PRIVACY POLICY FOR REGISTERED USERS

Pursuant to and for the purposes of Article 13 of EU Regulation no. 2016/679 (hereinafter ‘Regulation’ or ‘GDPR’), we provide the following information regarding the processing of your personal data provided for the purposes of the online psychological support service provided by Unobravo (‘Unobravo’), also as joint data controllers (see the related policy under paragraph B.) with the individual professionals who provide the professional service.
A. PROCESSING FOR WHICH UNOBRAVO IS THE SOLE CONTROLLER
1. Data controller
The data controller is Unobravo S.r.l. Società Benefit, based in Naples (NA), Via Giovanni Porzio 4 - Isola B2 – 80143, VAT and Tax Code 09516691210
Unobravo operates as an independent data controller of the personal data provided by the data subject, both of common information (personal and identification data) and data falling into special categories (including information relating to health status) for the purposes and within the terms described below.
2. DPO contact details
The contact details of the DPO are as follows:
3. Why we process your data (processing purpose and legal basis)
Unobravo operates as the data controller of the personal data provided by the data subject for the purposes and within the terms described below:
  1. for treatment, diagnosis, rehabilitation and prevention purposes using online methods (‘online session’) and the provision of related services (for example, programming and planning of activities and service communications, e.g. sending reminders about appointments with professionals, communications regarding billing and payments, any changes to contractual conditions, system updates, service functions, relevant regulatory changes, contractual deadlines, scheduled service interruptions, resolution of problems, etc.), including the professional’s ‘matching’ service, personalisation services for psychological support services as well as, during the support process, to provide interested parties with tools to monitor the historical trend of psychological support.The data is collected and processed during the initial questionnaire to enable the platform to assign you the most suitable Unobravo professional based on the answers you provide and collected in the questionnaire. These answers will be made available to the selected professional who will then be able to make a better assessment of the most suitable treatment programme for you. In the professional’s proposal, a comparison is made between the needs and requirements declared by you in the questionnaire in relation to the features of the service provides, in order to verify their suitability. In addition to the data collected through the initial questionnaire, for the purposes referred to in this paragraph, the data on the use of the platform and, subject to the consent of the data subjects, data collected from professionals will be collected and processed.For common data, the legal basis for processing lies in the execution of the contract or in the execution of pre-contractual measures adopted at the request of the data subject, pursuant to Article 6, paragraph 1, lit. b) of the GDPR; for data belonging to special categories, it lies in the need for diagnosis, assistance or therapy pursuant to Article 9, paragraph 2, lit. h) of the GDPR or, for the purposes of monitoring the historical progress of therapy by the data subjects, their consent expressed pursuant to Article 6, paragraph 1, lit. a) GDPR.
  2. For the performance of administrative, tax and accounting activities and in general for the fulfilment of legal obligations.
    For common data, the legal basis for processing lies in the fulfilment of legal obligations pursuant to Article 6, lit. c) of the GDPR; for data belonging to special categories, it lies in the need for diagnosis, assistance or therapy pursuant to Article 9, paragraph 2, lit. h) of the GDPR, in the public interest pursuant to Article2-sexies, lit. t) of Italian Legislative Decree 196/2003 and subsequent amendments (‘Privacy Code’).
  3. For the purpose of improving the service provided by Unobravo.
    As part of this purpose, data relating to the use of the service and those collected through automatic tracking systems and specific surveys or questionnaires will be used to evaluate the performance of the services provided by Unobravo and its professionals in order to improve them, along with user satisfaction levels. User satisfaction surveys are conducted in a personalised or anonymous form. In the first case, the data is collected and processed purely in relation to the purpose. Participation in all surveys is on a voluntary basis, so by not participating you will be able to object to the collection of personal data. In the latter case, personal data is not collected.Unobravo may also use the data collected with the initial questionnaire and specific further surveys or other data collected through automatic tracking systems (information regarding the actual receipt of communications and/or reception/shipping errors) even beyond the storage period provided for in section 6 below, after anonymising them by eliminating user identification data or pseudonymisation, for internal uses to constantly improve the service provided.For common data, the legal basis for processing lies in the legitimate interest of Unobravo pursuant to Article 6, paragraph 2, lit. f) of the GDPR, attributable in particular to the need to improve the services provided to users; for data belonging to special categories, it lies in the consent pursuant to Article 9, paragraph 2, lit. a) of the GDPR expressed by the data subject.
  4. To conduct studies and scientific research in the medical field
    .     Unobravo participates in research projects (both internal ONES and in collaboration with other centres) in order to improve therapeutic performance and contribute to the general development of medical knowledge. The research will be carried out using anonymous data that makes it impossible to identify the data subject. Fully ‘anonymised’ data does not meet the criteria necessary to qualify as personal data and, as a result, does not fall within the scope of the GDPR.In the event that the research project carried out with another party (universities, medical centres, etc.) requires the identification of the data subjects, the processing will be carried out upon prior communication of specific information and only with the explicit consent of the data subject. To further protect confidentiality, the information and health data used in such research and studies in such cases may be deprived of the data subject’s identification and marked with a code consisting of letters and numbers, which does not allow to directly trace the identity of the data subject. The list that allows this code to be associated with the identification data of the data subjects will be held exclusively by the Principal Investigator and kept as confidential documentation.
  5. For marketing activities.
    With your express consent, we may contact you by email and/or other means of communication to inform you about content and initiatives promoted by Unobravo and its Partners.

