PICA GROUP S.P.A.

TERMS AND CONDITIONS OF GETPICA.COM WEBSITE AND GETPICA APP

1. General provisions and premises

Nel caso di persone giuridiche, il soggetto che aderisce alle presenti T&C dichiara e garantisce, sotto la propria responsabilità, di essere munito di tutti i poteri occorrenti a tale scopo. A tale riguardo, l’Utente manleva e tiene indenne Pica da ogni pretesa e/o contestazione di terzo e i suoi aventi causa.

By these terms and conditions (“T&Cs”), Pica Group S.p.A, a joint-stock company under Italian law, having its registered office in Via Dell’Aprica 12 - 20158 Milan, registered with the Chamber of Commerce of Ravenna under the number Rea 210088, VAT n. 02529950392, e-mail: administration@getpica.com , certified e-mail address address: picagroupspa@legalmail.com , (“Pica”) illustrates to users (“Users”) who navigate: (i) the website getpica. com; (ii) the “PICA” application for devices available on the Google Play Store or Apple Store (“Pica APP”) and/or other dashboards linked to the same (all, collectively, the “Platform”), the conditions governing the use of the products and/or services provided and/or marketed by Pica through the Platform, as detailed below.

Pica is not responsible for the provision of services and/or sale of products by third parties accessible from the Platform via links, banners or other hyperlinks. Pica also does not perform any control and/or monitoring on the websites that can be consulted through such links; therefore, Pica is not responsible for the content of such sites, nor for any errors and/or omissions and/or violations of law on their part.

In the case of legal entities, the party adhering to these T&Cs declares and warrants, under its own responsibility, that it has all the powers necessary for this purpose. In this regard, the User will indemnify and hold Pica harmless from all claims and/or disputes of third parties and their assignees.

2. Browsing and registration to the Platform

Browsing the Platform is free of charge. Users who decide to browse the Platform may be asked from time to time for specific consents for the processing of their personal data and/or for the use of cookies or other similar tracking devices referred to in the cookie policy available at the following address https://policy.getpica.com/it/cookie-policy/ .

Registration to the Platform allows Users to create their own personal account (“Pica Account”) free of charge, subject to the provision of their personal data, in order to use the services and/or purchase the services and products offered by Pica, as described below.

In order to register, the User must follow the appropriate procedure indicated through the Platform, provide correct, truthful data referring to the User himself/herself and accept these T&Cs. In particular, to create a Pica Account it will be sufficient for the User to fill out the appropriate form by entering the data indicated therein such as, in particular, the User’s e-mail address and a password, and click on the “Register” button. Registration will not be deemed completed until the e-mail entered is verified.

When registering to the Platform, the User declares, by means of an appropriate flag, that he/she is eighteen years of age or older. If the User is under eighteen years of age, he/she will be inhibited from registering to the Platform and acceptance of these T&Cs by the person exercising parental responsibility for the minor will be required.

The data acquired will be collected and processed in compliance with applicable data protection regulations and, in any event, in accordance with the privacy policy that the User must read upon registration and declare that he or she has read and understood (and, if applicable, also optionally providing the required consents).

Pica Account registration credentials (e-mail address and password) must be kept with care and diligence. Such credentials may be used only by the User and may not under any circumstances be given to third parties. The User undertakes to keep them confidential and to ensure that no third party has access to them. The User further undertakes to inform Pica immediately if he/she suspects or becomes aware of any misuse or improper disclosure of these credentials.

The User warrants that the personal information provided during the Pica Account creation and registration process is complete and truthful and agrees to hold Pica harmless and indemnified from any damages, compensatory obligations and/or penalties arising from and/or in any way related to the violation by the User of the rules regarding the registration or storage of registration credentials.

It is prohibited to use the Services: (i) in a manner that causes, or is likely to cause, interruption, damage and/or malfunction to the Services and its functionality, or (ii) for purposes not permitted by law, or otherwise to commit unlawful activity, or (iii) to inconvenience, harm or apprehend any third party.

Without prejudice to the right to damages, Pica reserves the right to prevent access to the Platform, to suspend or terminate an account, to remove or modify the contents of the Platform, to prevent the use of services and/or the purchase of products, in case of violation of the provisions of applicable laws and/or these T&Cs.

3. Pica’s Products and Services

Through the Platform, Pica predominantly conducts an activity of distribution to Users, including on behalf of third parties, of photos and videos (“Content”), relating, without limitation, to specific events and/or experiences or relating to the stay at accommodation/tourism/entertainment facilities (“Events”), organized/managed by third parties having agreements with Pica (“Organizers” and, each, individually, “Organizer”), subject to User’s acceptance of these T&Cs (collectively, “Content Sharing” or the “Services”).

The Content may, as applicable:

(i) Be produced by Organizer, if applicable through its suppliers/photographers (“Organizer’s Content”);

(ii) Be produced by Pica, if applicable through its suppliers/photographers (“Pica’s Content”).

Content Sharing may occur in two different ways, described below:

(i) For a fee, through an online ordering and payment system, User purchases Event-related Content, in digital (or even tangible, where expressly provided for the individual Event) media, sold directly by Pica, for its own account and interest (collectively, “Photo Buy”);

(ii) User acquires, free of charge, Content delivered directly by Pica, on behalf of and in the interest of the Event Organizer (collectively, “Photo Free”).

