Privacy policy

This Privacy Policy provides users of the website https://www.fornasetti.com/it/it/ (hereinafter, respectively, the "Users" and the "Website") with as comprehensive an overview as possible regarding the processing of their personal data, as described below, through the Website, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Italian legislation on the protection of personal data (together with the GDPR, hereinafter referred to as the "Applicable Legislation").

This Privacy Policy applies exclusively to the Website and does not concern any websites or platforms to which the Website may link.

This Website and any services offered through the Website are reserved for individuals who are at least 18 years of age. The Data Controller therefore does not collect personal data relating to individuals under the age of 18. At the request of Users, the Data Controller will promptly delete any personal data unintentionally collected relating to individuals under the age of 18.

1. DATA CONTROLLER

Pursuant to the GDPR, the data controller is the person who, alone or in collaboration with others, defines the purposes and means of personal data processing. The data controller in relation to the Website is Immaginazione S.r.l., with registered office in Via Bazzini 14, 20131 – Milan, VAT number 09676180152 (the "Controller").

For any information regarding this privacy policy, Users may contact the Data Controller at any time using the following methods:

• By sending a registered letter with return receipt to the registered office of the Data Controller at Via Bazzini 14, 20131 – Milan;
• By sending an email toprivacy@fornasetti.com.

2. PERSONAL DATA: PURPOSE OF PROCESSING

The term "personal data" refers to any information relating to an identified or identifiable natural person, even indirectly. In particular, the Data Controller lawfully processes Users' personal data for the following purposes:

a) Management of navigation on the Website

The Data Controller collects browsing data, by automatic means, in order to enable and improve the User's browsing on the Website. Browsing data includes all personal data whose transmission is implicit in the use of Internet communication protocols, which the computer systems and software procedures used to operate the Website acquire during their normal operation, such as: IP address, date/time of visit and duration, any referral URLs, pages visited on the Website, device used, and other information.

The processing of such personal data allows Users to access the Site and take full advantage of its features and services. In addition, browsing data may be used to verify that the Site is functioning properly. From time to time, browsing data is anonymized and processed for statistical purposes.

Without prejudice to the provisions elsewhere in this privacy policy, under no circumstances will the Data Controller make Users' personal data accessible to other Users and/or third parties.

In this case, the legal basis for the processing of personal data is Article 6(1)(b) of the GDPR (performance of a contract to which the data subject is party).

b) Order Management

In order to complete an order, the Website requires the User to provide certain personal data for the purpose of managing the purchase order placed and complying with the contractual obligations with the User. Such personal data includes, for example: first and last name, email address, delivery address, payment details, etc.

This personal data is also essential to enable Customer Service to assist the User with any requests and for any related needs, before or after the sale (for example, regarding the delivery status of the order or product returns).

Failure to provide the personal data requested to complete the order will prevent the User from completing the order on the Site.

The Data Controller may also verify the validity of the payment instruments used by customers for purchases on the Website (e.g., credit or debit cards, etc.), mainly to prevent fraudulent activity or in accordance with anti-money laundering regulations. As this activity is delegated to duly authorized third parties, the Data Controller does not process or store financial information relating to customers and payment instruments.

In this case, the legal basis for the processing of personal data is Article 6(1)(b) of the GDPR (performance of a contract to which the data subject is party).

c) Registration on the Website

When the User decides to create and register a personal account on the Website, they are asked to provide personal data, such as: first name, last name, email address, date of birth, gender, etc. The Website clearly indicates which personal data is necessary (or not) to set up a Website account.

The User is required to provide truthful and accurate personal data at the time of registration and is invited to keep it up to date by accessing their personal account to make any necessary changes.

Unless the User gives the Data Controller specific and optional consent to process their data for the additional purposes set out in the following paragraphs, the User's personal data will be used by the Data Controller for the sole purpose of verifying the User's identity (including through email address validation), thus preventing possible fraud or abuse, and contacting the User for service reasons only (e.g., sending notifications regarding the services offered on the Website).

In this case, the legal basis for the processing of personal data is Article 6, point 1. letter b) of the GDPR (performance of a contract to which the data subject is party).

d) Soft spam

The Data Controller may send Users who have made purchases on the Website, by email and without the need to request their consent, informational and commercial communications about products similar to those already purchased, or belonging to the same product category, as well as requests for feedback.

Users may always object to the sending of such communications, easily and free of charge, by clicking on the "unsubscribe" link at the bottom of each email, as well as by the ordinary methods indicated in paragraph 8 below (in this case, this purpose of processing will be pursued by the Data Controller without the need to obtain the User's consent, in line with the exception provided for in Article 130, paragraph 4, of Legislative Decree No. 196/2003, without prejudice to the aforementioned possibility for the User to object easily).

In this case, the legal basis for the processing of personal data is Article 130, paragraph 4 of Legislative Decree No. 196/2003.

e) Marketing communications

On the Website, the User may opt to receive commercial communications from the Data Controller (sending of advertising material, direct sales, commercial communications, or e s for sending newsletters containing information on news in the product sector to which the Data Controller belongs, news relating to the Website, and/or products offered by the Data Controller on the Website ), which for this purpose will process personal data such as, for example, name, surname, address, and email address.

