Privacy Policy

This privacy notice (the “Notice”) applies to the processing of data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“Personal Data”) of the users of this App (the “User/s,” the “Data Subject/s”, or “your”) carried out by Bending Spoons S.p.A., based in Corso Como 15, Milan (Italy) (the “Data Controller,” the “Company,” “we, or “our”) through the mobile application called “Sleep” (the “App”) in accordance with Regulation (EU) 2016/679 – General Data Protection Regulation or the “GDPR” – as well as the Italian Legislative Decree 196/2003 (as amended), United States federal and state laws, and other applicable local laws, as amended or replaced (jointly, the “Applicable Privacy Laws”).

I. Data Controller’s contact details

The Data Controller is Bending Spoons S.p.A., based in Corso Como 15, Milan (Italy).

Email: [email protected]

II. Categories and pieces of Personal Data that we collect; Purposes and legal basis for our use and processing

The Company processes the following categories of Personal Data, for the purposes and on the legal bases indicated below. The Company collects this information when Data Subjects create an account, make purchases within the App, or contact the Company with questions or comments. The Company also uses tracking tools to automatically collect information when the Data Subject uses the App.

Categories and pieces of Personal Data

Purpose(s) for our collection and use

Legal basis for our collection and use

Identifiers: Contact information (such as name and email address), IP address.

(a) To enable Users to use the App (e.g. to create or modify User’s account, to allow the User to use the App, to send technical information about how the App works).

(b) To prevent, detect, and investigate wrongdoing, and to fulfill Company’s legal obligations and any other obligation potentially arising from the authorities’ instructions.

(c) To send marketing communications through electronic means on special offers related to the Data Controller’s products and services.

(d) To carry out activities aimed at improving the User experience (e.g. market research, statistical analysis, or other research aimed at improving products and services, as well as to assess customer satisfaction in relation to App’s services).

(e) To inform Data Subjects of progresses and targets that he/she achieved through the use of the App (for example by congratulating the Users), as well as new features and functionalities of the App.

(f) To process any request for information and/or clarification raised by the Data Subjects (also by allowing them to contact the Data Controller’ support staff).

(a) The legal basis for the processing is the performance of a contractual relationship with the User (art. 6(1)(b) of the GDPR).

(b) The legal basis for the processing is the compliance with a legal obligation to which the Data Controller is subject (art. 6(1)(c) of the GDPR).

(c) The legal basis for the processing is consent of the Data Subject (art. 6(1)(a) of GDPR).

(d) The legal basis for the processing is legitimate interest of the Data Controller (art. 6(1)(f) of GDPR). The legitimate interest of the Data Controller is to improve its products and services.

(e) The legal basis for the processing is the legitimate interest of the Data Controller (art. 6(1)(f) of GDPR). The legitimate interest of the Data Controller is to update the Users on the progresses reached through the App and its functionalities.

(f) The legal basis for the processing is the legitimate interest of the Data Controller (art. 6(1)(f) of GDPR). Legitimate interest of the Data Controller is to process and give proper feedback to any request raised by the Data Subject.

Internet and Network Activity Information: Information about your interactions with and use of the App (Your device model, device type, operating system version, ID univocally assigned by the Company to each device, device language, device name, country as set by the User in the settings of the device, IDFA or AAID, information about the content and screens you access in the App, buttons you tap within the App, options and settings you select within the App, and other related information about your usage of the App.

(a) To enable Users to use the App (e.g. to create or modify User’s account, to allow the User to use the App, to send technical information about how the App works, to improve the App experience).

(b) To carry out activities aimed at improving the User experience (e.g. market researches, statistical analysis, or other researches aimed at improving products and services, as well as for assess customers satisfaction in relation to App’s services).

(a) The legal basis for the processing is the performance of a contractual relationship with the User (art. 6(1)(b) of the GDPR).

(b) The legal basis for the processing is legitimate interest of the Data Controller (art. 6(1)(f) of GDPR). The legitimate interest of the Data Controller is to improve its products and services.

Commercial Information: Records of your transaction history and purchases within the App.

(a) To enable Users to use the App (e.g. to process transactions and enable access to the App).

(b) To send marketing communications through electronic means on special offers related to the Data Controller’s products and services.

(c) To carry out activities aimed at improving the User experience (e.g. market research, statistical analysis, or other research aimed at improving products and services, as well as to assess customer satisfaction in relation to the App’s services).

(a) The legal basis for the processing is the performance of a contractual relationship with the User (art. 6(1)(b) of the GDPR).

(b) The legal basis for the processing is consent of the Data Subject (art. 6(1)(a) of GDPR).

(c) The legal basis for the processing is legitimate interest of the Data Controller (art. 6(1)(f) of GDPR). The legitimate interest of the Data Controller is to improve its products and services.

Characteristics of protected classifications: Gender and date of birth

To enable Users to create or modify User’s account, and to verify age for eligibility purposes.

The legal basis for the processing is the performance of a contractual relationship with the User (art. 6(1)(b) of the GDPR).

Any other information which may be requested under authorities’ instructions.

To fulfill Company’s legal obligations and any other obligation potentially arising from the authorities’ instructions.

The legal basis for the processing is the compliance with a legal obligation to which the Data Controller is subject (art. 6(1)(c) of the GDPR).

