Cerca i nostri prodotti

Bozza Privacy Policy

Privacy Notice – Iginio Massari

Last updated: 16 July 2026 – Version 6.0

What is this document?

This privacy notice has been prepared pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation”, the “Regulation” or the “GDPR”).

Through this notice, Iginio Massari S.r.l. intends to inform each user (the “User” or the “Data Subject”) about the processing of personal data collected through the website www.iginiomassari.it (the “Website”), including data collected through the e-Shop intended for companies and retailers (the “B2B e-Shop”).

The B2B e-Shop and the related registration forms are currently available in Italian only and are intended exclusively for businesses operating in Italy. Accordingly, the sections of this Privacy Notice concerning the B2B e-Shop apply only to users who access or use that service on behalf of such businesses.


1. Data Controller and contact details

The Data Controller, pursuant to Article 4(7) GDPR, is:

Iginio Massari S.r.l.
Registered office: Via Orzinuovi 117, 25125 Brescia
Contact email: privacy@iginiomassari.it


2. Purposes of processing, personal data processed, legal bases and retention periods

The Controller processes Users’ personal data for the purposes described below.

a. Account creation and management

Personal data will be processed to enable registration or authentication on the Website, creation of a personal account and access to the services offered by the Controller.

Personal data processed

✓ personal details, such as first name and surname;
✓ contact details, such as email address;
✓ credentials and account-related information.

Legal basis

Performance of pre-contractual measures taken at the Data Subject’s request and performance of the contract, pursuant to Article 6(1)(b) GDPR.

Retention period

Until the account is deleted, without prejudice to any additional retention periods required by law or necessary for the establishment, exercise or defence of the Controller’s rights.


b. B2B e-Shop registration request and account management

Personal data will be processed to receive, verify and manage the registration request for the B2B e-Shop, ascertain whether the requirements for access as a company or retailer are met, contact the designated representative and, if the request is accepted, create and manage the account and the resulting B2B business relationship.

In particular, the Controller may verify the information provided by the company and request any additional documentation necessary to assess the access request.

Personal data processed

✓ identification and professional details of the representative, such as first name, surname and company role;
✓ contact details, such as business email address, telephone number and certified email address (PEC);
✓ identification, tax and invoicing details of the company, such as company name, registered office, billing address, VAT number or tax code and SDI recipient code;
✓ any information contained in the company documentation submitted;
✓ information relating to the registration request, verification of requirements and management of the B2B account.

Legal basis

Performance of pre-contractual measures taken at the Data Subject’s request and performance of the contract, pursuant to Article 6(1)(b) GDPR, where the Data Subject is also the contracting party.

The Controller’s legitimate interest, pursuant to Article 6(1)(f) GDPR, in verifying the request and managing the business relationship with the represented company, where the personal data relate to an employee, collaborator, director or representative of the company.

Retention period

If the request is accepted, the data will be retained for the entire duration of the account and the business relationship, without prejudice to any additional retention periods required by law or necessary for the establishment, exercise or defence of the Controller’s rights.

If the request is rejected, withdrawn or not completed, the data will be retained for a maximum period of 12 months from closure of the request, unless further retention is necessary to handle disputes, prevent abuse or protect the Controller’s rights.


c. Management of purchases, shipments, B2B orders and invoicing

Personal data will be processed to receive, manage and fulfil orders, make deliveries, manage or verify payments through the payment service providers used by the Controller, issue invoices and other administrative documents, and provide assistance related to purchases.

Personal data processed

✓ personal details;
✓ contact details, such as email address and telephone number;
✓ shipping address;
✓ company and company representative details;
✓ registered office and billing address;
✓ VAT number or tax code;
✓ certified email address (PEC) and SDI recipient code;
✓ data relating to orders, payments, deliveries, returns, refunds and invoices;
✓ information necessary for the administrative and accounting management of the relationship.

The Controller does not necessarily acquire all data relating to the payment instruments used by the User. Such data may be processed directly by payment service providers in accordance with their respective privacy notices.

Legal basis

Performance of a contract or pre-contractual measures taken at the Data Subject’s request, pursuant to Article 6(1)(b) GDPR.

With regard to the personal data of employees, collaborators, directors or representatives of legal entities, the processing is also based on the Controller’s legitimate interest in properly managing the business relationship with the represented company, pursuant to Article 6(1)(f) GDPR.

Retention period

For the duration of the contractual relationship and for the time necessary to manage the order, delivery, payment and any related requests.