In addition, Content Sharing may be enjoyed, as appropriate, through two distinct channels:

(i) Organizer makes Content (including those made by their own photographers or by those hired by third parties, including Pica) created as part of Events available on the Platform administered by Pica (“Organizer’s Platform”);

(ii) Pica licenses its Platform to the User in a “SaaS” version (“Pica SaaS”), so that the User, as Organizer, may create Events and upload Content directly to the Platform for the purpose of collecting and sharing Content, including with third parties.

The Content covered by the Photo Buy and the license in the case of Pica SaaS are hereinafter also referred to jointly as “Products”.

4. Photo Free

In the case of Photo Free fruition, Pica manages, in the name and on behalf of the Organizer, the distribution of Content through the Platform, upon User’s specific request. The Content Sharing in Photo Free mode will therefore be governed by these T&Cs, as well as by any additional contractual documentation prepared by the Organizer. In the latter case, Pica will not perform any verification of merit on such possible documentation, and therefore disclaims as of now any liability in this regard.
In addition, Pica will not perform any verification on the Content, with respect to which, respectively, the Pica SaaS User and the Organizer both assume all responsibility.

5. Purchase of Products

In case of purchase of Products, the contractual relationship will be concluded directly with the User and will be governed by these T&Cs, as well as by any additional legal documentation provided to the User prior to the finalization of the purchase procedure.

All orders for the purchase of Products made through the Platform, as well as related services, are subject to these T&Cs, which represent the entirety of the existing commitments between Pica and the User, unless otherwise agreed.

In general, the purchase of Products is allowed both to Users who have the quality of consumer under Article 3, paragraph 1, letter a) of the Italian Consumer Code, and to Users who do not have this quality.

Any order by the User implies full acceptance of these T&Cs, which must, however, be carefully read by the User, before the completion of the purchase process. The order’s submission (and the consequent payment, where required, at the time of placing the order) presupposes the User’s full knowledge and full acceptance of said legal documents. Pica, therefore, does not consider itself bound to different conditions, unless previously agreed in writing.

In accordance with Italian Legislative Decree No. 70 of April 9, 2003 on electronic commerce, Pica informs the User that:

• in order to purchase one or more Products through the Platform, the User must complete an order in electronic format and transmit it to Pica, following the appropriate purchase procedure in electronic format, following the instructions that will appear from time to time within the Platform. Acceptance is therefore manifested by following the on-screen instructions for the forwarding of the order, through the exact completion of all the dedicated sections, having first selected the words “Acceptance of the T&Cs and Privacy Policy”;

• prior to the submission of the order, the User will see a page summarizing the contents of the same, with the precise indication of the main information relating to the contract, where applicable (including fees, payment terms, any mode and terms of delivery, etc). Through the Platform, it will always be possible, before placing the order, (i) to modify User’s data and/or, where possible, the selected Products and (ii) to choose the payment method preferred by the User among those made available on the Platform;

• once the order has been acquired, Pica will send to the User at the e-mail address indicated, the confirmation of the order containing: a summary that includes, among other things, information relating to the essential characteristics of the Product purchased as well as detailed indication of the price (where applicable) and of the means of payment used;

The User acknowledges that he or she will be identified as the holder of his or her rights and duties exclusively on the basis of the credentials that he or she will have selected when creating the Pica Account, and agrees to guard these credentials with the required diligence and to immediately report to Pica - at support@getpica.com - any loss of control over them, noting the circumstance that, in the absence of such a report and, in any case, until the moment of receipt of the report made to Pica, he or she will be responsible for any action and conduct put in place using these credentials. In any case, the User may at any time request the cancellation of the Pica Account by forwarding an e-mail to the following address: privacy@getpica.com or make the cancellation autonomously through the procedure made available on the Platform in the section of the User’s profile. Please note that the cancellation of the Pica Account will result in the inability to access any active services.

Pica reserves the right to cancel or refuse orders from Users who have violated these T&Cs, or orders for which payment of the required fees has failed. This is without prejudice to any further remedies provided by the applicable reference legislation and/or these T&Cs.

Pica will retain copies of orders received and acceptances sent for a reasonable period of time, again in compliance with the applicable reference legislation. The aforementioned documentation will be kept on Pica’s servers and will be accessible to personnel who need to consult it in connection with their obligations. The documentation will, likewise, be accessible to third parties for the sole purpose of the performance of contractual obligations as well as to parties entitled to access it under the applicable reference legislation, always in compliance with the rules for the protection of personal data.

For further liability profiles, please refer to the provisions below.

The purchase of the license in the case of Pica SaaS may take place in two ways:

A. Purchase in relation to a single Event (in this case, the User of Pica SaaS explicitly acknowledges and accepts that it will not be possible to upload Content in Pica SaaS until the activation of a single Event);

B. Subscription purchase (where applicable for the specific product), with the option to take advantage of a free trial period.

The purchase of the license in the case of Pica SaaS may also relate to a package of photo credits (the “Package”), pursuant to which the User will have a limited number of photo credits (the “Credits”), to be used for uploading to the Platform a number of Content corresponding to the number of Credits. The uploading of any erroneous and/or duplicate Content to the Platform will in any case result in the use of the corresponding Credits, and any deletion of the same from the Platform will in no case result in a recovery of the Credits already used.

6. Fees and method of payment

Once the order for the purchase of the Products is submitted, the User is obliged to pay, where applicable, the fees indicated on the summary page. Payments for the purchase of Products shall all be made in favor of Pica, unless expressly stated otherwise.

