Privacy Policy

Privacy Notice (EU 2016/679 – GDPR)

Last updated: [●]

This notice describes how personal data of users who visit and/or purchase on the website [● Domain] (hereinafter, the “Site”) is processed, pursuant to Regulation (EU) 2016/679 (“GDPR”) and applicable national legislation.

1. Data Controller

The data controller is: [● Company Name], with registered office at [● Address], VAT/Tax Code [●], e-mail: [●] (hereinafter, the “Controller”).

2. Types of data processed

  • Browsing data: IP addresses, device identifiers, technical logs, data relating to visited pages and interactions, collected through IT systems and cookies/similar technologies.
  • Data provided by the user: first name, last name, e-mail, shipping/billing address, contacts, data relating to orders and support requests.
  • Payment data: the Controller does not store full card details. Payments are handled by third-party providers (e.g. PSPs) according to their own policies.

3. Purposes and legal bases

The Controller processes data for the following purposes:

  • Performance of the contract (art. 6(1)(b) GDPR): order management, payments, shipping, returns, customer support, account management.
  • Legal obligations (art. 6(1)(c) GDPR): accounting and tax compliance, invoicing management, obligations toward authorities.
  • Legitimate interest (art. 6(1)(f) GDPR): Site security, fraud prevention, protection of the Controller’s rights, dispute management, service improvement and aggregated analysis.
  • Consent (art. 6(1)(a) GDPR): marketing (newsletter/promotions) and non-technical cookies, where required.

4. Processing methods and security measures

Data is processed using IT tools and, where necessary, paper records. The Controller adopts appropriate technical and organizational measures to ensure confidentiality, integrity and availability of data, including access controls, tracking and protections against unauthorized access.

5. Recipients and processors

Data may be disclosed to third parties acting as data processors or independent controllers, where strictly necessary to provide the services, including:

  • hosting, maintenance and IT service providers;
  • payment and anti-fraud providers;
  • couriers and logistics operators;
  • consultants (legal, accounting) and competent authorities, in cases provided by law.

The updated list of processors may be requested from the Controller using the contact details indicated.

6. Transfers outside the EEA

If some providers process data outside the European Economic Area, the Controller ensures the adoption of appropriate safeguards (e.g. adequacy decisions, Standard Contractual Clauses, supplementary measures), in compliance with arts. 44 et seq. GDPR.

7. Retention

Data is retained for the time necessary for the purposes indicated and, in any case:

  • purchase and invoicing data: for the periods required by accounting/tax legislation;
  • account data: until a deletion request is made, subject to obligations or legitimate interests;
  • support data: for the time necessary to manage the case and protect the Controller;
  • marketing data: until withdrawal of consent or objection.

8. Data subject rights

The user may exercise the rights under arts. 15-22 GDPR (access, rectification, erasure, restriction, portability, objection, not being subject to automated decisions) by contacting the Controller. It is also possible to lodge a complaint with the Data Protection Authority.

9. Cookies and similar technologies

For detailed information on cookies used and how to manage preferences, please refer to the Cookie Policy.

10. Updates

The Controller may update this notice. The version published on the Site is the current one.