Privacy Policy
NOTICE ON THE PROCESSING OF PERSONAL DATA
1. Introduction
Pursuant to Articles 13 and 14 of the General Data Protection Regulation 2016/679 (“the Regulation”), ALTROMERCATO IMPRESA SOCIALE SOC. COOP., with registered office in Bolzano (BZ), via Francesco Crispi 9 – Tax Code and VAT number: IT01337600215, registered with the Chamber of Commerce, Industry, Crafts, Tourism and Agriculture of Bolzano – REA BZ 116817, certified email address: altromercato@pec.it, email: ecommerce@altromercato.it, owner of the website https://shop.altromercato.it, in its capacity as Data Controller, provides users with information concerning the processing of their personal data. The term “personal data” refers to the definition contained in Article 4(1) of the Regulation, namely “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity” (hereinafter, the “Personal Data”). The Regulation provides that, before processing Personal Data – understood in accordance with Article 4(2) of the Regulation as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (hereinafter, the “Processing”) – the data subject must be informed of the reasons for which such data are requested and how they will be used. 
Users may contact the Data Controller at any time for information relating to the processing of their personal data at the following email address: ecommerce@altromercato.it. Processing may be carried out using manual procedures or electronic tools. All Processing activities undertaken by the Data Controller adhere to the principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, data minimisation, accuracy, integrity and confidentiality.
2. Types of data processed and purposes of processing
i. The personal data processed by the Data Controller include the following:
- Data voluntarily provided by the user: all personal data freely provided by the user on the website https://shop.altromercato.it, for example, when creating an Altromercato account, contacting us by email, or subscribing to our newsletter;
- Data collected during website browsing: (e.g., IP addresses, session identifiers, device identifiers, device brand and model, operating system parameters, type and quality of connection used such as mobile or Wi-Fi). This information is used by the Data Controller to produce aggregated statistics and verify the website’s proper functioning;
- Data collected to allow registration on the website: use of services reserved for registered users and management of the user account. The platform hosting the website also allows registered users to associate past purchases made on the website with their account, even without prior log-in or even if the purchase occurred before registration, using the email address provided during registration as a unique identifier. This function enables users to view the order history associated with their account, regardless of whether the purchase was made after logging in or before registration, provided that the email used for the order matches the email associated with the account.
ii. Categories of personal data collected by the Data Controller:
- Identification and contact data such as, by way of example, first name, last name, address, email, phone number, etc., necessary to identify the user when accessing services offered on the website (e.g., account creation, billing, shipping, etc.);
- In the case of newsletter subscription: first name, last name, email, and date of birth (the latter to allow the sending of a birthday email containing a dedicated discount voucher);
- In the case of profiling, subject to the user’s optional consent: first name, last name, gender (if provided), date of birth; purchase data (frequency, quantity, type, amount, shipping address, phone number, payment method); purchase channels (e.g., website and/or physical stores); browsing data (e.g., IP address, pages and products viewed);
- Historical data relating to the user’s interactions with the Data Controller.
iii. Purposes of processing
Personal data provided by the user may be processed for the following purposes:
A) Provision of services offered on the website https://shop.altromercato.it, including user registration;
B) Statistical purposes using anonymised data;
C) Sending newsletters, subject to the user’s explicit consent;
D) Marketing: sending commercial communications, including discount vouchers and promotions, relating to products and services of the Data Controller or third parties, and conducting market research (Customer Satisfaction) via email, SMS or telephone;
E) Profiling: with the user’s explicit consent, Altromercato processes personal data to monitor and track user behaviour on the website (e.g., pages viewed, products), monitor and track purchase data (e.g., types of products purchased, purchase frequency and volume, etc.) in stores and/or on the website; analyse and process data to identify patterns and group users into “clusters” (categories of customers with shared characteristics); and/or send, via email, SMS, telephone or website display, personalised offers relevant to the cluster to which the user belongs;
F) Compliance with legal obligations under applicable national or EU law;
G) Establishment, exercise or defence of legal claims by the Data Controller.
