Search Search
Wishlist Wishlist Cart Cart0
Privacy Policy
Arrow down
Privacy Policy
Cookie Policy
Terms and Conditions
Condizioni d'uso del sito
Resi e Rimborsi
Spedizioni
Pagamenti
FAQ
Contact us
Privacy Policy
Cookie Policy
Terms and Conditions
Condizioni d'uso del sito
Resi e Rimborsi
Spedizioni
Pagamenti
FAQ
Contact us

PRIVACY POLICY

NOTICE ON THE PROCESSING OF PERSONAL DATA

pursuant to Article 13 of EU Regulation 2016/679

Through this privacy policy (the “Notice”), GGZ S.r.l., with registered office in Pozzonovo (PD) – Via Tezzon, No. 6/A – VAT No. 01767000282 (the “Data Controller”), provides information to visitors (the “Data Subjects”) of the website www.grifoni.com (the “Website”) regarding the processing of personal data. Data Subjects are invited to read this Notice carefully. It applies both when accessing and browsing the Website without making any purchase and when purchasing products through the Website.

Pursuant to Article 13 of EU Regulation 2016/679 (hereinafter, the “GDPR”), the Data Controller provides the following information.

1. DATA CONTROLLER

The Data Controller is GGZ S.r.l., with registered office in Pozzonovo (PD) – Via Tezzon, No. 6/A – VAT No. 01767000282, registered with the Companies Register of Padua under No. PD-179898.

The Data Controller has not appointed a Data Protection Officer (DPO), as the relevant conditions under the GDPR do not apply. For any privacy-related enquiries, the Data Controller may be contacted at: Email: info@grifoni.com  Tel: +39 0429773632

2. TYPES OF DATA PROCESSED AND PURPOSES

The Data Controller processes the following personal data (hereinafter, the “Data”):

- personal and contact data (e.g. first name, surname, gender, place and date of birth, tax code, address, email, telephone number, etc.);

- data relating to orders and transactions (e.g. payment data, purchases information, returns, etc.);

- browsing data (e.g. location data, device identification number or advertising ID, etc.);

- behavioural profiling data (e.g. socio-demographic data, purchasing preferences, interests and consumption habits, etc.).



The Data are processed, in accordance with the methods described in paragraph 4, for the following purposes:

1. registration and access to restricted areas of the Website;

2. handling requests sent by Data Subjects;

3. for the purchase of products on the Website and for activities necessary for the performance of contractual relationships, as well as for any necessary pre- and post-sales assistance;

4. for marketing activities, including newsletters and promotional communications (via traditional and electronic means such as newsletters, emails and text messages) as well as profiling and retargeting activities, also through third parties (e.g. social networks, etc.);

5. for profiling purposes, i.e. to analyze consumer habits and choices, with a view to ensuring that products, initiatives and individual commercial offers are better tailored to the tastes and needs of its customers;

6. to comply with obligations imposed by applicable law, regulations, EU legislation or orders of the competent authorities;

7. to exercise the Data Controller’s rights, for example defence in legal proceedings.

3. LEGAL BASIS FOR PROCESSING

The legal basis for processing of Data is based on:

- for the purposes referred to in points 1, 2 and 3 above, the performance of a contract to which the Data Subjects are party or the implementation of pre-contractual measures pursuant to Article 6(1)(b) of the GDPR;

- for the purpose referred to in point 6 above, to comply with a legal obligation to which the Data Controller is subject pursuant to Article 6(1)(c) of the GDPR;

- for the purpose referred to in point 7 above, on the basis of the legitimate interests of the Data Controller, pursuant to Article 6(1)(f) of the GDPR;

- for the purposes referred to in points 4 and 5 above, on the basis of the data subjects’ consent pursuant to Article 6(1)(a) of the GDPR.

4. METHODS AND LOCATION OF PROCESSING

The Data will be processed in accordance with the principles of fairness, lawfulness, transparency and protection of confidentiality, using both automated methods, on electronic or magnetic media, and non-automated methods, on paper, in compliance with the confidentiality and security rules laid down by law, by subsequent regulations and by internal provisions.

Data processing is carried out at the registered office of GGZ s.r.l., located in Pozzonovo (PD) – Via Tezzon, No. 6/A.

5. DISCLOSURE OF DATA

The Data processed by the Data Controller will not be disclosed, i.e. it will not be made known to unspecified parties.

The Data may, however, be disclosed to employees of the Data Controller and to certain external parties with whom it collaborates, within the limits of the purposes set out in this Policy. Finally, it may be disclosed to parties authorized to access it pursuant to legal provisions, regulations and legislation.

The Data may be disclosed, exclusively for the purposes set out above and limited to what is strictly necessary, to the following categories of parties:

1. payment processing companies;

2. product shipping and delivery companies;

3. legal, tax and audit consultants providing services and assistance to GGZ S.r.l.;

4. companies acting on behalf of GGZ S.r.l. as data processors under a specific contract that precisely governs the processing activities entrusted to them and their data protection obligations; an up-to-date list of data processors may be requested from the Data Controller by writing to: info@grifoni.com

5. public or private bodies for the fulfilment of legal obligations;

6. service providers and partners involved in marketing and advertising, such as social media websites, advertising agencies or advertising partners.


In relation to profiling and retargeting activities, Data may be processed by online advertising and social media platforms, including Meta Platforms and Google, as detailed in the Website’s Cookie Policy.


6. TRANSFER OF DATA ABROAD

Data may be transferred to countries within the European Union and/or to third countries outside the EU which the European Commission has assessed as ensuring an adequate level of protection pursuant to Article 45 of the GDPR, or where the Data Controller has provided appropriate safeguards and provided that Data Subjects have enforceable rights and effective remedies pursuant to Article 46 of the GDPR.

