Privacy Policy for eCommerce and Newsletter


Notice on the Processing of Personal Data

This document outlines the principles and rules followed by SAVIO S.p.A. in processing its customers’ data, in compliance with the European Regulation on the protection of personal data No. 679/2016 (hereinafter referred to as « GDPR »). Users are provided with all relevant information regarding data processing and the rights they may exercise.

This notice is also intended for natural persons who access the website on behalf of legal entities in the performance of their duties and use their personal data.

CONTENTS:

  1. KEY DEFINITIONS (Art. 4 GDPR)
  2. DATA CONTROLLER
  3. PURPOSE OF DATA PROCESSING, TYPES OF DATA COLLECTED, AND LEGAL BASES FOR PROCESSING
  • REGISTRATION AND PURCHASE OF GOODS ON THE WEBSITE
  • PAYMENT SERVICES
  • SHIPMENT OF PURCHASED GOODS
  • USE OF DATA FOR FRAUD PREVENTION
  • DEFENSE OF LEGAL CLAIMS
  • USE OF DATA FOR MARKETING AND PROFILING PURPOSES
  • NEWSLETTER
  • SENDING COMMUNICATIONS ABOUT PRODUCTS SIMILAR TO THOSE PURCHASED
  • SOCIAL MEDIA

  4. EMPLOYEES AND THIRD-PARTY PARTNERS
  • DATA RECIPIENTS OUTSIDE THE EU
  5. SECURITY MEASURES
  6. MINORS
  7. DATA RETENTION PERIODS
  8. DATA SUBJECT RIGHTS
  9. CONTACT INFORMATION

 

1. KEY DEFINITIONS (Art. 4 GDPR)

Personal Data

Any information relating to an identified or identifiable natural person (« data subject »); a person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more elements specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Data Processing

Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Profiling

Any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning their professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Data Controller

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by such law.

Data Processor

The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.

 

2. DATA CONTROLLER

The Data Controller is SAVIO S.P.A., with registered office at Via Torino Strada Statale 25 No. 25, 10050 Chiusa di San Michele (TO), Italy, Tax Code and VAT No. 12396890019, represented by its Chief Executive Officer, Moshe Nash ABRAMOV.

The updated list of all appointed Data Processors is available at the Controller’s operational headquarters and can be provided upon written request to the contact details listed below.

 

3. PURPOSE OF DATA PROCESSING, TYPES OF DATA COLLECTED, AND LEGAL BASES FOR PROCESSING

Below are the purposes of data processing, the relevant legal bases, and the types of personal data processed.

If you act on behalf of a legal entity for the purposes indicated below, and except where consent is required or the Data Controller has another legitimate interest, the legal basis for processing your data is the legitimate interest of SAVIO S.P.A. in processing the personal data of employees, executives, representatives, or administrators of the legal entity client for the purpose of concluding, fulfilling, and executing the contract entered into with the latter, in accordance with Article 6(1)(f) GDPR.

In this case, your personal data will be processed only to the extent strictly necessary for managing the relationship between the Data Controller and the legal entity for which you operate.

 

  • REGISTRATION AND PURCHASE OF GOODS ON THE WEBSITE

In order to make a purchase of goods advertised on the websites: https://savio.it (B2B eCommerce for window accessory products) and https://shop.savio.it (B2C eCommerce for various products), it is necessary to register by creating a user profile with a username and password.

The following data will be processed:

  • First Name
  • Last Name
  • Tax Code (Codice Fiscale)
  • Email Address
  • Mobile Phone Number
  • Telephone Number
  • Address
  • City
  • Country
  • Province
  • Postal Code (CAP)
  • Company Name (if applicable)
  • VAT Number (if applicable)
  • PEC (Certified Email)
  • Unique Code
  • Website (if applicable)
  • Bank Information
  • Bank Account IBAN
  • Shipping Addresses (if different from the main address)
  • Payment Terms

The provision of the above-mentioned data is essential in order to complete and execute the contract for the purchase of goods advertised on the website, including compliance with fiscal obligations (such as invoicing).