Potential further information inserted within the contents of Data Subject’s request.

To process any request for information and/or clarification raised by the Data Subjects (also by allowing them to contact the Data Controller’ support staff).

The legal basis for the processing is the legitimate interest of the Data Controller (art. 6(1)(f) of GDPR). The legitimate interest of the Data Controller is to process and give a proper feedback to any request raised by the Data Subject.

III. Sharing your Personal Data

We may share or disclose your Personal Data to the following categories of recipients:

  1. public, judicial or police authorities, within the limits established by applicable laws and regulations;
  2. vendors carrying out activities that are related or instrumental to our business and operational activities, as outsourced data processors duly appointed in writing by the Company in accordance to the Applicable Privacy Laws or acting as autonomous data controllers (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers, suppliers of mobile marketing services, in case this Notice refers that marketing activities are performed).

The complete and updated list of such entities is available for consultation upon request at our mailing address above or by sending an email to [email protected] Your Personal Data will not be disclosed for any reason other than those stated above, unless such disclosure is deemed necessary for the fulfillment of legal obligations and/or regulations.

IV. Your rights with respect to your Personal Data

At any time and free of charge, you can have or exercise the following rights, as specified in Applicable Privacy Laws:

  1. the right to be informed on the purposes and methods of the processing of your Personal Data;
  2. the right of access;
  3. the right to ask for the updating, rectification or integration of your Personal Data;
  4. the right to request the deletion or erasure of your Personal Data, subject to certain exceptions under Applicable Privacy Laws;
  5. the right to restrict the processing of your Personal Data;
  6. the right to object to the processing, wholly or partly, also where it is carried out through automated individual decision-making, including profiling;
  7. the right to withdraw the consent to the processing of the data (in such a case, the processing carried out before withdrawal of consent shall remain valid);
  8. the right to data portability (i.e. to receive a portable copy of your Personal Data);

You also have the right to lodge a complaint before the competent national data protection or judicial authority.

To exercise any of these rights, you may contact us, in writing by sending a letter with proof of receipt to our mailing address above, by sending an email to [email protected] or by clicking here. We may take reasonable steps to verify your identity prior to responding to your requests.

V. Your choices with regard to the use of your Personal Data

The provision of User’s Personal Data for the purposes enabling User to use the App or to enable Data Controller to comply with legal obligations is mandatory. Any refusal to provide the requested data or allow us to use the requested data could make it impossible to create an account and to enjoy the App’s services.

The provision of User’s Personal Data for the purpose of receiving Data Controller’s marketing communications is optional. Any refusal to provide such data will not result in any detrimental consequences within the use of the App. To opt out of receiving such marketing communications, Data Subjects can follow the instructions within any marketing message the Data Controller sends, or update their settings within the App.

The provision of User’s Personal Data for the purposes improving your experience with the App occurs on the basis of the legitimate interest of the Data Controller, pursuant to art. 6(1)(f) of the GDPR. Data Subjects can at any time restrict or modify Data Controller’s collection and use of such Personal Data by updating their settings within the App.

User may manage how User’s mobile device shares certain information with the Company by adjusting the privacy and security settings on the mobile device. Users should refer to instructions provided by their mobile service provider or the manufacturer of their device to learn how to adjust User’s settings.

VI. Transfer of Your Personal Data

We may transfer your Personal Data to countries located outside the country where it was collected. In such cases, we will make sure that such transfer is based on appropriate safeguards in accordance with Applicable Privacy Laws, including, if such transfer is from the European Economic Area to another country: (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission concerning the States in which the addressees are based; (c) binding corporate rules adopted by the Company and approved by the competent authorities or that are parties of agreements with the Company in this regard.

Copies of appropriate warranties are available for consultation upon request at our mailing address above, or by sending an email to [email protected]

VII. Data Storage and Protection

Personal Data may be processed by both paper and electronic means. We may store your Personal Data at our and our services providers’ premises. We adopt technical and organizational measures designed to prevent the loss, improper use, or alteration of Personal Data. However, transmissions over the Internet are never 100% secure, and we cannot guarantee the security of your Personal Data.

Personal Data processed to fulfill legal obligations and obligations related to the use of the App will be kept for a period not exceeding the one necessary for said purposes and, in each case, for no more than 10 (ten) years after the cancellation of your App account, except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

Personal Data processed for our marketing purposes will be kept for no more than two years from their collection except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

Personal Data processed to improve your experience with the App will be kept for no more than two years after the cancellation of your App account, except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

VIII. Children’s Personal Data

This App is not intended for children under the age of 16. The Company does not knowingly collect Personal Data from children under the age of 16. If you believe we have received Personal Data from children under the age of 16, please email us at [email protected]

IX. Automated decision-making

No entirely automated decision-making is carried out within the processing of the Users’ Personal Data (under Article 22(1) and 22(4) of GDPR).

X. Third party websites and apps

The App may include links to other websites or apps operated by third parties. The practices described in this Notice do not apply to data gathered through these third party websites and apps. We have no control over, and are not responsible for, the actions and privacy policies of third parties and other websites and apps. Please read the applicable privacy policies to learn how those third parties collect and process data.

XI. Changes and updates of this Notice

We may modify, integrate and/or update, in whole or in part, this Notice. We will notify you of any modification, integration or update in accordance with Applicable Privacy Laws.