Privacy Notice App Amarantya

Privacy Notice for App users pursuant to Articles 13 and 14 of EU Regulation 679/2016
Last updated June 04, 2025

SUMMARY

Introduction
Personal Data processed
Purpose of the processing of Personal Data
Methods of processing Personal Data
Recipients of Personal Data
Personal Data circulation space
Personal Data retention periods
Data Subject rights regarding Personal Data
Exceptions to the exercise of rights
Methods for exercising rights
Amendments and updates to the Privacy Notice
Set your preferences for Data collected from Device and App
WORDKEY

1. Introduction

This Privacy Notice, drafted pursuant to EU Regulation 2016/679 ('GDPR') and applicable national personal data protection laws, helps you better understand what data is collected, for what purposes, and how you can manage your information.

The Data Controller of your personal data is Panta Rei S.r.l. (hereinafter also referred to as 'Panta Rei' or the 'Company') – with registered office at Via Camillo Benso Conte di Cavour, 17 – 30032 Fiesso d'Artico (VE), VAT number 04219700285 – with whom you have decided to establish a relationship by using the Amarantya App and related Services.

The Data Protection Officer can be contacted at the Company through the following channels:

• by sending a registered letter with return receipt to the Data Controller’s address: Panta Rei S.r.l., Via Camillo Benso Conte di Cavour, 17 – 30032 Fiesso d'Artico (VE), VAT number 04219700285

• by sending an email to or to privacy@amarantya.com;

• by calling the number (+39) 049 7968832

To make the following explanation simpler and more accessible, we have included some examples and created WordKeys, which refer to more detailed explanations available at the end of this document.

The Privacy Notices are always available in the privacy section of our website at: www.amarantya.com

2. Personal Data processed

When you use the Amarantya App, we may collect the personal data listed below.

The data collected and the purposes for which it is processed depend on how you use the Amarantya App and how you configure the Device and/or App you are using.

a) Possible Personal Data processed

While using the Amarantya App, you may provide us with personal data, identifying and non-sensitive (in particular: email). This happens, for example, when you want to access or open your user account through the Amarantya App, or when you send us questions and/or requests or interact with our support services.

If you provide data of third parties, you assume all legal obligations and responsibilities, holding us harmless from any complaint, claim, or demand for damages from data processing, etc., that we may receive from third parties whose Personal Data you have shared and thus processed in violation of applicable data protection laws.

b) Data processed by Device and App

When you access the Amarantya App, we collect information from the Device you are using.

This information is collected through SDKs embedded in the Amarantya App, which help us avoid issues with content display, service crashes, and unauthorized access. More information about SDKs can be found in the section “Set your preferences for Data collected from Device and App” below.

The Amarantya App may ask to access certain information on your Device, such as:

• Camera (e.g., to allow sending images);

• Storage (e.g., to allow you to save or open images/documents present in or downloadable from the Amarantya App);

3. Purpose of the processing of Personal Data

The Data is used for the following purposes and legal bases:

• the performance of the contract and/or fulfillment of pre-contractual commitments, in particular to:

- manage pre-contractual and contractual relationships;

- execute the contract;

- manage collections and payments;

- avoid service anomalies. For example, we may detect an anomaly when opening the Amarantya App, a link, or a section contained therein to avoid a system bug or prevent it from recurring. This processing is based on the need to ensure Service performance, as well as our legitimate interest in avoiding malfunctions.

• the Data Controller’s compliance with legal obligations, such as:

- compliance with obligations imposed by laws, regulations, or EU/national legislation, or by competent authorities;

- preparing and processing tax declarations and related obligations;

- maintaining accounting records and related requirements.

• pursuing a legitimate interest of the Data Controller, in particular:

- exercising the Controller’s rights in legal proceedings and managing any disputes;

- preventing and suppressing unlawful acts.

The Data may also be processed for periodic evaluation activities of the ethical and legal requirements set by the Company in its Code of Ethics.

4. Methods of processing Personal Data

All Data collected for the above purposes is processed both manually and through automated decision-making processes, i.e., via programs and/or algorithms that analyze information such as your location data and Data collected from Device and App.

Your Data may also be subject to combination and/or cross-referencing with other data from the Company’s databases, based on the various consents you have provided (e.g., consent for profiling, cookies, and marketing).

In any case, your personal data will never be monetized or sold to third parties.

5. Recipients of Personal Data

We share your Data with the following categories of subjects ('Recipients'):

• persons authorized by us: our employees and/or collaborators who have signed a confidentiality agreement and specific data processing rules;

• our data processors: external parties to whom we entrust certain processing operations. This includes, for example, system security providers, consultants, data hosting technology platforms, etc. We have signed contracts with each of these parties to ensure that your Data is processed with adequate safeguards;

• third parties we collaborate with: independent data controllers we partner with to fulfill your requests;

• law enforcement or any other authority to whom we are legally obliged to disclose your Data: for example, to comply with a judicial order, a regulatory authority request, or to defend ourselves in court.

