Ponte Vecchio Store

Privacy policy

 

Graziella Braccialini S.p.A.

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR"), this Policy describes the methods of processing the personal data of users (hereinafter, the "Data Subjects" or "Users") who interact with the website www.graziellapontevecchio.it (hereinafter, the "Site").


1. Data Controller

  • The Data Controller is Graziella Braccialini S.p.A., with registered office at Via di Casellina 61/D, 50018, Scandicci, Florence, Italy; VAT number 01388540518; Email: info@graziellaluxury.it; Certified email: graziella.group@pec.it (hereinafter, “Graziella Braccialini” or the “Data Controller”).


2. Data Protection Officer (DPO)

  • The Data Controller has appointed a Data Protection Officer (DPO), in accordance with Art. 37 of the GDPR.


3. Processed Personal Data

The Data Controller collects and processes the following categories of personal data from Data Subjects:

  • Browsing Data: Data collected automatically while browsing the Site, such as IP addresses, browser type, operating system, access times, pages visited, time spent, and actions performed (clicks, purchases, wishlists), used to obtain anonymous statistical information on the use of the Site and to check its correct functioning.

  • Data relating to purchases or preferences: Products purchased, frequency and value of orders, abandoned products.

  • Data collected from marketing campaigns: Contact origin, interaction with newsletters, responses to email or social campaigns.


Data Provided Voluntarily by the User:

  • (optional) Registration Data: First name, last name, email address, password, required to create a personal account on the Site and to access dedicated services (e.g., checking order status, managing personal data, changing marketing consent). *Optional: date of birth, gender.

  • Purchase Data: First name, last name, shipping and billing address, telephone number, email, payment information, discount code used. Please note that the data relating to payment instruments are not processed directly by the Data Controller, but by external payment service providers (such as Shopify Payments, PayPal, Shop Pay, Google Pay), who operate as independent data controllers or Processors pursuant to art. 28 GDPR.

  • Contact and Complaint Information: Name, surname, email address, telephone number, and any other information provided by the user for requests for information, assistance, or to submit complaints.

  • (if any) User Content: Reviews, suggestions, ideas, photographs, drawings, texts, or other information ("Content") published by the registered Buyer.

  • Data collected via Cookies: For specific information on the cookies used, please refer to the dedicated Cookie Policy, which is an integral part of this Policy.


4. Purpose of Processing and Legal Basis

Personal data is processed by Graziella Braccialini S.p.A. for the following purposes and on the basis of the relevant legal bases:


A) Performance of the Contract and Pre-Contractual Measures:

  • Management of Product purchase orders (product selection, completion of the order form, order submission, order confirmation).

  • Management of payments, using the services offered by the Shopify platform and its payment processors (e.g., credit cards, PayPal, Shop Pay, Google Pay).

  • Shipping and delivery of Products, management of returns, refunds, exercise of the right of withdrawal.

  • Provision of after-sales services and management of the legal guarantee of conformity.

  • (if applicable) Management of the Buyer's personal account (saving/editing personal data, accessing order/return information, checking order status, dedicated services).

  • Order-related communications (e.g., order confirmation, shipping status, updates).

Legal Basis: The performance of the contract to which the Data Subject is a party or the implementation of pre-contractual measures adopted at the request of the Data Subject (Art. 6, par. 1, letter b) GDPR).

The provision of data for these purposes is mandatory for the performance of the contract; failure to provide this information will prevent us from completing the purchase or providing related services.

B) Fulfillment of Legal Obligations:

  • Fulfillment of tax and accounting obligations.

  • Fulfillment of obligations under laws, regulations, judicial authority orders, or other legal provisions.

Legal Basis: Fulfillment of a legal obligation to which the Data Controller is subject (Art. 6, par. 1, letter c) GDPR).

The provision of data for these purposes is mandatory.

C) Legitimate Interest of the Data Controller:


  • Improving the browsing experience on the Site and preventing interruptions, damage, or malfunctions to the Services or the Site.

  • Prevention, suppression, and detection of unlawful conduct, fraud, or abuse (including any unauthorized use of email addresses or authentication credentials).

  • Management of complaints and disputes, debt collection.

  • Defense of the Data Controller's rights in or out of court.

