PRIVACY POLICY
PURSUANT TO ART. 13 OF EU REGULATION 2016/679 (GDPR)
This information is provided pursuant to EU Reg. 2016/679, relating to the processing of personal data, regarding any information that allows the Data Controller to identify you and obtain data concerning you, as well as the possibility to know your preferences, directly or indirectly.
The processing of personal data takes place in accordance with the provisions of the GDPR, according to the purposes and methods described below.
1. DATA CONTROLLER
The data controller is GAIA SRL (VAT number 02263820686), Via Conte di Ruvo 71/73 - 65127 Pescara, Italy in the person of the legal representative.
The Data Controller can be contacted at the following email address: privacy@gaiamyfriend.com .
2. PURPOSE, METHOD OF PROCESSING, PERSONAL DATA COLLECTED AND LEGAL BASIS
With regard to the processing of personal data, the Data Controller and the Joint Controllers guarantee the observance and application of the principles of correctness, lawfulness, transparency, minimization, purpose limitation and conservation, to protect your privacy and your rights.
Personal data are collected and processed, through IT tools, according to the purposes and for the types of data indicated below, in compliance with the provisions in force and, in particular, with the security measures prescribed by the Italian Data Protection Authority, as well as with the observance of every measure capable to guarantee the necessary confidentiality and security of the data.
a) Contractual / pre-contractual purpose
The data indicated below are collected both during registration on the web portal gaiamyfriend . com , on the marketplace shop.gaiamyfriend.com and the GAIA MY FRIEND app (available on Google Play and Apple Store) both in the case of the use of specific functions provided by the aforementioned websites and app, which may require the completion of the user's personal profile (e.g. purchases of goods and services offered).
For the aforementioned purposes, the following personal data may be requested and collected:
- personal identification information such as name, surname, date of birth and tax code;
- contact information such as email, telephone, username and residential address;
- additional information, such as tax data and payment data, used to fulfil regulatory, accounting and tax obligations and for any purpose connected to the contractual / pre-contractual obligation and the execution of the contract stipulated between the Data Controller / Joint Controllers and the interested party.
The processing of personal data for the aforementioned purposes does not require specific consent, as it is an indispensable activity to fulfil legal obligations and for the pre-contractual and contractual phases of the relationship. Any refusal to provide the requested data makes it impossible to provide the related services.
Following the processing of your personal data for contractual purposes, in accordance with the provisions of art. 130, co. 4, Legislative Decree no. 196/2003 (Italian Privacy Code), you will be able to receive communications and commercial offers relating to the services offered by the Data Controller and by the Joint Controllers (marketing purposes with contractual legal basis).
b) Marketing purposes
The personal contact data provided by the interested party - outside the purpose referred to in point a) - during registration on the web portal gaiamyfriend.com, on the marketplace shop.gaiamyfriend.com and on the GAIA MY FRIEND app or following to fill in the appropriate contact forms contained within the web portal, the app and the marketplace, such as telephone, email and username, can be used by the Data Controller for telephone contacts, sending newsletters and sending information and promotional/commercial offers.
In this case, the processing of personal data is carried out with the explicit and optional consent given. Failure to consent will make it impossible to receive confidential communications and offers.
Communications relating to this purpose are sent - both to those who have given explicit consent in relation to the same, and in cases of processing attributable to this purpose that responds to a legitimate interest (contractual and pre-contractual) - through telephone contact, or through the platform Sendinblue (https://it.sendinblue.com/legal/privacypolicy/) and the use of digital messaging services such as SMS, MMS and Push Notifications, as well as through third-party messaging services, such as eg. Whatsapp, Telegram, Instagram, Facebook and LinkedIn.
c) Profiling activity
Personal data relating to your preferences, habits and use of our services, collected by browsing our web portal gaiamyfriend.com , on the marketplace shop.gaiamyfriend.com and on the GAIA MY FRIEND app, and using the services available for the registered users, may be profiled for commercial and marketing purposes, to allow the improvement of the aforementioned services and to be able to offer optimized services based on the preferences expressed.
The profiling activity is carried out by means of algorithms that will create your behavioural and commercial profile, processing the data collected in the manner indicated below.
Subject to explicit consent - expressed during registration and/or activation of the services provided by the Data Controller - the activities carried out on our web portal, on our app and on our marketplace and the methods of use of our services can be tracked, in order to offer you a better and optimal use of the same, in line with your preferences and habits, as well as commercial offers aimed at improving your experience of using our services.
We remind you that pursuant to art. 21 of EU Regulation 2016/679 you can always exercise the right to opposition to this processing activity. In case of exercise of the right of opposition, the Data Controller may continue to process the profiling data collected until then exclusively in aggregate and anonymous form, for statistical purposes and to optimize the web portal, the app and the services offered.
3. COMMUNICATION, DIFFUSION AND SHARING OF PERSONAL DATA
The personal data provided are not disclosed, except in cases this is required by current legislation or is necessary for the management of the services requested or for specific consent given by the interested party for this purpose.
