Articles 12-13 of Regulation (EU) 2016/679 (GDPR)
with its registered office at Via Libertà 58 - 90100 Palermo (PA) - ITALY
VAT n° 06803120820
Tel: (+39) 351.9587218
DPO Email: firstname.lastname@example.org
Develhope S.r.l. (hereinafter also “Develhope” or “Controller”) is a young entrepreneurial reality that has set itself the goal of bringing digital skills to the less fortunate social groups and geographical areas of our Country. We have therefore founded a school to identify the best talents and train them through highly effective bootcamps in fields such as mobile/web development, data science, product management. Our courses typically last 6 months, are 100% remote and focus on both technical and human skills, to make sure that at the end of each course our students are ready to work in a team from day one. Our methodology is challenge-based and focuses on practical skills and the technologies most demanded by the market.
Develhope is also a software development agency, where our students are hired and work on projects for third parties together with our senior professionals. Our services are based on high-end technologies and are developed using the most common languages and stacks. We can cover any stage of the SDLC, including User Research, UX/UI, Marketing, and more.
Develhope is the home of Uniwhere (hereinafter also “App” or “Application” or “Platform”), that is an App that allows students to connect to keep track of academic performance and GPA, to focus only on university emails that really matter and access reviews and advice from classmates.
Furthermore, this document will inform Users of their rights and the possibilities they have to control their personal information in order to effectively protect their personal data.
THE UNIWHERE APPLICATION
WHAT THE UNIWHERE APP IS AND HOW IT WORKS
Uniwhere is a client Application that allows university students to connect their university account to view and use their data more efficiently. By viewing emails through a simpler and faster to use interface. Making projections of their university grades and their averages. Keeping track of the time used for studying. And accessing class and exam reviews generated by all Uniwhere Users.
Furthermore, Uniwhere allows Users to view updated information relating to job offers referring to their academic course, thus facilitating the search and selection of job positions suited to their skills and professional aspirations.
THE SECURITY MEASURES ADOPTED
The most modern security technologies have been adopted in the design and implementation of the Uniwhere Application. In particular, all communication between our mobile applications and our back-end services are encrypted with the exclusive use of SSL, a 256-bit verified certificate, high security standard of the technology industry. No communication in our systems takes place outside of this security protocol.
Art. 13 of Regulation (EU) 2016/679 (GDPR)
When the service is made available to the User, personal data from various sources are processed, i.e. both personal data provided directly and voluntarily by the User can be processed, as well as personal data that is collected automatically when the User uses the App.
For the use of Uniwhere, Develhope collects, in particular, the following personal data:
To use the service offered by the App, it is not necessary to create a User account (ie, a "profile") and it is not necessary to provide any specific personal data.
However, the Controller will ask the User to connect to his university account within Uniwhere through the access data that the User has received from his university to access the university online services; with this data, the Users can then directly use the App to access their data stored in their university account, such as, for example, programs, courses, timetables, meal plans, grades, exams, sessions, etc.
If the User creates a profile, the Controller will assign him a so-called "unique user ID". In addition to the name of his profile, the unique user ID allows the App to uniquely identify his profile, a process necessary for the correct and complete provision of the services.
Once a User profile has been created and logged in with university data via the Platform, the User's personal data in relation to the university to which they are enrolled are processed.
These personal data are as follows:
If the User uses all the functions of the App, the comments on lessons and exams will also be processed, which the User is free to leave on his/her profile bulletin board.
As soon as the User opens the App, he automatically and involuntarily sends technical information to the App server, regardless of whether he/she has registered to use the service offered by the App or not.
In any case, each time the App is used, the following personal data will be recorded:
- the IP address of the terminal used;
- the date and time of the visit and the duration of the use of the App;
- the reference URL (the website on which the User may have been redirected);
- the sections visited on the App;
- additional information about the device (type of device, information on installed plug-ins, operating system, etc.).
(2) PURPOSES OF THE PROCESSING
The personal data referred to in the previous paragraph are used exclusively for the following purposes:
with third parties (eg companies, organizations, etc.) in order to receive any internship / job offers for their specific training.
