PRIVACY POLICY

(“Policy”)
February 2026 version

Index

  1. Data Controller
  2. Data Subjects
  3. Categories of Data
  4. Purposes, legal bases and Data retention period
  5. Authorized processing personnel and Data Recipients
  6. Methods and place of processing
  7. Privacy rights and protection
  8. Processing of navigation data


1. Data Controller

With this privacy policy provided pursuant to Article 13 of the European Regulation (EU) 2016/679 GDPR (“GDPR”), Lo Scrittoio S.n.c. di Bardazzi Andrea e Bardazzi Alessandro informs, in its capacity as Data Controller (“Controller”), the users browsing the website www.loscrittoiofirenze.com (“Website”) regarding the processing of personal data carried out through the Website (“Data”).

The Controller’s details and contacts are provided in the footer of the Website.

2. Data Subjects

The Data processed by the Controller refer to those who interact with the Website by registering a customer account and/or purchasing products on the e-commerce hosted on the Website (collectively, the “Data Subjects/Subject”). Data Subjects also include those who contact the Controller for the purpose of purchasing products sold on the e-commerce.

3. Categories of Data

The processing concerns the following categories and types of Data:

  • identification data (first name and surname, username, business name in the case of a sole proprietorship);
  • contact data (telephone number, email address);
  • delivery data (home or residential address);
  • transaction data (amount received, payer, intermediary/payment system used, IBAN);
  • tax data (VAT number), where associated with a natural person;
  • order history;
  • any other information qualified as personal data that the Data Subject provides when communicating with the Controller.

4. Purposes, legal bases and Data retention period

a) Account registration on the Website. Identification and contact Data are processed by the Controller to enable the Data Subject to create a personal account on the Website. The legal basis for processing is the performance of contractual measures (Article 6(1)(b) GDPR). Data is processed until the Data Subject decides to deactivate their account. Should the Data Subject fail to access their account for more than two consecutive years, the Controller will deactivate the account and delete the Data. Providing this Data is necessary for Data Subjects who wish to purchase products available on the Website.

b) Processing and fulfilment of purchase orders. Identification, contact, delivery, transaction, and tax Data are processed by the Controller to execute purchase orders. Specifically, these Data are processed to receive and fulfil purchase orders, arrange shipments, and manage Data Subjects’ rights of withdrawal and warranty, as well as to issue mandatory accounting/tax documentation. The legal bases for processing are the performance of contractual measures (Article 6(1)(b) GDPR) and compliance with legal obligations (Article 6(1)(c) GDPR). These Data are processed throughout the duration of the contractual relationship and, except for the Data that must be retained by law for ten years (such as invoices and documents required for accounting records), the Data are deleted upon completion of the order. Without the provision of the Data referred to in this paragraph, the Controller cannot fulfil the Data Subject’s pre-contractual requests or perform its contractual obligations.

c) Soft spam. Contact Data may be processed by the Controller to send commercial communications regarding the Controller’s products and/or services similar to those already subject to a prior commercial relationship (so-called Soft spam), unless the Data Subject exercises their right to object. The legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR). Contact data are deleted 24 (twenty-four) months after the Data Subject’s last purchase on the Website.

d) Request for information. The Data Subject’s identification and contact Data, as well as any other personal data included in communications sent to the Controller (for example, when requesting quotes), are processed by the Controller to receive and respond to Data Subject enquiries. Such Data are therefore processed to execute pre-contractual measures (Article 6(1)(b) GDPR) and are retained for the minimum time necessary to respond to the enquiry, and in any event for no longer than six months, unless a new legal basis for processing arises (for example, the performance of contractual obligations). Processing is necessary to execute the pre-contractual measures requested by the Data Subject.

e) Disputes. In the event of a dispute between the Controller and the Data Subject, the Controller may process the Data Subject’s Data for the purposes of establishing, exercising or defending the Controller’s legal claims before a court. In such cases, the legal basis is the Controller’s legitimate interest (Article 6(1)(f) GDPR) and the Data are retained for the entire duration of the complaint and/or out-of-court and/or judicial proceedings.

5. Authorized processing personnel and Data Recipients

Processing of Data is reserved to the Controller’s employees and collaborators who have been specifically authorised and instructed.

Data may also be accessed by external parties, acting as independent data controllers or processors, belonging to the following categories:

a. providers of development, management, support and maintenance of IT infrastructure, including hardware and software;
b. providers of development, management, support and maintenance of the Website;
c. providers of connectivity services, support and maintenance of electronic mail;
d. providers of transportation services such as couriers, including intercontinental couriers, and transportation companies;
e. payment intermediaries;
f. legal, accounting, tax consultants, as well as consultants working in the marketing/communications sector;
g. credit and insurance institutions;
h. Public Authorities and bodies, even beyond the purposes for which Data was originally collected.

In any case, upon request by the Data Subject, the Controller may provide specific information regarding the recipients of the Data.

6. Methods and place of processing

The Data covered by this Policy are processed mainly by automated means, using IT systems or, in a limited number of cases, manually, always with logic strictly related to the purposes for which they were collected and in a manner that ensures their security, in compliance with the provisions of the GDPR.

The Website and, in general, the supporting IT infrastructure are located within the European Union. For the processing of personal data performed by payment intermediaries, please refer to the privacy policies available on the intermediaries’ websites, just as reference is made to the privacy policies of Poste Italiane and DHL for information regarding the processing of Data performed by the courier appointed for shipping the products.

7. Privacy rights and protection

Rights. By sending a request to the Controller’s email address, Data Subjects can exercise the rights provided by the GDPR (Articles 15 and following), in particular, to access their Personal Data, request their rectification and updating or deletion, restriction and portability.

Withdrawal of consent. If the processing is based on consent, the Data Subject may withdraw it at any time by contacting the Controller in writing, who will carry out all necessary activities resulting from the withdrawal, which will not affect the lawfulness of the processing based on consent before its withdrawal.

Right to object. In the same manner as provided in the preceding section, Data Subjects may also object, in whole or in part, to the processing of personal data concerning them, in the cases provided for by Article 21 of the GDPR, where the relevant legal basis consists of the legitimate interest of the Controller, such as in cases of so-called Soft spam.

Complaint. Notwithstanding the above, a Data Subject who believes that the processing is carried out in violation of the GDPR may lodge a complaint with the supervisory authority pursuant to Article 77 of the GDPR.


8. Processing of navigation data

Information regarding the processing of Website users’ Data, collected and processed by the company through the use of cookies while browsing the Website, is contained in the Cookie Policy, to which reference is made.