Data contained in administrative, accounting and tax documents will be retained for the period required by applicable law, normally for ten years from the relevant entry, without prejudice to any additional periods required by law or necessary in the event of audits, claims or disputes.


d. Handling and fulfilment of requests for information and assistance

Personal data will be processed to manage and respond to requests for information, technical assistance and support, as well as to assist the User before, during and after the provision of products or services.

Personal data processed

✓ personal details;
✓ contact details, such as email address and telephone number;
✓ account-related information;
✓ purchase and order history;
✓ content of the request and related communications;
✓ any documents or information submitted by the User.

Legal basis

Performance of pre-contractual or contractual measures, pursuant to Article 6(1)(b) GDPR.

Where the request is not directly connected with a contractual relationship, the processing may be based on the Controller’s legitimate interest in providing Users with information and assistance, pursuant to Article 6(1)(f) GDPR.

Retention period

For the period necessary to manage and respond to the request and, subsequently, for the time necessary to handle any related disputes or requests.


e. Sending the newsletter

Subject to the Data Subject’s consent, personal data will be processed to periodically send the Controller’s newsletter, containing updates, information, news, editorial content and communications relating to Iginio Massari’s activities.

Personal data processed

✓ first name and surname, where provided;
✓ email address;
✓ information relating to subscription, changes to preferences and unsubscription.

Legal basis

The Data Subject’s consent, pursuant to Article 6(1)(a) GDPR.

Retention period

Until consent is withdrawn or the Data Subject unsubscribes and, in any event, for no longer than 24 months from the Data Subject’s last relevant interaction with the Controller, except for the period necessary to retain evidence of consent and any subsequent withdrawal.


f. Direct marketing communications

Subject to the Data Subject’s consent, personal data will be processed to send promotional and advertising communications by email concerning the Controller’s products, services, initiatives, news and events.

Any use of additional communication channels, such as SMS, telephone calls, postal mail or push notifications, will take place only where those channels are expressly specified in the consent request or on the basis of a separate applicable legal ground.

Consent is optional and may be withdrawn at any time, without affecting the lawfulness of processing carried out before its withdrawal and without any consequences for registration on the Website or the B2B e-Shop, creation of the account or the ability to make purchases.

The use of the Meta Pixel, Conversions API and other advertising cookies or tracking tools does not depend on the direct marketing consent collected through the Website or B2B e-Shop forms.

Such processing is governed separately and depends on the preferences expressed by the User through the cookie and other tracking-tool management system available on the Website.

Personal data processed

✓ first name and surname;
✓ email address;
✓ information relating to the consent given and any changes to or withdrawal of that consent.

Where the communication service uses technologies to detect opens or interactions, any data relating to the viewing of emails will be processed only in compliance with applicable law and on the basis of the required legal ground.

Legal basis

The Data Subject’s consent, pursuant to Article 6(1)(a) GDPR.

Retention period

Until consent is withdrawn and, in any event, for no longer than 24 months from the Data Subject’s last relevant interaction with the Controller, except for the period necessary to retain evidence of consent and any subsequent withdrawal.


g. Use of the email address for similar products or services (“soft spam”)

Where the Controller obtains the Data Subject’s email address in connection with the sale of one of its products or services, it may use that address to send communications concerning its own products or services similar to those purchased, within the limits and subject to the conditions set out in Article 130(4) of Italian Legislative Decree No. 196/2003.

The Data Subject may object to such use free of charge when the data are collected and subsequently at any time, including by using the unsubscribe link included in each communication or by writing to privacy@iginiomassari.it.

Personal data processed

✓ first name and surname;
✓ email address;
✓ information relating to products or services previously purchased, limited to what is necessary to verify their similarity.

Legal basis for processing

Article 130(4) of Italian Legislative Decree No. 196/2003.

Retention period

Until the Data Subject objects and, in any event, for a maximum period of 24 months from the most recent purchase, unless a different period is necessary or applicable due to the nature of the business relationship.

Purchase-related data will continue to be retained for any additional periods required for contractual, administrative, accounting and tax purposes, but will no longer be used to send soft-spam communications after the period indicated above.


h. Profiling

Subject to the Data Subject’s consent, the Controller may process data provided by the User and data acquired while the User uses the services and the e-Shop in order to conduct automated or manual analyses of the User’s habits, preferences and interests.

