Privacy Policy

This Privacy Policy is provided pursuant to Article 13 of European Regulation No. 679/2016 and applies exclusively to all Data collected through the website fromherotohero.io. This Privacy Policy is subject to updates that will be published promptly on the Website. This Privacy Policy, together with the Terms and Conditions, any other documents referred to therein, and the Cookie Policy, establish the basis on which the Data of the Data Subject will be processed.

Data Controller

The Data Controller of the Data collected through this Website is: SPAZIO GAME SRLS, headquartered in Soncino (CR) 26029, via Caduti sul lavoro snc, VAT / Tax Code: 01625480197, email: info@fromherotohero.it

Personal Data Processed

Personal Data means any information relating to an identified or identifiable natural person (Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical identity of that person.

Categories of Personal Data Processed

Among the Personal Data processed by this Website, either independently or through third parties, there are Common Data such as:

Personal identification data (such as first name, last name, date of birth, age, gender, etc.)
Contact information (email, address, telephone number)
Geolocation data (including "IP" addresses)
Internet browsing data (including data resulting from the use of social icons and social login buttons — e.g., Facebook, Instagram, Twitter, LinkedIn, etc. — collected through cookies installed on the computer or mobile device; for more information, please refer to the Cookie Policy)
Banking data useful for managing the commercial relationship

If a request is sent via the "Contact" section of the Website, the provision of certain Personal Data is necessary in order for the Data Controller to fulfill the request, and the relevant fields in the registration form are marked as mandatory.

Methods of Personal Data Processing

The Personal Data provided or collected will be processed in accordance with the principles of fairness, lawfulness, transparency, and the protection of confidentiality under current regulations.

The Data Controller processes the Users' Personal Data by adopting appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of Personal Data.

Processing is carried out using IT and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated.

Purpose of Personal Data Processing and Legal Basis

Personal Data may be collected independently by the Data Controller or through third parties. In this case, the IT systems and software procedures used to operate this Website acquire certain technical and IT-related Personal Data of the Users (e.g., IP address, browser type, operating system, domain name, and website addresses from which access or exit occurred, etc.), the transmission of which is inherent in the normal functioning of the internet. These Data may be processed solely for the purpose of obtaining anonymous statistical information on the use of the site and/or to ensure its proper operation and will be deleted immediately after processing.

The Data that the Data Subject voluntarily chooses to provide will be processed in compliance with the lawfulness conditions set forth in Art. 6 of the GDPR and will be processed to allow the Website to provide its services, as well as for the Purposes indicated below, and will be stored for the time necessary to fulfill the aforementioned Purposes. Specifically, the Purposes of the processing are:

1) Responding to Requests and Providing Information

Data will be processed in order to be recontacted or to follow up on specific requests made to the Data Controller by the Data Subject regarding communications related to the Services and/or Content provided by the same Data Controller, via email messages or other communication tools such as phone calls.

Legal basis: this processing is optional and based on the consent of the Data Subject; however, the provision of the Data is necessary to pursue the stated purpose.
Data retention period: until the consent is revoked by the Data Subject.

2) Website Registration

The registration procedure, through the creation of an account, is intended to allow the use of the website as a "Registered User". Registering on the website by creating an account enables the Registered User to:

Make purchases more quickly by saving billing and shipping information.
Store previous purchases and retrieve the cart in case of disconnection.
Access the order history and manage purchase preferences.

Legal basis: The legal basis for the processing is the execution of a contract or pre-contractual measures (Art. 6.1 letter b GDPR), as account registration and cart management are necessary to enable the user to purchase and use the services offered by the website. User consent (Art. 6.1 letter a GDPR) is required for the optional extended storage of login credentials and purchase preferences. The user can withdraw consent at any time by contacting the Data Controller.
Data retention period: Account data will be stored until:

Consent is revoked by the User for the storage of preferences.
The account is deleted upon request by the User.
10 years for purchase-related information, in compliance with tax and accounting obligations.

