Privacy Policy

Information notice on the processing of personal data

The protection of personal data is of primary importance to us and we want to ensure that the processing of personal data carried out by any means, whether automated or manual, takes place in full compliance with the protections and rights recognised by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the “Regulation”) and by the further applicable rules on the protection of personal data.

The Regulation provides that, prior to the processing of personal data – by which is meant, according to the definition contained in Article 4(2) of the Regulation, ‘any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, alignment or combination, restriction, erasure or destruction’ (hereinafter referred to as ‘the Processing’) – it is necessary for the person to whom such personal data belong to be informed of the reasons why such data are required and how they will be used.

In this regard, the purpose of this document is to provide you, in a simple and intuitive manner, with indications on the type of information and personal data collected through our App and/or our website and all the useful and necessary information, so that you can provide your personal data in a conscious and informed manner and, at any time, request and obtain clarifications and/or corrections.

This information notice (hereinafter, “Privacy Policy”) is provided pursuant to Articles 13 and 14 of the Regulation and is divided into individual sections, each of which deals with a specific topic in order to make it quicker, easier and more readable for you.

We also invite you to read the Terms and Conditions, because they contain further information on the processing of your personal data.

This Privacy Policy is provided only for the website www.ybab.it (hereinafter, the “Site”) and for our YBAB Mobile App (hereinafter, the “App”) and not for any other websites that you may access through

Personal data means all information that can be used to identify a person, which is already held by the data controller or of which the latter may come into possession. By way of example, the following are considered personal data: name and surname; address; tax code; date of birth; telephone number; information contained in an identity document; e-mail address; location. Personal data also includes data generated through the use of services offered through the Site or the App, such as browser and device information; IP address; data on the use of the Site; information collected through cookies and other technologies (hereinafter, “Personal Data”).
The company that will process your Personal Data and that, therefore, will play the role of data controller according to the definition contained in Article 4, point 7) of the Regulation is the company YOU BEFORE ANY BUSINESS S.R.L. – Benefit Company with registered office in Milan (Mi) Via Monte Rosa, 61, 20149, VAT No. 12783400968 (hereinafter, “Data Controller”).

No registration is required to access and consult the Website. However, in order to use the App and to access the services provided through the App, it is necessary to go through the registration process and provide certain Personal Data, including the email address info@ybab.it.

In any case, on the registration screen, it will be clearly indicated which information is required for registration and which information is optional and can be provided at your discretion.

As a general rule, we do not collect sensitive information regarding racial or ethnic origin, political opinion, religious belief, trade union membership, information about physical or mental health, sexual orientation and criminal history (“Special Categories of Data”). However, for the provision of welfare services, if expressly requested by you, the Controller may also process Special Categories of Data. In case we require the release of Special Categories of Data, we will provide you with all information on the purposes and methods of collection and we will ask for your prior consent to the processing of such data.

In addition to the Personal Data provided voluntarily, when you connect to the Site, the computer systems and software procedures used to operate the Site acquire, during their normal operation, certain Personal Data whose transmission is implicit in the use of Internet communication protocols.

This refers to navigation data, information that is not collected in order to be associated with identified Data Subjects, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes the IP addresses or domain names of the computers used by users who connect to the Site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment.

This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning. The data could be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Site only at the request of the supervisory bodies in charge. For information on the cookies used, please consult the Cookie policy.

All Personal Data will be processed in full respect of confidentiality in compliance with all applicable regulations (and therefore also in compliance with the principles of correctness, lawfulness, transparency, proportionality and protection of privacy and rights) and with logics strictly related to the purposes indicated in this Privacy Policy.

