Chariot
PRIVACY POLICY
Privacy Policy Cookie Policy
Privacy Policy Cookie Policy

Privacy Policy

PRIVACY POLICY OF THIS WEBSITE

This document describes the processing method of personal data of (a) users who visit our website www.savetheduck.com (the “Website”), (b) users who spontaneously send communications to the contact details indicated on the Website as well as (c) those who interact with the Website by creating an account or purchasing our products.

This policy also constitutes the policy provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”).

The policy is provided only for the website www.savetheduck.com, and not also for other third-party websites that may be accessed by the user through links published thereon.

Detailed policy is provided separately in relation to particular functionalities or data release forms or specific services (for example, “newsletter” and “cookie”).

  1. CONTROLLER OF DATA PROCESSING – CONTACT DETAILS

The data controller is Save The Duck S.p.A., with registered office in Via Arcivescovo Calabiana, 6, Milano, Italy, fiscal code and VAT number 07853840960 (the “Controller” or “STD”). To request information about the processing of your personal data, you can contact the Controller or send inquires/question to the email address privacysavetheduck@savetheduck.com. It is specified that, for the purposes of preparing the reports on the performance of the size recommendation services on the Website rendered by Measmerize LTD and to facilitate size selection on the Website, STD will process personal data as joint controller pursuant to Article 26 of the GDPR, as indicated in the specific policy.

  1. CATEGORIES OF DATA PROCESSED – PURPOSE AND LEGAL BASIS FOR PROCESSING

2.1       Browsing data

During their normal operation, the computer systems and computer programs used to operate the Website acquire some personal data whose transmission is implicit in the communication protocols of the Internet. Such information is not collected to be associated with identified data subjects, but because of their very nature they could allow to identify users through processing and association with data held by third parties. This category of data includes IP addresses or domain names of computers used by users who connect to the Website, URI (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters regarding the operating system and computer environment. Browsing data will be collected exclusively in the legitimate interest of allowing the user to enjoy the content published on the Controller's Website and its proper administration and management.

 

2.2      Cookies

For any information relating to the use of cookies on this Website, we invite you to consult the specific cookie policy available at the page www.savetheduck.com.

2.3      Voluntarily provided personal data

The optional, explicit and voluntary sending of electronic mail to the addresses indicated on this Website implies the subsequent acquisition of the sender's address, necessary to respond, and any other personal data included in the message.

If the voluntary contact by the user takes place by filling out the form in the “contact us” section, personal data released in the fields with compulsory completion (for example, name, email, phone number), as well as information voluntarily rendered in the field with free completion, will be processed; in this regard, please do not release sensitive information or related to third parties nor statements that are offensive to the decorum or dignity of others. The legal bases of the processing are, therefore, the need to fulfill the pre-contractual requests made by the data subject (Art. 6, par. 1, lett. b, of the GDPR) as well as the legitimate interest of the Controller to respond to data subject’s received communications (Art. 6, par. 1, lett. f, of the GDPR).

Should the user intend to fill out a web form that the Website offers for particular services, he/she may consult the detailed information notice before submitting the form containing his/her personal data.

2.4      Account creation

It is not required to create a personal account for using the Website. However, each user has the chance to create his/her own personal account and become a registered user; through a personal account the user can view his/her orders and saved addresses as well as request returns of purchased products.

When creating your personal account, you will be asked to enter the following registration information: 

  • First name and Surname*;
  • e-mail address*;
  • Password*;
  • Address;
  • Birth date,

The data marked with the symbol * are mandatory to create the account.

 

2.5 Purchase of STD’s products

Personal data voluntarily provided at the execution of an order relating to the purchase of a product through the Website are collected and processed, and consist of those data collected by sending emails, interacting with Website features/functions, and requesting services and/or products offered by the Website. Personal data that are processed for the purpose of executing and performing purchases of STD’s products through the Website include first name, surname, fiscal code, email address, address, phone and/or mobile phone number, bank details and information regarding order submitted to STD and, in general, contractual relationship with STD. Upon request, the client may activate the contact service “Back in Stock”, managed by a third-party supplier, which will allow the client to receive an email alert if a product currently unavailable becomes available for purchase again.

