Privacy Policy

With this document (“Policy”), the Data Controller, as defined below, wishes to inform you about the purposes and methods of processing your personal data, as well as the rights granted to you under Regulation (EU) 2016/679 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data (“GDPR”). This Policy may be supplemented by the Data Controller should any additional services you request require further processing.

Data Controller

KEY5 DI DELBONO NICOLA

  • Address: VIA GIUSEPPE VERDI 3/C, 25038 Rovato (Brescia), Italy
  • Phone: +39 0302077122
  • Email: [email protected]
  • VAT/Tax Code: 02085470983

Types of Data Processed

The processing activities involve the collection of the following personal data:

  • Behavioral Data: Browsing logs.
  • Common Data: Personal details, pseudo-anonymized data.
  • Financial Data: Banking details.

Categories of Data Subjects

The processing activities concern the following categories of data subjects:

  • Web Users

Purpose of Processing and Legal Basis

1. E-commerce

The processing of personal data is necessary to gather the information required to conclude and execute the contract entered into with the Data Controller for the sale of design items, furniture accessories, lamps and lighting accessories, furniture for indoor and outdoor spaces for homes, offices, and contracts, as well as tableware and kitchen items.

  • Legal Basis: Contract Execution – Art. 6, para. 1, letter b, GDPR
  • Purpose of Processing:
    1. Execution and management of the contract entered into with the Data Controller.
    2. Collection of preliminary information for contract conclusion.
    3. Communications related to the execution or conclusion of the contract via various channels such as phone, email, instant messaging (e.g., WhatsApp), and postal mail.
  • Nature of Data Provision: Mandatory. Failure to provide data will make it impossible for the Data Controller to execute the contract.
  • Retention Period: Data used for contract execution will be processed for the duration of the existing relationship with the Data Controller. Data collected for evaluating contract conclusion, in case of failure, will be deleted within 6 months.
  • Processing Methods: Primarily conducted using electronic tools.

2. Clients – Legal Compliance

The processing of personal data is necessary to comply with obligations established by laws, regulations, or EU regulations, or by supervisory/control bodies or other authorized authorities.

  • Legal Basis: Legal Obligation – Art. 6, para. 1, letter c, GDPR
  • Purpose of Processing:
    1. Retention of accounting and administrative documents in paper form.
    2. Retention of accounting and administrative documents in digital form.
    3. Digital retention of issued/received invoices (electronic invoicing).
  • Nature of Data Provision: Mandatory. Failure to provide data will make it impossible for the Data Controller to execute the contract.
  • Retention Period: Personal data will be processed for the time required to fulfill legal obligations. Generally, data will be retained for 10 years starting from the termination of the contract or from a binding decision by a competent authority. Certain data categories may be retained for longer as required by law.
  • Processing Methods: Primarily conducted using electronic tools.

3. Clients – Marketing

The transmission of commercial offers promoted by the Data Controller.

  • Legal Basis: Consent – Art. 6, para. 1, letter a, GDPR
  • Purpose of Processing:
    1. Sending commercial newsletters to clients’ and/or potential clients’ email addresses.
    2. Sending instant messages through tools such as SMS, WhatsApp, and Telegram.
  • Nature of Data Provision: Optional. Failure to provide data will make it impossible for the data subject to receive promotional messages from the Data Controller.
  • Retention Period: Data will be deleted immediately upon contract termination or withdrawal of consent. Data related to prospects, for whom a contract is not finalized, will be deleted within 24 months of registration.
  • Processing Methods: Primarily conducted using electronic tools.

4. Website – Browsing Data

To derive anonymous statistical information on usage, monitor the correct functioning of the site, and ascertain responsibility in case of hypothetical computer crimes against the Data Controller.