Where applicable, the sale prices of Products on the Platform shall be expressed in the currency corresponding to the country in which the event takes place. In any case, the price to be paid (i) does not include the cost of using the means of distance communication used to send the order nor any fees applied independently by the provider of the payment service used, (ii) includes a fee for using the platform for the purpose of purchasing the Products.

The message accepting the order for the purchase of the Products will contain a summary of the amount to be paid to Pica, as well as the different items that make it up.

Pica may change the Products’ prices at any time, without prior notice; however, the User will be charged the amounts indicated on the Platform at the time of placing the order, unless the prices indicated are disproportionately incompatible with the normal market price of the Products due to obvious material errors. In addition, with respect to the price of the Products, Pica reserves the right to notify the User of any errors or changes, prior to confirming your order. In this case, Pica will promptly inform the User by specific communication thus guaranteeing the User the right to cancel the order.

Payment of the prices for the purchase of the Products may be made by credit card, debit card, bank transfer or other payment systems also temporarily made available on the Platform. In the event that one of these methods cannot be used in relation to a specific Product, this will be clearly indicated on the Platform, at the latest at the beginning of the purchase process.

Pica uses a secure payment service based on the SSL protocol. The data of the credit/debit card used will be immediately encrypted and transmitted to the payment service provider.

With reference to the payment terms for individual Products please refer to the “Price List” section within the Platform.

In case of Events organized by the Organizers, the specific conditions defined, from time to time, by the Organizers will apply.

7. Method of delivery of the Products and/or Content and duration of the contract.

The Content Sharing activity is of instantaneous execution.

The Products and/or Content will be made available to the User electronically via the User Account created through the Platform.

In the case of purchasing Products on tangible media, any additional delivery charges over and above the fee payable by the User will be indicated at check-out.

8. Right of withdrawal (cancellation of the purchase and refund, where applicable)

Users who qualify as consumers, without having to provide any reason, within the period of 14 (fourteen) days from the day of the purchase of the Products by sending an e-mail to support@getpica.com of a statement prepared (i) on the basis of the model provided under the Italian Consumer Code, (ii) on any format, as long as it contains the declaration of the consumer that he wants to explicitly withdraw from the contract concluded with Pica.

In the event of withdrawal, the consumer must specify in detail the reasons for the request, while Pica will be obliged to make a refund of the amount paid for the purchase of the Products, subject to verification of the validity of such reasons.

However, Pica informs the consumer that, in case of purchase of a Product on digital media, it is possible to decide to make the download at the same time as the purchase of the same, or at a later time. In both cases, the User who qualifies as a consumer recognizes and accepts that the start of the download will correspond to the moment of the beginning of the execution of the contract, anticipating the expiration of the withdrawal period and losing, consequently, the corresponding right. In any event, prior to placing the order or prior to downloading the Product, the User (i) is informed that he or she will be required to obtain consent prior to the download itself and (ii) agrees that he or she will forfeit such right once the download has commenced. Where, on the other hand, the User does not make the download of the Product in digital format, as well as in the case of the purchase of Products on tangible media, Pica informs the User that the right of withdrawal is applicable, within the term of 14 calendar days starting from the date of sending the order.

9. Procedure for Content Sharing

In all the cases described above, in order to find the Content depicting them (i) taken/recorded by photographers commissioned by Pica or third parties at specific Events of the Organizers or (ii) uploaded by the User of Pica SaaS with reference to its own Events, it will be necessary to take advantage of the facial recognition service made available by Pica by means of the Platform and provide a photograph of the User’s face (“Selfie”) through the latter’s device or made available by the Organizer.

In any case, for the purposes of Content Sharing, whether in the case of Photo Free or Photo Buy, it is necessary for the User to have created a Pica Account, upon acceptance of the T&Cs, following the procedure described in Art. 2 of these T&Cs.

The User acknowledges that, if the Event involves the use of a unique and personal code or, as the case may be, an Event identification code (“PicaCode”, as per the example below), which allows direct access to Content depicting the User at the Event, the User agrees (i) to make strictly personal use and therefore not to transfer to third parties, as well as to guard with the required diligence the PicaCode and (ii) to hold Pica harmless and indemnified from any claim, damage, indemnity obligation from or in any way related to the transfer, theft, loss of the PicaCode.

Pica will retain the Content and additional personal data processed in the performance of the Services:

(i) in case of Photo Buy fruition, for a maximum period of 10 years;
(ii) in case of Photo Free fruition, for the period determined by the Data Controller (as better specified below) and, in any case, for a maximum period of 2 years.

In addition, through the Platform the Content will be made available to the User for the same period indicated under (i) and (ii) above.

The same retention terms shall also apply to access to the Content by the User who has purchased a license of Pica SaaS.

10. Statutory and contractual warranties

Pica offers a warranty, the minimum duration of which depends on the type of Product purchased, according to the applicable reference legislation.

All Product and Content descriptions, illustrations, depictions, details, dimensions, presentation data, and any other information available on the Platform are to be understood as illustrations of a general nature of the Products and Content and do not in any way represent warranties or representations of conformity of the Products and Content with them.

With respect to Products purchased directly from Pica, consumers will also be entitled to the legal guarantee of conformity provided for in Articles 128 et seq. of the Italian Consumer Code. Nothing in these T&Cs will affect the rights guaranteed to the consumer by law.