Failure to provide this data will prevent the conclusion of the contract.

The processing of the data provided for the conclusion and execution of the contract is based on Article 6, paragraph 1, letter b) of the GDPR (processing necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject).

  • PAYMENT SERVICES

Payment methods can be made via:

Regarding payments via credit card (Stripe intermediary) and PayPal (PayPal (Europe) S.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg) or bank transfer, the payment data will be processed directly by the service provider contracted by SAVIO S.P.A.

The banks used are: BANCA ALPI MARITTIME CREDITO COOPERATIVO CARRU’ SCRL (privacy policy available on the website https://www.bancaalpimarittime.it/privacy.asp) and BANCO POPOLARE – SOCIETA’ COOPERATIVA (privacy policy available on the website https://gruppo.bancobpm.it/privacy/).

For businesses/professionals, SAVIO S.P.A. conducts a financial check using the CRIBIS service (https://www.cribis.com/it/privacy-policy/) and reserves the right not to activate the account related to the profile after verification of the requested brands or financial situation.

In the case of refunds due to product returns, you will be required to provide your banking details for the reimbursement. Your banking data will be deleted immediately after the refund payment is processed.

Failure to provide payment data will prevent the conclusion of the contract.

The legal basis for this processing is always Article 6, paragraph 1, letter b) of the GDPR (processing necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject).

 

  • SHIPPING OF PURCHASED GOODS

The data related to the delivery address will be transmitted to the supplier appointed by SAVIO S.P.A. for the delivery of the goods:

In order to ensure the fulfillment of contractual obligations related to the purchase and delivery of the goods, the following data will be communicated to the appointed company:

  • First Name (or Company Name for businesses)
  • Last Name
  • Address
  • City
  • Country
  • Province
  • Postal Code (CAP)
  • Email Address
  • Telephone Number

The data mentioned above is transmitted for the purposes outlined above and will be deleted by the Supplier once the delivery has been completed, unless the appointed Company has a legal obligation to retain the data.

Failure to provide the data required for the delivery of the goods will prevent the conclusion of the contract.

The legal basis for the processing of this data is provided by Article 6, paragraph 1, letter b) of the GDPR (processing necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject).

 

  • USE OF DATA FOR FRAUD PREVENTION

SAVIO S.P.A. may use the data provided in the context of the purchase order to prevent fraud and identity theft that may occur, for example, when:

  • The shipping address differs from the billing address.
  • Multiple orders are placed for the same item.
  • Large orders are made.
  • Suspicious email addresses or phone numbers are provided (e.g., different names, companies posing as individuals, countries or area codes that differ from the billing address).

The legal basis for conducting such verification is provided by Article 6, paragraph 1, letter f) of the GDPR (legitimate interest of SAVIO S.P.A. to prevent payment defaults, fraud, and identity theft).

 

  • DEFENSE OF A RIGHT

If necessary, your data may be processed to ascertain, exercise, or defend the rights of SAVIO S.P.A. in judicial or extrajudicial proceedings.

The legal basis for this processing is provided by Article 6, paragraph 1, letter f) of the GDPR (legitimate interest of SAVIO S.P.A. to ascertain, exercise, or defend a right in judicial or extrajudicial proceedings).

 

  • USE OF DATA FOR MARKETING AND PROFILING PURPOSES

The data will be used for the following purposes:

  • Advertising, marketing, or promotional activities (via email, postal service, social networks, SMS), including the sending of commercial newsletters, offers, promotions, discounts, and invitations to events or exhibitions.
  • Profiling, through the automated analysis of purchasing behaviors, using data related to your spending, in order to improve commercial offerings and carry out specific promotions of products and commercial offers most suited to your profile and needs, also through market research and surveys.