(3) LAWFULNESS OF PROCESSING
The processing of personal data will take place according to principles of lawfulness, necessity, minimization, proportionality and correctness, and in such a way as to fully protect the confidentiality of the data, in full compliance with the principles established by art. 5 of the GDPR.
In particular, the communication and processing of personal data, as indicated above, have, as prerequisites for the lawfulness of processing, the following legal bases for the fulfillment of the purposes referred to in the above list:
Art. 6, par. 1, letters a), c), f), as better specified below,
To the extent that the User gives consent to the processing of personal data for specific purposes, this consent guarantees the lawfulness of processing. The nature of the provision is necessary for the granting of all the services and functions offered by the Application, such as, for example, the visualization of emails through a simpler and faster to use interface, the projection of university grades and grade averages and access to reviews of classes and exams generated by the Users, with respect to which the data is necessary for the identification of the classes and courses of relevance to the User. Failure to provide the data will therefore make it impossible for the Controller to provide the full functionality of the services offered by the Application.
Consent may be given for the marketing and personalization of ads based on own profile. In this case, since it is a faculty, failure to provide the data will not make it impossible for the Controller to provide the aforementioned services and features offered by the Application.
When registering and creating its own profile, the User gives the aforementioned consent by clicking on the "Continue" button.
The Controller, where formally requested by a legal obligation, is in certain cases obliged to provide specific information to the Public Authorities. The nature of the provision is, in these cases, necessary.
Failure to provide the data will make it impossible for the Controller to provide the services offered by the Application. The data can also be used to ascertain responsibility in the event of potential computer crimes against the App and/or its Users.
In these cases, the processing is necessary for the protection of the legitimate interests of the Controller such as: technological maintenance of the Application; data analysis to carry out the development and maintenance of the Application; ascertaining responsibility in the event of potential computer crimes to the detriment of the App and/or its Users; ; statistical analyzes on the use of the Application; the management of requests from Users to guarantee customer service etc.
The nature of the provision is, in these cases, necessary. Failure to provide the data will make it impossible for the Controller to provide the services offered by the Application.
Acceptance of the Terms and Conditions of use of the App https://api.uniwhere.co/w2/static/policies/TC_PP_IT.html does not create any legal obligation to provide personal data. However, the Users cannot use the service or can do so to a limited extent if such personal data is not provided.
(4) METHODS OF PROCESSING
The processing of personal data communicated by the User is carried out by means of the operations indicated in art. 4, n. 2), of the GDPR, and more precisely: "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
The most modern security technologies have been adopted in the design and implementation of the Uniwhere Application. In particular, as anticipated above, all communication between our mobile applications and our back-end services are encrypted with the exclusive use of SSL, a 256-bit verified certificate, high security standard of the technology industry. No communication in our systems takes place outside of this security protocol.
Personal data are subjected exclusively to computerized and telematic processing, with technical and organizational methods such as to guarantee a level of security adequate to the risk pursuant to art. 32 of the GDPR, by specifically authorized and trained subjects, in compliance with the provisions of art. 29 of the GDPR, or to employees and/or collaborators of Develhope in their capacity as authorized and/or designated subjects and/or system administrators, and/or by external data processors pursuant to art. 28 of the GDPR (in the person of individual professionals and/or companies), who will be able to carry out the operations necessary for the configuration and operation of the App, as well as the constant updating and maintenance of the software, in full compliance with the regulatory provisions aimed at guaranteeing the confidentiality and security of personal data as well as the accuracy, updating, proportionality, minimization and relevance of personal data in compliance with the purposes and methods of processing stated in this document. The security of the processing of personal data, pursuant to art. 32 of the GDPR, is ensured by the use of state-of-the-art cryptographic technology, i.e. through the exclusive use of SSL, i.e. a 256-bit verified certificate (security standard of the technology industry).
