Information on the processing of personal data and methods of permitted use – My Corisit APP

This document is drawn up to inform users of the My Corisit Application about the processing of their data that takes place when they access and use the features of the App, and to set out the permitted methods of use of the App.
The document may undergo updates or revisions over time as a result of changes in the operating methods or changes in the reference legislation (General Data Protection Regulation, GDPR Reg. EU 2016/679).
The current version is updated to 28/06/2024 (ver. 01)

Data Controller

The Data Controller is Corisit S.R.L., with registered office in Viale Galileo Galilei 26, 42046 Reggiolo (RE) and VAT number 02628000354, owner of the My Corisit application (hereinafter also “Application”).

The Application is conveyed and made available to Android and Apple Users through the store app by Micronova S.R.L., a company that deals with the development and maintenance of the Application. Micronova acts under the responsibility and on behalf of Corisit S.R.L., as external data processor and with the task of developing and keeping the Application updated.

Definitions

Personal data: any information that may determine the identity or identifiability of a natural person;

Data Subject: natural person to whom the personal data refer;

Processing of personal data: any operation carried out on personal data (use, viewing, collection, modification, storage, deletion, communication, etc.)

Data Controller: person who determines the purposes and means of data processing;

External Data Processor: a person identified by the Data Controller to carry out certain processing operations under its authority;

My Corisit: mobile application downloadable on Android or Apple devices for the management of heating systems (hereinafter also “Application” or “App”);

User: a person who has purchased a Corisit heating system enabled for remote control using the Wi-Fi Module who chooses to use the App’s features;

Cloud Corisit: set of computer systems that guarantee the operation of the Application, including servers and applications that receive, process and apply the settings determined by the user through the App;

Wi-Fi module: information transmission and reception system integrated or connected to the heating system that allows communication between it and the Corisit Cloud.

Purposes of processing and legal bases

Purpose of improving and completing the service offer and guaranteeing customers access to the service

Corisit makes available free of charge, to its customers who have purchased heating systems with Wi-Fi Module, the My Corisit Mobile Application, aimed at improving and completing the offer of the Data Controller’s products/services to its customers. The Application has, in fact, the purpose of facilitating the management of heating systems remotely through the user’s smartphone, to significantly improve the experience of use and efficient consumption of the systems, being able to manage all technical and operational aspects including:

  • Switching on/off;
  • Ambient temperature;
  • Water temperature (for Hydro stoves);
  • Control of ventilation;
  • Schedule.

The legal basis that legitimises the processing is linked to the execution of a contract to which the data subject is a party, as well as to Corisit’s legitimate interest in being able to improve and offer a more complete service to its customers. This interest of the data controller is considered balanced with respect to the legitimate expectations and risks to the rights and freedoms of the data subjects, since for the operation of the systems the download and use of the Application is not mandatory (since these can be controlled directly on site by the customer through the system control panel), the data collected and processed are only those strictly related to the operation of the application (minimisation) and strict security measures are provided for data protection.

Purpose of guaranteeing the operation and protection of the computer system of the Application and verifying the existence of illicit/unauthorised uses

The computer systems and software procedures used to operate the Application acquire, during their normal operation, some personal data whose transmission is implicit in the use of the Internet communication protocols.

This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. The Application and the communication of navigation data are protected by a secure communication protocol “HTTPS”, which allows an encrypted connection between Cloud Corisit and the User’s computer device. Among this information communicated implicitly by the communication protocols is the transmission of:

  • IP address;
  • action requested by the user;
  • time of request;
  • request parameter.

The processing of this data is essential to allow Users to correctly access the Application and its functionalities.

Finally, this data could be used to verify and counter cyber threats to the system itself and to collect evidence to be used in litigation and/or to be communicated to the competent authorities.

The processing is based on the legitimate interest of the Data Controller to guarantee the access and operation of the Application, its security from cyber threats and to protect its rights in court/out of court as well as to notify any illegal conduct to the competent authorities.

Finally, the controller may process the data of the data subject in order to ascertain compliance with the requirements in the section “Permitted methods of use” and to take the necessary measures to interrupt and sanction non-compliant behaviour or behaviour in violation of the law.

The legal basis for the processing lies in the legitimate interest of the Data Controller to ensure the proper and regular functioning of the Platform by Users. Any control activities will be carried out in such a way as to comply with the principles of proportionality and necessity, on a sample basis, with preventive blocking tools or with automated anomaly detection tools.

Purposes of statistical collection for analytical purposes

The Data Controller may process information on the use of the Application by Users. This information, processed where possible in anonymised and/or aggregated form, will be necessary to collect statistics on the interaction of Users with the Application itself in order to assess actions to improve, enhance or revise the functionalities in order to optimise, make the User experience more pleasant and meaningful, as well as to assess more generally the impact of the tool on its customers.

The results of the processing will not constitute personal data, as they will be expressed in aggregate terms and for the exclusive internal use of Corisit. The data, including personal data, on which such processing will be based are intended for exclusively internal use and accessible only to the application managers in charge of extrapolating the reports.

