Dear User,
the present Privacy Policy is in accordance with Articles 13 and 14 of the EU Regulation 2016/679 – (from now “GDPR”) and with the relevant provisions of the Privacy Code (D.lgs. N. 196/03) modified by the D.lgs. n. 101/18 with regard to the protection of personal data of the ones who connect to the website https://incantogourmet.com/ and use the services. This page describes the operating methods of the website owned by ALI S.R.L. (here also “The Data Controller”) and the processing of personal data of the users who enter and navigate the site. This policy refers only to the page previously mentioned and not also other websites possibly visited by the user through specific links.
1. PERSONAL DATA CONTROLLER
In accordance with art. 4, point 7 of GDPR, the Data Controller is the one who“determines the purposes and the means of the personal data processing”. Relatively to the present website, the Data Controller is: ALI S.R.L., based in Via Piero della Francesca, n. 38, 20154 Milano, VAT number 08958250964, (here also “The Data Controller”), certified e-mail: arrowluxury@legalmail.it
2. DATA PROTECTION OFFICER
The Data Protection Officer – DPO is a figure provided by art. 37 of GDPR. to fulfil support, control, advisory, training and informational functions, whose appointment is mandatory only in the cases provided by art. 37, par. 1, let. B) and c) of GDPR. This figure is not mandatory for the Data Controller of the present website.
3. DATA TYPE AND PURPOSE OF PROCESSING
A. Browsing data
Some personal data, the transmission of which is implicit in the use of Internet communication protocols, are captured by the software and IT systems that enable the operation of this website during their regular exercise and for the only period of connection. Such information is not collected in order to be associated with identified interested parties, but could by their nature be used to identify the users, by means of processing operations and in combination with other data in the possession of third parties. This data category includes IP addresses or domain names of the computers used by the users to access the website, the addresses in URI (Uniform Resource Identifier) notation for resources requested, their time stamps, the method used to deliver the request to the server (success, error, etc.) the country of origin, the time span of the visit (e.g. the time spent on each page) and other parameters connected to the IT system and computing environment of the user.
Such data could be used to:
i) statistics: collection of data and information in aggregate and anonymous form in order to verify the proper functioning of the website. None of such information is connected to the physical person-User of the website, and does not allow identification in any way.
ii) security: collection of data and information in order to protect the security of the website and Users (spam filters, firewalls, virus detection) and to prevent or unmask fraud or abuse to the detriment of the website.
iii) Non-continuous geolocation: this website may collect, with prior consent of the User, location data, in order to provide location-based services. The geographic location of the User is determined in a non-continuous manner, either at the specific request of the User or when the User does not point out its current location in the appropriate field and therefore does not allow the application to detect the position automatically.
B. Data voluntarily provided by the user
This category includes:
– data provided during account registration on an e-commerce platform (of WooCommerce) and User authentication of dedicated account, meaning through the login credentials of social networks such as Facebook, Instagram, Linkedin, Amazon and Paypal provided by their owners.
– data provided when subscribing to the newsletter through the dedicated plug-in of MailChimp.
The personal data processed are: name, surname, company name, tax code, VAT number, certified e-mail, SDI Univocal Code, e-mail address, phone number, shipping address of product, credentials of the social network account you used, payment data which vary according to the chosen payment service (credit card, PayPal).
Such data can be used to:
i) identification and access to the e-commerce platform: allowing identification and access of the User to the e-shop services. Registration and authentication services are provided by means of WooCommerce and of Social Network, through the WooCommerce Social Login plug-in. In such case, the website will be able to access some data, stored by these third party services, for registration or identification purposes. In case of access via social account, the website can gather data from your account on third party services and perform actions with it.
ii) order management: allowing the conclusion of the distance contract and the performance of services, both of the User and of the Data Controller, subject of matter of the contract itself. Regarding the provision of the Data Controller, the specific aims are to allow the User to process the order on the platform WooCommerce, to allow the transfer of the order to a platform for logistics management (UPS) and to allow B&B Service of Brivio e Viganò Operator to access the UPS platform for ready to shipment notices and for delivery management. Regarding this service, we invite the User to read the privacy policy of the e-shop, shipment and delivery service administrators.
iii) payment management: processing payments via credit cards and PayPal and issuing payment invoices. The data provided for the payment are acquired directly by the payment service administrator (PayPal or Stripe Inc.). Regarding this service, we invite the User to read the privacy policy of the chosen payment service administrator.
iv) customer service: answering the information requests or the issues of any nature regarding the customer service.
v) user database management constructing User-profiles and tracking User activities through statistical capabilities, in order to structure and improve the efficiency of the website.
vi) marketing: with the User’s consent, sending email messages and newsletters containing information, also of commercial and promotional nature, regarding the products offered. The newsletter service is provided through the use of MailChimp, whose privacy policy is available to the User on their home site.
C. Cookies
This website uses first and third party cookies, as detailed on the cookie policy here referred (LINK).
4. LEGAL BASIS
Below are the legal basis of the personal data processing for the purposes indicated in the previous paragraph, referring to the cookie policy the identification of the legal basis for the data acquired through cookie installation:
– purposes stated on the § 3, let. A), points i) and ii) and let. B) points i) and v): legitimate interest of the Data Controller;
– purposes stated on the § 3, let. B), points ii), iii), iv): contract and pre-contractual negotiations;
– purposes stated on the § 3, let. A) point iii) e let B) point vi): consent of the data subject.
