With this Privacy Policy, provided in accordance with Article 13 of Regulation (EU) 2016/679 ("GDPR" or "Regulation"), we wish to inform the User about the methods by which their Personal Data (i.e., any information capable of directly or indirectly identifying them) will be processed when visiting and/or purchasing on the website www.dedi.express (hereinafter, the "Site"). This information, together with the Cookie Policy and the Terms of Use and General and Special Service Conditions, establishes the basis on which Users' personal data will be processed.
Data Controller
The data controller for personal data collected through the Site is: VirtSYS IT S.r.l.s. unipersonale, with registered office in Gela (CL), via Venezia 175, zip code 93012, VAT number 02111100851 (hereinafter "Data Controller"), email address: [email protected]
Methods of Personal Data Processing
We hold in the highest regard the right to privacy and the protection of personal data of our Users, which will be processed lawfully.
I) Personal data provided or acquired will be subject to processing based on the principles of fairness, lawfulness, transparency, and confidentiality in accordance with applicable regulations, through appropriate security measures aimed at preventing unauthorized access, disclosure, alteration, or destruction of personal data.
II) Processing is carried out using computerized and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated.
Processed Personal Data
When the User visits the Site, contacts us (via email, phone, mail, etc.), subscribes to the newsletter, or places an order, we process some of their Personal Data, either independently or through third parties.
We list the categories of personal data processed:
1. Identifying, contact, and access data: name and surname, email address, shipping address, phone number, and account login credentials, as well as any other Personal Data voluntarily provided by the User.
2. Purchase data: data related to purchases made;
3. Browsing data: concerning the connection, IP addresses, domain names, and other parameters related to the browser and operating system used;
4. Usage Data: information generated by visiting the Site or making purchases on it: log data, data related to registrations made, interaction and transaction processes, performance indicators, data related to browsing flows, and use of features;
5. Billing and payment data: any VAT number, bank account number or IBAN code for payments by bank transfer, tax code, address, and possibly the company name.
Purpose of Processing and Legal Basis
The Data Controller will process Users' Personal Data, as listed above, for the conduct of its economic and commercial activities, for the specific purposes indicated below.
A. Purposes Related to Contractual and Legal Obligations:
2. Browsing the Site;
3. Registration and management of the account (credentials recovery, deletion, etc.) and use of connected services;
4. Activities necessary for the conclusion of the contract for the purchase of products sold by the Site and for its execution;
5. Processing of orders;
6. Customer assistance and care activities as well as responding to requests, complaints, reports, and disputes from Users via email to the Data Controller's addresses or through other communication channels;
7. Management of User requests via distance communication tools, such as email, chat, phone, SMS, chatbot, banners, notification systems, and other distance communication tools available on the Site;
8. Compliance with obligations arising from current law, regulations, or community legislation (e.g., tax and accounting obligations) or management and response to requests from competent administrative, tax, and judicial authorities;
9. Administrative, accounting, and tax-related activities such as activities related to the contract concluded through the Site, such as, for example, issuing receipts and/or invoices, keeping accounting records;
10. Response to requests for the exercise of rights recognized to Users by the contract entered into with the Data Controller, by law in relation to such contract, or by the GDPR, and related activities.
For these purposes, the Legal Basis is the need to fulfill the pre-contractual and contractual obligations of which the User is a party (Art. 6.1.b) of the GDPR) or the fulfillment of legal obligations to which the Data Controller is subject (Art. 6.1.c) of the GDPR).
Therefore, except for account registration data, which is optional, their processing is necessary to allow the conclusion and execution of the contract through the Site or to respond to pre-contractual requests made by the User in relation to the Site. Failure to provide data will therefore result in the impossibility for the User to conclude a contract through the Site and/or receive a response to the requests made.
B. Purposes of analysis and statistics and other purposes not based on consent
1. Carrying out statistical analyses regarding the use of the Site, browsing, product searches, to improve the website and the offer of products sold through it;
2. Ensuring compliance with the Data Controller's contractual rights or demonstrating compliance with obligations arising from the contract with the data subject or imposed by law, to prevent and/or suppress fraudulent or harmful actions;
3. Reminding the User who has started the purchase process that they have placed a product in their shopping cart.
The legal basis for this processing is legitimate interest (Art. 6.1.f) of the Regulation. Sometimes the Legal Basis consists of legitimate interest (Art. 6, paragraph 1, letter f) in combination with Recital 47 of the Regulation), for sending transactional email communications (e.g., abandoned cart).
C. Purposes of direct marketing and profiling
1. With the User's consent, we will send commercial emails to show updates, news, offers, and promotions, market research, also through automated processing tools such as emails and newsletters.
2. With the User's consent, we will process their personal data to attribute specific characteristics, preferences, and send them, also through automated processing tools such as "retargeting" or by insertion into clusters of subjects with common characteristics, personalized and diversified commercial communications, based on their profile.
For these purposes, processing, including the final decision on the promotional communication to be sent or displayed to the user based on the cluster(s) to which they belong, takes place automatically, without human intervention, based on algorithms whose parameters have been previously set.
