PRIVACY POLICY
INFORMATION PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (“GDPR”) - ONLINE SALES
Below is the information required by the GDPR regarding the processing of personal data provided for the purpose of purchasing Carpisa products (hereinafter, the “Products”) on the e-commerce website www.Carpisa.com (hereinafter, the “Site”), as better described in the general terms and conditions of sale.
1. Identity and contact details of the data controller
Kuvera Spa, tax code and VAT number 07563710636, with registered office in Piazza dei Martiri n. 30, 80100 – Naples (NA) and operational headquarters in Interporto Lotto C, A19 – A20 – A2, 80035 - Nola (NA), email address privacy@pianofortegroup.com , certified email address kuvera@pec.it (hereinafter, “Data Controller”).
2. Purpose of processing, legal bases and data retention periods
Why are personal data processed? What is the legal basis that makes the processing lawful? How long do we retain personal data? a) To allow the purchase of Products on the Site. The execution of a contract to which the interested party is a party. For the entire duration of the contractual relationship and for the 10 years following, as the ordinary limitation period. b) To carry out administrative-accounting, tax and any other legal obligations. The fulfillment of a legal obligation to which the Data Controller is subject. In the event of litigation, for the entire duration of the same and until the terms for exercising appeals have expired. c) For the possible ascertainment, exercise or defense of the Data Controller's rights in and out of court (including credit protection). The legitimate interest of the Data Controller. d) To store credit card data and, therefore, facilitate the performance of further purchase transactions of the Products. The interested party's consent. Until the date card expiry date, without prejudice to the interested party's right to request the deletion of data at any time. e) To send promotional communications on Products similar to those being sold to the customer's email address. The so-called "soft spam" pursuant to art. 130, paragraph 4 of Legislative Decree 196/2003 ("Privacy Code"). Until the interested party objects (by clicking on the "unsubscribe" link at the bottom of each communication). f) To carry out profiled marketing activities: analysis of the behaviour and preferences of the interested parties inferred from the data provided by them in combination with data relating to online navigation on the Site (collected via cookies), in order to receive promotional content from the Data Controller that is more in line with their interests, via automated contact methods (such as email, instant messaging systems) and/or online advertising banners. The interested party's consent. For 4 years, without prejudice to the interested party's right to withdraw consent at any time.
After the retention periods indicated above, the data will be destroyed, deleted, or made anonymous, consistent with the technical deletion and backup timeframes.
3. Data provision
The data marked with an asterisk are required for purchasing the Products, while the other data are optional.
4. Categories of recipients.
The data may be disclosed to other third parties operating as independent data controllers, such as public authorities and professional firms.
The data may also be processed on behalf of the Data Controller by third parties designated as Data Processors pursuant to Art. 28 of the GDPR, such as natural and/or legal persons who perform activities related to the purposes indicated above (e.g., IT services, communication and marketing services, customer care), including those operating outside the European Union.
Specifically, the data will be transferred to the company responsible for managing and maintaining the Site, namely VTEX Ecommerce Platform Limited, located in the United Kingdom (a third country deemed adequate by the European Commission pursuant to Article 45 of the GDPR with a decision dated June 28, 2021), and may be transferred to its sub-processors located outside the EU. If these sub-processors are located in countries without an adequacy decision pursuant to Article 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to Article 46, paragraph 2, letter c) of the GDPR will be used as adequate safeguards, with the possible provision of "supplementary measures" to ensure a level of protection substantially equivalent to that required by EU law.
Furthermore, the data is processed by the Data Controller's employees - belonging to the company functions responsible for pursuing the aforementioned purpose - who have been expressly authorized to process it and who have received adequate operating instructions.
5. Rights of the interested party
The data subject may exercise the rights set forth in Articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the data and the information referred to in Article 15, the rectification of inaccurate data, the completion of incomplete data, the erasure of data in the cases provided for in Article 17, the restriction of processing in the cases provided for in Article 18 of the GDPR, and the right to object, for reasons related to his or her particular situation, to processing carried out in the legitimate interest of the data controller.
Furthermore, if the processing is based on consent or a contract and is carried out using automated tools, the data subject has the right to receive the data in a structured, commonly used, and machine-readable format, as well as, if technically feasible, to transmit them to another controller without hindrance (the right to data portability).
Furthermore, the data subject has the right to withdraw consent for marketing purposes at any time, as well as to object to processing for such purposes, including related profiling. In the case of communications sent via email, the data subject may also object by clicking the "unsubscribe" link at the bottom of each email.
To exercise these rights, the interested party may contact the Data Controller at the contact points indicated in paragraph 1.
The data subject has the right to lodge a complaint with the competent supervisory authority in the Member State in which he or she habitually resides or works, or in the State in which the alleged infringement occurred.
INFORMATION PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (“GDPR”) – REGISTRATION/USE OF THE WEBSITE
Below is the information required by the GDPR regarding the processing of personal data provided for the purpose of purchasing Carpisa products (hereinafter, the “Products”) on the e-commerce website www.Carpisa.com (hereinafter, the “Site”), as better described in the general terms and conditions of sale.
