Privacy Policy

1. Categories of Personal Data processed

   The Data Controller processes the following types of Personal Data voluntarily provided by the Data Subject:

   • Contact Data: first name, last name, address, e-mail address, phone number, pictures, authentication credentials, information for creating an account, any further information sent by the Data Subject.
   • Fiscal and Payment Data: tax code, VAT number, credit card data, bank account details, etc.
   • Special Categories of Data (Health Data): Personal Data revealing health conditions, in particular data related to endometriosis management, including but not limited to:
     • Menstrual cycle data
     • Pain, symptoms and their location
     • Nutrition, meals and substances consumed
     • Activities, physical training and sleep patterns
     • Personal notes entered in the Application
     • Files and content uploaded by the Data Subject
     These data qualify as special categories of Personal Data under Article 9 of the GDPR and are collected exclusively with the explicit consent of the Data Subject. The Data Subject may withdraw consent at any time.

   The Data Controller processes the following types of Personal Data collected automatically:

   • Technical Data: Personal Data produced by devices, applications, tools and protocols such as, for example, device identifier, IP addresses, browser type, type of Internet provider (ISP), access logs. Such Personal Data may leave traces which, combined with unique identifiers and other information received by the servers, can be used to create profiles of individuals.
   • Usage Data: such as, for example, pages visited, number of clicks, actions taken, duration of sessions, anonymous usage statistics.

   If the Data Subject decides not to provide Personal Data for which there is a legal or contractual obligation, or if such data is a necessary requirement for the conclusion of the contract with the Data Controller, it will be impossible for the Data Controller to establish or continue any relationship with the Data Subject.

   The Data Subject who communicates Personal Data of third parties to the Data Controller is directly and exclusively liable for their origin, collection, processing, communication or divulgation.

2. Cookies and similar technologies

   Cookies are not used for the transmission of personal information, and neither are persistent cookies of any kind used, i.e. systems for tracing the Data Subjects. Therefore, the Application does not acquire the Personal Data of the Data Subjects using these technologies. Use is made of session technical cookies (not persistent), strictly limited to what is necessary for the safe and efficient navigation of the Application.

3. Legal basis and purpose of data processing

   The processing of Personal Data is necessary:

   1. for the performance of the contract with the Data Subject (Article 6(1)(b) GDPR), and especially:
      1. fulfillment of any obligation arising from the pre-contractual or contractual relationship with the Data Subject
      2. registration and authentication of the Data Subject: to allow the Data Subject to register in the Application, to access it and to be identified in it, also via external platforms
      3. provision of the requested service, including symptom and menstrual cycle monitoring, and personalizing features and suggestions to improve the user experience
      4. support and contact with the Data Subject: to answer the Data Subject's requests
      5. management of payment: to manage payments by credit card, bank transfer or other methods
   2. for legal obligations (Article 6(1)(c) GDPR), and especially:
      1. the fulfilment of any obligation provided for by the applicable norms, laws and regulations, in particular, on tax and fiscal matters
   3. for the legitimate interest of the Data Controller (Article 6(1)(f) GDPR), for:
      1. marketing purposes by e-mail of products and/or services of the Data Controller — to directly sell the Data Controller's products or services using the email provided by the Data Subject in the context of the sale of a product or service similar to the one being sold
      2. management, optimization and monitoring of the technical infrastructure: to identify and solve any technical issue, to improve the performance of the Application, to manage and organize the information in a computer system (e.g., server, database, etc.)
      3. security and anti-fraud: to guarantee the security of the Data Controller's assets, infrastructures and networks
      4. anonymous data based statistics: in order to carry out statistical analysis on aggregated and anonymous data in order to analyze behaviors of the Data Subject to improve products and/or services provided by the Data Controller and better meet the expectations of the Data Subject
   4. on the basis of the Data Subject's explicit consent (Articles 6(1)(a) and 9(2)(a) GDPR), for:
      1. processing of special categories of data (health data) as described in Section 1, for the purpose of providing the endometriosis care companion service
      2. profiling the Data Subject for marketing purposes: to provide the Data Subject with information on the Data Controller's products and/or services through automated processing designed to collect personal information to predict or assess the Data Subject's preferences or behaviors
      3. marketing purposes of the Data Controller's products and/or services: to send information or commercial and/or promotional materials, to perform direct sales activities of the Data Controller's products and/or services or to conduct market research with automated and traditional methods

   The Data Subject's Personal Data may also be used by the Data Controller to protect itself in judicial proceedings before the competent courts.

