aimed at the use of the website and the possible execution of the contractual relationship between the Data Controller and the Data Subject, the supply of products and requested services and any information relating to them;

·        needs to process them to pursue the Contractual Purposes referred to in art. 3, lett. a), nn. 3) and 4) of this privacy policy and, specifically, its legal basis is based on compliance with a legal obligation: pursuant to art. 6, lett. c) of the 2016/679 EU Regulation, the processing is necessary to fulfill the legal obligations to which the data controller is subject.

The processing of data for Contractual Purposes is mandatory: if the Data Subject does not provide such data, the Data Controller does not guarantee the correct provision of the services offered and connected to the websitewww.mapotapo.com.

·        may need to process them for the Legitimate Interest purposes referred to in art. 3, lett. b), nn. 1) and 2), pursuing its legitimate interest or that of third parties: according to art. 6, lett. f) of the 2016/679 EU Regulation, the processing is necessary for the pursuit of the legitimate interest of the Data Controller or third parties, adequately balanced with the interests of the Data Subject in light of the limits imposed on such treatment and the specific circumstances in which the processing takes place illustrated in the same paragraph 3.

The processing of data for Legitimate Interest purposes is not mandatory and the Data Subject may object by contacting the Data Controller directly: if the Data Subject opposes said processing, his data cannot be used for Legitimate Interest purposes, except that the Data Controller demonstrates the presence of prevailing binding legitimate reasons or the exercise or defense of a right pursuant to article 21 of the 2016/679 EU Regulation.

·        does not need to process them for the Marketing Purposes referred to in art. 3, lett. c), nn. 1) and 2) and can only do so with the consent of the Data Subject.

The processing of data for Marketing Purposes is optional and, if the Data Subject refuses his consent, he will not receive any commercial communications, will not participate in market research and will not receive communications and services adapted to his profile. The lack of consent for Marketing Purposes does not in any way affect the contractual relationships established with the Data Controller and the provision of the services offered by them.

At any time, the Data Subject may revoke any consent given by contacting the data controller directly at the addresses indicated in paragraph 1 of this privacy policy.

5. How data are processed?

The processing of the data is carried out by Mapo Tapo with the operations indicated in art. 4 no. 2) of the 2016/679 EU Regulation and precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.

The data can be processed with manual or IT tools, suitable to guarantee its security, confidentiality and to avoid unauthorized access.

The data storage is carried out with cloud computing tools on servers located inside and/or outside the territory of the EU (US-based): for more information on the safety, compliance and compliance standards required by the GDPR adopted by the chosen external providers, consult the web pageshttps://webflow.com/legal/eu-privacy-policyehttps://www.foxy.io/privacy-policy. 

6. To whom are data communicated?

Data may be disclosed for Contractual Purposes to subjects that perform services connected and functional to the management of the relationship in place or to be entered into with the Data Subject and, in particular, to the following categories of subjects located within the European Union and, within the limits set out in paragraph 7 of this statement, outside the European Union:

·        service providers connected to the activities of the Data Controller;

·        assistance, tax and legal advice, including debt collection companies;

·        providers of IT or archiving services, such as, among others, the company that issues and manages the digital signature certificate in the event that the digital signature is used by the Data Subject to sign the contract.

Data may be disclosed for the purposes of Legitimate Interest to suppliers of assistance services, technical, tax and legal consultancy, assignees of receivables in the context of credit securitization or credit assignment operations for purposes strictly connected and instrumental to the management of the relationship with the transferred Data Subject, as well as the issue of securities, company assignees or business units, potential purchasers of the data controller and companies resulting from possible mergers, divisions or other transformations, also in the context of activities functional to these operations, and to competent authorities.

Finally, data may be communicated for Marketing Purposes to service providers such as external data processors and with the prior consent of the Data Subject, to the third parties referred to in paragraph 3, lett. c), no. 1).

The subjects indicated above may act, as appropriate, as external Data Processors or independent Data Controllers.

The updated list of companies to which the data of the Data Subject will be communicated may be requested at any time to the Data Controller, with a specific request to be sent using the contacts indicated in paragraph 1 of this privacy policy.

The data will not be subject to further disclosure with respect to what is indicated in this privacy policy. 

7. Will data be transferred abroad?

Data may be freely transferred outside the national territory to countries located in the European Union, but could also be transferred outside the European Union.