The following data may be used:

  • First Name
  • Last Name
  • Email Address
  • Address
  • City
  • Country
  • Province
  • Cookies (for information on cookie management and profiling, please refer to the specific policy adopted on the website https://savio.it/cookie-policy/)
  • Data related to your usage of the website, such as browsing activity and items added to your shopping cart, for both statistical purposes and personalized advertising.

Additionally, user data may be shared with third-party advertisers within the same sector as SAVIO S.P.A.

The processing of the above-mentioned data for the purposes outlined can only occur with the prior consent of the data subject, in accordance with Article 6, paragraph 1, letter a) of the GDPR.

  • NEWSLETTER

You have the option to subscribe to the newsletter to receive news related to the goods for sale, potential promotions, and any personalized offers. After submitting the subscription request, you will receive an email asking you to confirm your subscription: only after activating the confirmation link will your subscription become effective.

The legal basis for this processing is consent, pursuant to Article 6, paragraph 1, letter a) of the GDPR.

 

  • SENDING COMMUNICATIONS ABOUT SIMILAR PRODUCTS TO THOSE PURCHASED

Promotional messages about products similar to those you have purchased may be sent exclusively to the email address provided during the purchase on the website, in accordance with Article 130, paragraph 4 of the Privacy Code (Legislative Decree No. 196/2003).

The legal basis for this processing is the legitimate interest of SAVIO S.P.A. in carrying out promotional activities, pursuant to Article 6, paragraph 1, letter f) of the GDPR.

You have the right to object to this processing at any time by sending a communication to SAVIO S.P.A. at the contact addresses provided.

 

  • SOCIAL MEDIA

SAVIO S.P.A. is present for advertising purposes with official profiles on Facebook, Instagram, and LinkedIn. The responsibility for managing data in compliance with personal data protection regulations lies with each provider, and users are referred to the respective privacy notices and policies for data processing (Facebook: https://www.facebook.com/privacy/policy/; Instagram: https://about.instagram.com/it-it/safety/privacy; LinkedIn: https://www.linkedin.com/legal/privacy-policy?).

By logging out of social media pages and deleting installed cookies, you can prevent the social networks from linking information regarding your visit to our website with your user account on the respective social network.

 

4. EMPLOYEES AND THIRD-PARTY PARTNERS

Your data, as described in this privacy notice, may be communicated and processed by individuals within the SAVIO S.P.A. organization who need access to it due to their job role. These individuals are authorized to process the data under the direct authority of the Data Controller pursuant to Article 4, No. 10 of the GDPR.

For the performance of its activities and the provision of services, SAVIO S.P.A. relies on third-party partners (transport and logistics companies, companies responsible for the maintenance and management of IT systems and software, professionals, sole proprietors, and companies that provide support or consulting services to the Data Controller).

The data being processed will be transmitted to these third-party partners when necessary for the provision of services. In such cases, the third parties will process the data on behalf of SAVIO S.P.A. and are designated as data processors. In this case, the data will only be processed for the purposes explicitly stated in the agreement that governs the data processing, and only to the extent necessary to achieve these purposes, in accordance with SAVIO S.P.A.’s instructions.

The transfer and communication of data to public authorities or for the fulfillment of legal obligations remain unaffected.

 

4.1 RECIPIENTS OUTSIDE THE EU AND THE EUROPEAN ECONOMIC AREA

In general, we do not transfer your data to recipients located outside the European Union or the European Economic Area.

If this becomes necessary, SAVIO S.P.A. will act in accordance with the provisions of Chapter V of the GDPR.

All measures will be taken to ensure the protection of personal data, based on the following:

  • A decision of adequacy from the European Commission;
  • The existence of adequate safeguards under Article 46 of the GDPR;
  • The adoption of Binding Corporate Rules under Article 47 of the GDPR.

You can request any additional information or clarification from SAVIO S.P.A. using the contact details provided.

