Privacy Policy

Layered Privacy Policy of the Immedia Mobile Application

The Data Controller is Zadig srl Società Benefit. Due to the limited User Interfaces (UI) of handheld devices, this policy employs a layered approach to ensure transparency.

Consent for the Processing of Sensitive Data (Questionnaires)

In order to personalize your experience in Immedia and provide you with specific functionalities, the App collects your responses to profiling and daily questionnaires. These responses may contain sensitive data. The processing of this data is strictly limited to the provision of the requested services and is carried out with appropriate security measures. If you do not provide your explicit consent, profiling-based functionalities will not be active. You can withdraw your consent at any time within the App settings.

Layer 1: Essential Information (Short Notice)

This section summarizes the most important privacy points.

  • 1. Data Controller: The entity responsible for managing your personal data is Zadig srl Società Benefit, whose DPO is Dr. Pietro Dri (dri@zadig.it).
  • 2. Data Processed & Purposes: We collect data essential for app functionality (like Device ID for multi-device support) and registration data (Name, Email, Password with hashing). We also collect your questionnaire responses for specific profiling/functionality, the processing of which requires your Explicit Consent.
  • 3. Third Parties (Analytics): The App integrates third-party services (Firebase Google Analytics) for usage analysis. The data collected for analytics purposes is indicated at the following link: Google Analytics Support and is governed by standard contractual clauses.
  • 4. Protection and Security: Passwords are secured using one-way hashing (anonymized and undecipherable form). We implement data protection by design and by default.
  • 5. Your Rights: You always have the right to access, rectification, objection, and erasure, including the right to withdraw consent.
  • 6. Data Retention: Data is not stored longer than necessary. Data is collected on a DigitalOcean server located in Europe. The IP Address is not permanently saved. The maximum retention period for other categories of data, in particular usage data, is 14 months.

Layer 2: Data Categories and Purposes (Detailed Overview)

This section provides granular detail on the collected information, required for respecting the principle of purpose limitation.

A. Technical and Device Identifiers

Device Identifiers

  • Specific Data: DeviceID (User device identifier).
  • Purpose: Necessary to support the use of the App across multiple devices, ensuring service functionality.
  • Legal Basis: Necessity for the performance of a contract.

Network & Connection

  • Specific Data: IP Address.
  • Purpose: Necessary for connection operations. Not permanently saved.
  • Legal Basis: Necessity for the performance of a contract.

B. Data Collected Upon Registration and Account Management

User Identifiers

  • Specific Data: Name, Surname, User ID.
  • Purpose: Uniquely identifying the user in our database.
  • Legal Basis: Necessity for the performance of a contract.

Authentication & Security

  • Specific Data: Email, Password (saved via hashing).
  • Purpose: Email for address validation and password reset; Password for secure access.
  • Legal Basis: Necessity for the performance of a contract (security and service provision).

Contacts & Notifications

  • Specific Data: Email, Device language.
  • Purpose: Receiving essential email notifications; Sending localized push notifications.
  • Legal Basis: Necessity for the performance of a contract.

Account Metadata

  • Specific Data: Date of registration, Date of mail verification.
  • Purpose: Account management and tracking identity validation.
  • Legal Basis: Necessity for the performance of a contract.

C. Content and Profiling Data (Requires Explicit Consent)

Content/Behavioral Data

  • Specific Data: Responses to the profiling questionnaire; Responses to the daily questionnaires.
  • Purpose: Profiling the user and providing specific, personalized functionalities/services based on the responses.
  • Legal Basis: Explicit Consent (Mandatory if the data are classified as sensitive, Art. 9.2a GDPR).

D. Interaction and Usage Data

Interaction Data

  • Specific Data: Card reading; Read card identifier; Date and time of reading.
  • Purpose: Tracking user interactions with the specific "card" functionality.
  • Legal Basis: Necessity for the performance of a contract.

Usage/Log Data

  • Specific Data: Date of last App use.
  • Purpose: Monitoring activity and managing account inactivity.
  • Legal Basis: Legitimate Interest (operational management).

Layer 3: Adopted Measures and Data Subject Rights

3.1 Data Protection by Design and by Default

  • Minimisation and Hiding: We adhere to the "minimise" privacy design strategy. We process only the necessary data. Passwords are protected via hashing (encryption of data at rest). The IP Address is not saved permanently.
  • Default Settings: The App is configured by default to process only the personal data necessary for each specific purpose. If tracking or personalization is not necessary, the default setting ensures that respective data are not processed unless the user actively changes the configuration.

3.2 Consent Management and Transparency

Acceptance of the Privacy Policy, combined with a clear specification of the purposes, serves as a request for informed consent. In particular, explicit consent is required for sensitive data collected from questionnaires.

3.3 Data Subject Rights (Intervenability and Control)

The App architecture is designed to facilitate the exercise of your rights, ensuring Intervenability:

  • Right of Access and Rectification.
  • Right to Erasure (Right to be Forgotten): Personal data must be deleted as soon as possible. This right is facilitated upon deletion of the App.
  • Right to Data Portability.
  • Right to Control (Consent): you can withdraw your consent and are provided with mechanisms to control the processing of your personal data.

3.4 Contact Details

For questions regarding this Privacy Policy, to exercise your rights, or for any other communication concerning the protection of personal data, please contact the Data Controller.

Data Controller: Zadig srl Società Benefit via A.M. Ampère, 59 - 20131 Milano - email: immedia@zadig.it.

Developed by the IMMEDIATE Consortium to empower citizens in preventing chronic inflammation and promoting healthy living through research-based digital tools.