This policy describes the modalities by which our company, Qooder SA, processes the personal data of the users when using the website www.qooder.com (the “Website”), in order to provide them with the information as to which personal data are collected, how they are used, which third parties might have access to them and how you can exercise your rights as to this processing.
The processing fully complies with the Swiss federal law on data protection (“LPD”) and the Regulation UE 2016/679 – “Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (the “Regulation”).
Please read carefully this policy. By accessing the Website, you hereby declare to accept this policy. Should you do not agree with this statement, please do not browse any other page of the Website.
Data Controller, Representative of the Controller and data processors
The data controller is Qooder SA, with registered office in Vacallo (Svizzera), Via dei Lauri 4, in the person of its pro tempore legal representative, email firstname.lastname@example.org (the “Controller” or the “Company”).
Pursuant to Article 27 of the Regulation, the Controller has Designated, as its representative in the Union for the purposes of the application of the rules as to data processing, Qooder Italia S.r.l., with registered office in Como, Via Alessandro Volta 66, C.F., VAT number and number of enrolment with the Companies Register of Como no. 03434900134. You can contact the representative by sending an email to email@example.com.
The controller has also designated as data processors certain third parties (natural or legal persons), which provide specific services or perform activities that are linked, or support those of the Company. The complete list of data processors may be consulted by sending a request to the following email: firstname.lastname@example.org.
Source of the personal data
Personal data are collected directly from the data subjects.
Categories of data
When the user browses the Website, we process certain personal data:
- Browsing data
When the user browses the Website, the Controller automatically receives and collects the ID of the devices used to browse, the IP (Internet Protocol) address, the operating system being used and the name of the ISP (Internet Service Provider) of the device, the pages which are browsed.
These data are only used to obtain anonymous statistical information about use of the Website and to check it is working correctly, and are deleted immediately after processing.
The data may be used to ascertain responsibility in the event of computer-related crimes: except for this case, data on web contacts are not kept for more than 7 days.
When accessing the Website via a mobile device, the user can authorise the activation of the geolocation service. In this case, device location tracking data may also be processed, including specific geographic locations, for example via GPS, Bluetooth or wi-fi. In the absence of explicit authorisation, no geolocation data may be processed.
At any time, the data subject may interrupt or disable the geolocation service by changing the settings on the mobile device, referring to the user manual.
The data related to user geolocation may also be used to improve the services offered to the user and for marketing purposes.
The Website may use certain types of cookies. To see the policy on cookies, please click here
- Data provided by data subjects
In case of registration to the Website, which allows to access to specific sections, the data subjects will have to provide certain personal data (e.g.: name and surname, email address).
Furthermore, any sending of communications to contacts listed on the Website entails the acquisition of the e-mail address and other personal data contained in the communication, which may be used by the Controller to send communications to the data subjects.
Purposes and legal basis for processing
Personal data are processed for the following purposes:
- Functioning of the Website. This processing is based on the legitimate interest of the Company;
- Access to specific functions of the Website. This processing is based on the consent of the data subject;
- Fulfilment of legal obligations, including the accounting, tax and administrative ones, as well as of orders from authorities and eventually supervisory and control authorities;
- With the prior consent of the data subject, for commercial, promotional and marketing purposes, including the promotion and sales of products and services of the Company, performed by means of letters, phone, advertising materials, automatic systems, etc.; sending of information material;
- With the prior consent of the data subject, for the purpose of carrying out customer satisfaction surveys on the quality of the services and the activities performed, and market surveys. This activity is performed by means of interviews by person or by phone, by surveys, etc.;
- Upon prior request of the data subject, provide the “Newsletter” service, by e-mailing list. This processing is based on the consent of the data subject.
- With the prior consent of the data subject, data profiling in order to offer customized offers and services in line with the user's needs.
Personal data are processed in a lawful, fair and transparent manner, pursuant to the modalities and for the purposes indicated above.
Data retention time
Personal data will be retained for the following terms:
- for the purposes under 1 of the previous paragraph, for the term of the browsing session on the Website. After such term, the personal data shall be destroyed, erased or anonymized (if they have not already been collects in anonymous form);
- for the purposes under 2, for the term necessary to implement the specific function of the Website as requested by the data subject;
- for the purposes under 3, for the term as provided for by the applicable law;
- for the purposes under 4,5, and 7, no more than 24 months;
- for the purposes under 6, for the entire term of the “Newsletter” service, until the data subject will unsubscribe from it.
Mandatory or optional nature of data provision
The provision of data from data subject may be either mandatory or optional.
With reference to the purposes under a) of paragraph “Purposes and legal basis for processing”, the provision of data is mandatory. The relevant processing does not require the consent from the data subject, since it is based on the legitimate interest of the Controller.
With reference to the purposes under b), the provision of data is not mandatory, but it is necessary to have access to the specific function of the Website as requested by the data subject. In case of refusal to provide such data, the data subject would not have access to this specific function. The relevant process requires the consent of the data subject.
