PRIVACY POLICY EX ARTT. 13 AND 14 OF THE EU REGULATION 2016/679 – WALLETPLACE

1. Definitions

1) Address, Blockchain, Private Key, Public Key, CID, Customer, Collection, Direct Marketing Communications, Terms and Conditions, Encryption, CRM, Centralized Database, Anonymous Data, Personal Data, Common Personal Data, Pseudonymous Data, Simplification Decree 2018, GDPR, Google, Hash, Privacy Policy, IPFS, License, Profiling, Profile, Registration, SEE, Instrumental Services, Smart Contract, SSO, Distributed Ledger Technologies, Token, Customer Token, Processing, Blockchain Processing, Centralized Database Processing, Users, Wallet, Walletplace.

1.1 Address: a publicly identifiable address for the Wallet, derived from the Public Key and consisting of an alphanumeric code.

1.2 Blockchain: the Polygon blockchain together with the Ethereum blockchain.

1.3 Private Key: a unique alphanumeric code serving as a private key (i.e., randomly generated mathematically) that functions as a password granting access to the Wallet.

1.4 Public Key: a public key, also consisting of a unique alphanumeric code generated by the Private Key through a cryptographic function.

1.5 CID: “content identifier” assigned by IPFS to a specific digital content through cryptographic hashing functions, enabling the search and display of the digital content (if visible in “clear text”).

1.6 Client: a Bcode client utilizing the services of “Token Creator” to create Client Tokens and determining the purposes, content, characteristics, and redemption methods of the Client Token.

1.7 Collection: a Smart Contract based on the ERC 1155 standard, customized by Bcode according to the features and functionalities established by the Client.

1.8 Direct Marketing Communications: commercial or promotional communications related to Walletplace, Bcode, and future developments of Walletplace and services provided through Walletplace, as well as services, products, and initiatives similar to Walletplace.

1.9 General Conditions: terms and general conditions of use for Walletplace.

1.10 Cryptography: block encryption algorithm with symmetric (private) or asymmetric (one public for encryption and one private for decryption) keys of predetermined length that allows “hiding” the content of a dataset, transforming it into a sequence of numbers and letters, decipherable only by those who know the private (and thus secret) keys.

1.11 CRM: “customer relationship management” software for managing and communicating User Personal Data to Clients.

1.12 Centralized Database: traditional database used by Bcode.

1.13 Anonymous Data: information that, even through reverse processes, processing, or associations, cannot be traced back to the natural person to whom it refers. The impossibility of identifying a natural person must be demonstrable/verifiable through any reasonably applicable technique (taking into account the state of the art and subsequent technological developments during processing).

1.14 Personal Data: Common Personal Data and Pseudo-anonymous Data.

1.15 Common Personal Data: any information related to an identified or identifiable natural person, directly or indirectly, by reference to the name, username, identification number, location data, online identifier, or characteristics of their physical, physiological, genetic, mental, economic, cultural, or social identity.

1.16 Pseudo-anonymous Data: information whose power to identify a natural person has been reduced but not eliminated entirely, as pseudonymization is a process that allows Personal Data not to be attributed to a natural person except through the use of additional information, to be kept separately and through technical measures such as Cryptography.

1.17 Simplifications Decree 2018: Decree-Law of December 14, 2018, no. 135 – the so-called Simplifications Decree 2018 – converted into law on February 11, 2019.

1.18 GDPR: EU Regulation 2016/679 of April 27, 2016.

1.19 Google: Google LLC, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043 (USA).

1.1 Hash: the “digital fingerprint” of digital content obtained through Cryptography.

1.2 Information: information regarding the processing of Personal Data prepared in accordance with articles 13 and 14 of the GDPR as constituted by this document.

1.3 IPFS: the InterPlanetary File System distributed ledger.

1.4 Profile: the personal and confidential profile created by the User on Walletplace.

1.5 Registration: the registration procedure on Walletplace that the User is required to complete to create their own Profile.

1.6 EEA: the European Economic Area, consisting of European Union countries, Norway, Iceland, and Liechtenstein.

1.7 Services: services for access, support, and assistance for the redemption and/or transfer of Client Tokens, as further described in Article 4.1 of the General Conditions.

