Privacy Notice

This privacy notice (the “Notice”) applies to the processing of personal data (hereinafter, “Personal Data”) of the users (hereinafter, the “User/s” or the “Data Subject/s”) carried out by Bending Spoons S.p.A., based in Corso Como 15, Milan (Italy) (hereinafter, the “Data Controller” or the “Company”) through its applications for secret folder / storage archetype (namely, Secret Apps Lite, Secure Photo+Video Free, Secret Folder, Password Secure Manager Lite Free, hereinafter, the “Apps”) in accordance with Regulation (EU) 2016/679 - General Data Protection Regulation or the “GDPR” - as well as the Italian Legislative Decree 196/2003 (as amended) and other applicable local laws, as amended or replaced (jointly, the “Applicable Privacy Laws”).

I. Data Controller’s contact details
The Data Controller is Bending Spoons S.p.A., based in Corso Como 15, Milan (Italy).

Email: privacy@bendingspoons.com

II. Categories of the processed Personal Data, purposes and legal basis for the processing

The Company processes the following categories of Personal Data, for the purposes and on the legal bases indicated below. Besides the information listed below, the Apps are able to store whichever information the Users decide to store.

The Company does not require nor actively collects special categories of personal data/personal data relating to criminal convictions and offences: the Users are invited not to store such data on the Apps. Should such categories of data be stored, the Company will keep the information within its servers: in such case, the Company represents that it will not access the data nor it will use the data for any purpose.

Purpose Legal basis Apps Categories of processed data

  1. To enable Users to use the Apps (e.g. to allow the User to use the Apps, to send technical information about how the Apps work).

 The legal basis for the processing is the performance of a contractual relationship with the User (art. 6(1)(b) of the GDPR). Type of app Basic Data (i.e. IDFA, device model and type, country as set by the user in the device settings, device language, device name, OS version, IP address, app usage (screenshots accessed, buttons pressed, etc.), unique identifier assigned to Users by the Company)

Videos



(i.e. User's videos stored on the device)

(the App will require the User to express his/her consent prior accessing the videos stored on the device)

Pictures

(i.e. User's pictures stored on the device)

(the App will require the User to express his/her consent prior accessing the pictures stored on the device)

E-mail address

Microphone recordings


(the App will require the User to express his/her consent prior accessing the microphone recordings on the device)
Secret Apps Lite YES YES YES YES YES
Secure Photo+Video Free YES YES YES YES YES
Secret Folder YES YES YES YES YES
Password Secure Manager Lite Free YES YES YES NO YES

  1. To fulfill Company’s legal obligations and any other obligation eventually arising from the authorities’ instructions.

 The legal basis for the processing is the compliance with a legal obligations to which the Data Controller is subject (art. 6(1)(c) of the GDPR). All Apps Any information which may be requested by law or under authorities’ instructions.

  1. To process any request for information and/or clarification raised by the Data Subjects (also by allowing them to contact the Data Controller’ support staff).

The legal basis for the processing is the legitimate interest of the Data Controller (art. 6(1)(f) of GDPR).

Legitimate interest of the Data Controller is to process and give a proper feedback to any request raised by the Data Subject.

 All Apps

Identification and contact information as disclosed by the Data Subject submitting the request (such as name, email address).

Potential further information inserted within the contents of Data Subject’s request.

  1. To carry out activities aimed at improving the User experience and at assessing the expected Users’ use of the Apps (e.g. market researches, statistical analysis, or other researches aimed at improving products and services, as well as for assess customers satisfaction in relation to Apps’ services).

The legal basis for the processing is legitimate interest of the Data Controller (art. 6(1)(f) of GDPR).

The legitimate interest of the Data Controller is to reach improvements in relation to its products and services.

 All Apps Device information, contact information and further information collected to improve the App’s functionality (such as the screenshots accessed by the User, options selected).

  1. To claim or defend a right of the Company and its employees as well as to be able to manage any corporate operation (e.g. extraordinary operations, due diligences, assignments).

The legal basis for the processing is the legitimate interest of the Data Controller (art. 6(1)(f) of GDPR).

Legitimate interest of the Data Controller is to ensure the protection of the Company’s rights as well as the management of corporate operations.

 All Apps Any information that shall be necessary to ensure the performance of the mentioned purposes.

When the processing of Personal Data requires the User’s consent, the Data Subject may give his/her consent only if aged at least 16 years (see art. 8 of the GDPR).

The Company’s apps and services are not for children under the age of 16. The Company do not knowingly collect personal data from children. If you believe we have received personal data from children under the age of 16, please email us at privacy@bendingspoons.com.

If the Data Subject is under the age of 16, the consent must be given by a parent or other holder of parental responsibility (in the latter case, the Data Controller shall make every reasonable effort to verify that consent is given or authorized by the holder of parental responsibility).

Should the Data Controller realize that some Users are aged below 16 and consents have not been given by parents (or holders of parental responsibility), it shall immediately delete the processed data and close the related account forthwith.