The Data Controller always obtains the User's explicit, free, and unambiguous consent before sending marketing communications or, more generally, before undertaking dedicated marketing initiatives.

The User can always easily revoke their consent to receive commercial communications in the following ways:

• through their account settings;
• by clicking on the "unsubscribe" link in any of these emails;
• by contacting our Customer Service.

In this case, the legal basis for the processing of personal data is Article 6, point 1. letter a) of the GDPR (consent of the data subject).

Failure to give consent will not affect the ability to use and/or register on the Website in any way. If consent is given, the User may revoke it at any time by submitting a request to the Data Controller in the manner indicated in paragraph 8.

f) Profiling

Based on the User's explicit consent, the Data Controller may process the User's personal data (i.e., personal and contact details, as well as information relating to the services in which the User has expressed an interest) also for the purpose of identifying and defining the User's tastes and preferences, purchasing habits, and interests, so that it can send commercial communications consistent with the identified profile, as well as improve its product offering to the User.

In this case, the legal basis for the processing of personal data is the consent of the data subject to the processing of their personal data (Article 6, point 1. letter a) of the GDPR.

In the event of failure to consent, the possibility of using and/or registering on the Website will not be affected in any way. In the event of consent, the User may revoke it at any time by submitting a request to the Data Controller in the manner indicated in paragraph 8.

g) Administrative and accounting purposes

The Data Controller may process Users' personal data in the context of organizational, administrative, financial, and accounting activities, such as internal organizational activities and activities functional to the fulfillment of contractual and pre-contractual obligations.

In this case, the legal basis for the processing of personal data is Article 6, point 1. letter b) of the GDPR (performance of a contract to which the data subject is party and/or performance of pre-contractual measures at the User's request).

h) Legal obligations

The Data Controller may process Users' personal data in order to comply with obligations imposed by law, by an authority, by a regulation, or by European legislation.

In this case, the legal basis for processing is Article 6(1)(c) of the GDPR, as processing is necessary for compliance with a legal obligation to which the Data Controller is subject.

i) Protection of the rights and interests of the Data Controller

Users' personal data may also be processed by the Data Controller for the protection of the Data Controller's rights and interests, in court and/or out of court, as well as in administrative proceedings or in other cases, as provided for by law.

For this processing activity, the legal basis is Article 6, paragraph 1, letter f) of the GDPR, as the processing is necessary for the pursuit of the legitimate interest of the Data Controller and, specifically, to allow the Data Controller to ascertain, exercise, or defend a right or interest of the Data Controller or a third party (including the Users themselves) in court and/or out of court.

3. Mandatory provision

The provision of data relating to Users' browsing, for the purposes mentioned above, depends on the level of privacy that the User has enabled or disabled through their browser. In some cases, disabling this feature may affect browsing on this Website. For certain forms on this Website, the provision of browsing data and/or the use of technical cookies is mandatory for the proper functioning of the Website itself.

The provision of certain personal data is in any case necessary for the structure of the Website and its procedures. Any request for other optional data will be preceded by a specific approval check box. The provision of all other data is optional, depending on the type of information the User wishes to provide to the Website.

Without prejudice to the above, for example, the provision of an email account is necessary in order to respond to requests made via the contact form, as are other mandatory data indicated with an asterisk. Other data is optional.

Failure to provide the data necessary for the requested action (e.g., your email account via the form for requesting information by this means) will make it impossible for the Data Controller to process the request.

PROVISIONS APPLICABLE TO ALL PROCESSING

In any case, even if the data subject has given consent to authorize the Data Controller to pursue all the purposes mentioned in the points above, they will remain free to revoke it at any time.

We specifically and separately inform you, as required by Article 21 of the Regulation, that you have the right to object at any time to the processing of your personal data for the purposes mentioned above and that, if you object to the processing, your personal data may no longer be processed for those purposes.

4. COOKIES

Information about the cookies used on the Website is available at the following link: [https://www.shopify.com/it/legal/cookies].

5. SHARING AND TRANSFER OF PERSONAL INFORMATION

The User's personal data may be transferred outside the European Union and, in this case, the Data Controller will ensure that the transfer takes place in accordance with the Applicable Regulations and, in particular, in accordance with Articles 45 (Transfer based on an adequacy decision) and 46 (Transfer subject to appropriate safeguards) of the Regulation.

The personal data of Users may be disclosed to employees and/or collaborators of the Data Controller who are responsible for managing the Website and User requests. These individuals, who have been instructed by the Data Controller in accordance with Article 29 of the Regulation, will process User data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Regulations.

Third parties who may process personal data on behalf of the Data Controller as Data Processors may also become aware of Users' personal data, such as, for example, IT and logistics service providers functional to the operation of the Website, outsourcing or cloud computing service providers, professionals, and consultants.

