This purpose of this document is to establish the General Conditions of Use of the Joyco mobile application, owned by COGES MOBILE SOLUTIONS S.R.L., IT02666240359, with registered office at Via Luigi Dalla Via, no. 10, 36015, Schio (VI), Italy, which holds all exploitation rights, and therefore has the legal capacity required to grant the use of this APPLICATION license to users.
The download and use of the application confer the condition of user of the same (henceforth the USER) and infer the reading, understanding and acceptance of all the terms and conditions included in these Conditions of Use.
The company COGES MOBILE SOLUTIONS S.R.L. is at liberty, at any time and without prior notice, to make changes and updates to these Conditions of Use and the Privacy Policy. These changes will be published on the website and on the Application, and shall enter into force from the time of their publication.
Consequently, the USER undertakes to periodically check if any changes have been made to these Conditions of Use and, in the presence or otherwise of explicit consent, the use of the service by the USER after such publication shall imply due acceptance and subscription.
If the USER does not agree with the Conditions of Use and the Privacy Policy, the same shall refrain from using the service.
Access and download of the application are free of charge, except for the cost of the connection to the telecommunications network provided by the telephone company chosen by the users. Certain services are exclusive to our customers and access to such services is limited.
The User acknowledges to voluntarily enter his or her personal data. The data to be collected shall be the following:


  • Mandatory: First name, surname and email address.
  • Optional: Telephone, address, gender and date of birth.


If access is made by children under sixteen, they must have previously obtained due authorisation from their parents, guardians or legal representatives, who shall be responsible for all actions carried out via this mobile application by the minors under their charge, as provided by art. 8 of Regulation (EU) 2016/679 concerning the protection of personal data.

The user undertakes, acknowledges and accepts the use of the contents and services provided by the Joyco application, using it at his or her exclusive risk and under his or her own responsibility, in a diligent, correct and lawful manner and, finally, undertakes NOT to engage in any of the conduct described below:


  • Not to carry out illegal activities that constitute a crime, that infringe the rights of third parties or that violate the legislation on intellectual and industrial property or any other legal regulation.
  • Not to transmit, introduce, distribute or make available to third parties any kind of material or information.
  • Not to introduce or disseminate contents or propaganda of a racist, xenophobic, pornographic, or terrorism support nature or violate human rights.
  • Not to introduce or distribute computer programs (viruses or harmful software) on the network that could damage the access provider’s computer systems.
  • Not to send unsolicited or unauthorised adverts, advertising material, “spam”, “chain email”, “pyramid structures”, or any other type of request, except in the areas (such as advertising spaces) that have been designed exclusively for this purpose.
  • Not to introduce or disseminate any kind of false, ambiguous or inaccurate information and content that misleads the recipients of such information.
  • Not to disseminate, send or make available to third parties any type of information, element or content that envisages a breach of the confidentiality of such communications and the legislation on personal data.
  • Not to impersonate other users by using their access credentials on the various application services.


COGES MOBILE SOLUTIONS S.R.L. will ensure the availability, continuity or smooth operation of the application. It is entitled to block, interrupt or restrict access if deemed necessary to improve the application.
We recommend that the user installs anti-virus protection programs to manage malware, spyware and similar tools.
COGES MOBILE SOLUTIONS S.R.L. shall not be responsible in the event of:


  • Force majeure events or exceptional circumstances.
  • Loss, misplacement or theft of your mobile device leading to third party access to the application.
  • Access errors on the part of the customer.
  • Damage, termination of credit, emerging damage or moral damage.


COGES MOBILE SOLUTIONS S.R.L., in accordance with the requirements of Regulation (EU) 2016/679 of 27 April regarding the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, informs all users of the following information.

Data Controller: COGES MOBILE SOLUTIONS S.R.L., with registered office in Via Luigi Dalla Via no. 10, 36015, Schio (VI), Italy, with Tax Code: IT02666240359

Security Officer contact details: The user can contact the security officer at the email address

Purpose and legal basis of the processing: The provision of services offered by the application, including the sending of commercial communications, both require the explicit consent of the data subject.

Communication to third-parties: COGES MOBILE SOLUTIONS S.R.L. shall only transfer the user’s data to the OPERATOR and to the company AZKOYEN SA, with which it has entered into a data processing contract, in compliance with and pursuant to the provisions of article 28 of Regulation (EU) 2016/679.

Date retention: We shall retain the user’s data for the time necessary to provide the service subject of this application. If the user does not connect with any operator in a 12 month period, the user’s data shall be erased from the COGES MOBILE SOLUTIONS S.R.L. database, as well as from the database c/o AZKOYEN S.A.

Security measures in place: The processing of the provided personal data shall be carried out by adopting the appropriate technical and organisational measures to prevent the loss, improper use, alteration and unauthorised access to the same, taking into account the state-of-the-art of the technology, the nature of the data and the risk analysis carried out.

