PRIVACY POLICY STATEMENT

Your use YESNOLOGY’s back-end within the context of a working activity you perform for a. Client of ours, who subscribed to our platform the Client shall be the Controller for the processing of your personal data and information within the platform. We are amongst the data processors. We can decide directly only on technical elements, such as the IT- related administration of the platform, the management of registration/authentication concerning the login, debugging and security. The guidelines and the policy herein namely concern the activities which can be traced back to our choices directly.

• Company: BBUP SRL, Tax Code: 02934190345
• Privacy-related contact information: info@yesnology.com, Phone numbers: +39 0521 348041, Registered office: Via Aleotti, 1- 43124 Parma, Italy
• Email address to contact the DPO: dpo@yesnology.com

The kinds of personal data and information we process, in our role as data controllers within the platform are the following:

1. Data implied in the connection with YESNOLOGY: you must know that the viewing and browsing the website involve, due to internal reasons connected with the usage of IT protocols, an exchange of technical information between our IT system and yours. The information we may learn about may be, for example, the following: the IP address, the operating system used, the browser used and the version thereof, the time of the request, the size of the information flows, the resource(s) requested, the method used to submit the request to the server, the size of the file received as a response, the numerical code indicating the status of the response provided by the server (success, error, and the like.). Providing such data is necessary as it is implied within IT protocols; should that not happen, connecting to the servers or correctly viewing the website may prove impossible.
2. Data which are relevant for the kinds of activities connected with alerts or maintenance: those are the kinds of actions generated by the activity carried out on the website, which we collect in the form of logs for maintenance-related solutions and to resolve technical/security issues, as well as rights-related problems by detecting suspects activities. The information we acquire in this case are, for example, the IP address, user ID, operating system used, the browser used and its version, the time of the request, the pages visited, log type, code response, message, agent, size, source, API-related requests, authentications and failed authentication responses code. Such information are included within their semantic content only after alert-related events. Providing such information is automatic as the users browse the website; should such a thing not happen, using the website may not be possible.
3. Registration/login information and other technical requests: such are registration/authentication data, email (usernames) and passwords, in their role as platform login information. The provision of such data and information is necessary as, should that not happen, it would not be possible to access YESNOLOGY’s back-end. In the case of authentications, only the login information whose processing is needed to access the reserved content of the website.

Technical requests: those are the requests you send us concerning the instance of processing we are data controllers for, e.g. in the field of management issues pertaining to your authentication or browsing information. Such requests contain a description of the issue you encountered. You need to provide us with such information, as we won’t be able to reply to you on the matter if you don’t do that.

Purpose no. 1: – Viewing/browsing the website: the purpose here is to allow the correct viewing and browsing of the pages of the website, which implies the processing of the i kind of personal information and data (please see above). At any rate, the personal information collected for such a purpose are not focused on identifying you, but may be suitable should a crime be committed, please see Purpose no. 4. The legal basis for that is Article 6.1.b) of the GDPR concerning the viewing of the website and the browsing thereof, as such an activity is generated by the users as they request a direct link from their IT systems to our servers. Data storage: the personal data and information collected to visualise/browse the website shall not be stored for such a purpose after the browsing session has been closed; however, such data shall then be used in the form of logs for maintenance/update and security reasons, as you can see below, up to 30 days.

Purpose no. 2: – Maintenance/updates and security: the purpose here is to solve the technical malfunctioning issues (such as, for example, an attack on our system if you are browsing it from an infected PC), something that implies the processing of type ii data (please see above). The legal basis for that is Article 6.1.f) of the GDPR, that is to say legitimate interest. Data storage: the personal data and information processed to resolve technical issues shall be stored for 30 days and, should an intervention to correct anomalies or problems be needed, said information and data shall be used afterwards, for the time needed for such a solution, something that may not be foreseen a priori; such a time shall be nevertheless limited, except in case such information and data are needed to exercise or defend rights as well; on this, please see Purpose no. 4, below. For example, this may happen in case you have carried out or have taken part in a cyberattack on our website, and the like.

Purpose no. 3: – Registration/login and your technical requests on the platform: the purpose of the processing here is to react to your registration/authentication request for the YESNOLOGY environment, to your request for the recovering of your login information, as well as to everything connected with managing your technical requests.  The purpose detailed herein imply the treatment of type iii data (please see above). The legal basis for that is Article 6.1.b) of the GDPR, i.e., the contract basis, considering both the requests activated following your initiative, or, according to specific interpretations of the norms, as well as Article. 6.1.a) of the GDPR, on consent (which can be revoked at all times). Your login or the recovery of your login information may involve security activities (for example, sending recovery links); in such cases, the legal basis includes Article. 6.1.f) of the GDPR as well (legitimate interests). Data storage: your registration shall be stored until our Client erases your account from the platform or our contract with said Client is terminated, without prejudice to any and all longer technical time slots for such an erasure. The data you provide during the authentication phase shall be stored for 30 days in the form of logs. The data concerning your technical requests shall be used for the time needed to reply to them and shall be erased once such purpose has ended. The data may be stored for a larger amount of time, should Purpose no. 4 be applied (please see below). If you have selected duration-related options (e.g., the “remember me” box during the authentication phase or the box to receive your personal data and information automatically should the service be terminated), the selected option shall be held until it is deselected.

