This App for smartphones and tablets is made available by Healthy Virtuoso S.r.l., with registered office in Piazza Deffenu 9, 09125 – Cagliari (CA) (Italy), VAT number and Tax Code: 03737900922, (hereinafter the “Company” or “Virtuoso” or “us” or “we”). The App allows you (hereinafter “User” or “you” or “your”) to use the services it offers, once you have registered.
In order for the App to work, it needs to save, on remote servers, the information you provided when registering. If you do not intend to authorize this information to be saved on remote servers, please do not install the App.

​

    1)    Categories of Personal Data Processed
The personal data you provide are processed through the App: name, surname, nickname, telephone number, e-mail address, date of birth, and photo.
Once you have authorized it, the App synchronizes with other apps that are already installed on your device – such as the Health app, Google FIT,Garmin Connect and Health Connect. You must enable the synchronization so that the App can use the information present on your device (such as weight & height,  number of steps, minutes of sleep, the hours of sports activities performed, Calories burned, distance achieved), in order to calculate the credits to assign to you, climb the rankings, challenge other users, take part in dedicated competitions, redeem the rewards, reach personal daily goals, join missions, scale levels or join your dedicated company section and interact with your colleagues and friends. Upon first activation and and after your authorization, the app will access the data recorded on your device by the Health App, Google FIT, Health Connect and Garmin Connect over the past 30 days.
In addition to the data provided by you for the completion of your profile, through the app we will collect and process data relating to (i) number of steps taken, (ii) sports activity carried out (by way of example, running, cycling, etc…), (iii) sleep hours, (iv) weight & height detection, (v) burned Calories, (vi) distance achieve, (vii) user level and ranking and, always with your permission, (vii) data related to your location, collected by Health App, Google FIT,  Health Connect  and Garmin Connect and shared with the #StepbyStep app. 
If, from the information collected, or through a combination of the same, specific data related to your state of health can be inferred, you must provide your explicit consent for this data to be processed.
The use of information received from Health Connect will adhere to the Health Connect Permissions policy, including the Limited Use requirements.
Furthermore, the data rendered anonymous will be used jointly for the purpose of statistical analysis and to provide information that can allow the Company and our technological suppliers to improve the services offered through the App.
All of your data will be managed and encrypted on a secure way through AWS Hosting based in Europe following all of the major security and compliance standard of the market (AWS KMS, AES-GCM, AES-256, KMS HMAC)
 
2. Purpose and legal base
Your personal data will be processed for the following purposes:
a) to manage your request for registration with the App and allow you to use its functions and, in particular, allow you to select and redeem the vouchers or rewards available, in relation to the level; the legal basis for such processing is the execution of pre-contractual or contractual measures, pursuant to art. 6, c. 1, lett. b) of the GDPR or, to the extent that the processing concerns data relating to health, your consent, pursuant to art. 9, c. 2, lett. a) of the GDPR. In the absence of your consent for this purpose, the Data Controller will not be able to guarantee the use of the app;
b) to perform technical assistance activities that are strictly functional, in order to guarantee for the App to perform correctly and provide the necessary support for use; also in this case, the legal basis of the processing is the execution of pre-contractual or contractual measures, pursuant to art. 6, c . 1, lett. b) of the GDPR or, to the extent that the processing concerns data relating to health, your consent, pursuant to art. 9, c. 2, lett. a) of the GDPR. In the absence of your consent for this purpose, the Data Controller will not be able to guarantee the correct functioning of the app or the technical assistance that may be necessary;
c) for any fulfillment arising from legal obligations pursuant to art. 6, c. 1, lett. c) of the GDPR;
d) to carry out analysis and market research, through surveys made available to the user on the “News” page of the app. The legal basis for such processing is the legitimate interest of the Data Controller, pursuant to art. 6, c . 1, lit. f) of the GDPR;
e) to send commercial/sales notices about the Company’s products and services, also through e-mails, text messages, mms, faxes or similar, and/or through the postal service or telephone calls with an operator on the basis of the consent voluntarily given by you and freely revocable at any time, pursuant to art. 6, c. 1, lett. a) of the GDPR or, insofar as the processing concerns data relating to health, pursuant to art. 9, c. 2, lett. a) of the GDPR;
f) to define your personal profile and, based on this profile, direct the offer of products and services to you, also through SDK technology; on the basis of the consent voluntarily given by you and freely revocable at any time, pursuant to art. 6, c. 1, lett. a) of the GDPR or, insofar as the processing concerns data relating to health, pursuant to art. 9, c. 2, lett. a) of the GDPR.
 