1.8 Smart Contract: a computer program operating on Distributed Ledger Technology that automatically binds two or more parties based on predefined effects (cf. Article 8 ter, paragraph 2, of the Simplifications Decree 2018).

1.9 SSO: Google’s “Single Sign-On” service allowing Users with Google credentials to use them to log into different third-party platforms, remaining connected without the need to repeat the authentication process with each access.

1.10 Distributed Ledger Technology: computer technologies and protocols using a shared, distributed, replicable, simultaneously accessible ledger, architecturally decentralized on cryptographic bases, allowing the recording, validation, updating, and storage of data both in clear and further protected by cryptography, verifiable by each participant, unalterable, and unmodifiable (cf. Article 8 ter, paragraph 2, of the Simplifications Decree 2018).

1.11 Token: a series of digital information recorded on Distributed Ledger Technology and representative of some form of value or right, such as ownership of an asset, the truth of information, access to a service, attestation of payment receipt, or attestation of the existence of a fact or event.

1.12 Client Token: Tokens based on the Client Smart Contract created by the Client.

1.13 Processing: any operation or set of operations concerning Personal Data, such as, for example, collection, organization, structuring, storage, modification, extraction, consultation, use, communication, interconnection, limitation, deletion, and destruction.

1.14 Blockchain Processing: Personal Data processing carried out through IPFS and Blockchains.

1.15 Centralized Database Processing: Personal Data processing carried out through the Centralized Database.

1.16 Users: users interested in using the Services as further defined in Article 4.1 of the General Conditions.

1.17 Wallet: “non-custodial Ethereum wallet,” a digital wallet on Ethereum that attributes a cryptographic identity, accessible through a dual-key mechanism, i.e., the Private Key, which can be considered as a password providing access to the Wallet, and the Public Key. Each Wallet is characterized by the Address. It is a “non-custodial wallet,” and consequently, the Wallet provider has no access to either the Private Key or the Public Key.

1.18 Walletplace: an app developed and owned by Bcode through which the Services are provided.

2. Data Controller

2) Bcode S.r.l.

The Data Controller referred to in this Information is Bcode S.r.l., with registered office at Via Flumendosa, 18, 20132, Milan, VAT and Tax Code 11514730966 (“Bcode”). Any User requests regarding the Processing carried out by Bcode concerning their Personal Data (including the exercise of the rights mentioned in the following points 11) and 12)) should be addressed to Bcode by postal mail at the registered office or by email at the following address: privacy@bcode.cloud.

3. Purpose and Legal Basis of Processing

1) Centralized Database Processing:

a) Registration: General Conditions;

b) Use of Services: General Conditions and pre-contractual measures;

c) Communication of Personal Data to the Client to whom the Client Token refers for identity verification: General Conditions;

d) Prevention and repression of fraud and abusive behavior: Bcode’s legitimate interest;

e) Responding to contact requests: Bcode’s legitimate interest;

f) Sending Direct Marketing Communications: Bcode’s legitimate interest;

g) Communication of Personal Data to the Client to whom the Client Token refers for Client promotion: Consent;

h) Improvement of Services and Walletplace: Bcode’s legitimate interest;

i) Legal or judicial obligations and investigations: Bcode’s legitimate interest or legal obligations;

2) Blockchain Processing:

j) Redemption/transfer of the Client Token: General Conditions.

Bcode collects and uses Users’ Personal Data for the following purposes:

3) Centralized Database Treatments:

a) Allow Users to Register on Walletplace: The processing referred to in point a) is necessary for the creation of the Profile, access to Walletplace, and the use of Services by the User. Any refusal prevents the User from enjoying the Services. This processing is based on the Users’ acceptance of the General Conditions and the related pre-contractual measures proposed by BCode.

b) Allow Users to use the Services: The processing referred to in point b) is necessary for the User to use the Services, and any refusal prevents the User from using the Services. This processing is based on the Users’ acceptance of the General Conditions and the related pre-contractual measures proposed by Bcode.

