Privacy Policy Vittoria Park

Privacy notice on the processing of personal data of app users pursuant to Art. 13 and Art. 14 of EU Regulation No. 679/2016 ("GDPR")

Vittoria Park s.r.l. (hereinafter "Bike Park" or the "Company") pays the utmost attention to the security and confidentiality of personal data of users (hereinafter, the "Users" or "User" in the singular) of the App Bike Park (hereinafter also only the "App") downloaded to take advantage of the services available for purchase and wishes to provide them with information regarding the processing of their personal data.

1. Data controller

The data controller is Vittoria Park s.r.l. with registered office in Brembate (BG), Via Liguria no. 8.
For any queries regarding the processing of personal data, as well as to exercise the rights recognised by the GDPR and described in more detail in section 9 below, please contact
Bike Park at the e-mail address info.vittoriapark@vittoria.com or telephone number 0354993911;

2. For what purposes Bike Park processes personal data.

Through the App, Bike Park collects some personal data relating to Users, either voluntarily provided by them or collected in the normal operation of the App itself, which are processed for the purposes described below, including the possibility to purchase access tickets to the Bike Park and to rent bikes or related equipment (hereinafter the "Services").

Purpose of processing	Categories of data processed	Legal basis and conferment
Providing access to the restricted area of the App In order to create its own profile that allows access to the restricted area made available in the App, Bike Park collects certain personal data necessary to identify the User.	First and last name Tax code Copy of identity document E-mail Username Password In the case of minors under the age of 18: Name and surname of the person exercising parental authority Copy of document of exercising parental responsibility	Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of the data is necessary because if it is not provided, the Company will not be able to provide access to the reserved area of the App.
Collect and process the purchase order formulated through the App The Company may process Users' personal data to manage the purchase orders of Products and formulated within the App, by filling in the relevant form. The Company specifies that, in order to complete the payment transaction, Users will have to access a special portal made available by the platform for online payments (www.stripe.com www.paypal.com) , the operator of which will process their data as an independent data controller.	First and last name Payment Method In the case of minors under the age of 18: Name and surname of the holder of parental responsibility	Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of the data is necessary, as otherwise the Company will not be able to process the purchase order.
Providing Services through the App The Company needs to process certain categories of personal data in order to render the Services available through the App and activated by the User.	First and last name Tax code Copy of identity document E-mail Username Password	Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of the data is necessary, as otherwise the Company will not be able to provide the Services.
Defending one's rights The Company may process personal data for the defence of rights in the course of judicial, administrative or extrajudicial proceedings and in the context of disputes arising in connection with the Services.	Depending on the case, personal data collected for purposes 1 to 6 will be processed.	Legitimate interest of Bike Park in the protection of its rights (Art. 6 (1) (f) GDPR). A new and specific contribution is not required as the Company will pursue this further purpose, where necessary, by processing the data collected for the above-mentioned purposes.
Fulfilling legal obligations The Company may process personal data in order to fulfil its obligations under laws, regulations or EU legislation, provisions/requirements of authorities empowered to do so by law and/or supervisory and control bodies.	As required, personal data collected for purposes 1 to 6 will be processed.	Fulfilment of a legal obligation (Art. 6 (1) (c) GDPR). The provision of personal data for this purpose is obligatory, as failure to do so will make it impossible for the company to fulfil specific legal obligations

3. How we keep personal data secure

Bike Park takes appropriate security measures in order to ensure the protection, security, integrity and accessibility of Users' personal data. The appropriate security measures are aimed at preventing unauthorised access, disclosure, modification or destruction of personal data.
All personal data is stored on Bike Park's protected computer equipment (or suitably stored hard copies) or on those of its suppliers, and is accessible and usable in accordance with its standards and security policies (or equivalent standards for its suppliers).

4. How long we keep personal data

The Company retains the User's personal data only for as long as necessary to achieve the purposes for which it was collected or for any other legitimate related purpose.
Personal data that are no longer needed, or for which there is no longer a legal basis for their storage, will be irreversibly anonymised or securely destroyed.
If personal data are processed for several purposes, they will be deleted or anonymised as soon as the retention period for the last purpose has expired.
In particular, the data processed for managing access to the App will be kept until the relevant profile is closed or in case of inactivity of the same for 24 months.
Personal data processed for purposes related to the handling of the purchase order will be stored for 10 years.
Personal data processed to render the Services will be retained for as long as necessary to render them and will in any case not be retained for longer than 36 months.
Personal identification documents will be processed by the Company for the purpose of identification and, therefore, deleted as soon as possible, in any event within 48 working hours of the ascertainment of identity.
With particular reference to the judicial protection of our rights or in the event of requests by the authorities, the data processed will be kept for the time necessary to process the request or to pursue the protection of the right.

5. With whom we may share personal data

Personal data may be accessed by duly authorised employees of the Company, as well as by external suppliers, appointed as data processors if necessary, who provide support for the provision of services, including those necessary for the operation of the App.
You can contact Bike Park at the contact details given in section 1, to ask to see the list of data processors and other parties to whom we disclose data.

