Last updated: 16 July 2026 – Version 6.0
This privacy notice has been prepared pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation”, the “Regulation” or the “GDPR”).
Through this notice, Iginio Massari S.r.l. intends to inform each user (the “User” or the “Data Subject”) about the processing of personal data collected through the website www.iginiomassari.it (the “Website”), including data collected through the e-Shop intended for companies and retailers (the “B2B e-Shop”).
The B2B e-Shop and the related registration forms are currently available in Italian only and are intended exclusively for businesses operating in Italy. Accordingly, the sections of this Privacy Notice concerning the B2B e-Shop apply only to users who access or use that service on behalf of such businesses.
The Data Controller, pursuant to Article 4(7) GDPR, is:
Iginio Massari S.r.l.
Registered office: Via Orzinuovi 117, 25125 Brescia
Contact email: privacy@iginiomassari.it
The Controller processes Users’ personal data for the purposes described below.
Personal data will be processed to enable registration or authentication on the Website, creation of a personal account and access to the services offered by the Controller.
✓ personal details, such as first name and surname;
✓ contact details, such as email address;
✓ credentials and account-related information.
Performance of pre-contractual measures taken at the Data Subject’s request and performance of the contract, pursuant to Article 6(1)(b) GDPR.
Until the account is deleted, without prejudice to any additional retention periods required by law or necessary for the establishment, exercise or defence of the Controller’s rights.
Personal data will be processed to receive, verify and manage the registration request for the B2B e-Shop, ascertain whether the requirements for access as a company or retailer are met, contact the designated representative and, if the request is accepted, create and manage the account and the resulting B2B business relationship.
In particular, the Controller may verify the information provided by the company and request any additional documentation necessary to assess the access request.
✓ identification and professional details of the representative, such as first name, surname and company role;
✓ contact details, such as business email address, telephone number and certified email address (PEC);
✓ identification, tax and invoicing details of the company, such as company name, registered office, billing address, VAT number or tax code and SDI recipient code;
✓ any information contained in the company documentation submitted;
✓ information relating to the registration request, verification of requirements and management of the B2B account.
Performance of pre-contractual measures taken at the Data Subject’s request and performance of the contract, pursuant to Article 6(1)(b) GDPR, where the Data Subject is also the contracting party.
The Controller’s legitimate interest, pursuant to Article 6(1)(f) GDPR, in verifying the request and managing the business relationship with the represented company, where the personal data relate to an employee, collaborator, director or representative of the company.
If the request is accepted, the data will be retained for the entire duration of the account and the business relationship, without prejudice to any additional retention periods required by law or necessary for the establishment, exercise or defence of the Controller’s rights.
If the request is rejected, withdrawn or not completed, the data will be retained for a maximum period of 12 months from closure of the request, unless further retention is necessary to handle disputes, prevent abuse or protect the Controller’s rights.
Personal data will be processed to receive, manage and fulfil orders, make deliveries, manage or verify payments through the payment service providers used by the Controller, issue invoices and other administrative documents, and provide assistance related to purchases.
✓ personal details;
✓ contact details, such as email address and telephone number;
✓ shipping address;
✓ company and company representative details;
✓ registered office and billing address;
✓ VAT number or tax code;
✓ certified email address (PEC) and SDI recipient code;
✓ data relating to orders, payments, deliveries, returns, refunds and invoices;
✓ information necessary for the administrative and accounting management of the relationship.
The Controller does not necessarily acquire all data relating to the payment instruments used by the User. Such data may be processed directly by payment service providers in accordance with their respective privacy notices.
Performance of a contract or pre-contractual measures taken at the Data Subject’s request, pursuant to Article 6(1)(b) GDPR.
With regard to the personal data of employees, collaborators, directors or representatives of legal entities, the processing is also based on the Controller’s legitimate interest in properly managing the business relationship with the represented company, pursuant to Article 6(1)(f) GDPR.
For the duration of the contractual relationship and for the time necessary to manage the order, delivery, payment and any related requests.
