IMPORTANT: AS PREVIOUSLY REPORTED, THE SERVICE HAS BEEN INTERRUPTED

WHEREAS

Svector the social vector, (hereinafter also Svector), is a startup, a social delivery platform which places people in contact, on the one hand, who need to receive a good (Wisher), and on the other hand, individuals who are willing to transport the same and/or purchase and transport it (Traveler), on a non-professional and non-commercial basis, whose purpose is to further the promotion of interpersonal relationships.
The Data Controller has undertaken all reasonable measures to limit the processing of user data to the purposes listed in the present policy document. The fundamental principle underpinning Svector is trust, therefore, should a User become aware of any illicit processing of his or her personal data, S/he is requested to immediately inform the Data Controller.

WHEREAS

Svector the social vector, (hereinafter also Svector), is a startup, a social delivery platform which places people in contact, on the one hand, who need to receive a good (Wisher), and on the other hand, individuals who are willing to transport the same and/or purchase and transport it (Traveler), on a non-professional and non-commercial basis, whose purpose is to further the promotion of interpersonal relationships.
The Data Controller has undertaken all reasonable measures to limit the processing of user data to the purposes listed in the present policy document. The fundamental principle underpinning Svector is trust, therefore, should a User become aware of any illicit processing of his or her personal data, S/he is requested to immediately inform the Data Controller.

DATA CONTROLLER

The Data Controller is Silvia Marta Flavia Di Stefano.
Contact: piazza Giovanni Perego, 8 – 20154 Milan – svectorthesocialvector@gmail.com

ARTICLE 1.
TYPES OF COLLECTED DATA

IN SUMMARY
The categories of data collected by the Controller are: public, private, encrypted. For more information > ARTICLE 1. > EXTENDED SECTION

EXTENDED SECTION
The following data is processed by the Controller:

• public data: data visible to all Users registered on the Platform
• private data: data only visible to the concerned User, to the Controller and her collaborators
• encrypted data: data only visible to the concerned user or – in case of chat messages – visible to both interlocutors, and not to the Controller

PUBLIC DATA

• username
• photos of people and items
• feedback, timestamp of feedback submission
• sender and recipient of feedback
• geographic coordinates of the starting point and final destination of a planned journey/frequent route (no geolocalization), expected date and time of departure and arrival, size of the object that the traveller is willing to carry (S, M, L), means of transport, availability of the User to carry an item, goods to exchange
• wish: name of the item, description, size of the item (S, M, L), whether the purchase of the item is required in addition to its transportation, the offer in exchange for transportation, place of departure and place of arrival of the item, date of request and date of expiry
• date and time of profile update

PRIVATE DATA

• surname: only the first letter of the surname is visible to all Users who register on the Platform
• e-mail address
• operating system of each User’s device
• sender, recipient and sending time of chat messages
• user registration status (Verified/Draft)
• content of notifications received by Users (with the exclusion of chat messages), notification date and sending time
• successful matches and matching status (Confirmed/Rejected)
• universally Unique Identifier (UUID)

ENCRYPTED DATA

• password
• chat messages

ARTICLE 2.
SCOPE OF DATA PROCESSING

IN SUMMARY
User data is collected in order to:

1. allow the Data Controller to provide services
2. enable the sale of anonymous data for statistical purposes

The provision of data is optional. However, any refusal by the User to disclose the necessary data for the provision of the service will make the provision of the service impossible.
For more information > ARTICLE 2. > EXTENDED SECTION

EXTENDED SECTION
User data is collected in order to: 

1. allow the Data Controller to provide services

• contact the User
  Processed data: surname, name, email address of the Person Concerned and content of messages (e.g. respond to assistance requests).
  Service used: GSUITE
  Service used: MAILCHIMP
  

• contact management and sending messages
  Processed data: name, surname, email address of the Person Concerned and other non-personal and non-sensitive data (e.g. travel itinerary, wish name). The service can be used for instance to inform the Person Concerned of the possibility to provide feedback to other Users or to inform the User about any amendments to the Terms and Conditions of the Agreement or to the Privacy Policy.
  Service used: MAILGUN
  Service used: MAILCHIMP
  

