BRIDGY PRIVACY NOTICE
Pursuant to Article 13 of Regulation (EU) 2016/679 (the “Regulation”), this Privacy Notice describes how We collect and process your personal data when you register for and access the Bridgy application and request the services provided by Us (the “Service”) or benefit from this Service.
To the extent that you are a customer of our services, this Privacy Notice applies together with any terms of business and other contractual documents, including but not limited to any agreements We may have with you.
Regarding the terms used in this Privacy Notice, such as “processing” or “controller” or “personal data”, We refer to the definitions of the Regulation.
- Who is the data controller of my personal data?
The data controller of your personal data is Neural ID Pay S.r.l., with registered office Via Del Cotonificio 129/B, 33100 Udine, Italy, operating under the brand name Bridgy (“Neural ID” or “Bridgy” or “We/Our/Us”).
- How have my personal data been obtained?
We collect your personal data directly from you at the time you access the Service and when We provide the Service to you, or automatically, or through Our third parties.
- What personal data does Bridgy collect and process?
We may collect and process the following personal data:
Identity Data: first name, last name, title, date of birth and gender, ID documents such as national ID card, passports, driving licences or other forms of ID documents.
Identity Related Data: risk assessment, compliance assessment.
Contact Data: residence details, billing and delivery address (for cards), email address and telephone number, proof of address documentation.
Financial Data: payment card details, amounts associated with accounts, external account details, source of funds and related documentation.
Transactional Data: details about incoming and outgoing operations.
Technical Data: internet connectivity data, IP address, operator and carrier data, login data, browser type and version, device type, category and model, time zone setting and location data, language data, operating system, diagnostics data such as crash logs and any other data we collect for the purposes of measuring technical diagnostics.
Profile Data: your username and password, your identification number as our user, requests by you for products or services, your interests, preferences and feedback, other information generated by you when you communicate with our customer support.
Special categories of data: biometric data.
Data that We collect or receive from third parties: information about you from the third-party providing services to you, and/or from the group of companies related to Us by common control or ownership as a normal part of conducting business.
- For what purposes will my personal data be processed?
We will process your personal data for the following processing purposes:
- A) to perform Our obligations under the Terms of Service entered into between you and Us or to take steps at your request prior to entering into the Terms of Service (Art. 6, para. 1, let. b) of the Regulation);
- B) to comply with legal obligations, including anti-money laundering, financial, tax and consumers’ protection laws (Art. 6, para. 1, let. c) of the Regulation);
- C) to pursue Our legitimate interest in (i) preventing fraud and assessing your trustworthiness and reliability as a potential customer, (ii) extracting statistical information on service usage and (iii) checking the functioning of the services (Art. 6, para. 1, let. f) of the Regulation);
- D) for authentication purposes with your optional consent (Art. 6, para. 1, let. a) of the Regulation and Art. 9, para. 2, let. a) of the Regulation);
- E) for marketing purposes (direct sales, sending of advertising material, carrying out market research, commercial communication, surveying the degree of customer satisfaction) and to send you marketing communications by email relating to products/services offered by Us, with your optional consent (Art. 6, para. 1, let. a) of the Regulation).
- Is the provision of data mandatory or optional?
The collection and the processing of your personal data under A), B) and C) of the above paragraph is optional, but failing to provide the data would prevent you from entering into the Terms of Service and being provided with the Service.
If you do not consent to the processing of your personal data under D) and E) of the above paragraph, you will not suffer any prejudicial consequences whatsoever. In any case, you can freely withdraw your consent to the processing of your personal data at any time, even selectively, requesting it in the manner indicated in paragraph 12 below. In relation to promotional communications sent via e-mail, you can revoke your consent to the processing of your e-mail address for marketing purposes by clicking on the cancellation link (opt-out) in each promotional e-mail.
- How will my personal data be processed and for how long will they be stored?
Your personal data will be processed using automated and non-automated means. Specific security measures are put in place to prevent data loss, illicit or incorrect use and unauthorized access. Your personal data will be retained for 10 years from the date on which the contract between us has terminated or from the date of the last event interrupting the statutory prescription period.
Your personal data that We process upon your consent will be retained until you revoke your consent to the processing of your personal data for marketing and/or profiling purposes. However, the information needed to prove your consent will be retained for 10 years from the date on which you have revoked your consent or from the date of the last event interrupting the statutory limitation period.
- Who might have knowledge of my personal data?
Our employees and collaborators in charge of the management of the Service might have knowledge of your personal data. Moreover, the following categories of entities, acting as data processors, might have knowledge of your personal data: IT service providers; crypto to fiat exchange providers; banks; AML services providers; providers of management and administrative services; consultants.
- Will my personal data be disclosed to third parties?
Your personal data may be disclosed to third parties belonging to the following categories: banks and payment institutions, to the extent necessary to make or receive payments in connection with the Services; taxation public authorities, to the extent required by the law; judicial authorities and/or police forces, when required by the law; lawyers and law firms, where necessary to pursue our legitimate interest in exercising or defending a right in court and out of court; third parties to which the contract has been assigned or third-party companies that have acquired Our companies or a branch of Our companies.
Third Party Data Controllers
Through the Bridgy application, you may request services which are provided by third party service providers acting as independent data controllers for their own purposes which may include but are not limited to:
- The card issuance
The third-party service providers rely on the legal bases for data processing disclosed in their respective privacy notices, provided to you directly by them or accessible from their websites.
- Will my personal data be transferred outside the European Economic Area?
Yes, your personal data will be transferred to the United Kingdom and to Switzerland. Both countries have been found to guarantee an adequate level of data protection, therefore such transfer is made on the basis of adequacy decisions issued by the European Union Commission.
- What are my rights?
You have the right to exercise at any time, free of charge and without formalities, the following rights as per Articles 15 to 22 of the Regulation: the right to request access to personal data (or the right to obtain from us the confirmation that data concerning you are being processed and, if so, to obtain the access to personal data, obtaining a copy of them and of the information referred to in Article 15 of the Regulation) and rectification (i.e. the right to obtain the correction of inaccurate data concerning you or the integration of incomplete data) or the erasure of the same (meaning the right to obtain the deletion of data concerning you, should any of the events indicated in Article 17 of the Regulation occur) or the restriction of the processing related to you (meaning the right to obtain, in the cases indicated in Article 18 of the Regulation, the marking of stored personal data with the aim of limiting their processing in the future), in addition to the right to data portability (i.e. the right, in the cases indicated in Article 20 of the Regulation, to receive from us, in a structured, commonly used and machine-readable format the data concerning you, and to transmit it to another data controller without impediments). You also have the right to object to the processing (see paragraph 9 below). Should you deem that the processing of your personal data infringes the Regulation, you have the right to lodge a complaint with the Italian supervisory authority (Garante per la protezione dei dati personali – www.garanteprivacy.it) or the competent supervisory authority of the EU Member State where you live or work or where the alleged breach has occurred (Article 77 of the Regulation) or to take legal action before a court (Article 79 of the Regulation).
- Do I also have the right to object to the processing?
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on letter e) (performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or f) (legitimate interest) of Art. 6, para. 1 of the Regulation, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- How can I exercise my rights?
To exercise your rights, please contact us by mail (to “Neural ID Pay S.r.l., with registered office Via Del Cotonificio 129/B, 33100 Udine, Italy – To the kind attention of Data Protection Officer”) or by email (to the address dpo@bridgy.com).
- Have you appointed a Data Protection Officer (DPO) and how can I contact the DPO?
Neural ID has appointed a DPO, who can be contacted by email to the address dpo@bridgy.com.