Privacy Information Notice

pursuant to Article 13 Regulation (EU) 2016/679 (“GDPR”)

Masha & The Bear’s App

1.DATA CONTROLLER AND DATA PROTECTION OFFICER

Digital Virgo Italia s.p.a., with registered office in Via Maurizio Gonzaga,7, 20123, Milan (Italy), in the person of its legal representative pro tempore, is the Data Controller of your personal data (“Data Controller” or “Buongiorno”).

The Data Protection Officer (“DPO”) designated by the Data Controller, pursuant to Articles 37, 38 and 39, GDPR, you may contact the DPO at the e-mail address dpo@dvipay.it or via registered post at the address Via Maurizio Gonzaga,7, 20123, Milan (Italy).

This document is written in accordance with article 13 of GDPR, to provide you all the information required regarding the processing of your personal data and information provided by the Company in order to allow the use of the application called "Masha & The Bear’s App" available on the Stores (hereinafter referred to as the “Service").

In case of discrepancy of GDPR with local laws and regulations, we will follow the local applicable law.

2.PERSONAL DATA DEFINITION AND INFORMATION REGARDING THE PROCESSING ACTIVITIES

Under the GDPR personal data is defined as: “Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (“Data”).

We collect your Data in order for us to provide you with the service required, including the customer care activities.

In addition, Buongiorno may process your Data in order to send you commercial e-mails, providing you with special promotions and informing you regarding newly available products/services similar to the ones you already bought (“Direct Marketing activities”).

Please, find below a schema about the purposes of the processing activity, the nature of request of providing personal data, the consequences of failure to provide the personal data and the legal basis for processing your Data.

2.1CLIENT ENGAGEMENT, PROVISION OF THE SERVICE AND ADMINISTRATION

oThe nature of the request of providing personal is: Voluntary

oConsequences of failure to provide the personal data are: It will not possible to provide you with the service required

oLegal basis for processing your Data: Performance of the service you have required

2.2CUSTOMER MANAGEMENT

oThe nature of the request of providing personal is: Voluntary

oConsequences of failure to provide the personal data are: Inability to provide you with the service required

oLegal basis for processing your Data: Performance of the service you have required

2.3DIRECT MARKETING ACTIVITIES

oThe nature of the request of providing personal is: Voluntary

oConsequences of failure to provide the personal data are: We will not provide you with special offers nor new products/services

oLegal basis for processing your Data: Data Controller’s Legitimate interest

In order to use the Service through Native App, there is no need for the User to register or create an account, but the so-called "native" permissions are required (such as camera access, notification-enabled authentication by the App) in order to enable the App’s normal functionality and the user's full enjoyment of the content offered there.

However, if the User wants to customize the App, he/she might be requested to provide some personal information about his/her child, such as name - gender - date of birth, as optional and not mandatory for the use of the App itself. The provision of such data is merely optional and is not transferred to third parties. Failure to provide such data would not alter the use of the App.

The data is collected and stored within the App for the purpose of customizing it. Optionally granted personal data may be modified and/or deleted from the App at any time by the user in the Parent Dashboard section, clicking on Kid Profiles link.

While using the service through Native App, the Data Controller could potentially collect and archive some User's personal information such as name, e-mail, and phone (named "Personal Data") only for the purpose of providing assistance through the Customer Care and to manage possible complaints and disputes.

3.DISCLOSURE OF YOUR DATA TO EU AND NON-EU DATA PROCESSORS

For the purposes described under paragraph 2 above, the Data Controller may transfer your Data to third-party or to other legal entities belonging to Buongiorno group located in the European Union, that have been specifically appointed as Data Processors by Buongiorno.

Pursuant to the GDPR, Data Processors is the natural or legal person, public authority, agency or another body which processes personal data on behalf of the Data Controller.

Your Data shall principally be processed by the Data Controller within the European Economic Area.

Eventually, your Data may be transferred to third parties, located outside from the European Economic Area that has been appointed as Data processor in order to manage the customer care service.

If this is the case, we are committed to ensuring that appropriate safeguards are put in place in order to make sure that the level of protection of natural persons guaranteed by the Regulation is not undermined.

In particular, such transfer may be carried out on the basis of the standard contractual clauses signed between Data Controller and Data Processor. In any case, you may request further information about the transfer of your Data by contacting the Data Controller or the DPO. You may also require any evidence of the appropriate safeguards adopted.

An updated list of Data Processors is available at request to the Data Controller.

4.APPLICABLE RETENTION PERIOD

The main use and storage periods of your Data under the specific purposes of the processing are the following:

a)for the purposes of performing the contract, your Data will be processed by the Controller for the entire term of the contract and until the date of expiration of all obligations connected to its performance, and will be stored for 10 years after that date for any purposes related to compliance with any legal obligations and to allow the Controller to defend its rights;

b)for the purpose of complying with any legal obligations, your Data will be processed and stored by Buongiorno for as long as such processing is required to comply with those legal obligations;

c)with reference to any processing activities carried out for marketing purposes and based on a legitimate interest of the Controller or your consent, your Data will be processed for the entire term of the contract and for a further 6-month period after its expiration or termination, unless you object to the processing or revoke your consent.

5.YOUR RIGHTS AS DATA SUBJECT

At any point while we are in possession of or processing your Data you, the data subject, have the following rights:

•Right of access – you have the right to request a copy of the Data that we hold about you;

•Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete;

•Right to erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records;

•Right to restriction on processing – where certain conditions apply to have a right to restrict the processing;

•The right of portability – you have the right to have the Data we hold about you transferred to another organization;

•Right to object – you have the right to object to the processing;

•Right to lodge a complaint: You have the right to complain as outlined in paragraph 6 below.

You may contact Digital Virgo Italia s.p.a. on the e-mail address dpo@dvipay.it or via registered post at the address Via Maurizio Gonzaga,7, 20123, Milan (Italy).

6.COOKIES ON APP.MASHABEAR.COM WEBSITE

We utilize cookies to personalize your experience in the companion website of "Masha & The Bear’s App": app.mashabear.com

Cookies are small text files that we place in visitors’ computer browsers as well as mobile devices to store their preferences and track the web browsing. Our cookies themselves do not contain any personal information.

We use both session ID cookies and persistent cookies. We use session cookies to make it easier for you to browse "Masha & The Bear’s App" web app. A session ID cookie expires when you close your browser. Persistent cookies remain on your hard drive for an extended period. You can remove persistent cookies by following directions provided in your Internet browser’s “help” file.

Amendments of Information Notice

This Information Notice can be amended by our discretion. Please review this information from time to time to keep track of the changes. Buongiorno might also inform the Users with alerts by the App in case of significant changes regarding the mode of processing or type of data required for the use of the App.

Third Party Apps

This Information Notice is applied and refers only to this App and it does not cover in any possible way third-party applications or sites that may be linked through any banner advertisements. Buongiorno does not share your own information with third-party apps, nor it is responsible for the privacy of third-party apps.

7.COMPLAINTS

In the event that you wish to make a complaint about how your Data is being processed by Digital Virgo Italia s.p.a., or how your complaint has been handled, you have the right to lodge a complaint directly with the data protection authority and/or the DPO, as identified under paragraph 1 above.

Updated on 6 December 2018