Any transfer of the data related to the Data Subject to countries located outside the European Union will take place, in any case, in compliance with the appropriate and appropriate guarantees for the purposes of the transfer itself in accordance with the applicable legislation and in particular with articles 45 and 46 of the 2016/679 EU Regulation (including the Data Subject consent).

The Data Subject will have the right to obtain from the data controller a copy of the data held abroad and to obtain information about the place where such data is stored by making an express request to be sent using the contacts indicated in paragraph 1 of this privacy policy.

8. What are the rights of the Data Subject?

The Data Subject, pursuant to the Articles from 15 to 22 of the 2016/679 EU Regulation, has the right to:

·        obtain confirmation from the Data Controller that a processing of Data concerning him is in progress;
·        obtain access to Data and information relating to the processing of Data concerning him;
·        obtain from the Data Controller the correction of inaccurate Data concerning him without undue delay;
·        obtain the integration of incomplete Data, also by providing an additional declaration;
·        obtain from the Data Controller the cancellation of the Data concerning him without undue delay;
·        obtain the limitation of processing from the Data Controller:

a.      for the period necessary to verify the accuracy of such Data by the Data Controller, when the Data Subject disputes its accuracy;
b.      when the processing is unlawful and the Data Subject opposes the deletion of the Data, requesting instead that its use be limited;
c.      when the Data are necessary for the Data Subject to ascertain, exercise or defend a right in court, although the Data Controller no longer needs it for processing purposes;
d.      when the Data Subject has opposed the processing pursuant to Article 21, paragraph 1 EU/2016/679 Regu-lation and for the whole period in which it remains pending verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the Data Subject;

·        receive in a structured format, commonly used and readable by an automatic device, the Data concerning him provided to the Data Controller;
·        transmit this Data to another Data controller without hindrance by the Data Controller to whom it has provided them;
·        obtain the direct transmission of Data from one Data Controller to another, if technically feasible;
·        object at any time, for reasons connected with your particular situation, to the processing of the Data that con-cern you pursuant to Article 6, paragraph 1, letters e) or f), including profiling;
·        not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects that concern him or which similarly significantly affects his person;
·        propose a complaint directly to the Guarantor Authority if there is a violation of the data protection legislation by the Data Controller.
Requests for the exercise of the above rights can be sent to the Data Controller by contacting the Data Controller (contact set in paragraph 1 of the present privacy policy).
The right of complaint, however, can be freely exercised by the Data Subject sending an act of claim to the Privacy Authority in the way deemed most appropriate:
·        letter A/R addressed to the "Guarantor for the protection of personal data, Piazza Venezia n. 11, 00187, Rome";
·        certified e-mail message to the address "protocollo@pec.gpdp.it”.   

9. Who are the external Data Processor?

The complete list of data processors is available by sending a written request to the Data Controller (contact set in paragraph 1 of the present privacy policy).

10. Data retention  

Data processed by Data Controller:

§  for the Contractual Purposes and Legitimate Interest Purposes set in paragraph  3, lett. b) n. 1), will be stored during:

-         the use of our website; and
-         the relationship between the Data Subject and the Data Controller for any product and/or service offered (renewal included) and for 10 years from the expiration date, termination or withdrawal of the same, except in cases where storage for a subsequent period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation;

§  for the Legitimate Interest Purposes referred to in paragraph 3, lett. b) n. 2), will be kept for the duration strictly necessary to ensure the reliability of the checks indicated therein;

§  for the Marketing Purposes referred to in paragraph 3, lett. c), n. 1) of this information, will be kept for a period equal to the duration of the Contract and/or the service offered (including any renewals) and for a maximum period equal to 24 months from the expression of the consent by the Data Subject;

§  for the Marketing Purposes referred to in paragraph 3, lett. c), n. 2) of this information, will be kept for a period equal to the duration of the Contract and/or the service offered (including any renewals) and for a maximum period equal to 12 months from the expression of the consent by the Data Subject.

11. Modification and Updates

This Privacy Policy is effective from the date indicated below.

The Data Controller may also make changes and/or additions to this privacy policy, also as a consequence of any subsequent amendments and supplements of applicable laws/regulations.

If substantial, the changes will be notified in advance and the Data Subject can find the text of it constantly updated on the websitewww.mapotapo.comor sending a specific to the Data Controller (contact set in paragraph 1 of the present privacy policy).

Last update

16.09.2020