We use the OAuth standard to implement social login. In the table below you can find the fields we get from the supported OAuth providers and store:
|Picture||picture||call to Graph API to get User Picture||profile_image_url_https||profilePicture/displayImage~/elements/identifiers/identifier|
Please refer to the technical documentation of each OAuth provider for more information on each field.
For every chat message published by Users, we store some data fields in our databases. In the table below, you can find a detailed list of the fields we store and you can see the visibility of each field. In particular, there are three types of data visibility:
- Public: The field is publicly displayed in real time and may remain publicly visible for a maximum time of 1 month, after which it is no more accessible to Users.
- Publisher: The field can remain visible to the owner of the website (the Publisher) where the chat message originated, up to 12 months after the message has been published.
- Private: The field is not shared with third parties and is used solely to provide law enforcement authorities with the necessary information in case of applicable law violation and to perform systems analyses and troubleshooting in case of technical issues or cyber-attacks.
|Timestamp of the message||X||X|
|Content of the message||X||X|
|Address of the website where the message was published||X||X|
|Address of the page where the message was published (we store window.location.pathname only, thus ignoring any query string and fragment)||X||X|
|OAuth provider (social network used for authentication)||X||X|
|Name of the author of the message (see the social network table above)||X||X|
|Picture of the author of the message (see the social network table above)||X||X|
|Email of the author of the message (see the social network table above)||X|
|IP address, TCP port, and timestamp of the client connection that originated the N4R session, within which the message was sent||X|
|OAuth data provided by social login||X|
In relation to personal data collected, the User is entitled to exercise the following rights:
- Right of access: the right to verify, in particular, which and which type of personal data are collected and stored by the Controller, for what purpose they are used, where they are collected and to whom they have been communicated.
- Right to rectification and/or integration: the right to obtain from the Controller the correction and/or the integration of personal data concerning and provided by the User.
- Right of restriction: the right to obtain from the Controller restriction of processing of User’s personal data if, in particular:
- a dispute arises regarding the accuracy of personal data due to non-compliance of the Controller;
- the use and processing of personal data is unlawful and requires restriction of use of the personal data;
- there is no longer any need for the Controller to keep User’s personal data, but the User needs it to ascertain, exercise or defend its rights in court.
- Right to portability: following a specific request of the User, the Controller will transfer personal data to another data controller, if technically possible, provided that the processing is based on the specific consent of the User or is necessary for the performance of a contract.
- Right to erasure: the right to obtain from the Controller the erasure of your personal data if:
- personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- user has the right to object to further processing of his personal data and exercise this right to objection;
- personal data have been processed unlawfully, unless the processing is necessary by virtue of legal obligations, by law or in order to constitute, exercise or defend a right in court.
- Right to objection: the right to object to the processing of personal data at any time, provided that the processing is not based on User’s consent but on the legitimate interests of N4R (as Controller) or third parties. In such cases, the Controller will no longer retain User’s personal data unless it is possible to demonstrate binding and legitimate reasons and an overriding interest in the processing or establishment, exercise or defense of a right in court.
- Right to lodge a complaint: in case of alleged violation of the current privacy law, the User may lodge a complaint with the competent data protection authority; in Italy it is the Garante per la protezione dei dati personali.
The Controller must reply to the request given by the User, for any rights the User may exercise (including the right of access), within 1 (one) month from receiving the specific request. This timeline is extendable up to 3 (three) months in cases of particular complexity. In any case, the Data Controller must however give feedback to the User within 1 (one) month from the request, even in case of denial.
The feedback must be generally given to the User in written form also through the use of electronic tools that facilitate accessibility; it can only be given orally if the User so requires.