Data contained in administrative, accounting and tax documents will be retained for the period required by applicable law, normally for ten years from the relevant entry, without prejudice to any additional periods required by law or necessary in the event of audits, claims or disputes.
Personal data will be processed to manage and respond to requests for information, technical assistance and support, as well as to assist the User before, during and after the provision of products or services.
✓ personal details;
✓ contact details, such as email address and telephone number;
✓ account-related information;
✓ purchase and order history;
✓ content of the request and related communications;
✓ any documents or information submitted by the User.
Performance of pre-contractual or contractual measures, pursuant to Article 6(1)(b) GDPR.
Where the request is not directly connected with a contractual relationship, the processing may be based on the Controller’s legitimate interest in providing Users with information and assistance, pursuant to Article 6(1)(f) GDPR.
For the period necessary to manage and respond to the request and, subsequently, for the time necessary to handle any related disputes or requests.
Subject to the Data Subject’s consent, personal data will be processed to periodically send the Controller’s newsletter, containing updates, information, news, editorial content and communications relating to Iginio Massari’s activities.
✓ first name and surname, where provided;
✓ email address;
✓ information relating to subscription, changes to preferences and unsubscription.
The Data Subject’s consent, pursuant to Article 6(1)(a) GDPR.
Until consent is withdrawn or the Data Subject unsubscribes and, in any event, for no longer than 24 months from the Data Subject’s last relevant interaction with the Controller, except for the period necessary to retain evidence of consent and any subsequent withdrawal.
Subject to the Data Subject’s consent, personal data will be processed to send promotional and advertising communications by email concerning the Controller’s products, services, initiatives, news and events.
Any use of additional communication channels, such as SMS, telephone calls, postal mail or push notifications, will take place only where those channels are expressly specified in the consent request or on the basis of a separate applicable legal ground.
Consent is optional and may be withdrawn at any time, without affecting the lawfulness of processing carried out before its withdrawal and without any consequences for registration on the Website or the B2B e-Shop, creation of the account or the ability to make purchases.
The use of the Meta Pixel, Conversions API and other advertising cookies or tracking tools does not depend on the direct marketing consent collected through the Website or B2B e-Shop forms.
Such processing is governed separately and depends on the preferences expressed by the User through the cookie and other tracking-tool management system available on the Website.
✓ first name and surname;
✓ email address;
✓ information relating to the consent given and any changes to or withdrawal of that consent.
Where the communication service uses technologies to detect opens or interactions, any data relating to the viewing of emails will be processed only in compliance with applicable law and on the basis of the required legal ground.
The Data Subject’s consent, pursuant to Article 6(1)(a) GDPR.
Until consent is withdrawn and, in any event, for no longer than 24 months from the Data Subject’s last relevant interaction with the Controller, except for the period necessary to retain evidence of consent and any subsequent withdrawal.
Where the Controller obtains the Data Subject’s email address in connection with the sale of one of its products or services, it may use that address to send communications concerning its own products or services similar to those purchased, within the limits and subject to the conditions set out in Article 130(4) of Italian Legislative Decree No. 196/2003.
The Data Subject may object to such use free of charge when the data are collected and subsequently at any time, including by using the unsubscribe link included in each communication or by writing to privacy@iginiomassari.it.
✓ first name and surname;
✓ email address;
✓ information relating to products or services previously purchased, limited to what is necessary to verify their similarity.
Article 130(4) of Italian Legislative Decree No. 196/2003.
Until the Data Subject objects and, in any event, for a maximum period of 24 months from the most recent purchase, unless a different period is necessary or applicable due to the nature of the business relationship.
Purchase-related data will continue to be retained for any additional periods required for contractual, administrative, accounting and tax purposes, but will no longer be used to send soft-spam communications after the period indicated above.
Subject to the Data Subject’s consent, the Controller may process data provided by the User and data acquired while the User uses the services and the e-Shop in order to conduct automated or manual analyses of the User’s habits, preferences and interests.