Furthermore, Pica undertakes to ensure that the Platform is constantly updated and provides, in accordance with Article 130 of the Italian Consumer Code, periodic free updates to the User. If the User does not install the provided update within a reasonable period of time, Pica shall not be liable for any lack of conformity resulting from the lack of the relevant update.

For anything not provided for in this article, the provisions of the applicable civil reference legislation on the formation, validity and effectiveness of contracts and legal guarantees shall apply, including the consequences of termination of the contract and the right to compensation for damages.

11. Limitation of Liability

Nothing in these T&Cs shall exclude or limit Pica’s liability for (a) willful misconduct and/or (b) gross negligence.

The User expressly acknowledges and represents that:

• the User’s use of the Platform takes place at the User’s sole discretion and at your own risk;

• the Platform is provided time to time in the version available at that particular time;

• Pica assumes no liability with respect to the fruition, availability, punctuality, cancellation, failure to provide, updating, absence of defects and correction, quality and compatibility of the service for a specific use, or to the compliance with the rules of use of the service by Users; no advice and no information provided by Pica may create any guarantees not expressly provided for in the T&Cs;

• Pica does not guarantee the uninterrupted performance of the Platform, nor does it cover any damage suffered by the User’s terminal (or mobile device) or any loss of data consecutive to the downloading of Products and/or Content or, in general, from the use of the Platform;

• the User agrees to indemnify Pica against any damages or claims of third parties resulting from (i) User’s posting, dissemination, use or transmission of content, (ii) use of the Platform, (iii) violation of these T&Cs, or (iv) violation of the rights of third parties.

User acknowledges and agrees that, subject to mandatory statutory provisions, Pica shall not be liable for:

• the Content, Products, failures, inefficiencies and/or delays related to causes not attributable to Pica and/or due to circumstances beyond Pica’s control and/or caused by force majeure;

• any direct or indirect damage of the User, data or any other loss that may result from (i) the use or conversely the inability to use the Platform, (ii) the acquisition of goods or a transaction made during the use of the Platform or the Services, (iii) as a result of unauthorized access to the Platform;

• any non-compliance with any applicable regulations of the Content managed by the User through Pica SaaS. In addition, if the User is a consumer, the Products and Content are provided by Pica for home and private use only.

In addition, if, for reasons beyond Pica’s control, access to the Platform is interrupted, transmission errors occur, or access to the Services is randomly suspended or restricted in order to allow for repair work, maintenance, or the introduction of any new activities or services, Pica shall not be liable for: (i) losses that are not a consequence of the violation of these T&Cs, or (ii) for any loss of business opportunity, or (iii) any direct and/or indirect losses that are not reasonably foreseeable, or otherwise directly attributable to Pica’s own actions and/or omissions.

If the User uses the Products and/or Content for commercial or professional purposes, Pica:

• shall not be liable to User, whether for contractual or non-contractual (including negligence) liability, breach of statutory duty, or otherwise, for any loss of profit or any indirect or consequential loss arising out of or in connection with any contract with Pica;

• Pica’s liability for any loss arising out of or in connection with any contract with Pica, whether for contractual or non-contractual (including negligence) liability, breach of statutory duty, or otherwise, shall be limited to the total amounts paid for the Products.

User further acknowledges and agrees that, in any event, Pica’s liability shall not exceed the amounts paid by User to Pica for the purchase of the Products. This is without prejudice to what is otherwise provided for under applicable law.

Lastly, Pica shall in no event be liable for the fulfillment of obligations borne by third parties that may offer commercial guarantees in relation to the Contents and Products, as well as for facts or conduct attributable directly to the Organizer, nor yet in the event of unlawful processing of personal data attributable to the latter or to other third parties, attributable in view of their status as autonomous data controllers under Regulation (EU) 2016/679 (the “Regulation”).

12. Intellectual property rights

12.1. Intellectual property rights relating to the Platform

Intellectual and industrial property rights refer to, but are not limited to:

(i) applications and registrations of trademarks, de facto trademarks, insignia, firms, domain names and any other distinctive signs;
(ii) applications and registrations of designs, as well as unregistered designs;
(iii) software, databases and source codes;
(iv) interfaces, graphic layouts, text and images;
(v) trade secrets, confidential and confidential information (including industrial and/or trade secrets and know-how);
(vi) copyrights, rights related to copyrights and sui generis rights (including, rights to archives, data analysis, raw data, semi-processed data, processed data, mathematical models, formulas of all kinds and nature),

(“IP Rights”).

It is understood that all IP Rights related to, included in, or made available through the Platform are and remain the exclusive property of Pica.

The User does not acquire any IP Rights owned by Pica and agrees not to copy, modify, distribute, sell or grant third parties use of any part of the Platform itself without Pica’s prior written consent. The User also undertakes not to engage in activities - such as, but not limited to, decompiling, reverse engineering or any other activity aimed at obtaining the source code of the Platform - that may compromise Pica’s or third parties’ IP Rights.

Reproduction (in whole or in part), modification or use - for any reason and by any means - of the IP Rights present and/or related to the Platform, without the express written permission of Pica and/or the respective holders of such rights is strictly prohibited.

The User agrees to use the Platform exclusively within the limits established by these T&Cs and not to engage in any activities that may infringe or compromise Pica’s or third parties’ IP Rights.