    The legal basis for processing lies in consent pursuant to Article 6, paragraph 1, lit. a) of the GDPR.

    With your express consent, in order to send you information about content and initiatives promoted by Unobravo and its Partners and to include or exclude you from other types of promotional messages, we may use your personal data (i.e. personal and contact data, information about the services to which you have expressed your interest and browsing information on our services) in order to learn more about your tastes and habits, also by including you in sets of users with habits and tastes similar to yours, thus offering you a personalised experience about the type of information and messages you will receive.

    The legal basis for processing lies in consent pursuant to Article 6, paragraph 1, lit. a) of the GDPR.

    Pursuant to Article 130, paragraph 4, Italian Legislative Decree 196/03, we may send information by email about our services or products similar to those provided by us. At the time of data collection and when sending any communication made for these purposes, you will be informed of the possibility of objecting to processing, easily and free of charge, through the procedures indicated in the communications received or as better described below.

    The legal basis for processing lies in the legitimate interest of Unobravo pursuant to Article 6, paragraph 1, lit. f) of the GDPR.
  6. For defensive purposes, in extrajudicial and/or judicial proceedings of a civil, criminal or administrative nature, the legal basis for processing common data lies in the legitimate interest of Unobravo pursuant to Article 6.1 lit. f) of the GDPR; for data belonging to special categories, it lies in the need to ascertain, exercise or defend a right in court pursuant to Article 9.2 lit. f) of the GDPR.
  7. For the verification and improvement of the quality of care, service and assistance. For the purposes of monitoring, assessing and improving the effectiveness and functionality of the services provided, the appropriateness and quality of care as well as health risk factors, both provided for by law (for which the patient’s consent is not necessary) and in addition to the latter. Namely, the Data Controller aims to evaluate and compare (also between groups of users or the population) the adequacy, appropriateness, effectiveness, efficiency and functionality of the assistance and service provided, in order to improve the quality of care and services, also with reference to specific diseases or health problems, possibly by sharing specific surveys and questionnaires completed by users with professionals who work through the platform to enable them to introduce any changes in the psychological support programme. In these cases, the legal basis for processing common data lies in the legitimate interest of Unobravo to maintain the high quality of the psychological support services provided and to improve them, pursuant to Article 6.1 lit. f) of the GDPR and for data belonging to special categories, in the consent expressed by the data subject pursuant to Article 9, paragraph 2, lit. a) of the GDPR.