3. Legal basis
The legal basis for the processing of personal data is the performance of a contract for the purposes referred to under point A). No user consent is required for the anonymised processing of data for the purposes under point B). For point C), the legal basis is the optional and revocable consent of users aged 16 or older. For point D), the legal basis is the user’s consent pursuant to Article 6(1)(a) of the Regulation. For point E), the legal basis is the explicit consent of the user pursuant to Article 6(1)(a) of the Regulation. For point F), the legal basis is the need to comply with legal obligations; for point G), the legal basis is the Data Controller’s legitimate interest. Users may object to or restrict the processing at any time by contacting the Data Controller at ecommerce@altromercato.it.
4. Mandatory and optional nature of data provision and consent
Providing personal data is optional. However, some data marked as mandatory (e.g., first name, last name, phone number, email) are necessary in order to allow the Data Controller to provide the services offered on the website. Failure to provide such data will prevent the user from registering on the website and accessing services reserved for registered users. Likewise, some data (first name, last name, email) are required for registration and service provision. Failure to provide them will prevent registration and use of the related services. Providing data for marketing and profiling purposes is optional. The Data Controller also performs statistical analyses using aggregated data to better understand how users interact with the website and to improve the services offered. With the user’s consent, such data also enable the Data Controller to send newsletters. Users may object to or restrict processing at any time by contacting the Data Controller at ecommerce@altromercato.it.
5. Data disclosure
Users’ Personal Data may be shared, for the purposes indicated above, with:
- Individuals authorised by the Data Controller to process personal data for activities strictly related to service provision, who are bound by confidentiality obligations (e.g., employees, collaborators, professionals, system administrators);
- Third parties involved in the management of the website, typically acting as Data Processors. A complete list of Data Processors can be requested at: ecommerce@altromercato.it;
- Providers of systems for the sending of electronic communications, including newsletters;
- Entities to whom the personal data must be disclosed in compliance with legal obligations or orders issued by authorities.
Personal data are processed using a centralised database through IT and telematic tools. The database is accessible only to authorised personnel – including employees or other collaborators – who may need to access the data for advertising mailings, order fulfilment or other contract-related purposes. Third-party service providers may also access the data when strictly necessary. All authorised personnel receive specific processing instructions which they must follow.
PayPlug: The website allows users to purchase products using the PayPlug payment service. The user will be redirected to a page external to the website, where they must provide personal data requested by PayPlug—acting as an independent Data Controller—to complete the transaction. The relevant privacy policy is available at: https://www.payplug.com/it/politica-di-confidenzialita/ . Personal data do not transit through the website’s servers. Processing of such data is necessary to complete the online purchase. Failure to provide them will prevent completion of the transaction. Further information and terms are available at https://www.payplug.com/it/
PayPal: Once the order is confirmed, the customer will be redirected to the PayPal website to complete payment via their account or via credit/prepaid card, depending on the methods accepted by PayPal (https://www.paypal.com).
Satispay: Upon confirming the order on the website, the user will be redirected to Satispay’s secure servers to complete payment according to the methods accepted by Satispay (https://www.satispay.com/it-it/).
With regard to payment card data, processing is necessary to allow completion of the online purchase. Failure to provide such data will prevent the user from completing the transaction.
6. Transfer of personal data
Users’ personal data will be processed within the European Union. If, for technical or operational reasons, it becomes necessary to rely on entities located outside the EU, such entities—where processing personal data on behalf of the Data Controller—will be appointed as Data Processors pursuant to Article 28 of the Regulation. Transfers will take place in accordance with one of the mechanisms provided by law, such as: (i) an adequacy decision by the European Commission; (ii) adherence to international data transfer frameworks (e.g., the EU-US Data Privacy Framework) pursuant to Article 45(3); or (iii) the adoption of Standard Contractual Clauses pursuant to Article 46.
7. Data retention
The Data Controller retains personal data for the duration of the contractual relationship and thereafter only for the time strictly necessary depending on the purposes for which they were collected. At the end of such period, personal data will be erased, deleted or anonymised, in accordance with technical procedures for data deletion and backup.
To unsubscribe from the newsletter, users may click “Unsubscribe” in the footer of the email. In case of technical issues, users may write to: ecommerce@altromercato.it.
Personal data processed for compliance with legal obligations will be retained for the period required by applicable law.
