Privacy Policy
INFORMATION PURSUANT TO ART. 13 and 14 EU REGULATION 2016/679 - WEBSITE
TooA S.p.A., in its capacity as Data Controller (hereinafter referred to as ‘TooA’ or ‘Data Controller’) pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as the ‘Regulation’) and of Legislative Decree no. 196/2003 (Code for the Protection of Personal Data, hereinafter referred to as the 'Code') - considers the protection of your personal data to be an essential aspect of its activities. All the information you provide us will be treated in accordance with the principle of respecting your rights, fundamental freedoms and dignity.
The principles applied to the processing of personal data are those set out in Article 5 of the GDPR: fairness, lawfulness, transparency, limitation of purpose and storage, minimisation and accuracy, integrity and confidentiality, as well as the principle of liability.
This information:
- is intended for the website tooa.com (hereinafter referred to as: “Website”);
- is provided, in accordance with articles 13 and 14 of the Regulation, to those who interact with the services of the website, both through simple consultation and through the use of specific services made available through the website (including, the purchase of products, filling in forms to request information or to subscribe to the newsletter, etc.), as well as with other services provided (telephone support and support via WhatsApp).
This information does not concern other websites, pages or online services that can be accessed via links that may be published but which refer to external resources.
We therefore invite you to read the following information carefully.
******
1) DATA CONTROLLER
The Data Controller is TOOA S.p.A., Reg. No. 02823780420, with registered office in Fabriano (AN - Italy), Via Giovanni Pascoli, 2, in the person of its legal representative, phone number: +39 0732/ 191.07.55, e-mail: tooaspa@legalmail.it
2) CATEGORIES OF DATA PROCESSED THROUGH THE WEBSITE
The personal data processed is the data communicated by you or legitimately obtained by the Data Controller. The types and methods of data processing relating to the website are described below.
a. Navigation data
IT systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is necessary for the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but, by its very nature, through processing and association with data held by third parties, it could be used to identify users. This category of data includes IP addresses or domain names of the computers used by users who connect to the website, URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained as a reply, the numerical code indicating the status of the reply given by the server (successfully completed, error, etc.) and other parameters relating to the operating system and the user's computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the website to ensure that it works correctly and to identify anomalies and/or abuses. Once processed, the data is immediately deleted. The data could be used to ascertain responsibility in case of alleged computer crimes against the website or third parties.
b. Data collected through tracking (cookies)
Tracking is done through the code executed within the websites, both at server level (e.g. services, procedures) and at client level (e.g. tags, pixels), also with the support of the code installed on your browser (e.g. cookies). With regard to the purpose and management of tracking consents, please refer to the specific section “Cookie Policy” of the website.
c. Content sharing data via social networks.
The website mentioned above may include plugins and/or buttons in order to allow you to share content on the social networks you use (e.g. Facebook, YouTube, Instagram).
d. Data voluntarily provided by the user:
data voluntarily entered in the various forms contained within the website, such as, for example:
- the form for requesting information in the ‘Contact Us’ section, through which you will be asked to enter your name, surname and contact details - email address and telephone number - as well as to make your specific request, which may possibly contain additional personal data about you;
- the chat box and the instant messaging WhatsApp service, through which you will be put in communication with a TooA operator, who will be able to assist you by answering in real time to your requests for information.
With reference to these types of data, we invite you to enter in the aforementioned forms, including chat and instant messaging service, only the personal data strictly necessary for the management of your request, thus excluding irrelevant information and/or information that may fall within the category of special categories of personal data referred to in Article 9 of the Regulation.
e. Demographics and habits:
data describing your demographic characteristics or habits, e.g. date of birth, age or age group, gender, favourite products, interests and lifestyle information.
TooA will generally not process personal data relating to personal beliefs, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information relating to health, sex life or sexual orientation (hereinafter referred to as ‘Special Categories of Data’). In the event that it is necessary to process Special Categories of Data, TooA undertakes to process such data in accordance with applicable legislation. The legal basis for such processing is, as a rule, compliance with a legal obligation, it being understood that TooA will ask for your explicit consent if there is no concrete legal obligation to process such Data.
