Last updated August 2018

The policy may change as a result of the introduction of new legislation or as a result of changes to the website, so please visit this section periodically for updates.
For any clarification, information, exercise of the rights listed in this notice, please contact shop@pepelu.it or - by registered mail with return receipt - with Pepelù at Via Vittorelli 36, 36061 Bassano del Grappa (VI).

Index:
1. General information on Privacy.
2. Definition of personal data and their processing.
3. The website's privacy subjects.
4. General information on processing and purposes for which we process data.
5. User rights.
6. Cookie Policy.

1. General information on Privacy

With this information notice the company Silvia Pepoli (henceforth, Pepelù) with registered office in Via Vittorelli no. 36, 36061 Bassano del Grappa (VI) with VAT no. 03560890240 and Tax Code. PPLSLV80H41A703Z, in the person of its pro-tempore legal representative, as Data Controller, wishes to inform you of the processing of the personal data you provide by navigating this website.
EU Reg. 2016/679 lays down rules to protect and safeguard natural persons with regard to the processing of their personal data, and this notice is drafted in accordance with the new legislation.
The Privacy Policy you are reading is exclusively referable to the website indicated in the epigraph. The Data Controller shall not be liable for the manner in which the processing of personal data is handled by third-party websites that can be linked through the Cookie section, or through any other referral links on the website.
According to the law, the processing of personal data is based on the principles of correctness, lawfulness, transparency, protection of the user's privacy and protection of his or her rights: Pepelù undertakes to observe the aforementioned principles and, also for this purpose, hereby informs you that - with the exception of those processing operations for which the law provides for your explicit consent - by browsing this website, uploading or providing personal data, you accept and agree to be bound by the terms and conditions set out in this information notice.
European Reg. 679/2016 provides for enhanced protection for children under 16 years of age, whereby if you are under 16 years of age, your consent to certain processing will only be lawful if given or authorised by the person having parental responsibility for you.
In any case, we would like to give you some information on the concept of processing of personal data, on the persons who handle them, on the main processing activities we carry out, and on your rights as a user.

2. Definition of personal data and their processing

Personal data means all information that identifies or makes identifiable a certain natural person. This refers to information that directly enables the person to be identified (such as name, surname or tax code) or only indirectly (such as online identifiers or profiling cookies). Processing of personal data, on the other hand, shall mean any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. The website's privacy subjects

The Data Controller is the natural or legal person, public authority, service or other body that, individually or jointly with others, determines the purposes and means of the processing of personal data; it also deals with security profiles. With regard to this website, the Data Controller is the company Pepelù as indicated above, and for any clarification or exercise of your rights you may contact it at the addresses indicated at the beginning of the information notice.
The Data Processor, on the other hand, is the natural or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller. With regard to the personal data provided by you while browsing this website, the Data Controller has not appointed any external Data Processor.
On the other hand, as regards the figure of the data processor, i.e. the person who processes the data under the control and direction of the Data Controller, Pepelù has appointed its employees, in particular those who may manage the website, as internal processors. These persons have been formally appointed and instructed to handle your data with care.
For more information on these individuals, please contact the addresses already mentioned.

4. Purposes for which we process your data and other information on processing

4.1 General information on processing carried out through this site

Subject to specific exceptions (see below), these rules apply to all processing carried out by our company via this website.
First of all, it should be specified that the Data Controller, in carrying out processing operations, uses only the data that are strictly necessary, which are marked with an asterisk (*) in the spaces provided on the website. The data supplied will be used solely and exclusively for the purposes set out in the following points (by way of example: data supplied for pre-contractual purposes will not be used for different purposes, unless the data subject gives his or her consent or the Data Controller has a legitimate interest in using the data for different purposes).

At the place of treatment
Your data is processed at the registered office of the Data Controller or at the office of the Data Processor.
Data collected through navigation will not be disseminated or transferred to international organisations.

On data transfer to non-EU countries
The hosting we rely on to provide you with browsing space is located in the EU territory (in Milan, Italy) so - in relation to the same service - no data is transferred to non-EU countries.
It should be noted that our company is committed to not transferring data to non-EU countries. However, when the Data Controller relies on third party companies to provide you with specific services (e.g. newsletter service, promotional communications, etc.), some data may be transferred to non-EU countries. This happens because some of these companies - or their servers - may be located in non-EU countries. This should not worry you because, if indeed a data transfer does take place, it can only take place with the guarantees provided by law, i.e. on the basis of an adequacy decision adopted by the European Commission, or with the safeguards provided for by the new European Regulation (such as the presence of binding rules for the company), or - in the absence of the aforementioned conditions - with the consent of the data subject, or within the scope of a contract between the data subject and the Data Controller, or within the scope of a contract between the Data Controller and a third party to perform a service for the data subject. For any doubts or information on the transfer of your data to non-EU countries, please contact the addresses already indicated.

