This policy (hereinafter "Policy") is provided pursuant to EU Regulation 679/2016 and subsequent national adjustment legislation (hereinafter collectively "GDPR"), and describes how the company identified in the following paragraph collects and processes users' or customers' Personal Data (the term "Personal Data" means all the categories of data listed in point 3 below, considered jointly). This Policy applies to all activities for collecting and subsequently processing Personal Data – both online and offline – through various channels, such as the websites owned or operated by Extraevo di Baiocchi Francesco, in particular shop.extraevo.com and extraevo.com ("Websites" or "Website"), apps, social networks and, more generally, all the activities described in this Policy.
Extraevo di Baiocchi Francesco (hereinafter "Extraevo") is the data controller of Personal Data (hereinafter the "Data Controller"). Extraevo pays the utmost attention to the security and confidentiality of the Personal Data processed while performing its activities, which include, among others, the following:
- operating e-commerce activities carried out through the Websites (managing purchases of products and services from the virtual store and related activities)
- operating the Websites (e.g. managing and developing the Websites and services for users, including the management and functioning of cookies)
- offering specific services related to them
WHAT PERSONAL DATA MAY BE COLLECTED
As part of its activities described above, the Data Controller will be able to collect the following categories of Personal Data:
- Contact data – first name, surname, address, phone number, email address and any other data you voluntarily provide within the Websites to proceed with online orders and to register.
- Demographic data and data concerning interests - data that describes your demographic characteristics or habits, for example date of birth, age or age group, gender, geographical origin (postcode), favourite products, hobbies and interests, and information about your family or lifestyle.
- Payment data – information relating to the purchase you made and the related payment (e.g. credit/debit card number, IBAN). This data will be processed to the extent necessary for periodic payments, and if you have not objected to the processing by changing your settings in the "My Account" section on the Websites, saved in the "Payment Methods" section for subsequent purchases.
- Use of the website – information on how you use the Websites, open or forward communications from the Data Controller, including information collected via cookies;
- Data provided by third parties (e.g. postal service company, couriers, data entry company) – all Personal Data that the Data Controller receive from other sources to perform their services.
- Social Log-In – information relating to your Social account as well as other data you have provided to the Social Network used to log in to the Website, which can be communicated based on the privacy preferences you have set on that Social Network.
HOW WE COLLECT YOUR PERSONAL DATA
The Data Controller can collect and process your Personal Data, in the following ways:
- if you register on the Websites or through apps, social networks or other websites owned by or available to the Data Controller
- if you subscribe to the newsletter for the virtual store or individual stores
- if you buy from shop.extraevo.com
WHAT PURPOSES YOUR PERSONAL DATA MAY BE USED FOR
The Data Controller may process your Personal Data for one or more of the purposes set out below and on the basis of the legal prerequisite indicated from time to time. All the purposes indicated below concern both Data Controller except when one of the two company is specifically indicated.
A) Fulfilling purchase orders formulated through the Websites and activities related to managing the orders(e.g. providing e-commerce services, customer sales and after-sales assistance, communicating with the customer about the order status, receiving their requests for information on the products purchased, payment management, reports, home delivery and/or in-person collection at the agreed sales point, etc.); and to ensure correct fulfilment of the obligations established by law, including the legislation on prize events if you take part in them. Your Contact Data and Payment Data can be processed by the Data Controller to process the purchase order you have formulated by filling in the appropriate form on the Websites. Your Contact Data and Payment Data can be processed by the Data Controller to process the purchase order you have formulated by filling in the appropriate form on the Websites.
B) Registration on the Website, including through the Social Log-In system, to simplify the registration process using the information already made available to your Social Network
The Data Controller may process the Contact Data to allow you to complete the registration procedure on the Websites and access your Personal Area in order to: (i) download documents relating to the services you have purchased from your Personal Area; (ii) process other requests made through the Websites. Registration on the Websites may also take place, where you voluntarily decide to use it, including by means of the Social Log-In mechanism.
C) Account management in the case of registration on the Websites to use the related services
Use of the Websites does not require the creation of a personal account; however, to access some pages reserved for registered users, you must create one and thereby become a registered user. The Personal Data you provide may be processed by the Data Controller to manage your personal account on the Websites.
D) Marketing activities
With your express consent, your contact data may be processed by Extraevo for marketing and advertising communication purposes, and also personalized after analysis of your choices, habits and purchasing preferences, by using email, text messages and other mass messaging tools, etc. or traditional contact methods (e.g. ordinary mail, phone call with operator), or for market research and statistical surveys.
Prerequisite for processing: the data subject's consent.
The absence of consent to marketing activities does not have consequences for contractual relationships. The consent can be revoked at any time via the contact details indicated below in the section "Contacts". Users can also modify or supplement their preferences at any time through extraevo.com and shop.extraevo.com, expressing their consent to be contacted about offers regarding specific stores or products of interest.
