Privacy policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

 

  1. PREMISES
    1. This information refers to the processing of data that will be carried out on the www.nomoutdoor.it
    2. This policy will try to explain who and how processes the data of the data subject (also known as User), what his data is, and what his rights are and how he can exercise them. For particular clarifications, if the User does not understand or does not consider sufficient what is included in the policy, please write to the following address: hello@nomoutdoor.it

 

  1. SOME IMPORTANT NOTIONS ABOUT PERSONAL DATA

What is meant by personal data? Personal data is any information that relates to an identifiable natural person. The email address is personal data. The text of a message, if it reveals information relating to a person, is personal data. The nickname is personal data, but also the list of purchases or wishlist is personal data also because it reveals, or could reveal, the tastes of the customer, etc.

 

What does it mean to process data? The legal definition of processing includes any operation or set of operations concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, cancellation and destruction of data. Practically all that can be done with user data is processing. Therefore, collecting or reading data, for example, i.e. consulting them, is a treatment.

 

  1. WHO PROCESSES THE DATA

Data Controller

Mapao Srl

Tax Code/VAT 04561650989

Via Sandro Pertini 18, Rovato 25038,

E-mail: hello@nomoutdoor.it

 

Then, with regard to any ancillary functions, Mapao Srl may make use of internal subjects authorised to process data (also known as persons in charge) or external parties mostly as data processors, as independent data controllers or joint data controllers, as the case may be.

 

  1. To whom the data is communicated (or to whom access is given to it)

The data are communicated to subjects within the Data Controller (employees) who collaborate in the executive and administrative management of the service. They can be further communicated in compliance with reporting obligations in the event of a request by a public authority (e.g. request by the Court, tax assessments, record-keeping assessments, etc.).

In addition, the data are communicated:

  • to the newsletter service provider;
  • to the CSM provider of the creation of the shop;
  • to third-party managers of the cookies installed through the site (see the relevant information);
  • to social networks in case of installation of widgets or "like/share, etc." function inserted in the website;
  • to payment service providers (in this case the data is not communicated, but the user is conveyed directly to the payment processing platforms, which are the responsibility of third-party services);
  • to couriers for the delivery or collection of goods;
  • to collaborators for customer care;

It is important to know that Mapao can only manage and dominate the data stored and processed within its system: data transferred or communicated to third parties will be, in the manner and to the extent that they are processed independently by the third parties to whom they are communicated according to their own privacy policies. In any case, where Mapao Srl ceases to process a user's personal data, it will also notify the subjects to whom such data have been communicated of the termination, but cannot guarantee the cessation of processing by them.

 

  1. WHERE IT TREATS THEM

Mapao processes the personal data of Users at the Google Cloud Platform servers of the platform provider in the EU and at the headquarters of the Data Controller.

 

  1. WHAT DATA IS PROCESSED

Based on the significant quality of the data, the following can be identified:

  • Contact details: email and telephone;
  • Identification Data: name, surname, date of birth, address, tax code, residence or address;
  • ID data: nickname;
  • Content data: the content of the communication sent by the User through the appropriate form.
  • Purchase: indicate the individual purchases, therefore product, cost, date, etc.
  • Statistical data: This is data that indicates user trends. The statistical data are produced and obtained by the Data Controller through analysis of the other categories of data, and express generalized outputs that cannot be traced back to the individual User;
  • Purchase history;
  • After-sales history and customer care.

 

 

  1. FOR WHAT PURPOSES THEY ARE PROCESSED, AND INDICATION OF THE LEGAL BASIS AND STORAGE PERIOD.

Mapao Srl processes user data for the following purposes:

  1. Response to requests sent by the user (information, exercise of rights, etc.): consists of responding to contacts made by the customer/user (by e-mail or other form of contact).

Legal basis: performance of the service requested by the user in the communication (such as, for example, the exercise of a right); Duration: ten years (obligation to keep business correspondence). Data processed: contact, identification and other data depending on the content of the request (for example, the information contained in the text of the request may refer to persons, and as such is personal data).

Mandatory nature of the provision: the provision of data is necessary in order to be able to process the request made by the User.

  1. Social sharing Link to the social page: The site hosts functions (widgets, buttons or similar) that allow the user to connect to the social page of Mapao srl. It is the user's right to connect to the page, but the mere sharing (or – if the user is registered on social networks – only browsing) involves the transmission of data to the social network, and in particular navigation on the Mapao srl website, as well as in some cases the device and IP address from which the registration or sharing is made (for more info on Meta:  https://www.facebook.com/help/2207256696182627?ref=off_facebook_activity). These data are then managed by social networks according to their own logic and policies as Data Controller.

Data processed: event (including browsing), social account, IP or connection device with which social registration or sharing is made, Legal basis: legitimate interest of the Data Controller in the promotion of the social page. The legitimate interest is considered to prevail over the interests and rights of users for the following reasons:

  • The browsing event on the site is shared with social platforms to which the user is already subscribed;
  • The user can deny the collection of data either by intervening in the social network settings or by denying consent to profiling and analysis cookies;

Duration: instantaneous as far as Mapao Srl is concerned The duration of the processing carried out by the social network depends on the relevant policies on the processing of personal data.