6. Personal Data circulation space

Some of your Data is shared with Recipients who may be located outside the European Economic Area.

We ensure that the processing of your Data by us and the Recipients complies with European and Italian legislation.

Transfers of your Data to Recipients may be based on an adequacy decision or on the Standard Contractual Clauses approved by the European Commission, and always in compliance with the recommendations of the European Data Protection Board (EDPB) and applicable laws.

In other countries, where required by the GDPR, your Data transfer will be governed in accordance with the principles of EU Regulation 2016/679 in the contractual relationships maintained by the Company.

In any case, as a Data Subject, you may always request more information regarding the transfer of your Data by writing to privacy@amarantya.com.

7. Personal Data retention periods

The Data processed for the above purposes will be retained as long as you use the Amarantya App and for the time strictly necessary to achieve those same processing purposes.

The Company processes and retains the Data Subject’s personal data for the entire duration of the contractual relationship (purchase by the Data Subject of a premium version with additional paid functionalities – 'Amarantya Premium Services') and, in any case, for no longer than 10 years after termination of the contractual relationship, in order to fulfill related and subsequent obligations, comply with applicable legal and regulatory requirements, and for defense purposes, until the data retention period expires.

In particular, the Data will be retained throughout the duration of the contractual relationship and even after its termination, in compliance with civil and tax obligations (e.g., civil obligation to retain invoices and company documentation for at least 10 years).

Data acquired during the pre-contractual negotiation process or while using the free version with basic functionalities ('Amarantya Basic Service'), if not followed by a contractual relationship with the Company, will be retained for no more than 5 years from collection.

Once the retention periods have expired, the data will be destroyed or anonymized.

At the end of the applicable retention period, the personal data relating to Data Subjects will be deleted or stored in a form that does not allow the Data Subject to be identified, unless further processing is necessary for one or more of the following purposes:

• resolution of pre-litigation and/or litigation initiated before the retention period expires;

• compliance with investigations/inspections by internal control functions and/or external authorities initiated before the retention period expires;

• responding to requests from Italian and/or foreign public authorities received/notified to the Company before the retention period expires.

8. Data Subject rights regarding Personal Data

You may exercise the following rights at any time:

• Right of access;

• Right to rectification;

• Right to erasure;

• Right to restriction of processing;

• Right to data portability;

• Right to object.

Right of access

The right of access allows the Data Subject to know which personal data referring to them is processed by the Company, pursuant to Article 15 of the GDPR, and to receive a free copy (a fee may be charged for any additional copies requested, based on administrative costs). Information provided includes processing purposes, data categories, retention period or, if not possible, criteria used to define such period, as well as safeguards applied in case of data transfer to third countries, and the rights exercisable by the Data Subject.

Right to rectification

The right to rectification allows the Data Subject to obtain the update or correction of inaccurate or incomplete data concerning them, as set out in Article 16 of the GDPR.

Right to erasure (so-called 'right to be forgotten')

The right to erasure, or right to be forgotten, allows the Data Subject to have their personal data erased if one of the conditions provided for in Article 17 of the GDPR is met, particularly in the following cases:

• the personal data is no longer necessary for the purposes for which it was collected and processed;

• the Data Subject withdraws consent on which the processing is based, and there is no other legal basis for the processing;

• the Data Subject objects to the processing and there is no overriding legitimate reason for the Controller to continue processing for:

o the pursuit of a legitimate interest of its own or of third parties, and there is no prevailing legitimate reason of the Controller to continue processing;

o direct marketing purposes, including profiling related to it;

• the Data Subject’s personal data has been unlawfully processed.

This right may also be exercised after consent is withdrawn. However, the Company may not delete the personal data if processing is necessary, for example, to comply with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.

Right to restriction of processing

The right to restriction of processing can be exercised by the Data Subject if one of the conditions in Article 18 of the GDPR applies, particularly in the case of:

• unlawful processing, as an alternative to erasure;

• request for data rectification (pending rectification) or objection to processing (pending the Controller’s decision).

Except for storage, any further processing of the restricted data is prohibited unless the Company no longer requires it and there are no legal bases or purposes justifying its continued processing.

Right to data portability

The right to data portability under Article 20 of the GDPR allows the Data Subject to use their data held by the Company for other purposes. Each Data Subject may request to receive their personal data or have it transferred to another Controller in a structured, commonly used, and machine-readable format, if technically feasible. In this case, the Data Subject must provide the exact details of the new Controller and written authorization.

In particular, the data that can be ported includes identifying data (e.g., email). This right does not apply to non-automated processing (e.g., paper records).