3) SDK
Virtuoso uses SDK (Software Development Kit) technology to improve your experience in using the App. The SDKs are blocks of code provided by our business partners, installed in the App, which allow us to understand how you interact with it and to make advertising available to you that is in line with your interests.
To carry out this activity, Virtuoso processes your personal data jointly, and, however, does not make data available to our business partners that directly or indirectly allows them to identify you.

​

4) Data Retention
We will retain your personal data for the time that is strictly necessary to achieve the purposes indicated in this Privacy Policy and, in particular, for the entire time you use the App and for the period of limitation of the rights exercisable by the Company, as and when applicable.
With reference to the purposes under subs. e) and f), the processing activities will be carried out – and the related data stored – for a period of time equal to 24 (twenty-four) months and 12 (twelve) months, respectively.

​

5) Providing Personal Data
Providing your personal data for the purposes referred to lett. a), b), and c) of paragraph “Purpose and legal base” is optional, but it is required for pursuing legal and contractual obligations. In these cases, failure to provide the data will make it impossible for Virtuoso to allow you to register with the App and to use its functions. The provision of your personal data for the purpose referred to in the letter. d) is in any case optional; failure to provide it will make it impossible for the Data Controller to pursue its legitimate interest.
The data provided for points d) and, e) is optional, but failure to provide the personal data in question and/or lack of consent to their processing, will make it impossible for the Company to carry out the activities referred to in this Privacy Policy.


6) Communicating and Disclosing Personal Data
In relation to the aforementioned purposes, and within the limits strictly pertinent to the same, the data may be made accessible, brought to the knowledge of, or communicated to the following subjects, who will be appointed by the Company, as the case may be, as those responsible for or as persons authorized to process data or act as autonomous holders:
– private individuals, natural or legal persons, who the Company uses to perform the activities that are instrumental in achieving the aforementioned purposes, or to whom the Company is required to communicate data, as provided for by legal or contractual obligations;
– the Company’s shareholders and stakeholders.
In case of participation in Corporate Health Programs and positioning in the top positions of the ranking, we may communicate common data relating to participation in the initiative (name, surname and prize collected or to be collected) to your company, who will treat them as autonomous Data Controller. This will allow you, if you wish, to participate in recognition moments organized directly by your company.
#StepbyStep is committed to protecting the privacy of its users and will never share user personal data (Except for the cases explicitly provided for by law)  with third parties for commercial or marketing purposes.
User personal data will be used exclusively for the purposes specified in this privacy policy and for purposes specifically authorized by the user. Personal data collected by #StepbyStep includes all activities recorded through the Health app, Google Health Connect, Google Fit, Garmin. These data may include, for example, information about health, physical activity, sleep, and overall well-being.
Personal data will not be transferred outside the European Union and/ or the European Economic Area

​

7) Data Controller, Data Processors, Data Protection Officer (DPO)
The data controller is Healthy Virtuoso S.r.l., with registered office in Piazza Attilio Deffenu 9 – 09125 Cagliari (Italy), e-mail: stepbystep@healthyvirtuoso.com. The updated list of processors is available, upon request, by writing to: stepbystep@healthyvirtuoso.com. The Data Controller has appointed a Data Protection Officer, which can be reached at the email address stepbystep@healthyvirtuoso.com.

​

8) Rights of the Data Subject
As the data subject, you can request access to your personal data, the correction or deletion of the same, limitation on the processing, and the portability of the data, via app function or also through the e-mail address: stepbystep@healthyvirtuoso.com. You can also prevent your data from being processed for legitimate purposes or for marketing purposes. Your right to prevent your data from being processed, exercised through an e-mail, also extends to sending advertising through the postal service or telephone calls with an operator, without prejudice to the possibility of exercising this right only in part, for example, by preventing your data from being process through automated systems of communication. In the event that your consent is required for processing your personal data, you may also revoke the consent you already provided at any time, without prejudice to the lawfulness of the data processed based on the consent provide before you revoke your right. Furthermore, you can submit a complaint to the Italian Data Protection Authority if you believe that the rights you hold, pursuant to current legislation regarding the protection of personal data, have been violated, according to the methods indicated on the website of the Italian Data Protection Authority, accessible at: www.garanteprivacy.it.

​

9) Data deletion:
As the data subject, you can request deletion to your personal data through (i) special section in app “Personal Profile” > “Account”  “Delete Account”; (ii) through the dedicated page on our website (iii) sending an email to: stepbystep@healthyvirtuoso.com. All of the request will be processed within the time regulated by the current public norms in terms of data management and personal privacy by GDPR
 
 
 
 
Having read the information on the processing of my data
I allow my personal data to be used for marketing purposes as per lett. d) of this Privacy Policy Statement.
I allow my personal data to be used for profile information purposes, as per lett. e) of this Privacy Policy Statement.