PRIVACY POLICY

Version 04.2022

Preamble

MARES SpA, the leading manufacturer of diving and watersports equipment based in Rapallo/Italy, is proud to present the MARES App (the “App”) developed and offered through our sister company SSI International GmbH, the world’s largest training center-based education organisation, based in Wendelstein/Germany – both companies are part of the HEAD Sportartikel Group based in Schwechat/Austria.

This collaboration of course respects the applicable privacy legislation and includes the use of shared resources to create synergies in the areas of user management, DiveLog and equipment data.

The following sections 1 to 7 explain in general how your personal data is collected and used when you are using the App (“Privacy Notice”). The addendum contained in section 8 (“Californian Provisions”) provides additional stipulations in compliance with the California Consumer Privacy Act (“CCPA”) that only applies to Californian residents. The Californian Provisions supplement this privacy policy but in the event of any conflict between the Privacy Notice and the Californian Provisions, the Californian Provisions shall prevail but only with regard to Californian residents.

PRIVACY NOTICE
1. General Provisions

1.0 Controllers

Mares S.p.A, – Salita Bonsen 4 – 16035, Rapallo (GE), Italy – Email: privacy@mares.com (“Mares”)

and

SSI International GmbH – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany – Email: info@diveSSI.com – Tel: + 49-9129-909938-0 (“SSI”, “we” or “us”)

are joint controllers pursuant to Art. 4 (7) GDPR as regards the processing of your personal data within the App. Mares and SSI concluded a joint controller agreement pursuant to Art. 26 GDPR. Accordingly SSI is responsible to fulfill obligations with regards to exercising your rights as data subjects and to provide the required information about the processing activities in the course of the App to you.

You can request a copy of the document which describes the essence of this agreement by contacting privacy@diveSSI.com.

1.1. What is personal data?

“Personal data” means any information relating to you as an identified or identifiable natural person (“you” or “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Names, addresses, telephone numbers, e-mail addresses, user IDs, credit card numbers, social media account IDs, usernames, IP addresses, GPS data etc. are therefore considered to be personal data.

1.2. For what purposes do we collect personal data in general and are you obligated to provide your personal data?

We collect specific personal data from users of our App for the purposes as explained below.

Please note that you are not legally obligated to provide us with your respective personal data. However, otherwise we cannot offer you the services incorporated in the App.

2. Handling personal data of registered users for proactive use of the app

2.0 Registration Process

We process your personal data for the purpose of creating an user-account for you within the MySSI System, which grants you the possibility to use the App’s functionalities. The account is activated via an automatically generated email that you receive from us. Your following personal data are processed in the course of the registration process.

  • Name, First Name,
  • Street, Post Box
  • Postcode, City
  • State, Country
  • Email Address
  • Telephone Numbers (optional)
  • Date of Birth
  • Salutation, Gender
  • Personal Photo
  • Language
  • Account Password
  • SSI Training Center Affiliation
  • Current Geodata
  • SSI Master Data

Legal basis for this is the performance of a contract (Art. 6 (1) (b) GDPR).

2.1. Use for MySSI Services

You have the possibility to use all functionalities of the MySSI App in the future, which are not offered within the App. Thereby you have to register with your account on the MySSI App. Subsequently, SSI will process your personal data as an independent controller to inter alia offer you additional services as described in the MySSI App’s privacy policy, which you can access here – http://my.divessi.com/myssi_privacy.

2.2. Use of the “DiveLog” functions with GPS Data Transmission

For the purpose of identifying available dive spots and logging of dives for you, we process when using the DiveLog:

  • Your GPS or location data, as far as you have activated the location transmission function on the smartphone and/or tablet.

Legal basis for described processing activity is the performance of a contract (Art. 6 (1) (b) GDPR).

By activating the Share Functions of the personal profile as a dive buddy, geo gata of the diving spot, maximum depth and time and the name and last name of the diver who shared the data and logged dive data can be shared with the dive buddy via QR Code Scan between the personal mobile devices.

The described processing is necessary for the performance of a contract (Article 6 (1) (b) GDPR).