Method of processing and legal basis
Processing is mostly carried out using computerised systems (by email, telephone, use of computer programmes), but in some cases also on paper (by printing documents).
Except in cases where the processing requires your explicit consent (which the Controller collects by means of a box to be ticked), all processing is lawful insofar as it is carried out on the basis of the legitimate interest of the Controller or on the basis of pre-contractual or contractual measures requested by you.

On the communication of data to third parties
In order to perform certain services for you or to fulfil legislative obligations, some data will be shared with external parties. By way of example, for the delivery of the product our company may communicate your data to the transport company, or to provide you with the Newsletter service our company may rely on companies that offer email marketing services and these companies may process your data; furthermore, to provide you with the navigation space our company relies on a company that offers hosting services: this company may also process some of your data. With regard to communications to third parties based on legal obligations, our company may communicate your data to lawyers, law enforcement agencies or judicial authorities in the case of criminal offences or other legal obligations.

On security measures
In any event, the Data Controller undertakes to protect the security of all your personal data, adopting all the computer and physical measures necessary for their protection. However, it should be emphasised that no security system can guarantee such protection with absolute certainty, and therefore, except in cases of liability for the data controller's fault, our company shall not be liable for the actions of third parties who illegally access the systems without due authorisation.

On the data of children under the age of sixteen
This website also offers services to minors under the age of sixteen. EU Reg. 679/2016 provides for enhanced protection for the latter. In fact, according to Article 8, the Data Controller may only process the data of a child under sixteen years of age with the consent or authorisation of the holder of parental responsibility. Pepelù has adopted tools to lawfully collect such consent or authorisation (see the sentences at the bottom of the data collection forms, by means of which the user is asked to declare that he/she is over the age of sixteen or that he/she has been previously authorised by his/her parent/guardian). However, the Data Controller, through this website, will never be able to check whether - in reality - such prior authorisation has actually been given by the parent/guardian. Therefore, first of all we advise you to keep a close watch on the actions of your children or guardians, then we ask you to inform us without delay in the event of receipt of unwanted communications because not previously authorised by the parent/guardian: we will proceed to the immediate deletion of the data of the child under the age of sixteen. In any case, the Data Controller is not responsible for any data collection from children under the age of sixteen who have given their consent to processing without the prior authorisation of the parent/guardian. Lastly, if the Data Controller considers that any data involuntarily collected relates to natural persons under the age of sixteen, it shall proceed without delay to their destruction.

4.2 Processing of data through mere website navigation

No identification data will be collected through simple navigation. However, for the normal operation of the website it is possible that the computer system acquires certain information whose transmission is implicit in Internet communication protocols (e.g. log files). Furthermore, through the use of cookies, information will be collected that the user does not directly provide (Cookie Policy). In any case, this is information that is not collected for the purpose of association to identified interested parties, but which, nevertheless, given its very nature, could allow third parties to identify the user, through processing and association with other data already in their possession (for example, law enforcement agencies in order to comply with specific requests by judicial authorities could trace your IP address or other online identifier).

4.3 Processing for promotional/advertising purposes

The user manifests his or her willingness to receive advertising and promotional communications from our company when he or she fills in the appropriate form on the website and when he or she gives his or her consent to receive such communications.
In order to receive such communications, the user provides his or her own personal data, i.e. his or her email address, telephone number, address (only strictly necessary data among these).
You are not obliged to provide the above-mentioned data, however, failure to do so will prevent our company from sending you the requested advertising and promotional communications concerning our products and services.
The legal basis for the processing is the granting of consent by the user, or - and this only in the case of users who are already customers of our company and expect to be informed about all news and promotions concerning our products and services - also the legitimate interest of the Controller.
The processing is carried out by means of computerised and automated systems (in particular by sending e-mails, but in some cases also by fax) in some cases managed by third-party companies providing the e-mail marketing service, as well as by more traditional systems (such as sending ordinary mail or receiving calls from our operators).
For the possible transfer of data to non-EU countries, see the entry on the transfer of data to non-EU countries in Section 4.1.
The duration of the processing depends on the will of the user who, at any time, may revoke the consent previously given by contacting the addresses indicated above, or by clicking the “unsubscribe” button at the bottom of the email received. In the case of processing based on the legitimate interest of the Data Controller, the processing ends with the user's request for objection, which he/she may assert by contacting the addresses indicated above.
Only users who have already reached the age of sixteen are permitted to request this service. For minors under the age of sixteen, see Section 4.1.