Right to object

The right to object, under Article 21 of the GDPR, allows the Data Subject to object at any time, for reasons related solely to their situation, to the processing of personal data concerning them. The Data Subject may object at any time if the processing is carried out for public interest purposes or for the legitimate interest of the Controller (including profiling).

If the Data Subject exercises the right to object, the Company will refrain from further processing their personal data, unless there are compelling legitimate grounds to proceed (overriding the Data Subject’s interests, rights, and freedoms), or the processing is necessary for legal claims.

Additional rights of the Data Subject

• Right to lodge a complaint with the Data Protection Authority

Without prejudice to the Data Subject’s right to lodge a complaint with other administrative or judicial authorities, they may lodge a complaint with the competent Data Protection Authority if they believe that the processing of their personal data by the Controller is in breach of the Regulation and/or applicable legislation.

9. Exceptions to the exercise of rights

Data protection law provides for specific exceptions to the rights granted to the Data Subject.

However, the Company must continue to process the Data Subject’s personal data if one or more of the following conditions apply:

• compliance with a legal obligation applicable to the Company;

• resolution of pre-litigation and/or litigation (own or third party);

• internal and/or external investigations/inspections;

• requests from Italian and/or foreign public authorities;

• reasons of significant public interest;

• performance of a contract between the Company and a third party;

• any additional technical blocking conditions identified by the Company.

10. Methods for exercising rights

Each Data Subject may exercise their rights by contacting the Company at the following:

• by sending an email to or to privacy@amarantya.com;

• by calling the number (+39) 049 7968832

The response time is one (1) month, extendable by two (2) months in particularly complex cases; in such cases, the Company will provide at least a preliminary reply within one (1) month.

The exercise of rights is generally free of charge; the Company, considering the complexity of the request and in the case of clearly unfounded or excessive (including repetitive) requests, reserves the right to request a fee.

The Company has the right to request additional information necessary to identify the requester.

This Privacy Notice explains the processing carried out by the Company as Data Controller on the Amarantya App. For other processing activities, please refer to the specific notices provided at the time of Data collection, also available in the privacy section of our official website.

11. Amendments and updates to the Privacy Notice

This Privacy Notice is effective as of 04/06/2025. We reserve the right to modify or simply update its content, in whole or in part, even due to changes in applicable laws. In the case of substantial changes to this Notice, they may be communicated through the Company’s various channels (including, but not limited to: banner, email, official website, push notifications, etc.).

12. Set your preferences for Data collected from Device and App

a) SDKs

The SDKs we use on the Amarantya App are technical and anonymized third-party tools, duly appointed as data processors. They are used solely to verify the proper functioning of the App, to generate temporary passwords (so-called OTPs), and for anti-fraud purposes. To view and learn more about the list of SDKs used, simply log in to the app’s reserved area and follow the path: Menu > Settings > Customize > Consent Management.

b) Unique Identifiers

If you wish your Device not to share Unique Identifiers with us or with other applications, or if you want to reset them, you can do so by properly configuring your Device.

c) Location data

If you do not want to share your location data with us, you can disable the location permission in your Device settings. If you want to limit the location data we process, you can do so by setting your Device to allow tracking only while using the Amarantya App.

13. WORDKEY

Personal Data: refers to any information that identifies or makes a natural person identifiable, directly or indirectly. For example, name, surname, email address, Unique Identifiers, etc. are considered Personal Data.

Services: collectively refers to the services provided by us through the Amarantya App.

Amarantya App: refers to our 'Amarantya' application (App Store and Google Play) installed on your Device.

Combination and/or cross-referencing: means the fully or partially automated operations by which we combine your location data and data collected from Device and App to provide Services, measure their effectiveness, and create new ones. We may perform Combination and/or cross-referencing also across different sources, e.g., from data collected from Our Sites and App or from our databases or third parties based on the consents provided.

Unique Identifiers: information that can uniquely identify you through your browser, Device, and/or App. On browsers, these include IP address and cookies. On devices, these include advertising identifiers such as Apple’s IDFA or Android’s AAID. Note that, in line with opinions from European Authorities, we do not use other Identifiers like MAC Address and IMEI, since they cannot be reset by you. For how to reset or not share Unique Identifiers, refer to the section 'Set your preferences for Data collected from Device and App'.

Device Sensors: depending on your Device, these may include sensors such as accelerometer, gyroscope, Bluetooth, Wi-Fi, and GPS, which collect and share information with the Device and therefore with the Amarantya App. If enabled in your Device settings, these allow us to collect your location data.

Aggregated Information: statistical data derived and stripped of your Personal Data so that it is no longer traceable to you. We use this to measure the effectiveness of our Services.

SDKs: software libraries installed along with the Amarantya App. They allow for data collection similar to cookies in browsers. SDKs allow us to collect information from your Device, including Unique Identifiers.

Our Sites and App: include our social media pages, our App, and websites: www.amarantya.com