  1. Sending newsletters for information or marketing purposes of Mapao Srl and/or third parties: The user's e-mail address is used to send periodic emails with operational and promotional content (both from Mapao and from partner or third-party companies: in any case, the marketing content of third-party companies will also be conveyed by e-mail sent by Mapao Srl).

Data used: contact, preference or personal qualities if the e-mails are intended for a selected audience (this means if the content of the e-mail changes according to the categories of recipients, e.g. according to age).

Legal basis: A) consent expressed during the registration phase or by entering the e-mail address in the space provided. ATTENTION: consent can always be revoked by activating the appropriate function (usually at the bottom of the email received, such as Unsubscribe, Cancel me or similar) or by writing to the owner. From the revocation of consent, the data (e-mail) will no longer be used to send communications, but will be stored in order to be able to provide proof of the expression of consent and subsequent revocation.

B) Legitimate interest of the Data Controller (so-called "Legitimate Interest"). Soft spam) only for Users who have purchased goods or services on the Online Shop by providing their e-mail address for this purpose and only for the promotion of goods or services similar to the one purchased and only of the Data Controller.Duration: until cancellation from the newsletter service using the appropriate function.  Frequency: no more than one email every seven days.

Provider or tool: Brevo.

Mandatory nature of the provision: the provision of data is not mandatory and is subject to consent.

  1. Activation and management of your account.

Legal basis: execution of the User's activation request and account management (execution of the contract);

Data processed: Contact data, identifiers, nickname ID, content, navigation, purchase, preference, statistics, purchase history.

  1. Duration: until the account is deleted, without prejudice to storage for a period of three months from the cancellation of the account in order to allow it to be reactivated without loss of data where requested by the user (as well as – in the event of the commission of crimes – to allow the exercise of the complaint). The data relating to the commercial transaction and – after pseudonymization – the other data for statistical purposes (see below) are also stored. Mandatory: not providing data prevents the activation of the account. However, not all data is required for account activation. Where the data are necessary, this emerges from specific indications (with asterisks that recall the field as mandatory) or from operational blocks of the service (which does not allow to proceed in this case if the mandatory data is not entered). In any case, it is possible to use the service without activating an Account (Guest);
  2. Distance selling of Products (see Distance Selling Conditions): The site allows you to purchase goods at a distance. The data are processed by Mapao to remotely complete the sale of the Item (i.e. process the request, payment, shipping, after-sales service);

Legal basis: Contract performance;

Data processed: identifiers (name, surname, and date of birth, address), contact (e-mail and telephone), purchase history, complaints. Billing information if invoice required. Duration: ten years from the conclusion of the purchase (unless the account lasts longer); Mandatory nature of the provision: not providing the data does not allow the purchase of the goods;

  1. Execution of distance sales for non-registered Users (Guests): the site allows the distance sale of Goods even for non-registered users by redirecting them to the payment provider (Stripe, etc.). In this case, the data necessary to receive the order, payment, ship the Item, and manage the after-sales service will still be processed. Legal basis: Contract performance;

Data processed: name, surname, address, telephone, payment;

Duration: ten years from the conclusion of the purchase;

Mandatory nature of the provision: not providing the data does not allow the purchase of the goods.

  1. Creation of a database of members: Mapao creates a database of Users. This database is used both as a backup log and as a database for performing statistical processing activities (see below).

Legal basis: legitimate interest of the Data Controller in the storage and effective processing of data (considered to prevail over contrary interests as these are data already in the possession, albeit in no particular order, of the Data Controller);

Duration: until deletion is requested (see clause relating to the exercise of rights) by sending an e-mail to the Data Controller;

Data processed: Data processed: Contact data, Identifiers, ID nickname, content, navigation, purchase, preference, purchase history;

Mandatory: the provision of data in the DB is not mandatory. The user can object to this.

Please note:

  1. In cases where the Legal Basis is consent, it can always be revoked. The withdrawal of consent entails the cessation, from that moment, of the processing of data for the purpose for which consent was given. In some cases, however, the data may be kept to demonstrate the consent and subsequent revocation of the same (which in the event of total cancellation would not be possible).
  2. In cases where the legal basis is Legitimate Interest, the User, if provided for in the individual item, will have the right to object to such processing by writing to the Data Controller.

 

  1. HOW DATA IS PROVIDED

The data are provided directly by the User by filling in the appropriate forms, flagging items (for example for aesthetic data), writing comments, etc. Some data is collected from the use of the Service. Finally, other data, such as profiling and statistical data, are obtained by the Data Controller through the processing of other data provided by the User or collected during his browsing experience or use of the service.

 

  1. HOW THE SERVICE WILL COMMUNICATE WITH YOU

Mapao will communicate with you in the following ways:

  • You may send emails, make phone calls, send messages or other communications: these will be operational communications for the execution of the service or in any case a response to the communication sent by the User. These communications are essential for the regular management of the relationship with the User.
  • You may send newsletters (see point 6.3).