In order to keep the service offered by the App functioning and to develop it to the fullest, we process the access data and use of the service by the User, as above reported. The information thus acquired gives the Controller the opportunity to understand, for example, if a feature of the service is not used too much, in order to evaluate whether to discard or modify it or if the App suffers stops or malfunctions due to a system error, or if it needs to be restarted, so that a prompt action can be taken to solve the problem. As a result, information on functionality, content and links is processed when the User uses the App.
To process this data, Google Analytics is used in conjunction with Firebase. Firebase is a real-time database that allows the Controller to save information in real time. In this case, the aforementioned User data is sent anonymously to Firebase. Firebase is a Google owned and offered service based in San Francisco, California.
The data collected by Google Analytics on the use of the Platform are usually transmitted to a Google server in the United States and stored there. The IP anonymization (by shortening it) has been activated on the App in such a way that the IP address of European Users is shortened, and therefore anonymized before transmission outside the EU. On our behalf, Google will use this information to evaluate the use of the App by the Users, compile reports on the activity of the App and provide other services relating to the use of the App and the website through which to better understand how develop, maintain and implement the functionalities of the Platform.
The IP address transmitted by Google Analytics from the Users’ device will not be linked or merged with any other data processed by Google. Storage can be prevented by an appropriate setting in the device operating system. In this case, the User may not be able to use all the features of the App fully. Furthermore, it is possible to prevent Google from collecting and processing data relating to the use of the App (including the IP address), by downloading and installing the plug-in available at the following link: http://tools.google.com/dlpage/gaoptout.
Further information on Google Analytics is also available on the following link http://google.com/intl/de/analytics/privacyoverview.html.
It is a service of Facebook Ireland Ltd., based at 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland ("Facebook EU"), which also provides data to Facebook Inc., based at 1 Hacker Way, Menlo Park , CA 94025, USA ("Facebook USA").
In this case, the so-called Facebook “pixels” are integrated into the App that the User can use without being registered with Facebook. The pixels allow the Application to use Facebook as an analytics tool and to have an anonymous attribution of any campaigns and interactions with the Application. If the User subsequently signs up for Facebook, a non-personal checksum (“profile”) from his/her usage data will be sent to Facebook for analysis and marketing purposes.
If the User wishes to opt out of the use of Facebook Custom Audiences, he/she can do so on https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen/.
It is a service of Facebook Ireland Ltd., based at 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland ("Facebook EU"), which also provides data to Facebook Inc., based at 1 Hacker Way, Menlo Park , CA 94025, USA ("Facebook USA").
Facebook Remarketing is a remarketing and behavioral targeting service offered by Facebook, Inc. and connects the application activities with the Facebook advertising network.
The personal data processed are those acquired by the cookies relating to the service itself, when accepted through the appropriate cookie banner.
If the User wishes to opt out of the use of Facebook Remarketing, he can do so on https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen/ .
Google Ads Remarketing is a remarketing and behavioral targeting service offered by Google LLC and connects the application activities with the Google Ads advertising network and the DoubleClick Cookie.
Personal data processed are cookies and usage data.
If the User wishes to opt out of the use of Google Ads Remarketing, he/she can do so on https://adssettings.google.com/authenticated.
(5) SCOPE OF DATA COMMUNICATION
Develhope processes Users' personal data with care and confidentiality, not disclosing to the public but only by communicating, only and exclusively when strictly necessary, or, where required, subject to the specific consent, to third parties as described below and for the purposes indicated only.
In relation to the purposes indicated above under par. (2), the personal data processed may therefore be communicated, by way of example but not limited to, to the following subjects and/or categories of subjects: third parties (eg companies, organizations, etc.), subjects who provide services for the management of the computer system and/or networks telecommunications (for example, e-mail providers and management of web portals and websites, cloud storage and hosting services, server farms); competent authorities and/or supervisory bodies for the fulfillment of any legal obligations; companies and law firms for the protection of contractual rights; in general, subjects who operate as data processors/other managers pursuant to art. 28, par. 4, of the GDPR, or in total autonomy as separate data controllers, and in any case third parties (natural or legal persons) who perform or provide specific services functional to the functioning of the App, the complete and detailed list of which is available, upon written request, from Develhope.