Personal data processed for marketing purposes will be retained until withdrawal of consent and for up to 24 months from the date of provision. This period renews each time a registered user makes a purchase or logs into the reserved area. Once consent is withdrawn, data will no longer be used for such purposes, though the Data Controller may retain them to protect its rights.
Personal data processed for profiling purposes will be retained until withdrawal of consent and for up to 12 months from the date of provision. Users may withdraw consent or restrict its scope at any time by writing to the Data Controller: ALTROMERCATO IMPRESA SOCIALE SOC. COOP., via Francesco Crispi 9, Bolzano (BZ), certified email: altromercato@pec.it, email: ecommerce@altromercato.it.
Personal data processed to prevent abuse and/or fraud will be retained only for the time strictly necessary for such purpose.
8. Data subject rights – Complaint to the supervisory authority
As provided by Article 15 of the Regulation, data subjects may access their personal data, request rectification and updating if incomplete or inaccurate, request deletion where data have been processed unlawfully, and object to processing on legitimate grounds. Below is a summary of all rights exercisable at any time with respect to the Data Controller:
- Right of access: under Article 15(1), the right to obtain confirmation of whether personal data is being processed, and, if so, access to such data and related information: (a) purposes of processing; (b) categories of personal data; (c) recipients or categories of recipients; (d) retention period or criteria used to determine it; (e) the existence of rights to rectification, erasure or restriction; (f) the right to lodge a complaint with a supervisory authority; (g) source of the data if not collected from the data subject; (h) the existence of automated decision-making, including profiling, and meaningful information about its logic and consequences. All such information is available in this Privacy Notice and the Privacy section of the website.
- Right to rectification: under Article 16, the right to obtain correction of inaccurate personal data and integration of incomplete data.
- Right to erasure (“right to be forgotten”): under Article 17(1), the right to obtain erasure of personal data without undue delay where one of the following grounds applies: (a) data are no longer necessary for the purposes for which they were collected; (b) consent is withdrawn and no other legal basis exists; (c) the data subject objects to processing under Article 21(1) or (2) and no overriding legitimate grounds exist; (d) data have been unlawfully processed; (e) erasure is required by EU or national law. As specified in Article 17(3), erasure may not be carried out where necessary, for example, for freedom of expression, legal obligations, public interest, scientific research, statistical purposes, or legal claims.
- Right to restriction of processing: under Article 18, this right applies where: (a) the accuracy of data is contested; (b) processing is unlawful and the data subject requests restriction rather than erasure; (c) data are needed for legal claims; (d) an objection is raised and verification of overriding legitimate grounds is pending. In such cases, data may be processed only with consent or for legal claims, protection of others’ rights, or important public interest.
- Right to data portability: under Article 20(1), the right to receive personal data in a structured, commonly used and machine-readable format, and transmit it to another controller. The data subject must provide the details of the new controller in writing.
- Right to object: under Article 21(2), the right to object at any time to processing of personal data for direct marketing purposes, including profiling related to such marketing.
- Right to lodge a complaint with a supervisory authority: without prejudice to other administrative or judicial remedies, users may lodge a complaint with the competent Data Protection Authority if they believe processing is in violation of the Regulation. For Italy: the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali): http://www.garanteprivacy.it.
These rights may be exercised at any time by writing to the Data Controller: ALTROMERCATO IMPRESA SOCIALE SOC. COOP., via Francesco Crispi 9, Bolzano (BZ), certified email: altromercato@pec.it, email: ecommerce@altromercato.it.
9. Data security
Personal data will be processed using automated tools for the time strictly necessary to achieve the purposes for which they were collected, in compliance with the principles of necessity and proportionality, and avoiding processing where anonymous data or alternative means suffice. The Data Controller has implemented specific security measures to prevent the loss of personal data, unlawful or incorrect use, and unauthorised access.
10. Amendments to this privacy policy
The Data Controller periodically reviews its privacy and security policies and may amend them in line with regulatory, organisational or technological developments. Any updates will be published on this page of the website. The Data Controller uses technical and profiling cookies to collect and access information stored on the user’s device. For further details, please refer to the extended cookie policy available on our website.




