Privacy policy
This privacy notice is provided pursuant to Regulation (EU) 2016/679 (hereinafter “GDPR”) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, to all those who interact with the web services of this e-commerce website (hereinafter also the “Website”).
1. Data Controller
The Data Controller is:
GI.RO.RA' DI DI STEFANO GIOVANNI S.A.S.
Registered office: Via Novalucello, 47 – 95126
VAT No.: 03508430877
(hereinafter also the “Controller”)
The Controller’s contact details are listed on the Website’s Contact page.
2. Types of Data Collected
The Website may process the following categories of data:
- Personal and contact information (e.g., name, surname, address, email, telephone);
- Data required for order fulfillment (shipping address, billing details, purchased products);
- Payment data (e.g., partial information on the payment card or method, via third-party payment providers);
- Browsing data (IP address, browser type, operating system, pages visited, time spent, traffic source);
- Data voluntarily provided by the user through contact forms, registration forms, newsletters, or personal account area;
- Cookies and similar technologies as described in the dedicated Cookie Policy.
3. Purpose and Legal Basis of Processing
Personal data is processed for the following purposes and corresponding legal bases:
3.1 Performance of a contract and pre-contractual measures
- Management of orders and purchase activities on the Website;
- Payment, invoicing, shipping, and delivery management;
- Customer support and handling of assistance requests.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract to which the data subject is party or pre-contractual measures requested by the data subject.
3.2 Compliance with legal obligations
- Fulfillment of obligations required by laws, regulations, or EU provisions (e.g., tax and accounting obligations).
Legal basis: Art. 6(1)(c) GDPR — compliance with a legal obligation.
3.3 Direct marketing (newsletters and promotional communications)
- Sending of newsletters, promotions, offers, and marketing communications related to the Controller’s products and/or services;
- Possible participation in surveys, market research, or promotional initiatives.
Legal basis:
- Art. 6(1)(a) GDPR — consent of the data subject when required (e.g., voluntary newsletter subscription);
- Art. 6(1)(f) GDPR — legitimate interest of the Controller when sending communications regarding products/services similar to those already purchased, where permitted.
The data subject may withdraw consent or object to marketing at any time, as described in section 9.
3.4 Website navigation and functionality
- Technical management of the Website and improvement of its functionality;
- Statistical analysis of Website usage (in aggregate form where possible);
- Prevention and detection of fraudulent activities or misuse of the Website.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Controller in the proper functioning and security of the Website.
4. Provision of Data
Providing personal data for the purposes indicated in sections 3.1 and 3.2 is mandatory to register on the Website, fulfill orders, and comply with legal obligations. Failure to provide such data makes it impossible to conclude or perform the sales contract.
Providing data for marketing purposes (section 3.3) is optional. Failure to provide such data will not affect the ability to purchase products but will prevent the user from receiving newsletters or promotional communications.
5. Methods of Processing
Data processing is carried out using manual, electronic, and telematic tools, with logic strictly related to the purposes described and always ensuring the security and confidentiality of the data, in accordance with Art. 32 GDPR.
6. Data Recipients
Personal data may be disclosed to:
- IT and hosting service providers managing the Website infrastructure;
- Couriers and shipping companies delivering the products;
- Payment service providers (e.g., banks, payment gateways);
- Consultants and professionals (e.g., tax, legal, accounting consultants) within the limits necessary for their tasks;
- Companies providing newsletter, email marketing, or CRM services, where used;
- Competent authorities where required by legal obligations or legitimate requests.
Such parties will process data as independent Controllers or, if appointed, as Data Processors pursuant to Art. 28 GDPR.
7. Data Transfer Outside the EU
If personal data is transferred to countries outside the European Union or the European Economic Area, the Controller ensures that such transfers comply with Articles 44 et seq. GDPR, for example through adequacy decisions by the European Commission or the adoption of Standard Contractual Clauses.
8. Data Retention Period
Personal data is retained only for the time necessary to achieve the purposes for which it was collected, subject to additional retention required by law or for the protection of the Controller’s rights.
- Order and billing data: retained for the period required by tax and accounting laws;
- Marketing data: retained until consent is withdrawn or objection is exercised;
- Browsing data: retained for periods compatible with security and Website functionality purposes.
9. Data Subject Rights
Users may exercise their rights under Articles 15–22 GDPR at any time, including:
- right of access to personal data;
- right to rectification of inaccurate or incomplete data;
- right to erasure (“right to be forgotten”), where permitted;
- right to restriction of processing;
- right to data portability;
- right to object to processing, especially for direct marketing purposes;
- right to withdraw consent at any time, without affecting the lawfulness of prior processing;
- right to lodge a complaint with the Data Protection Authority or other competent supervisory authority.
To exercise these rights, users may contact the Controller using the information provided on the Website’s Contact page, specifying their request and attaching an identity document, if necessary.
10. Cookies
The Website uses technical cookies and, with the user’s consent, profiling and/or third-party cookies to enhance browsing experience and analyze traffic. For detailed information on the cookies used and how to manage preferences, please refer to the specific Cookie Policy available on the Website.
11. Minors
The services offered on the Website are not intended for users under 18 years of age. If the Controller becomes aware that personal data of minors has been collected without proper consent, such data will be deleted.
12. Security Measures
The Controller implements appropriate technical and organizational measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction, in accordance with Art. 32 GDPR.
13. Changes to the Privacy Policy
This Privacy Policy may be updated or modified. Any substantial changes will be communicated through the Website and will take effect from the date of publication. Users are encouraged to periodically review this page.
Last updated: 11/13/2025
