Privacy Policy

INFORMATION NOTICE REGARDING THE PROCESSING OF PERSONAL DATA OF ONLINE CLIENTS IN ACCORDANCE WITH EU REGULATION 2016/679 (“GDPR”)

DATA PROCESSORS: The following independent controllers

1. Hexagon S.p.A., via Giorgio e Guido Paglia n. 1/D, 24122 Bergamo, Italy, Fiscal Code and VAT no. 04058560162, e-mail: privacy.hexagon@percassi.com;
2. Percassi Retail S.r.L., via Giorgio e Guido Paglia n. 1/D, 24122 Bergamo, Italy, Fiscal Code and VAT no. 04307790164, e-mail: privacy.pr@percassi.com, only for the purposes under points 8., 9. and 10., if applicable

Hereafter, singularly or jointly, also the “Company/ies” or the “Controller/s”.
DATA PROTECTION OFFICER (“DPO”): the DPO may be contacted at the following e-mails:

• dpo.hexagon@percassi.com
• dpo.percassiretail@percassi.com

PERSONAL DATA PROCESSED
Navigation data (collected, for example, through pixels and/or cookies - with reference to the latter see the Cookie Policy which can be accessed from the link in the sidebar at the bottom of the page), as well as data obtained through the use of widgets/social buttons.
The computer systems and software procedures used to operate this Web Site acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated with identified interested parties, but which, by its very nature, could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check that it is functioning correctly, and are deleted immediately after processing, always subject to possible use to ascertain responsibility in the event of computer crimes to the detriment of the site.
The Company also processes the data provided directly by you through your possible creation of a personal account and your possible completion of additional sections on the website (by way of example but not limited to: personal data, contact details), as well as details of purchases made.
In the case of authentication via social log-in, the Company, always in compliance with the principle of necessity and proportionality, may process your personal data after receiving your authorization to the transfer of the same provided to the social network by means of which you may log in.

DATA PROCESSING PURPOSES

1. Provision of e-commerce services for online buying and selling of products (including any ancillary services that may be required, such as personal wishlist), shipping of purchased products, and order tracking.
   LEGAL BASIS OF PROCESSING: Performance of a contract to which you are a party.
   PERIOD OF DATA RETENTION: Contractual duration and, after termination, for the ordinary limitation period of 10 years.
   
2. Registration and creation of a personal account within the Site and/or apps (where available).
   LEGAL BASIS OF PROCESSING: Performance of a contract to which you are a party.
   PERIOD OF DATA RETENTION: Contractual duration and, after termination, for the ordinary limitation period of 10 years.
   
3. Membership in any loyalty programs and/or initiatives organized by the Company, including through social pages.
   LEGAL BASIS OF PROCESSING: Performance of a contract to which you are a party.
   PERIOD OF DATA RETENTION: Contractual duration and, after termination, for the ordinary limitation period of 10 years.
   
4. Management of reporting, complaints, and customer care activities, including through verification of your identity.
   LEGAL BASIS OF PROCESSING: Performance of a contract to which you are a party.
   PERIOD OF DATA RETENTION: Contractual duration and, after termination, for the ordinary limitation period of 10 years.
   
   
5. Standard operation of the website, operating system and IT environment
   LEGAL BASIS OF PROCESSING: Performance of a contract to which you are a party.
   PERIOD OF DATA RETENTION: Contractual duration and, after termination, for the ordinary limitation period of 10 years.
   
   
6. Fulfillment of obligations under regulations and applicable national and supranational legislation.
   LEGAL BASIS OF PROCESSING: Performance of a contract to which you are a party.
   PERIOD OF DATA RETENTION: For the duration of your browsing.
   
   
7. If necessary to ascertain, exercise or defend rights (e.g. for debt collection)
   LEGAL BASIS OF PROCESSING: Performance of a contract to which you are a party.
   PERIOD OF DATA RETENTION: Duration prescribed by law (10 years for administrative-accounting activities).
   
   
8. Direct marketing (by both Data Controllers)
   by way of example, sending - by automated means of contact (such as sms, mms, e-mail, social networks, instant messaging apps, push notifications) and traditional means (such as telephone calls with operator, mail) - promotional and commercial communications related to services/products offered by the Company or reporting of company events, as well as surveying customer satisfaction, conducting market surveys and statistical analysis LEGAL BASIS OF THE PROCESSING: Consent of the Data Subject (optional and revocable at any time).
   PERIOD OF DATA RETENTION: Identification and contact data will be processed for this purpose until the user revokes consent. Purchase data will be processed for this purpose for 24 months.
   LEGAL BASIS OF PROCESSING: Legitimate interest (judicial protection).
   PERIOD OF DATA RETENTION: In the case of litigation, for the duration of the litigation, until the time limits for appeal actions are exhausted.
   
