Privacy Policy

Information on the processing of personal data pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)

Data Controller

Pursuant to Regulation (EU) 2016/679 (GDPR) (hereinafter referred to as the “Regulation”), this page describes how the personal data of users who consult this website are processed.

This information does not apply to other websites, pages, or online services that may be accessed via hyperlinks published on this site.

Following consultation of the website, data relating to identified or identifiable natural persons may be processed.

The Data Controller is:

Biosa Onofrio
VAT number: 01560090118
Via Vallarsa 2
19123 La Spezia (SP), Italy

Phone: +39 3207112159
Email: info@onytcg.it

The legal provisions mentioned above regulate the confidentiality of personal data and impose several obligations on those who process personal information relating to other individuals.

Among these obligations is the requirement to adequately inform the individual to whom the data relates (the Data Subject) about how their data will be used, so that consent to the processing of such data can be freely given and unequivocal.

Where required by law, the user's consent will be requested before processing personal data.

If the user provides personal data of third parties, they must ensure that the communication of such data to the Data Controller and its subsequent processing for the purposes specified in this Privacy Policy comply with applicable data protection regulations. For example, users may provide third-party personal data only after having properly informed them and obtained their consent.

Personal Data Collected Automatically

Browsing Data and Cookies

Cookies used on the website are intended solely to support the functioning of the website by performing authentication processes, monitoring sessions, and storing technical information to improve navigation within the website.

For example, cookies allow users to navigate between pages and access restricted areas of the site.

Personal Data Provided by the User

The website may collect the following categories of personal data provided voluntarily by users:

Personal identification information

  • First name

  • Last name

  • Country/Region

  • Street and house number

  • Postal code

  • City/Province

Contact information

  • Email address

  • Phone number

Financial information

  • Credit card details or other payment information required to complete purchases

Order information

  • Details relating to purchases made

Additional order information

  • Optional notes or details entered by the user during checkout

Nature of Data Provision

Providing certain personal data is mandatory in order to allow the Data Controller to manage communications, process requests submitted by the user, or contact the user to respond to such requests.

These data are typically marked with an asterisk (*), and their provision is necessary to process the request. Without them, the request cannot be fulfilled.

The provision of other data that are not marked with an asterisk is optional. Failure to provide such data will not have any consequences for the user.

Withdrawal of Consent

If the user has given consent for the processing of their personal data for one or more specific purposes, they may withdraw their consent at any time, either fully or partially.

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Users may contact the Data Controller at any time using the contact details provided in the section “User Rights”.

Purposes and Legal Basis for Processing

Processing and managing orders

Processing personal data is necessary to execute pre-contractual measures requested by the user and to fulfill the purchase contract.

Types of data processed:

  • Personal identification information

  • Contact information

  • Order information

Compliance with legal and tax obligations

Processing is necessary to comply with legal obligations, including accounting and tax requirements.

Types of data processed:

  • Personal identification information

  • Contact information

  • Order information

  • Financial information

Shipping purchased products

Processing is necessary for the performance of the purchase contract, allowing products to be shipped to the address provided by the user.

Types of data processed:

  • Personal identification information

  • Contact information

  • Order information

Responding to inquiries

Personal data provided through the Contact section may be processed to respond to product inquiries or quotation requests.

The legal basis is the legitimate interest of the Data Controller in responding to the user's requests.

Types of data processed:

  • Personal identification information

  • Contact information

  • Communication information

Managing the user's account area

Processing is necessary for the performance of a contract, allowing users to access and manage their personal account.

Types of data processed:

  • Personal identification information

  • Authentication credentials

  • Contact information

  • Order information

Newsletter and marketing communications

With the explicit consent of the user, contact data (email address) may be processed to send updates regarding services, products, and offers provided by the Data Controller.

Users may withdraw consent at any time by clicking the unsubscribe link included in every communication.

Disclosure of Personal Data

Personal data collected through the website and for the management of the online shop may be processed by authorized internal personnel acting under the instructions of the Data Controller.

External parties may also process personal data for purposes such as:

  • tax and accounting compliance

  • IT support

  • website maintenance

  • technical service providers

  • hosting providers

  • IT companies

  • couriers responsible for delivering products

Payment data are processed directly by payment service providers through secure payment gateways compliant with applicable regulations.

The entities belonging to the categories listed above may operate either as:

  • independent Data Controllers, or

  • Data Processors appointed under Article 28 of the GDPR

The Data Controller may also disclose personal data when:

  • required or permitted by applicable law

  • necessary to meet legal obligations

  • required to establish, exercise, or defend legal claims

  • requested by competent authorities

Data Processing Methods

The Data Controller adopts appropriate technical and organizational security measures to prevent unauthorized access, disclosure, modification, or destruction of personal data.

Personal data are processed using IT and organizational tools strictly related to the purposes described above.

Data Retention Period

Personal data are retained only for the time strictly necessary to achieve the purposes for which they were collected, unless longer retention is required by law or necessary to manage legal disputes or proceedings.

Transfer of Data Outside the EU

Personal data may be transferred to recipients located outside the European Economic Area, such as cloud service providers or payment infrastructure providers.

These transfers are carried out in compliance with applicable regulations and appropriate safeguards, such as:

  • European Commission adequacy decisions

  • Standard Contractual Clauses (SCCs)

User Rights

Users have the right to:

  • withdraw consent at any time

  • object to the processing of their data

  • access their personal data

  • request correction or updating of their data

  • request restriction of processing

  • request deletion of their data

  • receive their data in a structured format and transfer them to another controller

  • lodge a complaint with the competent supervisory authority

How to Exercise Your Rights

Users may exercise their rights by contacting the Data Controller using the contact details provided in the Data Controller section.

Requests are free of charge and do not require any specific formalities.
The Data Controller will respond within one month of receiving the request.

If the user believes that the processing of personal data violates the GDPR, they have the right to file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) via the website:

www.garanteprivacy.it

or take appropriate legal action before the competent judicial authority.