Profiling is used to personalise content, services, communications and commercial offers, making them more consistent with the Data Subject’s preferences and purchasing habits.
Data relating to products viewed and interactions with the Website will be used only where collected in compliance with the law applicable to cookies and other tracking tools.
✓ personal details;
✓ contact details;
✓ order and purchase history;
✓ products viewed;
✓ stated preferences;
✓ interactions with the Website and the e-Shop, where collected in compliance with applicable law;
✓ information inferred from the analysis of purchasing habits and preferences;
✓ information relating to interactions with commercial communications and content, where lawfully collected.
The Data Subject’s consent, pursuant to Article 6(1)(a) GDPR.
Until consent is withdrawn and, in any event, for no longer than 12 months from collection of the data or the Data Subject’s last relevant interaction, unless the data must be retained for other purposes based on a different legal ground.
Profiling does not involve decisions based solely on automated processing that produce legal effects concerning the Data Subject or similarly significantly affect them.
In particular, profiling does not automatically determine the acceptance or rejection of a B2B registration request, the application of individual contractual terms, the granting of credit or exclusion from access to services.
Personal data will be processed where the Data Subject applies for an open position or submits an unsolicited curriculum vitae.
✓ personal details;
✓ contact details, such as email address and telephone number;
✓ educational background;
✓ professional experience;
✓ skills and qualifications;
✓ information contained in the curriculum vitae and the documentation submitted.
The Data Subject is requested not to include irrelevant data or information belonging to special categories of personal data in their curriculum vitae, unless strictly necessary for the purposes of the application.
Performance of pre-contractual measures taken at the Data Subject’s request, pursuant to Article 6(1)(b) GDPR.
For a maximum period of 24 months from receipt of the application, unless an employment or collaboration relationship is established or the Data Subject requests earlier deletion of the data.
Personal data will be processed to comply with obligations arising from laws, regulations, national legislation or European Union law, including administrative, tax, accounting and invoicing obligations.
The data may also be processed to handle and respond to requests from administrative, tax, judicial or public-security authorities, or from other authorised public bodies.
✓ personal details;
✓ contact details;
✓ company identification and tax details;
✓ registered office and billing address;
✓ VAT number or tax code;
✓ certified email address (PEC) and SDI recipient code;
✓ data relating to orders, payments, deliveries and invoices;
✓ administrative, accounting and tax documentation;
✓ any additional data requested by the competent authorities.
Compliance with a legal obligation to which the Controller is subject, pursuant to Article 6(1)(c) GDPR.
For the periods prescribed by applicable civil, tax, administrative and accounting legislation, normally for ten years from the date the document is recorded, without prejudice to any additional periods required by law, by the competent authorities or due to ongoing proceedings, inspections or disputes.
The Controller may process Users’ data to enable navigation, consultation and proper operation of the Website, prevent abuse or fraudulent activity, protect system security and improve the user experience.
The use of cookies and tracking tools that are not strictly necessary is governed by the Cookie Policy and by the preferences expressed by the User through the relevant consent management system.
✓ IP address and technical connection data;
✓ device and browser data;
✓ system and security logs;
✓ data relating to use of and interaction with the Website;
✓ information relating to technical errors, anomalies and unauthorised access attempts.
The Controller’s legitimate interest, pursuant to Article 6(1)(f) GDPR, in ensuring the operation, security, protection and improvement of the Website and services.
Where required by applicable law, processing based on cookies or other tracking tools will take place subject to the User’s consent.
For the period strictly necessary to pursue the purposes indicated.
Data may be aggregated or anonymised for statistical purposes and to improve the Website. Data that have been effectively anonymised are no longer considered personal data.
The Controller may process personal data to handle complaints and disputes, prevent and identify unlawful conduct, and exercise or protect its rights and interests in out-of-court, administrative or judicial proceedings.
✓ personal details;
✓ contact details;
✓ data relating to the account, orders and payments;
✓ content of communications and complaints;
✓ documentation and information relevant to the dispute or claim.
