Privacy Policy — Personal Data Processing

1. Subject matter of processing

The Controller processes personal data, including by way of example name, surname, company name, address, telephone, e-mail, VAT number, tax code, banking and payment details, purchase information and cookie data (hereinafter, "personal data" or "data") that you provide when concluding contracts for the Controller's services, by filling in contact/registration forms or by interacting with the website.

1.1 Statistics (Analytics)

Our website uses Google Analytics (Google LLC). Google Analytics is a web analytics service that collects usage data in order to track and examine the use of the website, compile reports and share them with other Google services. Personal Data collected: Cookies and Usage Data. Place of processing: United States — transfer occurs in compliance with Standard Contractual Clauses (SCC) approved by the European Commission.

1.2 Third parties and integrated services

The website uses the following third-party providers acting as data processors:

• Meta Pixel (Meta Platforms Ireland Ltd.) — tracking pixel for measuring advertising conversions on Facebook and Instagram. Data collected: Cookies, browsing and behavioural data. Place of processing: European Union / United States (SCC).
• PayPal (PayPal Europe S.à r.l. et Cie, S.C.A.) — online payment processing. Data collected: payment data, e-mail, shipping address. Place of processing: Luxembourg / other EU countries.
• MailerLite (UAB MailerLite) — sending transactional communications and newsletters. Data collected: e-mail address, name, e-mail interaction data. Place of processing: European Union.

2. Purposes of processing

Your personal data are processed:

A) Without your express consent (Art. 6(b)(e) GDPR), for the following Service Purposes:

• to conclude contracts for the Controller's services;
• to fulfil pre-contractual, contractual and tax obligations arising from relationships with you;
• to fulfil obligations required by law, regulation, EU legislation or an order of a competent authority (e.g. anti-money laundering);
• to exercise the Controller's rights, such as the right of defence in legal proceedings;
• to send notifications regarding the order status (confirmation, shipment with tracking number) and, once delivered, a service review request via the Trustpilot platform.

The Controller may retain submitted data solely to guarantee the service requested by the visitor; such data will not be used for commercial, marketing or profiling purposes by the Controller. Visitors using these services acknowledge that data will be forwarded to third parties. Where the manner of third-party data use for service provision is unclear, the visitor has the right to ask the Controller about the destination and method of data transfer. The Controller is exempt from any liability regarding improper use of data by third parties.

B) Only with your specific and separate consent (Art. 7 GDPR), for the following Marketing Purposes:

• to send you via e-mail, post and/or SMS and/or telephone, newsletters, commercial communications and/or advertising material regarding products or services offered by the Controller and to measure satisfaction with service quality;
• to send you via e-mail, post and/or SMS and/or telephone, commercial and/or promotional communications from third parties (e.g. business partners, insurance companies, other companies of the Studi Web srl group).

Please note that if you are already our customer, we may send you commercial communications regarding the Controller's services and products similar to those you have already used, unless you object.

3. Methods of processing

The processing of your personal data is carried out by means of the operations referred to in Art. 4(2) GDPR, namely: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of data. Your personal data are processed both on paper and electronically and/or by automated means. The Controller will process personal data for the time necessary to fulfil the above purposes, and in any case for no longer than 10 years from the termination of the relationship for Service Purposes and no longer than 2 years from data collection for Marketing Purposes.

4. Access to data

Your data may be made accessible for the purposes referred to in sections 2.A) and 2.B):

• to employees and collaborators of the Controller or companies of the Studi Web Group in Italy and abroad, in their capacity as internal data processors and/or system administrators;
• to third-party companies or other entities (by way of example, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, etc.) that carry out outsourced activities on behalf of the Controller, in their capacity as external data processors.

5. Disclosure of data

Without the need for express consent (Art. 6(b)(c) GDPR), the Controller may disclose your data for the purposes referred to in section 2.A) to supervisory bodies, judicial authorities, insurance companies for the provision of insurance services, as well as to those entities to whom disclosure is required by law for the stated purposes. Such entities will process the data as independent data controllers.

Your data will not be disseminated.

6. Data transfers

Personal data are stored on servers located in Roubaix (France) and Strasbourg (France), within the European Union. It is understood that the Controller, where necessary, reserves the right to relocate the servers outside the EU. In such case, the Controller undertakes to ensure that any transfer of data outside the EU will be carried out in compliance with applicable legal provisions, subject to the execution of Standard Contractual Clauses (SCC) provided by the European Commission.

7. Nature of data provision and consequences of refusal

The provision of data for the purposes referred to in section 2.A) is mandatory. Without it, we will be unable to provide you with the Services.

The provision of data for the purposes referred to in section 2.B) is optional. You may therefore decide not to provide any data or subsequently withdraw consent to processing of data already provided: in such case, you will not be able to receive newsletters, commercial communications and advertising material relating to the Controller's Services. You will nonetheless retain the right to the Services referred to in section 2.A).

8. Rights of the data subject

As a data subject, you have the rights under Art. 15 GDPR, namely the rights to:

1. obtain confirmation of whether or not personal data concerning you exist, even if not yet recorded, and their communication in an intelligible form;
2. obtain information on: a) the origin of personal data; b) the purposes and methods of processing; c) the logic applied where processing is carried out with electronic means; d) the identification details of the controller and processors; e) the entities or categories of entities to whom personal data may be communicated;
3. obtain: a) the updating, rectification or, where interested, the integration of data; b) the erasure, anonymisation or blocking of data processed unlawfully; c) certification that the operations referred to in (a) and (b) have been brought to the attention of those to whom the data have been communicated;
4. object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning you, even if pertinent to the purpose of collection; b) to the processing of personal data concerning you for the purpose of sending advertising material or direct sales or for conducting market research or commercial communication.

Where applicable, you also have the rights under Arts. 16–21 GDPR (right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the supervisory authority.

9. How to exercise your rights

You may exercise your rights at any time by sending:

• a registered letter to Studi Web S.r.l. – Via Nicolò Sergio De Bellis, 15 – 70013 Castellana Grotte (BA) Italy
• a certified e-mail to info@pec.studiweb.it

10. Controller, processor and appointed persons

The Data Controller is Studi Web S.r.l., registered office at Via Nicolò Sergio De Bellis, 15 - 70013 Castellana Grotte (BA) Italy – VAT No. IT05983000729. The updated list of processors and appointed persons is kept at the registered office of the Data Controller.