Dear "INTERESTED PARTY",
European and national regulations concerning privacy laws consider the protection of individuals regarding the processing of their personal data as a fundamental right, as well as the free circulation of such data.
Therefore, we inform you of the following.
"CONTROLLER"
The "RESTAURATEUR", Ragionesocialetest, email valentina.cortese@plateform.app, is the sole "CONTROLLER".
PLATEFORM SRL, email amministrazione@plateform.app, hereinafter "SERVICE PROVIDER", is the "DATA PROCESSOR" as it processes data in the interest and on behalf of the "RESTAURATEUR".
The "SERVICE PROVIDER" has developed and owns hardware and software that serve the functioning of a booking and marketing platform for catering.
The "SERVICE PROVIDER" is also the owner of the trademark regularly filed and registered "PLATEFORM"[1].
The term "PLATEFORM" hereinafter refers to the platform and the services it offers.
The "RESTAURATEUR" is the sole "CONTROLLER" since the "SERVICE PROVIDER" processes data only in the interest and on behalf of the "RESTAURATEUR".
The "RESTAURATEUR" is "DATA CONTROLLER" exclusively with reference to the data processing they carry out directly.
The "SERVICE PROVIDER" has no interest in personal data.
The "RESTAURATEUR" has an interest in personal data.
When the contractual relationship between "SERVICE PROVIDER" and "RESTAURATEUR" expires, the "SERVICE PROVIDER" only retains "ANONYMIZED" data that do not refer to a physical person (simple anonymous statistical data), while the "RESTAURATEUR" reserves the right to retain all data but must provide the "INTERESTED PARTY" with new information, showing that the "SERVICE PROVIDER" no longer holds any role.
The burden of providing new information lies solely on the "RESTAURATEUR". The "SERVICE PROVIDER" cannot know whether or not the new information was sent to the "INTERESTED PARTY" and therefore cannot be held liable for failure to send it.
PROFILING[2]
"PLATEFORM" does not provide any automated processing of personal data.
"DATA PROTECTION OFFICER"
In this case, the regulations do not provide for the obligation to appoint a data protection officer.
METHODS OF DATA COLLECTION
a) paper form, at the "RESTAURATEUR". The data are subsequently merged into "PLATEFORM";
b) Wifi access form, from "PLATEFORM";
c) online form, from the "RESTAURATEUR"'s website or from "PLATEFORM";
d) table reservation / delivery, from "PLATEFORM", directly or through a website link from the "RESTAURATEUR", on other platforms (e.g. Facebook), or via apps installed on the "INTERESTED PARTY's" devices.
e) other platforms: for example Reserve with Google, or integrated checkout management software
f) access to the WiFi service at the "RESTAURATEUR's" premises: when connecting, browsing and access data (e.g., IP address, device used) are also recorded, processed according to the regulations in force for network security purposes.
"PROCESSING"
In general
This concerns the data collected and their nature – source – purpose – legal basis – duration.
The deletion
Once the retention periods indicated have expired, the data will be deleted or anonymized, compatibly with the technical deletion and backup procedures.
a) freebies
The requested data are: first name, last name, email, and/or mobile phone.
The source is the "INTERESTED PARTY".
The purpose is to allow the "INTERESTED PARTY" to receive the gifts.
The legal basis is consent. Without providing consent, access to the service is not possible.
The processing duration is 12 months.
It is always possible to unsubscribe.
The processing includes "DIRECT MARKETING," with autonomous and explicit consent.
The legal basis is consent.
The processing duration is 12 months.
It is always possible to unsubscribe.
Without consent for both treatments, the gift cannot be received.
b) Registration to the "good lounge"
The requested data are: first name, last name, email, mobile phone, date of birth, domicile/residence.
The source is the "INTERESTED PARTY".
The purpose is to allow the "INTERESTED PARTY" to access and enjoy "situations" designed and created for selected customers.
The legal basis is consent. Without providing consent, access to the service is not possible.
The processing duration is 12 months.
It is always possible to unsubscribe.
Registration to the "good lounge" is by express invitation from the "RESTAURATEUR" and is in no case automatic.
The processing includes "DIRECT MARKETING," with autonomous and explicit consent.
The legal basis is consent.
The processing duration is 12 months.
It is always possible to unsubscribe.
Consent is required for both treatments to access the "good lounge."
c) Wifi Enrollment
The requested and processed data are: first name, last name, email, phone number, IP address, device, network access data.
The source is the "INTERESTED PARTY".
The purposes: WiFi network access → legal basis: consent; sending promotions via email/SMS → legal basis: consent; anonymous statistical analysis to improve the service → legal basis: legitimate interest.
The legal basis is consent. Without providing consent, access to the service is not possible.
The processing duration is 12 months. For data collected for marketing purposes: until consent is withdrawn.
It is always possible to unsubscribe.
The processing includes "NEWSLETTER SERVICE ENROLLMENT," with autonomous and explicit consent.
The legal basis is consent.
The processing duration: until consent is withdrawn.
It is always possible to unsubscribe.
Without consent for both treatments, the service cannot be accessed.
The newsletter service is technically managed by Plateform using the sub-controller SendGrid (Twilio Inc.), which processes data exclusively on behalf of the Controller. For more information: https://sendgrid.com/policies/privacy
d) Subscription to newsletters
The requested data are: first name, last name, email, mobile phone.
The source is the "INTERESTED PARTY".
The purpose is to allow the "INTERESTED PARTY" to receive communications of events and more via automated and traditional contact methods.
The legal basis is consent, apart from the case of so-called Soft-Spam[3], where treatment finds its legal basis in legitimate interest.
The processing duration is 24 months.
