OPTO PRIVACY AND COOKIE POLICY

Information pursuant to Art. 13 of EU Regulation 2016/679 on Personal Data Protection (the “GDPR”) and Legislative Decree No. 196/2003 (the Italian “Code on Personal Data Protection”) as amended by Legislative Decree No. 101/2018.

This document is intended for all natural persons (agents acting on their own behalf or as legal representatives / attorneys of legal persons, hereinafter referred to as “Users”), who register at and interact with the OPTO website and application (hereinafter, “OPTO”).

1. PREAMBLE

OPTO has been created, developed and managed by Payment Technologies S.r.l. (hereinafter, “Paytec”), in connection with the e-money payment system issued by Mangopay S.A. (hereinafter, “Mangopay”), of which Paytec is an agent in the provision of payment services.

Paytec and Mangopay will process the personal data provided by the Users upon registration and completion of their personal profile, acting as joint controllers (individually as “Joint Controller” and jointly as “Joint Controllers”) or as independent data controllers (individually as “Independent Controller” and jointly as “Independent Controllers”) in compliance with the provisions of EU Regulation 679/2016 (hereafter GDPR) and of the Italian Legislative Decree of 30 June 2003 No. 196 (the Italian “Privacy Code”) as amended by Legislative Decree of 10 August 2018 No. 101.

In particular:

- Paytec and Mangopay, acting as Joint Controllers, shall process the personal data collected upon the request to open an E-Money Payment Account, which takes place simultaneously with OPTO registration;

- Paytec, acting as an Independent Controller, shall process the personal data provided by Users as part of their use of the services strictly related to OPTO, with the exclusion of data necessary for managing the operation of the E-Money Payment Account, as well as for other purposes related to the use of the application, as described herein, and for marketing and profiling (subject to free and express consent in this regard);

- Mangopay, acting as an Independent Controller, will process the personal data provided by Users as part of their specific payments and management activities related to their E-Money Payment Account. In this case, Paytec may be considered only as external processor of personal data, in the name and on behalf of Mangopay and acting exclusively within the instructions provided by the latter. The processing carried out by Mangopay, as an Independent Controller and as a Joint Controller, is described in the Mangopay Privacy Policy which is available at www.mangopay.com/privacy, to which reference is made.

PRIVACY

This information is therefore provided with reference only to the processing operations carried out by Paytec as an Independent Controller and/or as a Joint Controller.

2. THE DATA CONTROLLER

Payment Technologies S.r.l., with registered office in Milan (MI), Via F. Filzi No. 47, and headquarters in Rovellasca (CO), Via XX Settembre No. 20, Tel. +39029696141, Fax +390296961414, Certified Email Address payment.technologies@legalmail.it, email opto@paytec.it, represented by its Legal Representative

pro tempore, is an Independent Controller of the processing of the personal data provided by Users upon registration with OPTO and when using the additional services provided by the application, excluding management of the E-Money Payment Account.

Paytec is the Joint Controller of the processing of the personal data provided by Users upon registration with OPTO and/or subsequently for managing requests to open an E-Money Payment Account, along with Mangopay S.A., a company governed by Luxembourg law with registered office in the Grand Duchy of Luxembourg (EE), Luxembourg, 10 Boulevard Royal, Tel. +35227862186, represented by its Legal Representative pro tempore. Mangopay has appointed a Data Protection Officer whom Users may contact directly by sending an email to dpo.mangopay@mangopay.com.

3. TYPE OF DATA AND PROCESSING

Paytec mainly processes common personal data.

It may also process particular personal data, namely:

- biometric information solely to increase the safety level of OPTO access;

- information relating to the health, as inferred from processing information concerning eating habits, purchase history and the nutritional information of the individual products purchased.

The conferment of such particular data is optional and the respective processing can be carried out only with the express consent of the interested party.

Provision of required personal data is necessary to complete the registration process, to purchase products in the vending machines and/or to receive assistance; therefore, missing or partial provision of this sort of data shall make it impossible to access the services provided by Paytec. Mandatory personal data is indicated with an asterisk (*).

The provision of non-mandatory personal data is optional; therefore, missing or partial provision of this sort of data shall not prevent access to OPTO and the related services.

In consideration of the provisions of Art. 4 of the GDPR, the processing of personal data carried out by Paytec consists of any operation or set of operations, performed with or without the aid of automated means, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure and destruction.

4. PURPOSE OF THE PROCESSING

Paytec, as a Joint Controller, processes the personal data provided by Users to:

a. manage requests for the opening and Use of Mangopay E-Money Payment Account.

