Airobot Data Processor Privacy Policy

1. Background

• The data processor (hereinafter “Data Processor”) is a supplier of the data controller (hereinafter “Data Controller”) through which the latter offers its customers the opportunity to purchase the service of automatic check in and seat selection.

• A DPA (Data Processing Agreement) is in effect between the Data Controller and the Data Processor through which the Data Processor agrees to process the Data Subject's data in the manner prescribed by the Data Controller and taking all the precautions and precautions prescribed by both the Data Controller and the GDPR (European legislation about data protection, Eu Reg. 2016/679).

• The Data Controller has already specifically informed the natural person (hereinafter “Data Subject”) about the manner and purpose of collecting and processing the Data Subject's personal data, including through the Data Processor, in accordance with the GDPR.

• The Data Subject, in order to use the service provided by Airobot as a provider of the Data Processor, has already given specific consent to the processing of his/her personal data, including through the Data Processor.

2. The purpose of this document

• To inform the Data Subject about the processing of his/her personal data (hereinafter “Personal Data”) collected by the Data Controller, and processed in its name by the Data Processor, INSTAGO SAGL, with registered office in Chiasso, Vicolo dei Calvi 2, 6830 Switzerland e-mail address, via the website of the Data Controller in order to provide the service of “AIROBOT "(INSTAGO SAGL) (hereinafter “the Service”).

• To inform the Data Subject about the precautions used by the Data Processor in processing his or her data;

• To give the Data Subject the addresses and contacts where to raise any complaints or report data processing errors or data breaches so that the Data Processor can correct them and take legal precautions.

3. The Data Subject

The Data Controller processes the following types of Personal Data voluntarily provided by the Data Subject to the Data Controller:

• Contact Data: first name, last name, address, e-mail address, phone number, authentication credentials, passport / visa information and any further information sent by the Data Subject.

3.1 Legal basis and purpose of data processing

The processing of Personal Data is necessary:

1. For the performance of the contract with the Data Controller and especially:

• Fulfillment of any obligation arising from the pre-contractual or contractual relationship with the Data Controller,

2. For legal obligations and especially:

• The fulfilment of any obligation provided for by the applicable norms, laws andregulations, in particular, on tax and fiscal matters;

• For the legitimate interest of the Data Controller, for management, optimization and monitoring of the technical infrastructure: to identify and solve any technical issue, to improve the performance of the Service, to manage and organize the information in a computer system (e.g. server, database, etc.);

• Security and anti-fraud.

4. Data processing methods

The processing of Personal Data is performed via computer and software tools with methods of organisation and logics strictly related to the specified purposes and through the adoption of appropriate security measures.

Personal Data are processed exclusively:

• According to the DPA signed with the Data Controller;

• By the Data Processor, its employees and contractors as precipitated and permitted by the DPA in order to carry out all the processing activities necessary to pursue the purposes set out in the Data Controller privacy policy as read and agreed by the Data Subject at the time of contract conclusion and published on the Data Controller's website.

The Data Processor in processing Data Subject personal data uses appropriate measures and guarantees to protect Personal Data and only access data necessary to perform their duties.

Personal data communicated from the Data Controller will not be indiscriminately shared in any way.

5. Place of processing

The location of the Data Processor is Vicolo dei Calvi 2, 6830 Chiasso Switzerland. The servers where the personal data are stored are located in France, within the EEA. The hosting provider is OVH Groupe SA, a company registered with the Lille company registry under the number 537 407 926 sise 2, rue Kellermann, 59100 Roubaix France.

• Data transfer outside the EEA will be possible only under the conditions required by law, i.e. in particular:

- Issuing a decision stating the adequate level of personal data protection in a third country, issued by the European Commission.

- Signing Standard contractual clauses - approved by the European Commission, the content of which is made available for use by administrators. signing binding corporate rules - i.e. data protection policies used in international corporations.

• The personal data of the Data Subject may be transmitted to Data Processor's employees and contractors located outside EEA.

• In any case, the Data Processor assures that the regulations and precautions required by the European legislation on personal data, i.e. GDPR, will be respected.

6. Personal Data storage period

Personal Data will be stored for the period of time that is required by the Data Controller within the DPA.

At the end of the conservation period, all Personal Data will be deleted or stored in a form that does not allow the identification of the Data Subject.

7. Rights of the Data Subject

Data Subjects may exercise specific rights regarding the Personal Data processed by the Data Controller, also through the Data Processor. In particular, the Data Subject has, towards the Data Controller, the right to:

• be informed about the processing of their Personal Data

• withdraw consent at any time

• restrict the processing of his or her Personal Data

• object to the processing of their Personal Data access their Personal Data

• verify and request the rectification of their Personal Data

• restrict the processing of their Personal Data

• obtain the erasure of their Personal Data

• transfer their Personal Data to another Data Controller

• file a complaint with the Personal Data protection supervisory authority
and/or take legal action.

7.1 Ways of exercising rights

The Data Processor processes the Data subject's personal data exclusively on behalf of, for, and in the interest of the Data Controller.

Requests and rights under the above point must therefore be addressed directly and exclusively to the Data Controller. It is the latter who will involve the Data Processor, should it become necessary.

8. Possible processing errors and data breaches

The Data Processor processes the Data Subject's personal data, in accordance with the DPA entered into with the Data Controller, through software and the cooperation of employees and human collaborators. The Data Processor:

• imparts precise instruction to its employees and collaborators regarding the GDPR and how and what precautions to take when processing personal data;

• has developed specific procedures to be activated in case of error/malfunction of its human and technical resources. These procedures are shared and approved by the Data Controller.

Despite these precautions, on rare occasions there may be instances of technical malfunctions or human distractions that could lead to erroneous data processing or possible data breaches.

In such eventualities, the Data Processor:

• in accordance with the DPA shall promptly notify the Data Controller of what happened;

• shall activate procedures for handling the error.

• shall activate procedures for handling the error. In order to detect the error or malfunction as quickly as possible and to resolve it, remedy the situation in a timely manner, the Data Processor shall make available directly to the Data Subject the following email address to which all reports of erroneous data processing or malfunctions may be sent.

15/08/2022 Instago SAGL