• saving and backup management
  Processed data: all collected data
  Service used: Amazon S3

• database management
  Processed data: all collected data
  Service used: MySql workbench

• hosting and backend infrastructure
  Processed data: all collected data
  Service used: Amazon web services – Amazon EC2

• statistics
  Processed data: all anonymized data
  Service used: Google Analytics
  Service used: Facebook pixel

• promotion actions
  Processed data: all anonymized data. 
  Service used: Instagram
  Service used: Facebook 
  Read Facebook and Instagram Terms of use and privacy policy to have more details about the info they collect.

• social functions
  Using the button “Share App” Users can share the App download link on a number of social networks.
  Processed data: data collected by social networks varies according to user privacy rules applicable to each social network
  Service used: Cordova-plugin-x-socialsharing

• device unique identifier
  Svector can trace Users by saving a Universally Unique Identifier (UUID) for statistical purposes or to store User preferences. Such Identifier is generated through the installation of the App, and it is not deleted when the App is closed or updated. However, it is erased if the User uninstalls the App from his/her device. If the App is re-installed, a new UUID is created.
  Processed data: UUID
  Service used: Cordova plugin internally installed in the App(https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-device/)

• push notifications
  This App is enabled to send push notifications to the User.
  Processed data: UUID, public data
  Service used: Onesignal

2. enable the sale of anonymous data for statistical
The Data Controller reserves the possibility to sell to third parties anonymous data in compliance with current privacy legislation. Data can be sold to companies and institutions for statistical purposes and anonymously, and under no circumstance such data can be connected to individual Persons Concerned.
The Data Controller reserves the right to sell the Svector Platform, together with all collected data, after informing Users through the publication of a notice through the Platform or via email. Such communication would allow each Person Concerned to make an informed decision on whether to express his/her consent to the processing of data collected through Svector following the communication of the sale.

LEGAL GROUNDS FOR DATA PROCESSING
The provision of data is optional. However, any refusal by the User to disclose the necessary data for the provision of the service will make the provision of the service impossible.
The present Privacy Policy refers to law decree “Codice in materia di protezione dei dati personali”, 30 June 2003, n. 196 and EU Regulation 2016/679, adopted by the European Parliament and Council on 27 April 2016.

ARTICLE 3.
DATA PROCESSING METHOD

The Data Controller undertakes to process Users’ personal data through the adoption of all necessary security measures aimed at preventing the access, disclosure, modification or unauthorized destruction of personal data.
Data processing is handled through IT and/or telematic tools, with organizational structures and purposes that are strictly related to the indicated goals. Besides the Controller, under certain circumstances, other categories involved in the management of the Platform may have access to the data (administrative, commercial, marketing, legal personnel and system administrators) or external subjects (including third party service providers, couriers, hosting providers, IT companies, communication agencies).

Place
Data is processed at the venues where the providers which are involved in the provision and management of the service are located. (see Article 2)

ARTICLE 4.
LEGITIMATE INTERESTS PURSUED BY THE DATA CONTROLLER OR BY THIRD PARTIES (article 6, paragraph 1, letter f –  EU REGULATION 2016/679)

The User acknowledges receipt of an autonomous and adequate advantage and added value through the registration to Svector and the use of the service. In reason of the expenses and costs borne by the Controller for the creation, provision and maintenance of the services offered through Svector, the Controller reserves the possibility to sell anonymous data, in accordance with the rules set out in Article 2 paragraph B.

ARTICLE 5.
TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR AN INTERNATIONAL ORGANISATION

DATA CENTER LOCALIZATION
Users data is collected in a database and stored on an Amazon server with data center located in Ireland. It is possible that some other services listed in article 2. (Mailgun, Mailchimp, MySql Workbench, Google Analytics, Onesignal, Facebook, Instagram), use a data center located outside the European Union.
By accepting this privacy policy, the User agrees to have their data processed by third services (needed for the platform functioning) in data centers outside the European Union.
By accepting this privacy policy, the User is aware and agrees to have its data processed by Onesignal, a U.S. company located in California. Onesignal is a company that offers a service for sending and receiving push notifications. This company can use the received data for marketing and can sell some information to third parties. To learn about which information is collected by Onesignal, visit the website: https://onesignal.com/privacy_policy
It is specified that Svector, in order to offer the service, provides to Onesignal the universal user ID (UUID), but not data such as name and last name or email address. 