SAVIO S.P.A. uses services and programs, including cloud services such as Microsoft 365, whose servers and data centers are located within the European Union. For maintenance/diagnostic reasons related to the IT infrastructure and the operational requirements of cloud services, as well as for cybersecurity purposes, Microsoft may conduct interventions from outside the EU/EEA.

In such cases, the EU-US Data Privacy Framework applies, to which Microsoft adheres. This framework has been deemed adequate by the European Commission in its decision of July 10, 2023 (all relevant information is available on the following websites: https://www.microsoft.com/it-it/trust-center/privacy; https://www.microsoft.com/en-us/privacy/privacystatement and https://learn.microsoft.com/it-it/privacy/eudb/eu-data-boundary-transfers-for-all-services).

5. SECURITY MEASURES

SAVIO S.P.A. has implemented technical and organizational measures to protect and prevent unlawful access to the data processed.

Users are advised to use a complex password (at least 8 characters long, containing an uppercase letter, a number, and a symbol) in order to secure their account.

It is recommended not to share the password with third parties or use the same password across multiple websites.

If a user believes their account has been compromised, they may contact SAVIO S.P.A. directly using the contact details provided in this privacy notice.

6. MINORS

The services provided on the website are reserved for users who are of legal age (18 years or older). No data of minors is processed. If a minor has registered on the website without the consent of a parent or legal guardian, the minor’s data must be immediately communicated to SAVIO S.P.A. using the contact details in this privacy notice, so that the minor’s data can be deleted without delay, and the registration cancelled.

Similarly, immediate deletion will occur if it becomes known that a minor has registered on the website.

7. DATA RETENTION PERIODS

The period for which data is retained depends on the purposes of the processing and is outlined below.

In any case, specific legal obligations (such as those related to tax, accounting, or civil law) may require the Data Controller to retain your data for longer periods, solely for the purposes set out in the relevant legislation (e.g., to comply with tax/accounting obligations).

In cases where the processing of data requires the consent of the data subject, the subject has the right to withdraw consent at any time by sending a communication to the contact details provided.

Therefore, subject to any additional legal obligations mentioned above:

  • Data collected for the establishment and execution of the contract is retained for the entire duration of the contract and until the expiration of any statutory or contractual warranties, subject to the legal obligations mentioned above. After the termination of the contract, the data will be retained for a maximum period of 10 years in compliance with the civil code’s statute of limitations.
  • Data related to the activated account (including newsletter subscription) will be retained as long as the account is in use (i.e., as long as you remain an active customer). The customer account will be deleted after 3 years of inactivity.
  • Promotional messages regarding products similar to those purchased, sent to the email address provided during the purchase on the website, as per Article 130, paragraph 4 of the Privacy Code, will be linked to the ongoing use of the account (i.e., the sending of such messages presumes that you are an active customer). The sending will cease after 2 years of inactivity, with the cessation of data processing for this purpose.
  • Use of data for marketing purposes (without tracking): 5 years from the last contact, unless consent is revoked earlier by the user.
  • Tracking data: 3 years from the last contact, unless consent is revoked earlier by the user.
  • Tax obligations: for the duration of the contract, as well as for the subsequent 10 years following the end of the relevant fiscal year, to address tax assessments or disputes.
  • In the case of legal disputes, if necessary to defend, act, or make claims against you or third parties, the Data Controller may retain personal data deemed reasonably necessary for such purposes and for the duration during which such claims may be pursued.

 

8. RIGHTS OF THE DATA SUBJECT

The GDPR grants the data subject a comprehensive set of rights that allow you to consistently monitor the processing of your data by SAVIO S.P.A.

Specifically, your rights are as follows:

Right of access to your personal data stored by us (Article 15 of the GDPR): As the data subject, you have the right to obtain confirmation from the Data Controller (SAVIO S.P.A.) as to whether or not personal data concerning you is being processed, and if so, to obtain access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data being processed;
c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly if the recipients are located in third countries or international organizations;
d) where possible, the retention period for the personal data or, if not possible, the criteria used to determine that period;
g) if the data was not collected directly from you, all available information on its origin.