4.4 Processing carried out by filling in the “Newsletter” form”

The following rules apply to any processing on the website that is specifically aimed at subscribing to the Newsletter service.
By filling in this form, the user provides his personal data (email).
The user is not obliged to provide this data, but failure to do so will not allow our company to provide the Newsletter service to the user.
The legal basis for the processing consists of the granting of consent by the user, or - and only in the case of users who are already customers of our company and who expect to be informed about all news - the legal basis also consists of the legitimate interests of the Controller (sending communications to those who have already expressed an interest in our products does not compromise the rights and freedoms of those persons).
Processing is carried out by means of computerised systems (by e-mail).
For the possible transfer of data to non-EU countries, see the entry on the transfer of data to non-EU countries in Section 4.1.
In any case, for further information, please contact the addresses already indicated.
The duration of the processing depends on the will of the user who, at any time, may revoke the consent previously given by contacting the addresses indicated at the beginning of this information notice, or by clicking the “unsubscribe” button at the bottom of the email received. In the case of processing based on Pepelù's legitimate interest, the processing ends with the user's request to object, which he/she can assert by contacting the addresses indicated above.
Only users who are sixteen years of age or older are permitted to request the Newsletter service. For minors under the age of sixteen, see the item on the data of minors under the age of sixteen in Section 4.1.

4.5 Processing carried out by filling in the “Registration”/”Login” form”

By filling in the form entitled “Registration”, the user provides his personal data (Email).
Once Registration has been completed, the user will be able to access their Account by entering the data already provided in the “Login” section.
You are not obliged to provide this information, but failure to do so will not allow you to create your Account in order to proceed with the purchase of products in the online shop or to enjoy particular benefits, such as the ability to view your recent orders and your wish list (see Section 4 4), manage your shipping and billing addresses, change your password and other Account details.
Such processing is lawful insofar as it is carried out on the basis of the user's consent or on the basis of the legitimate interest of the Data Controller. Legitimate interest exists insofar as, although the service does not properly form part of the performance of the contract, the company believes it is providing it in the exclusive interest of the user, whose rights and freedoms will not be affected in any way.
This processing is carried out by means of IT tools, such as the use of the computer programme and the email service.
The duration of the processing depends on the will of the user who, at any time, may access his/her Account to unsubscribe or may directly contact the addresses already indicated to expressly revoke the consent previously given. In the event of failure to grant consent and therefore use of the Account by virtue of the legitimate interest of the Data Controller, the user may object to the processing at any time by contacting the addresses already indicated.
Registration is only permitted to users who have already reached the age of majority: this is because this form is closely linked to the product purchase procedure which, by law, can only be carried out by those who have already reached the age of majority. Registrations made by persons not having such requisites will be immediately deleted by the Data Controller.

4.6 Treatments via the “Wishlist” button”

By clicking the “Heart” button next to the products, the user expresses his or her tastes and interests, which are stored in the “WishList” section of the website.
The user is not obliged to provide such data, but failure to do so does not allow the user to store certain products and to consider purchasing them at a later date.
This action could generate two different effects depending on whether or not the registration referred to in section 4.4 exists.

4.6.1 In fact, if the user had not registered, clicking on the “Heart” will not allow the user to be identified, as the taste data cannot be associated with other data available to the website owner.

4.6.2 On the other hand, if the user had already registered, the click on the “Heart” would memorise the preference within the user's Account, thus making it identifiable and manifesting a specific taste expressed by the user. The same rules set out in Article 4.5 apply to such processing.