3) Pre-contractual Information and Obligations

Data will be processed to recontact the Data Subject and respond to specific requests for information, such as informative communications about the products and services offered by the Data Controller, quote requests and/or pre-contractual assistance for product purchases. Recontact may take place via email, telephone, or through the contact form on the website.

Legal basis for processing:

Execution of pre-contractual measures at the request of the Data Subject (Art. 6.1 letter b GDPR), when processing is necessary to respond to information or quote requests.
Consent of the Data Subject (Art. 6.1 letter a GDPR), when data is collected for subsequent commercial contact and/or promotional offers.

Data retention period:

Data provided for information or quote requests will be stored for a maximum of 12 months, unless a contractual relationship is established.
If the Data Subject has given consent to be recontacted for future offers, the data will be stored until the consent is withdrawn.

4) Processing Necessary Within the Scope of a Contract

Data will be processed for the following purposes:

Execution of the contract entered into between the Data Subject and the Data Controller for the sale of the Products/Services offered on the Website.
Management of the contractual relationship, including communications related to orders, invoicing, and shipping.
After-sales support, including legal warranty claims, withdrawal, and contract resolution.
Fulfillment of legal, administrative, and fiscal obligations arising from the sale of products/services.

Legal basis for processing:

Contract execution (Art. 6.1 letter b GDPR): processing is necessary to provide the product/service purchased by the Data Subject.
Legal obligation (Art. 6.1 letter c GDPR): processing is necessary to comply with tax, administrative, and accounting obligations.

Payment Data

Online payments are processed by external payment service providers (e.g., PayPal, Stripe, Shopify Payments). The Data Controller does not store the Data Subject's credit card or payment data directly but only receives confirmation of successful payment from the provider.

Data retention period: Personal data processed for contractual and administrative purposes will be retained for the time necessary to execute the contract and, subsequently, for a maximum period of 10 years in accordance with legal obligations regarding taxation and accounting.

5) Compliance with Legal Obligations

Data will be processed to fulfill any type of obligation required by current laws, regulations, related legislation, commercial practices, and tax regulations, including for purposes required under anti-money laundering legislation (Legislative Decree 231/2007 and subsequent amendments).

Legal basis: This processing is necessary to comply with a legal obligation to which the Data Controller is subject.
Data retention period: As required by law, and in any case for a maximum period of 10 years for the fulfillment of related administrative and fiscal obligations.

6) Soft Spam

The Data Controller may send the Data Subject commercial and promotional communications via email regarding products/services similar to those already purchased by the Data Subject, without requiring prior consent, pursuant to Article 130, paragraph 4 of the Italian Privacy Code, as amended by Legislative Decree 101/2018.

The Data Subject has the right to object at any time to such communications by using the unsubscribe link provided in each received email or by contacting the Data Controller directly.

Legal basis for processing: Processing is based on the legitimate interest of the Data Controller (Art. 6, letter f GDPR) in promoting products or services similar to those already purchased by the user. This legitimate interest is balanced with the Data Subject's right to object at any time, as stated in Recital 47 of the GDPR.
Data retention period: The Data Subject's data will be processed for this purpose until the right to object is exercised.

7) Newsletter

The personal data provided by the Data Subject will be processed for the purpose of sending newsletters containing promotional, commercial, and advertising communications, as well as updates on initiatives and events of the Data Controller.

For the purpose of sending newsletters, the Data Controller may process the user's first and last name (if provided), and email address. The Data Controller may also track interactions with the emails sent (e.g., newsletter opens, link clicks), where such tracking is supported by the systems in use.

Legal basis for processing: Processing is based on the explicit and freely given consent of the Data Subject, pursuant to Art. 6, paragraph 1, letter a GDPR. Subscription to the newsletter is optional and the failure to provide data does not affect the use of other services on the website.

Data retention period: Data will be processed until the Data Subject revokes consent. The right to unsubscribe may be exercised at any time:

Via the unsubscribe link at the bottom of each newsletter received.
By sending a direct request to the Data Controller via email.

