(pursuant to Regulation (EU) 2016/679 – “GDPR”)
This privacy policy (hereinafter, the “Privacy Policy”) describes how personal data are collected and processed through the e-commerce website operated by the Company (the “Website”), in accordance with Article 13 of Regulation (EU) 2016/679 (“GDPR”) and applicable Italian data protection laws.
The data controller is: FLYPER S.r.l., Via Umberto I, 25/A, 86100 Campobasso (CB), Italy – VAT No. 01775190703 – Email: customercare@flyper.it (hereinafter, the “Company” or the “Controller”).
The Company respects the privacy of users and customers and is committed to ensuring that personal data are processed in a lawful, fair and transparent manner. This Privacy Policy applies to all personal data collected through the Website in connection with: browsing the Website, creation of an account (if applicable), purchase of products, customer support requests, newsletter or marketing subscriptions, and interactions with the Company.
Certain processing activities may be carried out by third-party service providers acting as data processors pursuant to Article 28 GDPR, including providers of hosting, payment services, logistics, IT infrastructure and analytics tools. Some of these providers may be located outside the European Economic Area. Where applicable, transfers of personal data shall be carried out in compliance with Chapter V of the GDPR.
Based on the nature and scale of processing activities currently carried out, the Company is not required to appoint a Data Protection Officer pursuant to Article 37 GDPR. Should such appointment become mandatory or appropriate, this Privacy Policy will be updated accordingly.
This Privacy Policy forms an integral part of the Terms and Conditions of Sale and of the Cookie Policy and must be read together with them.
Definitions
“Personal Data”: means any information relating to an identified or identifiable natural person, including but not limited to name, surname, billing and shipping address, email address, phone number, payment details, order history, and any other information relating to an identified or identifiable individual, as defined under Article 4(1) GDPR;
“Processing”: means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, consultation, use, disclosure, erasure or destruction, as defined under Article 4(2) GDPR;
“Controller”: means FLYPER S.r.l., which determines the purposes and means of the processing of Personal Data;
“Processor”: means any natural or legal person processing Personal Data on behalf of the Controller pursuant to Article 28 GDPR (e.g. payment providers, hosting providers, logistics providers);
“Data Subject”: means the natural person to whom the Personal Data relate (e.g. customer, website visitor);
“Website”: means the e-commerce website operated by the Controller through which Products are offered for sale;
“Products”: means the goods offered for sale through the Website;
“Browsing data”: means information automatically collected through the Website during its normal operation, including IP address, device identifiers, browser type, pages visited, date and time of access and similar technical data. Such data are used for security, technical operation and statistical purposes;
“Analytics data”: means data collected through cookies or similar technologies relating to the use of the Website, subject to the User’s consent where required by law;
“Marketing data”: means contact details and interaction data used for sending newsletters, commercial communications or promotional content, where the User has provided consent or where otherwise permitted by law.
Categories of Personal Data Processed
Users may access and browse the Website operated by FLYPER S.r.l. without actively providing personal data. However, the IT systems and software procedures used to operate the Website automatically collect certain personal data whose transmission is implicit in the use of Internet communication protocols. Such data may include, by way of example, IP addresses, device identifiers, browser type, operating system, date and time of access, pages visited, navigation paths and other technical information relating to the User’s interaction with the Website. These data are processed for the sole purpose of ensuring the proper functioning, security and stability of the Website, preventing fraudulent activity and obtaining aggregated statistical information on Website usage.
Where a User purchases Products through the Website, the Company collects and processes the personal data necessary to conclude and perform the distance sales contract. Such data may include the User’s name and surname, billing and shipping address, email address, telephone number, payment-related information and any additional data voluntarily provided by the User during the checkout process or in communications with customer support. Payment details are processed through third-party payment service providers and are not fully stored by the Company.
Personal data may also be processed where the User contacts the Company for information requests, customer support, after-sales assistance or the exercise of data protection rights. In such cases, the Company processes the personal data contained in the communications and any additional data strictly necessary to handle the request.
The Company does not intentionally collect or process special categories of personal data within the meaning of Article 9 of Regulation (EU) 2016/679. The Products sold through the Website consist exclusively of non-prescription sunglasses and no medical prescriptions or health-related data are required for the purchase of such Products.