c) Communicate the User’s Personal Data to the Customer who created the Client Token redeemed/transferred by the User, also through the CRM: The processing of Personal Data referred to in point c) is necessary, and any refusal by the User prevents Bcode from communicating to the Customer who created, and to whom it refers, the Client Token redeemed by the User, including the contact details of the latter. This allows the Customer to verify the identity of Users who have redeemed/transferred Client Tokens. This processing is based on the Users’ acceptance of the General Conditions.

d) Prevent and suppress fraud and abusive behavior (including by third parties) contrary to current regulations and rules of correctness and good faith: The processing referred to in point d) is necessary to protect the proper functioning of Walletplace and the correct use of Services by Users. This processing is based on Bcode’s legitimate interest in protecting its company and Users from fraud or abusive behavior, which Bcode considers to be predominant over the right to Users’ privacy. Users can oppose this processing (if the requirements are met) at any time by following the indications in point 8 letter f) of this Information.

e) Manage and respond to contact requests: The processing referred to in point e) is necessary for the management and response to contact requests received by Bcode, and any refusal by the User prevents the latter from receiving a response from Bcode regarding their contact request. This processing is based on Bcode’s legitimate interest in responding to contact requests transmitted by Users, which Bcode considers to be predominant over the right to Users’ privacy. Users can oppose this processing (if the requirements are met) at any time by following the indications in point 18 letter f) of this Information.

f) Send Direct Marketing Communications to Users, by email: The processing of Personal Data referred to in point f) is optional, and any refusal by the User prevents the latter from receiving Direct Marketing Communications from Bcode. This processing is based on Bcode’s legitimate interest in the benefit that Bcode can obtain from sending Direct Marketing Communications, involving Users in the growth and development of Bcode, which the latter considers to be predominant over the right to Users’ privacy (who, moreover, can reasonably expect to receive such communications). Users can oppose this processing at any time, without any motivation, by following the indications in point 12 of this Information.

g) With optional consent, communicate the User’s Personal Data to the Customer who created the Client Token redeemed/transferred by the User for the promotion of the Customer, also through the CRM: The processing of Personal Data referred to in point g) is optional, and any refusal by the User prevents Bcode from communicating to the Customer who created, and to whom it refers, the Client Token redeemed by the User, the contact details of the latter. This allows the Customer to contact the User for promotional or marketing purposes. This processing is based on the User’s free, specific, informed, and unequivocal consent, expressed by declaration or positive action (e.g., flag) on Walletplace. The withdrawal of consent can be exercised by the User at any time by following the indications in point 8 letter a) of this Information.

h) Perform statistical analysis, market research, improve the presentation of Services and the User’s use of Walletplace (where possible, to achieve this purpose, Bcode uses Anonymous Data): The processing referred to in point h) is optional, and any refusal by the User prevents the latter from enjoying Services more in line with the aggregated preferences of Walletplace Users, without any prejudice to the receipt of Services. This processing is based on Bcode’s legitimate interest in the benefit that Bcode can obtain from offering Services more in line with the preferences expressed by its Users during the use of Walletplace and the use of Services, which Bcode considers to be predominant over the right to Users’ privacy. Users can oppose this processing (if not carried out with Anonymous Data) at any time by following the indications in point 8 letter f) of this Information.

i) Fulfill legal obligations and allow Bcode to assert, exercise, and defend its rights in court or before any other competent authority: The processing referred to in point i) is necessary to protect the legal position, rights, and interests of Bcode regarding the subscription, interpretation, and fulfillment of the General Conditions. This processing is based on: i) Bcode’s legitimate interest, consisting of the benefit that Bcode can obtain in protecting its legal position, rights, and interests, which Bcode considers to be predominant over the right to Users’ privacy; and ii) where the involvement of third-party authorities is necessary or appropriate, based on Bcode’s legal obligation to collaborate with competent authorities in carrying out investigations related to the execution, interpretation, and fulfillment of the General Conditions.

4) Blockchain Processing:

j) Allow Users to redeem and/or transfer Client Tokens: The processing referred to in point j) is necessary for the redemption and/or transfer of Client Tokens by the User, and any refusal prevents the User from performing such operations on the Blockchain. This processing is based on the Users’ acceptance of the General Conditions and the related pre-contractual measures proposed by Bcode.

