In case authentication is provided via social login, we use the OAuth standard. In the table below you can find the fields we get and store from the supported OAuth providers:
|Picture||picture||call to Graph API to get User Picture||profile_image_url_https||profilePicture/displayImage~/elements/identifiers/identifier|
Please refer to the technical documentation of each OAuth provider for more information on each field.
In case authentication is provided via email login, we get the fields below from you and we store them:
- Email: The email address that you use to sign in to Now4real to chat.
- Name: The display name that you decide to show in Now4real chats.
- Picture: The picture associated with your email address by a third-party service called Gravatar. It will be a default random picture if you have not associated a picture of your choice with your email address on Gravatar’s website. Alternatively, you can choose to display a picture with your name initials.
In case authentication is not provided because the Publisher chose to allow users to post messages with no registration, we get the field below from you and we store it:
- Name: The nickname that you decide to show in Now4real chats.
In case authentication is provided by the Publisher’s website, we get the fields below from the authentication provider (the Publisher’s website) and we store them:
- Name: The display name that the Publisher decides to show from your profile on the website (it might be a nickname or a real name, depending on the website).
- Picture: The picture that the Publisher decides to show from your profile on the website or your name initials.
For every chat message published by Users, we store some data fields in our databases. In the table below, you can find a detailed list of the fields we store and you can see the visibility of each field. In particular, there are three types of data visibility:
- Public: The field is publicly displayed in real time and may remain publicly visible for a maximum time of 1 month, after which it is no longer accessible to Users. By “publicly visible” we mean that the field could be visible to the general public or only to some authenticated Users, depending on the Publisher’s configuration.
- Publisher: The field can remain visible to the owner of the website (the Publisher) where the chat message originated, up to 12 months after the message has been published.
- Private: The field is not shared with third parties and is used solely to provide law enforcement authorities with the necessary information in case of applicable law violation and to perform systems analyses and troubleshooting in case of technical issues or cyber-attacks.
|Timestamp of the message||X||X|
|Content of the message||X||X|
|Address of the website where the message was published||X||X|
|Address of the page where the message was published (we store window.location.pathname only, thus ignoring any query string and fragment)||X||X|
|OAuth provider (social network used for authentication; only in case of social login)||X||X|
|Name of the author of the message (see profile fields above)||X||X|
|Picture of the author of the message (see profile fields above)||X||X|
|Email of the author of the message (see profile fields above; only in case of social login and email login)||X|
|IP address, TCP port, and timestamp of the client connection that originated the N4R session, within which the message was sent||X|
|OAuth data provided by social login||X|
In relation to personal data collected, the User is entitled to exercise the following rights:
- Right of access: the right to verify, in particular, which personal data and which types of personal data are collected and stored by the Controller, for what purpose they are used, where they are collected and to whom they have been communicated.
- Right to rectification and/or integration: the right to obtain from the Controller the correction and/or the integration of personal data concerning and provided by the User.
- Right of restriction: the right to obtain from the Controller restriction of processing of User’s personal data if, in particular:
  - a dispute arises regarding the accuracy of personal data due to non-compliance of the Controller;
  - the use and processing of personal data is unlawful and requires restriction of use of the personal data;
  - there is no longer any need for the Controller to keep User’s personal data, but the User needs it to ascertain, exercise or defend its rights in court.
- Right to portability: following a specific request of the User, the Controller will transfer personal data to another data controller, if technically possible, provided that the processing is based on the specific consent of the User or is necessary for the performance of a contract.
- Right to erasure: the right to obtain from the Controller the erasure of your personal data if:
  - personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  - the User has the right to object to further processing of his personal data and exercises this right to objection;
  - personal data have been processed unlawfully, unless the processing is necessary by virtue of legal obligations, by law or in order to constitute, exercise or defend a right in court.
- Right to objection: the right to object to the processing of personal data at any time, provided that the processing is not based on User’s consent but on the legitimate interests of N4R (as Controller) or third parties. In such cases, the Controller will no longer retain User’s personal data unless it is possible to demonstrate binding and legitimate reasons and an overriding interest in the processing or establishment, exercise or defense of a right in court.
- Right to lodge a complaint: in case of alleged violation of the current privacy law, the User may lodge a complaint with the competent data protection authority; in Italy, it is the Garante per la protezione dei dati personali.
The Controller must reply to any request made by the User in exercise of the User’s rights (including the right of access) within 1 (one) month from receiving the specific request. This timeline is extendable up to 3 (three) months in cases of particular complexity. In any case, the Data Controller must give feedback to the User within 1 (one) month from the request, even in case of denial.
The feedback must generally be given to the User in written form, including through the use of electronic tools that facilitate accessibility; it can only be given orally if the User so requires.