Legal Basis: The legitimate interest of the Data Controller (Art. 6, paragraph 1, letter f) of the GDPR) to protect its rights, safeguard the security of the Site, and prevent unlawful activities.

D) Direct Marketing and Profiling:

  • Sending newsletters, commercial and promotional communications via email about Graziella Braccialini S.p.A. products, offers, and services.

  • Analysis of the Buyer's preferences, habits, purchasing choices, and interests to provide personalized offers and communications (profiling).

Legal Basis: The explicit, freely given, specific, informed, and unambiguous consent of the Data Subject (Art. 6, paragraph 1, letter a) of the GDPR). Providing data for these purposes is optional, and failure to provide it does not prevent you from purchasing the Products or using other services.


5. Cookies and Withdrawal of Consent

The information on the use of cookies (Cookie Policy) is available to the User at the following link.

The Customer has the option to withdraw consent to the processing of their personal data for the Data Controller's sending of thematic newsletters, marketing, and profiling at any time by contacting the Data Controller or the DPO.


6. Processing Methods

Personal data is processed using manual, computerized, and electronic means, using methods strictly related to the purposes indicated and, in any case, in a way that guarantees the security and confidentiality of the data.


7. Recipients

Personal data may be disclosed to:

  • Parties acting as Data Processors (Art. 28 GDPR), such as technical and IT service providers (e.g., Shopify for the management of the e-commerce platform), hosting service providers, communication and marketing service providers, payment processing companies, couriers and freight forwarders.

  • Parties, entities, or authorities to whom disclosure of data is mandatory by law or by order of the authorities.

  • Internal staff of Graziella Braccialini S.p.A. authorized to process personal data and bound by confidentiality obligations.

 

8. Transfer of Personal Data to Third Countries

Considering that Shopify has servers in third countries (e.g., the United States), the communication of personal data to Shopify and other service providers based in countries outside the European Union or the European Economic Area (EEA) may involve international data transfers. Such transfers are regulated in accordance with the provisions of Chapter V of the GDPR, adopting adequate safeguards to ensure a level of personal data protection equivalent to that guaranteed in the EU/EEA.


9. Data Retention Period

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected, as specified below:

  • Data for contract performance and compliance with legal obligations: For the entire duration of the contract and, subsequently, for the period required by applicable law for accounting, tax, and dispute management purposes (typically 10 years from the termination of the contractual relationship). The order will be archived in the Data Controller's database for the time necessary to fulfill it and, in any case, within the terms of the law.

  • Data for marketing and profiling: Until the Data Subject withdraws consent or for a maximum period of 24 months for marketing and 12 months for profiling.

  • Data for managing complaints and disputes: For the time necessary to resolve the dispute and for the entire duration of the applicable limitation period.


10. Data Subject Rights

As a Data Subject, you have the following rights, which you can exercise at any time against the Data Controller or the DPO, in accordance with the GDPR:

  • Right of Access: Obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, obtain access to the data and information relating to the processing.

  • Right to Rectification: Obtain the rectification of inaccurate personal data and the completion of incomplete personal data.

  • Right to Erasure (“Right to be Forgotten”): Obtain the erasure of personal data concerning you without undue delay, where certain conditions apply.

  • Right to Restriction of Processing: Obtain restriction of processing when one of the conditions set out in art. 18 GDPR is met.

  • Right to Data Portability: To receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format and, if technically feasible, to obtain the direct transfer of that data to another controller.

  • Right to Object: To object at any time to the processing of personal data concerning you, including profiling.

  • Right to Withdraw Consent: To withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

  • Right to Lodge a Complaint: To lodge a complaint with the Italian Data Protection Authority (Piazza Venezia n. 11 - 00187 Rome).

For any questions regarding the processing of your data and to exercise your rights, you may contact the Data Controller or the DPO at the contact details indicated in this Policy.

 

11. Changes to this Policy

The Data Controller reserves the right to modify or update this Privacy Policy at any time, including in light of new legislative or regulatory provisions or new features of the Site. Changes will be communicated to Users by publication on the Site. Users are encouraged to consult this page periodically to stay up-to-date.


Last modified: June 1, 2025.