(under Article 13 of EU Regulation No. 679/2016)

This privacy notice outlines how your data is processed. It is provided by Article 13 of EU Regulation 679/2016 (hereinafter referred to as the “GDPR”) and the applicable national legislation on privacy and personal data protection.

Identity and Contact Details of the Data Controller

YOUNG PLATFORM S.p.A., with its registered office in Turin (TO), Via Cigna no. 96/17 (Tax Code and VAT No. 11931440017), represented by its legal representative Alexandru Stefan Gheban (Tax Code: GHBLND98T22Z129Y), email: [email protected], acts as the Data Controller (hereinafter referred to as “Young Platform” or the “Controller”).

Should the Controller appoint data processors or sub-processors under Article 28 of the GDPR, the updated list of such processors and individuals authorised to process data is available at the Controller’s registered office.

Data Protection Officer

According to Article 37 of the GDPR, the Controller has appointed Mr Angelo Giunta as the Data Protection Officer (hereinafter referred to as the “DPO”), who is domiciled at the registered office of Young Platform and can be contacted via email at [email protected].

What Types of Personal Data We Process

The types of personal data we collect depend on the purpose for which they are collected.
In general, we may collect the following types of personal data directly from you:

Through the Young Platform Step App:

• Common personal data (such as, by way of example but not limited to: first name, surname, date and place of birth, residential address, email address, telephone number);
  
• Geolocation data;
  
• Usage, navigation, functional, session, statistical, and profiling data, including device identifiers;
  
• Images and photographs uploaded by you to your profile.
  

Through the Young Platform website and app:

• Common personal data (such as, by way of example but not limited to: first name, surname, date and place of birth, residential address, tax code, email address, telephone number, social security or welfare identification number, banking details);
  
• Financial and transactional information (e.g., information relating to transactions you have made, etc.);
  
• Geolocation data (e.g., information about the device used);
  
• Banking and tax identification data;
  
• Personal data provided via communications or attachments to communications;
  
• Usage, navigation, functional, session, statistical, and profiling data, including device identifiers or the user’s IP address, the time of site visits, URI (Uniform Resource Identifier) addresses of requested resources, time of request, method used to submit the request to the server, size of the file obtained in response, numerical code indicating the server response status (successful, error, etc.), and other parameters related to the user’s operating system and IT environment;
  
• Images and photographs uploaded by you to your profile.
  

These are collectively referred to hereinafter as “Personal Data”.

Why We Process Your Data and on What Legal Bases

The Controller processes your Data:

A) Without your express consent (Article 6 letters b) – f) of the GDPR, for the following purposes:

• To activate and manage your user profile on the Young Platform Step and Young Platform apps, as well as on the platform accessible via the website https://youngplatform.com/;
  
• To fulfil pre-contractual, contractual and tax obligations arising from relationships in which you are a party (for example, for the provision of services reserved for registered users);
  
• To comply with legal obligations, regulations, EU legislation, or orders issued by authorities;
  
• Pursuing a legitimate interest of the Controller or third parties, provided such interests do not override your fundamental rights and freedoms requiring personal data protection (e.g., the Controller’s right to legal defence).
  

B) Only with your specific and separate consent (Article 6 letter a) and Article 7 of the GDPR, for marketing purposes:

• To send, via email, post and/or push notifications and/or phone calls, newsletters, commercial communications and/or advertising material about the services offered by the Controller, and to measure customer satisfaction regarding the quality of services.
  

C) Only with your specific and separate consent (Article 6 letter a) and Article 7 of the GDPR, for profiling purposes:

• To send advertising communications, offers, and promotions via email, post, SMS, and/or phone calls that align with your user profile.
  

Profiling allows the Controller to tailor the product and service offerings to Users. For this purpose, the Controller may assess the type and number of information requests submitted (including through the Website), the purchase of goods or services from the Controller, personal and contact information (such as place of residence), and additional information provided by the Customer (e.g., age, and profession).

If you do not consent, we cannot conduct the activities referred to under points B) and C). If you have consented to the processing activities under points B) and C), you may withdraw your consent at any time.

How We Process Your Data

Your Data is processed in paper, electronic, and/or automated formats for the time strictly necessary to achieve the purposes for which it was collected. The processing is carried out either by the Controller or by individuals who are duly authorised and/or appointed to perform such tasks and who are consistently identified and/or designated, appropriately trained, and made aware of the legal obligations and restrictions.