COUNTRIES WHERE THE APPLICATION IS DOWNLOADABLE
To date, the service is provided in EU Member States. Depending on the success of the startup, it is possible that this platform in the future would be downloadable also in a country outside the European Union. In this case the User would be informed through the publication of a notice through the Platform or via email. Such communication would allow each User to make an informed decision on whether to express his/her consent to the processing of data collected through Svector following the communication of the changes. Any change will become operational on the day of its publication on the Platform, with no prejudice to the right of individual Users to withdraw from the present contract in case of non-acceptance of the changes.

ARTICLE 6.
TORAGE PERIOD OF COLLECTED DATA

Personal data will be stored for the duration necessary to the provision of the required service.
Anonymous data will be stored for an unlimited period of time.

ARTICLE 7.
USER RIGHTS

Users can request at any point in time which of their data is being processed, and for that data to be rectified or erased, by sending an email to svectorthesocialvector@gmail.com. The processing of data for which a User has provided his/her consent remains legitimate until consent is revoked by the User.
Users can refer to the Privacy Ombudsman, Italian control authority, for any complaint (https://protezionedatipersonali.it/autorita-di-controllo).

ARTICLE 8.
DEFENCE IN COURT

User personal data can be used by the Data Controller in Court or in view of upcoming court proceedings concerning the use of the Svector App or connected services involving the Person Concerned.
The User hereby declares s/he is aware that the Controller might be required by Public Authorities to disclose data.

ARTICLE 9.
CHANGES TO THE PRESENT PRIVACY POLICY

The Controller reserves the right to amend the present privacy policy at any time, informing Users through the Platform or via email. The use of Svector following the communication of changes to the present policy implies the acceptance of all changes.
In case of non-acceptance of the changes made to the present privacy policy, the Person Concerned is required to cease the use of the service and s/he may request the Controller to erase his/her personal data. Unless otherwise specified, the present privacy policy will continue to be applicable to any personal data collected up to that point in time.

ARTICLE 10.
SECURITY MEASURES

Security measures implemented to prevent access to data by unauthorised third parties include:

1. the use of multi-factor authentication (MFA) on services provided by Amazon (server, backup…)
2. weekly backup on Amazon S3
3. encryption of passwords and messages exchanged between Users
4. protection of workstations used by the Controller and any collaborators with anti-malware and anti-virus software (F- Secure)

ARTICLE 11.
RIGHT TO DATA PORTABILITY

The User has a right to receive all data concerning his/her person which is in possession of the Controller in a format that is structured, commonly-used and readable on an automatic device and has the right to transfer such data to another Controller without obstruction from the Controller to whom it was initially provided.

ARTICLE 12.
INFORMATION NOT CONTAINED IN THE PRESENT POLICY

More information on the processing of personal data can be requested at any time to the Controller by referring to the contact details above.

ARTICLE 13.
DEFINITIONS AND LEGAL REFERENCES

• Personal data (or data): any information related to an individual, either identified or identifiable, also indirectly, by referring to any other information, including a personal identification number.
  
• User: an individual who uses the Application, who shall be the Person Concerned or operate under authorisation from the Person Concerned whose data is being processed.
  
• Person Concerned: an individual or legal person to whom the personal data refers.
  
• Data Controller (or Controller): the individual, legal person, public administration, or any other institution, association or body who is responsible, also in conjunction with another Controller, for all decisions on goals and means of personal data processing, as well as the tools employed for the treatment, including for security purposes, in relation to the functioning and use of the Svector Application. The Controller, unless otherwise specified, is the owner of the Application.
  
• Application (or App): the hardware or software through which User personal data is collected.

Click here for the original version of this document (Italian)