This document is prepared in accordance with article 13 of EU Regulation 679/2016 and describes the way in which the “Ferrox.it” website collects and processes the personal data of those who use its website (hereinafter “site”), whether they are identified as registered users (those who have an account on the site, hereinafter “registered users”) or unregistered users (those who use the site without being registered, hereinafter “unregistered users”). These subjects are jointly referred to in this Policy as “data subjects” or “users.”
The practices summarised herein are subject to EU Regulation 679/2016 on the protection of personal data (hereinafter the “Regulation”).
The Data Controller (hereinafter the “Controller”) is Ferrox Srl, with registered office in Via del Lavoro 9, 31013 – Codognè (TV), VAT Number 03613220262.
Data Controller’s email: email@example.com
In order to enable users to access the services offered, the Controller may collect the following data:
Information provided by users
User profile: retailers can opt to open an account for accessing the site’s services as a registered user. Certain information may be collected when creating or modifying this account, such as first name, last name, email address, home address, tax code, telephone number, login username and password, and payment details.
Personal data: the site offers the possibility of making purchases as an “unregistered user.” This mode allows visitors to use the site’s services without creating an account. In this case, certain information such as first name, last name, email address, home address, tax code, date of birth, telephone number, and payment details are still requested and stored in order to complete the order and subsequent transaction.
Content sent voluntarily by users: information sent by data subjects when they contact the support service, contact the controller in another way, or request to subscribe to the newsletter may be collected.
Data relating to purchases: when a user purchases a product, data relating to the purchase made and the product chosen may be collected.
Information generated through the use of services
Transaction information: information may be collected on transactions relating to the purchase of goods offered, such as the product chosen, the date and time of purchase, the amount charged, the payment method used, and whether coupons or promotional codes were used.
PURPOSE OF PROCESSING
The information collected is used for the following purposes:
Services and features
The controller uses the information collected to provide, customise, maintain and improve its services. To achieve this purpose, a variety of activities are carried out to:
- create and update accounts;
- enable users to purchase products made available through the site, either as registered or unregistered users;
- process payments;
- perform internal operations required to maintain the site, such as troubleshooting, data analysis, testing, research, monitoring and trend control activities relating to site usage;
- fulfil normal administrative and accounting obligations;
- respond to customer requests;
The controller also uses the information collected to ensure efficient customer service, namely to:
- examine and resolve problems reported by users;
- monitor and improve customer service responses.
Legal procedures and requirements
The information collected may also be used to process or manage requests or disputes relating to the user of the services provided, as well as to fulfil specific legal obligations imposed by the applicable regulations.
The information collected may be used to propose or highlight offers relating to the products through the sending of promotional and marketing emails;
To carry out the operations necessary for the supply of its products, the information collected may be shared:
With service providers
The controller may share information with suppliers, consultants, service providers or business partners. These categories of subjects include, but are not limited to:
- payment processing and facilitation systems;
- providers of cloud storage space;
- suppliers who assist the controller in developing and optimising the site’s security;
- consultants, lawyers, accountants and other professional service providers;
- persons authorised by the data controller to process data.
For legal reasons or in the event of a dispute
The controller may share information as needed to comply with applicable laws, regulations, operating agreements, legal proceedings or governmental requests or when disclosure of such information is required for security or other similar reasons.
This includes disclosing information to law enforcement and judicial officials.
If another person’s credit card is used to pay for services purchased on the site, such information may be shared with the legitimate owner of the credit card.
With reference to what is stated in this section, we would like to inform you that you can review the most recent list of data processors at the data controller’s head office, or request a copy through the contact information provided in this document.
TRANSFER OF DATA ABROAD
The data controller informs the data subject that their data will not be transferred outside the European Union. In any case, it is understood that the data controller, if necessary, has the right to transfer data within the European Union and/or to non-EU countries. In this case, the data controller hereby guarantees that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, stipulating, if necessary, agreements ensuring an adequate level of protection and/or adopting the European Commission’s standard contractual clauses and/or binding corporate rules.
The site uses the user’s profile information to provide services and stores it for as long as the account is active.
The data controller retains the information, including transaction data, for ten years in compliance with the current regulations, tax requirements and other provisions of the country in which it operates. At the end of the aforementioned term, or if such information is no longer required for the purposes set out above, the controller will take the appropriate measures to prevent access or use for any purpose.
Data subjects may request the deletion of their account, and following such a request, the data controller must delete any information that is no longer required to be stored, anonymising, where possible, any information that cannot be deleted.
Contacts required for sending promotional information shall be retained for a maximum of 24 months.
LEGAL BASIS FOR DATA PROCESSING
The personal information collected is processed in accordance with one or more of the legal bases specified in the Regulation:
Data processing is necessary to provide the services requested by data subjects:
In order to provide its services, the data controller must collect and use the following information:
- profile information required to create and manage the account and to enable payment processing;
- information relating to orders and transactions, which is required to create and store details of product purchases made on the site;
- information on the use needed to manage, optimise and improve the services provided;
- contact information necessary to respond to user requests submitted through the “Customer Service” section;
The provision and use of these data are essential requirements for using the services offered.
Data processing is necessary for the legitimate interests of the controller
The controller collects and uses personal data to the extent necessary to uphold its legitimate interests. The following information is required:
- to exercise a right in legal proceedings;
- to assist the user;
- to enhance existing services and create new ones;
- to conduct research and analysis. This includes activities such as analysing usage trends aimed at enhancing user experience, as well as bolstering the security and protection of the site.
Data processing is necessary to fulfil legal obligations
The controller may be required under the applicable regulatory framework to collect, process, disclose and store the personal data collected.
The controller may also share information with law enforcement agencies and judicial authorities, or to respond to requests from third parties in the course of legal proceedings.
Consent of the data subject is required for data processing
It is necessary for the user to provide specific and explicit consent in order to be able to use each of the following services:
- receiving promotional newsletters.
RIGHTS OF DATA SUBJECTS
Data subjects have the right to ask the data controller, at any time, for access to their Personal Data, to rectify or erase them or to object to their processing at any time; they also have the right to request the limitation of processing in the cases specified in article 18 of the Regulation, as well as to obtain the data concerning them in a structured, commonly used and machine-readable format.
The data controller will promptly respond with appropriate feedback within a maximum period of one month. In particularly complex cases, the response time may be extended to three months in accordance with the Regulation. In any case, the data controller will inform the data subject within one month of receiving the request, even in cases where refusal is necessary, as outlined by the current laws.
RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
It should be noted that pursuant to article 77 of EU Regulation 679/2016 if data subjects believe that their rights have been violated, they have the right to lodge a complaint with the Italian Data Protection Authority (“Garante”) or the relevant Judicial Authority.
UPDATING OF INFORMATION
The data controller reserves the right to update this policy periodically.
To the extent permitted by applicable legislation, by continuing to use the services provided by the site after receiving this notification, users indicate their acceptance of the proposed updates.
The data controller encourages users to regularly consult this document to stay up to date on its data protection procedures.