2.3. Use of the “Equipment” function

You can upload the following information to the App:

a) personal equipment and relating data like brand, model, description, serial number, purchase date, dealer/store, etc.,

b) certain equipment related documents such as proofs for service and maintenance, warranty certificates, copies of purchase invoices, etc.,

We process the data specified in points a) – b) for the purpose of being able to offer you the services in the “Equipment” function. Legal basis for this processing activity is the performance of a contract (Art. 6 (1) (b) GDPR).

2.4. Tailored marketing communication from SSI or third parties and product improvement

SSI collects your postcode, city, state, country, date of birth, SSI Training Center Affiliation, current geodata and your data as described in Section 2.3. a) and b) above to identify your interests to provide you with customized advertising materials via newsletters, or in the app, or in your personal dashboard related to training, products and services. This includes, for example, advertisements for dive insurance, diver memberships, local training programmes and events, etc. The Legal basis for this processing activity is your consent if provided (Art. 6 (1) (a) GDPR).

Additionally, SSI collects the data mentioned in this paragraph to be able to improve the App and its products and services. The legal basis for this processing activity is your consent if provided (Art. 6 (1) (a) GDPR).

SSI shares your postcode, city, state, country, date of birth, SSI Training Center Affiliation, current geodata and data as described in Section 2.3. a) and b) above with Mares in order to enable her to send you personalized advertising materials via newsletters, or in the app, or in your personal dashboard related to training, products and services. This includes, for example, advertisements for dive insurance, diver memberships, local training programmes and events, etc. Legal basis for this processing activity is your consent if provided (Art. 6 (1) (a) GDPR).

2.5. Personal Privacy Settings, Disclosure to other App users and processing of anonymised data

Registered users of the App can select the confidentiality level of most of their information in their profile settings by defining visibility settings like “Everyone” (visible for everybody), “Buddies” (visible for accepted buddies) or “Private” (only visible to the user). The default presetting of the MySSI System for new users is always „Private“, so that the new user must actively allow higher visibility levels. When the profile is set to “Private”, only anonymized data is processed about the respective use, in order to determine trends, usage patterns, frequency of use and regional activities.

2.6. No processing of personal data from individuals who are under the age of 18

SSI does not process personal data from individuals under the age of 18 who download the app.

The conduct of SSI companies on this subject is in accordance with the “Children’s Online Privacy Protection Act” (COPPA) introduced in 2000. This law on the protection of children’s privacy on the internet is respected and applied by SSI. Further information about COPPA can be found at: http://www.coppa.org

3. Transfer of your personal data

SSI transfers your personal data to the following recipients:

  • IT service providers and/or providers of data hosting services;
  • service providers of software solutions who also support us in providing our services (incl. providers of marketing tools, marketing agencies, communication service providers and call centers);
  • companies of the HEAD group;

Mares SpA (Salita Bonsen 4, 16035, Rapallo (GE), Italy)

  • third parties who are fulfilling our obligations in regard to services provided to you (e.g., parcel service providers for the shipment of your certificate, payment service providers and banks for payment processing);
  • other third parties (e.g., auditors, insurance companies, legal representatives etc.);
  • officials and other public bodies if required by law (e.g., tax authorities etc.).
4. Transfer of your personal data to third parties outside of the EU/EEA

SSI transmits your personal data companies and other contractual partners outside of the EU/EEA for the provision of our services, the maintenance of our IT systems and software etc.However, such transmission does not change anything in our obligation to protect your personal data in accordance with this Privacy Notice. If your personal data is transmitted outside of the EU/EEA, we guarantee an adequate measure of security by forwarding them to countries that have an appropriate level of protection based on confirmation by the European Commission or by concluding a transfer agreement incorporating the latest version of the European Commission’s Standard Contractual Clauses: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=de (for controller to processor transfers) and https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=DE (for controller to controller transfers) between us and the legal person outside of the EU/EEA who receives the data. In other cases, the data transfer might be based on Art. 49 (1) 1 GDPR. You may receive a copy of the suitable guarantees by sending an e-mail to privacy@divessi.com.

