PRIVACY POLICY
1. Definitions and Data Controller
P.IVA 09547631219
Via Fontana, 5
84016 Pagani (SA)
Italy
+393514432128
info@lanamania.it
Personal Data: all information provided by the Data Subject (as listed in Article 2 below) as well as, if registered on the website [WEB SITE URL], navigation data (IP addresses, devices and programs used).
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Methods of exercising the right of withdrawal
The Data Controller sells consumer goods online and, therefore, acquires, stores and uses the Personal Data of Data Subjects in order to correctly fulfill the contractual obligations arising from its activity.
In any case, the Data Controller acquires, stores and uses only the following Personal Data:
- name and surname or company name;
- residence and/or shipping address for goods;
- e-mail address;
- telephone number;
- Tax Code and/or VAT Number.
In any case, if payment is made by credit/debit card, the relevant data is not communicated to the Data Controller but directly to the payment service provider.
Under no circumstances does the Data Controller request, store or process:
- sensitive and judicial data;
- credit card numbers or login credentials for payment systems used by the customer.
The aforementioned Personal Data of the Data Subject are processed by the Company for the following purposes based on the related legal bases:
- contractual purposes: performance of the contract to which the Data Subject is a party and use of the services offered by the Company;
- legal obligations and civil liability of the Company: fulfillment of obligations provided for by national and supranational legislation, especially of an accounting and fiscal nature, as well as prevention of any form of civil liability on the part of the Company for the activity carried out (by way of example but not limited to, Personal Data that can be used to contact the Data Subject are necessary if the Company decides to carry out a recall campaign for a product suspected of being defective);
- Controller's rights: to ascertain, exercise or defend the Company's rights in court or out-of-court if necessary;
- website operation: the Data Subject's Personal Data entered therein are necessary for its operation and for the use of the services offered by the Company through it.
3. Methods of data acquisition and storage
Personal Data are acquired:
- directly from the Data Subject, by filling in specific online forms or by telephone communication;
- not from the Data Subject, but through third parties (so-called "Marketplaces" such as, for example, Amazon, eBay, ManoMano, etc.) who, as intermediaries in the sale, transmit them to the Data Controller.
In the case of Personal Data not acquired from the Data Subject, but through third parties, the Controller will inform the Data Subject of this policy via e-mail or appropriate notice in the form attached to the goods shipped. The aforementioned information will be provided by the Controller no later than one month after obtaining the Personal Data or, if the latter are intended for communication with the Data Subject, no later than the time of the first communication with the same, or, if communication to another recipient is foreseen, no later than the first communication of the Personal Data.
The data thus acquired are stored electronically on servers made available to the Data Controller by IT service providers.
A complete and updated list of the appointed Data Processors can be obtained by contacting the Company via registered letter with return receipt at the addresses indicated in Art. 1, enclosing in this case a signed copy of an identity document.
4. Obligation to provide data
The provision of Personal Data by the Data Subject is mandatory and necessary for the fulfillment of contractual obligations and for compliance with mandatory legal provisions regarding fiscal, tax and accounting obligations.
In case of refusal of provision by the Data Subject, the Data Controller will not be able to accept any order or execute any contract.
The provision of personal data relating to the date of birth and the general title of the data subject is merely optional and occasional. Such data will be processed impersonally exclusively for internal statistical purposes.
5. Data retention period
The Data Subject's Personal Data will be kept for the entire duration of the contract and, after its termination, for the period referred to in art. 2220 of the Civil Code for the fulfillment of the related fiscal and tax obligations.
In case of judicial or extrajudicial litigation, the Personal Data will be kept for the entire duration of the same and until the expiry of the terms for exercising appeal actions.
Once the aforementioned terms have expired, the Data Subject's Personal Data will be deleted, compatibly with the technical procedures set up for this purpose.
6. Independent Controllers, Data Processors and Recipients of Personal Data
In addition to the Data Controller, the Data Subject's Personal Data may be processed by external subjects operating as independent Controllers such as, for example, companies offering goods transport and shipping services or pre- and post-sales assistance.
Furthermore, as in the case of the IT services referred to in Art. 3, Personal Data may be processed, on behalf of the Company, by authorized external subjects designated as Personal Data Processors, to whom adequate operating instructions are given. A complete and updated list of the appointed Personal Data Processors can be obtained by contacting the Company via registered letter with return receipt at the addresses indicated in Art. 1, enclosing in this case a signed copy of an identity document.
Finally, recipients of the Data Subject's Personal Data may be the Judicial or Administrative Authority to whom they must be communicated for the fulfillment of specific legal obligations.
7. Data Subject's Rights and complaint to the Supervisory Authority
The data subject has the right:
- to access their Personal Data;
- to obtain the rectification of such data or the restriction of their Processing;
- to object to the Processing;
- to obtain the erasure of their Personal Data;
- to withdraw consent at any time without affecting the lawfulness of Data Processing based on consent given before withdrawal;
- to receive, where processing is based on consent or on a contract and is carried out by automated means, their Personal Data in a structured, commonly used and machine-readable format and, if technically feasible, to transmit them to another controller without hindrance.
To exercise the aforementioned rights, the Data Subject can contact the Company via registered letter with return receipt at the addresses indicated in Art. 1, enclosing in this case a signed copy of an identity document.
The Data Subject also has the right to lodge a complaint with the competent Supervisory Authority in the Member State where they habitually reside or work or the State in which the alleged violation occurred.
If the Data Subject has registered on the website [WEB SITE URL], by accessing their account, they can view and/or rectify their Personal Data.
In order to prevent fraud and/or allow the Judicial or Administrative Authority to prosecute it, the Controller keeps a history of the modifications made and the origin of the connection (IP address).
8. Changes to the Privacy Policy
This Privacy Policy may be modified, also as a result of legislative or regulatory changes, technological developments and the provision of new services or modification of existing ones. Users/visitors/customers are therefore invited to periodically consult the Data Controller's Privacy Policy.
9. Security of Personal Data
The Controller has adopted specific security measures to prevent the loss of the Data Subject's Personal Data, unlawful or incorrect use and unauthorized access. However, it is necessary for the Data Subject to use devices equipped with suitable tools for this purpose (such as, for example, updated antivirus software and an internet connection that guarantees data transmission through firewalls, anti-spam filters, etc.).
Use of data for marketing purposes
If the Data Subject has given their specific consent, their Personal Data may be used for marketing activities such as sending communications, newsletters, etc., both by the Controller and by subjects specifically designated for this purpose.
In this case, Personal Data will be stored and used for this purpose until the Data Subject withdraws consent.
Newsletter via email, SMS, WhatsApp, and other messaging systems
of our Newsletter which may also contain special offers and commercial proposals of various kinds.
It is possible to unsubscribe from the Newsletter at any time, either by sending a message to the contacts indicated in the main body of the Privacy Policy or through a specific link present in each Newsletter. After unsubscription, we will delete the corresponding email address or other contact used, in the absence of explicit consent to further use of the same data, and subject to our reservation of a subsequent use of the data of which the data subject has been correctly informed in this statement in compliance with legal provisions.
Sending notifications on abandoned carts via email, SMS, WhatsApp, and other messaging systems
The data subject's data strictly necessary and instrumental for this purpose will be used to send notifications regarding the possible presence of a cart created by the user that was not followed by the finalization of the order, including links and/or instructions for retrieving the cart and finalizing the order, with any simultaneous proposal of special commercial conditions.