The Controller’s legitimate interest, pursuant to Article 6(1)(f) GDPR, in establishing, exercising or defending a right or interest of the Controller.
For the period necessary to handle the complaint or dispute and, subsequently, for the time required to establish, exercise or defend the right, in compliance with the applicable limitation periods.
The provision of data necessary to create and manage the account, manage the B2B e-Shop registration request, fulfil orders, issue invoices, deliver products, manage payments and comply with legal obligations is mandatory.
In the “Companies” and “Retailers” forms, data marked with an asterisk are required to verify and manage the registration request, assess whether the applicable requirements are met, create the B2B account and subsequently manage purchases, invoicing and related obligations.
Failure to provide such data will prevent the Controller from processing the registration request or providing the requested products and services.
The provision of data and consent for newsletter, marketing and profiling purposes is optional.
Failure to give consent does not prevent:
· submission of the registration request;
· assessment of the request;
· creation of the account;
· access to the B2B e-Shop;
· making purchases;
· performance of the contractual relationship.
Consent requests for newsletter, marketing and profiling purposes are presented separately.
The relevant boxes are not pre-selected, are not mandatory for submitting the form and allow the Data Subject to make a free, specific and separate choice for each purpose.
The Controller retains the documentation necessary to demonstrate the consent given, including, where applicable, the date, the content of the consent request and the version of the form or notice presented to the Data Subject.
Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before its withdrawal.
Activities based on legitimate interest do not require the Data Subject’s consent. Where necessary, the Controller has carried out or will carry out a balancing test between its interests and the fundamental rights and freedoms of Data Subjects.
The use of certain Website services may involve the disclosure to the Controller of personal data relating to third parties, such as data concerning employees, collaborators, directors, company representatives or shipment recipients.
The User who discloses such data warrants:
· that they are authorised to disclose them;
· that the processing is based on an appropriate legal basis;
· that they have provided the data subjects with the information required by applicable law, where necessary;
· that the data disclosed are relevant, accurate and limited to what is necessary.
The User assumes responsibility for any disclosure of third-party personal data made in breach of applicable law.
Personal data are processed using paper-based, IT and electronic tools, by manual and automated means, in accordance with the principles of lawfulness, fairness, transparency, data minimisation, accuracy and storage limitation.
The Controller implements technical and organisational measures appropriate to the risk, designed to protect personal data against:
· unauthorised access;
· unlawful disclosure;
· alteration;
· destruction;
· accidental loss;
· unlawful or improper use;
· system unavailability;
· processing inconsistent with the stated purposes.
Access to personal data is permitted only to persons who need it to perform their activities and within the limits of the authorisations granted.
Personal data may be processed by the Controller’s personnel specifically authorised pursuant to Article 29 GDPR and Article 2-quaterdecies of Italian Legislative Decree No. 196/2003.
With regard to data collected through the “Companies” and “Retailers” forms and through the B2B e-Shop, the data may be processed, within the scope of their respective responsibilities, by personnel in the following departments:
· sales;
· administration;
· accounting;
· tax;
· logistics;
· customer care and support;
· IT and technical;
· legal.
Personal data may also be disclosed or made accessible to the following categories of recipients:
1. providers of hosting, IT infrastructure and cloud services;
2. providers of e-commerce and B2B platforms, including Shopify Inc. and companies belonging to its group;
3. providers of CRM systems, customer management, communication automation and marketing services, including Klaviyo Inc.;
4. providers of support, customer care and ticketing services, including Zendesk Inc.;
5. providers of management systems, ERP solutions and tools for managing orders and business processes, including Odoo and any related suppliers or technical partners;
6. providers of systems for managing forms, databases and B2B request approval workflows;
7. providers of electronic invoicing, accounting, document-retention, certified email (PEC) and Interchange System transmission services;
8. payment service providers, banks and financial intermediaries;
9. freight forwarders, carriers, couriers and logistics operators;
10. legal, tax, accounting, administrative and IT advisers;
11. providers of security, fraud-prevention and system-protection services;
12. Meta Platforms Ireland Limited and other advertising platforms, within the limits of the preferences expressed by the User through the cookie and tracking-tool management system;
13. public authorities, judicial authorities, tax authorities, law-enforcement bodies and other parties to whom disclosure is required by law or necessary to comply with lawful requests.