It is always possible to unsubscribe.
e) Booking and Take away
The requested data are: first name, last name, email, mobile phone, date and time of reservation, number of people. The "INTERESTED PARTY" can also voluntarily provide information on food preferences or needs (e.g., allergies, intolerances, choice between meat/fish).
The source is the "INTERESTED PARTY".
The purposes: reservation management and confirmation → legal basis: contract; sending reminders or post-visit requests (e.g., reviews) → legal basis: consent; sending promotions via email/SMS → legal basis: consent.
The legal basis is contractual.
The processing duration: reservation data: 24 months; marketing: until consent is withdrawn; food preferences in the form: information may be maintained in the system for the benefit of the user for future bookings, until deactivation. Such data are not used for profiling or marketing purposes of the user account or the platform unless a request for cancellation is made.
The processing includes "DIRECT MARKETING," with autonomous and explicit consent.
The legal basis is consent.
The processing duration is 12 months.
It is always possible to unsubscribe.
CONSENT is NOT necessary for both treatments to access the reservation service.
f) Delivery
The requested data are: first name, last name, email, mobile phone, delivery address.
The source is the "INTERESTED PARTY".
The purpose is to allow the "INTERESTED PARTY" to access the service.
The legal basis is contractual.
The processing duration is that of the relationship.
The processing includes "DIRECT MARKETING," with autonomous and explicit consent.
The legal basis is consent.
The processing duration is 12 months.
It is always possible to unsubscribe.
CONSENT is NOT necessary for both treatments to access the Delivery service.
The "INTERESTED PARTY" might indicate, requested or not, data belonging to "THIRD PARTIES." The "INTERESTED PARTY" assumes all responsibilities over such data, guaranteeing in particular to have acquired the data in full compliance with the applicable regulations and to have the consent to process them, providing broad indemnity, by way of example, to any contestation, claim, or request for damages.
g) Archiving
The "SERVICE PROVIDER" retains only consumption data and only in "ANONYMIZED" form. There is therefore no need to request consent, and it may retain such data indefinitely, as they are not personal data and the key to link such data with the "INTERESTED PARTY" can no longer be retrieved.
h) Defense of rights
The data collected are those used for processing.
The source is the processing itself.
The "CONTROLLER" and the "DATA PROCESSOR" have an interest in retaining data related to performed operations if necessary to protect their rights.
The legal basis is legitimate interest.
The duration is that of the ordinary prescription term, which is 10 years from the last processing.
THIRD-PARTY PROVIDERS WHO PROCESS THE CUSTOMER'S/END USER'S PERSONAL DATA ("INTERESTED PARTY")
"PLATEFORM" offers the possibility of being integrated with "THIRD-PARTY SERVICE PROVIDERS" software (for example, as happens with some checkout management software), provided they offer adequate data confidentiality guarantees, it being understood that "PLATEFORM" and "THIRD-PARTY SERVICE PROVIDERS" retain distinct and independent responsibilities.
Among the sub-managers used by Plateform is SendGrid (Twilio Inc.), a platform used for sending newsletters. More information on the privacy policy: https://sendgrid.com/policies/privacy
COMMUNICATIONS
Outside the cases listed above, your data cannot be communicated to partners, consulting companies, or private companies.
TRANSFER OF DATA ABROAD
The collected data will not be transferred to third countries.
Currently, "PLATEFORM" stores data on servers located in European Union countries.
If in the future it is decided to use servers in countries outside the European Union, servers that ensure adequate security measures will be chosen (e.g., countries that guarantee an adequate level of protection or on the basis of Standard Contractual Clauses (SCC) approved by the European Commission).
RIGHTS OF THE "INTERESTED PARTY"
With a simple written request via email sent to the "SERVICE PROVIDER" or to the "RESTAURATEUR", the "INTERESTED PARTY" always has the right to:
— request access
— request rectification
— request deletion
— request restriction of processing
— oppose processing
— request data portability
— revoke consent to processing
— file a complaint in case of rights violations.
DATA OF MINORS
It is not foreseen that data are collected from people who have not reached the age of majority. For this reason, all our forms show the following wording:
"DO NOT FILL OUT IF YOU ARE NOT OF LEGAL AGE".
ONLINE PAYMENTS
Online payments will be managed through PAYPAL, SATISPAY, or other online platforms, which will be solely and exclusively responsible for that data processing. For online payments, PLATEFORM SRL uses their systems.
In no case can PLATEFORM SRL be held responsible for any damage resulting to the customer from the use of services provided by PAYPAL or SATISPAY or other platforms.
BROWSING DATA, COOKIES, AND OTHER TECHNOLOGIES
"PLATEFORM" does not release cookies.
[1] The trademark is registered in Italy for the commodity categories 9, 16, 35, 38, 41, 42.
[2] "PROFILING" means allowing the "CONTROLLER," through algorithms, to perform an automated analysis that evaluates personal aspects concerning a physical person, in particular to analyze or predict aspects relating to professional performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements "OF THE INTERESTED PARTY" (see Recital 71 and Art. 4, No. 4 of the GDPR). It is therefore about performing an automated analysis of preferences and habits, directly expressed or inferred, for example, from online "clicks" on items/sections of websites, which allows a better understanding of "THE INTERESTED PARTY's" preferences, also in order to send them, with automated and traditional contact methods, communications related to information and/or more suitable promotional and commercial services/products for the interested party, who will also be subject to an automated decision-making process.
[3] The possibility of carrying out soft-spam is subject to the following requirements:
the user is already a customer;
only on email;
only with an email already indicated within the scope of the rendered service or product;
only for the direct sale of products and/or services;
for similar products or services;
provided that there was no refusal to receive promotional communications;
with the possibility to object easily.