Appropriate security measures are implemented to safeguard confidentiality and prevent the risk of loss or destruction, unauthorised access, or processing not permitted by the abovementioned purposes.

Who We May Share Your Data With
For the purposes outlined above, your collected data may be made accessible or disclosed to:

• Employees and collaborators of the Controller, as authorised data processors, within the scope of their duties and following the instructions received. These individuals are, in any case, bound by confidentiality and privacy obligations;
  
• Third parties that carry out outsourced activities on behalf of the Controller, where such activities are related, instrumental, or supportive of those of the Controller (e.g., management software providers);
  
• All public and/or private entities, whether individuals or legal persons (such as, by way of example, legal, administrative, or tax consultancy firms, pension or welfare funds, judicial authorities, chambers of commerce), where the disclosure is necessary or functional to the proper fulfilment of contractual obligations, as well as obligations arising from the law;
  
• All parties (including Public Authorities) who are entitled to access Personal Data by legal or administrative provisions;
  
• With your consent, the Controller may also disclose your data to business partners (such as Bitcashback), who will process your data as independent data controllers.
  

In any case, your collected personal data will not be publicly disclosed.

Transfer of Personal Data Outside the EU

The management and storage of your Personal Data will take place within Europe.
The Controller may transfer Personal Data to third parties acting as independent Data Controllers or external Data Processors to carry out the activities outlined in this privacy notice.

Should such transfers occur to countries that do not offer the same level of data protection as provided by the GDPR or other applicable regulations—or in any case, an adequate level of protection for personal data—Young Platform will ensure that each recipient assumes specific contractual obligations in compliance with applicable data protection laws (including the signing of Standard Contractual Clauses “SCC” approved by the European Commission). Without an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR (including binding corporate rules), Young Platform may request your explicit consent for such transfers, by Article 49 of the GDPR.

In any case, you may request further information regarding transferring your Personal Data, including a detailed table listing all external Processors, a description of their activities, and the location of their servers, by writing to [email protected].

Your Rights

Under Articles 15 and following of the GDPR and the applicable national legislation on privacy and personal data protection, you have the right to:

1. Obtain confirmation from the Controller as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the following information:
   
   • the purposes of the processing;
     
   • The categories of personal data concerned;
     
   • The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
     
   • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
     
   • Where the data is not collected from the data subject, any available information as to its source;
     
   • The existence of automated decision-making, including profiling.
     
2. You have the right to obtain the rectification of inaccurate personal data concerning you from the Controller without undue delay. Considering the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement.
   
3. You must obtain the erasure of personal data concerning you from the Controller without undue delay. The Controller must erase such data without undue delay within the limits and in the cases provided for by current legislation.
   
4. Obtain the restriction on processing from the Controller.
   You also have the right to receive the personal data concerning you that you have provided to the Controller in a structured, commonly used, and machine-readable format. You have the right to data portability, meaning the right to transmit such data to another controller without hindrance from the controller to whom the data was initially provided, where the processing is based on consent or a contract and is carried out by automated means.
   
5. Object at any time, on grounds relating to your particular situation, to the processing of your data if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or where the processing is necessary for the legitimate interests pursued by the Controller or by a third party.
   
6. Lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali – www.garanteprivacy.it) and/or with any other competent supervisory authority under the GDPR, if you believe that the Controller has infringed your rights.
   

Where you exercise the rights referred to in points 2), 3), and 4), the Controller shall notify each recipient to whom the personal data has been disclosed of any rectification, erasure or restriction of processing carried out, within the limits and in the forms provided for by applicable law.

To exercise the above rights concerning the Controller, you must submit a written request either by registered mail with return receipt to YOUNG PLATFORM S.p.a., Via Cigna no. 96/17, 10155 Turin, or by email to: [email protected].

What Happens if the Privacy Policy is Modified

This privacy notice may be modified and/or updated at any time.
Should the Controller intend to process your Data for purposes other than those indicated in Article 4 above, you will be provided with appropriate information regarding such new purposes before further processing occurs. Such processing will comply with applicable legislation and, where necessary, be subject to your specific consent.

This Privacy Policy was published on 5 April 2025.
Any updates will be published on this page.