Should any information referring to third parties is collected, processed and disclosed to us, you must do so in accordance with the provisions of the applicable legislation, including the GDPR and, therefore, you must give them prior notice of the processing and, if necessary, you must collect free and express consent before processing.

2.6 Marketing and profiling

By virtue of your consent (optional and revocable at any time):

  • STD may process your personal data for marketing purposes, market researches, sending of information, promotional or advertising material (newsletters included), communication of new business initiatives, products or services offering, including through the Website, surveys, customer satisfaction surveys on the quality of STD’s products or services, sending invitations to events, pursued directly or through specialized companies, including through personal or telephone interviews, questionnaires, market surveys and similar; such activity will be carried out through email (including in newsletter form), MMS, SMS or similar modalities, traditional mail, phone call with an operator, as well as through targeted advertising carried out through digital platforms, social networks and, in general, advertising carried out by digital methods and/or tools, none excluded;
  • STD may collect information about your preferences, habits, lifestyles, as well as the details of purchases made in order to use them for the creation of group and individual profiles (“profiling”) and the sending of personalized communications; such activity will be carried out through email (including in the form of newsletters), MMS, SMS or similar modalities, traditional mail, phone calls with an operator, as well as through targeted advertising carried out through digital platforms, social networks and, in general, advertising carried out through digital methods and/or tools, none excluded.

 

 

2.7      Legal bases for processing

Personal data will only be processed if one of the legal prerequisites provided in the current legislation is met, and specifically:

  • for the management of pre-contractual fulfilments, for the execution and performance of an agreement to which the user is a party with respect to the purchase of the products offered on the Website, as well as the provision of any services for registered users, as well as to fulfill pre-contractual requests of the data subject (Art. 6, par. 1 lett. b) of the GDPR). Assistance on contracted services and products (and eventual complaints) is also included in this field and, in general, the processing of any customer requests and the management of interactions that occur in the context of the contractual or commercial relationship is included;
  • to comply with a legal obligation to which the Controller is subject within the scope of its purposes (Art. 6, par. 1, lett. c), of the GDPR);
  • for the legitimate interest of the Controller in order to ensure the browsing and registration activity for registered users, to prevent and prosecute fraudulent activities to process requests for information solicited by the date subject, to defend a right or interest of the Controller before any competent authority or entity (including for debt collection purposes), as well as to proceed to the direct offer of products or services similar to those object of previous purchase, limited to the email coordinates provided in the contractual/commercial context and subject to opposition to such processing (soft spamming), as well as for customer archive management and statistical processing, in aggregate form, for internal purposes (Art. 6, par. 1, lett. f), of the GDPR);
  • based on the consent of the data subject with respect to marketing and profiling activities referred to in section 2.6 above (Art. 6, par. 1, lett. a), of the GDPR).
  1. OPTIONAL OR MANDATORY NATURE OF PERSONAL DATA PROVISION

Except as specified for browsing data and as referred to in the Cookie Policy, the user is free to provide personal data through communications or through STD’s web forms (in the section "Contact us"). Failed, partial or incorrect release of personal data may prevent STD from correctly receiving and/or processing requests. Providing the information above in section 2.4, and marked with the symbol *, is necessary in order to create an account and also to respond to and handle user’s requests for information and/or feedback; to provide the services requested through the Website, including registration and subsequent updates, and to manage initiatives organized through the Website; for the management of activities functional to sales and after-sales services, such as administrative, accounting, returns and warranty management, customer relationship management, fraud prevention, and for the exercise of rights in court. The refusal to provide such information would still allow you to use the Website, but would prevent you from using some of the services reserved for registered users.

In addition, it will be necessary to process the personal data indicated in section 2.5 for the purpose of carrying out the contractual relationship arising from the purchase of STD products. The provision of such data is a contractual obligation: the user is free to provide the data or not, but without the required data it will not be possible to conclude or execute the contract and the requests.