8) Statistics

Data will be processed to carry out statistical analyses and market research aimed at understanding user preferences and behavior in order to improve the products and services offered, and to analyze user interaction with the website to optimize navigation and user experience.

Analyses will be performed on aggregated and anonymous data, where possible. If the data cannot be fully anonymized, it will be processed in a pseudonymized form and subject to the protections provided by the GDPR.

Legal basis for processing:

Consent of the Data Subject (Art. 6, para. 1, letter a GDPR): when data is collected through analytics tools that track user behavior.
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR): when analyses are carried out exclusively on anonymous and aggregated data.

The Data Subject may withdraw consent at any time and disable tracking by:

Using the cookie management banner on the website.
Changing browser settings to block tracking cookies.
Sending a direct request to the Data Controller at the following email address: [insert email].

Data retention period: Data will be retained until consent is withdrawn or for the maximum period set by each analytics tool.

9) Profiling for Advertising Campaigns

The Data Subject's personal data will be processed to analyze and evaluate interests, habits, and purchasing behaviors in order to create personalized profiles based on user preferences, send informational and promotional material about Services/Products offered by the Data Controller, and display personalized advertisements on third-party platforms (e.g., Facebook Ads, Google Ads, email marketing).

Legal basis for processing: Processing is based on the explicit and freely given consent of the Data Subject, pursuant to Art. 6, para. 1, letter a GDPR. The Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The Data Subject may object to profiling and stop the processing through:

The privacy settings in their account (if available).
The unsubscribe link included in every promotional communication received.
A direct request to the Data Controller at the following email address.

Data retention period: The Data Subject's data will be processed for this purpose until consent is withdrawn.

Data Disclosure

In addition to the Data Controller, in some cases, the following may have access to the Data:

a) Categories of personnel specifically authorized and trained for the operation of the Website (administrative, sales, marketing, legal staff, and system administrators);
b) External parties (such as third-party technical service providers, hosting providers, IT companies, communication agencies), also appointed as Data Processors by the Data Controller pursuant to Art. 28 GDPR. An up-to-date list of the appointed Data Processors, if any, can always be requested from the Data Controller;
c) Public or private entities that may access the Data in compliance with legal obligations;
d) Entities performing tasks that are auxiliary and instrumental to the activities of the Data Controller.

Data Retention Periods

As expressly provided by Article 5, paragraph 1, letter e) of the GDPR, Data is retained for the time strictly necessary for its Processing in relation to the service requested by the Data Subject, or as required by the purposes described in this document.

At the end of the retention period, Personal Data will be deleted and, therefore, the rights of access, deletion, rectification, and data portability can no longer be exercised.

Cookies

This Website uses cookies. Cookies are small text files that websites can use to make the user experience more efficient and to personalize content and ads, provide social media features, and analyze traffic. For more information, refer to the [Cookie Policy].

Place of Processing and Data Transfers Abroad

Data is processed at the operational headquarters of the Data Controller. For more information, you may contact the Data Controller. Data may be processed by individuals and/or legal entities acting on behalf of the Data Controller and bound by specific contractual obligations, located in EU or non-EU countries. If Data is transferred outside the EEA, the Controller will adopt all appropriate contractual measures to ensure an adequate level of data protection.

Exercising the Data Subject's Rights

The Data Subject has the right to exercise the faculties provided under Articles 7 and 15–22 of Regulation (EU) 2016/679. In particular, the Data Subject has the right to withdraw their consent at any time and, by simple request to the Data Controller, may:

Request access to Personal Data
Receive the Personal Data provided to the Controller and, where possible, transmit it to another Controller without hindrance (so-called data portability)
Obtain the update, restriction of processing, rectification, or deletion of data processed in violation of the law
Object to the processing of their Personal Data for legitimate reasons, including for direct marketing or market research purposes
File a complaint with the Italian Data Protection Authority or take legal action before the competent courts

To exercise these rights, the Data Subject may contact the Data Controller via email at: info@fromherotohero.it

Tools Used for the Processing of Personal Data

Web Hosting

The website uses Amazon Web Services (AWS) for platform hosting, database management, and digital service delivery. Through AWS, technical personal data is processed (e.g., IP address, access logs, browsing data) as well as content necessary for website functionality, such as files, forms, orders, and user communications. AWS ensures high levels of security, infrastructure reliability, and compliance with international standards.