Profiling is used to personalise content, services, communications and commercial offers, making them more consistent with the Data Subject’s preferences and purchasing habits.

Data relating to products viewed and interactions with the Website will be used only where collected in compliance with the law applicable to cookies and other tracking tools.

Personal data processed

✓ personal details;
✓ contact details;
✓ order and purchase history;
✓ products viewed;
✓ stated preferences;
✓ interactions with the Website and the e-Shop, where collected in compliance with applicable law;
✓ information inferred from the analysis of purchasing habits and preferences;
✓ information relating to interactions with commercial communications and content, where lawfully collected.

Legal basis

The Data Subject’s consent, pursuant to Article 6(1)(a) GDPR.

Retention period

Until consent is withdrawn and, in any event, for no longer than 12 months from collection of the data or the Data Subject’s last relevant interaction, unless the data must be retained for other purposes based on a different legal ground.

Automated decision-making

Profiling does not involve decisions based solely on automated processing that produce legal effects concerning the Data Subject or similarly significantly affect them.

In particular, profiling does not automatically determine the acceptance or rejection of a B2B registration request, the application of individual contractual terms, the granting of credit or exclusion from access to services.


i. Job applications

Personal data will be processed where the Data Subject applies for an open position or submits an unsolicited curriculum vitae.

Personal data processed

✓ personal details;
✓ contact details, such as email address and telephone number;
✓ educational background;
✓ professional experience;
✓ skills and qualifications;
✓ information contained in the curriculum vitae and the documentation submitted.

The Data Subject is requested not to include irrelevant data or information belonging to special categories of personal data in their curriculum vitae, unless strictly necessary for the purposes of the application.

Legal basis

Performance of pre-contractual measures taken at the Data Subject’s request, pursuant to Article 6(1)(b) GDPR.

Retention period

For a maximum period of 24 months from receipt of the application, unless an employment or collaboration relationship is established or the Data Subject requests earlier deletion of the data.


l. Compliance with legal obligations

Personal data will be processed to comply with obligations arising from laws, regulations, national legislation or European Union law, including administrative, tax, accounting and invoicing obligations.

The data may also be processed to handle and respond to requests from administrative, tax, judicial or public-security authorities, or from other authorised public bodies.

Personal data processed

✓ personal details;
✓ contact details;
✓ company identification and tax details;
✓ registered office and billing address;
✓ VAT number or tax code;
✓ certified email address (PEC) and SDI recipient code;
✓ data relating to orders, payments, deliveries and invoices;
✓ administrative, accounting and tax documentation;
✓ any additional data requested by the competent authorities.

Legal basis

Compliance with a legal obligation to which the Controller is subject, pursuant to Article 6(1)(c) GDPR.

Retention period

For the periods prescribed by applicable civil, tax, administrative and accounting legislation, normally for ten years from the date the document is recorded, without prejudice to any additional periods required by law, by the competent authorities or due to ongoing proceedings, inspections or disputes.


m. Website operation, security and improvement

The Controller may process Users’ data to enable navigation, consultation and proper operation of the Website, prevent abuse or fraudulent activity, protect system security and improve the user experience.

The use of cookies and tracking tools that are not strictly necessary is governed by the Cookie Policy and by the preferences expressed by the User through the relevant consent management system.

Personal data processed

✓ IP address and technical connection data;
✓ device and browser data;
✓ system and security logs;
✓ data relating to use of and interaction with the Website;
✓ information relating to technical errors, anomalies and unauthorised access attempts.

Legal basis

The Controller’s legitimate interest, pursuant to Article 6(1)(f) GDPR, in ensuring the operation, security, protection and improvement of the Website and services.

Where required by applicable law, processing based on cookies or other tracking tools will take place subject to the User’s consent.

Retention period

For the period strictly necessary to pursue the purposes indicated.

Data may be aggregated or anonymised for statistical purposes and to improve the Website. Data that have been effectively anonymised are no longer considered personal data.


n. Handling complaints, protecting interests and exercising the right of defence

The Controller may process personal data to handle complaints and disputes, prevent and identify unlawful conduct, and exercise or protect its rights and interests in out-of-court, administrative or judicial proceedings.

Personal data processed

✓ personal details;
✓ contact details;
✓ data relating to the account, orders and payments;
✓ content of communications and complaints;
✓ documentation and information relevant to the dispute or claim.

Legal basis

The Controller’s legitimate interest, pursuant to Article 6(1)(f) GDPR, in establishing, exercising or defending a right or interest of the Controller.