4. Data Collection Methods

a) Personal data entered into Walletplace by users; b) Pseudo-anonymous data automatically generated by IPFS and blockchains; c) Personal data expressly communicated to Bcode by users offline; d) Personal data communicated to Bcode by Google.

Bcode collects Personal Data in the following ways:

a) Personal Data entered into Walletplace by Users: these are the Personal Data provided by Users, for example, but not limited to, for Registration, management of the Profile, use and correct functioning of the Services;

b) Pseudoanonymous data automatically generated by the Blockchain: these are the Pseudoanonymous data automatically generated by IPFS and the Blockchain for the execution of Client Token redemptions/transfers (e.g. the hashes);

c) Personal Data expressly communicated to Bcode by Users offline: these are the Personal Data provided, for example, to the Bcode customer service (in case of contact request) or collected during events and/or initiatives organized by Bcode.

d) Personal Data communicated to Bcode by Google: these are the Personal Data that Google provides to Bcode to allow Users to use SSO (i.e. name, surname, username and email address).

5. Possible categories of recipients of Personal Data.

Employees, collaborators, customers who have created redeemed/transferred customer Tokens, users, third-party service providers, third-party technical and commercial parties.

Personal Data is processed by Bcode and/or third parties selected for reliability and competence, and to whom they may be communicated as necessary or appropriate, as long as it is within the EEA. In particular, Bcode informs users that Personal Data may be processed by and/or communicated to:

a) employees and/or collaborators of Bcode;
b) customers who have redeemed/transferred Client Tokens created by the user;
c) Users who use the Services (for example, users who access the “play” section will see the Personal Data of users who have participated in the game in a final ranking);
d) third-party providers of services necessary to ensure the functioning of Walletplace (for example, a company that provides hosting services) and/or the provision of Services;
e) third-party providers of navigation data analysis services for Walletplace;
f) third-party providers of automatic newsletter services and/or any other type of commercial communication, marketing and promotion services, analysis of consumption habits and choices.

6. Transfer of Personal Data outside the EEA

5) Yes, only the Wallet Address that is subject to Blockchain Treatment.

Regarding:

a) Centralized Database processing, Personal Data subject to such processing are processed by Bcode only within the EEA;

b) Blockchain processing, given the characteristics and functioning of IPFS and Blockchain technology – which constitute Distributed Ledger Technology (i.e. participants in the Blockchain may be located anywhere in the world) – it is not possible to exclude the risk that the Address of each User (associated with each redeemed/transferred Client Token) may be transferred outside the EEA. Further information on the functioning of IPFS and Blockchain and/or the measures adopted by Bcode can be requested from Bcode itself.

7. Data Retention Period for Personal Data (or Criteria for Determination)

a) Personal data for registration, use of services, prevention of fraudulent and abusive behavior: for the duration of the General Conditions or until the deletion of the Profile and for 6 months thereafter;
b) Pseudoanonymous data for redemption/transfer of Customer Tokens: for an indefinite period equal to the duration of IPFS and Blockchains;
c) Personal data for responding to contact requests: 6 months after receipt of the contact request;
d) Personal data for Bcode marketing activities: 24 months after the User’s last interaction;
e) Personal data for communication to Clients to whom Customer Tokens refer: 24 months from the collection;
f) Personal data for legal or judicial obligations and investigations: for a period of 10 years.

Personal Data is stored by Bcode for the strictly necessary period of time to achieve the purposes for which they were collected, as indicated in point 3 above. In particular, except for exercising the right to revoke consent as provided for in point 8, letter a) or the right to object as provided for in points 8, letter f) and 9, Bcode retains Personal Data for the following periods:

a) Personal Data for Registration, use of Services, prevention of fraudulent and abusive behavior: for the purposes set out in point 3, letters a), b), c) and d) for the duration of the General Conditions, or for the shorter period during which the User decides to keep their Profile active, and for the following 6 months;

b) Pseudo-anonymous Data for redemption/transfer of Customer Tokens: for the purpose set out in point 3, letter j) for an indefinite period equal to the duration of IPFS and Blockchains;

c) Personal Data for handling and responding to contact requests: for the purpose set out in point 3, letter e), for a period of 6 months from receipt of the contact request sent by the User;