Purpose no. 4: – Exercising and protecting rights, also during the extrajudicial phase. According to specific cases, the processing may concern all the categories of personal information and data, including any and all preparatory and preloading verification activities, such as the setup of all acquisition tools following specific events (suspicious activity). For example, in case of objections on the availability and accessibility of services, identity theft or abuse when login information is concerned, in the case of DDoS attacks on the platform, and the like. In such cases, the connection IP addresses, the data on the device and on the software used for such a connection (considering their availability), as well as the IT related requests carried out. The categories of personal data used for such a purpose are defined above as part of the iii e iv kinds. Any and all objections by you shall be assessed based on the GDPR. The legal basis for that is Article 6.1.f) of the GDPR (legitimate interest). Data storage: the data storage period shall be, at the maximum, set up on the basis of the duration of the legislative provision, except longer periods due to the suspension/interruption of said provision in all allowed cases. The data storage for such a purpose shall be enabled in any case, but shall not be limited any and all pre-litigation situations (e.g., sending a cease-and-desist, fumus of illicit activities, and the like).

We hold your privacy in the highest regard: we shall not use profilation cookies, including third-party analytics, but we use only first-party (i.e., our) technical cookies, which require no consent, pursuant to Article 122 of the Italian Legislative Decree no. 196/03 (legal basis) and shall be used that only to ensure the correct functioning of the portal. Data storage: the cookies shall have their duration limited to that of the browsing session or, at any rate, up to 60 minutes, and shall be deleted following your logout. The deletion, or the objection to the installation, of such cookies (also through browser functionalities) shall cause issues in the functioning of the platform. You can find the directions to disable cookies in the case of different browsers below:

Edge: you can find the relevant information here

Chrome: you can find the relevant information here

Opera: you can find the relevant information here

Safari MAC: you can find the relevant information here

Safari iPhone, iPad, or iPod touch: you can find the relevant information here

Firefox: you can find the relevant information here

Android: you can find the relevant information here

Internet Explorer: you can find the relevant information here

Internet Explorer [versione mobile]: you can find the relevant information here

your personal data and information may become known to our staff and to our contractors which are expressly authorised to the processing. We also make use of a company providing European hosting/cloud services, therefore your personal data and information are archived on the relevant EU servers thereof, as well as of other companies which carry out technical activities as data controllers. Furthermore, due to specific reasons, your personal data and information may become known to external contractors (e.g., external maintenance technicians, professionals supporting us in case of relevant IT-related events, or lawyers in case of disputes, each of the aforementioned within the limits of the activities they can perform). Finally, due to reasons provided for within the legislation, the personal data and information may be made known to public subjects.

In order to ensure a more significant level of security, we shall store Your personal and information within EU based data centres.  At any rate, and in order to comply with a higher degree of caution, we reserve the right to adopt further measures, whenever we think the reason reasonable risk that the extraterritorial regulations of third countries may be applied in order to acquire personal data and information, even whenever said personal data and information are physically present only within EU based data centres.

Fear not, we shall carry out no automatic decision-making processes on your personal information and data, as detailed within Article 22 of the GDPR.

On this, please see the details for the various kinds of personal information and data above.

You shall have the following rights:

• the right to access your personal information and data (pursuant to Article 15 of the GDPR), as well as to know about the existence, categories of data, storage time, purposes of the processing, legal bases, data subjects, any and all completely automated processes, as well as the rights that can be exercised concerning such information;
• the right to rectify (pursuant to Article 16 of the GDPR) your objective personal information and data, should any and all mistakes be present or to integrate them in case they are incomplete;
• the right to erase your personal information and data (pursuant to Article 17 of the GDPR) should they no longer be necessary, or in case they lack a legal basis for their processing, or whenever you succeed in objecting to their processing, if the processing of such information and data is unlawful or if such information and data must be erased in order to comply with the legislation in force;
• the right to restrict the processing of your personal information and data (pursuant to Article 18 of the GDPR); in other words, you can obtain that your personal information and data are specifically earmarked for the time needed in order to verify their correctness in case of disputes, or to verify the suitability of any and all oppositions on your part and, at any rate, in case you request a limitation in case of illicit treatment or if you need such information and data in order to exercise a right;
• you can request the portability of your personal information and data (pursuant to Article 20 of the GDPR) processed with automated means, based on consent or contract (therefore, such a right shall be excluded whenever Article 6.1.f of the GDPR is the legal base). In such cases, You will receive the data in a structured format and/or, following a request on your part, shall be transmitted to another that the controller, should that be technically feasible, in compliance with the GDPR.
• you can object (pursuant to Article 21 of the GDPR) to the processing of your personal information and data at any time, providing reasons for that, except in the cases when binding reasons are a part of any given data controller’s legitimate interest.
• you can revoke any and all consents you have provided (pursuant to Article 7 of the GDPR). Such a revocation shall not hinder the lawfulness of the previous processing operations.
• you can file a claim before the competent vigilance Authority (pursuant to Article 77 of the GDPR and to Articles 140-bis and following of the Italian Legislative decree no. 196/03): namely the one of the city you habitually reside or work in, or the competent Authority where the alleged breach has occurred. For Italy, such a competence falls on the Italian Data Protection Authority (www.garanteprivacy.it). For events which occur abroad, please see: https://edpb.europa.eu/about-edpb/board/members_it