    Please bear in mind that if you do not express your consent where required for the processing referred to in this paragraph, we will not be able to use the data for the aforementioned analyses, but you will still be able to use the services provided by the platform. Unobravo also intends to participate in surveillance systems and registers provided for by law. For the use of data in the context of these activities, it is not necessary to collect consent since it is provided for by the GDPR (Article 9, paragraph Article 2, lit. i) ‘processing necessary for the guarantee of high quality and safety parameters of health care and medicines and medical devices, provided for by law’).
4. Types of data and nature of their provision
The following data is processed:
  1. Common data, such as: name, email, tax code, country of residence, payment details;
  2. Data belonging to particular categories, such as: information relating to the health status related to the request for therapeutic help made by the data subject and personal events.
The provision of data is necessary for the provision of the service. 
The provision of data for the purposes referred to in sections 3.a, 3.e. and 3.g is optional.
In the case of non-anonymous surveys, it will be sufficient not to participate in the survey in order not to result in the processing.
5. Data recipients and processing methods
The data will be processed by employees and collaborators of Unobravo specifically authorised and instructed by the latter and will be shared, for the purpose of carrying out the service, with the assigned professional and, where appropriate, with the Medical Director in compliance with the principle of necessity. Moreover, the data may also be processed, within the limits of the principles of minimisation and necessity (i) by public and private entities, bodies, insurers and institutions in accordance with the provisions of current legal provisions and Regulations, (ii) by public and private entities (for example, your employer, your insurance company) when using any vouchers, discount codes or vouchers generated by Unobravo for you at the request of the aforementioned parties and (iii) by third parties who carry out activities for Unobravo instrumental to the achievement of the specified purposes. The latter parties have adequate guarantees regarding the protection of the data subject’s personal data and are appointed Data Processors pursuant to Article 28 of the Regulation.

The data will be processed almost exclusively with computer and electronic tools with logics designed to guarantee the confidentiality, integrity and availability of the data itself. In any case, personal data will not be disclosed in any way.

In the context of the online session, images and communications will not be recorded or stored. Images and communications will be processed in real time and only for the duration of the online session.

Unobravo may also, exclusively with your express and optional consent, communicate or transfer the data to third parties for the purpose identified in section 3 lit. e) above. Failure to provide your consent will make it impossible for Unobravo to communicate or transfer your personal data to third parties to allow for independent marketing purposes.
6. Retention period
For the purposes referred to in section3lit. a, the data will be kept for a period of time equal to:
  1. 36 (thirty-six) months from the termination of the account associated with the data subject on the Unobravo platform;
  2. if the data subject does not register on the platform after completing the questionnaire, the data collected through them, where necessary, will be anonymised or deleted.
For the purposes referred to in section 3 lit. b, the data will be kept for the period provided for by the legislation, namely for 10 years for accounting, tax and administrative needs;
For the purposes referred to in section 3 lit. c
  • the data will be kept for 36 (thirty-six) months from the termination of the account associated with the data subject on the Unobravo platform;
  • data collected with automatic tracking systems will be kept for 24 months from each individual tracking event.
For the purposes referred to in section 3 lit. d, the anonymised data will be kept for an unlimited period of time. If research has been carried out jointly with another party who has led to the collection of identification data, with the consent of the data subject, said data will be kept for a period of time for the entire duration of the study or research project, and in any case for a period of time equal to 36 (thirty-six) months from the termination of the account associated with the data subject on the Unobravo platform and in any case until the user withdraws the consent to the treatment or for a different period of time indicated in any specific information.

For the purposes referred to in section 3 lit. e, the data will be kept for 36 months from the expression of consent unless withdrawn by the data subject.

For the purposes referred to in section 3 lit. f, the data will be kept for the period required to defend or exercise the right in court.

