This privacy policy (the “policy”) applies to the processing of personal data (hereinafter, “Personal Data”) of the users (hereinafter, the “User/s” or the “Data Subject/s”) carried out by Appnap Technologies Limited, Pragati Sarani, Dhaka, (Bangladesh) (hereinafter, the “Data Controller” or the “Company”) through the application called “30 Day Fitness Challenges Free ~ Workout routines” (hereinafter, the “App”) in accordance with Regulation (EU) no. 679 of 27 April 2016 - General Data Protection Regulation or the “GDPR” - as well as the Italian Legislative Decree 196/2003 (as amended) and other applicable local laws, as amended or replaced (jointly, the “Applicable Privacy Laws”).

I. Data Controller’s contact details

The Data Controller is Appnap Technologies Limited, Pragati Sarani, Dhaka, (Bangladesh), info@appnap.io

II. Categories of the processed Personal Data, purposes and legal basis for the processing

The Company processes the following categories of Personal Data, for the purposes and on the legal basis indicated below.

Purpose

Legal basis

Categories of processed data

1. 
   
   
   To enable Users to use the App (e.g. to create or modify User’s account, to allow the User to use the App, to send technical information about how the App works, to send to the User a code to enter at first authentication, to provide with backup features to recover data inserted within the User’s account).

The legal basis for the processing is the performance of a contractual relationship with the User (art. 6(1)(b) of the GDPR).

Identification and contact information (such as name, email address).

Information necessary to allow the use of the App (gender, age, weight, height, fitness level, IP address, device type, OS version, ID univocally assigned by Bending Spoons to each user, device language, country as set by the User in the settings of the device, IDFA Apple).

2. 
   
   
   To fulfill Company’s legal obligations and any other obligation potentially arising from the authorities’ instructions.

The legal basis for the processing is the compliance with a legal obligations to which the Data Controller is subject (art. 6(1)(c) of the GDPR).

Identification and contact information (such as name, email address).

Any other information which may be requested under authorities’ instructions.

3. 
   
   
   To send communications and newsletter on health / wellness / fitness areas (such as generic tips and advices) or special offers.

The legal basis for the processing is consent of the Data Subject (art. 6(1)(a) of GDPR).

Contact information (such as email address).

4. 
   
   
   To speed up the setup of a tailored fitness plan and to adjust the plan to a User’s level of physical activity, through the access to data contained in “Health”, application automatically installed on iOS devices.

Personal data within “Health” app will be processed exclusively for the purpose described in this section, and will not be used (or shared with third parties) for any other purpose or scope.

The legal basis for the processing is consent of the Data Subject (art. 6(1)(a) of GDPR).

Health data, included those contained in "Health", an application automatically installed on iOS devices (if a User consents) which fall under the special categories of personal data pursuant to art. 9 GDPR. These also include information on User’s weight, height, physical activity (steps walked, calories burnt).

5. 
   
   
   To carry out activities aimed at improving the user experience (e.g. market researches, statistical analysis, or other researches aimed at improving products and services, as well as for assess customers satisfaction in relation to App’s services).

The legal basis for the processing is legitimate interest of the Data Controller (art. 6(1)(f) of GDPR)

The legitimate interest of the Data Controller is to reach improvements in relation to its products and services.

Contact information (such as email address) and further information collected to improve the app’s functionality (such as the screenshots accessed by the user, options selected).

6. 
   
   
   To inform Data Subjects of progresses and targets that he/she achieved through the use of the App (by congratulating the Users, for example, when they complete their first workout), as well as new features and functionalities of the App.

The legal basis for the processing is the legitimate interest of the Data Controller (art. 6(1)(f) of GDPR).

The legitimate interest of the Data Controller is to update the Users on the progresses reached through the App and its functionalities.

Identification and contact information (such as name, email address).

7. 
   
   
   To process any request for information and/or clarification raised by the Data Subject (also by allowing them to contact our support staff).

The legal basis for the processing is the legitimate interest of the Data Controller (art. 6(1)(f) of GDPR).

Legitimate interest of the Data Controller is to process and give a proper feedback to any request raised by the Data Subject.

Identification and contact information (such as name, email address).

Potential further information inserted within the contents of Data Subject’s request.

When the processing of Personal Data requires the User’s consent, the Data Subject may give his/her consent only if aged at least 16 years (see art. 8 of the GDPR).

The Company’s apps and services are not for children under the age of 16. The Company do not knowingly collect personal data from children. If you believe we have received personal data from children under the age of 16, please email us at info@appnap.io.

If the Data Subject is under the age of 16, the consent must be given by a parent or other holder of parental responsibility (in the latter case, the Data Controller shall make every reasonable effort to verify that consent is given or authorized by the holder of parental responsibility).

Should the Data Controller realize that some Users are aged below 16 and consents have not been given by parents (or holders of parental responsibility), it shall immediately delete the processed data and close the related account forthwith.

III. Data retention of User’s Personal Data

Personal Data may processed by both paper and electronic means.

The Data Controller adopts all technical and organizational measures for preventing the loss, improper use and alteration of Data Subjects’ Personal Data, and, in some cases, may adopt data encryption measures, too.