If the personal data has not been obtained directly from you, the Data Controller informs you that it has been provided by your employer.
The Processing of Personal Data will be carried out for the following purposes
Purpose: Managing the registration process and your personal account to enable you to take advantage of the services and features in your personal area of the App
Legal basis: The processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at his or her request

Purpose: Provision of corporate welfare services i.e. the provision of goods and services that the company can offer its employees
Legal basis: The processing is necessary for the performance of a contract with the employer to which the data subject is party, or the performance of pre-contractual measures. In the provision of corporate welfare services, we may act as data controllers on behalf of your employer and other partners acting as data controllers. In this case, the respective controllers are obliged to ensure a legal basis for the processing of your Personal Data, to provide you with appropriate information on the processing of your Personal Data as well as adequate technical and organisational security measures. For such information, please refer to the respective information on the processing of Personal Data

Purpose: Fulfilment of administrative and tax obligations arising from the provision and use of welfare services
Legal basis: The processing is necessary to enable the Controller and your employer to fulfil their respective legal obligations

Purpose: Assistance in connection with the provision and use of services
Legal basis: Processing is necessary for the performance of a contract to which the data subject is party, or for the performance of pre-contractual measures taken at the request of the data subject

Purpose: Follow up any requests made by users themselves, for example, by spontaneously sending electronic or traditional mail messages to the addresses indicated on the Site or by instant messaging, which may involve the acquisition of the address, including e-mail, of the sender or of the relevant telephone number
Legal basis: Processing is necessary to fulfil requests made by you

Purpose: Follow up on requests for assistance in case of malfunctioning of the App and related services
Legal basis: Processing is necessary to fulfil requests made by you

Purpose: Sending communications concerning similar products and/or services, in accordance with current legislation (‘soft spam’)
Legal basis: Legitimate interest of the Controller to provide offers of goods and services similar to those already used

Purpose: Sending surveys to measure satisfaction and receive suggestions on how to improve our services
Legal basis: Legitimate interest of the controller and users of the App to improve services and support

Purpose: Preventing fraud or other crimes from being committed through the use of the App
Legal basis: Legitimate interest of the controller and users of the App to prevent and protect against fraud and unauthorised transactions

Purpose: Obtaining anonymous statistical information on the use of the Site and to check its correct functioning
Legal basis: Legitimate interest of the controller and users of the App to improve services and support

Purpose: Fulfilling an obligation required by law, regulation or EU legislation
Legal basis: Legal obligation

Purpose: Ascertain, exercise or defend a right of ours in pre-litigation or judicial proceedings
Legal basis: Legitimate interest of the Data Controller

We may process Personal Data for reasons other than those set out in this Privacy Policy, where such further processing is compatible with the purpose for which the data was originally collected, or with your consent and, in any case, subject to the provision of appropriate information.
Providing your data is not obligatory, but failure to provide them, or providing them partially or incorrectly, will not allow you to complete the registration process on the App and to take advantage of the services made available through it.

Personal Data is processed with or without the aid of electronic or, in any case, automated, computerised or telematic tools, with logic strictly related to the purposes expressed above. The Processing shall be carried out in a lawful and fair manner and in any case in accordance with the applicable legislation on the protection of Personal Data, by means of instruments that guarantee adequate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and may also be carried out by means of automated instruments designed to store, manage and transmit the data.

In the processing of Personal Data we seek to observe a principle of strict necessity.

We will retain your Personal Data for as long as is necessary to enable you to use the App and its functionality. Therefore, we will keep your Personal Data for as long as you are using our services or have an active account on our App. The data provided during registration or login and relating to your use of the App will be retained until you request deactivation of the service or deletion of your account. Upon termination of the Controller’s contractual relationship with Your employer the Personal Data will be retained in accordance with the terms dictated by applicable laws. Once the purposes for which it was collected and processed have been fulfilled, we will remove it from our systems and records and/or take appropriate steps to anonymise it so that you cannot be identified. This is except where we need to retain such data in order to comply with regulatory obligations, or to establish, exercise or defend our legal rights.
Personal Data of minors under 18 years of age will not be processed by the Controller.

Your Personal Data may be disclosed to specific persons who are considered recipients of such Personal Data. In fact, Article 4(9) of the Regulation defines a recipient of Personal Data as ‘the natural or legal person, public authority, service or other body receiving communication of personal data, whether a third party or not’ (hereinafter the ‘Recipients’).

