Privacy Policy
INFORMATION PURSUANT TO ART. 13 OF REG. (EU) 2016/679 (“GDPR”)
ONLINE SALES AND WEBSITE REGISTRATION
Below is the information required by the GDPR relating to the processing of personal data provided for the purpose of purchasing and/or registering on the e-commerce website www.carpisa.com (hereinafter, “Site”) of Carpisa products (hereinafter, “Products”), as better described in the general conditions of sale.
1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
Kuvera S.p.A., Tax Code and VAT number 07563710636, with registered office in Piazza dei Martiri n. 30, 80100 — Naples (NA) and operational headquarters in Interporto Lotto C, A19 — A20 — A2, 80035 - Nola (NA), e-mail address privacy@pianofortegroup.com, P.E.C. address kuvera@pec.it (hereinafter, “Owner”).
2. PURPOSE OF THE PROCESSING, LEGAL BASES AND DATA STORAGE TIMES
| WHY ARE PERSONAL DATA PROCESSED? | WHAT IS THE LEGAL BASIS THAT MAKES THE PROCESSING LAWFUL? | HOW LONG DO WE KEEP PERSONAL DATA? |
|---|---|---|
| a) To allow the purchase of Products on the Site and/or registration on the Site and the use of the related services. | The execution of a contract to which the interested party is a party. | For the entire duration of the contractual relationship and for the following 10 years, as an ordinary limitation period. |
| b) For carrying out administrative-accounting, fiscal and any other legal obligations. | The fulfillment of a legal obligation to which the Data Controller is subject. | For the terms established by the relevant legislation. In the event of a dispute, for the entire duration of the dispute and until the expiry of the terms of eligibility of appeal actions. |
| c) For the possible assessment, exercise or defense of the rights of the Data Controller in judicial and extrajudicial proceedings (including credit protection). | The legitimate interest of the Data Controller. | For 10 years following the end of the contractual relationship, as an ordinary limitation period. |
| d) To store credit card data through secure tokenization, in order to facilitate the carrying out of further transactions to purchase the Products. | The consent of the interested party. | Until the card expires, without prejudice to the right of the interested party to request the cancellation of the data at any time. |
| e) To send promotional communications to the customer's e-mail address on Products similar to those being sold (so-called. “soft spam”). | Legitimate interest of the Data Controller pursuant to art. 6, par. 1, letter f) of the GDPR, in combination with art. 130, paragraph 4, of the Italian Privacy Code. | Until the interested party objects (clicking on the “unsubscribe” link at the bottom of each communication) or the cancellation of the account. |
| f) To carry out profiled marketing activities: analysis of the behaviors and preferences of interested parties derived from the data provided by them in combination with data relating to online browsing on the Site (collected through cookies), in order to receive promotional content from the Data Controller that is more relevant to their interests, through automated contact methods (such as e-mail, instant messaging systems) and/or online advertising banners. | The consent of the interested party. | For 2 years, without prejudice to the right of the interested party to withdraw consent at any time. |
Once the storage terms indicated above have elapsed, the data will be destroyed, deleted or made anonymous, compatible with the technical cancellation and backup times.
3. PROVISION OF DATA
The data marked with an asterisk are necessary for the purpose of purchasing the Products and/or registering on the Site, while the others are optional.
4. CATEGORIES OF RECIPIENTS
The data may be communicated to other third parties who also operate as independent controllers, such as public authorities and professional firms.
The data may also be processed, on behalf of the Data Controller, by third parties, designated as Data Processors pursuant to art. 28 of the GDPR, such as natural and/or legal persons who carry out activities functional to the purposes indicated above (e.g. IT services, communication and marketing services, customer care, payment services), also operating outside the European Union.
In particular, the data will be transferred to the company that manages and maintains the Site, i.e. Canada-based Shopify Inc. (third country considered adequate by the European Commission pursuant to art. 45 of the GDPR with decision 2002/2/EC), as well as they may be transferred to its sub-managers established outside the EU (including cloud service providers and payment gateway). In the event that these sub-processors are established in countries without an appropriateness decision pursuant to art. 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to art. 46, par. 2, letter c) of the GDPR will be used, with the possible provision of “additional measures” to guarantee a level of protection substantially equivalent to that required by EU law.