III. Data retention of User’s Personal Data

Personal Data may processed by both paper and electronic means.
The Data Controller adopts all technical and organizational measures for preventing the loss, improper use and alteration of Data Subjects’ Personal Data, and, in some cases, may adopt data encryption measures, too. Your Personal Data shall be stored at the Data Controller’s and at its IT services providers’ premises.

Personal Data processed to fulfill legal obligations and obligations related to the use of the Apps (points II.a), II.b), II.c) and II.e)) above will be kept for a period not exceeding the one necessary for the said purposes and, in each case, for no more than 10 (ten) years from the termination of the agreement (i.e. after the cancellation of the Apps’ account) except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

User’s Personal Data processed for the purposes referred to in point II.d) above will be kept for no more than two years from the termination of the agreement (i.e. after the cancellation of the App’s account) except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

IV. Mandatory or optional nature of the supply of Personal Data and consequences of the refusal to answer

The provision of User’s Personal Data for the purposes referred to in points II.a) and II.b) above is mandatory. Any refusal to provide the requested data could make it impossible to enjoy the Apps’ services.

The provision of User’s Personal Data for the purposes referred to in points II.c), II.d) and II.e) above occurs on the basis of the legitimate interest of the Data Controller, pursuant to art. 6(1)(f) of the GDPR. In any case, Data Subjects can at any time exercise the rights referred to in point no. VII to have such processing ceased.

V. Recipients of Personal Data

Personal Data may be disclosed to the following categories of recipients:

  1. public, judicial or police authorities, within the limits established by applicable laws and regulations;

  2. third parties carrying out activities that are related or instrumental to the Data Controller’s activities, as outsourced data processors duly appointed in writing by the Company in accordance to the Applicable Privacy Laws or acting as autonomous data controllers (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers, suppliers of mobile marketing services, in case this Notice refers that marketing activities are performed).

The complete and updated list of such entities is available for consultation upon request at the Company’s headquarters or by sending an email to privacy@bendingspoons.com. Users’ data will not be disclosed for any reason other than those stated above nor disseminated, unless such disclosure is deemed necessary for the fulfillment of legal obligations and/or regulations.

The Company does not communicate the Users’ personal data to third parties, except in case such communication is necessary in order to provide the service. Also, the content saved on the Apps (including any image of video files) is never communicated to third parties.

VI. Transfer of Personal Data outside EEA

The Company may also transfer personal data of the Data Subjects to countries located outside the European Economic Area (EEA). In such cases, the Company will make sure that such transfer is based on appropriate safeguards listed in the GDPR, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission concerning the States in which the addressees are based; (c) binding corporate rules adopted by the Company and approved by the competent authorities or that are parties of agreements with the Company in this regard.

Copies of appropriate warranties are available for consultation upon request at the Company’s headquarters or by sending an email to privacy@bendingspoons.com.

VII. Rights of the Data Subjects

The Users, at any time and free of charge, can have and/or exercise the following rights, as specified in the GDPR:

  1. the right to be informed on the purposes and methods of the processing;

  2. the right of access;

  3. the right to obtain a copy of the data held overseas and obtain information concerning the place in which such data are kept;

  4. the right to ask for updating, rectification or integration of the data;

  5. the right to request the cancellation, anonymization or blocking of the data;

  6. the right to restrict the processing;

  7. the right to object to the processing, wholly or partly, also where it is carried out through automated individual decision-making, including profiling;

  8. the right to withdraw the consent to the processing of the data freely and at any time – in such a case, the processing carried out before withdrawal of consent shall remain valid;

  9. the right to data portability, (i.e. to receive an electronic copy of User’s personal data, if the User would like to port his/her personal data to himself or a different provider);

  10. the right to limitation of the processing.

Data Subjects also have the right to lodge a complaint before the competent national data protection or judicial authority.

For the exercise of their rights, Users may contact the Data Controller, in writing by sending a letter with proof of receipt to the Company’s headquarters, or by sending an email to privacy@bendingspoons.com.

If a Data Subject is under the age of 18 in California, in certain circumstances, he/she may request and obtain removal of Personal Data or content shared by him/her and posted on the Apps. To make any request pursuant to California privacy law, please send an email to privacy@bendingspoons.com. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information posted on the Apps by the User and that there may be circumstances in which the law does not require or allow removal even if requested.

VIII. Automated decision-making

No entirely automated decision-making is carried out within the processing of the Users’ Personal Data (there included profiling under Article 22(1) and 22(4) of GDPR).

IX. Third party websites and apps

The Apps may include links to other websites or apps operated by third parties. The practices described in this Notice do not apply to data gathered through these third party websites and apps. The Company has no control over, and is not responsible for, the actions and privacy policies of third parties and other websites and apps.

X. Changes and updates of this Notice

The Company may modify, integrate and/or update, in whole or in part, this Notice, also in view of future changes that may involve the Applicable Privacy Laws and in case of new apps that shall be considered processing personal data as described by this Notice. It is understood that any modification, integration or update will be communicated to the Data Subjects promptly and on time via email or at the time of the start of the Apps. In this regard, it could be required to the User to read the new version of the Notice and to accept it before continuing to use the Apps.

Date of last amendment: July 29, 2019

Can't find what you’re looking for?
Visit the Support Center.