Privacy Notice

Connect Me Too® – Privacy Notice

1. Introduction

CMT S.r.l., with its registered office at Via Bartolomeo D'Alviano 18, 20146 Milan (VAT No. IT09760300153), provides the "Connect Me Too®" platform, an application designed to manage events featuring audio description, specifically tailored for users who are blind, visually impaired, or affected by multiple visual disabilities.

This Privacy Policy is issued in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable Italian data protection legislation (Legislative Decree No. 196/2003, the "Privacy Code", as amended by Legislative Decree No. 101/2018). It clearly and transparently describes how the personal data of users of the Connect Me Too® App is processed, ensuring confidentiality and security in full compliance with the above-mentioned laws.

2. Data Controller

The data controller for the personal data collected for the use of the Connect Me Too® App varies depending on the operational phase, as outlined below:

(i) "Pilot Match" phase: during the pilot phase of the Connect Me Too® project (the "Pilot Match" means the first match in which a new Event Organiser decides to test and evaluate the service using participants already registered on the App, either on-site or remotely), CMT S.r.l., as identified above, acts as the sole data controller for users' personal data. In this phase, users register on the App by providing their personal data directly to CMT, who processes such data independently to enable access to the service.

(ii) Initial Phase: in this phase, CMT S.r.l. remains the data controller. Users register on the App by providing their personal data directly to CMT, who processes such data independently to enable access to the service. CMT S.r.l. determines the purposes and means of processing the data provided by users in connection with the service and assumes the obligations set forth in the GDPR.

(iii) Code entry and independent data control by event organiser: when an Event Organiser provides the user with a unique code and the user enters this code into the App to access that Organiser's events, the Event Organiser becomes an independent data controller for the user's personal data and all processing operations related to their own events.

(iv) Role of CMT S.r.l. after code entry: following the step described above, CMT S.r.l. continues to act as independent controller for data related to user registration, technical operation and use of the application, even after the unique code has been entered. The processing is carried out solely for the purposes strictly necessary to deliver the service. CMT S.r.l. does not use such data for its own purposes.

3. Data Processors and other authorised personnel

In order to deliver the service, CMT S.r.l. may engage external parties appointed as data processors, in accordance with Article 28 of the GDPR. Specifically, user data is stored on a secure cloud infrastructure managed by a specialised provider appointed by CMT S.r.l. as a Processor. This provider ensures high standards of security and compliance, and does not access or use the data for its own purposes, limiting its role to secure storage and any necessary technical maintenance of the service.

Within CMT S.r.l., users' personal data is accessible only to authorised staff assigned processing duties, solely within the scope of their roles and subject to a confidentiality agreement.

4. Legal Basis for the Processing

The processing of personal data by CMT S.r.l. is based on the necessity of allowing the user to access the App and use the related services, in accordance with the Terms and Conditions of Use.

The legal basis is in line with Article 6(1)(b) of Regulation (EU) 2016/679 (GDPR), which states that processing is lawful when it is "necessary for the performance of a contract to which the data subject is party".

The service is specifically designed for individuals with visual impairments; however, no health data concerning the user's disability status is collected or processed. Therefore, no "special categories of personal data" are processed within the scope of the standard service provision, as defined under Article 9 of the GDPR.

5. Types of Data Collected and Purposes of Processing

The Connect Me Too® App requires and collects only a limited set of basic identifying information for the purpose of user registration:

• First Name
• Surname
• Email address

This data is strictly necessary to create and manage the user account and to enable access to audio-described events on the platform. No other personal data is requested and the App does not use cookies. The App also does not track the user's location and does not access any content stored on the device, except for standard connectivity functions required to deliver the service.

Purpose of the processing:

• Provision of the audio description service: the user's first name, surname and email address are used to register them and enable access to audio-described event content.
• Access management for events: the first name and surname may be linked to the list of users authorised to access a specific audio-described event.
• Content accessibility: the data collected allows for the personalisation of the user experience.
• Security and abuse prevention: data may be processed to ensure the security of the platform and prevent misuse.
• User support: contact details (email address) may be used to respond to support requests.
• No additional uses: personal data is not used for marketing purposes, newsletters or promotional communications, nor for automated decision-making or user profiling, unless the data subject explicitly consents to such processing in the future.

6. Data Retention Period

CMT S.r.l. retains users' personal data for only as long as is strictly necessary to fulfil the purposes for which the data was collected. In practice:

• Account and registration data: this data remains active for as long as the user maintains their account on Connect Me Too®. The user can delete their account independently at any time.
• Blacklist data (for misuse prevention): if a user is reported for misuse, their email address may be retained indefinitely for the sole purpose of preventing re-registration.
• Legal obligations and protection of rights: in certain cases, we may retain specific data for longer periods if required to comply with legal obligations or to protect rights in legal proceedings.

7. User and data subject rights

Users of the Connect Me Too® App, as data subjects under the GDPR, may exercise at any time the rights granted under Articles 15 to 22 of the Regulation. In particular, users have the right to:

• Right of access: obtain confirmation as to whether personal data concerning them is being processed
• Right to rectification: obtain the correction or updating of inaccurate personal data
• Right to erasure (right to be forgotten): obtain the deletion of personal data
• Right to restriction of processing: request that their data be temporarily "frozen"
• Right to data portability: receive the personal data they have provided in a structured format
• Right to object: object to the processing of their personal data on grounds relating to their particular situation
• Right to withdraw consent: withdraw at any time any consent previously given
• Right to lodge a complaint: submit a complaint to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)

To exercise your rights:

Requests will be handled by CMT S.r.l. without undue delay and, as a rule, within 30 days of receipt. The exercise of these rights is free of charge.

8. Security measures

CMT S.r.l. implements strict technical and organisational security measures to protect the personal data it processes, in accordance with Article 32 of the GDPR and industry best practices:

• Encryption and data protection: personal data is encrypted during transmission
• Principle of least privilege: access is restricted to authorised personnel only
• Role separation: user data is accessible only to the relevant Organisations
• Auditing and logging: all access is tracked and recorded
• Regular testing: security measures are periodically assessed and reviewed

9. Improper Use of the App and Blacklist

The Connect Me Too® App is intended strictly for personal, non-commercial use. The following activities are prohibited:

• Sharing access credentials or codes with unauthorised third parties
• Recording the audio description for any purpose other than personal listening
• Retransmitting or distributing the audio by any other means
• Enabling unauthorised individuals to listen collectively

In the event of confirmed misuse, appropriate measures will be taken, including notification to the relevant Organisation and/or competent authorities, inclusion in a blacklist, account deactivation, and possible legal action.

10. Contact and Requests

When contacting CMT S.r.l. by email, please specify in the subject line that your request concerns the Connect Me Too® App. CMT S.r.l. will respond as soon as possible.

11. Privacy Policy updates

This Privacy Policy may be subject to updates or changes over time. Any material changes will be communicated to users through appropriate channels (e.g. via in-app notifications or email).