For the purposes referred to in section 3 lit. g, the data will be kept for 36 months from the termination of the account associated with the data subject on the Unobravo platform and after that period it will be anonymised.
7. Transfer to third countries and guarantees
Your personal data will not be transferred to non-EU countries. In the event that the non-EU transfer is necessary for the provision of the service, personal data will be transferred to countries or international organisations outside the European Union (or the European Economic Area) that guarantee an adequate level of protection, recognised pursuant to Article 45 of the GDPR, on the basis of an adequacy decision of the EU Commission. In cases where the Commission has not adopted any adequacy decision pursuant to Article 45 of the GDPR, the transfer will only take place in the presence of adequate guarantees provided by the recipient country or organisation, pursuant to Article 46 of the GDPR and provided that the data subjects have enforceable rights and effective remedies. In the absence of an adequacy decision of the Commission, pursuant to Article 45 of the GDPR, or adequate guarantees, pursuant to Article 46 of the GDPR, including binding corporate rules, the cross-border transfer will only take place if one of the conditions indicated in Article 49 of the GDPR occurs.
8. Rights of the data subject
According to the European Regulation, you have the right to request:
  1. access to your personal data (so to know what personal data we hold);
  2. the correction of inaccurate data or the integration of incomplete data (in case some of your data has undergone changes, such as a new email);
  3. the deletion of personal data (upon the occurrence of one of the conditions indicated in Article 17, paragraph 1 of the GDPR and in compliance with the exceptions provided for in paragraph 3 of the same article);
  4. the limitation of the processing of your personal data, when one of the cases specified in Article 18, paragraph 1 of the GDPR;
  5. opposition to the processing (for example, if you notice that your data is processed in a manner that does not comply with this policy);
  6. request and obtain your personal data in a structured and machine-readable format, also in order to communicate such data to another data controller (right to portability);
  7. withdraw consent at any time, limited to cases in which the processing is based on consent for one or more specific purposes and concerns common personal data (for example, date and place of birth or place of residence) or special data categories (for example, data that reveals racial origin, political opinions, religious beliefs, health status or sexual life). Processing based on consent and carried out prior to revocation of the same shall, however, retain its lawfulness.
  8. propose a complaint to a supervisory authority (Personal Data Protection Authority).
9. How to exercise your rights
You can exercise your rights at any time by sending an email to privacy@unobravo.com 
B. PROCESSING CARRIED OUT BETWEEN UNOBRAVO SRL SB AND THE PROFESSIONAL AS JOINT DATA CONTROLLERS
1. Joint data controllers
The processing of personal data acquired in the context of the provision of services provided by Unobravo provides, for the specific purposes described below, a joint data controller regime between the following parties:
  1. Unobravo S.r.l. Società Benefit, based in Naples (NA), Via Giovanni Porzio 4 - Isola B2 - 80143, VAT and Tax Code 09516691210)
    Certified email address: unobravo@pec.it
    E-mail: info@unobravo.com
    and
  2. The professional who provides the professional service in the context of the online psychological support service provided by Unobravo (hereinafter the ‘Professional’)
An internal agreement as joint data controllers has been concluded between the aforementioned joint data controllers that outlines their respective responsibilities, pursuant to Article 26 of the GDPR, available at the request of the data subject to be sent to the following email address: privacy@unobravo.com
2. DPO contact details
The contact details of the DPO are as follows: DPO@unobravo.com
3. Joint data processing purpose and legal basis

PURPOSE

LEGAL BASIS

Administrative and management purposes related to the provision of healthcare services

‘COMMON’ DATA
Article 6, paragraph 1, lit. b) and c) of the Regulation
SPECIAL CATEGORIES OF DATA
Article 9, paragraph 2, lit. h) of the GDPR; Article 2-sexies of the Privacy Code

Protection of the health of the data subject or third parties, in particular sharing the data collected through the questionnaire for the correct assessment of the psychological support programme

