Application privacy policy

(pursuant to Article 13 of the GDPR)
Name:  2HOURS S.r.l. 
VAT Number: 12698750010 
Registered Office:  Corso Galileo Ferraris 127, 10128 Torino (TO) 
2HOURS S.r.l. (hereinafter, “Controller,” “2HOURS”), as the Data Controller (“Controller”), informs you pursuant to Article 13 of EU Regulation no. 2016/679 (hereinafter, “GDPR”) that your data will be processed with the methods and for the purposes described below:
1. Subject of the Processing 
The Controller processes the identifying data communicated by you during the registration and access phases to the services of the “2HOURS” application. By way of example and without limitation, the following data may be processed: name, surname, date of birth, tax code, gender, address, phone number, email, profile picture, anthropometric data (e.g., height, weight, etc.), payment data, including payment cards, etc. (hereinafter referred to as “Personal Data” or simply “Data”), including usage data generated indirectly through the use of the application.
The “2hourS” app is capable of tracking the user’s device by saving the so-called “Universally Unique Identifier” (UUID) for statistical analysis purposes and to store preferences. Furthermore, additional device data and technical information related to the User’s network (e.g., IP address) may be processed.
2. Purpose and Legal Basis of Processing 
Your personal data are processed for the following purposes: 
a) Allow the User to use the application; 
b) Allow the User to register within the 2HOURS Application through the registration form within the Application; 
c) Enable the User to book and use services provided by participating Partners such as gyms, fitness centres, wellness centres, sports associations, sports centres, and, in general, economic operators related to the sports and wellness sectors (hereinafter, the “Controller’s Partners”). The minimum necessary data will be communicated to the Partners for booking activities; 
d) Send the user messages and communications strictly functional to ensure interaction with the application (e.g., registration confirmation email, password recovery email, email for email address verification, etc.); 
e) Send the User messages and communications related to the contract management to the email address provided during registration or to the mobile number indicated during registration; 
f) Manage User requests; 
g) Manage payments related to the contractual performance (e.g., payment for services offered on the application, etc.); 
h) Allow the User to upload and view their medical certificate within the Application to provide them with the ability to easily and quickly display the medical certification required by the Controller’s Partners. It is specified that in order to ensure the security and confidentiality of the User’s personal data, the medical certificate remains stored exclusively on the user’s mobile device and can only be viewed within the Application by the User.  The Controller will not have access to the data contained in the User’s medical certificate; 
i) Allow the User to send messages to the Controller through a specific contact form within the application or by sending an email to the Controller (in the latter case, the Data will not be processed directly through interaction with the application); 
j) Allow the User to interact with the content within the application (e.g., create their own personal account; search for gyms, fitness centres, wellness centres, and other sports and wellness centres of interest; search for Controller’s Partners through geolocation that allows viewing Partners geographically closest on a map; select specific sports centres and specific activities as favorites; send requests to book activities offered by the Controller’s Partners, etc.); 
k) Allow the User to generate a virtual and/or printable reservation to show to the Partner upon accessing the Activity; 
l) Fulfil pre-contractual, contractual, accounting, and tax obligations arising from existing relationships with the user; 
m) Fulfil obligations imposed by law, regulation, European legislation, or an order of the Authority; 
n) Acquire statistics and metrics aimed at ensuring the proper functioning of the application; 
o) Exercise the rights of the Controller (e.g., the right to defense in court). 
The legal bases for the above processing are as follows:
Regarding purposes a), b), c), d), e), f), g), i), j), k), and l), the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject;
In relation to purposes l) and m), the processing is necessary to comply with a legal obligation to which the Controller is subject.
Regarding purposes n) and o), the legal basis is the legitimate interest of the Controller, namely, to monitor the correct functioning of the application and exercise the rights of the Controller, such as the right to defense in court.
The provision of data for the aforementioned purposes is mandatory. In case of non-disclosure of the data, the Controller will not be able to allow you to use the 2HOURS application.
Regarding purpose c), specific consent will be obtained from the data subject for the communication of their personal data to the Partner during the booking phases of the activities.
Regarding purpose h), considering the processing of specific categories of the data subject’s data, the legal basis is the consent of the data subject. The provision of data is voluntary. Therefore, you may choose not to provide any data or later deny the possibility of processing data already provided. In such a case, the user will not be able to upload their medical certificate to the application. The user can revoke consent to data processing at any time without affecting the lawfulness of the processing based on consent prior to the revocation.
Furthermore, your data may be processed only with your specific and separate consent (Art. 7 GDPR) for the following Profiling and Marketing Purposes:
p) Sending the user emails, promotional communications, and push notifications containing commercial proposals, etc.
q) Profiling: Automatically conducted through the collection of information acquired directly from users and data related to users’ activities during the use of the application. Metrics are correlated through statistical algorithms to identify common traits and create specific aggregated and anonymized marketing profiles. Profiled users may be shown offers, advertisements, and sent personalized messages within the app for commercial purposes.
r) Communication of data to third parties for marketing purposes: Your identifying data (name, surname, email) may be communicated to third parties with your specific and separate consent for the purpose of sending commercial communications through automated tools (email and banners within the app).
In relation to purpose r), the third-party recipients of the communications of your personal data for sending commercial communications can be identified with reference to the following subjects and categories of goods or economic activities: gyms, fitness centres, wellness centres, sports associations, sports centres, and, in general, economic operators related to the sports and wellness industry.
The provision of data for purposes p), q), and r) is voluntary. Therefore, you may choose not to provide any data or later deny the possibility of processing data already provided. In such a case, you will not receive offers related to the products and services offered by the Controller or its partners. You can revoke consent to data processing at any time without affecting the lawfulness of the processing based on consent before the revocation by following the instructions available at the bottom of each newsletter and commercial communication or by sending a communication to the email address:  
Please note that, in case you purchase products and/or services within the application, we may send you commercial communications related to services and products similar to those you have already used, unless you exercise the opt-out option (Art. 130, paragraph 4, Privacy Code).
3. Duration of Processing
Personal data will be stored for the time necessary to fulfil the purposes indicated in this notice. The Controller will retain, as required by the Civil Code, a copy of legally and commercially relevant correspondence for ten years.
If a user does not interact with the application for a period exceeding 36 months, their profile will be deleted, and all personal data will be eliminated through anonymization procedures (only anonymous statistics will be retained).
Logs generated by user actions on the platform are retained for a period of 36 months.
Data collected for profiling and marketing purposes will be kept until the withdrawal of consent by the data subject, and in any case, for a period not exceeding 36 months if the data subject does not interact with the newsletters transmitted by 2Hours. After the above-mentioned retention period, personal data will be deleted or pseudonymized, except in exceptional cases where it is necessary to retain the data to defend the rights of 2HOURS in relation to ongoing disputes.
User’s personal data may also be retained for the time necessary to ensure a legal defense or to pursue any abuses in the use of this application.
4. Data Communication
Your data may be communicated (anonymised and in aggregated form) to partner companies to send promotional messages, including personalized ones, through the application.
User data will not be publicly disclosed but may be made accessible, where necessary for the provision of services or by law:
to employees and collaborators of the Controller in Italy and abroad, in their capacity as authorized persons for the processing of personal data and/or system administrators;
to Partners of the Controller as defined above (subject to consent collection during activity booking);
to third-party companies or other entities (such as credit institutions, professional firms, IT consultants, etc.) that perform outsourcing activities on behalf of the Controller, acting as external data processors.
The Controller may disclose your data for the purposes specified in Article 2 to supervisory bodies, judicial authorities, public entities to which the communication of data is mandatory, and those subjects to whom communication is required by law for the fulfilment of said purposes.
The Controller lists below the main controllers and sub-controllers employed for the proper functioning of the application: 
Data processor | Reference
Amazon (S3, Lambda)