In relation to the purposes referred to in section 2.6 above (marketing and profiling), the provision of data is merely optional and its processing is based on consent, which is optional and revocable at any time. Failure to give consent will not entail any consequence, but only the impossibility of receiving from STD advertising material or offers related to products and/or services of the Controller, also included personalized newsletters. Without prejudice to the foregoing, it is understood that, in the event of a refusal to consent to the processing of personal data for the purposes referred to above, the Controller may still use the personal data solely for the purpose of properly fulfilling its obligations under applicable laws and obligations arising from contractual relationships established with the Controller and/or for the pursuit of its own legitimate interest. Any consents given for the purposes set forth in Section 2.6 may be revoked at any time, it being understood that any subsequent revocation of consent will not affect the lawfulness of the data processing carried out during the period prior to such revocation.

  1. PROCESSING MODALITIES AND PROCESSING AUTHORIZATED SUBJECTS – STORAGE PERIOD

The processing of personal data is carried out in a lawful, correct, and confidential manner and is done for purposes that are determined, explicit, legitimate, and not exceeding the purposes indicated in this document. The processing of personal data is carried out with the help of paper, optical, computer and telematic media, eventually even in cloud, as well as through automated and computerized procedures, always, however, according to criteria of maximum fairness and security, in accordance with the provisions of the protection of personal data’s applicable legislation and through appropriate technical and organizational measures suitable to prevent the destruction or loss of data, illicit or incorrect use and unauthorized access.

Within the structure of the Controller, personal data will be processed, each to the extent of its competence, by authorized personnel responsible for managing the Website, interacting with its users, and the sales, marketing, administrative and support functions. Personal data may occasionally be accessed, for technical reasons only, by authorized personnel providing support to the Website and to the Controller’s computer systems.

Any IT service providers who may - for reasons of support, maintenance or rescue - come into contact with personal data, will be expressly authorized by the Controller, and will operate under strict contractual obligations or as data processor under the GDPR. The e-commerce service through the Website is managed by the company Shopify, which has been designated as a data processor under Article 28 of the GDPR, while the contact service “Back in Stock” is rendered by the company SURESWIFT CAPITAL INC, which will process the personal data (email address) as data controller or will be designated as a data processor under Article 28 of the GDPR.

In order to achieve the purposes stated herein, your personal data may be disclosed, including abroad, to the entities or categories of entities listed below and always only in connection with the implementation of the purposes stated in paragraph 2 above:

  • public authorities, administrations and/or agencies to carry out legal or secondary and EU regulatory fulfillments;
  • any suppliers, subcontractors, business partners, collaborators in various capacities of the Controller, as part of the implementation of the supply activities provided for in the contracts with customers, of the implementation of technical and design analysis with reference to your requests for contractual services. These subjects may operate as autonomous data controllers or data processors designated by the Controller in accordance with Article 28 of the GDPR;
  • external parties who carry out in Italy or abroad specific tasks on behalf of the Controller (such as, but not limited to, certification of financial statements, invoicing and filing of invoices, shipping of documents and materials, insurance coverage, debt collection, legal/accounting/tax consulting, crediting and/or debiting of economic entitlements). These subjects may act as autonomous controllers or as data processors designated by the Controller pursuant to Art. 28 of the GDPR; the data required for electronic invoicing will be transferred to the e-Invoicing service provider appointed as data processor pursuant to Art. 28 of the GDPR, which will automatically forward them to the Interchange System of the Internal Revenue Agency (“Sistema di Interscambio dell’Agenzia delle Entrate”);
  • entities, consortia, associations and bodies, operators of authorized credit information systems, having the purpose of credit protection.

Finally, personal data may also be communicated and/or transferred to third parties, including for purposes not directly related to the performance of the contract between you and the Controller, in accordance with the consents expressed by the data subject, and to those who carry out on behalf of the Controller the activities referred to in Section 2.6, including companies that manage digital platforms or social networks, as well as may occasionally be disclosed, or otherwise made accessible, to identified third parties in order to fulfill a request from the user, or to comply with a legal obligation or for the legitimate interest of the Controller in the protection, even judicial, of its rights. Personal data will not be disseminated in any way.

To find out the identity, activities carried out and the framework under the GDPR of third parties who may process your personal data, you can submit a specific request to the email address privacysavetheduck@savetheduck.com.