In case of violation of IP Rights owned by Pica by the User, Pica may suspend or terminate the User’s account and also take legal action to protect its rights.

12.2. Intellectual Property Rights Related to Content

The User acknowledges that the use of the Platform may take place in two different ways, each of which is governed differently in terms of intellectual and industrial property:

(i) In case of Photo Buy fruition, both in the case of Pica SaaS and in the case of Platform for Organizers:

a) in case of Organizer’s Content, the Organizer assigns to Pica the IP Rights to the Content sold by Pica through the Platform;
b) in case of Pica’s Content: Pica makes available to the User the Content made directly or provided by third-party photographers contracted by Pica. In such case, Pica remains the sole owner of all IP Rights to the Content and with respect to the latter grants the User a non-exclusive, personal, non-transferable, non-sublicensable license of use, valid worldwide and, more generally, limited to the uses set forth in these T&Cs. It is understood that the User may use the Content for personal purposes only, any commercial purposes therefore remaining excluded unless prior written permission is obtained from Pica.

With reference to such license granted by Pica, it is understood that:

the same pertains only to the Contents. Therefore, the following are excluded from the scope of the same: i) the right to use any IP Rights of third parties that may appear in the Contents; ii) the right to exploit the image of third parties portrayed in the Contents without their prior consent; iii) the right to modify, distribute, sell or create derivative works from the Contents without the prior written authorization of Pica;
Pica reserves the right to revoke the same in case of violation of these T&Cs upon prior notice to the User. In case of revocation, the User shall immediately cease all use of the Content;
Pica reserves the right to change the terms of the same at any time. Any changes will be communicated to the User with a notice of at least 30 (thirty) days, allowing the User to accept the new conditions or cease using the Content. It is understood that the use of the Platform after the entry into force of the changes implies the acceptance of the new conditions.

(ii) In case of Photo Free fruition, whether in the case of Pica SaaS or Organizer Platform, the User and/or Organizer remains the sole owner of the IP Rights to the Content. furthermore, in the case of Pica Saas for Photo Free Events, Pica only provides hosting and sharing service without in any way acquiring rights to the Content, except as necessary for the delivery of the Services and the improvement of the user experience. The User and/or Organizer warrants that they have all necessary rights to upload Content to the Platform, including Content depicting third parties. The User and/or Organizer is responsible for obtaining the necessary permissions for the use of third-party images and releases Pica from any liability in the event of any claims, disputes, or requests for compensation.

In case of violation of IP Rights related to the Content by the User and/or the Organizer, Pica may: i) request the removal of the Content that violates third party rights; ii) suspend or terminate the User’s account; iii) take any legal action necessary to protect its rights.

With reference to the Selfie taken, the User, by means of the same, authorizes the use of his/her image to the extent necessary to take advantage of the facial recognition service and in accordance with the provisions of Pica’s Privacy Policy.

13. Data Protection

Pica acquires and processes User’s personal data (“Personal Data”) in order to provide the Products and/or Content and services in accordance with these T&Cs.

In case of Photo Buy fruition, Pica will process Personal Data as Data Controller, if applicable through direct contracting of photographers who will act as Data Processors upon express appointment pursuant to and in accordance with Art. 28 of the Regulation.

In the case of Photo Free fruition, Pica will process as Data Processor, subject to appointment pursuant to and for the purposes of Art. 28 of the Regulation by the Organizer by means of separate agreements or by the Pica SaaS User by means of the Deed of Appointment set out in Annex 1 to these T&Cs (which automatically applies to Pica SaaS Users), the following personal data:

(i) Photographs depicting Users uploaded to the Platform. This data will be provided to Pica by the Organizer or by the Pica Saas User, who warrants:

a) that Personal Data has been collected on an appropriate legal basis, including, where required under the Regulation, the consent of the data subjects and a release for the use of the image;
b) that Personal Data is kept only for the period necessary to pursue the purposes for which it was collected and that data subjects are always permitted to freely exercise their rights under the Regulation;

(ii) Users’ Personal Data (such as, in particular, name, surname, e-mail address and/or telephone number) used to send invitations to third parties.

Such data will be provided to Pica by the User of Pica SaaS who guarantees:
a) that data has not been purchased or otherwise collected through the Internet or public directories;
b) that data has been collected on an appropriate legal basis, including, where required under the Regulations, the consent of the data subjects;
c) that data’s accuracy has been verified;
d) that data is kept only for the period necessary to pursue the purposes for which they were collected.

In addition, Pica, as owner and operator of the Platform and in order to allow the Organizers to properly execute their respective relationships with the User, may share with such parties the personal data provided by the User during the creation of the Account and/or entered in the purchase process. In such cases, Pica will act as an external data controller appointed by the Organizers pursuant to the Regulations.

In any case, Pica makes available to the Organizers and Users of Pica Saas opt-out tools by means of which the data subjects will be able to revoke any consent given.

It is understood that, in such cases, the Organizer (and other third parties), as well as the Users of Pica SaaS will process the aforementioned personal data as autonomous data controllers on the basis of their own privacy policies.

By agreeing to these T&Cs, Users acknowledge that they have read and understood the privacy documentation provided by the Organizer and/or third parties from time to time as part of the purchase process.

Pica does not have access to the payment data related to the purchase of Products through the Platform. Instead, billing information relating to the same purchases is provided by Users on a case-by-case basis during the individual purchase and will not be retained by Pica.