Additional personal data may be processed where the User subscribes to marketing communications, newsletters or promotional initiatives, where available, or where analytics and advertising tools are used, in compliance with applicable data protection laws and, where required, with the User’s consent. The provision of personal data for marketing purposes is entirely optional, and any refusal shall not affect the User’s ability to purchase Products through the Website.
Personal data are collected through electronic forms available on the Website, during the purchase process, through cookies and tracking technologies where applicable, and through communications sent directly by the User to the Company using the contact details provided at the end of this Privacy Policy.
Legal Basis and Purposes of Processing
The Company processes Personal Data for specific, explicit and legitimate purposes and only where a valid legal basis exists under applicable data protection laws, including Regulation (EU) 2016/679.
Personal Data may be processed in accordance with Article 6(1)(a), (b), (c) and (f) GDPR where:
- the data subject has given consent to the processing of their Personal Data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Company is subject;
- processing is necessary for the purposes of the legitimate interests pursued by the Company or by third parties, provided that such interests are not overridden by the rights and freedoms of the data subject.
The table below sets out the purposes for which Personal Data are processed by the Company and the corresponding legal basis for each processing activity.
| Purpose of processing | Legal basis |
|---|---|
| Provision of the Website and related services, including account management (where applicable) and browsing functionality | Performance of a contract or pre-contractual measures |
| Processing and fulfillment of Orders, including payment, shipping, delivery and customer support | Performance of a contract |
| Management of returns, refunds and warranty claims | Performance of a contract |
| Compliance with legal, accounting, tax and regulatory obligations | Legal obligation |
| Prevention of fraud, misuse of the Website, security monitoring and protection of the Company’s rights | Legitimate interest |
| Sending transactional communications relating to Orders or customer support | Performance of a contract |
| Sending newsletters, marketing communications and promotional materials relating to the Company’s products and services | Consent |
| Direct marketing by electronic means (email, SMS, messaging apps) where required by law | Consent |
| Customer satisfaction surveys and soft-marketing communications relating to previous purchases, where permitted by applicable law | Legitimate interest or consent (where required) |
| Analytics and improvement of Website performance and user experience | Legitimate interest |
| Personalization of communications and offers | Consent |
Nature of Data Provision
Except for simple browsing of the Website, the provision of Personal Data is generally necessary in order to allow the Company to provide its services and fulfill contractual and legal obligations.
Where Personal Data are required for the conclusion and performance of a contract, including the processing of Orders, payment, delivery and customer support, failure to provide such data may make it impossible for the Company to process the Order, deliver the Products or otherwise perform its contractual obligations.
Providing accurate and complete Personal Data is therefore a necessary condition for the proper execution of the contractual relationship. Incomplete, inaccurate or outdated information may result in delays, inability to process Orders or suspension of the requested services.
Where processing is based on consent (for example, for marketing communications, newsletters, promotional messages or profiling activities), the provision of Personal Data is optional. Failure to provide such data, or withdrawal of consent at any time, shall not affect the Customer’s ability to purchase Products or use the Website, but may result in the Customer no longer receiving marketing communications or personalized offers.
Where consent is withdrawn, the withdrawal shall not affect the lawfulness of processing carried out prior to such withdrawal.
Methods of Processing
Personal Data are processed in accordance with Article 32 GDPR and applicable data protection laws through both automated and manual means. Processing activities may include collection, recording, organization, storage, consultation, use, transmission, alignment, restriction, deletion and destruction of data.
Personal Data may be processed in electronic, automated and, where necessary, paper-based form, using appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.
Personal Data are processed by personnel duly authorized by the Company and acting under its authority. Processing may also be carried out by third-party service providers appointed as data processors pursuant to Article 28 GDPR, including providers of payment services, logistics, IT infrastructure, hosting, analytics and customer support. Such processors act on documented instructions from the Company and in accordance with applicable data protection laws.
Data Retention
Personal Data are retained only for as long as necessary to fulfill the purposes for which they were collected and processed, in accordance with the principles of purpose limitation and data minimization set out in Article 5 GDPR.
Personal Data relating to Orders, payments, accounting and contractual relationships shall be retained for the period necessary to perform the contract and to comply with applicable legal and tax obligations, generally up to ten (10) years from completion of the transaction, unless a longer retention period is required by law.