   Important notice: The Application is not intended to provide diagnosis or medical advice and does not replace professional medical consultation. The Data Subject accepts that the service is provided solely for tracking and informational purposes.

4. Data processing methods and receivers of Personal Data

   The processing of Personal Data is performed via paper-based and computer tools with methods of organization and logics strictly related to the specified purposes and through the adoption of appropriate security measures.

   Personal Data are processed exclusively by:

   • persons authorized by the Data Controller to process Personal Data who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality;
   • subjects that operate independently as separate data controllers or by subjects designated as data processors by the Data Controller in order to carry out all the processing activities necessary to pursue the purposes set out in this policy (for example, business partners, consultants, IT companies, service providers, hosting providers);
   • subjects or bodies to whom it is mandatory to communicate Personal Data by law or by order of the authorities.

   The subjects listed above are required to use appropriate measures and guarantees to protect Personal Data and may only access data necessary to perform their duties.

   Personal Data will not be sold or transferred to third parties for commercial purposes. Personal Data will not be indiscriminately shared in any way.

5. Place

   Personal Data will not be transferred outside the territory of the European Economic Area (EEA). Servers used by the Application are located in the EU or operate in compliance with the GDPR, including through the use of Standard Contractual Clauses (SCC) where applicable.

6. Personal Data storage period

   Personal Data will be stored for the period of time that is required to fulfill the purposes for which it was collected. In particular:

   • for purposes related to the execution of the contract between the Data Controller and the Data Subject, they will be stored for the entire duration of the contractual relationship and, after termination, for the ordinary prescription period of 10 years. In the event of legal disputes, for the entire duration of such disputes, until the time limit for appeals has expired.
   • for purposes related to legitimate interests of the Data Controller, they will be stored until the fulfilment of such interest.
   • in compliance with legal obligations, by order of an authority and for legal protection, they shall be stored according to the relevant timeframes provided for by such obligations, regulations and, in any case, until the expiry of the prescriptive term provided for by the rules in force.
   • for purposes based on the consent of the Data Subject, they will be stored until the consent is revoked.
   • upon account deletion by the Data Subject, Personal Data will be deleted immediately, except where retention is required by law.

   At the end of the conservation period, all Personal Data will be deleted or stored in a form that does not allow the identification of the Data Subject.

7. Rights of the Data Subject

   Data Subjects may exercise specific rights regarding the Personal Data processed by the Data Controller. In particular, the Data Subject has the right to:

   • be informed about the processing of their Personal Data
   • withdraw consent at any time (noting that withdrawal may limit or preclude access to some features of the Application)
   • restrict the processing of his or her Personal Data
   • object to the processing of their Personal Data
   • access their Personal Data
   • verify and request the rectification of their Personal Data
   • obtain the erasure of their Personal Data ("right to be forgotten")
   • transfer their Personal Data to another data controller (data portability)
   • file a complaint with the Personal Data protection supervisory authority and/or take legal action.

   In order to exercise their rights, Data Subjects may send a request to the following e-mail address: info@agendo.health. Requests will be immediately treated by the Data Controller and processed as soon as possible, in any case within 30 days.

8. Security Measures

   The Data Controller adopts appropriate technical and organizational measures to protect Personal Data, including:

   • encryption of sensitive data at rest and in transit
   • access limited to authorized personnel only
   • protected and redundant backups
   • servers located in the EU or compliant with GDPR, including through the use of Standard Contractual Clauses (SCC)

Last update: 31/03/2026