 

  1. WHAT ARE THE RIGHTS OF USERS

Users are beneficiaries of a series of rights. Rights to information about:

  • Categories of data are processed (see points no. 2 and 5);
  • Origin of the data, i.e. knowing where the service has taken its data from (see point no. 7);
  • Purpose of data processing, i.e. for what purposes the data is processed (see section 6);
  • Details of the data controller and any data processors (see point no. 3);
  • Subjects to whom the data are communicated (see point no. 3/a);
  • Data storage and processing time (see point no. 6);
  • Right to lodge a complaint with the Authority responsible for the protection of personal data;
  • Existence or not of a profiling process;
  • Legal basis of the processing (see point no. 6);

 

Then there are rights that are not simple information but operational. They are of various kinds. In summary:

  • The interested party has the right to have a copy of the data he has provided. If the data have been processed by automated means and on the basis of your consent or a contract, you may request – if technically possible – that the data be transmitted to the data subject or even to a possible new controller (portability), provided that this does not adversely affect the rights (and data) of other persons. In this case, this right cannot therefore be exercised in relation to communications that contain data of third parties, trade secrets or protected content. In this case, you can also request the deletion of the data (unless the law requires the Data Controller to retain it, as in the case of commercial communications).
  • If the personal data are inaccurate or incomplete, the data subject may request that they be rectified or completed, providing information to this effect. If the Data Controller has to verify the accuracy of the data disputed by the data subject, the data subject may in the meantime obtain the limitation of the disputed data (limitation means that the data are only stored and no other processing is carried out except with the specific consent of the data subject or if they are used to exercise or defend a right in court).
  • If the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, the data subject may request its deletion. However, if the data is used by the data subject to exercise his or her right in court, he or she can request its limitation (i.e. storage only).
  • If the processing is unlawful because the data are processed in the absence of consent, legitimate interest on the part of the Data Controller, the contract for the execution of which the processing itself is necessary, the legal obligation to process the data on the part of the Data Controller, the data subject may request its cancellation or limitation.
  • In the event of profiling, the User has the right, by means of a communication to be sent to the Data Controller by email, to request the revision of the output by a person.

 

  1. HOW CAN YOU EXERCISE THEM

Procedure for exercising rights: The User's rights can be exercised by sending an email to hello@nomoutdoor.it. The Owner must respond within thirty days (which can be extended by another two months, but the Owner in this case must give reasoned notice of the delay to the user). The Data Controller may refuse, if it has a reason, to comply with the user's request (refusal that must be communicated to the user within one month) only in the case of manifestly unfounded or repetitive requests. In this case, he must give a reasoned answer. In any case, the user can contact the Authority responsible for the protection of personal data or the Judge.

The Data Controller must respond using the same channel (email, telephone, etc.) used by the user for the request, unless the user requests a response by a different route. In the event of a request coming from an email address other than the one indicated in the account, the applicant must prove that he or she is the data subject.

The Data Controller, if it has doubts about the identity of the person making the request or exercises one of the rights listed below, may request additional information to confirm the identity of the requester. In the event of a request coming from an email address other than the one indicated in the account, the applicant must prove that he or she is the data subject.

Requests and responses are free of charge, unless they are repetitive. In the latter case, the Data Controller may charge the out-of-pocket costs incurred for the response (i.e. personnel costs, material costs, etc.).

In any case, the interested party may contact the Authority responsible for the protection of personal data or the competent Judicial Authority for the exercise of their rights.

 

  1. WHAT ARE THE DUTIES AND OBLIGATIONS OF USERS

The User is obliged to communicate truthful data. It is the User's responsibility to notify the Data Controller of any changes to the personal data previously communicated. Finally, it is the user's responsibility, where the functionalities allow it, not to enter excessive data. For example, if the form requires you to enter non-mandatory data (usually marked with an asterisk), it is recommended to enter them only if you consider it necessary. Similarly, if you write a message through the service, it is recommended that you avoid explicit references to identifiable people unless necessary.

 

  1. HYPOTHESIS OF DATA BREACH

In the event that one or more of the following events should occur with respect to the Users' data: unauthorized access, theft, loss, destruction, disclosure, modification (so-called "Unauthorized Access, Theft, Loss, Destruction, Disclosure, Modification"). Data breach) Mapao Srl, without prejudice to the urgent technical measures to be implemented to block (as far as possible) the event and to reduce its harmful effects, undertakes to:

  • restore the service as soon as possible in an efficient way, recovering the data available from the last useful backup made;
  • inform Users, directly if circumstances allow it or generically (by means of a notice on the home page of the website or by communication sent to all users, including those for whom there may have been no events on the data) of the type of event, the time in which it occurred, the measures taken (without going into detail in order not to facilitate any new attacks) to reduce the damage and to avoid new similar events,  as well as the measures and precautions that the user should - for his part - put in place to reduce the probability of new events and limit the consequences of those that have already occurred.