The legal basis of the processing lies in the legitimate interest of the Data Controller to improve and enhance the Application and the User experience based on analytical data, in order to make these implementations relevant to the achievement of the purpose of the Application.

Litigation management purposes

If a dispute arises between the User and Corisit regarding the functionality and use of the application, the Data Controller reserves the right to process the data collected and processed by the latter to defend itself in court or out of court. In the event of a violation of legal regulations by the User, the Data Controller may contact the competent authorities so that, if necessary, they can take action to prosecute the unlawful conduct.

This processing is based on the legitimate interest of the Data Controller to defend its rights in court and to ensure that the Application operates in a legal context, also in order to protect the Data Controller from possible violations of legal provisions resulting from the unlawful use of the application by Users.

Purposes of diagnostics and monitoring-analysis of use

Corisit, following the express consent given by the user at the time of registration or subsequently through the App, may process information on the use and operation of the application and/or heating systems for the purpose of diagnosing any malfunctions and as part of the improvement of the service offered by Corisit and/or its products.

The legal basis for carrying out this processing lies in the express consent of the data subject. The consent may be revoked at any time, without affecting the lawfulness of the processing carried out up to that moment on the basis of the consent given.

Methods of processing and provision of data

To allow the use of the functions of the Application, the heating systems must be equipped with a Wi-Fi module, which guarantees communication between the system and the control system at the Corisit Cloud.

To use the Application, the customer must have an internet connection and register using the form on the app’s log-in screen. The validity of the email address communicated will be verified by sending an OTP code, which must be entered in the Application to complete the registration.

Failure to register will make it impossible for the user to access the app’s features.

Once the authentication has been carried out, the user can proceed with the configuration of the systems within the Application through the appropriate function.

To configure the system, in order to identify it within the Corisit systems, the user must provide some identification codes through the Application, necessary to connect the system to the user’s profile.

For the insertion and management of the system, the My Corisit Application may need and request permissions for the use of the following smartphone technologies:

  • Bluetooth: the communication connection with the available systems uses BLE (Bluetooth Low Energy) technology, which is also used to configure the Wi-Fi network on the Wi-Fi module connected to the system;
  • Geolocation: improve the accuracy of Bluetooth scanning;
  • Camera: framing the QR codes and barcodes for the automated reading of the system identification codes;
  • Notifications: promptly communicate information on events relevant to the management of the system;
  • Cellular data internet network: allow communication between smartphones and Corisit Cloud, necessary to access the app’s features.

The user can decide whether to deny or authorise the permissions to use these technologies during the configuration of the App, and can modify the authorisation preferences through the settings of their smartphone. However, denying or limiting the App’s access to these technologies may make the features of the App totally or partially inaccessible to the user.

The system is managed with the following transmission methods:

  • the user interacts with the Application to change the system management settings;
  • the changes are sent by the App over the internet to the Corisit Cloud, which transposes the information and transmits it, again over the internet, to the Wi-Fi module of the system;
  • the Wi-Fi module receives the information and modifies the operating settings of the system, sending feedback to the Corisit Cloud, which retransmits it to the Application.

This process will involve the transfer of information to the Corisit Cloud, in order to guarantee the correct functioning and security of the processing carried out, as well as to achieve the purposes described above.

Finally, the user can choose to connect their smartphone to the Wi-Fi module via BLE (Bluetooth Low Energy) to set and modify the system settings, bypassing communication with the Corisit Cloud. Communication with the Corisit Cloud is still necessary for the initial setup (obtaining the access code and configuration of the connected system). This technology operates only in local contexts, as the connection technically has a limited range, since it relies on BLE functions.

Communication of data to third parties

Users’ personal data may be disclosed to the following categories of third parties:

  • managers of data centres, databases and services provided in SaaS, to ensure access, proper operation and security of the Application;
  • subjects who deal with the development and maintenance of the application, as part of the performance of their activity, may come into contact with the information collected or provided by Users;
  • competent public authorities, if the User acts in violation of the law when using the Application.

Data retention

The data are stored for a period of time sufficient to guarantee the achievement of the purposes for which they are processed. Unless there are different relationships between the Data Controller and the User or conditions of lawfulness that justify the storage of the data (e.g. legal obligation or protection of the rights of the data controller in court), these are kept with the following criteria:

  • data provided by the user for the registration and configuration of the application: this data is kept by the Data Controller for as long as there is an active account to access and use the application, until the request for cancellation and/or revocation of the consent underlying the processing; the account can be deleted independently by the user through automated functions made available through the application. The Data Controller, in order to avoid the presence of unused/unattended accounts that have access to its systems, also applies the following policy for the retention of data relating to the account in the event of its inactivity:
    • following the non-use of the App and the account for a period of 3 years, the account will be deactivated and it will no longer be possible to access it with the current credentials, unless a request for reactivation is submitted by the User to the Corisit service channels;
    • after 1 year from the deactivation of the account, in case of no request for reactivation and consequent lack of continuous use, the account will be permanently deleted and it will be necessary to proceed with a new registration in order to access the services of the App again;
  • data collected by the controller to allow the operation of the application and communication with Corisit servers: these technical data are stored for the minimum time necessary to ensure the management of the request as well as to verify any anomalies with respect to the security of the computer system; after which this information is stored and further processed in aggregate form for statistical purposes.

