The company Ovum srl (VAT ID 12201150963), with registered office in Milan, Via Arcivescovo Calabiana, 6, as the data controller (hereinafter referred to as the “Controller”) of the EOS App (hereinafter referred to as the “Platform”), informs the users of the Platform (hereinafter referred to as the “Data Subjects”) in accordance with Article 13 of the European Regulation No. 2016/679, the General Data Protection Regulation (GDPR).

The Controller is aware of the importance of processing the personal data of the Data Subjects and, for this reason, takes care to indicate which data are processed and how they are processed. By continuing to browse the Website or indicating the intention to use the services provided by the same, the Data Subject declares to have read and accepted this privacy policy (hereinafter the “Policy”), thereby giving consent to the processing of personal data by the Controller.

For any information, doubts, or requests related to this Policy, the Controller provides the following email address for the Data Subjects:

[email protected]

What are the rights of the Data Subject regarding the processing of personal data?

The Data Subject has the following rights:

    • The right to be informed if there is any ongoing processing of personal data concerning them and, if so, to access the personal data processed;
    • The right to rectify personal data;
    • The right to erasure (right to be forgotten) of personal data concerning them;
    • The right to restriction of processing of personal data concerning them;
    • The right to data portability to receive, or have transmitted to another controller, the personal data concerning them in a structured, commonly used, and machine-readable format;
    • The right to object to the processing of personal data;
    • The right to withdraw consent previously given;
    • The right to lodge a complaint with the competent authorities for the violation of personal data processing.

How to exercise these rights?

The Data Subject can exercise their rights by writing to the above email address.

The Controller does not intend to charge any costs to the Data Subjects for exercising their rights, but in order to do so, the Controller may request specific information to follow up on the communications from the Data Subject regarding their rights.

The aforementioned communications are usually responded to within 30 days from the receipt of the communication itself, but if this deadline cannot be met (e.g., due to an excessive workload of requests or complexity of the response), it is the responsibility of the Controller to inform the Data Subject and keep them updated on the progress of the communication sent.

What personal data are processed?

The Controller processes the personal data provided by the Data Subject and by third parties in order to respond to the contact requests received through the Website (hereinafter the “Services”).

    1. Personal data provided directly by the Data Subject:

| Personal data category | Type of data |
|---|---|
| Identifying and contact information | Name, surname, residence/domicile, email address, telephone number, username, password |
| User data | Biography, profile picture, URLs of other linked websites, published content (photos, videos), interactions and comments, approximate location (e.g., country or city) |
| Technical data | IP address |

    2. Data collected from third parties:

| Third-party data source | Types of data |
|---|---|
| Analytics providers | Behavioral data / Technical data |

Aggregated data

The Controller may collect, use, and share aggregated data, such as statistical or demographic data, for any purpose.

Aggregated data may be derived from the Data Subject’s personal data, but once aggregated, they do not constitute personal data within the meaning of the GDPR, as they are not able to directly or indirectly identify the Data Subject. However, if the Controller combines or connects aggregated data with the Data Subject’s personal data in a way that allows the identification of the Data Subject, directly or indirectly, the Controller will treat the resulting data in accordance with the provisions of this Policy.

Special Categories of Data

The Controller does not process any special categories of Data Subject’s data (special categories of data include data related to ethnic or racial origin, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, genetic data, biometric data, and health data), nor does it process any data relating to criminal convictions and offenses concerning the Data Subject.

Why are personal data processed?

The Controller processes personal data for the following purposes, as indicated in the following table.

The GDPR requires that, for each purpose of processing personal data, the Controller has a legal basis for processing.

The Controller may process the personal data of the Data Subjects based on their consent as the legal basis for processing. Consent can be revoked at any time, but the processing carried out until the revocation of consent will not be affected.