5. Data Security

We take appropriate technical and organisational security measures to protect your personal data from unintentional or unauthorized deletion or modification, and from loss, theft and unauthorized viewing, forwarding, reproduction, use, alteration or access. We and our employees are also bound to data secrecy and confidentiality. Likewise, performance agents and authorized agents who must have access to your personal data to fulfil their professional duties will be subject to the same obligations to observe data secrecy and confidentiality.

6. Data Retention period

Unless stated otherwise above we store your data as long as your App account is active and we will keep your data for the duration of the contractual relationship you have with us. Laws may require SSI to hold certain information for specific periods. In other cases, SSI may retain data for an appropriate period after any relationship with you ends to protect itself from legal claims, or to administer its business.

In case a registered user does not activate the App account and does not get certified within 12 months after registration, the account and user data will be automatically deleted from the MySSI System.

7. Your rights

You have the following data subject rights in relation to your personal data processed by SSI and Mares:

  • you have the right to access your personal information and to receive a copy of the personal data processed by SSI and Mares (Art. 15 GDPR);
  • If your data which SSI and Mares are processing is incorrect or no longer current, you have the right to rectification, Art. 16 GDPR;
  • you have the right to obtain erasure of your data (“right to be forgotten”), Art. 17 GDPR;
  • you have the right to receive your personal data in a structured, commonly used and machine-readable format and you have the right that SSI and Mares transmit your data to another controller Art. 20 GDPR;
  • you have the right to obtain from SSI and Mares the restriction of processing where the prerequisites are met, Art. 18 GDPR;
  • you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects, Art. 22 GDPR;

Your right to object, Art. 21 GDPR:

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If SSI and Mares process your data for legitimate purposes, you also have the right to object this processing at any time if grounds for this arise from your specific situation.

So that SSI and Mares can process your inquiry regarding your rights specified above and ensure that personal data is not given to unauthorized third parties, please address the inquiry with clear identification of your person and with a short description regarding the scope of the exercise of your data subject rights listed above.

Your right to lodge a complaint

You also have the right to lodge a complaint with the competent data protection authority, in particular the data protection authority in the Member State of your habitual residence or place of work, if you are of the opinion that the processing of the personal data about you violates the applicable data protection laws.

Your right to withdraw your consent

If you have given us SSI or Mares consent for a certain processing activity, you can withdraw it at any time (Art. 7 (3) GDPR). The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

7.1. Contact details

If you have any questions about the processing of your personal data, please feel free to contact us under

Mares S.p.A, – Salita Bonsen 4 – 16035, Rapallo (GE), Italy – Email: privacy@mares.com

(our data protection officer: Mares S.p.A c/o Privacy, – Salita Bonsen 4 – 16035, Rapallo (GE), Italy – Email: privacy@mares.com)

or

SSI International GmbH – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany – Email: info@diveSSI.com - Tel: + 49-9129-909938-0

(our data protection officer: SSI International GmbH c/o Privacy – Johann-Hoellfritsch-Straße 6 – 90530 Wendelstein – Germany – Email: privacy@diveSSI.com)

7.2. Changes to this Privacy Notice

If necessary, we will update our privacy notice with regards to the development of the App and according to changes in the legal situation and legal precedents. We therefore review this notice at regular intervals to ensure that you have read the most up-to-date version.

8. Californian Provisions

8.1. Categories of personal information we collect, where we collect it from, why we collect it, and who we share it with

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household (“personal information”).

We use the personal information we collect for our operational purposes or other purposes set out in this privacy notice. Those purposes may include:

(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(5) Undertaking internal research for technological development and demonstration.

(6) Undertaking activities to verify, improve, upgrade, enhance, or maintain the quality or safety of our products or services.

To help you understand our privacy practices, the following table shows, for the past twelve (12) months: which categories of personal information we have collected, the categories of sources from which we collected personal information, our business or commercial purposes for collecting the information, and the categories of third parties with whom we have shared personal information:

Category of Personal Information

Sources

Purposes

Third parties shared with

Identifiers such as name, email, address, PTR number, and PPR number

Consumer

Third-party operators of tournaments or other events.

Third-party organizations for amateur and professional athletes.