6. Transfers to Third Countries

Bike Park informs you that your Data will be processed, for the above-mentioned purposes, within countries belonging to the European Union (EU) or the European Economic Area (EEA). In order to carry out some of the processing activities of your Personal Data Bike Park may also communicate the same to external parties, located in countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter "Third Countries"); in these cases the lawfulness of such transfer is guaranteed by the instruments provided for in Chapter V of the GDPR.
You may write to Bike Park at any time, using the contact details given in this notice, asking who the Data is disclosed to, and to receive a copy of the guarantees adopted for the transfer.

7. Personal data protection rights and the right to lodge complaints with the Supervisory Authority

Every User has the right to ask Bike Park if the legal basis for the request exists:

access to personal data, as provided for in Article 15 of the GDPR;
rectification or supplementation of personal data held by Bike Park that are considered inaccurate, as provided for in Article 16 of the GDPR;
the deletion of personal data for which Bike Park no longer has any legal basis for processing, as provided for in Article 17 of the GDPR;
the restriction of the manner in which personal data are processed, if one of the cases provided for in Article 18 of the GDPR applies;
the copying of the personal data provided to Bike Park, in a structured, commonly used and machine-readable format and the transmission of such data to another data controller (so-called portability), as provided for in Article 20 of the GDPR

Right to object: in addition to the rights listed above, the User may always object at any time to the processing of personal data carried out by Bike Park for the pursuit of its legitimate interest. In addition, the User may at any time object if personal data is processed for marketing purposes.
The exercise of these rights, which can be done through the contact details of the companies indicated in paragraph 1, is free of charge and is not subject to formal constraints. It shall be the responsibility of Bike Park to verify that the User is entitled to exercise the relevant right and to reply, as a rule, within one month.
In the event that the User considers that the processing of his or her personal data is in breach of the provisions of the GDPR, he or she has the right to lodge a complaint with the Garante per la protezione dei dati personali, using the references available on the website www.garanteprivacy.it, or to take legal action.

8. Purposes implemented by Bike Park in joint controllership with Vittoria S.p.A. ("Vittoria").

Through the App, for certain purposes, Bike Park, operates in joint controllership with the parent company Vittoria, sharing with it the choice of the purposes and methods of treatment. In particular, Bike Park and Vittoria, as joint controllers, collect certain personal data relating to Users, with their consent, for the following purposes:

Purpose of processing

Categories of data processed

Legal basis and conferment

Marketing to meet your needs and to provide you with promotional offers also in line with your preferences

Subject to express and specific consent, the joint controllers may process your personal data for marketing and advertising communication purposes, aimed at informing you about sales promotion initiatives.

The joint controllers may also process personal data in order to send commercial communications to Users in line with their preferences, on the basis of a specific customer profile, in the event that further consent is given and always within the limits described in the relevant formula.

The sending of marketing communications may take place by means of automated contact methods (e-mail, text messaging, instant messaging, social accounts of the co-owners, push notifications, services and tools made available by social networks and other mass messaging tools, etc.) and traditional contact methods (e.g. telephone call with operator, etc.). ) and traditional methods of contact (e.g. telephone call with operator). In this regard, the User may at any time indicate the contact method he or she prefers among those listed above and may object to receiving promotional communications through all or only some of these contact methods.

Generic' marketing:

Personal and contact data

Profiled' marketing

Personal and contact data
Transaction Data
Interests and Data you voluntarily provide

In the case of minors under the age of 18:
Name and surname of the person exercising parental authority
Copy of document of exercising parental responsibility

Consent (Art. 6 (1) (a) GDPR).
Consent may be revoked at any time by clicking the following link.

For the joint controllership purpose of marketing and advertising communication, Bike Park and Vittoria have entered into a specific agreement pursuant to art. 26 of the GDPR, an extract of which is available for consultation by contacting each of the joint controllers using the contact details indicated in point 1 above for Bike Park and the following contacts for Vittoria: at the e-mail address privacy@vittoria.com or telephone number 0354993911.

For the said processing of personal data for marketing and advertising purposes Bike Park and Vittoria:

take appropriate security measures to ensure the protection, security, integrity and accessibility of Users' personal data;
store personal data on protected computer devices (or appropriately stored hard copies) or on those of their suppliers, accessible and usable according to their own standards and security policies (or equivalent standards for their suppliers).
retain personal data collected for marketing purposes for 24 months after collection.

Personal data collected for marketing purposes may be accessed by duly authorised employees of Bike Park e Vittoria, as well as external suppliers, who are appointed as data processors if necessary.
For the regulation of the transfer to Third Countries, the provisions of paragraph 6 shall also apply to the joint controllers. In this case, the User may contact Bike Park, using the contact details in paragraph 1, or Vittoria, using the following contact details privacy@vittoria.com
Users may also assert against the joint controllers the rights referred to in paragraph 7 above, in addition to the revocation of consent, since the processing is based on this legal basis. These rights may be exercised vis-à-vis Bike Park, using the contact details in paragraph 1, and vis-à-vis Vittoria, using the following contact details privacy@vittoria.com
For the rights concerning the protection of personal data and the right to lodge complaints before the Supervisory Authority, the provisions of paragraphs 8 and 9 above apply to Bike Park and Vittoria respectively.

Date of last update: 19 September 2022