Depending on the circumstances, such parties may act as:
· processors appointed pursuant to Article 28 GDPR;
· independent data controllers;
· persons authorised to process personal data.
Where a provider acts as a processor, the Controller enters into a specific agreement pursuant to Article 28 GDPR.
An up-to-date list of processors may be requested by writing to privacy@iginiomassari.it.
Personal data are processed at the Controller’s premises and through the systems and providers used to deliver the services.
Some providers may be established outside the European Economic Area or may process personal data outside that area.
In such cases, transfers will be carried out in compliance with Articles 44 et seq. GDPR and on the basis of one of the mechanisms provided for by applicable law, including:
· an adequacy decision adopted by the European Commission;
· standard contractual clauses approved by the European Commission;
· binding corporate rules, where applicable;
· specific derogations provided for by the GDPR;
· any additional safeguards or supplementary measures necessary to ensure an adequate level of protection.
Before making a transfer, the Controller assesses, where required, the level of protection guaranteed in the destination country and the technical, organisational and contractual measures applied by the provider.
Further information on the countries concerned, the providers used, the safeguards applied and how to obtain a copy of them may be requested from the Controller by writing to privacy@iginiomassari.it.
The Data Subject may exercise at any time the rights provided for in Articles 15–22 GDPR, within the limits and subject to the conditions established by applicable law.
In particular, the Data Subject may exercise the following rights:
Obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, obtain access to the data and the information provided for by the GDPR.
Obtain the rectification of inaccurate personal data and the completion of incomplete data.
Obtain the erasure of personal data in the cases provided for by law.
Obtain restriction of processing in the cases provided for by the GDPR.
Receive the personal data provided to the Controller in a structured, commonly used and machine-readable format and transmit those data to another controller, where the processing is based on consent or a contract and is carried out by automated means.
Object at any time, on grounds relating to their particular situation, to processing based on legitimate interest.
Where personal data are processed for direct marketing purposes, including profiling related to such marketing, the Data Subject may object at any time without having to provide reasons.
Withdraw previously given consent at any time.
Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.
Not be subject, in the cases provided for by law, to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them.
The Data Subject may change or withdraw preferences relating to cookies and advertising tracking tools through the consent management system available on the Website.
The Data Subject may also manage preferences relating to activities carried out by Meta through the tools made available in their Facebook or Instagram account.
Rights may be exercised free of charge by writing to the Controller at:
privacy@iginiomassari.it
The request must contain the information necessary to identify the Data Subject and understand which right they intend to exercise.
The Controller responds to requests without undue delay and, as a rule, within one month of receipt.
That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. In that event, the Controller informs the Data Subject of the extension and the reasons for it within one month of receiving the request.
Where there are reasonable doubts concerning the identity of the person making the request, the Controller may request the additional information necessary to confirm their identity.
In the case of manifestly unfounded or excessive requests, in particular because of their repetitive nature, the Controller may charge a reasonable fee or refuse to act on the request, within the limits permitted by Article 12 GDPR.
Where the Data Subject considers that the processing of their personal data infringes applicable law, they have the right to lodge a complaint with the competent Supervisory Authority pursuant to Article 77 GDPR.
In Italy, the competent Authority is:
Garante per la protezione dei dati personali (Italian Data Protection Authority)
The Data Subject’s right to seek a judicial remedy before the competent courts remains unaffected.
The Controller reserves the right to amend or update this privacy notice, including as a result of:
· changes in laws or regulations;
· guidance from the competent authorities;
· technological developments;
· the introduction of new services;
· changes to business processes or the providers used.
The updated version will be published on the Website together with the date of the latest update.
Where changes significantly affect the processing carried out or the rights of Data Subjects, the Controller may provide a specific notice through the Website, the User’s account or other available contact channels.