1. Data Controller and contact details
The Data Controller is IRON LYNX S.R.L with registered office in Via Civinelli, 950 - 47522, Cesena (FC), P.IVA 04345820403, hereinafter also "Data Controller" or just "Controller".
2. Personal data subject to processing
The personal data processed through the Store are those indicated below.
A. Navigation data
The computer systems and software procedures used to operate the Store acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. These personal data are not collected to be associated with identified data subjects, but, considering their nature and intrinsic characteristics, they could, through processing and association with data held by third parties, enable Users to be identified. This category of data includes, for example, IP addresses, domain names of the computers used by Users who connect to the Store and the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the User's IT environment. These data are only used to obtain aggregate or anonymous statistical information on the use of the Store itself, to check its correct functioning and to identify anomalies and/or abuses. The data could also be used to ascertain responsibility in case of hypothetical computer crimes against the Store or at the request of the competent authorities. Apart from this eventuality, the data collected are deleted immediately after the aforementioned statistical processing.
B. Data provided on a voluntary basis
Through the Store, the User may voluntarily provide personal data, such as:
- personal data (such as, for example, first name, last name, e-mail address, telephone/cell phone number, etc.) requested by the form on the Store and provided by the User when registering on the Store and, therefore, when creating his/her own account and/or modifying the latter and/or purchasing products sold on the Store (Registered User);
- personal data (such as, for example, first name, last name, e-mail address, shipping address, etc.) provided through the Store by the non-registered User (Guest User) when purchasing products sold therein;
- personal data (such as, for example, first name, last name, e-mail address, telephone/cell phone number, etc.) provided by the User in the case of requests for information/clarifications, also concerning the products sold on the Store, made using the form and/or by sending an e-mail to customer care or another email address indicated on the Store;
- any other personal data provided by the User in the event of any complaints and/or exercise of their rights.
The Registered User, therefore, will have a personal account in which data and information referable to him or her will be stored (e.g., biographical data, order/purchase/reservation history, preferred delivery and billing addresses) and accessible by the User who can modify and/or update such data and information and consult the history of his/her purchases.
As regards personal data relating to the credit card or other digital payment instrument used to purchase products on the Store, the User will be redirected to the web page of the payment service providers - such as, for example, Shopify International Ltd, as regards Shop Pay and PayPal Holdings, Inc. as regards PayPal - and will have to enter the data necessary to complete the purchase process. By selecting the payment option, the data subject agrees to the transfer of personal data required for payment processing. The data in question will not pass through the Data Controller's server and will be processed by the aforementioned service providers as independent data controllers, unless the User decides to store them with the aim of facilitating future purchases on the Store.
The Store uses the following payment services; please refer to their respective privacy policies for further information regarding personal data processing:
Shopify Payments: https://it.shopify.com/legal/privacy
The Data Controller shall process personal data in compliance with the Applicable Law, assuming that they refer to the User or to third parties whose personal data the User was otherwise entitled to provide. With respect to these assumptions, the User undertakes to indemnify and hold harmless the Data Controller from any dispute, claim or request for compensation for damage caused by the processing of personal data that may be received from such third parties.
C. Cookies and other tracking tools
3. Purposes and legal basis of the processing
The table below describes the purposes and legal bases of the processing of the personal data mentioned above.
The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [Article 6(1)(b) of the GDPR].
The processing is necessary for compliance with legal obligations to which the Data Controller is subject [Article 6(1)(c) of the GDPR].
Verifying any fraudulent or illegal use of the Store and ensuring its security and functionality in the interest of the Data Controller and the Users.
The processing is necessary for pursuing the legitimate interests of the Data Controller and the Users to prevent or identify any fraudulent or otherwise illegal use of the Store [Article 6(1)(f) of the GDPR].
Carrying out research/statistical analysis on aggregate or anonymous data, without therefore being able to identify the User, to measure traffic and assess usability and interest of Users with respect to the Store.
The processing is necessary for pursuing the legitimate interest of the Data Controller to verify the usability and appeal of the Store [Article 6(1)(f) of the GDPR].
Ascertaining, exercising, or defending legal claims or whenever courts are acting in their judicial capacity.
The processing is necessary for pursuing the legitimate interest of the Data Controller to ascertain, exercise, or defend legal claims or whenever the courts are acting in their judicial capacity [Article 6(1)(f) of the GDPR].
Sending newsletters on the products sold and/or on the initiatives and/or events organized by the Data Controller and/or on the activities carried out by the latter.
The processing is based on the consent to subscribe to the newsletter expressed by the User by entering their e-mail address in the appropriate box and flagging the appropriate checkbox there [art. 130 of the Privacy Code and art. 6(1)(a) of the GDPR]. The User can unsubscribe from the newsletter at any time by clicking on the "Unsubscribe" link at the bottom of the emails sent or by requesting the Data Controller to unsubscribe from the newsletter.
4. Consequences of failure to provide personal data
The provision of personal data by the User is, in most cases, necessary. Failure to provide the same, in whole or in part, could in fact result in the impossibility of correctly processing the purchase order and/or concluding and executing the contract and/or fulfilling the legal obligations to which the Data Controller is subject and/or providing a response to the User's requests.
The User, conversely, is free to provide or not to provide his or her data for the reception of the newsletter and/or communications of a commercial nature and no consequences will arise on the conclusion and execution of the contract in the event that he or she decides not to give his or her consent or to revoke the consent initially given to receive the newsletter.
