Privacy Policy

Boglioli S.p.A., as data controller, provides users, pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter, the "GDPR"), the following information on the processing of personal data of users of the website www.bogliolimilano.com (hereinafter, the "Site").

Data Controller

The data controller (hereinafter, the "Data Controller"), i.e., the entity that defines the purposes and means of personal data processing, is Boglioli S.p.A., with registered office in Via Brescia n. 47, Gambara (BS), Italy, VAT no. 00564580983; contact: privacy@boglioli.it.

Personal Data

"Personal data" means any information relating to an identified or identifiable natural person ("data subject").

The Site collects the following Personal Data from users:

Navigation data: IP addresses, domain names of computers used by users, URI addresses, time of request, method used in submitting the request to the server, size of the file obtained in response, numerical code indicating the status of the response, country of origin, browser and operating system characteristics, time spent on pages, and details related to the itinerary followed within the Site.
Personal and contact data (only upon registration to the Site): name, surname, date of birth, gender (optional data), email address, phone number, delivery address for purchased goods, geographical location.
Payment data: payment information (managed through the Shopify platform).
Purchase-related data: purchase history, billing data and address and any other data necessary for managing purchase orders.

Methods of data collection

Personal Data is provided directly by the user.

Purpose of processing, legal basis and nature of data provision

1. Management of Site navigation

Data is collected by automatic means to enable and improve user navigation on the Site, allow access to the features and services of the Site, verify its correct functioning and allow the display of content from external platforms.

Legal basis: legitimate interest of the Data Controller (Art. 6, para. 1, letter f GDPR).

Provision: necessary to allow navigation on the Site.

2. Sale of products through the Site, management of orders and support and contact requests

The Data Controller may verify the validity of payment instruments used by users to prevent fraudulent activities or comply with anti-money laundering regulations. This activity is delegated to duly authorized third parties; the Controller does not process or store financial information relating to users and payment instruments.

Legal basis: performance of a contract or pre-contractual measures (Art. 6, para. 1, letter b GDPR).

Provision: necessary for the sale of products, management of orders and support requests.

3. Registration on the Site

The created account can also be accessed via social media. In this case, the Site collects certain personal data already provided by the user to social media (e.g., email address and public profile). The Controller does not manage social media services or their privacy settings.

Legal basis: consent of the data subject expressed at the time of registration (Art. 6, para. 1, letter a GDPR).

Provision: necessary for registration on the Site.

4. Newsletter and marketing communications

Users can opt to receive newsletters and commercial communications via email and SMS. The Controller always collects explicit, free, and unequivocal consent from users before sending such communications.

Users can withdraw consent at any time:

through account settings;
by clicking on the "unsubscribe" link in emails;
by contacting Customer Service.

Legal basis: consent of the data subject (Art. 6, para. 1, letter a GDPR).

Provision: optional.

Pursuant to Art. 130, paragraph 4, of Legislative Decree 196/2003, the Controller may also send users who have made purchases on the Site email communications regarding products similar to those purchased, unless the data subject objects.

Legal basis: legitimate interest (Art. 6, para. 1, letter f GDPR).

5. Profiling

With the user's consent, the Controller may process Personal Data to offer more interesting products, improve the Site, and personalize the products offered, including through remarketing, retargeting or profiling activities also carried out through third parties.

Legal basis: consent of the data subject (Art. 6, para. 1, letter a GDPR).

Provision: optional.

6. Fulfillment of legal obligations

If users make purchases, request an invoice, assert a legal guarantee or in the presence of other regulatory obligations, the Controller will process Personal Data to fulfill legal obligations regarding tax and consumer protection.

Legal basis: fulfillment of a legal obligation (Art. 6, para. 1, letter c GDPR).

Provision: necessary.

7. Judicial defense

The Controller may process Personal Data for the judicial defense of its rights or in case of abuse in the use of the Site.

Legal basis: legitimate interest (Art. 6, para. 1, letter f GDPR).

Provision: necessary for the protection of the Controller's rights.

8. Geolocation

By tracking the IP address, the Controller may determine the geographical location in order to apply the correct language.

Legal basis: legitimate interest (Art. 6, para. 1, letter f GDPR).