7. MANDATORY OR OPTIONAL NATURE OF DATA PROVISION

The provision of Data is generally optional. Only in certain cases may failure to provide Data result in the inability to access specific services and prevent the Data Controller from granting access to the Website’s services or responding to requests from Data Subjects.

The Data required in each case is indicated and marked with an asterisk (*) in the various data collection forms on the Website.

8. LINKS TO OTHER WEBSITES

This Notice applies solely to the website www.grifoni.com and not to any other websites that the user may visit via links; consequently, GGZ S.r.l. cannot be held responsible for any data provided by users to third parties or to any websites linked to this Site.

9. DATA RETENTION PERIOD

Data is retained in accordance with the following retention periods:

- Browsing data: this is retained for a maximum period of 12 months from the date of collection, unless there is a need to investigate cybercrimes or in response to requests from the judicial authorities;

- Data relating to orders and purchase transactions (including personal, contact, delivery and billing details): these are retained for 10 years from the conclusion of the contract, in accordance with the civil and tax obligations set out in current legislation;

- Registered user account data: this is retained for the entire duration of the account and, in the event of account inactivity for a period exceeding 24 months, the account is deactivated and the associated personal data is deleted or anonymized, except for the retention of any further data necessary to comply with legal obligations;

- Data processed for marketing and newsletter purposes: this is retained for up to 24 months from the date consent is given or from the user’s last active contact, unless the data subject withdraws their consent earlier;

- Data used for profiling and retargeting activities: this is retained for a maximum period of 12 months from collection, unless consent is renewed;

- Data relating to support requests and contacts with Customer Service: this is retained for a maximum period of 24 months from the closure of the request, unless further retention is necessary for the management of disputes or litigation.


In any event, at the end of the retention periods indicated above, personal data will be deleted, anonymized or aggregated, unless further retention is necessary to comply with legal obligations or to protect the rights of the Data Controller in legal proceedings.

Data subjects may at any time exercise the rights provided by the GDPR, including the right to request the erasure of personal data, in accordance with the procedures set out in this Policy.

10. RIGHTS OF DATA SUBJECTS

Data subjects have the right, at any time, to exercise the rights set out in Articles 15 et seq. of the GDPR. In particular, they have the right to:


Access: Data Subjects have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed and to obtain access to the data and information referred to in Article 15 of the GDPR; in such cases, the Data Controller shall provide a copy of the data being processed. Where data subjects request further copies, the Data Controller reserves the right to charge a reasonable fee based on administrative costs.

- Rectification and completion (Article 16 of the GDPR): Data Subjects have the right to obtain from the Data Controller the rectification of inaccurate Data concerning them without undue delay. Taking into account the purposes of the processing, Data Subjects have the right to have incomplete Data completed, including by providing a supplementary statement.

- Erasure: Data Subjects have the right to obtain from the Data Controller the erasure of Data concerning them without undue delay, and the Data Controller is obliged to erase the Data without undue delay if one of the grounds set out in Article 17 of the GDPR applies.

- Restriction: Data subjects have the right to obtain from the Data Controller the restriction of processing where one of the circumstances set out in Article 18 of the GDPR applies. If processing is restricted, the Data shall be processed, except for storage, only with the consent of the Data Subjects or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.

- Data portability (Article 20 GDPR).

- Objection to processing (Article 21 GDPR): Data Subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of Data concerning them pursuant to Article 6(1)(f) of the GDPR; in such cases, the Data Controller shall cease further processing of the Data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where Data is processed for direct marketing purposes, Data Subjects have the right to object at any time to the processing of Data concerning them carried out for such purposes, including profiling insofar as it is related to such direct marketing. Furthermore, where the processing of Data is based on consent (for example, for marketing purposes, sending newsletters or profiling), Data Subjects have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent given prior to withdrawal.

Withdrawal may be exercised via the unsubscribed link included in every commercial communication and/or by contacting the Data Controller at the contact details provided in this Policy.

The Data Controller shall provide Data Subjects with information regarding the actions taken in response to a request submitted by the Data Subjects without undue delay and, in any event, no later than one month from receipt of the request. If Data Subjects submit the request by electronic means, the information shall be provided, where possible, by electronic means, unless otherwise indicated by the Data Subjects.

With specific reference to retargeting activities and the use of profiling cookies, the Data Subject may withdraw their consent at any time, including via the cookie management panel accessible from the Website, without affecting the lawfulness of the processing carried out prior to the withdrawal.

11. HOW TO EXERCISE YOUR RIGHTS

Data subjects may exercise their rights at any time by sending: 

- a registered letter with acknowledgement of receipt to GGZ srl, with registered office in Pozzonovo (PD) – Via Tezzon, No. 6/A, Tel.+39  0429773232


- an email to: info@grifoni.com


12. COMPLAINTS

Users also have the right to lodge a complaint with supervisory authority. In Italy, the supervisory authority is the Italian Data Protection Authority, whose contact details are available on the website www.garanteprivacy.it.

13. COOKIES AND OTHER TRACKING TOOLS

The Website uses technical cookies and, subject to the user’s express consent, profiling cookies and other tracking tools, including those from third parties, designed to improve the browsing experience and to offer personalized content and offers.

For further information on the types of cookies used, as well as to give, withhold or withdraw consent, you may consult the Cookie Policy available at the following link and manage your preferences via the dedicated panel accessible from the Website.


14. CHANGES TO THIS NOTICE

Any future changes to this Notice will be published on the Website and, where appropriate, notified to Data Subjects by email. Data Subjects are invited to read this Notice frequently to check for any updates or changes.



Last updated 12/05/2026