With reference to the purposes under c), the provision of data is mandatory. In case of refusal to provide such data, the data subject would not have access to the Website. The relevant process does not require the consent of the data subject.
On the other hand, the provision of data is optional for the purposes under 4,5, and 7; any refusal to provide such data has no consequence as to the access to the Website, but it would not allow the Controller to carry out certain statistical and commercial activities. The process of data by the Company for these purposes requires the prior consent of the data subject which, in any case, will have the faculty to cease at any time the process, by sending a request to email@example.com.
With reference to the purposes under 6, the provision of data is always optional; the refusal to supply would not allow to provide the “Newsletter” service. The process of data by the Company for this purpose requires the prior consent of the data subject which, in any case, will have the faculty to cease at any time the process, by using the function “unsubscribe” in any of the newsletter.
With reference to the purposes above, the personal data shall be processed by means of using paper, automated and telematic tools, using automated tools, with logics strictly related to the purposes, and in any case so that the safety and confidentiality of data will be preserved.
The Controller warrants that the safety and confidentiality of the personal data will be safeguarded by adopting suitable security measures, pursuant to the provisions of LPD and Regulation, in order to reduce the risk of leakage, loss (even accidental) and non-authorised access or unlawful process or process non-consistent with the purposes.
The Controller does not take upon any liability as to the data transferred via internet. Likewise, no liability shall be upon the Controller in case of open of link or other web pages linked to the Website.
The data shall be processed on the basis of the need-to-know principle. Hence, the process shall be minimized and shall be excluded in case the relevant purposes may be pursue by using anonymous data.
Communication and dissemination of data
Personal data may be processed by persons which need to know them while performing their tasks, provided that they have been duly appointed as persons authorised to process the personal data by the Controller. Data may also be communicated or transferred to controlling, controlled or affiliated companies of the Controller, also abroad, as well as to the sales and assistance network of the Company.
Furthermore, while carrying out its activity, the Company, in order to fulfil contractual obligations or comply with legal obligations or to satisfy specific request from the data subject, may communicate the personal data of the latter to persons whose intervention is strictly necessary to execute the contractual relationship.
For carrying out the activities above, the Company may communicate the personal data to the following persons or categories:
- banks (when applicable), for the collection and payment management;
- persons which carry out activities linked or of support to the execution of the contractual relationship (e.g.: suppliers of services and of technical assistance; delivery of the products; sending, enveloping, transport and sorting of communications to customers or suppliers; storage of documents relating to the previous relationships with customers or suppliers);
- public administrations and third parties when required to comply with legal obligations.
For this kind of communications, the consent of the data subject is not required, since the process is finalized to fulfil contractual obligations or comply with legal obligations.
The persons above act, in some cases, as data processors or external persons delegated to process the data on behalf of the Controller, duly designated by the latter; in other cases, as independent data controller, in which case the will provide their own privacy policies to the data subject. Should the data subject wish to know in details the list of the persons to which data may be communicated, he/she can send a request to the following email: firstname.lastname@example.org.
In no event the personal shall be disseminated by the Controller.
Data transfer abroad
Data may be transferred abroad, including to countries outside the European Union, provided that the European Commission has ascertained that these countries outside the European Union guarantee an adequate level of protection for the data being transferred.
Social plugin of third parties
Website might use social plugin provided and managed by third parties, such as Facebook.
As a consequence, the data subject might send to such third parties the information that he/she is viewing on a specific section of the Website. If the data subject has not logged in on the website of the third party, it cannot come to know its identity; otherwise, it can be in a position to link the information relating his/her visit in the Website to his/her account. Likewise, his/her interaction with the social plugin can be registered by the latter.
Rights of the data subject
The data subject shall have the right to obtain from the Controller, in any time:
- The confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of automated decision-making, including profiling, the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (right of access);
- The rectification of inaccurate personal or the completion of incomplete personal data (right to rectification);
- The erasure of personal data in case of (i) withdrawal of the consent on which the processing is based and where there is no other legal ground for the processing by the Company; (ii) objection to the processing and there are no overriding legitimate grounds for the processing; (iii) unlawful process; (iv) compliance with a legal obligation; unless and to the extent that processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims (right to be forgotten);
- restriction of processing (right to restriction of processing).
Furthermore, the data subject shall have the right to:
- receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where the processing is based on consent and carried out by automated means (right to data portability);
- object to processing of personal data, even if such data are pertinent to the purpose of the collection, and/or withdraw the consent to the process of personal data, at any time; this would not jeopardize the lawfulness of the process based on the consent given before the withdrawal, for marketing purposes (right to object);
- lodge a complaint with a supervisory authority, when he/she deems that the process breaches the applicable privacy regulation.
For the exercise of his/her right, as well as for receiving any information, the data subject can send an email to email@example.com.