For more information concerning the processing of the User’s Personal Data, please read the Platform’s Privacy Policy, available at the following address: https://policy.getpica.com/it/privacy-policy-pica/ .

14. Modification of these T&Cs

The User is invited, both at the time of registration to the Platform and thereafter, to read, download and keep these T&Cs in which the date of the last update and the version of these T&Cs are stated.

The download of the Pica APP is free of charge and navigation permitted both to Users who hold the quality of consumers and to Users who do not hold this quality.
The User declares that he/she is aware and agrees that: (i) the Pica APP is licensed and not sold; (ii) User’s use of the Pica APP is at User’s own responsibility and risk.

These T&Cs may be modified at any time. In particular, they may be amended, in addition to mere formal changes and to introduce more favorable conditions than those set forth herein, upon the occurrence of: (i) needs of a technical nature; (ii) any change in the reference legislation; (iii) any changes in the use of Services. Pica also reserves the right to modify the Services in order to offer new Products and/or Services, or again to ensure compliance with legal and regulatory provisions.

Any changes and/or new conditions will be in force from the moment of their publication on the Platform in the “T&C” section with indication of the version and date of update. Users are, therefore, invited to regularly consult the dedicated section. This is always without prejudice to the User’s right to withdraw from the existing contract (i.e. from these T&Cs), in the manner specified.

Should one or more provisions of these T&Cs be declared invalid or ineffective due to a legislative change or as a result of a ruling by a competent judicial authority, the other provisions of these T&Cs shall remain in full force and effect.

In the event of User’s breach of these T&Cs, User’s failure to exercise his or her right of action against Pica shall never be considered a waiver of the right to enforce a breach of User’s commitments.

Pica may assign, transfer or subcontract its rights and obligations under these T&Cs to third parties, in which case, Pica and will remain liable for the acts and omissions of the subcontractors.

Users may assign or transfer their rights or obligations under these T&Cs to third parties only upon written agreement with Pica.

The contract covered by these T&Cs is between Pica and Users only. Except as otherwise required or permitted by applicable law, no third party shall have the right to enforce any provision of these T&Cs.

The User specifically agrees to the following clauses:
● 11. Limitation of Liability;
● 16. Jurisdiction and Competent Court.

15. Contact and Complaints

The User may at any time request information or assistance, send communications, file complaints, by contacting Pica’s customer service department in the following ways:

● by e-mail, at support@getpica.com and by telephone, at +39 0544 188 9362, operating from Monday to Friday from 9:00 am to 6:00 pm;

● by mail, by writing to Pica Group SPA via XXII Ottobre 15/b - 48015 - Cervia (RA) Italy

Pica will respond to complaints made within 7 working days of their receipt.

16. Jurisdiction and Competent Court

These T&Cs are governed by Italian law and for any dispute related to their interpretation, execution or termination of effectiveness will be competent, pursuant to Legislative Decree no. 206/2005, the court of residence or domicile of the User, if a consumer and if he/she has his/her residence or domicile in Italy. This is without prejudice to the application to Consumer Users who do not have their habitual residence in Italy of any more favorable and mandatory provisions provided for by the law of the country in which they habitually reside.

In addition, if the User is a consumer residing in the European Union, it is possible to submit a complaint to the “Online Platform for Conflict Resolution” developed by the European Commission, in order to settle any dispute arising from the sale of the Products. The Online Conflict Resolution Platform can be accessed at https://ec.europa.eu/consumers/odr/ .

In any case, whatever the outcome of the out-of-court dispute resolution procedure, the User’s rights to go to ordinary courts are unaffected. For any further information, the User may contact the following address: support@getpica.com .

For disputes with Users other than consumers, the Court of Milan will have exclusive jurisdiction.

ANNEX 1

This Annex applies only in case of purchase of the Pica SaaS Service.

APPOINTMENT OF DATA PROCESSOR

Pursuant to Article 28 of EU Regulation 2016/679 of April 27, 2016 (hereinafter, the “Regulation”), the User of Pica SaaS, as defined in the T&Cs of which this Deed of Appointment forms an integral part, (hereinafter also referred to as the “Data Controller”),

considering that:

1) The User of Pica Saas and Pica Group S.p.A., with registered office in Via Dell’Aprica n. 12 - 20158 Milan, VAT No. 02529950392 (hereinafter, the “Provider” and, jointly with the User of Pica SaaS, the “Parties”) have entered into a contract having as its object the provision by the Provider of its Platform in ‘SaaS’ version, governed by the T&Cs of which this Deed of Appointment forms an integral and substantial part (hereinafter, the “Contract”);

2) The User of Pica SaaS acts as Data Controller with respect to the data processed in order to execute the Contract and indicated more precisely in Annex A (hereinafter, the “Personal Data”);

3) Pursuant to Article 28 of the Regulation, the Data Processor shall be designated by the Data Controller on an optional basis and, if designated, shall be identified from among individuals whose experience, capacity and reliability provide suitable guarantees of full compliance with the applicable processing provisions, including the security profile;

4) The tasks entrusted to the Data Processor must be analytically specified in writing and the Data Processor must comply with the instructions given by the Data Controller, who, also by means of periodic audits, supervises the punctual observance thereof;

5) The User of Pica SaaS has verified that the Provider, by virtue of its experience, capacity and reliability, is able to provide suitable guarantees of full compliance with the current provisions on the protection of personal data, including the profile relating to security, as required by the Applicable Regulations (as defined below);

6) It is the intention of the User of Pica SaaS, as Data Controller, to proceed with the appointment of the Provider as Data Processor, which it intends to accept.

