Privacy Policy

Processing of personal data carried out during navigation and purchases on the website https://bomboniereconfettidilongoalessandro.com/ (hereinafter the “Site”).

Last updated: February 20, 2026

1. Data controller
The Data Controller is:

Confetti Favors by Longo Alessandro (individual business)
Headquarters: Via dei Mille 37, 23876 Monticello Brianza (LC) – Italy
Tax Code: LNGLSN97L27F704U
VAT number: 03946570136
REA: LC – 408670

Contacts:
Email: info@rivabomboniere.it
PEC: alessandrolongo97@pec.it
Telephone: 039 9205354
Postal address: Via dei Mille 37, 23876 Monticello Brianza (LC) – Italy

DPO (Data Protection Officer): not appointed.

2. Categories of data processed
While using the Site, the following may be processed:

a) Navigation and technical data
Technical data necessary for the operation and security of the Site (e.g., IP address, device identifiers, technical logs, information on browser and operating system, pages visited, date/time).

b) Data provided voluntarily by the user
- Data communicated via contact information (e.g., name, email, telephone number if provided, content of the request and related attachments).
- Data for subscribing to newsletters or informational communications (e.g., email address and preferences).
- Purchase and order data (e.g., identification and contact information, shipping and/or billing address, products purchased, amounts, notes, order status, returns/refunds).
- Account data (if created by the Customer): credentials and information useful for managing orders and preferences (the password is managed in encrypted/hashed form).

c) Payment data
Payment data (e.g., card details) are processed by the respective payment providers; the Data Controller receives only the information necessary for administrative management (e.g., transaction outcome and ID) and does not store the complete card details.

d) Data from cookies and similar technologies
Data collected through cookies and similar tools, as described in the Cookie Policy and managed through banners and cookie settings.

3. Data provision
- Providing the data necessary to manage requests, quotes, purchases, payments, shipments, and accounting/tax compliance is mandatory. Failure to provide this data will prevent us from following up on your request or completing/managing your order.
- Providing data for newsletters and cookie-based marketing activities is optional: failure to provide it does not prevent browsing and purchasing.

4. Purpose of processing and legal bases
a) Operation, technical management and security of the Site
Purpose: to enable navigation and content delivery, prevent abuse and fraud, manage security and malfunctions, and perform maintenance.
Legal basis: legitimate interest of the Data Controller (Article 6, paragraph 1, letter f GDPR) and, where applicable, fulfillment of legal obligations (Article 6, paragraph 1, letter c GDPR).

b) Contact requests / customer care
Purpose: to respond to requests for information, assistance, quotes, or complaints.
Legal basis: execution of pre-contractual or contractual measures (Article 6, paragraph 1, letter b GDPR).

c) Newsletters and informative/promotional communications upon consent
Purpose: to send newsletters and updates and/or promotional communications, if the user gives consent.
Legal basis: consent (Article 6, paragraph 1, letter a GDPR).
Revocation: The user can revoke consent at any time via the unsubscribe link in the emails or by contacting the Data Controller.

d) Promotional communications to customers (soft spam)
If the user has purchased on the Site and provided his/her email address at the time of purchase, the Data Controller may send promotional communications via email relating to products similar to those already purchased.
The user can object at any time, easily and free of charge, via the "unsubscribe" link in each email or by contacting the Data Controller.
Legal basis: legitimate interest of the Data Controller and applicable law.

e) Online sales and execution of the contract
Purpose: order management, payments, shipping, after-sales support, returns/refunds, accounting and tax compliance, fraud prevention.
Legal basis: Performance of the contract and pre-contractual measures (Article 6, paragraph 1, letter b GDPR), legal obligations (Article 6, paragraph 1, letter c GDPR), and, for anti-fraud/security purposes, legitimate interest (Article 6, paragraph 1, letter f GDPR).

f) Statistics and marketing/remarketing through cookies and similar technologies
Purpose: performance measurement, statistical analysis, campaign measurement, marketing/remarketing activities.
Legal basis: Consent via cookie banner (Article 6, paragraph 1, letter a GDPR) for non-technical cookies/tools; consent is not required for essential technical cookies.

5. Profiling and automated decisions
With consent to marketing/remarketing cookies, "marketing" profiling activities may be carried out based on online identifiers and interactions (e.g., page visits, events, purchases) to display more relevant ads, measure campaigns, and create audience segments.
No exclusively automated decisions are made that produce legal effects on the user or similarly significantly affect the user.
Consent can be modified/revoked at any time via your cookie settings. Revoking consent to marketing cookies will deactivate cookie-based remarketing activities for the future.

6. Processing methods and security measures
Processing is carried out using computerized and electronic tools and, if necessary, on paper, adopting appropriate technical and organizational measures to guarantee the security, integrity, and confidentiality of the data.

7. Data recipients
The data may be communicated or made accessible, to the extent necessary, to:
- technical and IT service providers (hosting, maintenance, security, backup);
- online store management platforms and related services;
- couriers and logistics operators (shipping/deliveries);
- payment service providers;
- newsletter/email marketing service providers (for sending and managing subscriptions);
- providers of analytics/advertising tools (only according to cookie preferences);
- consultants and professionals (e.g. accountants/tax/legal), to the extent necessary;
- public authorities, when required by law.

These entities operate as data processors or independent controllers, as applicable. The list of data processors can be requested from the Data Controller.

8. Data transfers to non-EU/EEA countries
If we use suppliers or platforms that process data outside the EU/EEA, the transfers will be carried out in compliance with the GDPR, adopting appropriate safeguards (e.g., Standard Contractual Clauses and additional measures where necessary).

9. Storage times
- Browsing data/security logs: up to 12 months, unless necessary for investigation or defense purposes.
- Contact/customer care data: until the request is processed and, generally, for up to 12 months thereafter, barring disputes.
- Newsletter data based on consent: until revoked; if not revoked, deletion/anonymization 24 months after the last significant interaction.
- Soft spam: until objected to and in any case a maximum of 24 months from the last purchase.
- Order/billing data: for the time necessary to manage the contract and subsequently for legal obligations (typically up to 10 years for accounting/tax documentation).
- Account: until deleted/closed; if inactive for 24 months, it may be deleted/anonymized, consistent with legal obligations and the protection of rights.

10. Rights of the data subject
The user can exercise the rights provided for in Articles 15–22 GDPR (access, rectification, erasure, restriction, objection, portability, and withdrawal of consent).
To exercise your rights: contact the Data Controller at the contact details indicated in point 1.

11. Complaint
The user has the right to lodge a complaint with the Data Protection Authority.

12. Updates
This policy may be updated if changes are made to the Site's functionality or the processing performed. The updated version is published on this page.