5. Methods of personal data processing
Personal data are processed with manual and/or computer-based instruments, in any case in such a way as to guarantee their security and confidentiality. To this end, the Data Controller has adopted and implements security measures, both technical and organisational, appropriate to the level of risk related to the processing of personal data carried out. In particular, Store functionality is provided over an HTTPS-encrypted connection and personal data are collected, filed, and stored on secure servers, protected by firewalls, and physically located within the European Union.
6. Recipients or categories of recipients of the personal data
Recipients or categories of recipients of the personal data, for the purposes set out in paragraph 3 above, will be:
- employees of Data Controller authorized to process those personal data pursuant to Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code and who have received specific instructions on how to process the data in accordance with the Applicable Law;
- companies, consultants, or professionals who may be entrusted with the installation, maintenance, updating of the Store (for example, web agency) and, in general, with the management of the hardware and software of the Data Controller, including the hosting provider and cloud computing services provider that act as data processors pursuant to Article 28 of the GDPR;
- the Shopify company which provides the online e-commerce platform through which the products are sold and in whose database the data is collected and stored, which acts as data processor pursuant to Article 28 of the GDPR;
- the company in charge of customer care activities in relation to the products sold on the Store which acts as data processor pursuant to Article 28 of the GDPR;
- payment service providers who act as independent data controllers;
- the company in charge of logistical support and/or warehouse and/or packaging activities for the products sold on the Store and which acts as independent data controller;
- the couriers responsible for shipping, delivery and/or, if applicable, collection of the products sold through the Store and who act as independent data controllers;
- Public Authorities to whom, in their capacity as independent data controllers, it is mandatory to disclose the personal data by virtue of legal provisions or orders of the authorities or to prevent and/or detect any fraudulent activity or abuse concerning the use of the Store and/or the services offered by the Data Controller;
- law firms, associated firms, consultants or professionals (for example, legal, accounting and/or tax consultancy firms) who support the Data Controller in order to guarantee the correct fulfillment of the legal obligations to which he is subject and the ascertainment, exercise or defence of legal claims in court or whenever the jurisdictional authorities exercise their jurisdictional functions;
- companies that provide logistical support and/or assistance for shipping, delivery and/or, possibly, collection of products sold through the Store.
7. Data transfers towards third countries or international organizations
Personal data is generally processed in the European Economic Area. However, in some cases the data will be transferred to countries located outside the European Economic Area which do not guarantee an adequate level of protection of personal data, such as the United States. A complete list of these countries is available upon request from the Data Controller. The transfer of data to these third countries will in any case take place in compliance with the provisions of articles 44 et seq. of the GDPR.
8. Periods of retention of personal data
The personal data of the User or provided by the User will be kept for a period not exceeding that necessary to pursue the purposes for which they are collected and processed. In particular, without prejudice to due compliance with the ten-year retention period for invoices and accounting documents, the personal data of the User-customer will be retained for a maximum period of 24 months from the last purchase. For marketing purposes, the data will be stored for a maximum period of 24 months from the date of subscription to the newsletter and/or from the renewal of the consent given to receive the newsletter.
In the event that the Data Controller, if the conditions are met, finds himself in the situation of having to ascertain, defend or enforce legal situations in court or whenever the jurisdictional authorities act in this capacity, the retention periods may extend until the conclusion of the proceedings.
9. Rights of the data subject
The User, as the data subject, and/or the third party on whose behalf the User has provided the data, has the right:
- to receive confirmation as to whether or not his/her personal data are being processed and, if so, to obtain access to them and to a range of relevant information, including, by way of example, information concerning: a) the purposes of the processing; b) the categories of personal data that are subject to processing; c) the entities or categories of entities to whom or which the personal data have been or will be communicated; d) the storage period of the data or, if that is not possible, the criteria used to determine that period; e) the source of the personal data, if they have not been provided by the User;
- to request and obtain the updating of personal data, the rectification of inaccurate data or, when needed, the integration of incomplete data;
- where the processing is based on the consent of the User, to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- to request and obtain the erasure of personal data if: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the User objects to the processing carried out on the basis of a legitimate interest of the Data Controller and there is no overriding legitimate reason to continue the processing; c) the personal data have been processed unlawfully; d) the personal data must be erased by the Controller in compliance with a legal obligation;
- to request and obtain the restriction of processing in the event of: (a) contestation of the accuracy of his/her personal data for the time necessary for the Data Controller to carry out the requested verifications; (b) unlawful processing of data by the Data Controller, if the User objects to the deletion of the data and instead requests the restriction of its use; (c) ascertainment, exercise or defence of a right of the User in court, although the Data Controller no longer needs the data for the purposes of processing; (d) awaiting the outcome of the verification as to whether the Data Controller's legitimate reasons prevail over those of the data subject;
- in cases where the processing of personal data is based on a contract and is carried out by automated means, to request and receive in a structured, commonly used and machine-readable format his/her personal data and, if technically feasible, to obtain the direct transmission of them by the Controller to another controller;
- to object, in whole or in part, on legitimate grounds relating to the User’s particular situation, to the processing of personal data concerning the User, even though they are relevant to the purpose of collection;
- to file a complaint with the Italian Data Protection Authority pursuant to Article 77 of the GDPR and Articles 140-bis et seq. of the Privacy Code, if the data subject believes that his/her rights under the Applicable Law have been violated.
The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
10. Exercise of rights of the data subject
As data subject, the User may exercise the above-mentioned rights at any time by contacting the Data Controller at the contact details listed above.
If the User wishes to lodge a complaint with the Italian Data Protection Authority, he/she may use the forms available on the Store of the above-mentioned Authority.
Last update: 6th November 2023