Personal data will be stored until the purposes for which they were collected are achieved, and in particular:

  • with regard to the personal data referred to in Section 2.1, they are kept for the short time necessary for the use of the Website and could be used to ascertain liability in case of hypothetical computer crimes against STD; thereafter, the data are kept only in anonymous form for statistical interest only;
  • with respect to the personal data referred to in Section 2.3, it will be retained for as long as necessary to comply with any requests from the sender or matters therein submitted to the Controller and, in any event, for as long as required by specific legal provisions;
  • with respect to the data of the user who has created an account as set forth in Section 2.4, such data will be retained as long as the account is active to the extent strictly necessary to provide the user with the features described above; even after the account is closed, the data may be retained, if necessary, for the purpose of complying with obligations imposed by laws or regulations, to protect the rights of the Controller, to prevent fraud, or to enforce this policy;
  • with regard to data relating to or connected with relationships of a contractual nature, they will be processed and stored for the entire duration of the contractual relationship and, thereafter, for the maximum time provided for by the applicable legal provisions regarding the statute of limitation (including in the administrative-fiscal filed) and, in general, for the exercise/defense of the rights of the Controller in disputes promoted by public authorities, public subjects/entities and private parties; the term of retention of personal data will not, however, exceed 10 years from the termination of the contractual relationship, unless legal protection needs arise or changes in the terms of law occur;
  • with regard to marketing and profiling purposes referred to in section 2.6, personal data will be retained until consent is revoked.

Once all the purposes legitimizing the retention of personal data have ceased, the Controller will delete them, compatibly with technical back-up procedures, or will transform them into anonymous form.

  1. PLACE OF PROCESSING AND TRASFER OF DATA ABROAD

The processing operations related to the web services of this Website (physically placed in hosting at the servers of the company Shopify, a company designated as a data processor under Article 28 of the GDPR) take place at the headquarters of the Controller.

In carrying out the company’s business, as structurally or occasionally organized, it is possible, however, that your personal data may be transferred to individuals or companies located outside the EU or the European Economic Area (EEA). In particular, Shopify, which manages the Website and e-commerce service, and SURESWIFT CAPITAL INC., which manages the contact service “Back In Stock”, are based in Canada and therefore there may be a transfer of data from the EU/EEA; for this reason, the Controller has ensured that every measure (contractual and non-contractual) is taken to ensure an adequate level of protection of personal data in accordance with and in the manner indicated by Chapter V of the GDPR and, in any case, by the legislation at the time in force on the protection of personal data; for more information on the privacy policy of Shopify, click here, while for more information on the privacy policy of SURESWIFT CAPITAL INC, click here

Should the Controller uses other web service providers located outside the EU or the European Economic Area (EEA) that have access to some personal data of the users of the website, the Controller will provide them with full information and will verify that every measure (contractual and non-contractual) appropriate and necessary to ensure an adequate level of protection of their personal data is taken in accordance with and in the manner indicated by Chapter V of the GDPR and, in any case, by the legislation in force at the time regarding the protection of personal data.

In any case, you may always request more information about the identity of non-EU third parties who may know/process your personal data and the activities they carry out by making a request to the Controller at privacysavetheduck@savetheduck.com.

  1. RIGHTS OF DATA SUBJECTS

As a data subject, you have the right to ask the Controller for access to your data, rectification, deletion of your data, restriction of processing or to object to the processing of your data under the conditions set out in Articles 15,16,17,18, 21 of the GDPR. Finally, you have the right to lodge a complaint with a Supervisory Authority if you believe that the processing concerning you violates the legislation applicable to the protection of your personal data. To request information about data processing or exercise your rights to your data, please contact the Controller at privacysavetheduck@savetheduck.com

  1. UPDATE OF THIS PRIVACY POLICY

The news rendered here may be subject to revision as a result of:

  • changes in data protection regulations, for the aspect of interest here;
  • technological implementations adopted by the Controller that impact the current processing methods;
  • organizational changes in the structure of the Controller that may affect the date subject.

Users are kindly invited to consult this policy periodically so as to be constantly updated on the characteristics of the processing.

 

Merci pour votre subscription

You are currently browsing EU site
If you want to shop in US click below
Go to US