   
9. Communication/data transfer your personal identifying and contact data will be communicated to our parent company Odissea S.r.l., as well as to its subsidiaries and affiliates, even indirectly, belonging to the retail sector (both physical and digital), the food sector, the real estate sector, and the sports sector (such as Womo S.r.l., Bullfrog S.r.l., D-retail S.r.l., L'Innominato S.p.a., Odissea S.r.l., Percassi Management S.r.l, etc.), to our franchisors, licensors, and/or to third parties indicated by the latter, to allow these companies to carry out marketing activities (by way of example, sending - by automated contact methods such as sms, mms, e-mail, social networks, instant messaging apps and traditional ones such as telephone calls with operator and mail - promotional and commercial communications relating to services/products offered by the companies or reporting of company events, as well as carrying out market studies and statistical analyses) concerning their products.
   LEGAL BASIS OF PROCESSING: Consent of the Data Subject (optional and revocable at any time).
   PERIOD OF DATA RETENTION: Identification and contact data will be processed for this purpose until the user revokes consent. Purchase data will be processed for this purpose for 24 months.
   
10. Profiling:: analysis of your preferences, habits, behaviors, interests, also through the installation of cookies (e.g., analysis of navigation, monitoring of selected products and virtual shopping cart... see Cookie Policy which can be accessed from the link in the sidebar at the bottom of the page), in order to send you personalized commercial communications/targeted promotional actions/offers and services adapted to your needs/preferences.
    LEGAL BASIS OF PROCESSING: Consent of the Data Subject (optional and revocable at any time).
    PERIOD OF DATA RETENTION: Identification and contact data will be processed for this purpose until the user revokes consent. Purchase data will be processed for this purpose for 12 months.
    

Once the retention periods indicated above for each of the aforementioned purposes have elapsed, the Data will be destroyed, deleted or anonymized, compatibly with the technical procedures for deletion and backup and with the accountability requirements of the Controller.
It should be noted that the Controllers, in order to pursue the purposes referred to in points 8, 9, and 10, will create an account referring to You internally to their centralized management system (CRM). Should you wish to request the deletion of such account from the CRM, you may exercise your right of deletion in the manner provided in the "Rights of the Data Subject" section of this policy.
In addition, following your possible withdrawal of consent in relation to the purposes that require it, the Company will continue to process your Data for the sole purpose of being able to have evidence that such activities should no longer be carried out with respect to you.

OBLIGATORY NATURE OF PROVIDING DATA
Personal and contact data are mandatory in order to enter into contractual relationships, such as to enable the registration of your personal account or to ensure the provision of the requested services. The navigation data are necessary to give course to the computer and telematic protocols; therefore, their non-conferment would not allow the functioning of this website.
The provision of data for the purposes of direct marketing, profiling, and communication of data to third parties is entirely optional: these processing activities will be carried out only against your express and unequivocal consent, without prejudice to your right to revoke the consent given at any time. It should be noted that the revocation of consent does not affect the lawfulness of the processing based on the consent before the revocation.

RECIPIENTS OF THE DATA
The data may be processed by external parties operating as autonomous data controllers such as, but not limited to, authorities and supervisory and control bodies, parties offering electronic payment services on their circuits, social networks present or referred to on the website you are visiting, as well as parties offering services necessary for the operation of the website.
Data may also be processed on behalf of the Company by external parties designated as data processors, to whom appropriate operational instructions are given. These parties are essentially included in the following categories:

• companies that offer e-mailing services;
• companies that offer services instrumental to the pursuit of the purposes indicated in this information sheet (media agency, IT suppliers, shippers...);
• companies that offer support in carrying out market studies;
• individuals, professional firms or companies that offer professional services in accounting, tax, legal, banks and service providers in payment matters, anti-fraud services, etc.

SUBJECTS AUTHORIZED TO PROCESS
The data may be processed by employees of the company functions assigned to the pursuit of the above purposes, who have been expressly authorized to process the data and have received appropriate operational instructions.

TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION
Your personal data may be transferred outside the European Union to the parties indicated in the paragraph "Recipients of the Data" if required for the purposes indicated in this policy. The Company guarantees that your personal data will be processed by such Recipients in accordance with applicable data protection legislation. Such transfers may be based on the adequacy decision or Standard Contractual Clauses approved by the European Commission. For further information, you may contact privacy.hexagon@percassi.com

RIGHTS OF THE DATA SUBJECT - COMPLAINT TO THE SUPERVISORY AUTHORITY
By contacting the Privacy Office, by mail at Hexagon S.p.A., via Giorgio e Guido Paglia n. 1/D 24122 Bergamo, to the kind attention of the Privacy Officer c/o the Legal Department, or by e-mail at privacy.hexagon@percassi.com , data subjects may request from the data controller access to the data concerning them, their deletion, update, the rectification of inaccurate data, the integration of incomplete data, the restriction of processing, as well as the opposition to processing, and exercise any other right as referred and according to the GDPR.
In case of your exercising the right to erasure, the Data Controller may arrange to adopt the procedures best aimed at ascertaining your identity.
Data subjects also have the right, where the processing is based on consent or contract and is carried out by automated means, to receive in a structured, commonly used and machine-readable format the data, as well as, if technically feasible, to transmit them to another data controller without hindrance.
Data subjects have the right to withdraw the consent given at any time for marketing and/or profiling purposes, as well as to object to the processing of data for such purposes, in its entirety or limited to automated methods.
Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State where they usually reside or work or the State where the alleged breach occurred.

MODIFICATION OF THIS POLICY
The Company reserves the right to amend this Privacy Policy, in whole or in part, or simply to update its contents, for example when there are changes in the applicable law. The Company, therefore, encourages you to regularly consult this Privacy Policy to learn about the most recent and up-to-date version of it.