Below is a summary table of the purposes and their description:

| Purpose | Description | Retention |
|---|---|---|
| Provision of Services | The Data Subject can receive topic detection, sentiment analysis, emotion analysis through the Platform. They can also receive qualitative feedback on the performance of their communities and public data. | Data will be retained until the provision of individual Services is completed. |
| Support to Data Subjects | Resolve technical issues encountered by Data Subjects during navigation, their support requests, improve the Services and the Platform, and provide the requested support. | Data will be retained until the completion of Data Subject’s support request. |
| Newsletter | The Controller may send non-commercial updates to inform the Data Subject about developments in their business, such as agreements with business partners and participation in events. | Data will be retained for 24 months. |
| Compliance with legal, regulatory, and protection obligations of the Controller’s business | The Controller may process the Data Subject’s personal data to comply with legal and regulatory obligations, such as complying with orders from judicial and administrative authorities. The Controller may also process data to protect their rights and interests, such as in the case of legal protection or due diligence in the event of assessments of changes in the corporate structure. | Personal data will be retained for the period of time determined by the law, regulation, and/or the relevant authority. |

What happens if the Data Subject does not provide the necessary personal data?

If the data are necessary to provide the Services and support to Data Subjects, the Controller will not be able to provide them and support the Data Subject in their requests. In such cases, the Controller may alternatively request the integration of personal data or delete the Data Subject’s personal data, thereby preventing the provision of the Services.

For purposes other than the provision of Services and support to Data Subjects, the provision of data is optional, and the failure to provide personal data will not affect the aforementioned purposes of processing.

To whom are personal data disclosed and shared?

    1. Communication

The personal data of the Data Subjects may be communicated to third parties other than the Controller, as better indicated in the following table:

| Recipients | Purpose of communication |
|---|---|
| Data processors, authorized personnel | In the case of contractual obligations, the Controller may disclose data to, for example, suppliers supporting them in providing the Services, including but not limited to platform development, hosting, maintenance, backup, virtual infrastructure. |
| External consultants | In case of legal obligations or obligations related to a relationship established with the Data Subject, the Controller may disclose personal data to external consultants, such as accountants and lawyers. |
| Authorities and judicial proceedings | The Controller may disclose the personal data of the Data Subjects to state and/or administrative and/or judicial authorities if this is required by law, regulations, or orders of authorities, or to defend their own rights and/or interests. |

    2. Disclosure

The personal data of the Data Subjects will not be disclosed.

Where are personal data stored?

The Controller stores personal data in paper archives within the Controller’s headquarters, as well as in electronic archives located both within the European Union and outside it, if this is instrumental to the pursuit of the aforementioned purposes. In the latter case, the Controller ensures that companies without offices within the European Union treat personal data with the utmost confidentiality, in compliance with the decisions of adequacy of the European Commission, any Privacy Shield, or, if necessary, by entering into agreements that guarantee an adequate level of protection.

How are personal data processed?

The Controller processes the personal data of the Data Subjects by adopting appropriate security measures to prevent unauthorized access, disclosure, alteration, or destruction.

The processing of data is carried out through computer procedures, telematic means, and, in residual cases, on paper media by internally authorized personnel, as well as by external processors if appointed, based on existing contractual agreements.

What is the policy on the processing of minors’ data?

The Controller is aware of the sensitivity of processing data concerning minors. In particular, the Services are not intended to be provided to children under 14 years of age, and the Controller does not knowingly process data of children under 14 years of age. In this regard, Data Subjects are requested not to request the provision of Services if the age is under 14 years.

The Controller encourages those exercising parental responsibility for children under 14 years of age to ensure that they do not request the provision of Services and, in any case, to educate children under 14 years of age not to provide their personal data through the Website.

If the Controller becomes aware that certain personal data relate to children under 14 years of age, the Controller will take measures to delete the personal data.

What happens if there are links to other websites?

The Controller informs the Data Subjects that this Policy applies only to the Website, and if there are links to other websites, the Data Subject should review the privacy policies of those sites before providing their personal data.

The Controller assumes no responsibility for personal data provided by Data Subjects on other websites.

Changes to the Policy

The Controller reserves the right to modify this Policy at any time. In the event of changes, the Controller will upload the new policy to this page and, in this regard, urges the Data Subject to check the policy changes: the Data Subject can view the history of policies by checking the date provided.

By continuing to use the Website after the modifications, the Data Subject accepts such modifications and consents to the processing of data as modified.

Copyright Ⓒ 2022 Ovum Srl
Viralba is an initiative of Ovum Srl
Via Arcivescovo Calabiana 6, 20139 Milano
Email: [email protected] – Pec: [email protected] – P.iva:12201150963. All rights reserved.