Only the technical data necessary to guarantee the maintenance of the user’s login and the systems managed by the user will be stored on the user’s device. This information is removed upon logout.

Rights of the data subject and how to exercise them

Users, as data subjects, have the right to request:

  • access to their personal data held by the Data Controller;
  • rectification or updating of data;
  • the cancellation of the same;
  • restriction of processing;
  • opposition to processing;
  • data portability.

These rights may be exercised in the manner and with the limitations set out in Articles 15 to 22 of the GDPR and Articles 2-undecies and 2-duodecies of Legislative Decree 196/03 supplemented with the amendments made by Legislative Decree 101/18 of harmonisation to the GDPR.

For more information on how to process data and exercise rights, it is possible to read the or write to the email address: privacy@corisit.com

In order to facilitate the identification of the request to exercise the rights of the data subject, the communication should specify the following formula in the subject: “Request to exercise the rights of the data subject – Privacy”. Within the communication, it is also important for data subjects to specify their identity, the nature of their relationship with the Data Controller and the right they intend to exercise, as well as all the information deemed useful to identify the data and processing involved in the exercise of the rights (e.g. indicating the usual contact/contact persons at the Data Controller). To this end, we suggest using the form for the exercise of rights prepared by the Guarantor for the protection of personal data (downloadable in PDF format or editable Word format, or made available upon request by the Data Controller).

In accordance with the law, feedback will be provided to the data subject within one month, a period that can be extended up to three months in case of particular complexity of the request (notifying the data subject of this extension).

If part of the processing has as its legal basis the consent given, the User has the right to revoke it at any time without prejudice to the lawfulness of the processing based on the manifestation of the same given previously.

You have the right to lodge a complaint with the Data Protection Authority by sending a certified email to protocollo@pec.gpdp.it, or through the other contact tools made available by the Data Protection Authority on its website: https://www.garanteprivacy.it/home/modulistica-e-servizi-online, or with the competent controlling authority of another Country of the European Union.

Permitted methods of use

  1. The user may use the Application exclusively for the purposes explicitly stated and declared by Corisit (operational management of heating systems).
  2. In order to access the services of the Application, the user must be of legal age and register using the registration form present at the start of the App and, subsequently, authenticate themselves. You cannot use the App without registering and authenticating.
  3. The user profile is to be understood as personal and not transferable to third parties without authorisation from the supplier.
  4. The login credentials to authenticate must be kept by the user in an appropriate manner and kept secret, in order to prevent any illegal access. The access password must be regularly changed and comply with the complexity requirements set by the supplier.
  5. The following behaviours are expressly prohibited:
    1. take any action that:
      1. may unreasonably burden the structure of the Application;
      2. interferes with the proper functioning of the Application;
      3. circumvents or attempts to circumvent measures to prevent or restrict access to the Application;
      4. circumvents, interferes with or disables the security measures applied to the Application;
      5. distributes malware or other malicious software that may damage the Application, users and their computer systems;
      6. circumvents or manipulates the structure of the Application;
    2. use the Application or the features made available through it for illegal purposes or in illegal ways, even where not covered by this document;
    3. use the Application or its features in the event of temporary or permanent suspension of the user profile;
    4. carry out actions that may cause an unreasonable overload of activities of the technological infrastructures of the Application;
  6. Failure to comply with the aforementioned requirements may result in the suspension or cancellation of the user profile, depending on the severity and/or repetition of the violations detected.
  7. The access and functionality of the Application may be temporarily or permanently interrupted, in whole or in part, due to technical problems, to ensure the correct maintenance of the IT infrastructure, as well as its maintenance in a state of efficiency and security. Such service interruptions will be, if possible, notified in advance through the Application or by sending informative communications by e-mail.
  8. Corisit cannot be held liable for any direct or indirect damage, missed opportunity, lost profit or any other damage or loss of any kind related to the access and use of the Application if it is used in a manner that does not comply with the explicit purposes for which the Application was developed and made available, or as a result of non-compliance with the provisions set out in the previous points of this section.
  9. After a period of continuous inactivity (no access to the App or no use of the same) of 3 years, Corisit will proceed to deactivate the access account to the App; the account can be reactivated at the request of the User. After a further 1 year from deactivation, if no reactivation request is made, the account will be permanently deleted and, in order to access the services of the Application again, it will be necessary to register and configure it again.
  10. This document is governed by and must be interpreted according to Italian law.
  11. Any dispute that may arise regarding the interpretation, validity and execution of this document will be referred to the exclusive jurisdiction of the court of Reggio Emilia, unless the current legislation establishes different methods of identifying the competent court.