Paytec, as an Independent Controller, processes the personal data provided by Users to:

b. allow for OPTO registration and the creation of a personal profile;

c. make it possible to view the Mangopay E-Money Payment Account and to use it for purchasing the products in vending machines;

d. enable the opening and management of a Limited Spending Account, as well as to manage and use it for purchasing the products in vending machines belonging to the Usual Operator;

e. store data and information in personal profiles, including biographical data, the payment transaction history, re-crediting and reimbursement operations, the Usual Operator, and remaining account balances (in E-Money Payment Accounts and in Limited Spending Accounts);

f. manage customer service;

g. allow for consultation of nutritional information pertaining to the purchased products;

h. store a record of the eating habits based on purchase history;

i. geolocate the User's enabled Device in order to identify vending machines equipped with an OPTO reader;

j. receive commercial information from Paytec and/or the vending machine Operators affiliated with OPTO;

k. profile Users in order to send personalized commercial communications and/or carry out targeted promotional actions;

l. fulfil any obligations under current laws, regulations or community legislation, or to satisfy requests from the Authorities.

The legal basis for the processing of personal data for the purposes referred to in sections a) to f) is Art. 6(1)(b) GDPR ([…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), insofar as such processing is necessary for the provision of the services requested to Paytec.

With regard to sections g) to k), the legal basis for processing is the consent provided by the User (Article 6(1)(a) GDPR). The provision of personal data for these purposes is optional, but failure to provide it, depending on the case, may make it impossible to activate the services requested.

The purpose referred to in section l) represents a legitimate cause for data processing in accordance with Art. 6(1)(c) of the Regulation ([…] a processing is necessary for compliance with a legal obligation to which the controller is subject). Once personal information has been provided, its processing is necessary to fulfil the legal obligations to which Paytec is subject.

5. PROCESSING PROCEDURE AND STORAGE TIME

Personal data, in accordance with the provisions of Art. 5 of the GDPR, is treated in a lawful, fair and transparent manner using automated tools operated by specifically appointed individuals for the time strictly necessary to achieve the purpose(s) for which such data has been collected, and in particular:

Once the storage terms indicated above have passed, the personal data will be destroyed, deleted or made anonymous, in accordance with the applicable technical cancellation and backup procedures.

6. TRANSFER OF THE DATA TO THIRD PARTIES

Collected personal data which is neither particular nor sensitive may be disclosed, for the purposes indicated in Article 4 sections j) and k), to the vending machine Operators affiliated with OPTO, to the suppliers of the products sold in the aforementioned vending machines, and to any third-party service providers. The interested person may receive a complete list of third parties to whom Paytec may transfer their data by writing to opto@paytec.it.

Additionally, without the need for express consent (pursuant to Articles 6(1)(b) and 6(1)(c) GDPR), the Data Controller may disclose his/her data to Supervisory Bodies and Judicial Authorities, as well as to those subjects or entities to whom such communication is required by law for the aforementioned purposes. Such subjects or entities shall then process the information in their respective capacity as independent data controllers.

7. RIGHTS OF THE INTERESTED PARTY

Paytec guarantees Users that they can exercise the rights provided by the GDPR at any time.

In particular, the following rights are guaranteed:

- to know if the Controller holds and/or processes his/her personal data and to access it completely, as well as obtaining a copy (Art. 15 - Right of access);

- to correct or rectify any inaccurate personal data or to complete any incomplete personal data (Art. 16 - Right to rectification);

- to erase the personal data held by the Controller if any of the reasons provided for by the GDPR apply (Art. 17 - Right to erasure);

- right to request for the Controller to limit the processing to only certain personal data if any of the reasons provided for by the GDPR apply (Art. 18 - Right to restriction of processing);

- to request and receive all the personal data processed by the Controller in a structured format commonly used and readable by automatic devices or to request its transfer to another Controller without impediments (Art. 20 - Right to data portability);

- right to object, in whole or in part, to the processing of the data for the purpose of sending advertising materials and market research (Article 21 - Right to object);

- to object, in whole or in part, to the processing of the data in automated or semi-automated manners for the purpose of profiling (Art. 22 - Right to object to automated decision-making).

These rights may be exercised by communicating with Paytec, as an Independent Controller and/or as the Joint Controller of the processing, at the following email address: opto@paytec.it.

It is always possible to submit a complaint with the Italian Data Protection Authority by writing an email to garante@gpdp.it or by visiting the site http://www.gpdp.it.

COOKIES

1. BROWSING DATA (TECHNICAL COOKIES)

While browsing, the data being processed only include the IP addresses or domain names of the computers used by Users connecting to the site www.optopayment.com, the time of the request, and other parameters related to the operating system and User's IT situation.

This data is used solely for the purpose of obtaining anonymous statistical information on the use of the site and to check its correct operation.

September 2018