  • Right to rectification of inaccurate data or completion of incomplete data (Article 16 of the GDPR).
  • Right to erasure of stored data (Article 17 of the GDPR), provided that SAVIO S.P.A. is not required to retain the data due to legal obligations and if there is no right for further retention for the assessment, exercise, or defense of a right in legal proceedings (for example, in the case of outstanding debts owed by you).
  • Right to restriction of processing your data (Article 18 of the GDPR): This right may be exercised if:
      • You contest the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of the data;
      • The processing is unlawful, and the data subject objects to the erasure of the personal data and requests that its use be restricted instead;
      • Although the Data Controller no longer requires the data for processing, the personal data is necessary for the data subject to assert, exercise, or defend a right in legal proceedings;
      • The data subject has objected to the processing pursuant to Article 21, paragraph 1 of the GDPR, pending verification of whether the legitimate interests of the Data Controller override those of the data subject.

We remind you that if the processing of data has been restricted following the exercise of your right, the data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise, or defense of a right in legal proceedings, or to protect the rights of another natural or legal person, or for important public interest reasons within the European Union or a Member State.

If you have obtained a restriction on processing, you will be informed by the Data Controller before the restriction is lifted.

  • Right to data portability (Article 20 of the GDPR):
    You have the right to receive certain personal data that we hold about you in a structured, commonly used, and machine-readable format, or to request that such data be transmitted to another data controller.
  • Right to object (Article 21 of the GDPR) and to withdraw consent:
    You can object at any time to the processing of your personal data for marketing purposes, or withdraw any consent previously given by sending a communication via mail or email to the addresses provided in the « Contacts » section.

You can also exercise these rights directly on our website in the “My Account” section.

Once we have received your objection or withdrawal of consent, SAVIO S.P.A. will refrain from using, processing, and transmitting the relevant data, subject to technical times required to process your request.

You may also object at any time to the processing of your data based on SAVIO S.P.A.’s legitimate interest, including any profiling based on such processing. SAVIO S.P.A. will refrain from processing on this legal basis, unless there are overriding legitimate grounds for proceeding with the processing that prevail over your interests or rights, or if it is necessary for the establishment, exercise, or defense of a legal claim.

We remind you that if the data processing is based on your consent, you have the right to withdraw it at any time by sending a communication to SAVIO S.P.A. at the contact details provided.

  • Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you (Article 22 of the GDPR):
    This does not apply to decisions that are necessary for the conclusion or performance of a contract between you and the data controller; authorized by the law of the European Union or the Member State to which the Data Controller is subject (Italy in this case); or based on your explicit consent.
  • Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR):
    If you believe that your data is being processed in violation of data protection regulations, you can contact the Data Protection Authority (Garante per la protezione dei dati personali) following the procedures outlined on their website (garanteprivacy.it), or the supervisory authority of another EU country where you reside or work, or where the alleged violation has occurred.

Please note that the rights and powers outlined above may be subject to limitation/exclusion under Article 23 of the GDPR and Article 2-duodecies of the Privacy Code (Legislative Decree No. 196/2003) for reasons of justice (including the judicial handling of legal matters and disputes). In such cases, you can still exercise your rights through the Data Protection Authority in the manner provided under Article 160 of the Privacy Code.

9. CONTACTS
You can exercise the rights described above, as well as withdraw your consent to the processing of your data in the cases specified in this notice, by writing to the company SAVIO S.P.A. with its registered office at Via Torino Strada Statale 25 n. 25 – 10050 CHIUSA DI SAN MICHELE (TO), or by sending an email to privacy@savio.it or a certified email (PEC) to hope57@legalmail.it.

Latest update: January 2025