The exercise of Data Subject Rights: If the user wishes to revoke the granted consent, or exercise the rights to access personal data and request rectification, suspension, objection, restriction, portability and the right not to be subject to automated decision-making, he or she may apply in writing to the postal address Via Luigi Dalla Via no. 10, 36015, Schio (VI), Italy, or by email to the following address:
This request must include the name and surname of the data subject; a copy of an identity document, passport or other valid identification document of the data subject and, where applicable, a representative, in addition to a document proving such status as representative; domicile address for notifications and specification of the subject of the request.

Mandatory nature of the requested data: The mandatory data shall be specified as such at the time of collection, as they are necessary for the provision of the service. Refusal to provide such information will prevent communication with the user and, where applicable, will make it impossible to provide the service subject of the application.

Commitments of the user: The user undertakes to notify COGES MOBILE SOLUTIONS S.R.L. of any changes to the information provided. Such communication can be sent to the email address
Likewise, the user undertakes to keep his or her access credentials and identification codes secret, and shall inform COGES MOBILE SOLUTIONS S.R.L. as quickly as possible in the event of loss, theft or unauthorised access.
Until such communication has been received, COGES MOBILE SOLUTIONS S.R.L. shall be exempt from any liability that could arise from the improper use of such identification data by unauthorised third parties.

International data transfer: COGES MOBILE SOLUTIONS S.R.L. will provide its services via this application both in EU and non-EU countries, complying with, in any case, the applicable legislation on the protection of national data and Regulation (EU) 2016/679, concerning the processing of personal data, without the international transfer of data. Therefore, COGES MOBILE SOLUTIONS S.R.L. hereby informs you that it does not engage in any international data transfer.

The user shall connect his or her account with the operator so as to use the service. By topping up the credit on his or her personal application account, the user shall have at his disposal an amount of money associated with that operator, which can be used to purchase products from the vending machines.
If the user wants to connect with a different operator, it is necessary to delete the original user account, create a new user account, and simply connect again with the new operator. As a result, the user shall lose the amount of money eventually associated with the previous operator.

COGES MOBILE SOLUTIONS S.R.L. holds the title to the intellectual and industrial property rights of this application. All contents displayed by the application and, in particular, the drawings, texts, graphics, logos, icons, buttons, software, trade names, brands, industrial designs, or any other sign used for industrial or commercial purposes, are subject to the intellectual or industrial property rights of COGES MOBILE SOLUTIONS S.R.L. or, where applicable, third party owners of the same, duly authorised to display them on the website.
This shall not in any case infer the granting of any license or the waiver or transfer – neither total nor partial – of intellectual and industrial property rights.



For the purposes of this Annex, the CLIENT shall be considered as Data Processor, and COGES MOBILE SOLUTIONS S.R.L. shall be considered as Data Controller.

The parties hereby



  • That the DATA CONTROLLER is a commercial business that manages, produces and / or sells vending machines that include payment devices manufactured by COGES MOBILE SOLUTIONS S.R.L.
  • That the DATA PROCESSOR is a commercial business that markets a payment device for vending machines developed by COGES MOBILE SOLUTIONS S.R.L.
  • That, in order to provide these services, the DATA PROCESSOR is required to perform a series of data processing operations on the DATA CONTROLLER’s data.
  • That this Agreement shall comply with Regulation (EU) 2016/679 (GDPR) of the European Parliament and the Council of 27 April 2016 on the general protection regulation pursuant to the processing of personal data, as well as on the free movement of such data, in application of art. 3 of the aforementioned Regulation, as the Data Processor provides its services from a member country of the European Union.
  • Therefore, and pursuant to Article 28 of Regulation 2016/679 (henceforth GDPR), both parties, in a free and voluntary manner, agree to regulate such access and processing of personal data, in accordance with the following





  • 1.1.- The subject and purpose of this Agreement is to regulate the processing conditions indicated in the preamble of this Agreement by the DATA PROCESSOR, as well as the rights and obligations of the Parties regarding the aforementioned processing.
  • 1.2.- Processing information:


  • Subject of the processing: Execution of the service provider agreement.
  • Duration of the processing: Duration of the Agreement.
  • Scope and purpose of the processing: Management and maintenance of customers of the COGES MOBILE SOLUTIONS S.R.L. application
  • Data type: Name, surname, email address, telephone number, address, gender, date of birth, consumed products, amounts and balance of the customers’ virtual account.
  • Category of data subjects: Clients.