Retention period

For the period necessary to handle the complaint or dispute and, subsequently, for the time required to establish, exercise or defend the right, in compliance with the applicable limitation periods.


3. Nature of the provision of data

The provision of data necessary to create and manage the account, manage the B2B e-Shop registration request, fulfil orders, issue invoices, deliver products, manage payments and comply with legal obligations is mandatory.

In the “Companies” and “Retailers” forms, data marked with an asterisk are required to verify and manage the registration request, assess whether the applicable requirements are met, create the B2B account and subsequently manage purchases, invoicing and related obligations.

Failure to provide such data will prevent the Controller from processing the registration request or providing the requested products and services.

The provision of data and consent for newsletter, marketing and profiling purposes is optional.

Failure to give consent does not prevent:

·       submission of the registration request;

·       assessment of the request;

·       creation of the account;

·       access to the B2B e-Shop;

·       making purchases;

·       performance of the contractual relationship.

Consent requests for newsletter, marketing and profiling purposes are presented separately.

The relevant boxes are not pre-selected, are not mandatory for submitting the form and allow the Data Subject to make a free, specific and separate choice for each purpose.

The Controller retains the documentation necessary to demonstrate the consent given, including, where applicable, the date, the content of the consent request and the version of the form or notice presented to the Data Subject.

Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before its withdrawal.

Activities based on legitimate interest do not require the Data Subject’s consent. Where necessary, the Controller has carried out or will carry out a balancing test between its interests and the fundamental rights and freedoms of Data Subjects.


4. Personal data of third parties

The use of certain Website services may involve the disclosure to the Controller of personal data relating to third parties, such as data concerning employees, collaborators, directors, company representatives or shipment recipients.

The User who discloses such data warrants:

·       that they are authorised to disclose them;

·       that the processing is based on an appropriate legal basis;

·       that they have provided the data subjects with the information required by applicable law, where necessary;

·       that the data disclosed are relevant, accurate and limited to what is necessary.

The User assumes responsibility for any disclosure of third-party personal data made in breach of applicable law.


5. Processing methods and security measures

Personal data are processed using paper-based, IT and electronic tools, by manual and automated means, in accordance with the principles of lawfulness, fairness, transparency, data minimisation, accuracy and storage limitation.

The Controller implements technical and organisational measures appropriate to the risk, designed to protect personal data against:

·       unauthorised access;

·       unlawful disclosure;

·       alteration;

·       destruction;

·       accidental loss;

·       unlawful or improper use;

·       system unavailability;

·       processing inconsistent with the stated purposes.

Access to personal data is permitted only to persons who need it to perform their activities and within the limits of the authorisations granted.


6. Recipients of personal data

Personal data may be processed by the Controller’s personnel specifically authorised pursuant to Article 29 GDPR and Article 2-quaterdecies of Italian Legislative Decree No. 196/2003.

With regard to data collected through the “Companies” and “Retailers” forms and through the B2B e-Shop, the data may be processed, within the scope of their respective responsibilities, by personnel in the following departments:

·       sales;

·       administration;

·       accounting;

·       tax;

·       logistics;

·       customer care and support;

·       IT and technical;

·       legal.

Personal data may also be disclosed or made accessible to the following categories of recipients:

1.             providers of hosting, IT infrastructure and cloud services;

2.             providers of e-commerce and B2B platforms, including Shopify Inc. and companies belonging to its group;

3.             providers of CRM systems, customer management, communication automation and marketing services, including Klaviyo Inc.;

4.             providers of support, customer care and ticketing services, including Zendesk Inc.;

5.             providers of management systems, ERP solutions and tools for managing orders and business processes, including Odoo and any related suppliers or technical partners;

6.             providers of systems for managing forms, databases and B2B request approval workflows;

7.             providers of electronic invoicing, accounting, document-retention, certified email (PEC) and Interchange System transmission services;

8.             payment service providers, banks and financial intermediaries;

9.             freight forwarders, carriers, couriers and logistics operators;

10.        legal, tax, accounting, administrative and IT advisers;

11.        providers of security, fraud-prevention and system-protection services;

12.        Meta Platforms Ireland Limited and other advertising platforms, within the limits of the preferences expressed by the User through the cookie and tracking-tool management system;

13.        public authorities, judicial authorities, tax authorities, law-enforcement bodies and other parties to whom disclosure is required by law or necessary to comply with lawful requests.