To provide product offerings or services at events we sponsor.

To accept and fulfil product purchases.

To provide you with newsletters or other mailings.

To perform our contractual obligations to you.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Third parties that help us market or advertise our products and services

Categories of personal information described in Cal. Civ. Code § 1798.80(e) such as name, email, address, credit card number or other payment information, and telephone number

Consumer

Third-party operators of tournaments or other events.

Third-party organizations for amateur and professional athletes.

To provide product offerings or services at events we sponsor.

To accept and fulfil product purchases.

To provide you with newsletters or other mailings.

To perform our contractual obligations to you.

To perform market research and product development.

To market our products and services to you.

Service providers

Affiliates

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Characteristics of protected classifications under California or federal law such as age and gender.

Consumer

To provide product offerings or services at events we sponsor.

Service providers

Affiliates

Commercial information such as, e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

To provide you with newsletters or other mailings.

To perform market research and product development.

To market our products and services to you.

Third parties we rely on for business, financial, or legal matters, such as financial institutions, collection agencies, insurance companies, creditor protection associations, and legal counsel

Internet or other electronic network activity information such as e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement

8.2. Disclosure of personal information

In the past twelve (12) months, we have disclosed the following categories of personal information of California consumers for a business purpose:

  • Identifiers
  • Categories of personal information described in Cal. Civ. Code § 1798.80(e)
  • Characteristics of protected classifications under California or federal law

8.3. Do Not Track

Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform. We do not currently respond to those signals. Instead, we collect, use, and share information as described in this privacy notice regardless of a “do not track” choice.

8.4. Your rights under California law

You have the right to ask us to send you the following information:

  • The personal information we have collected, used, or disclosed about you.
  • The categories of personal information we have collected about you.
  • The categories of sources from which we collected the personal information.
  • Our business or commercial purpose for collecting personal information.
  • The categories of third parties with whom we share personal information.
  • The specific pieces of person information we have collected about you.

You have the right to ask us to delete the personal information about you that we have collected or that we maintain.

We do not, and will not, sell your personal information. Therefore, we don`t provide a mechanism to opt-out of sales of personal information.

8.5. Non-discrimination

Your privacy rights are important. If you exercise your privacy rights under California law, we will not do anything of the following inresponse:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through the use of discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.

Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

8.6. How California residents can submit requests

If you are a California resident and you want to submit a request to us regarding your California rights, you can contact us here privacy@divessi.com. If you have a pre-existing account with us, you must submit your request through that account, but you do not have to create an account with us to submit a request.

If you submit a request to delete personal information, you must separately confirm the request. After receiving your request, we will send you a separate communication with instructions on how to confirm your request to delete.

We can only respond to your request if it is verifiable. This means we are obligated to take reasonable steps to verify your identity.

  • If you have a password-protected account with us, we will verify your identity using our existing authentication practices for that account, but you must re-authenticate yourself before we can disclose or delete the information related to your request.
  • If you do not have an account with us, we verify your identity by matching the following information you provide as part of your request with information about you we already have: name, address, phone number.

If necessary to verify your identity, we may ask you to provide additional information that will help us do so. We may also require a signed declaration under penalty of perjury, depending on the nature of the request. We will only use that additional information in the verification process, and not for any other purpose. If we cannot verify your request, we will not disclose any personal information.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.

8.7. Authorized agents

If you wish to submit a request to know or delete through an authorized agent, we require the following before we can process the request:

  • A notarized copy of your written permission authorizing the agent to make the request, and
  • That you verify your identity directly with us, as described above.

Consumers may submit the information listed above to privacy@divessi.com. Authorized agents may also submit the notarized copy of written permission to privacy@divessi.com.

If your authorized agent has a valid power of attorney under California Probate Code sections 4000 to 4465, we may request proof of the power of attorney instead of the foregoing.

We may deny a request from an agent that does not submit proof you authorized them to act on your behalf.

8.8. Changes to the Californian Provisions

From time to time, we may update this privacy notice. When we do, we will post it on our website and include the effective date of the update. If there are material changes to this privacy notice, we will post a prominent notice on our website and provide other notice as required by law.