PRIVACY POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA


  1. INTRODUCTION
  2. In the exercise of its business activity, the owner of the business that uses the App "Sushiko" (hereinafter referred to as "Operator" for the sake of brevity) pays the utmost attention to the protection of personal data of all those who work or interact with it (hereinafter referred to as "Interested party" and / or "User" for brevity), implementing appropriate technical and organizational measures to guarantee an adequate level of security in relation to the risk.

    In accordance with the principles of transparency and correctness, the following policy is created to provide all information in order to make all interested parties aware of the methods and purposes of the processing of personal data carried out in the provision of services and / or in the marketing of its assets (hereinafter referred to as "Services" altogether for the sake of brevity) also through the use of the "Sushiko" App (hereinafter referred to as "App Sushiko" for brevity), and this also in compliance with the provisions of San Marino law no. 171 of December 21st 2018 regarding the protection of individuals with regard to the processing of personal data (hereinafter referred to as "RSM Privacy Law") and, where applicable, by Regulation (EU) no. 2016/679 regarding the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (hereinafter referred to as "GDPR").

    The processing of these data will take place in a lawful and correct manner, with the use of manual and / or automated systems that allow data to be stored, managed and transmitted solely for the purposes expressly indicated below.


  3. DATA CONTROLLER OF PERSONAL DATA
  4. The Data Controller of the personal data is the Operator (hereinafter "Data Controller" for brevity), whose data are known to the User who has voluntarily connected his own mobile device to the Operator's Server in order to benefit from its Services, also with the Sushiko App.


  5. PERSONAL DATA AND PROCESSING OF PERSONAL DATA
  6. Personal data means: "all information concerning an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as the name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychic, economic, cultural or social identity".

    The processing of personal data means "any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data (or sets of personal data), such as, by way of example but not limited to, collection, the registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, cancellation or destruction".

    The personal data as described above are mainly processed when the interested party uses the Services and / or the Sushiko App.

    The provision of all other personal data is optional but may be necessary in order to use the Services and / or the Sushiko App, such as data to make offers, buy or sell that are necessary to conclude a contractual transaction.

    Personal data are provided directly by the data subject and / or acquired automatically through the devices when the Services and / or the Sushiko App are used, when data is provided in a web form on our sites, when an account is created and / or updated or when the interested party contacts us in any other way or provides his personal data expressly and with his consent, all as detailed below.


  7. TYPE AND CATEGORIES OF DATA PROCESSED
  8. Of the personal data as described above, and for the delivery of the Sushiko App, the Data Controller only collects the following types of data:

    1. Information that can identify the person such as name, surname, date and place of birth, place of residence, fiscal code, VAT number and venue, telephone number, e-mail address (even with certified email), gender or other data that we are supposed or allowed to collect and process, pursuant to current legislation, in order to authenticate or identify the User or verify the provided and collected information;
    2. IP address and browsing data and any other data that concerns interaction between the Users and the Services and/or the Sushiko App, for example when viewing or searching content, when creating or accessing one's own account and/or a reserved area. Data related to devices and/or computers used by the User to access the Services and/or the Sushiko App, including the device unique code, the language and operating system;
    3. Data related to offers, purchases or sales related to the Services and/or Sushiko App provided during a precontractual negotiation and its following improvements and every other data provided in reference to these operations;
    4. Data related to payment and invoicing (and potential shipment) of the Services and/or Sushiko App;
    5. Financial data, considering that some Services and/or Sushiko App support payments and transactions with third parties. For this purpose it may be necessary to provide some data to identify and verify the identity of the Data subject and the payment method used, such as name, surname, credit/debit card number and expiry date. If collected by the Data Controller, these data will be stored in encrypted form. In some cases, to allow the User to speed up future, new and similar payment operations, the Operator could store the last four digits of the card only;
    6. Processing of special categories of personal data (so-called "sensitive data")

      Particular categories of personal data, for example data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation are not collected and therefore not processed.

  9. PURPOSE AND METHOD OF DATA PROCESSING
  10. The processing of personal data collected takes place solely and exclusively for the following purposes:

    1. Execute the contracts related to the Services and/or Sushiko App.
      Through the information and data communicated, we are able to carry out the contractual activities and services provided by the Services and / or the Sushiko App contracts requested by the interested party (also in the name and / or on behalf of third parties) or to execute pre-contractual measures and / or negotiations related to the same Services and / or the Sushiko App, including administrative and accounting activities, management of tax obligations, payments and invoicing.

      The information collected will also be used to contact the User regarding his account or in any case regarding his contractual position, to solve problems with the account and / or the reserved area, solve a dispute, carry out debt collection activities.
    Personal data may also be processed to verify and solve any anomalies in the functioning of the Services and / or the Sushiko App; to perform data analysis and tests, to conduct research and surveys and to develop new features and services in order to provide a better experience for the user.
    2. Provide security and protection both to personal data received and to the security system adopted.
      The data collected are also used to verify the identity of and authenticate Users, allow payments to be made and / or received, protect against fraud and / or abuse, respond to a request or complaint, perform checks, prevent, detect, mitigate and / or ascertain security breaches and / or activities that are even potentially prohibited, illegal and / or unlawful.