4.7 Processes carried out for purchasing via an online shop (Shopping Cart - Checkout - Procedure for purchase)

This article regulates the processing of data that the user provides for the purchase of the product in the online shop.
Only users over 18 years of age, who have previously created their own Account (see Section 4.5 of this notice), are permitted to purchase.
To proceed with the purchase, the user must first click on the desired product. The user's preferences are stored in the “Shopping Cart” section. In this section, the user can store several products, choose which ones to purchase and which ones to delete from the basket. Once the products to be purchased have been determined, the user - by clicking the “Checkout” button - accesses the further section aimed at purchasing. In this section, the user must provide the personal data necessary for identification (such as name, surname, address), as well as the promotional code, if any.
Lastly, the user will have to choose how to pay for the product. The data used for payment will not be processed by the Data Controller, but only by the credit institution of reference. For these reasons, the user is advised to read the privacy policy of the Data Controller's credit institution (indicated at the top of the form for the collection of such data), the privacy policy of its own credit institution, as well as that of PayPal.
The following rules apply to all the above steps for the purchase of the product.
In order to proceed with the purchase, the user provides his or her own personal data (data relating to his or her tastes, first name, last name, address, any other address for delivery of the goods, telephone number, email, own notes, data relating to payment systems, other).
The user is not obliged to provide such data, but failure to do so does not allow the user to purchase the product.
The processing is lawful insofar as it is carried out on the basis of pre-contractual measures (use of the data in order to proceed with the purchase) and contractual measures (for purchases, returns, replacements, other related to the contract) requested by the user. In any case, the Data Controller requires the express consent of the user.
Processing is carried out by means of computerised (ecommerce platform) and paper-based (order printing) systems.
The duration of the processing depends on whether or not the purchase procedure is concluded. Indeed, if the user releases the data but does not purchase the good, his data will not be stored. On the other hand, if the good is purchased, the user's data will be stored for ten years from the conclusion of the contract, due to legal, accounting and fiscal protection requirements to which the Data Controller is subject by law.
Only persons of legal age are permitted to purchase. The Holder is not liable in the case of data provided by minors who have used trickery and deception to appear to be of age (e.g. use by the minor of data and credit cards of parents or guardians).

4.8 Processing following the use of the contact details given at the bottom of the website

By contacting the telephone number and e-mail address indicated on the website, the user provides personal data (e.g. name, surname, telephone number, etc.). The provision of such data is optional, but failure to provide it does not allow the Data Controller to respond to requests for information from the user. The legal basis of the processing consists in the execution of pre-contractual measures (requests for information on our activity, for estimates, other pertaining to the sphere of our work) or in the user's consent (which he/she will expressly declare by contacting us) or in the legitimate interest of the Data Controller (consent or legitimate interest, only where the information requested is not pre-contractual or contractual in nature). This data will be processed using computerised or paper-based systems and the duration of the processing ends with the fulfilment of the information service by the Data Controller.

5. User rights

The data subject - i.e. the person who makes his or her personal data available to the data controller - is entitled to the following rights:

• the right of the data subject to request access to personal data from the controller, i.e. to know what data the controller processes;
• the right to have them updated;
• the right to have one's data rectified, i.e. the right to have one's data changed;
• the right to supplement one's own data, i.e. the right to supplement the data with other information provided by the data subject;
• the right to restriction of processing concerning him, i.e. to limit the use of the data by the data controller;
• the right to object, on legitimate grounds, to their processing;
• the right to data portability, i.e. the right to receive all personal data processed by the
• holder in a structured, machine-readable format;
• the right to request deletion of one's data from the data controller;
• transformation into anonymous form or blocking of data processed in violation of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed;
• the right to obtain certification that the operations of updating, rectification, integration of data, deletion, blocking of data, transformation, have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except where this proves impossible or involves a manifestly disproportionate effort compared to the right protected;
• the right to revoke at any time the explicit consent previously given, without prejudice to the lawfulness of the processing carried out up to that moment;
• the right to lodge a complaint with the Garante per la Protezione dei dati personali in the event of violations of the law.

For a more detailed examination of your rights, see Articles 13 - 15 - 16 - 17 - 18 - 20 - 21 of EU Reg. 679/2016. Requests may be addressed to the Data Controller, without formalities, at the addresses listed above, or alternatively, using the form provided by the Garante per la Protezione dei Dati Personali available at http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924

6. Cookie Policy

This website may also use automated tools to send you advertisements in line with your tastes and interests. Information on cookies and cookie-like automated systems is made available to the user by clicking on the appropriate link called “Cookie Policy” on the website. For the sake of completeness, the Data Controller also provides the aforementioned information below.

Consent Management and Cookie Banner

To manage the cookies and similar technologies used (tracking pixels, web beacons, etc.) and their consents, we use the "Real Cookie Banner" consent tool. Details on how "Real Cookie Banner" works can be found at https://devowl.io/rcb/data-processing/.

The legal bases for the processing of personal data in this context are Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR. Our legitimate interest is the management of cookies and similar technologies used and the relevant consents.

The provision of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide personal data. If you do not provide personal data, we will not be able to handle your consent.