f. Data processed because of online services:
data voluntarily provided for the purpose of performing the services offered online, with particular reference to the following services:
- registration and access to your personal area, in which your personal data, contact data, shipping addresses and product preferences can be processed (based on the data you have saved). Credit card data, if any, will be handled by an external service provider, in accordance with current legislation;
- conclusion and execution of purchase contracts (including the service of checking the status of orders), in which your personal data, contact data and data relating to the delivery address of the products purchased will be processed, as well as all information relating to your purchasing experience, including confirmation of payment. In this respect, the company chosen to handle the payments, which is qualified as an independent Data Controller, will communicate to TOOA the circumstance of the payment and the information necessary for the shipment of the order. No payment data (other than confirmation) will be processed directly by TooA;
- management of warranties through the Customer Care service;
- processing of returns or withdrawals, whereby your personal data, contact data and data relating to the address at which the returned products may be picked up, as well as all information relating to your purchase and return experience, will be processed;
- handling customer orders for the purchase of cartons.
In general, moreover, the Data Controller will process, subject to your consent, any information relating to your purchases (type of product, date of purchase, amount spent as well as, in general, your purchasing choices, your preferences and your browsing behaviour) and deriving from the activities carried out online within the website for profiling purposes, with or without personalised effects, as better specified below; the Data Controller will also process the information deriving from your choices to personalise the contents of the newsletter.
g. Third-party data voluntarily provided by the user.
During the use of the services of the website, personal data of third parties, communicated by you to TOOA, could be processed (for example, in case of data released for the purchase of products to be sent to third parties; for billing purposes; also, in case you request information in the ‘Contact us’ section of the website). Regarding these hypotheses, you act as autonomous Data Controller, assuming all the obligations and responsibilities set out by law. In this regard, you hereby grant the widest possible discharge in case of disputes, claims to compensation for damage caused by the processing, etc., that the Data Controller may receive from third parties, whose personal data have been processed through your use of the website services in violation of the applicable data protection regulations. In any case, if you provide or otherwise process personal data of third parties in the use of the website, you guarantee from now on - assuming all related liability - that this particular hypothesis of processing is based, where necessary, on the prior acquisition - by you - of the third party’s consent to the processing of the information concerning them.
3) METHOD OF PROCESSING:
the Data Controller will process the data through computerised systems. Data relating to promotional purposes and personal and general profiling will be processed using automated decision-making processes.
4) PURPOSES FOR WHICH WE USE YOUR DATA - WHAT CONDITION MAKES THE PROCESSING LAWFUL - HOW LONG WE KEEP THE DATA
B) PURPOSE:
provision of all the services made available by the Data Controller (including, by way of example, the online sales service, the returns service and the service relating to product warranty management, the ‘Contact us’ section - relating to your customer care requests -, checking the status of orders placed, saving the preferred delivery addresses of goods purchased, etc.), including management of the security of the website, as well as contractual and administrative and accounting relations and after-sales services. It should also be noted that, through the website, further support services are made available to the Customer, including, in particular, the telephone support service and the support service via WhatsApp, through which you can make specific requests and receive assistance from TOOA Customer Care.
LEGAL BASIS:
art. 6, paragraph 1(b) of the Regulation ([...]processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;), since the processing operations are necessary for the provision of services. The provision of personal data for these purposes is optional, but not providing it would make it impossible to activate the services requested.
STORAGE TIME: the data will be stored for the time strictly necessary to achieve those same purposes, i.e. for the time necessary to perform the contract, to provide legal or conventional guarantees, in accordance with the storage time required by law (see also, in particular, Article 2946 of the Italian Civil Code et seq.).
C) PURPOSE:
registration in restricted areas and activation of your account.
LEGAL BASIS: art. 6, paragraph 1(b) of the Regulation ([...]processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), since the processing operations are necessary for the provision of services. The provision of personal data for these purposes is optional, but not providing it would make it impossible to activate the services requested.
STORAGE TIME: until the request to delete the account is made, with immediate destruction of data following the request.
D) PURPOSE:
to meet specific requests made to the Data Controller, also in relation to post-sales, including requests for Customer Service and information (e.g. in relation to the management of product warranties) submitted by filling in the relevant contact forms on the website, as well as through the chat and instant messaging service.
LEGAL BASIS: art. 6, paragraph 1(b) of the Regulation ([...]processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), since the processing operations are necessary for the provision of services. The provision of personal data for these purposes is optional, but not providing it would make it impossible to activate the services requested.