Legal basis for processing:

The legitimate interest of the Data Controller in ensuring the security, availability, and functionality of the website (Art. 6, para. 1, letter f GDPR);
Compliance with legal obligations, particularly in the area of IT security and log retention (Art. 6, para. 1, letter c GDPR).

Data retention period: Technical data collected (e.g., access logs, errors) are retained for the time strictly necessary for security, maintenance, or legal defense purposes, and in any case no longer than 30 days, unless otherwise required.

Place of processing: AWS is a service provided by Amazon Web Services EMEA Sàrl, headquartered in Luxembourg. Data may be processed on servers located within the European Union, particularly in Ireland, and, if necessary, also in non-EU countries. In such cases, appropriate safeguards are adopted, such as the Standard Contractual Clauses approved by the European Commission.
Privacy Policy: https://aws.amazon.com/it/privacy/

Web Platform

The website is developed and managed using WordPress, an open-source platform that enables the dynamic creation and administration of web content. The use of WordPress involves interaction with components that may collect and process Personal Data for purposes such as user management, e-commerce, activity tracking, security, and technical analytics.

Legal basis for processing:

Execution of a contract or pre-contractual measures at the request of the Data Subject (Art. 6, para. 1, letter b GDPR)
The legitimate interest of the Data Controller in the technical, administrative, and commercial management of the site (Art. 6, para. 1, letter f GDPR)

Data retention period: Data processed through WordPress is retained for the time necessary to ensure the operation of the website, the delivery of requested services, and compliance with legal or tax obligations. Retention periods may vary depending on the configuration of installed plugins.

Place of processing: Data is processed via servers primarily located in Ireland, but some integrated services may use geographically distributed servers, including those outside the European Economic Area. In such cases, appropriate safeguards are applied in accordance with Articles 44 and following of the GDPR.
Privacy Policy: https://automattic.com/privacy/#controllers-and-responsible-companies

Contact Form

By filling out the contact form with their own Data, the Data Subject consents to its use for responding to information requests or for any other purpose indicated in the form's header.

Personal Data collected through the contact form: Email, First and Last Name, Phone number

WPForms (WPForms, LLC.)

The site uses WPForms, a service provided by WPForms, LLC., which allows the creation and management of contact forms and data collection tools directly integrated into the website pages. WPForms enables the Data Subject to send contact requests, inquiries, or personalized messages to the Data Controller via fillable forms.

Personal Data processed: Name, Email, Any additional Data voluntarily provided in the form fields, Other types of Data as specified in the WPForms privacy policy

Legal basis for processing:

Consent of the Data Subject (Art. 6, para. 1, letter a GDPR), expressed by voluntarily filling out the form
Pre-contractual measures (Art. 6, para. 1, letter b GDPR), if the request is related to the provision of a service

Data retention period: Data is retained for the time strictly necessary to respond to the User's request or, in the case of purposes related to a contractual relationship, according to the timeframes set forth by current regulations.

Place of processing: United States
Privacy Policy: https://wpforms.com/privacy-policy/

EMAIL ADDRESS MANAGEMENT

These services allow the management of a database of email contacts, telephone contacts, or contacts of any other type used to communicate with the Data Subject. These services may also collect data regarding the date and time messages are viewed by the Data Subject, as well as interactions such as clicks on links included in the messages.

By subscribing to the newsletter, the Data Subject's email address is automatically added to a list of contacts who may receive emails containing information, including commercial and promotional content, related to this Website. The Data Subject's email address may also be added to this list as a result of registering on the Website or after making a purchase. The Data Subject can unsubscribe from the newsletter at any time by clicking a specific unsubscribe link found in every email. Once the unsubscribe link is clicked, the Data Subject's Data will be immediately deleted from the "email marketing" software.

Personal Data collected: Email and Name.