The legal basis is the User's express consent to the processing of personal data for these purposes (Art. 6.1.a) of the Regulation. Providing data for these purposes is optional. In case of lack of consent, withdrawal of the same or exercise of the right to object, the User's ability to make purchases on the Site will not be prejudiced in any way.
D. Soft-spam
To send commercial communications to the User's email address provided within the scope of purchasing products through the Site, for the direct sale of similar products. This activity does not require the acquisition of prior express consent from the data subject as it is exercised on the legal basis provided for in Art. 130, paragraph 4, of the Privacy Code (Legislative Decree 30 June 2003, no. 196), which expressly allows it, provided that the user does not refuse such use, initially or on subsequent occasions.
Modification of Choices and Consent Withdrawal
In case of consent withdrawal, the User may revoke the consent given at any time and/or object to the processing of personal data for generic marketing and profiling purposes through the methods indicated in the 'Rights of Data Subjects' section later in this information.
In case of consent withdrawal, the processing carried out on the basis of the consent given before its withdrawal will still be considered legitimate. In case of consent withdrawal and/or objection to the processing of your data for the purpose of generic marketing, the user's data will no longer be processed for this purpose and will be retained by the Data Controller only if there is another legal basis that legitimizes the processing (e.g., contractual performance; legal obligation; legitimate interest).
Retention Period
The Data Controller will process users' personal data for the time necessary to achieve the purposes for which such data was collected, as defined in this information. However, for each of the purposes indicated, the personal data collected will be retained for the specific time periods as follows:
1. For purposes related to the Contract, the Data Controller will process the user's data for the time strictly necessary to carry out the individual processing activities, provided that, upon expiry of this period, the Data Controller may retain the data for the purposes and for the maximum retention periods set out in other sections of this information, if relevant and/or in cases established by the GDPR and/or by law.
2. For tax, administrative, accounting, and legal purposes, until the expiry of the legal deadlines provided for the completion of each obligation and/or for the retention periods provided for by law. In case of account closure initiated by the User, the data contained therein will be kept for administrative purposes for a period of 3 months from the account closure request.
3. For purposes based on the Data Controller's legitimate interest, the Data Controller will process the user's data for the time strictly necessary to satisfy such interest, unless, in the event of disputes and/or complaints, the Data Controller needs to retain personal data to carry out defense activities (letter k) for the following 10 years (statute of limitations) or, in the presence of litigation, further retention is determined by the duration of the litigation or by specific requests from the authority. The User can obtain further information on the legitimate interest pursued by contacting the Data Controller.
4. For the purpose of direct marketing and profiling, as long as consent is not revoked and in any case for a period of 12 months from when consent is given or renewed by the User, on the occasion of a new purchase or from the date of the last contact with the User, including, for example, the opening of the newsletter.
After these retention periods, the Personal Data will be deleted, and the User will no longer be able to exercise the rights of access, deletion, rectification, and portability of the Data.
Communication and Disclosure of Data
In addition to the Data Controller, in some cases, the Data may be accessed by:
individuals involved in the organization of the website (for example: administrative, commercial, marketing staff);
third parties who perform ancillary and instrumental tasks in relation to the Data Controller's activity and who process personal data on behalf of the Data Controller (for example: payment services, legal, accountants, system administrators, logistics companies, newsletter services);
public or private entities that may access the Data in compliance with the law, regulations, and measures issued by competent authorities;
potential buyers of the Data Controller company and entities resulting from mergers or any other form of transformation.
Depending on the case, these recipients process Users' personal data as data processors, data controllers, or independent data controllers. The User can request an updated list of Data Processors pursuant to Article 28 of the GDPR.
Location of Processing and Data Transfer Abroad
The processing of Data primarily takes place in Italy and in countries of the European Union. Some third-party tools may process data of users of this website in countries outside the European Economic Area ("Third Countries").
Data transfer to Third Countries may also occur through the use of external tools that provide certain services (e.g., newsletters, remarketing, advertising, use of social buttons, video display).
At times, the use of such tools may involve the transfer of personal data of users visiting this website to a third country, such as the United States, for which there is no adequacy decision by the European Commission.
If there is a need to transfer data to Third Countries, the Data Controller undertakes to ensure that the country to which the data will be sent provides an adequate level of protection, as required by Article 45 of the GDPR; such transfer will be governed based on the standard contractual clauses for data protection approved by the European Commission for the transfer of personal information outside the EEA under Article 46.2 of the GDPR.
Cookies
This website uses cookies. Cookies are small text files that can be installed by websites on users' devices to make browsing more efficient and to personalize content and advertisements, provide social media features, and analyze traffic. For more information, please read the Cookie Policy.