  • 2.1.- THE DATA PROCESSOR shall only and exclusively process the personal data provided by the DATA CONTROLLER according to the documented instructions provided with the same, and within the scope and execution of the Main Contract and this Agreement. The instructions provided by the DATA CONTROLLER shall also be observed in the case of international transfers of data that may arise pursuant to the provision of the service. If the DATA PROCESSOR is legally obliged to transfer data to a third country or to an international organization, it shall inform the DATA CONTROLLER before executing the processing, unless the law prohibits such information for reasons of public interest.
  • 2.2.- By way of derogation from the previous paragraph, if the DATA PROCESSOR considers that any of the instructions provided are in breach of the GDPR regulation or any other provision regarding data protection, the DATA PROCESSOR shall immediately report the occurrence to the DATA CONTROLLER and, in any case, the DATA PROCESSOR shall comply with the provisions of the aforementioned legislation.
  • 2.3.- If the DATA PROCESSOR determines the purposes and means of the processing, it shall be recognised as the DATA CONTROLLER, and subject to the legal responsibilities provided for in the data protection legislation.
  • 2.4.- The DATA PROCESSOR shall help the DATA CONTROLLER to guarantee due fulfilment of the obligations set out in articles 32 to 36 of the GDPR regulation, taking into account the nature of the processing and the information available to the DATA PROCESSOR.


  • 3.1.- The DATA PROCESSOR agrees and undertakes to ensure that all persons who have access to the DATA CONTROLLER’s data sign an agreement with the DATA PROCESSOR pursuant to which they undertake to comply with all confidentiality requirements. As an alternative to the foregoing, if any of these persons are subject to a statutory confidentiality obligation, it shall not be necessary to require them to enter into a further confidentiality agreement.
  • 3.2.- The DATA PROCESSOR shall take appropriate measures to ensure that any person acting under his authority and with access to personal data, can only process such data according to the instructions provided by the DATA CONTROLLER.


  • 4.1.- In order to comply with the provisions of article 32 of the GDPR regulation, the DATA PROCESSOR shall put in place the appropriate technical and organizational measures to guarantee a level of safety appropriate to the risk in question, taking into account the state of the art and the implementation costs, as well as the nature, object, context and purpose of the processing, in addition to the risk of varying probability and severity for the rights and freedom of natural persons.
  • 4.2.- In assessing the appropriate level of security, the DATA PROCESSOR shall give special attention to the risks arising from the processing of the personal data, and in particular those regarding accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  • 4.3.- Security measures to be put in place by the DATA PROCESSOR:
    The DATA PROCESSOR guarantees that the appropriate technical and organizational measures shall be put in place so that the processing meets the legal requirements, ensuring, more specifically, a level of security appropriate to the risk, taking into account the state of the art and the implementation costs, as well as the nature, object, context and purpose of the processing, in addition to the risk of varying probability and severity for the rights and freedom of natural persons. To this purpose, the DATA PROCESSOR in charge of the processing guarantees the application of data protection security measures according to the standards required by ISO/IEC 27001/2013, the Information Security Management System, the area involved in the provision of services of the main contract, ensuring that all due technical and organizational measures are put in place to ensure the security of information and personal data and to prevent the alteration, loss, processing or unauthorised access, considering the state of the art, the nature of the stored data and the risks to which they are exposed, regardless of whether their origin is from human actions or from the physical or natural environment.


  • 5.1.- In the event that the impact assessment referred to in Article 35 of the GDPR needs to be performed in order to carry out the processing operations envisaged by this Agreement, the DATA CONTROLLER undertakes to perform the same and make it available to the DATA PROCESSOR before processing commences. The DATA CONTROLLER must constantly update this impact assessment throughout the duration of the Agreement.
  • 5.2.- Within the scope of the Agreement framework established between the Parties, the DATA PROCESSOR shall help the DATA CONTROLLER to conduct and maintain the impact assessments and the prior consultation as indicated in the previous paragraph, taking into account the nature of the processing and the information available to the DATA PROCESSOR, the same within the context of the rights and obligations established by the Parties, providing reasonable assistance in compliance with the obligations imposed by such regulations.


  • 6.1.- The DATA PROCESSOR shall notify the DATA CONTROLLER, without undue delay, regarding any security breaches of personal data under its responsibility and of which he may become aware of, together with all the relevant information for the documentation and reporting of the breach in question.
    This notification shall not be necessary if the security breach is unlikely to pose a risk to the rights and freedom of natural persons.
  • 6.2.- The DATA PROCESSOR shall report at least the following information:
    1. description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • 6.3. – Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  • 6.4.- Once the security incident has occurred, the DATA PROCESSOR shall carry out the necessary actions to investigate, mitigate and resolve the incident, and promptly inform the DATA CONTROLLER of the progress and result of such actions.


  • 7.1.- The DATA PROCESSOR shall maintain records of processing activities, as foreseen by Article 30 of the GDPR, unless the exception foreseen in paragraph 5 of the GDPR is applicable.
  • 7.2 – The records shall in any case contain the following:
    1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
    2. the categories of processing carried out on behalf of the DATA CONTROLLER;
    3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where required by law, the suitable guarantees referred to in the regulation;
    4. a general description of the technical and organisational security measures referred to in Article 30 of the GDPR regulation.