STORAGE TIME: the data will be stored for the time strictly necessary to achieve those same purposes, i.e. for the time necessary to perform the contract, to provide legal or conventional guarantees, in accordance with the storage time required by law (see also, in particular, Article 2946 of the Italian Civil Code et seq.).
D) PURPOSE:
handling customer orders for the purchase of cartons.
LEGAL BASIS: for the management of orders art. 6, paragraph 1(b) of the Regulation ([...]processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), since the processing operations are necessary for the provision of services. The provision of personal data for these purposes is optional, but not providing it would make it impossible to activate the services requested.
STORAGE TIME: For the management of orders the data will be stored for the time strictly necessary to achieve those same purposes, i.e. for the time necessary to perform the contract, to provide legal or conventional guarantees, in accordance with the storage time required by law (see also, in particular, Article 2946 of the Italian Civil Code et seq.).
F) PURPOSE:
to fulfil any obligations under applicable laws, regulations or EU legislation, or to comply with requests from the authorities.
LEGAL BASIS: art. 6, paragraph 1(c) of the Regulation ([...]processing is necessary for compliance with a legal obligation to which the controller is subject). Once personal data has been provided, processing is indeed necessary to comply with legal obligations to which the Controller is subject.
STORAGE TIME: Personal data processed for the purposes set out in this section will be kept for as long as required by the specific obligation or applicable law.
G) PURPOSE:
direct sending via e-mail and commercial communications in relation to products or services similar to those purchased by you, pursuant to art. 130, paragraph 4 of the Code and the provision of the Authority for the protection of personal data of 19 June 2008, unless you expressly refuse to receive such communications, which you can express when registering on the site or at a later date.
LEGAL BASIS: With reference to this purpose, it should be noted that if the Data Controller uses, for the purpose of direct sales of its own products or services, the e-mail or postal mail details provided by the Data Subject in the context of the sale of a product or service, the Data Controller may, pursuant to Section 130(4) of the Code, not require the consent of the Data Subject, provided that the products or services in question are similar to those sold and that the Data Subject, having been adequately informed, does not refuse such use, either initially or on the occasion of further communications.
STORAGE TIME: Your personal data will be processed until you object to the processing.
G) PURPOSE:
sending commercial communications and proposals, including newsletters (of which you may customise the contents), by automated means; it should be noted that the Data Controller collects a single consent for the marketing purposes described herein, pursuant to the General Provision of the Garante per la Protezione dei Dati Personali ‘Linee guida in materia di attività promozionale e contrasto allo spam’ of 4 July 2013; if, in any case, you wish to object to the processing of your data for marketing purposes carried out by the automated means indicated herein, you may do so at any time by contacting the Data Controller at the contact details indicated in the “Contact us” section of this policy, without prejudice to the lawfulness of the processing carried out prior to your objection.
LEGAL BASIS: the explicit consent of the data subject pursuant to Art. 6 paragraph 1(a) ([...] the data subject has given consent to the processing of his or her personal data for one or more specific purposes;) and Article 22, paragraph 2(c) of the Regulation.
STORAGE TIME: until consent is withdrawn.
H) PURPOSE:
analysing your personal data, your purchasing choices and preferences, in order to send you personalised commercial communications and proposals and, in general, for profiling activities using automated processes.
LEGAL BASIS: The processing operations carried out for the purposes referred to in this section are based on the granting of your consent in accordance with Article 6, paragraph 1(a) ([...] the data subject has given consent to the processing of his or her personal data for one or more specific purposes;) and Article 22, paragraph 2(c) of the Regulation. This consent may be revoked at any time without prejudice to the lawfulness of the processing carried out prior to the revocation in accordance with Article 7 of the Regulation.
The provision of your personal data for these purposes is therefore entirely voluntary and does not affect the use of services. If you wish to object to the automated processing of your data for marketing and profiling purposes, you may contact the Data Controller at any time at the contact details given in the “Contact us” section of this policy or, where available, via the Privacy Settings in your Personal Area.
STORAGE TIME: Your personal data will be stored until you revoke your consent and, in any case, for no longer than seven years from the date of their registration, in accordance with the provisions of the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali). Upon withdrawal of consent or expiry of the seven-year storage period (whichever comes first), the data processed for the above purposes will be permanently deleted or anonymised.
I) PURPOSE:
general profiling purposes, without personalisation, through the performance of general analyses (also of a predictive or strategic orientation type) aimed at creating statistical processing and calculation models in relation to the entire customer base; this purpose implies the processing of your data on an aggregate basis and in pseudonymised form.