5. Permissions required by the application
To allow you to use the ‘2HourS’ app, we request the following permissions:

Push notifications: Allow the user to receive notifications from the app
Camera: Allow the user to take a photograph and use it as a profile picture
Position: The application may need to detect the user’s GPS location solely for the purpose of showing nearby Partner facilities.

6. Data Transfer
Personal data is stored on servers located within the European Union, owned by the Controller and third-party companies duly appointed as Data Processors.
The Controller may transfer certain categories of user data to third countries outside the European Union. Data will be transferred exclusively to countries deemed adequate by the European Commission or to companies that meet the safeguards provided by Articles 44–50 of the GDPR.

7. Data Subject Rights
In relation to the data processing described herein, you may exercise the rights provided by the GDPR (Articles 15-22), including:
a. receive confirmation of the existence of the Data and access their content (right of access);
b. update, modify, and/or correct the Data (right of rectification);
c. request the deletion or limitation of the processing of Data processed unlawfully, including those for which storage is not necessary for the purposes for which the Data were collected or otherwise processed (right to be forgotten and right to limitation);
d. object to the processing (right of objection);
e. lodge a complaint with the Supervisory Authority (Italian Data Protection Authority) in case of violation of data protection regulations;
f. receive a copy in electronic format of the Data concerning you as a Data Subject when such Data have been provided in the context of a contract and request that such Data be transmitted to another Controller (right to data portability).

8. Processing of Minors’ Data
In Italy, to use the Services, it is necessary to be at least 18 years old. In some jurisdictions, this age limit may be different.
We do not intentionally collect information about individuals under the age of 18 (in some jurisdictions, this age limit may be different). If we discover that an individual under the age of 18 has provided us with their personal data, we will delete the collected information. If you are aware of any user using the Services who is below the minimum age required to use it, please contact us at the email address:

9. Procedures for Exercising Rights and Contact Information of the Controller
The Controller is:
2HOURS S.r.l. with registered office at Corso Galileo Ferraris 127, 10128 Torino (TO)
You can exercise your rights at any time by sending:
a registered letter with return receipt to: 2HOURS S.r.l. with registered office at Corso Galileo Ferraris 127, 10128 Torino (TO)
an email to the address:

10. Contact Information for the Data Protection Officer (DPO)
The Data Protection Officer (DPO) of 2HOURS can be contacted by sending an email to the following address:

11. Information not included in this Policy
Further information regarding the processing of personal data can be requested at any time from the Controller using the contact information.

12. Changes to this Policy
This Policy may undergo changes. Therefore, it is recommended to regularly check the updated version of this Policy within the ‘Legal Notes’ section.