  • 8.1.- If, in accordance with art. 37 of the GDPR regulation, the DATA PROCESSOR is required to designate a data protection officer, be it at the beginning of the data processing or later on in the activity, the DATA PROCESSOR agrees and undertakes to effect such designation according to the legal requirements of the GDPR regulation, and to communicate the personal data of the DPO to the DATA CONTROLLER as soon as possible.
  • 8.2. – Once the DPO has been designated, the DATA PROCESSOR shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data, providing the same with all the resources required to fulfil the designated tasks and duties. The DATA PROCESSOR shall not impart any instruction regarding the fulfilment of his duties, since he can not be removed or penalized for performing his tasks.


  • 9.1.- The DATA CONTROLLER guarantees to the DATA PROCESSOR that all personal data that the DATA PROCESSOR is assigned to process have been or shall be obtained legally from the data subjects. To this purpose, the DATA CONTROLLER shall ensure full compliance with the requirements for lawfulness of processing provided for by the GDPR regulation and, in particular, provide the right of information to the data subjects at the time of data collection or at a later date if they are not been obtained by the data subjects themselves.


  • 10.1.- The DATA PROCESSOR shall provide assistance to the DATA CONTROLLER, taking into account the nature of the processing, putting in place appropriate technical and organizational measures, if possible, so that the same can fulfil its obligation to respond to requests concerning the exercise of rights of Data Subjects provided for in Chapter III of the GDPR regulation.
  • 10.2.- For the purposes of the previous paragraph, the Parties hereby agree that, whenever the persons involved exercise the rights of access, rectification, erasure, objection, restriction of processing, data portability and objection to automated decisions, the DATA PROCESSOR shall report the same by email to the address, being that indicated by the DATA CONTROLLER. Such communication shall be effected immediately, and in no case later than the business day following the day the request was received together, where applicable, with other information that may be relevant to fulfil the request.


  • 11.1.- The DATA PROCESSOR shall return all personal data once the processing services have been completed, and shall delete any copies that may have been produced.
  • 11.2.- By way of derogation from the previous paragraph, the DATA PROCESSOR may keep the data appropriately blocked for as long as any form of responsibility for the services provided should remain applicable.


  • 12.1.- The DATA PROCESSOR expressly declares to be in possession of all sufficient guarantees to apply appropriate technical and organizational measures, in such a manner that the processing regulated by this Agreement complies with the requirements of the data protection legislation and, in particular of the GDPR regulation, and ensure the protection of the rights of all Data Subjects.


  • 13.1 – The DATA PROCESSOR shall make available to the DATA CONTROLLER all information necessary to demonstrate compliance with the obligations laid down in this Agreement.
  • 13.2.- The DATA PROCESSOR agrees and undertakes to allow and contribute to the performance of verifications, including inspections, by the DATA CONTROLLER or another auditor authorised by the aforementioned DATA CONTROLLER.


  • 14.1.- The DATA PROCESSOR can not designate another data processor to carry out the processing regulated by this Agreement, without the prior written authorisation, specific or general, of the DATA CONTROLLER. The auxiliary services required by the DATA PROCESSOR to provide its normal operational activities are exempt from this prohibition.
  • 14.2.- In order to fulfil certain processing activities on behalf of the DATA CONTROLLER, the DATA PROCESSOR is expressly authorised to designate other processors as indicated in paragraph 14.4.
  • 14.3. The DATA CONTROLLER may, by means of prior written authorisation, authorise the DATA PROCESSOR to replace or extend the number of deputy processors.
    The DATA PROCESSOR shall sign a contract with each deputy data processor that imposes the same data protection obligations as those stipulated in this Agreement and, in particular, sufficient guarantees as to the putting in place of appropriate technical and organizational measures, to ensure that the processing fully complies with the provisions of the GDPR regulation. If the deputy data processor should fail to fulfil its data protection obligations, the DATA PROCESSOR shall be fully liable towards the DATA CONTROLLER regarding the fulfilment of the duties designated to the deputy processor.
  • 14.4.- The DATA CONTROLLER authorises the DATA PROCESSOR to subcontract the data retention service to the company AZKOYEN, SA, with registered office in Avda. San Silvestre S/N, Peralta, Navarra, Spain (31350).


  • 15.1.- The parties expressly grant full jurisdiction and competence to the Courts and Tribunals indicated in the Main Contract, concerning the resolution of any disputes that may arise in relation to the interpretation or execution of this Agreement, hence expressly waiving any other competent jurisdiction.
    This Agreement is signed in duplicate copies by both parties to mark their approval of the same, in the location and on the date indicated in the Main Contract.


Do you need more info?