Privacy Policy

The Data Controller is GALDE DI ELENA COLANGELO, represented by its legal representative pro tempore, with registered office in Milan, Via San Siro n.1, Tax Code and VAT number 02356410684 (hereinafter, the "Controller"). The Controller can be contacted at the following email addresses: info@galde.it and/or certified email: ele.colangelo@spidmail.it

1. Browsing data
   • The computer systems and software procedures used to operate this Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
   • This information is not collected to be associated with identified data subjects, but by its very nature, it could, through processing and association with data held by third parties, allow Users to be identified. This category of data includes the IP addresses or domain names of the computers used by Users connecting to the Site, the URI (Uniform Resource Identifier) ​​addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters relating to the Users' operating system and IT environment.
   • This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning.
2. Cookies and other tracking tools
   • See the extended information on cookies.
3. Data provided voluntarily by the user or collected by the Data Controller
   • The optional, explicit, and voluntary sending of messages to the Data Controller's contact addresses published on the Site, as well as the completion and submission of forms on the Site, entail the acquisition of the sender's contact information, necessary to respond to requests, and any personal data voluntarily included in the text of the communication.
   • The Data Controller also processes the personal data of interested parties who access the Site to purchase a product therein, such as: name, surname, tax code, home and/or residential address, street address and apartment number, email address, telephone number, billing address (if applicable), certified email address, as well as payment data, i.e., information relating only to the transaction amount and the payment status of a related Order.
4. Third-party data provided by the interested party
   • Personal data of third parties provided by Users who make a purchase in order to gift a product on the Site, such as: name, surname, home and/or residential address, phone number, and extension.
   • The user who communicates the aforementioned third-party data is directly and exclusively responsible for their collection, communication and/or dissemination, thus indemnifying the Data Controller from any liability towards third parties and from any disputes and claims that may be received by the Data Controller from third parties.

Personal data will be processed by the Data Controller in paper format and/or with automated tools for the time strictly necessary to achieve the purposes for which they were collected.

Aside from what is specified for cookies (the latter are regulated in the extended information notice), the personal data provided by Users are processed for the following purposes:

1. navigation and verification of the correct technical functioning of the Site;
2. respond to any requests from Users;
3. conclude purchase contracts for products on the website and to manage all phases of sales, shipping, payment, invoicing, delivery, as well as, in general, for all activities related to the execution of a contractual relationship with the Owner;
4. with the interested party's prior consent, send the same promotional and informative material, via email, on products marketed by the Data Controller, even if not similar to those already purchased by the user (marketing).

The legal basis for processing for the purposes referred to in point 1) is the Data Controller's legitimate interest in offering access to the Site and evaluating its proper functioning pursuant to Art. 6, paragraph 1, letter f), GDPR.

Providing data for the purpose referred to in point 1) is necessary. Any refusal by the interested party to provide personal data will make it impossible to access and navigate the Site.

The legal basis for the processing referred to in points 2) is the Data Controller's legitimate interest in responding to and responding to requests from data subjects pursuant to Art. 6, paragraph 1, letter f), GDPR.

Providing data for the purposes referred to in point 2) is optional, but refusal by the interested party to provide personal data will make it impossible for the Data Controller to process requests received and provide the requested service.

The legal basis for the processing referred to in point 3) is the performance of a contract to which the data subject is party and any pre-contractual measures adopted at the data subject's request pursuant to Article 6, paragraph 1, letter b), GDPR.

Likewise, the provision of data for the purposes referred to in point 3) is optional, however, any refusal by the interested party to provide the data will make it impossible for the Data Controller to formulate contractual proposals, manage commercial relationships, and conclude any contracts.

The legal basis for the processing referred to in point 4) is the data subject's consent pursuant to Article 6, paragraph 1, letter a), GDPR. Providing data for marketing purposes is optional, but failure to provide consent will prevent the Data Controller from sending informational and advertising materials, without prejudice to the purposes of purchasing or browsing.

Browsing data is deleted immediately after processing and, in any case, is not retained for more than 7 days from the time of collection, except where required by judicial authorities to investigate criminal offenses.

The personal data provided through the form on the Site are processed for the time necessary to manage and process the requests received and are deleted after 7 days from the time of collection.

The personal data provided by data subjects for the performance of pre-contractual activities and for the conclusion of the purchase agreement are retained for the time strictly necessary to conduct the pre-contractual negotiations, and in the event of a contract being concluded, for a maximum period of 10 years from the termination of the existing contract between the data subject and the Data Controller, whereby this is understood to be the date of issue of the last invoice issued in relation to the contract. If no contract is concluded, the personal data collected will be immediately deleted.

The data provided by data subjects for marketing purposes is retained for 24 months from the date the data subject provides consent, unless the consent is revoked or the data subject objects to the processing. Consent for the marketing purposes referred to in point 4) above may be revoked freely and at any time by writing to the following email address: info@galde.it, or by clicking the unsubscribe link available in each email communication.

The personal data of the interested parties will not be disclosed for a purpose other than that for which they were collected, but may be communicated:

1. to any collaborators of the Data Controller, designated and authorised to process data by written deed;
2. to third parties, independent controllers or appointed as data processors or sub-processors, with whom specific confidentiality agreements are concluded, such as, by way of example and not limited to, supervisory and control authorities and bodies and, in general, subjects, including private individuals, entitled to request data, public authorities who expressly request it from the Data Controller for administrative or institutional purposes, in accordance with the provisions of current national and European legislation, to consultants, third-party IT supply and assistance companies, to companies that offer website and information system maintenance services, to companies that provide management and maintenance services for the Data Controller's database, committed to the correct and regular pursuit of the purposes described and to any other subject whose intervention is required.

The complete and updated list of data controllers, as well as other parties to whom personal data may be disclosed, is available at the Data Controller's headquarters and may be freely consulted upon request.

The processing takes place at the aforementioned headquarters of the Data Controller.

Personal data is stored on servers located within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to transfer personal data to countries outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will be carried out in compliance with applicable legal provisions. In the absence of an adequacy decision from the European Commission, any processing of personal data in non-EU countries will be possible only if adequate contractual or other guarantees, including binding corporate rules and standard contractual data protection clauses, are in place by the Data Controllers and Processors involved.

In the absence of an adequacy decision or other appropriate measures as described above, the transfer and processing of personal data outside the European Union will only be carried out with the data subject's prior consent.

The interested party may exercise their rights under EU Regulation 2016/679 (GDPR) by contacting the Data Controller at the contact details above.

In particular, the Data Controller informs the interested party of the existence of the following rights:

• obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet recorded, and their communication in an intelligible form;
• obtain the updating, rectification of inaccurate personal data or, where applicable, the integration of incomplete data, as well as the limitation of processing in the cases provided for by art. 18 GDPR;
• obtain the erasure of personal data and the transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
• object, at any time, for reasons relating to your particular situation, to the processing of personal data concerning you, pursuant to Article 6, paragraph 1, letters e) or f) of the GDPR, to the processing of data for direct marketing purposes, including profiling;
• receive the data provided to the Data Controller in a structured, commonly used and machine-readable format, and, if technically feasible, transmit them to another Data Controller without hindrance;
• revoke the consent given at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation;
• lodge a complaint with the competent supervisory authority;
• obtain certification that the erasure, rectification, and limitation operations have been brought to the attention of those to whom the data was transmitted, including with regard to their content, unless such compliance proves impossible or involves the use of means manifestly disproportionate to the right being protected;
• not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.