All of the foregoing, the User of Pica SaaS

hereby appoints

the Provider as Data Processor for the processing of Personal Data to be carried out pursuant to the Contract, in the manner and within the limits specified below.

1. Definitions
In this data processing agreement (hereinafter referred to as “DPA”), the terms whose first letter is written in capital letters, with the exception of those defined in this DPA, have the same meaning as defined by the Applicable Law. The following terms have the following meanings:

“Security Measures”, are measures designed to protect personal data against accidental or unlawful destruction or loss, alteration, disclosure or unauthorized access, as provided for in Article 32 of the Regulation;

“Applicable Law” means the Regulation, the Italian Legislative Decree No. 196 of 30 June 2003, and subsequent amendments, as well as any other personal data protection legislation applicable to the processing activities carried out according to this DPA, already in force or that will enter into force after this DPA enters into force, including the provisions of the Italian Data Protection Authority (Garante per la protezione dei dati personali) and/or of any other Supervisory Authority issued in implementation of the Applicable Law;

“Sub-Providers”, natural or legal persons who carry out their business for the Provider by dealing with Personal Data belonging to the User of Pica Saas.

2. Obligations of the Parties
1. Obligations of the Provider
1.1 Processing Purposes

By signing this DPA, the Provider undertakes to:

i. process the Personal Data for the exclusive purpose of implementing the Contract, and within the limits established by it, while strictly adhering to the instructions given by the Data Controller;
ii. only process the Personal Data that is strictly required for a correct and full implementation of the Contract or to fulfil legal obligations;
iii. make sure that its employees and Sub-Providers have access and only process the Personal Data that is strictly required for a full and correct implementation of the Contract or to fulfil legal obligations;
iv. process Personal Data in a lawful manner, according to correctness and in full compliance with the Applicable Law;
v. inform the Data Controller, without undue delay, of a security breach of Personal Data.

1.2 Security Measures
The Provider undertakes to correctly implement the Security Measures and any other security measure prescribed by the Applicable Law, also taking into account the state of the art and cost of implementation.

The Provider, also based on the new solutions provided by technical and technological progress, taking into account the nature of the data and the characteristics of the processing, undertakes to implement Security Measures to minimize the potential risks of destruction or voluntary or accidental loss of Personal Data, unauthorized access or processing in violation of the law.

1.3 Representatives
The Provider agrees to:
i. instruct, according to Article 29 of the Regulation, the persons responsible for processing operations (hereinafter the “Representatives”), choosing them among its employees who, by their experience, skills and training, can ensure compliance with the Applicable Law;
ii. provide the Representatives with detailed operational instructions in writing regarding the methods for carrying out the processing operations entrusted to them, as well as to strictly supervise the exact fulfilment of the instructions received;
iii. implement Security Measures in order to ensure that each Representative can only have access to Personal Data that can be processed according to their authorization profile;

1.4 Data Subjects’ rights
The Provider must ensure the effective exercise of the rights recognized by the Applicable Law to the Data Subjects, by undertaking to notify in writing and without delay the Data Controller of any request to exercise such rights presented by one of the Data Subjects, and to enclose a copy of the request.

The Provider undertakes to cooperate with the Data Controller to ensure that the requests for exercising the rights mentioned above, are met within the times and according to the law and, more generally, to ensure full compliance with the Applicable Law.

1.5 Data communication and transfer outside of the European Economic Area (EEA)
The Provider will not be able to exercise autonomous control over Personal Data, and undertakes to refrain from disseminating or communicating this Personal Data to third parties, unless expressly provided for in the Contract or authorized by the Data Controller in writing, and in any case in compliance with the provisions of the privacy notice given to the Data Subjects and any consents they may have given to the Data Controller in relation to the different processing purposes.

In the event of transfer of Personal Data outside the European Economic Area (EEA), the Provider undertakes to ensure that such transfer takes place in compliance with the guarantees set forth in Chapter V of the Regulation.

1.6 Sub-Providers
By means of this DPA, the Data Controller hereby grants a general written authorization to the Provider, pursuant to Article 28, par. 2 of the Regulation, to use Sub-Providers whose services are functional to the performance of the Contract.

If the Provider intends to engage a Sub-Provider in whole or in part for the performance of the Contract, and this is permitted by the Contract, the Provider shall appoint the Sub-Provider by a data processing agreement substantially equivalent to this DPA.

Upon request by the Data Controller, the Provider agrees to provide the latter with a list of its Sub-Providers and to inform the Data Controller of any additions or substitutions.

In such cases, within 7 (seven) days of said communication concerning the list and/or any addition or replacement, the Data Controller shall have the right to object, with reasons and in writing, to the appointment of one or more of the subjects listed and/or to the additions or replacements.

In the event of the Data Controller’s objection, the Parties, if requested by the Provider, shall negotiate a substitution in good faith and, if the Parties do not agree regarding such replacement within 10 (ten) days, the Provider shall have the right to terminate the Contract with immediate effect.