In this perspective, in order to properly carry out all the Processing activities necessary to pursue the purposes set out in this Privacy Policy, the following Recipients may be in a position to process your Personal Data

third parties who perform part of the Processing activities and/or activities connected and instrumental to the same on behalf of the Data Controller (such as the management of the IT system). These subjects have been appointed as data processors, whereby the term “natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Data Controller” (hereinafter the “Data Processor”) is to be understood individually, in accordance with Article 4(8) of the Regulation. The third parties that process data on our behalf and under our authority have been adequately selected and are experienced, capable and trustworthy and offer sufficient guarantees of full compliance with the applicable provisions on Processing, including the profile of data security. We periodically check that the Data Processors have fulfilled the tasks entrusted to them punctually and that they continue to provide adequate guarantees of full compliance with the provisions on the protection of personal data;
individuals, employees and/or contractors of the Data Controller who have been entrusted with specific and/or multiple Processing activities concerning your Personal Data. Such individuals have been given specific instructions on the security and proper use of Personal Data and are defined, pursuant to Article 4(10) of the Regulation, as “persons authorised to process Personal Data under the direct authority of the Controller or the Processor” (hereinafter the “Authorised Persons”);
third parties who may be autonomous data controllers even though they are ‘related processors’. These are those cases in which a purpose is pursued that, de facto underlying the main processing, can or must be considered “instrumental” and therefore enjoy a kind of autonomy by virtue of which the entity that carries it out is considered an autonomous controller of a related processing; for example, we may share Personal Data with our partners for the provision of their services. In such cases, the further processing and use of data received from us is governed by their privacy policies and is beyond our control.
where required by law or to prevent or suppress the commission of a criminal offence your Personal Data may be disclosed to public bodies or judicial authorities without them being defined as recipients. Indeed, according to Article 4(9) of the Regulation, ‘public authorities that may receive communication of Personal Data in the framework of a specific investigation in accordance with Union or Member State law shall not be considered as Recipients’.
A detailed and updated list of such entities, as well as of those acting as data controllers, can be easily found by sending an e-mail to: info@ybab.it

Should it be necessary for technical and/or operational reasons to use subjects located outside the European Union, we hereby inform you that such subjects will be appointed as Data Processors pursuant to and for the purposes of Article 28 of the Regulation and the transfer of your Personal Data to such subjects, limited to the performance of specific Processing activities, will be regulated in accordance with Chapter V of the Regulation. Therefore, all necessary precautions will be taken in order to ensure the most complete protection of Your Personal Data by basing such transfer: (a) on adequacy decisions of the receiving third countries expressed by the European Commission; (b) on adequate safeguards expressed by the receiving third party pursuant to Article 46 of the Regulation; (c) on the adoption of corporate binding rules.

If the destination country does not have an adequacy decision, the transfer of Personal Data will take place through Standard Contractual Clauses adopted by the European Commission that provide adequate safeguards pursuant to Article 46 GDPR. For more information on Standard Contractual Clauses click here. Please note that such a transfer may be necessary for the performance of a contract concluded between the data subject and the data controller or for the performance of pre-contractual measures taken at the request of the data subject, as well as for the performance of a contract concluded between the data controller and your employer, for your benefit, pursuant to Article 49 GDPR.
The Data Controller has carefully assessed all the circumstances relating to the transfer of Personal Data and, on the basis of this assessment, provides data subjects with adequate guarantees regarding the protection of Personal Data.

In any case, you may at any time request evidence of the specific safeguards adopted for the transfer of your Personal Data outside the EU by writing to: info@ybab.it.