FRAMEWORK 360

An Italian platform for managing newsletters, promotional communications, and marketing automation. Through FRAMEWORK 360, personal data of the Data Subject (such as name, surname, email, and interaction data with communications) are processed for sending newsletters, automated reminders, commercial offers, and personalized informational content.

Legal basis for processing:

Explicit consent of the Data Subject (Art. 6, para. 1, letter a GDPR), given at the time of newsletter subscription or via contact form
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR), in cases of soft spam for the promotion of products or services similar to those already purchased, pursuant to Art. 130, paragraph 4 of the Italian Privacy Code

Data retention period: Personal data is retained until the Data Subject withdraws consent.

Place of processing: FRAMEWORK 360 is a service provided by Framework S.r.l., headquartered in Italy. Data is processed on servers located within the European Union. In the event of transfer to third countries, the Data Controller ensures the adoption of appropriate safeguards in accordance with Articles 44 and following of the GDPR, such as Standard Contractual Clauses.
Privacy Policy: https://www.framework360.it/privacy

WEBSITE REGISTRATION

By registering or authenticating, the Data Subject allows the Website to identify them and grant access to dedicated services such as order management, purchase history, and personalized user experience. The Data Subject registers by filling out the appropriate registration form and providing their Personal Data.

Legal basis for processing: Execution of pre-contractual or contractual measures (Art. 6, para. 1, letter b GDPR), necessary to allow the user to access the Website's services.

Personal Data collected: First and last name, email address (used as username), and password. The Data Subject may modify or delete their account at any time by accessing their profile settings or by contacting the Data Controller at the provided email address.

STATISTICS

Statistical services enable the Data Controller to monitor and analyze web traffic data and are used to track the behavior of the Data Subject.

GOOGLE ANALYTICS 4

This website uses Google Analytics 4 (GA4), a web analytics service provided by Google LLC, to collect anonymous statistical information about the use of the website in order to improve the services offered. Google uses the collected Personal Data to:

Track and examine usage of this website
Compile reports on site activity
Share data with other Google services for analysis and optimization

Google may also use the collected Personal Data to personalize ads in its advertising network and may share such information with third parties where required by law or where such parties process the information on Google's behalf. In GA4, IP addresses are only used at the time of data collection and then deleted before storage.

Legal basis for processing:

Consent of the Data Subject (Art. 6, para. 1, letter a GDPR) if data is collected through non-anonymized tracking cookies
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR) if data is collected anonymously and in aggregate form, without identifying the user

Personal Data collected: Usage data (information on user interaction with the site) and Cookies (if enabled)
Data retention period: Data collected via Google Analytics is retained for a maximum of 14 months, unless otherwise configured by the Controller.

The Data Subject can disable tracking by:

Using the cookie management banner on the site
Installing the browser add-on to opt-out of Google Analytics, available at: https://tools.google.com/dlpage/gaoptout?hl=en

Place of processing: USA – Ireland
Privacy Policy: https://policies.google.com/privacy?hl=en

TAG MANAGEMENT

The use of tag management systems allows the installation and control of code snippets (called Tags) within a website's HTML pages. This technology enables:

The loading of tracking and analytics tools without manually modifying the site's source code
The management of multiple services via a single snippet

Using these services may result in the transfer of the Data Subject's Data to third-party tools that use the activated tags.

Google Tag Manager (Google LLC or Google Ireland Limited)

This website uses Google Tag Manager, a service provided by Google LLC, which allows integration and management of third-party tags (such as analytics, remarketing, and conversion tracking tools). Google Tag Manager does not collect Personal Data directly, but may trigger other tracking tools that do. If such tools collect Personal Data, their use is subject to their respective privacy policies and user consent.

Possible data managed via tags: Cookies and tracking tools (if enabled), Website usage data (user interactions)

Legal basis for processing:

Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR), when used only for technical tag management without triggering non-essential trackers
Consent of the Data Subject (Art. 6, para. 1, letter a GDPR), when used to activate tracking and personalized advertising tools (e.g., Google Analytics, Facebook Pixel)

Data retention: Google Tag Manager does not retain personal data of users. However, third-party services activated through it may collect and retain data according to their own policies.