Depending on the circumstances, such parties may act as:

·       processors appointed pursuant to Article 28 GDPR;

·       independent data controllers;

·       persons authorised to process personal data.

Where a provider acts as a processor, the Controller enters into a specific agreement pursuant to Article 28 GDPR.

An up-to-date list of processors may be requested by writing to privacy@iginiomassari.it.


7. Transfers of data outside the European Economic Area

Personal data are processed at the Controller’s premises and through the systems and providers used to deliver the services.

Some providers may be established outside the European Economic Area or may process personal data outside that area.

In such cases, transfers will be carried out in compliance with Articles 44 et seq. GDPR and on the basis of one of the mechanisms provided for by applicable law, including:

·       an adequacy decision adopted by the European Commission;

·       standard contractual clauses approved by the European Commission;

·       binding corporate rules, where applicable;

·       specific derogations provided for by the GDPR;

·       any additional safeguards or supplementary measures necessary to ensure an adequate level of protection.

Before making a transfer, the Controller assesses, where required, the level of protection guaranteed in the destination country and the technical, organisational and contractual measures applied by the provider.

Further information on the countries concerned, the providers used, the safeguards applied and how to obtain a copy of them may be requested from the Controller by writing to privacy@iginiomassari.it.


8. Rights of the Data Subject

The Data Subject may exercise at any time the rights provided for in Articles 15–22 GDPR, within the limits and subject to the conditions established by applicable law.

In particular, the Data Subject may exercise the following rights:

Right of access – Article 15 GDPR

Obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, obtain access to the data and the information provided for by the GDPR.

Right to rectification – Article 16 GDPR

Obtain the rectification of inaccurate personal data and the completion of incomplete data.

Right to erasure – Article 17 GDPR

Obtain the erasure of personal data in the cases provided for by law.

Right to restriction – Article 18 GDPR

Obtain restriction of processing in the cases provided for by the GDPR.

Right to data portability – Article 20 GDPR

Receive the personal data provided to the Controller in a structured, commonly used and machine-readable format and transmit those data to another controller, where the processing is based on consent or a contract and is carried out by automated means.

Right to object – Article 21 GDPR

Object at any time, on grounds relating to their particular situation, to processing based on legitimate interest.

Where personal data are processed for direct marketing purposes, including profiling related to such marketing, the Data Subject may object at any time without having to provide reasons.

Right to withdraw consent

Withdraw previously given consent at any time.

Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.

Rights relating to automated processing – Article 22 GDPR

Not be subject, in the cases provided for by law, to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them.

Preferences relating to advertising tools

The Data Subject may change or withdraw preferences relating to cookies and advertising tracking tools through the consent management system available on the Website.

The Data Subject may also manage preferences relating to activities carried out by Meta through the tools made available in their Facebook or Instagram account.


9. How to exercise rights

Rights may be exercised free of charge by writing to the Controller at:

privacy@iginiomassari.it

The request must contain the information necessary to identify the Data Subject and understand which right they intend to exercise.

The Controller responds to requests without undue delay and, as a rule, within one month of receipt.

That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. In that event, the Controller informs the Data Subject of the extension and the reasons for it within one month of receiving the request.

Where there are reasonable doubts concerning the identity of the person making the request, the Controller may request the additional information necessary to confirm their identity.

In the case of manifestly unfounded or excessive requests, in particular because of their repetitive nature, the Controller may charge a reasonable fee or refuse to act on the request, within the limits permitted by Article 12 GDPR.


10. Complaint to the Supervisory Authority

Where the Data Subject considers that the processing of their personal data infringes applicable law, they have the right to lodge a complaint with the competent Supervisory Authority pursuant to Article 77 GDPR.

In Italy, the competent Authority is:

Garante per la protezione dei dati personali (Italian Data Protection Authority)

The Data Subject’s right to seek a judicial remedy before the competent courts remains unaffected.


11. Changes to this notice

The Controller reserves the right to amend or update this privacy notice, including as a result of:

·       changes in laws or regulations;

·       guidance from the competent authorities;

·       technological developments;

·       the introduction of new services;

·       changes to business processes or the providers used.

The updated version will be published on the Website together with the date of the latest update.

Where changes significantly affect the processing carried out or the rights of Data Subjects, the Controller may provide a specific notice through the Website, the User’s account or other available contact channels.

Shipping Method Details


Consegna a casa


English

Submit Withdrawal Request

Please fill out the following form to submit your withdrawal request.