Tools for Personal Data Processing
LIVE CHAT
Crisp Chat (Crisp IM SAS)
The live chat service through "Crisp Chat" can be used by users to access assistance or customer care services before, during, and after purchase. The service is provided by Crisp IM SAS and may use various technologies to collect and store information when using the integrated services, which may include the use of cookies and similar tracking technologies. For processing methods, please refer to Crisp Chat's Data Processing Terms, as well as Crisp Chat's Service Terms. Data collected: phone number, email, usage data, cookies. Location of Processing: FRANCE - Privacy Policy.
NEWSLETTER
The newsletter service allows the Data Controller to send promotions and commercial communications to users via email. This Site uses the following service:
Mailjet (Sinch Email)
Mailjet is an address management and email messaging service provided by Sinch Email. Location of Processing: GERMANY - BELGIUM - View the service's Privacy Policy to learn about the data processed by it. If the User does not want their personal data to be managed by Mailjet, it will be necessary to unsubscribe from the newsletter. To do this, the Data Controller provides an unsubscribe button (unsubscribe link) in each commercial communication.
PAYMENT MANAGEMENT
Stripe (Stripe Inc.)
Stripe is a payment service provided by Stripe Inc., which allows the User to make online payments via credit card. Personal Data processed: various types of Data as specified in the service's privacy policy. Location of Processing: See Stripe's privacy policy - Privacy Policy
PayPal (Paypal Europe S.à.r.l. et Cie, S.C.A Inc.)
PayPal is a payment service provided by PayPal Europe S.à.r.l. et Cie, S.C.A Inc., which allows the User to make online payments using their PayPal credentials. Personal data collected: Cookies and various types of Data as specified in the service's privacy policy. Location of Processing: LUXEMBOURG - Privacy Policy
STATISTICS
Statistical services allow the Data Controller to monitor and analyze traffic data and serve to track User behavior. This Site uses the following third-party services:
Google Analytics (Google Ireland Limited)
Google Analytics is an analytics service provided by Google Ireland Limited. Google uses Personal Data collected for the purpose of tracking and examining the use of this Site, compiling reports, and sharing them with other Google services. Google may use Personal Data to contextualize and personalize the ads of its own advertising network. Google may also transfer this information to third parties where required to do so by law or where such third parties process the information on Google's behalf. This site has activated the IP anonymization function. The IP address transmitted by the browser for Google Analytics purposes will not be merged with any other data held by Google. In some cases, the use of Google Analytics may involve the transfer of personal data of users who visit this website to a third country, such as the United States, for which there is no adequacy decision by the European Commission. The following link https://tools.google.com/dlpage/gaoptout?hl=en provides the browser add-on for disabling Google Analytics, provided by Google. Personal Data collected: Cookies, IP Address, Usage Data, and other Personal Data as defined in Google's privacy policy. Location of Processing: IRELAND and in some cases UNITED STATES - Privacy Policy (https://policies.google.com/privacy?hl=en)
Rights of Data Subjects
Interested parties have the right to exercise the rights provided for in Articles 7, 15-22 of the Regulation. In particular, Users have the right to obtain: access, update, rectification, or, when interested, integration of data; the erasure, transformation into anonymous form, or blocking of data processed unlawfully, including data whose retention is unnecessary in relation to the purposes for which the data was collected or subsequently processed; certification that the operations referred to above have been made known, including as regards their content, to those to whom the data has been communicated or disclosed, except where this proves impossible or involves a disproportionate effort compared to the right protected.
Furthermore, Users have the right to withdraw consent at any time, where the processing is based on their consent, to request data portability, i.e., to receive all personal data concerning them in a structured, commonly used, and machine-readable format), to request the limitation of the processing of personal data and/or erasure ("right to be forgotten"), as well as the right to object to the processing of personal data concerning them and to the processing for the purposes of sending advertising material, direct sales, and conducting market research.
Pursuant to the Applicable Regulations, the Data Controllers inform that Users have the right to obtain information about (i) the origin of personal data; (ii) the purposes and methods of processing; (iii) the logic applied in case of processing carried out with the aid of electronic instruments; (iv) the identifying details of the Data Controllers and processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it as Data Controllers or processors.
Interested parties may exercise their rights by sending a specific communication to the Data Controller or using the form for exercising the rights of data subjects, available at this link, to be sent, duly completed and signed, to the Data Controller via email at: [email protected].
Interested parties, if they believe that the processing concerning them violates the Regulation, also have the right to lodge a complaint with the Privacy Guarantor as the supervisory authority for the protection of personal data (Privacy Guarantor, headquartered in Piazza Venezia n. 11 - 00187 - Rome (http://www.garanteprivacy.it/).
Changes to this Privacy Policy
The Data Controller reserves the right to make changes to this Privacy Policy at any time by giving notice to Users on this page. Therefore, please check this page often, referring to the last modification date indicated at the bottom. If the User does not accept the changes made to this Privacy Policy, they are required to discontinue using this website and may request the Data Controller to remove their Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to Personal Data collected up to that point. The Data Controller is not responsible for updating all the links displayed in this Privacy Policy; therefore, whenever a link is not functioning and/or updated, Users acknowledge and agree that they should always refer to the document and/or section of the websites referred to by that link.