  • Legal Basis: Legitimate Interest – Art. 6, para. 1, letter f, GDPR
  • Purpose of Processing:
    1. Data analysis for updates and maintenance of the website.
    2. Ascertaining responsibility in case of potential computer crimes against the website and/or data subjects.
    3. Anonymous statistical analysis of website usage.
  • Nature of Data Provision: Mandatory. Failure to provide data will make it impossible for the company to provide the web service offered.
  • Retention Period: Data is retained for 30 days.
  • Processing Methods: Conducted using electronic tools.

5. Clients – Marketing for Similar Products

The transmission of newsletters regarding similar products already purchased by clients.

  • Legal Basis: Soft Spam – Art. 130, para. 4
  • Purpose of Processing:
    1. Sending commercial offers related to similar products already purchased or requested by clients.
  • Nature of Data Provision: Optional. Failure to provide data will make it impossible for the data subject to receive newsletters about promotions from the Data Controller.
  • Retention Period: Data will be deleted immediately upon contract termination or objection to processing.
  • Processing Methods: Primarily conducted using electronic tools.

6. Website – User Requests

Processing requests submitted by users through the website.

  • Legal Basis: Contract Execution – Art. 6, para. 1, letter b, GDPR
  • Purpose of Processing:
    1. Sending requests through the web platform.
  • Nature of Data Provision: Optional. Failure to provide data will make it impossible for the Data Controller to respond to user requests.
  • Retention Period: Data is processed for the time necessary to fulfill the request.
  • Processing Methods: Conducted using electronic tools.

7. Website – Service Use and Reserved Area

Access to services offered through the website’s reserved area.

  • Legal Basis: Contract Execution – Art. 6, para. 1, letter b, GDPR
  • Purpose of Processing:
    1. Registration within the reserved area.
    2. Access to services provided through the reserved area.
  • Nature of Data Provision: Optional. Failure to provide data will make it impossible for the Data Controller to provide services through the reserved area.
  • Retention Period: Data is retained until user account deletion.
  • Processing Methods: Conducted using electronic tools.

8. Google Fonts

Personal data is used to improve the accessibility of website content through the Google Fonts service. Google Fonts optimizes website loading speeds, reduces transmitted data volumes, and ensures proper text display across platforms.

  • Legal Basis: Legitimate Interest – Art. 6, para. 1, letter f, GDPR
  • Purpose of Processing:
    1. Utilizing CSS files provided by Google Fonts to enhance website and app styling.
  • Nature of Data Provision: Mandatory. Objection may result in reduced content accessibility.
  • Retention Period: For data retention details, refer to Google’s Privacy Policy: https://policies.google.com/privacy
  • Processing Methods: Google Fonts is a service provided by Google as an independent Data Controller. No cookies are stored in the browser. Files are delivered through Google’s domains fonts.googleapis.com and fonts.gstatic.com. For further details, consult Google’s Privacy Policy.

Data Transfers Outside the EU

Personal data may be processed outside the EU in non-EEA countries. Safeguards include Standard Contractual Clauses and ad hoc contractual provisions (Art. 46 GDPR). To obtain a copy of the safeguards, contact the Data Controller.

Data Recipients

  • Data Processors: Providers, Cloud Services.
  • Independent Data Controllers: Banking Institutions.

Data Subject Rights and Complaints

Under GDPR (Articles 15 to 22), you have the following rights:

  • Right of Access: Obtain confirmation about data processing and access your personal data.
  • Right to Rectification: Correct inaccurate or incomplete personal data.
  • Right to Erasure (Right to be Forgotten): Request deletion of personal data under certain conditions.
  • Right to Restriction of Processing: Limit processing under specific circumstances.
  • Right to Data Portability: Receive and transfer personal data to another controller.
  • Right to Object: Oppose processing based on your specific situation, particularly for marketing purposes.

If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. You also have the right not to be subject to decisions based solely on automated processing, including profiling.

For complaints, you may contact the Italian Data Protection Authority: http://www.garanteprivacy.it.

To exercise your rights, contact the Data Controller using the details provided above.