In addition, the data are processed by the Data Controller's employees - who belong to the business functions responsible for the pursuit of the above-mentioned purposes - who have been expressly authorized to process and who have received appropriate operating instructions.
5. RIGHTS OF THE INTERESTED PARTY
The interested party may exercise the rights referred to in articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain confirmation from the Data Controller whether or not personal data concerning him is being processed and, in this case, access to them and to the information referred to in art. 15, the correction of inaccurate data, the integration of incomplete data, the cancellation of data in the cases provided for by art. 17, the limitation of processing in the cases provided for by art. 18 GDPR, as well as to object, for reasons related to his situation in particular, to the processing carried out for the legitimate interest of the owner.
Furthermore, if the processing is based on consent or contract and is carried out with automated tools, the interested party has the right to receive the data in a structured format, commonly used and readable by an automatic device, as well as, if technically feasible, to transmit them to another owner without hindrance (right to “data portability”).
In addition, the interested party, at any time, has the right to revoke the consent given for marketing purposes, as well as to oppose the processing for this purpose, including the profiling related to it. In the case of communications sent via e-mail, the interested party may also object by clicking on the “unsubscribe” link at the bottom of each e-mail.
To exercise their rights, the interested party may contact the Data Controller at the contact points indicated in paragraph 1.
The interested party has the right to lodge a complaint with the competent Supervisory Authority in the Member State in which he usually resides or works or the State in which the alleged violation occurred.
INFORMATION PURSUANT TO ART. 13 OF REG. (EU) 2016/679 (“GDPR”)
NEWSLETTER
Below is the information required by the GDPR regarding the processing of personal data provided in order to subscribe to the newsletter service, i.e. the periodic sending of e-mail communications containing updates on products, offers and initiatives in the Carpisa world (hereinafter, “Newsletter Service”).
1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
Kuvera S.p.A., Tax Code and VAT number 07563710636, with registered office in Piazza dei Martiri n. 30, 80100 — Naples (NA) and operational headquarters in Interporto Lotto C, A19 — A20 — A2, 80035 - Nola (NA), e-mail address privacy@pianofortegroup.com, P.E.C. address kuvera@pec.it (hereinafter, “Owner”).
2. PURPOSE OF THE PROCESSING, LEGAL BASES AND DATA STORAGE TIMES
| WHY ARE PERSONAL DATA PROCESSED? | WHAT IS THE LEGAL BASIS THAT MAKES THE PROCESSING LAWFUL? | HOW LONG DO WE KEEP PERSONAL DATA? |
|---|---|---|
| To provide the Newsletter Service. | The execution of a contract to which the interested party is a party. | Until you unsubscribe from the Newsletter Service in the manner indicated in the following point 4. |
Once the storage terms indicated above have elapsed, the data will be destroyed, deleted or made anonymous, compatible with the technical cancellation and backup times.
3. PROVISION OF DATA
The user is only required for the e-mail address, necessary for the provision of the Newsletter Service; therefore, any refusal to provide it makes it impossible to use the Newsletter Service.
4. UNSUBSCRIBE FROM THE NEWSLETTER SERVICE
To stop receiving the emails referred to in the Newsletter Service, the user can click on the unsubscribe link at the bottom of each e-mail.
5. CATEGORIES OF RECIPIENTS
The data may be communicated to third parties operating as independent controllers, such as public authorities and professional firms.
The data may also be processed, on behalf of the Data Controller, by third parties, designated as Data Processors pursuant to art. 28 of the GDPR, such as natural and/or legal persons who carry out activities functional to the purposes indicated above (e.g. IT services, mass sending of communications) also operating outside the European Union (“EU”).
In particular, the data will be transferred to the company that manages and maintains the Site, i.e. Canada-based Shopify Inc. (third country considered adequate by the European Commission pursuant to art. 45 of the GDPR with decision 2002/2/EC), as well as may be transferred to its sub-managers established outside the EU. In the event that these sub-processors are established in countries without an appropriateness decision pursuant to art. 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to art. 46, par. 2, letter c) of the GDPR will be used, with the possible provision of “additional measures” to guarantee a level of protection substantially equivalent to that required by EU law.
In addition, the data are processed by the Data Controller's employees - who belong to the business functions responsible for the pursuit of the above-mentioned purpose - who have been expressly authorized to process and who have received appropriate operating instructions.