The Data Subject can withdraw consent through:

The cookie management banner on the site
Browser settings to block third-party cookies

Place of processing: USA – Ireland
Privacy Policy: https://policies.google.com/privacy

INTERACTION WITH SOCIAL NETWORKS

These services allow interaction with social networks directly from the pages of this Website. Interactions and information acquired by this Website are subject to the Data Subject's privacy settings for each social network. If a service for social media interaction is installed, it is possible that, even if Users do not use the service, it may collect traffic data relating to the pages where it is installed.

Facebook (Meta Platforms, Inc.)

The Facebook buttons are services that allow interaction with the Facebook social network, provided by Meta Platforms, Inc.
Personal Data collected: Cookies and Usage Data.

Legal basis for processing: The integration of these services may involve the processing of Personal Data, which is based on:

Explicit consent of the Data Subject (Art. 6, para. 1, letter a GDPR), if the website uses tracking cookies for marketing or personalization purposes
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR), if data is collected solely to enable interaction with social networks without additional tracking

The Data Subject can withdraw consent and limit social network tracking through: The cookie management banner available on the website, The privacy settings of their social media account, Their browser settings, which allow blocking of third-party cookies

Place of processing: Ireland
Privacy Policy: https://www.facebook.com/privacy/explanation

Instagram (Meta Platforms, Inc.)

The Instagram buttons are services that allow interaction with the Instagram social network, provided by Meta Platforms, Inc.
Personal Data collected: Cookies and Usage Data.

Legal basis for processing: The integration of these services may involve the processing of Personal Data, which is based on:

Explicit consent of the Data Subject (Art. 6, para. 1, letter a GDPR), if the website uses tracking cookies for marketing or personalization purposes
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR), if data is collected solely to enable interaction with social networks without additional tracking

Place of processing: Ireland
Privacy Policy: https://help.instagram.com/519522125107875

YouTube (Google Ireland Limited)

The YouTube buttons are services that allow interaction with the YouTube video content platform, managed by Google Ireland Limited.
Personal Data collected: Cookies and Usage Data.

Legal basis for processing: The integration of these services may involve the processing of Personal Data, which is based on:

Explicit consent of the Data Subject (Art. 6, para. 1, letter a GDPR), if the website uses tracking cookies for marketing or personalization purposes
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR), if data is collected solely to enable interaction with social networks without additional tracking

Place of processing: Ireland
Privacy Policy: https://policies.google.com/privacy?hl=en

Telegram (Telegram UK Holdings Ltd)

This website uses Telegram sharing buttons, a messaging service provided by Telegram UK Holdings Ltd, allowing Users to share website content directly via the Telegram app. Even if the User does not actively interact with the button, Telegram may collect Personal Data via cookies or tracking technologies related to browsing activity on the pages where the button is present.

Personal Data collected: Cookies, Usage Data (e.g., visited URL, interactions, browser, device)

Legal basis for processing:

Consent of the Data Subject (Art. 6, para. 1, letter a GDPR), given via the cookie banner for third-party cookie use
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR), to enable a feature voluntarily requested by the User (content sharing)

Data retention period: Data is collected and processed by Telegram according to the timeframes specified in its own privacy policy. The Data Controller does not store this data.

Place of processing: United Kingdom
Privacy Policy: https://telegram.org/privacy

WhatsApp (WhatsApp Ireland Limited)

This website uses a WhatsApp widget allowing the Data Subject to start a direct conversation with the Data Controller. The button, visible on the website pages, opens a chat via the WhatsApp app or web version. During use of the widget, Personal Data such as phone number, messages sent, IP address, and usage data may be processed.

Legal basis for processing:

Performance of a contract or pre-contractual measures at the Data Subject's request (Art. 6, para. 1, letter b GDPR), e.g., to receive information before a purchase
Consent (Art. 6, para. 1, letter a GDPR), if used for automated or promotional communications

Data retention period: Data is stored for the time necessary to manage the conversation or for the duration defined by the WhatsApp service, unless specific deletion is requested.