2. Obligations of the Data Controller
2.1 Principles relating to processing of personal data
The Data Controller declares and guarantees that it has implemented, and constantly maintains, all adequate and necessary technical and organizational measures in order to guarantee the protection of Personal Data and to comply with the requirements and principles established by the Applicable Law (by way of example, but not exhaustive, the principle of “storage limitation” referred to in Article 5 of the Regulation), undertaking, if necessary, to provide timely instructions in writing to the Provider.

2.2 Collection method of personal data
The Data Controller represents and warrants that any method of collection of Personal Data processed under this DPA:

i. will take place following the provisions to the Data Subjects, if the conditions under Articles 13 and/or 14 of the Regulation apply, of a privacy policy that is clear, simple to understand but at the same time complete and compliant with the Regulation, that is easily understandable by the Data Subjects and identifies how the information obtained will be collected and used;
ii. offers Data Subjects the opportunity to remain excluded from such collection and processing of such information;
iii. provides, when necessary, for obtaining all the consents of the Data Subjects, to whom the Personal Data relates, as required by the Regulation.

2.3 Legal Basis
Given what is stated in the above paragraph, in particular, the Data Controller expressly guarantees that it will ensure that:

i. the Data Subjects give consent to the Data Controller, where applicable, to the Processing of their Personal Data through a free, specific, informed and unambiguous manifestation of will, for each purpose referred to in the Processing operations covered by this DPA;
ii. the Personal Data are collected and/or will be collected in each case pursuant to an appropriate legal basis, as well as in accordance with fairness and lawfulness and for purposes corresponding to those for which they are processed under this DPA.

3. Audit
The Provider acknowledges that, in compliance with Article 28 of the Regulation, the Data Controller may periodically assess the activities carried out, in order to verify compliance with the organizational, technical and safety measures prescribed by the Applicable Law or issued by the Data Controller.

The Data Controller will also have the right to access, directly or through third party auditors (appropriately bound by adequate confidentiality obligations) no more than once a year, except in cases of extraordinary necessity and urgency, offices, computers and other IT systems / documents of the Provider and/or of its Sub-Providers (where possible, in accordance with agreements with each Sub-Provider), where this is deemed necessary to verify that the Provider or its Sub-Provider acts in compliance with the obligations agreed in virtue of this DPA. In the event of access to the Provider’s or Sub-Provider’s premises by the Data Controller, it will be required to give the Provider written notice of at least 7 (seven) working days and the verification activity shall be carried out without hindering the activity of the Provider and the Provider’s other customers.

The Data Controller expressly recognizes and accepts that any costs of any verification referred to in this article will be at its sole expense.

Nothing contained in this DPA presupposes Provider’s consent to disclosure to the Data Controller, as well as Data Controller’s access to:

i. internal accounting or financial data of the Provider;
ii. Provider’s trade secrets;
iii. information which, on the basis of reasonable objections raised by the Provider, could: (A) compromise the security of the Provider’s systems or offices; or (B) entail the violation of the obligations of the Provider as per the Applicable Law or of its obligations regarding security and/or confidentiality towards the Data Controller or third parties; or
iv. information to which the Data Controller (or any external auditors appointed by the latter) seek to access for reasons beyond the duty of good faith in fulfilling the obligations of the Data Controller as set out in the Applicable Law.

4. Statements and guarantess of the Provider
The Provider states and ensures that it is aware of the obligations assumed under the Applicable Law as a result of the appointment as Data Processor, and to have the required experience, skills and professionalism to perform this function.

The Provider states that its Data Protection Officer (DPO) is Shibumi S.r.l., in the person of Lapo Curini Galletti, who can be contacted at the e-mail adress: dpo@getpica.com .

5. Fee
Without prejudice to what was established in the Contract, the Provider will carry out its function as Data Processor without payment, unless otherwise agreed with the Data Controller.

6. Duration
This DPA takes effect starting from the validity date of the Contract and will remain in force until the date on which the Contract is terminated, regardless of the cause for termination.

If the Contract is terminated for whatever reason, the Provider will return the Personal Data in its possession to the Data Controller and will delete any copies thereof. Upon the Data Controller’s request and at its full discretion, the Provider must alternatively delete the Personal Data in its possession, giving written confirmation to the Data Controller without delay, unless the retention of data is required by law.

7. Communications

The Parties agree that all communications relating to this DPA shall be made through the following communication channels:

• For the User of Pica Saas: by the e-mail adress communicated for registration to the Platform (as defined in the T&Cs of which this DPA forms an integral part);

• For the Provider: by the e-mail adress privacy@getpica.com .

ANNEX A

Description of the processing

Data Subjects
The Personal Data processed concern the following categories of Data Subjects:
- Individuals portrayed in photographs uploaded to the Platform by the Data Controller;
- Individuals receiving invitations sent by the Provider on behalf of the Data Controller.

Data Categories
- Images of the individual portrayed in the photographs uploaded to the Platform by the Data Controller;
- Personal data (such as name, surname, email address, and/or telephone number) of the individuals receiving invitations sent by the Probviderr on behalf of the Data Controller.

Special categories of personal data/data relating to criminal convictions and offences (if applicable)
No special categories of data and/or data relating to criminal convictions and offences are to be processed.

Nature of the processing
The processing consists of carrying out, on behalf of the Data Controller, the operations listed below:
- collection
- recording
- organisation
- structuring
- storage
- adaptation or alteration
- retrieval
- consultation
- use
- disclosure by transmission, dissemination or otherwise making available
- alignment or combination
- restriction
- erasure
- destruction