1. Identity and contact details of the data controller
Kuvera Spa, tax code and VAT number 07563710636, with registered office in Piazza dei Martiri n. 30, 80100 – Naples (NA) and operational headquarters in Interporto Lotto C, A19 – A20 – A2, 80035 - Nola (NA), email address privacy@pianofortegroup.com , certified email address kuvera@pec.it (hereinafter, “Data Controller”).
2. Purpose of processing, legal bases and data retention periods
Why is your personal data processed? What is the legal basis for processing it? How long do we retain your personal data? To allow the user to register on the Site and use the related services. The performance of a contract to which the data subject is a party. For the entire duration of the contractual relationship and for the following 10 years, which is the ordinary limitation period.
After the retention periods indicated above, the data will be destroyed, deleted, or made anonymous, consistent with the technical deletion and backup timeframes.
3. Data provision
The data marked with an asterisk are required for purchasing the Products, while the other data are optional.
4. Categories of recipients.
The data may be disclosed to other third parties acting as independent data controllers, such as public authorities and professional firms. The data may also be processed, on behalf of the Data Controller, by third parties designated as Data Processors pursuant to Art. 28 of the GDPR, such as natural and/or legal persons who perform activities related to the purposes indicated above (e.g., IT services, communication and marketing services, customer care), including those operating outside the European Union.
Specifically, the data will be transferred to the company responsible for managing and maintaining the Site, namely VTEX Ecommerce Platform Limited, located in the United Kingdom (a third country deemed adequate by the European Commission pursuant to Article 45 of the GDPR with a decision dated June 28, 2021), and may be transferred to its sub-processors located outside the EU. If these sub-processors are located in countries without an adequacy decision pursuant to Article 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to Article 46, paragraph 2, letter c) of the GDPR will be used as adequate safeguards, with the possible provision of "supplementary measures" to ensure a level of protection substantially equivalent to that required by EU law.
Furthermore, the data is processed by the Data Controller's employees - belonging to the company functions responsible for pursuing the aforementioned purpose - who have been expressly authorized to process it and who have received adequate operating instructions.
5. Rights of the interested party
The data subject may exercise the rights set forth in Articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the data and the information referred to in Article 15, the rectification of inaccurate data, the completion of incomplete data, the erasure of data in the cases provided for in Article 17, the restriction of processing in the cases provided for in Article 18 of the GDPR, and the right to object, for reasons related to his or her particular situation, to processing carried out in the legitimate interest of the data controller.
Furthermore, if the processing is based on consent or a contract and is carried out using automated tools, the data subject has the right to receive the data in a structured, commonly used, and machine-readable format, as well as, if technically feasible, to transmit them to another controller without hindrance (the right to data portability).
Furthermore, the data subject has the right to withdraw consent for marketing purposes at any time, as well as to object to processing for such purposes, including related profiling. In the case of communications sent via email, the data subject may also object by clicking the "unsubscribe" link at the bottom of each email.
To exercise these rights, the interested party may contact the Data Controller at the contact points indicated in paragraph 1.
The data subject has the right to lodge a complaint with the competent supervisory authority in the Member State in which he or she habitually resides or works, or in the State in which the alleged infringement occurred.
INFORMATION PURSUANT TO ART. 13 OF THE REG. (EU) 2016/679 (“GDPR”) - NEWSLETTER
Below is the information required by the GDPR regarding the processing of the email address (hereinafter, "Data") provided for the purpose of subscribing to the newsletter service, i.e. the periodic sending of email communications containing updates on products, offers and initiatives from the Carpisa world (hereinafter, "Newsletter Service").
1. Identity and contact details of the data controller
Kuvera Spa, tax code and VAT number 07563710636, with registered office in Piazza dei Martiri n. 30, 80100 – Naples (NA) and operational headquarters in Interporto Lotto C, A19 – A20 – A2, 80035 - Nola (NA), email address privacy@pianofortegroup.com , certified email address kuvera@pec.it (hereinafter, “Data Controller”).
2. Purpose of processing, legal bases and data retention periods
Why are personal data processed? What is the legal basis for processing? How long do we retain personal data? To provide the Newsletter Service. The performance of a contract to which the data subject is a party. Until you withdraw from the Newsletter Service as indicated in point 5 below.
Once the retention periods indicated above have elapsed, the Data will be destroyed, deleted, or made anonymous, consistent with the technical deletion and backup timeframes.
3. Data provision
The user is only asked for their email address, which is necessary to provide the Newsletter Service; therefore, any refusal to provide it will make it impossible to use the Newsletter Service.
The provision of a discount coupon on a user's first order merely serves as an incentive for users to subscribe to the Newsletter Service and learn more about the Data Controller's activities. It is understood that users are always permitted to cancel the Newsletter Service, without this preventing them from benefiting from the discount coupon.
4. Withdrawal from the Newsletter Service
To stop receiving emails from the Newsletter Service, the user can click on the unsubscribe link at the bottom of each email.