Place of processing: WhatsApp is a service provided by WhatsApp Ireland Limited. Data may be processed on servers located in Ireland and, if necessary, transferred to third countries, such as the United States. In such cases, WhatsApp applies Standard Contractual Clauses and GDPR-compliant safeguards.
Privacy Policy: https://www.whatsapp.com/legal/privacy-policy

REMARKETING AND RETARGETING

These services allow this website to communicate, optimize, and serve advertisements based on the Data Subject's past use of the site. This activity is carried out through the tracking of Usage Data and the use of Cookies or Tracking Tools.

Facebook Remarketing (Meta Platforms, Inc.)

This website uses the Facebook Remarketing service, provided by Meta Platforms, Inc., which links website user activity with the Facebook and Instagram advertising networks.

The site uses Facebook Pixel to:

Display personalized ads to users who have visited the website
Create audience groups for targeted advertising
Analyze conversions and measure ad campaign effectiveness

Personal Data collected: Cookies and Tracking Tools, Usage Data (user interactions with the site and with ads)

Legal basis for processing:

Explicit consent of the Data Subject (Art. 6, para. 1, letter a GDPR): The Facebook Pixel is activated only after consent is given via the cookie banner
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR): If data is collected anonymously for statistical analysis purposes only

Information collected by the Facebook Pixel is anonymous to the Website Owner, but Facebook may link it to the user's profile. Facebook may use this data for its own advertising purposes, including on third-party websites, in accordance with its Privacy Policy. The Data Controller has no direct control over Facebook's use of the data.

Data retention period: Data collected by the Facebook Pixel is retained for up to 180 days, unless otherwise configured by Meta.

The Data Subject can withdraw consent and disable remarketing via:

The cookie management banner on the website
Their Facebook account settings under "Ad Preferences"
Facebook's ad deactivation tool: Manage Ad Preferences

Place of processing: Ireland
Privacy Policy: https://www.facebook.com/about/privacy/

PAYMENT PROCESSING

The payment processing services enable this Website to process payments via credit card, bank transfer, or other methods. The Data used for payment is acquired directly by the payment service provider requested, and is not processed in any way by this Website. Some of these services may also allow the scheduled sending of messages to the Data Subject, such as emails containing invoices or payment-related notifications.

Stripe

The site uses Stripe, a service provided by Stripe Payments Europe, Ltd., to manage electronic payments via credit card, debit card, or other digital methods. During the payment process, Stripe collects and processes the User's Personal Data, including banking information, card details, email address, billing address, IP address, and device data.

Legal basis for processing:

Performance of a contract (Art. 6, para. 1, letter b GDPR), to process payments requested by the User
Legal obligation (Art. 6, para. 1, letter c GDPR), to comply with fiscal and accounting duties related to transactions
Legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR), to prevent fraud and ensure the security of online payments

Data retention period: Payment data is retained by Stripe according to the terms outlined in its privacy policy. The Data Controller retains only the data necessary for invoicing and legal compliance, for a maximum period of 10 years.

Place of processing: Stripe Payments Europe is based in Ireland, but data may also be transferred to Stripe Inc. (USA) and other subprocessors in third countries. Stripe ensures GDPR compliance through Standard Contractual Clauses and, where applicable, participation in the Data Privacy Framework.
Privacy Policy: https://stripe.com/it/privacy

CHANGES TO THIS PRIVACY POLICY

The Data Controller reserves the right to make changes to this Privacy Policy at any time by posting a notice to Users on this page. Please refer to this page often, taking note of the last modified date listed at the bottom. If the Data Subject does not accept the changes made to this Privacy Policy, they must cease using this Website and may request the Data Controller to remove their Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to Personal Data collected up to that point.

The Data Controller is not responsible for the updating of all external links contained in this Privacy Policy. Therefore, Users acknowledge and accept that they should always refer to the official documents and/or sections of the websites referenced in such links if any of them is no longer working or updated.