We take appropriate security measures in order to minimise the risks of destruction or loss – even accidental – of data, unauthorised access or processing that is not permitted or not in accordance with the purposes of collection as set out in our Privacy Policy. The transfer, storage and processing of your data collected through the Site and the App are ensured by means of appropriate technical measures. However, we cannot guarantee users that the measures taken for the security of the Site/App and the transmission of data and information limit or exclude any risk of unauthorised access or dispersal of data from user devices: we recommend that you ensure that your computer is equipped with appropriate software for the protection of network data transmission, both incoming and outgoing (such as up-to-date antivirus systems) and that your Internet service provider has taken appropriate measures for the security of network data transmission (such as firewalls and spam filters).
As provided for in Article 15 of the Regulation, you may access your Personal Data, request that it be corrected and updated if incomplete or erroneous, request that it be deleted if it was collected in breach of a law or regulation, and object to its processing for legitimate and specific reasons. In particular, we list below all the rights that you may exercise, at any time, with regard to the Data Controller:
Right of access: you shall have the right, pursuant to Article 15 of the Regulation, to obtain from the Controller confirmation as to whether or not your Personal Data are being processed.
Right of rectification: you shall have the right, pursuant to Article 16 of the Regulation, to obtain the rectification of any Personal Data found to be inaccurate. Taking into account the purposes of the Processing, you may also obtain the integration of any Personal Data that is incomplete, including by providing a supplementary declaration.
Right to erasure: you may obtain, pursuant to Article 17 of the Regulation, the erasure of your Personal Data without undue delay and the Controller shall be obliged to erase your Personal Data, if any of the following reasons exist: a) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; b) you have withdrawn the consent on which the Processing is based and there is no other legal basis for its Processing; c) you have objected to the Processing pursuant to Article 21(1) or (2) of the Regulation and there is no longer any overriding legitimate ground for the Processing of your Personal Data; d) your Personal Data has been processed unlawfully; e) it is necessary to delete your Personal Data in order to comply with a legal obligation imposed by an EU or national law. In some cases, as provided for in Article 17(3) of the Regulation, the Controller is entitled not to delete your Personal Data if their processing is necessary, for example, for the establishment, exercise or defence of legal claims.
Right to restriction of processing: you may obtain the restriction of the Processing, pursuant to Article 18 of the Regulation, in the event that one of the following cases occurs: a) you have contested the accuracy of your Personal Data (the restriction shall last for the period necessary for the Controller to verify the accuracy of such Personal Data); b) the Processing is unlawful but you have objected to its deletion, requesting instead that its use be restricted; c) although the Controller no longer needs it for the purposes of the Processing, your Personal Data is needed for the establishment, exercise or defence of legal claims; d) you object to the Processing pursuant to Article 21(1) of the Regulation and are awaiting verification as to whether the Controller’s legitimate reasons prevail over yours.
Right to data portability: you may, at any time, request and receive, pursuant to Article 20 of the Regulation, all of your Personal Data in a structured, commonly used and readable format or request its transmission to another data controller without hindrance. In this case, it will be your responsibility to provide us with the exact details of the new controller to which you intend to transfer your Personal Data by providing us with written authorisation.
Right to object: you may object, at any time, to the Processing of your Personal Data if it is processed for direct marketing purposes, including profiling insofar as it is related to such direct marketing. In such cases, we will refrain from further processing your Personal Data unless there are compelling legitimate grounds for processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Withdrawal of consent: if you have given your consent to the Processing for one or more of the purposes for which it has been requested, you may, at any time, withdraw it in whole and/or in part without prejudice to the lawfulness of the Processing based on the consent given before the withdrawal.
You have the right to make complaints to the Italian Supervisory Authority where necessary, or to request information on the exercise of your rights. Without prejudice to any other administrative or jurisdictional recourse, you have the right to make a complaint to the Italian Supervisory Authority if you consider that the Processing concerning you is carried out in breach of the Regulation. Further information is available on the website www.garanteprivacy.it
We reserve the right to revise, modify or simply update, in whole or in part, in any manner and/or at any time, without prior notice, this Privacy Policy, including in consideration of changes in data protection laws by indicating at the bottom of the Website the date of the last update. Changes and updates will be notified on the Home Page of the Website and the App as soon as they are adopted and will be binding as soon as they are published on the Website and the App. We invite you to regularly access this section to check the publication of the most recent and updated Privacy Policy.

For further questions or doubts regarding this Privacy Policy or for further information on our method of protecting your data, you can contact the Data Controller at the following e-mail address info@ybab.it.

Last updated 14.05.2023