In particular, Develhope communicates the Users’ data, for example, to the following categories of subjects:
It is in the nature of the service provided by the App that it is possible to share some data of the User’s profile and other data (e.g. news or articles written, or reviews and/or evaluations sent) on the basis of the explicit consent of the User to others Platform Users.
Given the above, Develhope will not explicitly and individually show the User's votes to other Users of the Platform, or other personal data with respect to which the User's prior consent has not been given; for some functions we reserve the right to show aggregate information, from which, however, it will not be possible to trace the User individually (precisely as they are aggregated and anonymized).
Develhope will transmit data to third parties that allow the Uniwhere service to be provided: these include, as anticipated above, the server and hosting service provider Amazon Web Services and Google Inc., the latter as owner of the analysis platform and repository of Google Firebase data. Each of these service providers requires the Controller to adhere to strict rules to ensure the security of the information when processing Users’ personal data through the App.
In the end, Develhope will provide personal data to the supervisory authorities in charge only in the case of a legal obligation based on a request for information by the same authorities.
Develhope informs that the servers on which the Uniwhere software is based are located in the European Union, therefore within the European Economic Area and that it will not transfer the personal data processed to a third country outside the EU, nor to an international organization with headquarters outside the borders of the European Union/European Economic Area.
In the event that this should become necessary for any reason, Develhope from now on ensures that the transfer of personal data will take place in compliance with the applicable legal provisions and, in particular, in accordance with articles 44 - 45 - 46 - 47 - 48 and 49 of the GDPR, and to other applicable laws.
Due to the use of Google Firebase, some collected data will also be transmitted to the United States. The Google Analytics uses of the App are usually transmitted to a Google server in the United States and stored there. However, the Google IP address will be shortened and therefore made unreliable to a specific user before being sent to the United States and, therefore, effectively anonymised.
More information on Google Analytics and Firebase can also be found at http://google.com/intl/de/analytics/privacyoverview.html and up on https://www.firebase.com/terms/privacy-policy.html.
(7) DATA RETENTION PERIOD
In compliance with the principles of lawfulness, proportionality, necessity, minimization and limitation of purposes and data retention, pursuant to art. 5 of the GDPR, the retention period of the User's personal data is established for a period of time not exceeding the achievement of the purposes for which they are collected and processed, or for the entire duration of use of the App, and, at the eventual term of the latter, for a time in any case not exceeding one (1) subsequent year from the conclusion of the same relationship, and kept with high security methods such as encryption, only and exclusively for any fulfillment of legal and/or administrative obligations, or for defense purposes in court and/or in order to assert a right in judicial/extrajudicial litigation.
At the end of this last period of time, the personal data processed will be definitively deleted from every database, application and/or computer archive, in which they were recorded and stored to guarantee the User the correct functioning of Uniwhere.
(8) PROFILING AND AUTOMATED PROCESSES
Develhope informs that, with regard to the processing of personal data specified above, Uniwhere, only under specific consent given by the User, may carry out activities, direct or indirect, of profiling, for marketing purposes and specifically for the publication of personalized advertisements, or those aimed at using personal data to analyze or predict aspects regarding professional performance, economic situation, personal preferences, interests, reliability, behavior, location, etc. of the subjects to whom the data refer to. Profiling takes place through the use of the data provided by the User when creating the account, manually and with the connection to his/her university account, and based on the use of the Application itself.
In this way, the App provides a personalized service based on the User's personal preferences, his interests and on his previous behavior, e.g. to show informative articles on the basis of what has been previously consulted on the Platform, or to make personalized offers and therefore to show offers, ads, contents, or even educational materials, which adapt to the profile and interests of the User.
Uniwhere does NOT make use of automated decision-making processes, i.e. those aimed at making decisions based solely on technological means on the basis of predetermined settings and criteria (i.e. without human involvement).
