Privacy policy
Privacy Notice on the processing of personal data of website and App users Pursuant to Article 13 of EU Regulation No. 2016/679 ("GDPR")
Vittoria S.p.A. (hereinafter also referred to as "Vittoria"), with registered office in 24041 - Brembate, Via Liguria, n. 8, C.F. and P.IVA: VAT 01989570161 and Vittoria Park S.r.l. with registered office in 24041 - Brembate, Via Liguria, n. 8, C.F. and P.VAT: 04621540162 (hereinafter "Vittoria Park" and, together with Vittoria, the "Companies"), pay the utmost attention to the security and confidentiality of the personal data of the users (hereinafter, the "Users" or "User" in the singular) of this website https://int.vittoria.com/en (hereinafter, the "Website") and of the Bike Park App (hereinafter, also only the "App") downloaded to purchase products (hereinafter, the "Products") and take advantage of the services that can be purchased through the same Website (hereinafter, the "Services") and wish to provide the same with information regarding the processing of their personal data.
1. Data Controllers and/or Joint Data Controllers and Data Protection Officer - DPO
The aforementioned companies act as autonomous Data Controllers for the purposes specified in paragraph 2 below. They may also act as Joint Data Controllers in relation to the processing of data for marketing purposes as specified in paragraph 3 below, having jointly determined the purposes and means of processing through the conclusion of a specific agreement pursuant to Article 26 of the GDPR.
For any queries regarding the processing of personal data, as well as to exercise the rights recognised by the GDPR and better described in point 8 below, you can contact the Companies at the following e-mail addresses or telephone numbers:
Vittoria S.p.A.: info@vittoria.com or by phone 035-4993911
Vittoria Park S.r.l.: info.vittoriapark@vittoria.com or by phone 035-4993911
The Companies have appointed a Group Data Protection Officer ("DPO"), designated pursuant to Article 37 of the GDPR, who can be contacted at the following email addresses: dpo@vittoria.com for Vittoria and dpo.vittoriapark@vittoria.com for Vittoria Park.
2. For what purposes does the company process personal data
Through the Website and the App, the Companies collect certain personal data relating to Users, either voluntarily provided by the latter or collected in the normal operation of the same, which are processed for the purposes described below, including the possibility of proceeding to the purchase of the Products and Services offered.
The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified subjects, but by its very nature could, through processing and association with data held by third parties, make it possible to identify Users. This category of data includes the IP addresses of the computers used by Users who connect to the Site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system used. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct operation, and is deleted immediately after processing. The data could be used to ascertain liability in the event of any computer crimes against the Site.
Through the App, Bike Park collects some personal data relating to Users, either voluntarily provided by them or collected in the normal operation of the App itself, which are processed for the purposes described below, including the possibility to purchase access tickets to the Bike Park and to rent bikes or related equipment (hereinafter the "Services").
| Purpose of processing | Categories of data processed | Legal basis and conferment | Storage period |
|
1. Creation of a personal account. The Companies collect certain personal data necessary to identify the User in order to create a profile that allows access to the reserved area, the management of account settings and the realisation of online purchases. |
First and last name |
Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of data is necessary, as failure to do so will result in the Companies being unable to provide access to the reserved area of the Website. |
Until the profile is closed and in any case, in case of inactivity of the profile for 2 years. |
|
2. Collection and processing of the purchase order formulated through the Website or App. The Companies may process Users' personal data in order to manage the purchase orders of Products and Services, formulated within the Website or App, by filling in the relevant form. Purchases can be made through the personal account, which will thus keep track of purchases made and further information provided. The Companies specify that, in order to complete the payment transaction, Users will have to access a special portal made available by the online payment platform, whose operator will process the User's data as an autonomous data controller. |
Purchase from personal account. ID and password for authentication |
Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of data is necessary, since without it the companies will not be able to process the purchase order. |
Purchase from personal account. The data will be stored within the account and available to the user until the account is closed or in the event of account inactivity for 2 years. They will be stored in the companies' systems for 10 years from purchase. |
|
3. Customer Satisfaction Surveys. Companies may process the User's personal data to conduct surveys to measure the level of satisfaction with the service provided (by way of example but not limited to: in-store post-sales surveys; online post-sales surveys; etc.). In any case, communications made for this purpose will not have an advertising content, nor a direct sales content, and will not be used for market research or commercial communications. |
First and last name |
The Company's legitimate interest (Art. 6 (1) (f) GDPR) in checking and improving the quality of the services offered. | The data will only be processed for the time strictly necessary to prepare reports with the results of the survey in anonymous form. |
|