Users have the right to obtain a list of any data processors appointed by the Data Controller by submitting a request to the Data Controller in the manner indicated in paragraph 8.

6. CONNECTION TO THIRD-PARTY PLATFORMS

In some cases, the Website may contain links to third-party platforms, such as payment service providers, which act as independent data controllers in the provision of their services. The Data Controller cannot control or be held responsible for the conduct of such platforms in relation to personal data protection legislation. Users are invited to read the privacy policies of these platforms to verify how they collect, store, or process personal data.

1. Apple Pay

2. Google Pay

3. PayPal

4. Klarna

5. Zendesk

7. Social media plug-ins

This website may contain plug-ins from certain social media platforms (e.g., Facebook). Social plug-ins are special tools that allow social network features to be incorporated directly into the website (e.g., Facebook's "Like" button) and are marked with the logo of the respective social media platform. When you visit a page on this website and interact with the plug-in (e.g., by clicking the "Like" button) or decide to leave a comment, the corresponding information is transmitted from your browser directly to the social network platform (in this case, Facebook) and stored there. For information on the purposes, type, and methods of collection, processing, use, and storage of personal data by the social network platform, as well as the methods by which you can exercise your rights, please consult the social network's privacy policy.

8. PROCESSING METHODS AND SECURITY MEASURES

Users' personal data is processed by the Data Controller using computerized, automated, and electronic tools and, in limited cases, using documentary means. In accordance with the GDPR, specific security measures have been implemented to prevent data loss, illicit or incorrect use, and unauthorized access.

Only persons authorized by the Data Controller or by suppliers, in their capacity as Data Processors, have access to personal data relating to the activities of the Website. Instructions and security measures have been defined in agreements or specific appointments of Data Processors to ensure that the level of security required by the GDPR is always guaranteed during the processing of personal data relating to the activities on the Website.

Security measures have been adopted in the settings and processing carried out through the Website to prevent the loss, destruction, or dissemination of personal data; at the same time, security risks related to online data transmission cannot be excluded.

9. STORAGE OF PERSONAL DATA

The personal data of Website Users will be stored for the time strictly necessary to fulfill the primary purposes outlined in paragraph 2 above, or in any case as necessary for the civil protection of the interests of both Users and the Data Controller.

In the cases referred to in letters e) and f) of paragraph 2, Users' personal data will be stored for the time strictly necessary to fulfill the purposes described therein and, in any case, until the User revokes their consent .

Personal data collected through the customer service (e.g., requests for assistance, complaints, communications via contact forms or email) will be stored for a maximum period of 3 years from the final response to the request, in order to manage any disputes, protect the Data Controller in the event of disputes, and demonstrate the proper fulfillment of contractual and pre-contractual obligations. This storage is based on the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, letter f) of the GDPR.

The above terms do not apply in cases where it is necessary to retain the data for a longer period of time in order to defend or assert a right or to comply with any legal obligations or orders from the Authorities.

10. THE RIGHTS OF DATA SUBJECTS

Users, as data subjects, have the right to receive confirmation as to whether the Data Controller holds data relating to them.

In this circumstance, pursuant to the GDPR, the User, as a data subject, also has the right to:

• be informed about the collection and use of personal data concerning them;
• obtain access to personal data and related information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organizations; the envisaged period for which the personal data will be stored or the criteria used to determine that period;
• request the Data Controller to correct, update, or, where interested, supplement the personal data concerning them;
• request the Data Controller to delete, anonymize, or restrict the personal data concerning him/her;
• the portability of data, i.e. to receive in a structured, commonly used and machine-readable format the personal data concerning him/her provided to the Data Controller;
• the right to object:
  • in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if pertinent to the purpose of collection;
  • in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication;
  • if personal data are processed for direct marketing purposes, at any time, to the processing of their data carried out for such purposes, including profiling to the extent that it is related to such direct marketing.
• to withdraw consent to the processing of personal data at any time, where requested and provided, without prejudice to the lawfulness of processing prior to withdrawal;
• lodge a complaint with the Data Protection Authority, Piazza di Montecitorio n. 121, 00186, Rome (RM).

Users may contact the Data Controller for any request and to exercise their rights regarding the protection of personal data:

• By sending a registered letter with return receipt to the Data Controller's registered office at Via Bazzini 14, 20131 – Milan;
• By sending an email to privacy@fornasetti.com

Appointed/Authorized Persons, Data Processors

Below we provide some information that you need to be aware of, not only to comply with legal obligations, but also because transparency and fairness towards data subjects is a fundamental part of our business.

Appointed/Authorized Persons. The updated list of persons appointed/authorized to process data is kept at the Data Controller's headquarters.

Processing managers.

The updated list of data processors is available upon request from the Data Controller.

11. CHANGES TO THIS PERSONAL DATA PROTECTION POLICY

Any future changes to this Privacy Policy will be published on the Website and, where necessary, notified to Users by email. Users are invited to review this Privacy Policy frequently to check for any updates or changes.