E) Statistical analysis, service improvements and protection of legitimate interest
Extraevo may, where possible also in aggregate and anonymous form, use your Personal Data, including that relating to your use of the Website, your choices, habits and purchase preferences, geographical area of reference, level of expenditure incurred, active services and frequency of use, for internal statistical research and improvements to the services offered, as well as for customer care and customer satisfaction activities, complaint management, administrative and accounting management, etc.
Within the limits of the provisions of Article 21 of the GDPR, you have the right to object to the processing of personal data concerning you performed by Extraevo in pursuit of its legitimate interest. The objection must be sent to the following address: email@example.com.
Your Personal Data will not be used to profile you for commercial and marketing purposes, except with your prior consent collected pursuant to the provisions of point E) above. Only in this case can the profiling activity described also be performed to send personalised commercial communications as per point E) above.
G) Defending rights during judicial, administrative or out-of-court proceedings, and in the context of disputes arising in relation to the services offered
Your Personal Data may be processed by the Data Controller to defend their rights or act or even make claims against you or third parties.
HOW WE KEEP YOUR PERSONAL DATA SECURE
The Data Controller use suitable security measures to improve the protection, security, integrity and accessibility of your Personal Data. All your Personal Data is stored on our protected servers (or suitably archived hard copies) or those of our suppliers, and is accessible and usable according to our standards and security policies (or equivalent standards for our suppliers).
HOW LONG WE KEEP YOUR DATA FOR
The Data Controller keep your Personal Data only for the time necessary to achieve the purposes for which it was collected or for any other legitimate related purpose. Your Personal Data that is no longer necessary, or for which there is no longer a legal basis to keep it, will be irreversibly anonymised or safely destroyed.
WHO WE CAN SHARE YOUR PERSONAL DATA WITH
The other company of the Extraevo Group – meaning all the company directly or indirectly controlled by Extraevo di Baiocchi Francesco – may have access to your Personal Data as autonomous Data Controller and/or processors by virtue of intra-group agreements and in connection with needs and activities carried out within the group, along with consultants and external suppliers such as: cloud service provider, IT provider or hosting provider, tax and legal consultants etc. appointed – if they do not act as independent Data Controller – as data processors.
Furthermore, where requested, your Personal Data and information about transactions and other activities carried out through the Websites can be made available to the judicial authorities and police in compliance with procedural rules or other State administrations, where expressly requested.
TRANSFER OF DATA TO NON-EU COUNTRIES
The Data Controller may transfer your Data to countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter "Third Countries"), whose data protection laws may have lower standards than those of the EEA. In the latter case, the Data Controller will ensure that all your data accessible outside the EEA is processed with appropriate safeguards. The Data Controller will provide adequate guarantees and protections for such cross-border transfers, in accordance with the provisions of the legislation on personal data protection; these include the use of Standard Contractual Clauses approved by the European Commission, Codes of Conduct and/or Binding Corporate Rules. These clauses impose similar data protection obligations directly on the recipient, unless we are allowed by applicable data protection law to transfer data without such formalities. Some third countries, such as USA, Canada and Switzerland, have been authorised by the European Commission as they provide protection similar to that of the EEA data protection legislation, and therefore additional legal protections are not necessary.
The contact details of the Data Controller are as follows:
- Extraevo di Baiocchi Francesco, Via Sant'Antonio 35 - Silvi Marina (Te) 64028, firstname.lastname@example.org
YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY
In accordance with Articles 15-21 of the GDPR, you have the right to request:
- access to your personal data and the purposes and logic of the processing activity carried out by the Data Controller
- a copy of the Personal Data you have provided to us (so-called portability)
- the correction of your Personal Data held by the Data Controller
- the erasure of your Personal Data when: (i) the Personal Data is no longer necessary with respect to the purposes for which it was collected or otherwise processed; (ii) the Personal Data is unlawfully processed; (iii) you have legitimately opposed the processing and there is no prevailing legitimate reason for the data to be kept; (iv) the Personal Data must be erased to fulfil a legal obligation. However, the Data Controller has the right to disregard the request for erasure if the right to freedom of expression and information prevails, or to exercise a legal obligation or defend their rights in court;
- revocation of your consent, if the processing is based on consent;
- limitation of the processing (i) for the period necessary for the Data Controller to verify the accuracy of your Personal Data in the event of a dispute; (ii) in the event of unlawful processing of your Personal Data when you object to its erasure, requesting a limitation of the processing; (iii) in the event that, although the data is no longer necessary and should be deleted, you need it to be processed to assess, exercise or defend a right in court; (iv) for the period necessary to verify any prevalence of the Data Controller' legitimate reasons with respect to your request to oppose the processing.
Furthermore, you have the right to object to the Data Controller processing your Personal Data for reasons related to your particular situation, except where the existence of the Data Controller' legitimate binding reasons prevails for continuing the processing, or there is a need to keep your Personal Data to assess or defend a right in court.