    3. Communicate with the Data subject
      Data may be used to contact the User for the purposes contained in this document and in cases laid down by the law. The contact and communication could be done by e-mail (even with certified email), telephone, SMS, paper mail, push notification on mobile devices.

      We can use the User's information to send service communications and/or to answer requests, to offer discounts and special promotions, to know his opinion using surveys and questionnaires.

    4. Carry out marketing activities
      With the express and specific consent of the User to be provided according to the modality specified from time to time, we may use the User's information to promote new products or services to which he may be interested, carry out marketing activities via phone calls, and email (also with certified e-mail) or SMS, via paper mail, push notifications on mobile devices, as well as through third parties specifically appointed.

      The User may in any case revoke the express consent provided for marketing activities by following the appropriate instructions included within the tools used (e.g. newsletters, e-mails etc.) or by sending an e-mail to the Operator's email address.

    The processing of the personal data collected will take place in a lawful and correct manner in compliance with the provisions of the Privacy RSM Law and, where applicable, of the GDPR, with the use of manual or automated systems that allow data to be stored, managed and transferred (both in paper and electronic format) only for the purposes specified in this statement.

    Only authorized personnel can access the personal data collected.


  11. LEGAL BASIS FOR THE PROCESSING
  12. The legal bases with which we treat the personal data of the data subject could be different according to the circumstances, namely:

    1. contracts established or to be established (with data subjects) to make use of the Services; or

    2. the consent expressed by the data subject. This consent may be revoked in the terms and according to the methods specified in the following paragraph X, lett. a); or

    3. our legitimate interests [with respect to which it is possible to file an opposition pursuant to paragraph X, lett. a)], meaning for example the interest to: prevent fraud; carry out direct marketing activities, improve, customize and develop the Services; carry out the marketing of new services or products that could be of interest to the User; to carry out the promotion of security and protection of data; to perform data processing within a group of companies or related entities for internal administrative purposes, without prejudice to the general principles and regulatory requirements for the transfer of personal data within an entrepreneurial group, including a company located in a Third Country (meaning a country outside the European Union).
      The processing of personal data relating to traffic is also a legitimate interest, to the extent which is strictly necessary and proportionate to guarantee network and information security, meaning the ability of a network or an information system to resist, to a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of the personal data stored or transmitted and the security of the related services offered or made accessible through such networks.
      Without prejudice to the above, it should be noted that we may collect additional personal data or integrate those already in our possession with other data and information collected from third parties (for example our suppliers or business partners), also using data and information in the public domain, information collected through specific databases or additional contact information, credit verification data and information on solvency provided by the appointed offices, in compliance with the current legislation.
      We may also collect data through the social media used by the User. Where the User connects his account to the respective social media site, these social media may authorize us to automatically access certain information in their possession. With this possibility, the data subject expressly provides us access to sites with the various contents contained therein.

    4. Data collected from third parties or from other sources;
      We could collect additional personal data or integrate the data available to us with other data and information collected from third parties (for example our suppliers or commercial partners), also using data and information in the public domain, information collected from databases or additional contact information, credit verification data and information on solvency provided by the offices in charge, in compliance with current legislation.

      We could also collect data through the social media used by the User. Where the User has linked his/her account to his/her respective social media, these social media could authorize us to automatically access specific data in their possession. With this possibility the Data subject provides us with direct access to the content of these social media.


  13. METHOD OF INFORMATION SHARING WITH THIRD PARTIES
  14. The personal data provided may be shared with third parties only in the following cases:

    1. Consent of the data subject:

      The data subject may authorize us to share (or disclose) his data with (and to) other third parties, for example in case he uses our community (such as forums or other social media) or where he has expressed his intention to be contacted and / or called back for any need or clarification regarding the Services.

    2. Treatment by external entities:

      Personal data may be provided to entities connected and / or affiliated with our company, service providers and / or business partners that treat them according to instructions we provide (e.g. partners who provide customer support services, information technology, payment and / or sales management, marketing, data analysis, research and investigation).

      Personal data may also be shared with:
      • our suppliers who perform: payment processing, advertising customization, prevention, detection, verification of potentially illegal acts, breaches of the Services; collection of invoices; consulting, training and event organization services;
      • third party providers of shipping services (e.g. DHL, UPS, GLS, Italian Post Office etc.) with whom we share delivery addresses, contact information and shipping codes;
      • providers of websites, applications, services and tools with which we work to provide the Services and / or the Sushiko App.

    3. Justice, legal and / or general protection needs

      We may keep or disclose personal data where necessary to meet justice needs, for example because requested by an administrative authority, a control and / or supervisory authority or in the context of a judicial proceeding or, in any case, in compliance with the provisions of law, or otherwise for the exercise of legal rights or for the defense against complaints and / or legal actions or to prevent, detect or investigate illegal activities, fraud, abuse, violations of subjective legal positions or where there are even potential threats to the security of the Sushiko App or to the physical security of any person.