In such cases, the data may be disclosed to external entities who provide their services for the Data Controller such as - for example - professionals, public institutions, banks, insurance companies, trade associations, as well as companies or professionals with whom The Data Controller maintains relationships aimed at managing specific services (such as administrative, legal, accounting services, email and newsletter management, web marketing and customer care).
The personal data provided to external companies and professionals will be used by them exclusively to carry out the agreed services.
The Data Controller may also communicate the personal data processed to public institutions within the limits of the regulatory provisions in force, as well as to the law enforcement agency and judicial authorities where required and always for judicial and public order purposes.
The interested party can know the list of external data processors and any third parties to whom the Data Controller has communicated his personal data by making a request to the contacts indicated in paragraph 1 of this policy.
The personal data you provide for contractual and pre-contractual purposes, provided by registering on the web portal gaiamyfriend.com, on the marketplace shop.gaiamyfriend.com and on the GAIA MY FRIEND app, allows you to make purchases through our marketplace. In this case, your personal data, necessary for this purpose, are shared with the sellers present on the aforementioned marketplace with which you conclude the purchase, who act as Joint Controllers. The list of sellers on the marketplace shop.gaiamyfriend.com, who may be Joint Controllers for the purposes of processing your personal data for the purposes indicated, can be consulted by clicking on the following link: RETAILER LIST
4. ACCESSIBILITY AND SECURITY OF PERSONAL DATA
The interested party may request access to his personal data, at any time, by making a request to the Data Controller at the contacts indicated in paragraph 1 of this policy.
Access to personal data may also be allowed by the Data Controller to employees and collaborators, within the limits established and governed in the relationship with the latters and in specific assignments aimed at the processing of personal data on behalf of the Data Controller, if this is necessary for the execution of the tasks assigned to them and the activities carried out by them.
It takes place in compliance with the technical and organizational measures adopted by the Data Controller for the purposes of protecting and safeguarding personal data, adopting different levels of access and appropriate control tools.
The processing of personal data takes place in compliance with the principles established by the GDPR, preventing - with appropriate technical and organizational measures - unauthorized or illegal processing or the loss, destruction or damage of data held by the Data Controller.
In the event that the Data Controller deems that the security and protection of the personal data of the interested parties may have been placed in danger, the Data Controller will inform them in accordance with the procedures set out in the regulations in force, as well as, where necessary, communicating the data breach to the competent Data Protection Authority.
5. STORAGE AND DURATION OF THE PROCESSING OF PERSONAL DATA
Personal data are stored in digital format, taking into account the purposes for which they are collected and processed. The data in digital format are stored on servers owned by Contabo GmbH (https://contabo.com/en/legal/privacy/).
The maximum retention period of the collected data is ten years (e.g. for accounting and tax purposes, for contractual purposes and in all other cases for which the current legislation allows data to be kept for this period) or for the period of time prescribed by the current legislation, as in the case of rights and obligations arising from the contract stipulated between the Data Controller / Joint Controllers and the interested party.
The processing and storage period provided for commercial and marketing purposes is five years.
The period of processing and storage of the data subject to profiling activities is connected to the duration of the services provided and to the consent given by the interested party for this purpose.
At the end of the aforementioned periods, personal data may continue to be stored by the Data Controller anonymously and for purely statistical purposes.
6. TRANSFER OF DATA ABROAD
Your personal data will not be transferred abroad to countries, other than those belonging to the European Union, that do not ensure adequate levels of protection of the data.
7. RIGHTS OF THE INTERESTED PARTY
In relation to the data subject to the processing envisaged by this policy, the following rights are recognized:
· Access (Article 15 EU Reg. 2016/679)
· Correction (Article 16 EU Reg. 2016/679)
· Cancellation (Article 17 EU Reg. 2016/679)
· Limitation (Article 18 EU Reg. 2016/679)
· Portability (Article 20 EU Reg. 2016/679), understood as the right to obtain from the Data Controller the data in a structured format of common use and readable by an automatic device to transmit them to another Data Controller, provided that the nature digital processing allows it and that this does not involve the infringement of the rights and freedoms of others, including the intellectual property rights of the Data Controller or the trade secrets relating to it; moreover, it does not apply in cases where the processing is based on legitimate interests;
· Opposition (Article 21 EU Reg. 2016/679).
The opposition and requests for deletion of data are subject to compliance with legal obligations regarding the processing and storage of documents and the possible existence of a legal basis that legitimizes the processing itself.
Consequently, the requests for opposition and cancellation will be accepted only in the event that the right of the interested party does not conflict with treatments that are in any case legitimate, which are prevalent with respect to the difference will expressed by the latter.
If the interested party considers that the Data Controller’s personal data management method is not compliant with current legislation, he can file a complaint with the Data Privacy Authority.
-------------------------------------------------- -------------------------------
Last modification of this information: June 14, 2021