Privacy Policy | PapaTartufi.it

INFORMATION ON THE PROCESSING OF PERSONAL DATA (PRIVACY POLICY) PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 (GDPR)

1. Data Controller

Pursuant to Regulation (EU) 2016/679 (“General Data Protection Regulation” – “GDPR”) and applicable national legislation, Papa Tartufi, with its registered office at via A. Piccardi 1/A, email: [info@papatartufi.it](mailto:info@papatartufi.it) (hereinafter also referred to as the “Controller”), hereby informs you that it will process users’ personal data according to the principles of lawfulness, fairness, transparency, data minimization and retention limitation, integrity, confidentiality, accountability, and in compliance with the fundamental rights and freedoms of the data subject.

2. Subject of Processing – Categories of Personal Data Processed

The Controller processes, for the purposes of establishing and managing pre-contractual and contractual relationships, as well as for the fulfillment of related legal obligations, the following categories of personal data:

Identifying and personal details: name, surname, email address, telephone number, residence or home address, shipping address, VAT number or tax code for invoicing purposes.

Data relating to orders, purchased products, requests for assistance, feedback, surveys, reviews, complaints, notifications received.

Navigation data and online identifiers: IP address, device type, operating system, browser, data derived from technical and profiling cookies (where consented).

Data related to electronic payments: identifying data (transactional only) processed via the Stripe platform (which itself manages services such as Apple Pay, Google Pay, PayPal, Klarna, and similar, without the Controller ever having access to card numbers, CVV, or users’ banking credentials).

Data collected for statistical analysis and anonymous tracking, through the implementation of Mixpanel, limited to what is necessary to improve user experience, A/B testing, site performance, and IT security.

Data relating to user journey and browsing habits exclusively where the user has logged in or has expressly provided their consent.

The provision of some data (marked as "mandatory" in the online forms) is necessary to proceed with registration, the purchase, the use of requested services or assistance. Failure to provide such data may prevent proper contract execution or handling of the request.

3. Purpose of Processing and Legal Basis

Users’ personal data will be processed, in compliance with Articles 6 and 9 GDPR, for the following purposes: a) Management and fulfillment of pre-contractual and contractual obligations, including the provision of products, management of the reserved personal account, technical or administrative communications concerning orders, shipments, returns, and refunds, and any consequent activities functional to fulfilling contractual obligations, based on the execution of a contract or pre-contractual measures requested by the data subject (Art. 6(1)(b) GDPR). b) Fulfillment of obligations provided by laws, regulations, and applicable EU legislation, particularly in tax, anti-money laundering, accounting, and administration matters, and to comply with orders from public authorities, based on legal requirements (Art. 6(1)(c) GDPR). c) Management of requests for assistance, information, exercise of rights, notifications, and complaints, whether by electronic or written communication, based on contractual and pre-contractual execution as well as legitimate interest (Art. 6(1)(f) GDPR). d) Statistical analysis and anonymous monitoring of the use and performance of the site, conducted via Mixpanel, for the purpose of improving and optimizing services, IT security protection, fraud and abuse prevention, according to the Controller’s legitimate interest and, where required, with the collection of consent (Art. 6(1)(a)/(f) GDPR). e) Collection and management of feedback, reviews, and surveys—on a voluntary basis, even anonymously—for service and product quality enhancement; participation is optional, with the legal basis being consent and legitimate interest (Art. 6(1)(a)/(f) GDPR). f) Future subscription to newsletter, mailing list, or promotional programs: such activities will be activated only following the expression of free, specific, informed, and unequivocal consent (Art. 6(1)(a) GDPR), with the right to withdraw at any time. g) Implementation of A/B testing and user journey personalization exclusively for authenticated profiles or where the relevant consents have been provided. h) Only on a voluntary basis and with further consent, any future profiling or remarketing activities will be specifically detailed in an appendix to this Policy.

4. Data Processing Methods, Security Measures, and Principles Applied

Data processing is carried out using paper, electronic, and telematic tools, including automated systems, strictly related to the above purposes and, in any case, ensuring security and confidentiality. Papa Tartufi adopts appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage, in accordance with Articles 32-34 GDPR and the guidelines of the Italian Data Protection Authority.

Data is accessible exclusively to personnel expressly appointed/authorized by the Controller, previously trained and instructed concerning confidentiality and data protection.

