This document describes the manner by which the Oncodol platform (hereinafter, “Platform”) is managed, with reference to the proces-
sing of personal data belonging to the users, either patients or healthcare professionals, (“User/Users”) consulting and/or using it, in ac
cordance with article 13 of the EU Regulation no. 679/2016 (“GDPR”)

1. The data controller

The data controller is eFarm Group S.r.l., with registered office at Milan (MI), Via Copernico 57, 20125, Vat Code n. 03609030964 (“Data Control
ler”), email address

2. Purposes of the processing

A. Navigation data

The computer systems and software procedures used to download and operate the Platform acquire, during their normal operation,
some personal data whose transmission is implicit in the use of communication protocols. This information is not collected to be asso
ciated with identified interested parties, but by its very nature could, through processing and association with data held by third parties,
allow users to be identified. This category of data includes, for example, IP addresses, the model of the mobile phone, the operating
system installed, the telephone number, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the re
quest, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the
status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s IT environment. These data
may be used for statistical purposes and for security purposes pursuant to article 6(1) let. f) GDPR and are kept for no longer than seven
days (except where judicial authorities need such data for establishing the commission of criminal offences)

B. Data provided by the User

The Data Controller will process the common personal data provided by the User during the registration within the App, such as the
email address provided by the User, for the purpose of managing the contractual obligations with the User and the related legal obliga
tions pursuant to art. 6(1) lett. b) and c) of GDPR.
Moreover, the Data Controller, with reference only to the User in their capacity as patient (Patient-User), with the previous explicit User’s
consent pursuant to art. 9(2) let. a) of GDPR, will process the health data provided:
• by the User; or
• by User’s healthcare professional writing a specific text to a Patient-User regarding how to deal with BTcP Episodes in the “How to
manage BTcP” section of the Platform;
within the Platform in order to manage its usage of the Platform and for scientific publication purpose. For the latter purpose the Data
Controller will anonymize and aggregate such data.

3. Consequences of any refusal to provide personal data

The refusal of providing common personal data, such as a valid e-mail address, by the User would make it impossible for the Data Con
troller to manage the contractual obligations with the User and the related legal obligations and to manage the User’s usage of the Pla
tform. Moreover in case of refusal of providing health data and consent, the Data Controller will not be able to manage the User’s health
data and to use such data for scientific publication purpose.

4. Security measures

The personal data is processed through computerized and automated systems.
The Data Controller informs that all app User data is encrypted locally. Such data are transmitted, stored and backed up on a secure
server, located in the European Union. No personal data will be transferred outside the European Union.
The User during the creation/registration of their account will:
– receive a User’s ID, which is a random, alpha-numeric code of 8 digits with upper and lowercase letters uniquely assigned to a User;
– define a password of User’s own choice, which shall be an alpha-numeric code of 8 digits with upper and lowercase letters. Such
password shall be changed every 3 months.
Moreover, the user may create a 4-digit PIN code to protect access to the Platform. The Patient-User, can automatically share their per
sonal data through the Platform with one or more Users with a professional user profile (healthcare professional). This feature requires
the manual ‘pairing’ of a Patient-User profile with a professional user profile, the “pairing” process is described in the relevant section of
the Platform. However, no “pairing” is possible between two patients or two professionals. Moreover, a User with a professional profile can
access and use the Oncodol web platform through a 2-step authentication (credentials and one time password). The User can reinstall
the Platform even using another device. In such case, the User shall follow the instructions and the security measures, such as one time
password, provided by the Data Controller trough the Platform.
The personal data is processed only by those subjects appointed to carry out such fulfilments, currently identified and duly educated on
the constraints provided by the applicable law, as well as by adopting specific security measures aimed to ensure the protection of the
User’s confidentiality and to avoid the loss of data, any unauthorized accesses to the data and any data processing which may be quali
fied as unlawful or not in compliance with the abovementioned purposes

5. Communication of personal data

The Users’ personal data will be transmitted to Atstrat S.r.l., Via Gallarate, 105, 20151 Milano, Vat Code n. 09651680960, as the Joint Controller of such data.
In addition to the communication described in the previous paragraph 4, the Data Controller retains the right to communicate the Users’
personal data to companies in charge of carrying out specific services within its activity that will operate as independent data controllers
or data processors, as well as the right to communicate the Users’ personal data that, in compliance with the applicable law, the police,
the judicial authority, the information and security agencies or other public subjects might ask for purposes related to defense or State
security or to preventing, detecting or suppressing crimes.
No communication of data will occur outside the European Union. No diffusion is allowed.

6. Data subject’s rights

As per Articles 15 et seq. of GDPR, the User has the right to receive from the Data Controller information on the existence of the processing
of his/her personal data, as well as to access his/her own data, to obtain the rectification, integration, updating or erasure of the data;
each data subject also has the right to obtain a copy of his/her data, the limitation of the processing and/or, moreover, to oppose
against processing, as well as the right to data portability and to bring a complaint with the competent supervisory authorities under the
conditions and within the limits given in the art. 13 of GDPR. The User has the right to withdraw consent at any time, without affecting the
lawfulness of processing based on consent before its withdrawal.
In order to exercise the aforementioned rights, it is necessary to write to the Data Controller at the following e-mail address,
specifying “Privacy – exercise of the data subject rights” as object and inserting the e-mail address used during the registration through the Platform and the User’s ID.

7. Retention period

The data processing will last until the User is registered within the App or until the User is considered as “active” (the User will be conside
red as inactive if they don’t use the App for the period of 1 (one) calendar year); then, the data controller, after a process of anonymiza
tion and aggregation, will process such anonymized and aggregated data for the period of time necessary for scientific publication pur
poses. Moreover, The Data Controller will process personal data for a further period, in compliance with the legal obligations provided by
the applicable laws, for administrative purposes and/or to claim or to defend a right in the case in which a litigation or a pre-litigation
procedure arise.

This privacy policy takes effect on 30/06/2021 any possible amendments will be published on this page.