5. NATURE OF THE PROVISION
Except as specified for navigation data and in accordance to the cookie policy referred, the user is free to provide personal data by registering or logging in the e-commerce platform, through a dedicated account or a social network account. The website visit does not require a previous registration or login. Registration or login, however, are necessary to enter the e-commerce platform services. Unless otherwise specified, the Data required by the platform are mandatory for registration. If the User refuses to provide them, it may not receive the e-shop service.
The provision of the social network account credentials is a User choice about the login option and takes places exclusively on a voluntary basis.
In case the User provides, posts, shares or in any way handles personal data of third parties while using the website features, henceforth guarantees to have the right to perform the treatment and, where necessary, to have previously obtained the consent of the third party for the processing of their data, taking all responsibility in this regard with every indemnification in favour of the website Data Controller.
6. HOW AND WHERE PERSONAL DATA ARE PROCESSED, TRANSMITTED AND SHARED
The personal data treatment is performed lawfully, correctly and transparently and, in any case, in compliance with the provisions of arts. 5 and 6 of the EU Regulation 2016/679 – GDPR. Your personal data is processed by manual and IT tools, on the basis of principles strictly tied to purposes indicated above and in any case to ensure the security and the confidentiality of the data.
Data management and storage takes place on a server located in Switzerland (see EU Commission Decision of 26 July 2000 on the adequacy of protection of personal data in Switzerland under Directive 95/46/CE, to which validity has been confirmed pursuant to art. 45 of EU Regulation n. 2016/679) where the company that provides the hosting service is based (Hostpoint SA – Neue Jonastrasse 60, 8640 Rapperswil-Jona / Switzerland).
Personal Data may be shared and processed by internal personnel and/or external collaborators of the Data Controller as authorised subjects for treatment, within the framework of their respective functions and in accordance with the instructions given by the Data Controller.
In some cases, personal data may be communicated to external subjects acting on behalf of the Data Controller, duly nominated, if necessary, Responsible of data treatment under art. 28 of GDPR in regards of protection of personal data, such as:
– Natural and legal persons who perform services of website development and maintenance and hosting providers;
– Natural and legal persons who perform services connected to the e-shop, logistics, payment, on behalf of the Data Controller;
– Natural and legal persons who perform marketing activities on behalf of the Data Controller;
– Accountants, lawyers and other practitioners to whom the Data Controller is directed;
– Financial and public institutions.
The updated list of the Responsible can always be requested to the Data Controller. Please note that your data will not be disclosed to indeterminate third parties.
Personal data may be transferred to countries outside the European Union such as United Kingdom (to which, until the 31st December, EU Regulation n.2016 is applied), Japan (23rd January 2019 EU Commission Decision about the adequacy of Japan’s regulation on personal data treatment) and Canada (20th December 2001 EU Commission Decision of conformity of Canada’s regulation of personal data treatment to Directive 95/46/CE, the validity of which, pursuant to art. 45 of GDPR, has been confirmed). It is understood that the Data Controller, where necessary, shall have the faculty of data transfer also in other countries. In such case, the Data Controller hereby guarantees that the data transfer to non-EU countries will be performed in accordance with statutory provisions by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission.
7. RETENTION PERIOD
Except as provided for in the cookie policy, the collected data are stored for the time strictly necessary to perform the activities stated on the §3. Upon expiration, the data will be deleted or made anonymous, unless there are additional purposes for storing them. The data used for security purposes (blocking attempts to damage the site) are kept for 30 days. Data for statistical purposes are kept in aggregate form for 24 months. Data for direct marketing purposes are stored for 24 months.
8. USER RIGHTS
You may exercise your rights towards the Data Controller by using the following contact information: e-mail claim@incantogourmet.com and telephone: +39 0294155076.
In order to guarantee the correct exercise of your rights, you must be uniquely identifiable. The Data Controller is committed to providing adequate reply within 30 days and, if unable to comply with these deadlines, to justify the possible extension of the deadline established. The feedback will be free of charge except in cases of groundlessness (e.g. there are no data concerning the asking person) or excessive demands (e.g. repetitious over time) for which a fee may apply, nonetheless not exceeding the costs actually incurred for the specific request.
In any moment you can exercise, in pursuance of arts. 15 to 22 of GDPR, the right of:
a) Ask the confirmation of existence or absence of your personal data;
b) Obtain the indications about the purposes of the treatment, the personal data categories, the recipients or category of recipients to whom the personal data have been or will be transferred to and, when possible, the data retention period;
c) Obtain the correction or cancellation of your personal data;
d) Obtain the limitation of treatment;
e) Obtain the data portability, namely receive them from a data controller, in a structured format, commonly used and readable by an electronic device, and to transmit them to another data controller without impediments;
f) Object to the processing of persona data in any moment and also for direct marketing purposes;
g) Object to an automated decision-making process regarding physical persons, including profiling.
h) Ask the Data Controller to access your personal data and the correction/cancellation of the same, or the limitation of the treatment that concerns them, or to oppose their treatment, in addition to the right to data portability;
i) Withdraw consent in any moment without prejudice to the legality of the data processing carried out prior to the withdrawal;
j) Lodge a complaint with a supervisory authority;
You may also express preferences regarding the use of cookies, as described in the cookie policy.
9. CHANGES TO THE PRESENT DOCUMENT
The present document constitutes the privacy policy of this website.
It can be subject to amendments or updates. In the case of significant changes and updates, these will be reported with appropriate notifications to users.