App data and processing methods

The processing of personal data as a result of installing and using the Bank's apps* is for the purpose of enabling users to use the services distributed through those applications.

For the Bank's customers, some of the data collected by the apps may also be used for profiling purposes, based on the consent given, to offer products and services of the Bank and Intesa Sanpaolo Group companies.

Following the download and installation of the app, the mobile device automatically recognises the model, as well as the type and version of the operating system it uses. This information helps us to provide the required services and manage the app, analyse its use, protect the app and its content from inappropriate or improper use and improve the user experience.

Furthermore Alfabeto Banking and Fideuram apps feature some so-called SDKs, which access other data on the device, including language, telephone service provider or Internet provider, IP address, date, time, other installed applications with technical details (in order to check whether malicious apps are installed) and unique identifiers to avoid anomalies in the contents displayed, unforeseen service shutdowns and unlawful access. For more information, please refer to the relevant supplement published below.

Personal data is used to enable the app to function, to maintain and improve the app, and to communicate with users.

Downloading the app is also used as numerical data for the sole purpose of obtaining anonymous statistical information about the number of users who download the app.

Regarding the Alfabeto Banking and Fideuram apps, if the user grants the relevant permission, these apps will collect location data, while in use, and in the background or while not in use to provide a higher level of security and to help the user locate branches and automated teller machines.

* Alfabeto Banking, Alfabeto Trading, Alfabeto Patrimonio, Trading+, Fideuram

Processing methods

Personal data is processed by automated systems for the time strictly necessary to achieve the purposes for which it was collected. Specific security measures are taken in order to prevent a loss of data, its illegal or improper use, and unauthorised access to data.

Note that during the ordinary course of operations, the IT systems and software procedures used to operate the apps (App Store or Google Play) acquire certain user data, whose transmission is implied in the use of the communication protocols of the Internet, smartphones and the devices used. The Bank is not involved in such processing and therefore may not be held liable for such processing.

Users may, however, view the privacy information available on the following websites:

• App Store: https://www.apple.com/legal/internet-services/itunes/it/terms.html
• Google Play: https://play.google.com/intl/it_it/about/play-terms.html

Browsing data

During the ordinary course of operations, and only for the duration of the connection, the IT systems and software procedures for running this website acquire some personal data, whose transmission is implied in the use of the communication protocols of the Internet (browsing data).
It concerns information that is not collected to be linked to identified data subjects, but by their own very nature could, through the processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the website, URI addresses (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the operating system and the user’s IT environment.

This data is processed for the following purposes:

• to comply with the prescriptions of domestic and European laws and provisions issued by Supervisory and Control Authorities, including in relation to the obligations to monitor the operational and credit risks at the Banking Group level; the processing of your Personal Data to comply with the regulatory provisions is mandatory and your consent is not required;
• to pursue a legitimate interest of Fideuram, companies within the Bank’s Group or third parties where such interests do not conflict with the interests or fundamental rights and freedoms of the data subjects (Article 6.1 point f of Regulation (EU) 679/2016), namely:
  
  • to ascertain liability in the event of hypothetical computer crimes against the website, and for investigations should any disputes arise.
  • to obtain anonymous statistical information on the use of the website and to ensure that it is functioning correctly, as well as for measuring and improving the services offered and the website itself.
  • to pursue any and additional legitimate interests. In the latter case, the Data Controller may process your Personal Data only after having informed you and having ascertained that achieving its legitimate interests or those of third parties does not compromise your rights and fundamental freedoms.

The browsing data collected on the website and the app will remain on the servers for 12 months. Likewise the Personal Data may be processed for a longer time, in cases an act occurs that interrupts and/or suspends the provision that justifies the extension of the data retention.
Regarding the data stored by the app in the device's keystore, depending on the operating system used, please note the following:

• Android: data is stored in shared preferences until the customer either runs “Clear Data” from the Application Manager or uninstalls the app;
• IOS: data is stored in the keystore.

The Bank is not involved in such processing; for further information on saving and deleting data on the device, please contact the manufacturers of the operating systems used.