‘COMMON’ DATA
Article 6, paragraph 1, lit. b) of the Regulation
SPECIAL CATEGORIES OF DATA
Article 9, paragraph 2, lit. h) of the Regulation

4. Types of data processed and nature of its provision

TYPE OF DATA PROCESSED

‘Common’ personal data identifying the data subject (e.g. personal data, tax code, payment data)

Special categories of personal data pursuant to Article 9 of the Regulation (e.g. healthcare data) collected when completing the questionnaire to use the online psychology service

NATURA CONFERIMENTO

Required to access the service.
Failure to provide it will result in the impossibility for the joint data controllers to provide the requested service

5. Data recipients and processing methods
The data will be processed with paper-based methods and with computer and electronic tools with logics designed to guarantee the confidentiality, integrity and availability of the data itself exclusively for the aforementioned purposes, by employees and collaborators specifically authorised and instructed by each Joint Data Controller. Personal data may be shared with the Medical Director and processed by public and private entities, bodies and institutions in accordance with the provisions of current legal provisions and Regulations. The data may also be processed by third parties who carry out activities for the Joint Data Controllers instrumental to the achievement of the specified purposes. These parties have adequate guarantees regarding the protection of the data subject’s personal data and are appointed Data Processors by the Joint Data Controllers pursuant to Article 28 of the Regulation. In any case, personal data will not be disclosed in any way.
6. Retention period
Personal data will be stored by each joint data controller according to their own storage policy:

Unobravo

The data will be kept for the entire period in which the account will be active and deleted after 36 (thirty-six) months from the termination of the account associated with the data subject on the Unobravo platform without prejudice to the storage times established for the treatments in which Unobravo operates as an independent data controller. In the event of the filing of any disputes pending the deadline, this deadline will be extended until the definition of the procedure in administrative or judicial proceedings with a non-appealable measure

Professional

The data will be kept only for the period of time strictly necessary for the performance of the assignment and the pursuit of the purposes of the assignment itself and in any case for a minimum period of 5 years (Article 17 of the Code of Ethics of Italian Psychologists) and/or as required or permitted by current law. In the event of the filing of any disputes pending the deadline, this deadline will be extended until the definition of the procedure in administrative or judicial proceedings with a non-appealable measure.

Personal data that is no longer necessary, or for which there is no longer a legal basis for its storage, will be irreversibly anonymised or securely destroyed.
7. Transfer to third countries and guarantees
Your personal data will not be transferred to non-EU countries. In the event that the non-EU transfer is necessary for the provision of the service, personal data will be transferred to countries or international organisations outside the European Union (or the European Economic Area) that guarantee an adequate level of protection, recognised pursuant to Article 45 of the GDPR, on the basis of an adequacy decision of the EU Commission. In cases where the Commission has not adopted any adequacy decision pursuant to Article 45 of the GDPR, the transfer will only take place in the presence of adequate guarantees provided by the recipient country or organisation, pursuant to Article 46 of the GDPR and provided that the data subjects have enforceable rights and effective remedies. In the absence of an adequacy decision of the Commission, pursuant to Article 45 of the GDPR, or adequate guarantees, pursuant to Article 46 of the GDPR, including binding corporate rules, the cross-border transfer will only take place if one of the conditions indicated in Article 49 of the GDPR occurs.
8. Rights of the data subject
You will be able to exercise the rights referred to in Articles 12 and following of the GDPR (including, by way of example, the right to request access to personal data or the rectification or cancellation of the same or the limitation of the processing or to oppose the processing, the right to withdraw your consent and to lodge a complaint with the supervisory authority) by means of a request addressed without formalities to the following email address: privacy@unobravo.com
9. Further information
If you have any questions or problems regarding the processing of your data, you can get in touch at privacy@unobravo.com.
***
This Privacy Policy may be subject to subsequent changes and/or additions. Please consult it periodically according to your needs.