5. Categories of recipients.
The Data may be disclosed to third parties acting as independent data controllers, such as public authorities and professional firms. The Data may also be processed, on behalf of the Data Controller, by third parties designated as Data Processors pursuant to Art. 28 of the GDPR, such as natural and/or legal persons who carry out activities related to the purposes indicated above (e.g., IT services, mass mailing of communications), including those operating outside the European Union ("EU").
Specifically, the data will be transferred to the company responsible for managing and maintaining the Site, namely VTEX Ecommerce Platform Limited, located in the United Kingdom (a third country deemed adequate by the European Commission pursuant to Article 45 of the GDPR with a decision dated June 28, 2021), and may be transferred to its sub-processors located outside the EU. If these sub-processors are located in countries without an adequacy decision pursuant to Article 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to Article 46, paragraph 2, letter c) of the GDPR will be used as adequate safeguards, with the possible provision of "supplementary measures" to ensure a level of protection substantially equivalent to that required by EU law.
Furthermore, the Data is processed by the Data Controller's employees - belonging to the company functions responsible for pursuing the aforementioned purpose - who have been expressly authorized to process it and who have received adequate operating instructions.
6. Rights of the interested party
The data subject may exercise the rights set forth in Articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the data and to the information referred to in Article 15, the rectification of inaccurate data, the completion of incomplete data, the erasure of data in the cases provided for in Article 17, and the restriction of processing in the cases provided for in Article 18 of the GDPR. Furthermore, if the processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive the data in a structured, commonly used, and machine-readable format, and, if technically feasible, to transmit the data to another controller without hindrance (the right to data portability).
To exercise these rights, the interested party may contact the Data Controller at the contact points indicated in paragraph 1.
The data subject has the right to lodge a complaint with the competent supervisory authority in the Member State in which he or she habitually resides or works, or in the State in which the alleged infringement occurred.
INFORMATION PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (“GDPR”) - “CONTACT US” FORM
Below is the information required by the GDPR regarding the processing of personal data provided by completing the online "Contact Us" form and using the relevant customer care service.
1. Identity and contact details of the data controller
Kuvera Spa, tax code and VAT number 07563710636, with registered office in Piazza dei Martiri n. 30, 80100 – Naples (NA) and operational headquarters in Interporto Lotto C, A19 – A20 – A2, 80035 - Nola (NA), email address privacy@pianofortegroup.com , certified email address kuvera@pec.it (hereinafter, “Data Controller”).
2. Purpose of processing, legal bases and data retention periods
Why are personal data processed? What is the legal basis for processing? How long do we retain personal data? To respond to requests for information or assistance. To perform a contract to which the data subject is party. The data will be retained for the time necessary to process the request and in any case no longer than 1 year, unless further terms are required by law.
Once the retention periods indicated above have elapsed, the Data will be destroyed, deleted, or made anonymous, consistent with the technical deletion and backup timeframes.
3. Data provision
Providing the data marked with an asterisk is necessary to properly process your request; failure to provide it will prevent your request from being sent.
4. Categories of recipients.
The data may be disclosed to third parties acting as independent data controllers, such as public authorities and professional firms.
The data may also be processed, on behalf of the Data Controller, by third parties designated as Data Processors pursuant to Art. 28 of the GDPR, such as natural and/or legal persons who perform activities related to the purposes indicated above (e.g., IT services, customer care), including those operating outside the European Union ("EU").
Specifically, the data will be transferred to the company responsible for managing and maintaining the Site, namely VTEX Ecommerce Platform Limited, located in the United Kingdom (a third country deemed adequate by the European Commission pursuant to Article 45 of the GDPR with a decision dated June 28, 2021), and may be transferred to its sub-processors located outside the EU. If these sub-processors are located in countries without an adequacy decision pursuant to Article 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to Article 46, paragraph 2, letter c) of the GDPR will be used as adequate safeguards, with the possible provision of "supplementary measures" to ensure a level of protection substantially equivalent to that required by EU law.
Furthermore, the data is processed by the Data Controller's employees - belonging to the company functions responsible for pursuing the aforementioned purpose - who have been expressly authorized to process it and who have received adequate operating instructions.
5. Rights of the interested party
The data subject may exercise the rights set forth in Articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the data and to the information referred to in Article 15, the rectification of inaccurate data, the completion of incomplete data, the erasure of data in the cases provided for in Article 17, and the restriction of processing in the cases provided for in Article 18 of the GDPR. Furthermore, if the processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive the data in a structured, commonly used, and machine-readable format, and, if technically feasible, to transmit the data to another controller without hindrance (the right to data portability).
To exercise these rights, the interested party may contact the Data Controller at the contact points indicated in paragraph 1.
The data subject has the right to lodge a complaint with the competent supervisory authority in the Member State in which he or she habitually resides or works, or in the State in which the alleged infringement occurred.
Have a specific question or haven't found the answer you were looking for?
Fill out the contact form; the relevant office will receive your message directly and will respond promptly.