      Except in the event that one or more recipients referred to in this article is in a Third and / or Foreign Country or represents an international organization, and without prejudice to the cases expressly permitted by law (RSM Privacy Law and / or GDPR), the Data Controller will not transfer personal data to a country other than the Republic of San Marino and / or to an international organization.

      Any transfer of personal data to a country other than the Republic of San Marino and / or to an international organization will in any case take place in full compliance with the terms, methods and conditions provided:
      • by the Privacy RSM Law - articles 46, 47, 48 and 50 - where the transfer entails, respectively, one of the hypotheses governed therein; as well as
      • by the GDPR - articles 45, 46, 47 and 49 - where the transfer entails, respectively, one of the hypotheses governed therein.


  15. DATA STORAGE PERIOD
  16. The period of storage of personal data is determined (or determinable) according to the purpose or the legal basis by virtue of which the processing should take place.

    Except for the case in which the personal data is processed for marketing purposes, after the termination of the contract the data of the Data Subject will be kept for the time necessary to correctly and fully perform the services provided in the contract (including those strictly connected and related to its termination). In any case the data will be stored for a period of time not exceeding the highest between the two periods specified below, corresponding to:



    There remains the case in which the data subject has expressly consented, also for different reasons, to a longer period (in such case the retention period will correspond to the permitted one) or the legitimate interests must be satisfied as identified above (in which case the retention period will correspond to the one required to satisfy such interest).

    It also remains the case in which the greater (or less) retention of data must be carried out to satisfy needs for justice, for example to comply with a request from the administrative authority, supervisory authority or for the exercise and / or for the protection (judicial and / or extrajudicial) of rights or to exercise the defense against complaints and / or legal actions.

    Personal data processed for marketing and commercial purposes will be kept until the data subject has expressed the intention to revoke the consent expressed for this purpose.

    Once the retention period is over, personal data will be safely removed.


  17. RIGHTS OF THE DATA SUBJECT
  18. All interested parties, whose personal data is processed in accordance with the terms and methods established by RSM Privacy law and GDPR where applicable, may exercise the rights described below:

    1. Right of access, rectification and deletion of data, limitation and opposition to the use of data and right to withdraw consent.
      Except as provided above in terms of conservation, the data subject may, at any time, access his personal data, as well as update, modify, limit the processing or request its cancellation.
      If you choose to delete data, please note that although most of the information stored will be deleted within 60 (sixty) days, it may take up to 180 (one hundred and eighty) days to delete all data entered in our systems depending on the size or complexity of the systems and procedures used.
      When the processing of data is subject to the consent issued by the data subject, this consent may be revoked at any time. You can therefore always object to receiving newsletters and to the processing of your data for marketing and commercial purposes.
      The data subject may also object to the processing of his data even if this activity is carried out for the legitimate interests.
      If asked to withdraw consent, limit the use of data or delete the personal data previously provided, we may no longer be able to provide the Services.
      The data subject can ask for the cancellation of data by contacting directly the restaurant in which the data are stored or through the context menu of the ordering application "MySelf" (web or native app) by selecting: "Request data removal".
      In any case, requests for data deletion are subject to current legal requirements and the conservation of documents imposed by laws or regulations.

    2. Right to portability. The data subject has the right to receive his personal data in a structured, commonly used and readable format and has the right to transmit this data to another data controller.

    3. Right to lodge a complaint
      The data subject will always have the right to lodge a complaint with the competent Supervisory Authority, if he believes that the treatment of his data is against the applicable legislation.

    4. Right to report
      Anyone can send a report to the Guarantor Authority for the protection of personal data if they believe that there are violations of the Privacy RSM Law.

    5. Opposition rights
      Opposing the provision issued by the Guarantor Authority for the protection of personal data, including administrative sanctions, Passepartout or the data subject may file an opposition with a judicial appeal. The opposition does not suspend the execution of the provision.

    6. Automated decision making
      The data subject is also informed that, in the event that the processing of the data is based on explicit consent, the interested party has the right to revoke the consent at any time without prejudice to the lawfulness of the processing based on consent before the revocation.
      Automated technologies are used for decision-making or profiling. In any case, no automated decisions will be taken on the interested party that could have significant consequences for him, except in circumstances in which this decision is necessary to execute a contract or because the User has explicitly provided his consent.

    The exercise of the rights described above may be requested by the data subject by sending an e-mail to the email address of the Operator.


  19. SECURITY MEASURES
  20. We assure the implementation and maintenance of appropriate technical and organizational measures to guarantee an adequate level of security for every possible risk, constantly carrying out a series of technical, administrative and physical checks to keep the personal data of the data subject confidential and safe.


  21. COMPLETENESS AND CHANGES
  22. This privacy statement is issued to complement and replace any other regulation that may exist before today regarding the protection of the User's personal data processed for the same purposes contained herein.