LEGAL BASIS: The processing referred to in this section is carried out for the purpose of pursuing the legitimate interest of the Controller pursuant to Article 6, paragraph 1(f) of the Regulation.
STORAGE TIME: Your data will be stored for no longer than seven years after registration. Upon expiry of the seven-year storage period (whichever comes first), the data processed for the above purposes will be permanently deleted or anonymised.
L) PURPOSE:
satisfying possible defensive needs.
LEGAL BASIS: satisfying possible defensive needs of the Data Controller pursuant to Article 6, paragraph 1(f) of the Regulation.
STORAGE TIME: Personal data shall be stored for the entire duration of the complaint and/or the out-of-court and/or judicial proceedings until the time limit for judicial remedies and/or appeals has expired.
M) PURPOSE:
purposes of statistical evaluation and monitoring; this purpose implies an analysis of aggregate information that does not refer to identified or identifiable natural persons and which, therefore, does not constitute personal data and does not allow the Data Controller to trace your identity in any way. Since this processing does not concern personal data, it does not fall within the scope of the legislation on the protection of personal data and can therefore be freely carried out by the Data Controller.
In general, the Data Controller reserves the right to retain your data for as long as necessary to comply with any legal obligation to which it is subject or to meet any defensive requirements. This is without prejudice to the possibility for the Data Controller to retain your personal data for the period of time provided for and permitted by Italian law in order to protect their interests (Art. 2947 c.c.).
5. RECIPIENTS OF THE PERSONAL DATA
Your personal data may be shared, for the purposes set out in section 4 of this Privacy Policy, with:
- persons authorised by the Data Controller to process personal data pursuant to Articles 29 and 2-quaterdecies of the Code (e.g. sales, administration and accounting staff, after-sales service, CRM, information systems management, etc.);
- third parties who, in the provision of services (by way of example: technological services, assistance and consultancy services in accounting, administrative, legal, tax and financial matters, technical maintenance, transport services, banking and insurance services), typically act as Data Controllers pursuant to Article 28 of the Regulations. The Data Controller keeps an up-to-date list of the data processors appointed and guarantees that the Data Subject will be able to view it at the offices indicated above or upon request addressed to the contact details indicated above;
- subjects, bodies or authorities to whom it is mandatory to communicate your personal data by virtue of provisions of law or orders of the authorities.
Such persons are hereinafter collectively referred to as "Recipients".
6. TRANSFERS OF THE PERSONAL DATA
Your personal data is shared with recipients located only within the EU.
7. RIGHTS OF THE DATA SUBJECTS
You, as a Data Subject, may exercise your rights under Articles 15-22 GDPR and revoke your consent at any time without prejudice to the lawfulness of the processing carried out before revocation.
In particular, you may request access to your Personal Data pursuant to art. 15 GDPR, rectification pursuant to art. 16 GDPR, deletion of the same pursuant to art. 17 GDPR, restriction of processing in the cases provided for by art. 18 of the GDPR as well as to obtain the transfer of data concerning you in the cases provided for by art. 20 of the GDPR.
You may formulate a request to object to the processing of your data pursuant to Articles 21 and 22 of the GDPR in which you provide evidence of the reasons justifying the objection: the Data Controller reserves the right to evaluate your request, which will not be accepted in the event of the existence of compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and freedoms.
Requests should be made in writing to the Data Controller at the contact details indicated in the "Contact us" section of this policy.
8. COMPLAINT TO THE GARANTE (Italian Authority for the protection of personal data)
If you believe that the processing of your Personal Data carried out by the Data Controller is in breach of the provisions of the GDPR, you have the right to lodge a complaint with the Garante (Italian Authority for the protection of personal data), as provided for by art. 77 of the GDPR itself, or to take appropriate legal action (Article 79 of the GDPR).
10. AMENDMENTS
The Data Controller reserves the right to modify or simply update the content, in part or in full, including due to changes in applicable legislation. The Data Controller therefore invites you to visit this section regularly in order to be informed of the most recent and up-to-date version of the Privacy Policy so that you are always well informed about the data collected and how it is used by TOOA.
11. CONTACT US
To exercise the above rights or for any other request, you can write to the Data Controller at the postal address indicated above, or through the dedicated contact, preferably by including the words ‘request to exercise privacy rights’ in the subject of your message.