PRIVACY POLICY FOR USERS OF THE SITE

Please read carefully this Privacy Policy (hereinafter, “Privacy Policy”), which is intended for the users of the website https://www.moonboot.com/ (hereinafter, the “Site”), in accordance with Article 13 of the General Data Protection Regulation No. 2016/679 (hereinafter, also “GDPR”), in which we provide you with all the information regarding the processing of your personal data (hereinafter, also, “Data”) and its use.

Please note this Privacy Policy is applied only to the processing of Data carried out on the Site and not also to processing carried out on different and additional websites, although accessible through links within the Site itself.

1.    Data controller and contact information

The data controller is Tecnica Group S.p.A., via Fante d’Italia, 56 – 31040, Giavera del Montello (TV), Italy, C.F. e P.IVA 00195810262 (hereinafter referred to as “Data Controller” or “Company”). E-mail address: privacy@tecnicagroup.com

2.    Contact information of Data Protection Officer (DPO)

It is possible to contact the Data Protection Officer (DPO) by writing to privacy@tecnicagroup.com

3.    Types of Data Processed

3.1 Navigation Data

We collect the following Data through the services you use.

Technical Data
This category of Data includes the IP addresses or domain names of the computers used by the users who connect to the Site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. These Data are used only for statistical information (so they are anonymous), to check the proper functioning of the Site, and are deleted immediately after processing. The Data could be used to prove responsibility in case of hypothetical computer crimes against the Site. Save this eventuality, Web Contact Data do not persist for more than 7 days.

Cookie
The Site collects Data using cookies or similar technologies. For more information, please visit the Site's “Cookie Policy”.

3.2 Data provided intentionally by the user

The Site offers to the users the opportunity to provide personal Data through, for example, filling out the “Contact Us”, “Register” and “Guest Check-out” forms on the Site.

3.3 Additional source of Data

Within the Site it is possible that User Data may be collected through third parties. Specifically, this may occur in the event that the user decides to subscribe to the Site through the ‘social login’ mode (e.g. Google, Facebook). In this circumstance, the Data Controller may process Data such as: first name, last name and e-mail address. 
Should the user wish to receive further details on the operation, Data sharing and management of ‘social login’, he may consult the privacy notices made available, respectively, by each service provider.

4.    Services offered by the Site

You can find below the description of the services offered by the Site. For each services are indicated: the purposes for which Data are processed, the legal basis for such processing, and the retention periods for the processed Data.

4.1 E-commerce 

Through the Site you can make online purchases of Moon Boot brand products. In order to proceed with the purchase of such products you can:
a.    create your own account;
b.    select the various items and checkout as a “Guest”.
Purpose of processing: to provide e-commerce services for the online buying and selling of the Controller’s products and to carry out the shipping of the purchased products.
Legal basis for processing: art. 6(1)(b) GDPR, “performance of a contract to which the data subject is party or performance of pre- contractual measures taken at the request of the data subject”.
Retention period: personal data will be retained for the entire contractual term and, after termination, for the ordinary limitation period.

4.2 “Returns” section

Within the Site there is a “Returns” section. The latter allows the user who has not created an account to make a return of a product purchased within the Site. For the purpose of providing this service, the user is necessarily required to provide an e- mail address and order number.
Purpose of processing: to provide the service of returning an order placed within the e-commerce of the site.
Legal basis for processing: art. 6(1)(b) GDPR, “performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
Retention period: personal data will be retained for a period not exceeding 24 months from the time it is provided.

4.3 “Track Order” section

Within the Site there is a “Track Order” section. The latter allows the user who has not created an account to track the order placed and view its details. For the purpose of providing this service, the user is necessarily required to provide an e-mail address and order number. 
Purpose of processing: to provide details about the order placed within the site's e-commerce as well as to be able to track the order itself.
Legal basis for processing: art. 6(1)(b) GDPR, “performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
Retention period: personal data will be retained for a period not exceeding 24 months from the time it is provided.

4.4 “Contact us” section

Within the Site there is a “Contact us” section. The latter allows the user to submit to the Company their requests for information related to the product, shipping, return or other. For the purpose of providing this service, the user is necessarily required to provide the following personal data: first name, last name and e-mail address.
Purpose of processing: provide feedback to requests for information made by the user.
Legal basis for processing: art. 6(1)(b) GDPR, “performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
Retention period: personal data will be retained for a period not exceeding 24 months from the time it is provided.

5.    Additional purposes of processing

As part of the processing of personal data carried out by the Site, the Data Controller pursues the following additional specific purposes:

5.1 Fulfillement of legal obligations

The Data Controller, where necessary, processes the personal data of data subjects, collected through the Site, in order to ensure compliance with legal obligations, regulations and EU standards to which it is subject.
Legal basis for processing: art. 6(1)(c) GDPR, “processing is necessary for compliance with a legal obligation to which the controller is subject”.
Retention period: personal data will be retained for the period strictly necessary to enable the Controller to fulfill the legal obligations to which the Controller is subject.