Personal Data processed to fulfill legal obligations and obligations related to the use of the App, (points II.a), II.b) and and II.i)) will be kept for a period not exceeding the one necessary for the said purposes and, in each case, for no more than 10 (ten) years from the termination of the agreement (i.e., after the cancellation of the App’s account) except for any legal obligation that set a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

User’s Personal Data processed for the purposes referred to in points II.c), II.d), II.f), II.g) and II.h) will be kept for no more than two years from the termination of the agreement (i.e., after the deletion of the App’s account). At the end of this period, the processed data will be deleted or anonymized.

Users’ Personal Data processed for the purposes referred to in point II.e) will be kept until the User withdraws his/her consent (through functions and settings made available within iOS environment) or until termination of the agreement. Then, they shall be immediately deleted or anonymized. Evidence of the consent provided will be kept for no more than 10 (ten) years from the termination of the agreement (i.e., after the cancellation of the App’s account) except for any legal obligation that set a longer data retention period.

IV. Mandatory or optional nature of the supply of personal data and consequences of the refusal to answer

The provision of User’s Personal Data for the purposes referred to in points II.a) and II.b) above is mandatory. Any refusal to provide the requested data could make it impossible to create an account and to enjoy the App’s services.

The provision of User’s Personal Data for the purposes referred to in points II.c) and II.d) above is optional. Any refusal to provide such data will not result in any detrimental consequences within the use of the App.

The processing of User’s Personal Data for the purposes referred to in points II.f) II.g), II.h) and II.i) above occurs on the basis of the legitimate interest of the Data Controller, pursuant to art. 6(1)(f) of the GDPR. In any case, Data Subjects can at any time exercise the rights referred to in point no. VII to have such processing ceased.

The processing of Personal Data for the purposes referred to in points II.e) above is optional. Any refusal to provide such data will not result in any detrimental consequences within the use of the App.

V. Recipients of Personal Data

Personal Data may be disclosed to the following categories of recipients:

1. public, judicial or police authorities, within the limits established by applicable laws and regulations;

2. third parties carrying out activities that are related or instrumental to the Data Controller’s activities, as outsourced data processors duly appointed in writing by the Company in accordance to the Applicable Privacy Laws or acting as autonomous data controllers (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers, suppliers of mobile marketing services).

The complete and updated list of such entities is available for consultation, upon request, at the Company’s headquarters or by sending an email to info@appnap.io.

Users’ data will not be disclosed, unless such disclosure is deemed necessary for the fulfillment of legal obligations and/or regulations.

The Company will not share the Personal Data with other third parties for any reason other than those stated above.

VI. Transfer of Personal Data outside EEA

The Company may also transfer personal data of the Data Subjects to countries located outside the European Economic Area (EEA). In such cases, the Company will make sure that such transfer is based on appropriate safeguards listed in the GDPR, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission concerning the States in which the addressees are based; (c) binding corporate rules adopted by the Company and approved by the competent authorities or that are parties of agreements with the Company in this regard.

Copies of appropriate warranties are available on request at the holder's office or by sending an email to info@appnap.io.

VII. Rights of the Data Subjects

The Users, at any time and free of charge, can have and/or exercise the following rights, as specified in the GDPR:

1. the right to be informed on the purposes and methods of the processing;

2. the right of access;

3. the right to obtain a copy of the data held overseas and obtain information concerning the place in which such data are kept;

4. the right to ask for updating, rectification or integration of the data;

5. the right to request the cancellation, anonymization or blocking of the data;

6. the right to restrict the processing;

7. the right to object to the processing, wholly or partly, also where it is carried out through automated individual decision-making, including profiling;

8. the right to withdraw the consent to the processing of the data freely and at any time – in such a case, the processing carried out before withdrawal of consent shall remain valid;

9. the right to data portability, (i.e. to receive an electronic copy of User’s personal data, if the User would like to port his/her personal data to himself or a different provider);

10. the right to limitation of the processing.

Data Subjects also have the right to lodge a complaint before the competent national data protection or judicial authority.

For the exercise of their rights, Users may go to https://privacy.bendingspoons.com/?app=1099771240 and follow the instructions, or contact the Data Controller, in writing by sending a letter with proof of receipt to the Company’s headquarters.

If a Data Subject is under the age of 18 in California, in certain circumstances, he/she may request and obtain removal of Personal Data or content shared by him/her and posted on the App. To make any request pursuant to California privacy law, please send an email to info@appnap.io. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information posted on the App by the User and that there may be circumstances in which the law does not require or allow removal even if requested.

VIII. Automated decision-making

No entirely automated decision-making is carried out within the processing of the Users’ Personal Data (there included profiling under Article 22(1) and 22(4) of GDPR).

IX. Third party websites and apps

The App may include links to other websites or apps operated by third parties. The practices described in this policy do not apply to data gathered through these third party websites and apps. The Company has no control over, and is not responsible for, the actions and privacy policies of third parties and other websites and apps.

X. Changes and updates of this policy

The Company may modify, integrate and/or update, in whole or in part, this policy, also in view of future changes that may involve the Applicable Privacy Laws. It is understood that any modification, integration or update will be communicated to the Data Subjects promptly and on time via email or at the time of the start of the Application. In this regard, it could be required to the User to read the new version of the policy and to accept it before continuing to use the App.

Date of last amendment: October 9, 2019