6. RIGHTS OF THE INTERESTED PARTY
The interested party may exercise the rights referred to in articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain from the Data Controller confirmation that personal data concerning him or her is being processed and, in this case, access to them and to the information referred to in art. 15, the correction of inaccurate data, the integration of incomplete data, the cancellation of data in the cases provided for by art. 17, the limitation of processing in the cases provided for by art. 18 GDPR.
Furthermore, if the processing is based on consent or contract and is carried out with automated tools, the interested party has the right to receive the data in a structured format, commonly used and readable by an automatic device, as well as, if technically feasible, to transmit them to another owner without hindrance (right to “data portability”).
To exercise their rights, the interested party may contact the Data Controller at the contact points indicated in paragraph 1.
The interested party has the right to lodge a complaint with the competent Supervisory Authority in the Member State in which he usually resides or works or the State in which the alleged violation occurred.
INFORMATION PURSUANT TO ART. 13 OF REG. (EU) 2016/679 (“GDPR”)
“CONTACT US” FORM
Below is the information required by the GDPR regarding the processing of personal data provided by filling out the online form “Contact Us” and using the related customer care service.
1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
Kuvera S.p.A., Tax Code and VAT number 07563710636, with registered office in Piazza dei Martiri n. 30, 80100 — Naples (NA) and operational headquarters in Interporto Lotto C, A19 — A20 — A2, 80035 - Nola (NA), e-mail address privacy@pianofortegroup.com, P.E.C. address kuvera@pec.it (hereinafter, “Owner”).
2. PURPOSE OF THE PROCESSING, LEGAL BASES AND DATA STORAGE TIMES
| WHY ARE PERSONAL DATA PROCESSED? | WHAT IS THE LEGAL BASIS THAT MAKES THE PROCESSING LAWFUL? | HOW LONG DO WE KEEP PERSONAL DATA? |
|---|---|---|
| To respond to your request for information or assistance. | The execution of a contract to which the interested party is a party. | The data will be kept for the time necessary to process the request and in any case no longer than 1 year, except for further terms required by law. |
Once the storage terms indicated above have elapsed, the data will be destroyed, deleted or made anonymous, compatible with the technical cancellation and backup times.
3. PROVISION OF DATA
The provision of data marked with an asterisk is necessary for the correct management of the request; therefore, failure to provide it will not allow the sending of the same.
4. CATEGORIES OF RECIPIENTS
The data may be communicated to third parties operating as independent controllers, such as public authorities and professional firms.
The data may also be processed, on behalf of the Data Controller, by third parties, designated as Data Processors pursuant to art. 28 of the GDPR, such as natural and/or legal persons who carry out activities functional to the purposes indicated above (e.g. IT services, customer care), also operating outside the European Union (“EU”).
In particular, the data will be transferred to the company that manages and maintains the Site, i.e. Canada-based Shopify Inc. (third country considered adequate by the European Commission pursuant to art. 45 of the GDPR with decision 2002/2/EC), as well as may be transferred to its sub-managers established outside the EU. In the event that these sub-processors are established in countries without an appropriateness decision pursuant to art. 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to art. 46, par. 2, letter c) of the GDPR will be used, with the possible provision of “additional measures” to guarantee a level of protection substantially equivalent to that required by EU law.
In addition, the data are processed by the Data Controller's employees - who belong to the business functions responsible for the pursuit of the above-mentioned purpose - who have been expressly authorized to process and who have received appropriate operating instructions.
5. RIGHTS OF THE INTERESTED PARTY
The interested party may exercise the rights referred to in articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain from the Data Controller confirmation that personal data concerning him or her is being processed and, in this case, access to them and to the information referred to in art. 15, the correction of inaccurate data, the integration of incomplete data, the cancellation of data in the cases provided for by art. 17, the limitation of processing in the cases provided for by art. 18 GDPR.
Furthermore, if the processing is based on consent or contract and is carried out with automated tools, the interested party has the right to receive the data in a structured format, commonly used and readable by an automatic device, as well as, if technically feasible, to transmit them to another owner without hindrance (right to “data portability”).
To exercise their rights, the interested party may contact the Data Controller at the contact points indicated in paragraph 1.
The interested party has the right to lodge a complaint with the competent Supervisory Authority in the Member State in which he usually resides or works or the State in which the alleged violation occurred.