(9) RIGHTS OF THE DATA SUBJECT
To the User – as a data subject, i.e. the natural person, identified or identifiable, to whom the information/personal data being processed refers to - the GDPR recognizes the faculty to exercise the following rights within the limits specified below.
Right of Access pursuant to art. 15 of the GDPR and Right of Rectification pursuant to art. 16 of the GDPR
The data subject, pursuant to art. 15 of the GDPR, has the right to obtain confirmation of the existence or otherwise of the processing of personal data concerning him/her, to obtain access to them and to all the information referred to in the same art. 15, paragraph 1, letters from (a) to (h), by issuing a copy of the data being processed in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The data subject, pursuant to art. 16 of the GDPR, also has the right to obtain the correction and/or integration of the data being processed if they are out of date and/or inaccurate and/or incomplete.
Right of erasure pursuant to art. 17 of the GDPR and right to restriction of processing pursuant to art. 18 of the GDPR
The data subject has the right to obtain, without undue delay, exclusively in the cases referred to in art. 17, paragraph 1, letters from (a) to (f), of the GDPR, the erasure of data concerning him/her - with the exception of the hypotheses specifically provided for by art. 17, paragraph 3.
The data subject, pursuant to art. 18 paragraph 1, letters from (a) to (d), of the GDPR, has the right to request and obtain the restriction of processing of his/her personal data, or that such data are not subjected to further processing and can no longer be modified, ensuring that the restriction of processing is implemented through appropriate technical devices that guarantee its inaccessibility and immutability.
Right to data portability pursuant to art. 20 of the GDPR
The data subject has the right to receive, pursuant to art. 20 of the GDPR, the personal data concerning him/her, the processing of which is carried out by automated means, in a structured format, commonly used and readable by an automatic device, and also has the right to transmit such data to another controller of the processing, or to obtain, where technically feasible, the direct transmission of such data to another specifically identified controller.
Right to object to processing pursuant to art. 21 of the GDPR
The data subject has the right to object at any time, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her pursuant to art. 6, par. 1, letters e) or f), including profiling, unless the Controller demonstrates the existence of compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him/her for these purposes, including profiling, to the extent that it is connected to such direct marketing.
The data subject also has the right to object to the processing of his/her personal data on grounds relating to his/her particular situation if they are processed for scientific or historical research purposes or statistical purposes pursuant to article 89, par. 1, of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
(10) PROCEDURE FOR EXERCISING OF THE DATA SUBJECTS’ RIGHTS
The data subject may exercise the rights listed above by means of a request to be sent by e-mail to the address email@example.com.
Develhope will confirm receipt of the request and provide information relating to the action taken, with reference to the exercise of the rights provided for in articles 15 to 22 of the GDPR, within 1 (one) month from the receipt of the request. If necessary, taking into account the complexity and number of requests, the deadline may be extended by 2 (two) months, subject to a motivated communication to be sent within 1 (one) month from the receipt of the request.
Develhope will communicate any rectification, cancellation, limitation, opposition to all recipients, as identified by art. 4, par. 1, n. 9 of the GDPR, to which such data have been transmitted, unless this proves impossible and/or involves a disproportionate effort.
Following the sending of the request for rectification, cancellation, limitation, opposition, if Develhope has reasonable doubts about the identity of the applicant, it will request further information to confirm it. Such communications will be sent by e-mail from the address above indicated and will be processed by the person specifically authorized for the purpose.
In the event that the request is not complied with within the period indicated above, the data subject, duly informed of the reasons for the non-compliance, will have the right to lodge a complaint with the Supervisory Authority (https://www.garanteprivacy.it/), as specified in pursuant to art. 13, paragraph 2, letter (d) and governed by articles 77 et seq. of the GDPR and 141 et seq. of the Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.
(11) STEPS FOR ACCOUNT DELETION
The data subject may delete its account by:
REGISTER of UPDATES
Summary of updates made:
Date of publication and update
Summary of updates
February 9, 2022
Release of version 1.0
May 20, 2022
Release of version 1.1
November 27, 2023
Release of version 1.1a (added account deletion steps)