4. Generic marketing. Subject to express and specific consent, the Companies may process the User's personal data for marketing and advertising communication purposes, aimed at informing about promotional sales initiatives. The sending of marketing communications may take place by means of automated contact methods ( e-mail, SMS, instant messaging, social accounts, services and tools made available by social networks and other mass messaging tools ) and traditional contact methods (e.g. telephone call with operator). In this regard, the User may at any time indicate the contact method he or she prefers among those listed above and may object to receiving promotional communications through all or only some of these contact methods. |
Personal and contact data In the case of minors under the age of 18: |
Consent (Art. 6 (1) (a) GDPR). Consent may be revoked at any time by clicking the following link. |
Personal and contact data will be retained until the expiry of the last retention period referred to in the further purposes. Purchase data will be stored for 24 months after collection and continuously updated. If consent is withdrawn, personal data, which will continue to be stored for further lawful purposes, will in any case no longer be processed for marketing purposes. |
|
5. Profiled marketing. The Companies may also process personal data in order to send Users commercial communications in line with their preferences, on the basis of a specific profile, in the event of further consent and always within the limits described in the relevant formula. The sending of marketing communications may take place by means of automated contact methods ( e-mail, SMS, instant messaging, social accounts, services and tools made available by social networks and other mass messaging tools ) and traditional contact methods (e.g. telephone call with operator). In this regard, the User may at any time indicate the contact method he or she prefers among those listed above and may object to receiving promotional communications through all or only some of these contact methods. |
Personal and contact data |
Consent (Art. 6 (1) (a) GDPR). Consent may be revoked at any time by clicking the following link. |
Personal and contact data will be retained until the expiry of the last retention period referred to in the further purposes. Purchase data will be stored for 12 months after collection and continuously updated. If consent is withdrawn, personal data will continue to be stored for further lawful purposes, but will no longer be processed for marketing purposes. |
|
6. Sending of notices for the promotion of products and services similar to those of a previous purchase, pursuant to Article 130(4) of the Privacy Code. The Companies may process the User's e-mail address in order to send promotional communications and material relating to products and services similar to those of previous purchases. |
E-mail address acquired as part of the sale. |
The legitimate interest of the Company (Art. 6 (1) (f) GDPR) in maintaining an effective contractual relationship with you. |
The data, acquired in the context of the sale, will be stored in accordance with the provisions of purpose 2. above, but will not be further processed for this purpose in the event of your objection. |
|
7. Providing access to the App. To access the App, the Companies collect certain personal data necessary to identify the User. |
Name |
Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of data is necessary, as without it the companies will not be able to provide access to the App. |
Until the profile is closed or in case of inactivity of the profile for 2 years. |
|
8. Providing Services through the App The Company needs to process certain categories of personal data in order to render the Services available through the App and activated by the User. |
First and last name |
Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of the data is necessary, as otherwise the Company will not be able to provide the Services. |
Until the profile is closed or in case of inactivity of the profile for 2 years. |
|
9. Defending one's rights The Company may process personal data for the defence of rights in the course of judicial, administrative or extrajudicial proceedings and in the context of disputes arising in connection with the Services. |
Depending on the case, personal data collected for purposes 1 to 8 will be processed. |
Legitimate interest of Bike Park in the protection of its rights (Art. 6 (1) (f) GDPR). A new and specific contribution is not required as the Company will pursue this further purpose, where necessary, by processing the data collected for the above-mentioned purposes. |
The time necessary to pursue the protection of the right. |
|
10. Fulfilling legal obligations The Company may process personal data in order to fulfil its obligations under laws, regulations or EU legislation, provisions/requirements of authorities empowered to do so by law and/or supervisory and control bodies. |
As required, personal data collected for purposes 1 to 9 will be processed. |
Fulfilment of a legal obligation (Art. 6 (1) (c) GDPR). The provision of personal data for this purpose is obligatory, as failure to do so will make it impossible for the companies to fulfil specific legal obligations. |
The time required to process the request. |
|
Providing access to the restricted area of the App In order to create its own profile that allows access to the restricted area made available in the App, Bike Park collects certain personal data necessary to identify the User. |
First and last name Tax code Copy of identity document Username Password In the case of minors under the age of 18: Name and surname of the person exercising parental authority Copy of document of exercising parental responsibility |
Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of the data is necessary because if it is not provided, the Company will not be able to provide access to the reserved area of the App. |
|
|
Collect and process the purchase order formulated through the App |
First and last name Payment Method
In the case of minors under the age of 18: Name and surname of the holder of parental responsibility
|
Performance of a contract to which the User is a party (Art. 6 (1) (b) GDPR). The provision of the data is necessary, as otherwise the Company will not be able to process the purchase order. |
3. Treatments carried out on a jointcontrollership basis
The Joint Controllers, as identified in paragraph 1 of this Information Notice, have entered into a Joint Controllership Agreement pursuant to Article 26 of the Rules.