Provision: optional.

9. Statistical purposes

Personal Data may be collected to understand how and how much the Site is used by users. For this purpose, statistical and aggregated data are generated, also through third-party providers, without identifying users. For these activities, cookies are used, to which the relevant policy refers.

Legal basis: legitimate interest (Art. 6, para. 1, letter f GDPR).

Provision: optional.

10. Site Security

The Controller may process Personal Data to ensure the security of the Site, control its proper functioning, and ascertain responsibility in the event of hypothetical cyber crimes.

Legal basis: legitimate interest (Art. 6, para. 1, letter f GDPR).

Provision: optional.

Recipients of personal data

Personal Data may be processed by employees and collaborators of the Data Controller who deal with customer assistance, marketing/profiling activities or administration.

Furthermore, as data processors, entities providing instrumental services for the management of the Site, including:

providers of IT, cloud computing, analytics and management services;
providers of assistance services to users who have purchased products;
providers of marketing, newsletter, logistics, courier and warehouse services;
consultants, external professionals, lawyers and accountants;
banks, payment institutions and payment service providers.

Personal Data may also be transmitted to the Judicial Authority.

Users' Personal Data will not be disseminated.

Transfer of personal data to non-EU countries

For the management of the Site, users' Personal Data may be transferred outside the European Economic Area ("EEA"), for example to the United States, in compliance with the appropriate guarantees provided by the Regulation.

Data retention periods

Personal Data is retained for the time strictly necessary to pursue the purposes for which it is collected and to fulfill applicable legal obligations.

Site navigation management: please refer to the cookie policy.
Product sales, order management and support: 10 years from purchase.
Site registration: 10 years from the date of registration, unless an account deletion request is made.
Newsletter, marketing and profiling: 10 years from the date of subscription or last purchase, unless consent is revoked or objection is raised.
Fulfillment of legal obligations: for the necessary time and in any case no longer than 10 years.
Judicial defense: for the time necessary to protect the Controller's rights.
Geolocation: for the time necessary to allow location-based interaction.
Site security: for the time necessary to pursue the legitimate interest and in any case no longer than 10 years.

At the end of the retention period, Personal Data will be deleted or anonymized.

Processing methods

Personal Data is processed using IT, automated and electronic tools and, in limited cases, by documented means. In accordance with the GDPR, specific security measures have been implemented to prevent data loss, illicit or incorrect use and unauthorized access.

Connection to third-party websites or platforms

The Site may publish banners, advertisements and other links to websites or platforms of third parties. The Data Controller cannot control or be held responsible for the conduct of such sites or platforms in relation to personal data protection regulations. Users are invited to read the relevant privacy policies.

Data subject's rights

Users can exercise, at any time, free of charge and without formality, the rights provided by Articles 15-22 of the GDPR, including:

right of access to Personal Data;
right to rectification;
right to erasure;
right to restriction of processing;
right to object to processing;
right to data portability;
right to withdraw consent at any time.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Requests to exercise rights can be sent to the Data Controller at the following address: privacy@boglioli.it.

Users can also lodge a complaint with the Garante per la protezione dei dati personali (Italian Data Protection Authority) or the competent supervisory authority of the European Union Member State in which they reside or work.

Reference to the Cookie Policy

The Data Controller invites users of the Site to consult the Cookie Policy published on the Site.

Additional information for users in Switzerland

This section applies to users in Switzerland and replaces any conflicting or divergent information contained in this policy.

Users may exercise, within the limits of the law, the right of access, the right to object to processing, the right to request restriction, erasure or destruction of data, the right to prohibit disclosure to third parties, the right to data portability and the right to request rectification of incorrect data.

Requests may be addressed to the Data Controller using the contact details provided in this document.

Additional information for users in the United States of America

For users residing in certain US States, supplementary provisions apply regarding the categories of Personal Information collected, the purposes of processing, the exercisable rights and the methods for exercising them, in accordance with applicable law.

Such users may have, among others, the right to access, rectify, delete, data portability, object to the sale or sharing of personal data, limit the use of sensitive data and non-discrimination.

Requests may be submitted using the contact details provided in this policy.