5. Personal Data Retention

Personal data are retained according to the principles of proportionality and minimization, for the period strictly necessary to achieve the purposes for which they were collected and, in any case:

Data related to orders and transactions: for 10 (ten) years after the last commercial interaction, to fulfill fiscal, civil, and accounting obligations;

Data regarding inactive accounts/users: for a maximum of 3 (three) years from the last access/evidence of activity, after which they will be deleted or irreversibly anonymized;

Data collected for statistical and monitoring purposes: anonymized or aggregated within 24 months and retained without the possibility of relating them to the user;

Data processed based on consent: processed until consent is withdrawn, unless otherwise required by law;

Any feedback/survey data: retained only for as long as strictly necessary to process the request/service improvement.

6. Cookies, Tracking, and Third-Party Tools

The site exclusively uses Mixpanel for statistical analysis, limited to what is indispensable for site improvement and in compliance with privacy-by-design best practices; all settings are configured to anonymize and aggregate data wherever technically possible.

An internally developed cookie consent platform is implemented: upon first access, consent is requested (where necessary) pursuant to the Italian Data Protection Authority’s “Cookies and other tracking instruments” provision of 10.06.2021.

Stripe, used for electronic transactions, acts as an independent data controller under its own privacy rules as outlined in its relevant policies.

7. Data Recipients and Disclosure

Personal data may only be disclosed or made accessible to subjects authorized by the Controller, as well as possibly to:

Couriers and carriers employed for shipping purchased products;

Email and hosting service providers;

Administrative/fiscal consultants in compliance with legal obligations;

Stripe and other payment providers, as well as financial institutions connected to transactions;

Judicial authorities/police/public security bodies, where provided for by law or requested by specific orders;

Any other third-party companies involved for technical purposes (e.g., IT maintainers), all bound by specific confidentiality agreements and, where required, appointed as data processors under Article 28 GDPR.

Under no circumstances will data be subject to indiscriminate disclosure.

The Controller does not transfer personal data to third countries outside the European Economic Area, unless necessary for service provision and only where the recipient guarantees an adequate level of protection in accordance with Articles 44 et seq. GDPR (e.g., standard contractual clauses, adequacy decisions, or other GDPR-approved instruments).

8. Data Subject Rights (Articles 15–22 GDPR) and Exercise Methods

Data subjects are entitled to:

obtain confirmation as to whether personal data concerning them exists and access to such data;

know the purposes and methods of processing, as well as the recipients or categories of recipients to whom the data may be communicated as processors or authorized staff;

obtain the update, rectification, or integration of data, erasure (“right to be forgotten”), transformation into anonymous form, or blocking of data processed unlawfully;

obtain restriction of processing or object, in whole or in part, for legitimate reasons to its processing;

receive the data in a structured, commonly used, and machine-readable format and transmit those data to another controller without hindrance (“right to portability”);

withdraw consent for processing (without prejudice to the lawfulness of processing based on consent before withdrawal);

lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

Requests may be directed to the Controller via email: [info@papatartufi.it](mailto:info@papatartufi.it).

The Controller undertakes to respond within 30 days of receipt of the request; in the case of particular complexity or number of requests, the deadline may be extended by a further 60 days upon motivated communication.

9. Data Processors – Authorized Persons

As of today, the Controller does not use external processors, except for any future entities that will be promptly identified and appointed under Article 28 GDPR. Data is managed exclusively by duly authorized and instructed internal staff. In any event, any relationships with professional service providers (e.g., software houses, accountants, hosting and mailing providers) will be regulated by appropriate agreements or processor appointments under Article 28 GDPR, with an obligation to comply with this Privacy Policy.

10. Minors and Age Limits

The website and the services provided by the Controller are not intended for persons under 16 years of age; the Controller does not knowingly process personal data relating to minors, except with express consents and within the limits of the law. Users purchasing on the site declare that they have the legal capacity to act according to the laws of their country of origin.

11. Updates and Changes to the Privacy Policy

This policy is subject to ongoing changes and updates. Each significant variation will be made promptly available by publication on this page; where necessary or required by law, new consent will be requested.

12. Contacts and Communications

For any need, request, or information regarding the processing of personal data, to exercise your rights or for clarifications regarding this policy, please write to: [info@papatartufi.it](mailto:info@papatartufi.it).