Through the above agreement, the data controllers intend to jointly process the data collected in the course of their activities for the purposes of:
i. generic marketing (point 4 of paragraph 2 above);
ii. profiled marketing (point 5 of paragraph 2 above);
iii. sending notices for the promotion of products and services similar to those of a previous purchase, pursuant to Article 130(4) of the Privacy Code (point 6 of paragraph 2 above).
The provision of data for the aforementioned purposes is optional, and the processing thereof is subject to the legitimating prerequisite of consent. Failure to consent to the processing will not allow the activities indicated, but will not prejudice the User in any way.
For the aforementioned purposes, the Joint Data Controllers have also jointly determined within the specific agreement the methods of processing and have defined, in a clear and transparent manner, the procedures for providing the User with timely feedback should he or she wish to exercise his or her rights, as provided for in Articles 15, 16, 17, 18 and 21 of the GDPR, as well as in the cases of portability of personal data provided for in Article 20 of the GDPR.
Vittoria Park S.r.l. has appointed Vittoria S.p.A. as data controller in relation to the provision of information services including the management and maintenance of customer relationship management ("CRM").
4. How we keep personal data secure
The Companies adopt appropriate security measures to ensure the protection, security, integrity and accessibility of Users' personal data. Appropriate security measures are aimed at preventing unauthorised access, disclosure, modification or destruction of personal data.
All personal data are stored on protected computer devices (or properly stored hard copies) or on those of suppliers, duly appointed as data controllers, and are accessible and usable according to our standards and security policies (or equivalent standards for our suppliers).
5. How long we keep personal data
The Companies retain the User's personal data only for as long as necessary to achieve the purposes for which they were collected or for any other legitimate related purposes.
Personal data that are no longer needed, or for which there is no longer a legal basis for their storage, will be irreversibly anonymised or securely destroyed.
If personal data are processed for several purposes, they will be deleted or anonymised as soon as the retention period for the last purpose has expired.
6. With whom we may share personal data
The personal data may be accessed by duly authorised employees of the Companies, as well as by external suppliers, appointed, if necessary, as data processors, who provide support for the provision of services, including those necessary for the operation of the App.
You can contact Vittoria S.p.A. at the following e-mail address info@vittoria.com , to ask to see the list of data processors and other persons to whom we disclose data.
7. Transfers to third countries
Your personal data will mainly be processed within the European Economic Area (EEA). However, the use of certain tools by the Companies may entail, albeit on a residual basis, a transfer of the same to entities established in countries that do not belong to the European Union (EU) or the EEA (hereinafter "Third Countries"). Such transfer, in any case, is carried out in compliance with the provisions of Chapter V of the GDPR.
These external parties will process personal data either as autonomous data controllers or as data processors, duly appointed by the Company in accordance with data protection legislation (depending on their role in relation to the processing).
You may write to the companies at any time, using the contact details below, asking which entities your personal data is being transferred to, and to receive a copy of the guarantees adopted for the transfer.
8. Personal data protection rights and the right to lodge complaints with the Supervisory Authority
Every User has the right to request the Companies, subject to the existence of the legal prerequisite underlying the request:
a) access to personal data, as provided for in Article 15 of the GDPR;
b) the rectification or integration of personal data held by the Companies that are considered inaccurate, as provided for in Article 16 of the GDPR;
c) the deletion of personal data for which the Company no longer has any legal grounds for processing, as provided for in Article 17 of the GDPR;
d) the restriction of the manner in which personal data are processed, if one of the cases provided for in Article 18 of the GDPR applies;
e) the copying of personal data provided to the Companies, in a structured, commonly used and machine-readable format and the transmission of such data to another data controller (so-called portability), as provided for in Article 20 of the GDPR;
f) withdrawal of consent, where the processing is based on that legal basis.
Right to object: in addition to the rights listed above, the User may always object at any time to the processing of personal data carried out by the Companies in pursuit of their legitimate interests. Furthermore, the User may always object at any time if personal data are processed for marketing purposes, including profiling insofar as it is related to such marketing.
The exercise of these rights, which can be done through the contact details of the Companies indicated in point 1, is free of charge and is not subject to formal constraints. It shall be the duty of the Companies to verify that the User is entitled to exercise the relevant right and to reply, as a rule, within one month.
If the User considers that the processing of his/her personal data is in breach of the provisions of the GDPR, he/she has the right to lodge a complaint with the Garante per la protezione dei dati personali, using the references available on the website www.garanteprivacy.it, or to take legal action
Last updated: 22 May 2024