LEGAL AREA

(Articles 13 and 14 of EU Regulation No. 2016/679)

Dear user, we inform you that Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ‘on the protection of natural persons with regard to the processing of personal data and on the free movement of such data’ (hereinafter EU Regulation 2016/679), entered into force on 25 May 2016 and became operational from 25 May 2018.
It is for this reason that APPTAXI SCRL provides you with this information pursuant to Art. 13 and 14 of the aforementioned Regulation and informs you that the processing of your personal data will be based on principles of correctness, lawfulness and transparency, protection of confidentiality and your rights.

1. Data Controller

The Data Controller is APPTAXI SCRL with registered office at Via Gallarate 249, 20151 Milan (MI)
Contact details: e-mail support@apptaxi.it

2. Data Protection Officer (DPO)

Contact details: e-mail dpo@apptaxi.it

3. Nature of personal data

The personal data that will be processed by APPTAXI SCRL, following the request for execution of the passenger transport service received through the application, relate to personal data (name and surname), contact data (telephone number and email address), location data (geolocation) and accounting data (in case of enabling in-app payments).

4. Purpose of data processing

Your personal data will be processed by APPTAXI SCRL for the following purposes:
a) execution of the passenger transport service;
b) accounting management related to the service provided;
c) management of in-app payments;
d) management of loyalty cards associated by you;
e) sending informational/advertising material for marketing purposes only with your specific consent

5. Methods of data processing

Your data is processed in the manner prescribed by law and in compliance with professional and official secrecy. The data is stored in such a way as to ensure its confidentiality, prevent its destruction or use by unauthorized third parties and in full compliance with the security measures provided for by current legislation.
The data is organized in “databases” whose processing is carried out, through computer and telematic supports, only by authorized personnel.

6. Provision of data

The provision of personal data necessary for the provision of the requested service relates to your personal data (name, surname), data relating to your geographical position, and contact data (telephone number) in order to complete your registration, by entering the code you will receive by SMS, and thus use the transport service offered by APPTAXI SCRL
The indication of year of birth and gender is optional.
If you want to take advantage of the additional functions guaranteed by APPTAXI SCRL, such as the activation of in-app payments and the association of your loyalty card, it will be necessary to provide additional personal data.
The activation of the in-app payment service requires, in addition to the aforementioned personal data, your email address, whose validation will be necessary to use the in-app payment function
The entry of your credit card data takes place through an iframe system, through which your financial data is entered directly onto the servers of the financial intermediary N, and as an additional security measure, tokenization is provided in communications between the institution and APPTAXI SCRL
The “loyalty card” section within APPTAXI SCRL will allow you to use your loyalty cards, associating the personal data provided when creating your profile with the loyalty card number.
APPTAXI SCRL will communicate to the companies issuing the loyalty cards (e.g., MilleMiglia, Italo train) only your personal data and the loyalty card number so that they can become aware of the amount spent in using the services offered by APPTAXI SCRL
You will, however, be asked to express your consent to the processing of data with respect to the marketing purposes indicated in this information.

7. Data retention periods

The personal data provided by you and collected by the undersigned will be stored by the latter for the time strictly necessary for the purposes for which they are collected and based on the criteria defined internally by APPTAXI SCRL. The duration of these terms is indicated in an internal document that can be made available to you following your specific request.

8. Categories of subjects to whom the data may be communicated

The communication of the acquired information is carried out by APPTAXI SCRL in order to guarantee you a better user experience
The collected personal data may be communicated to the following categories of subjects:

• affiliated companies that provide passenger transport services (taxi)
• messaging and email sending services (Skebby, SendGrid), used by us to complete user registration and authenticate the email address to activate in-app payments. Both services receive from APPTAXI SCRL only a numerical code not associated with the user and have no possibility of saving data related to the user;
• banks and credit institutions for the management of in-app payments;
• consultants and professionals (accounting, tax, fiscal areas) for the management of your personal data related to the provision of the requested service;
• companies providing IT services;

Internal and/or external subjects to the structure (employees and consultants) may also access your personal data as authorized subjects and/or data processors in order to fulfill the tasks and duties assigned to them according to the previously expressed purposes.
At any time, you can contact the undersigned to obtain updated information on the scope of communication of your data.
Your data is not intended for dissemination.

9. Data transfer to non-EU countries.

APPTAXI SCRL may transfer your personal data consisting of personal information (name, surname) and contact details (phone number and email address) to the United States of America, in case you want to use the in-app payment service.
APPTAXI SCRL uses SendGrid (email sending service) to send you an email containing a four-digit authentication code necessary to validate your email address and enable in-app payments.
This transfer is possible based on an adequacy decision taken by the European Commission, EU – USA Privacy Shield (Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-USA Privacy Shield).
SendGrid has no function of storing your personal data; the only data that is stored for thirty days relates to the request for sending emails by APPTAXI SCRL, the actual sending by SendGrid, and the reading by the recipient.

10. Consent withdrawal

In any case, you have the right to withdraw your consent to the processing of your personal data at any time, according to the provisions of art. 7, paragraph 3 of Reg. EU 2016/679, without compromising the legality of such processing carried out on the basis of that consent until the moment of withdrawal.

11. Complaint to competent authority

If you find a violation of your rights under Reg. EU 2016/679, you have the right to file a complaint through the supervisory authority of your country of residence or to the Italian data protection authority (www.garanteprivacy.it).

12. Rights of the data subject

The rights that you can exercise by addressing your request to the contacts of the Data Controller and/or the DPO are as follows (for a better understanding, please refer to the articles of the EU Reg. indicated below):
a) Right of access by the data subject (art. 15 Reg. EU 2016/67)
The data subject has the right to obtain information on the data processed by the Controller, on certain aspects of the processing and to receive a copy of the Data processed;
b) Right to rectification (art. 16 Reg. EU 2016/67)
The data subject has the right to verify the accuracy of their data and request its update or correction.
c) Right to erasure [‘right to be forgotten’] (art. 17 Reg. EU 2016/67)
Under certain conditions, the data subject can request the deletion of their data by the Controller;
d) Right to restriction of processing (art. 18 Reg. EU 2016/67)
Under certain conditions, the data subject can request the limitation of the processing of their data, in which case the Controller will not process the data for any purpose other than their storage;
e) Right to data portability (Art. 20 EU Reg. 2016/67)
The data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format and, where technically feasible, to have it transferred without hindrance to another controller. This provision is applicable when the data is processed by automated means and the processing is based on the data subject’s consent, on a contract to which the data subject is a party, or on contractual measures connected to it.
f) Right to object (Art. 21 EU Reg. 2016/67)
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them.
g) Right not to be subject to automated decision-making, including profiling (Art. 22 EU Reg. 2016/67)
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.