d) Personal Data for Bcode’s marketing purposes: for the purposes set out in point 3, letters f) and h) (the latter only in the case of use of Personal Data and not Anonymous Data), for a period of 24 months following the last interaction with Bcode by the User suitable to demonstrate an interest in receiving Direct Marketing Communications, such as consent collection and use of Services;

e) Personal data for communication to Customers who have created Customer Tokens: for the purpose set out in point 3, letter g), for a period of 24 months from the collection of Personal Data by Bcode;

f) Personal Data for legal or judicial obligations and assessments: for the purpose set out in point 3, letter i), for a maximum period of 10 years from collection (or for the longer period of any dispute if applicable), limited to the information necessary to comply with legal obligations and enable Bcode to exercise and defend its own right in a court of law.

8. User Rights

Revocation of consent, access to personal data, correction or supplementation of personal data, deletion of personal data, restriction of processing, objection to processing, transfer of personal data, data breach, complaint to competent authorities.

Under the GDPR, each user has the right to: a) withdraw their consent for Bcode’s processing of their data, without affecting the legality of previous processing (Article 7 of GDPR); b) access their personal data, receive information about its processing, and request a copy in electronic format, unless otherwise specified by the user (Article 15 of GDPR); c) request the rectification and/or integration of their personal data without undue delay, with the limitation that blockchain processing will be rectified/integrated as far as technically possible (Article 16 of GDPR); d) request the erasure of their personal data without undue delay, subject to technical limitations in blockchain processing (Article 17 of GDPR); e) request the restriction of processing in specific circumstances, subject to technical limitations in blockchain processing (Article 18 of GDPR); f) object to processing of their personal data, unless it’s anonymized (Article 21 of GDPR); g) receive their personal data in a readable format for communication to a third party or, when technically feasible, request direct transmission by Bcode to that third party (right to data portability – Article 20 of GDPR); h) be informed by Bcode of any breaches or unauthorized access by third parties to their personal data (data breach – Article 34 of GDPR); and i) lodge a complaint with the EU supervisory authority in their country of residence or work, or where they believe their rights have been breached (Article 77 of GDPR). To exercise these rights, users can consult the GDPR text or contact Bcode according to the terms specified in the Privacy Policy.

9. Opposition to the treatment concerning direct marketing communications of Bcode.

6) Right to object to receiving Bcode Direct Marketing Communications.

Bcode emphasizes that each user has the right to object to the Processing of Personal Data referred to in point 3 letter f), at any time and without any reason, by sending an email to Bcode or by opting out of direct marketing communications from Bcode. In case of exercising this right, Bcode will cease the use of the user’s Personal Data for direct marketing purposes of Walletplace, future developments of Walletplace or similar services, products or initiatives to Walletplace.

10. Profiling.

Automated processing of users’ personal data aimed at discovering users’ preferences expressed on the platform, for evaluative and/or predictive purposes.

Bcode’s profiling has the following characteristics: a) context: Profile is associated with the provision of the License or Services on the Platform by Bcode; b) object: User information related, for example, to the type of Customer Token redeemed, expressed tastes, Customers followed and added to the Platform as favorites by Users; c) legal basis: expressed consent through a positive action (flag) on the Platform by Users; d) processing logic: (i) analysis and evaluation of the information collected on Users referred to in letter b) on a statistical basis through processing and comparison of the Personal Data of all Users of the Platform; and (ii) classification of Users into homogeneous categories of Users, to analyze or make predictions about their possible preferences; e) purpose: to make the License and Services “more personalized” on the possible preferences of Users and, therefore, improve the degree of “satisfaction” of Users in the use of the License and Services provided on the Platform. Profiling is therefore aimed at predicting Users’ preferences or future choices based on the Platform’s Services; f) effects for Users: use of the License and Services on the Platform in line with the preferences expressed by Users in browsing the Platform and using the Services. In no way does Bcode’s profiling: i) constitute an automated decision-making process from which legally or similarly significant effects for Users derive; ii) prejudice the behavior and purchasing choices of Users; iii) has a prolonged and permanent impact on Users, considering that the Personal Data collected by Bcode can be independently updated at any time by Users; and iv) does not determine any discrimination against Users.

Refer to the Italian language version for legal validity