5.2 Establishment, exercise and defense of rights in court

The Data Controller, where necessary, processes the personal data of data subjects, collected through the Site, in order to establish, exercise or defend its own right in court or whenever the judicial authorities exercise their jurisdictional functions.
Legal basis for processing: art. 6(1)(f) GDPR, “processing is necessary for the pursuit of the legitimate interest of the controller”.
Retention period: personal data will be retained for the period strictly limited to the duration of the litigation, until the time limit for appeal actions is exhausted.

5.3 Direct marketing activities

Your personal data, subject to your free and specific consent, will be processed by the Data Controllers to update you on promotional, commercial and advertising initiatives, events, initiatives in accordance with the provisions of the Italian Data Protection Authority's provision “Linee guida in materia di attività promozionale e contrasto allo spam – 4 luglio 2013 [2542348]”. We inform you that these activities may be carried out by means of paper mail, telephone contact by operator (so-called “traditional modalities”), e-mail, sending of sms, push notifications and use of social networks (so-called “automated modalities”). In addition, we will process Your Data to perform analysis and reporting activities related to promotional communication systems. In the absence of your specific consent for this purpose, we will not be able to process your Personal Data for direct marketing purposes and will therefore not be able to inform you of new products and/or current promotions.
Legal basis for processing: Consent of the data subject ex art. 6(1)(a) GDPR, “the data subject has given consent to the processing of his/her personal data for one or more specific purposes”.
Retention period: personal data will be retained until the user withdraws consent. Purchase data for marketing purposes will be retained for 24 months. This is without prejudice, in any case, to the possibility for Data Controllers to retain the user's personal data in order to demonstrate compliance with the principle of accountability under Article 5 GDPR.

5.4 Profiling

Subject to your free, optional and specific consent, we will process your personal data for profiling purposes. In particular, through monitoring the products and services you purchase through the Site as well as your behaviors and interactions, we will assess your behavior in more detail and analyze your preferences, interests, and consumption habits. In the absence of your specific consent for this purpose, we will not be able to process your personal data for profiling purposes.
Legal basis for processing: Consent of the data subject ex art. 6(1)(a) GDPR, “the data subject has given consent to the processing of his/her personal data for one or more specific purposes”.
Retention period: personal data will be retained until the user withdraws consent. Data from purchases for profiling purposes will be retained for 12 months. This is without prejudice, in any case, to the possibility for Data Controllers to retain the user’s personal data in order to demonstrate compliance with the principle of accountability under Article 5 GDPR.

6.    Recipients and transfer of personal data

The Data may be processed by parties operating as autonomous data controllers, such as but not limited to: authorities and supervisory and control bodies and in general subjects, public or private, entitled to request the Data.
Data may also be processed on behalf of the Company by external parties designated as Data Processors (pursuant to Article 28 of the GDPR), who are given appropriate operational instructions. These subjects are essentially included in the following categories: 
a.    subsidiaries of Tecnica Group (pursuant to Article 2359 of the Civil Code);
b.    companies that offer e-mailing services;
c.    companies that offer services instrumental to the pursuit of the purposes stated in this policy (media agencies, IT suppliers, forwarders...);
d.    companies that perform the service of managing and/or maintaining the Company’s website;
e.    companies that offer support in conducting market studies;
f.    companies offering shipping services.
Personal data are transferred outside the European Union. In any case, it is understood that, should it become necessary, the Data Controller may also transfer personal data to countries outside the EU, guaranteeing as of now that the transfer will take place in compliance with the applicable legal provisions and therefore entering into, if and to the extent necessary, specific agreements guaranteeing an adequate level of protection of personal data, or in any case adopting the standard contractual clauses provided by the European Commission for the transfer of personal data outside the EU.

7.    People authorized to process

The data may be processed by the employees and/or collaborators of the Controller and/or the Manager deputed to the pursuit of the above purposes, who have been expressly authorized for the processing and have received appropriate operational instructions.

8.    Withdrawal of consent and exercise of data subjects’ rights

Data subjects may contact the Data Controller by e-mail at the following e-mail address: privacy@tecnicagroup.com

Data subjects may request from the controller access to the data concerning them, their deletion, the rectification of inaccurate data, the integration of incomplete data, the restriction of processing in the cases provided for in Article 18 GDPR, as well as the opposition to processing, for reasons related to their particular situation, in cases of legitimate interest of the controller.

In the event that you exercise your right to erasure, the Data Controllers will remove the data referring to you not only from the Site, but also from all of the company's databases: this could therefore include the possible deletion also from other platforms of the Data Controllers on which you have registered. In view, therefore, of the impact that such deletion could have on you, the Data Controllers may provide for procedures better aimed at ascertaining your identity.

In addition, data subjects, where processing is based on consent or contract and is carried out by automated means, have the right to receive in a structured, commonly used and machine-readable format the data, as well as, if technically feasible, to transmit them to another data controller without hindrance.

Data subjects have the right to revoke the consent given at any time for marketing and/or profiling and/or data transfer/communication purposes. This is without prejudice to the possibility for a data subject who prefers to be contacted exclusively through traditional means to object to processing for marketing purposes only in relation to receiving communications through automated means.

Data subjects have the right to lodge a complaint with the competent supervisory authority in the member state where they usually reside or work or the state where the alleged violation occurred.