Personal Data processed for customer support or service-related purposes shall be retained for the time necessary to manage the request and for a reasonable period thereafter in order to handle any follow-up issues or disputes.
Personal Data processed for marketing purposes shall be retained until consent is withdrawn or, in any event, for no longer than twelve (12) months from the last interaction with the Customer, unless a longer period is permitted under applicable law.
At the end of the applicable retention period, Personal Data shall be deleted, anonymized or securely archived in accordance with applicable legal requirements.
Marketing and Newsletters
Where the Customer has given consent to receive marketing communications, Personal Data may be processed for the sending of newsletters, promotional communications and information regarding products, offers and initiatives of the Company through email or other electronic means.
Such processing is based on the Customer’s consent. Consent may be withdrawn at any time by using the unsubscribe link included in communications or by contacting the Company using the contact details indicated in this Privacy Policy.
Withdrawal of consent shall not affect the lawfulness of processing carried out prior to withdrawal. The Customer may continue to purchase Products and use the Website even if they choose not to receive marketing communications.
Profiling and Non-Automated Decision-Making
Where the Customer has provided specific consent for profiling activities, Personal Data may be processed in order to provide personalized services, offers and communications. Such profiling activities are carried out primarily through non-automated or semi-automated analysis of information relating to the Customer’s interactions with the Website, purchase history, preferences and engagement with communications.
The Company may collect and analyze Personal Data generated through the Customer’s use of the Website and related services. These data may include, by way of example, browsing behavior, purchase patterns, interactions with customer care, responses to marketing communications and general preferences expressed by the Customer. The processing is aimed at improving the Customer experience, tailoring communications and offers, sending invitations to events or initiatives that may be of interest, and providing content and product suggestions aligned with the Customer’s preferences.
Such profiling activities are carried out only where the Customer has provided explicit consent, which may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal. Profiling activities do not produce legal effects concerning the Customer and are not based solely on automated decision-making within the meaning of Article 22 GDPR.
Where appropriate, aggregated or anonymized data derived from profiling activities may be used for analytical and promotional purposes, provided that such data can no longer be attributed to an identified or identifiable individual.
In all cases, the Customer retains the right to request information about the logic involved in any profiling activity, to object to such processing, and to request human intervention, in accordance with applicable data protection laws.
Recipients of Personal Data
In accordance with Articles 28 and 29 of Regulation (EU) 2016/679 (“GDPR”), Personal Data shall not be disclosed to the public but may be communicated, where necessary for the provision of services and the performance of contractual obligations, to authorized personnel of the Company and to selected third parties.
Personal Data may be processed by employees and collaborators of the Company who have been duly authorized to process such data under the direct authority and instructions of the Company and who are bound by confidentiality obligations.
Where necessary for operational, technical or organizational purposes, Personal Data may also be communicated to third-party service providers acting on behalf of the Company as data processors within the meaning of Article 28 GDPR. These may include, by way of example, providers of IT infrastructure and hosting services, logistics and shipping partners, payment service providers, customer support providers, marketing and communication service providers, and professional advisors. Such parties process Personal Data on the basis of documented instructions from the Company and are subject to appropriate contractual safeguards ensuring compliance with applicable data protection laws.
Personal Data may also be communicated to third parties acting as independent data controllers, such as financial institutions, payment intermediaries, insurers, professional firms, auditors, consultants or public authorities, where such communication is necessary for the performance of contractual obligations, for compliance with legal obligations, or for the protection of the Company’s rights.
Without the need for specific consent, the Company may disclose Personal Data to competent judicial, administrative or supervisory authorities where required by law or where necessary for the establishment, exercise or defense of legal claims.
An updated list of data processors appointed by the Company may be requested at any time using the contact details available at the end of this Privacy Policy.
Transfers of Personal Data
Personal Data are primarily stored and processed on servers located within the European Union. However, in order to provide the services and operate the Website efficiently, certain processing activities may be carried out by service providers located outside the European Economic Area (EEA).
Where Personal Data are transferred to countries outside the EEA, the Company ensures that such transfers take place in compliance with applicable data protection laws and only where appropriate safeguards are in place pursuant to Articles 44–49 GDPR. Transfers may occur on the basis of:
- an adequacy decision adopted by the European Commission;
- the execution of Standard Contractual Clauses approved by the European Commission; or
- any other appropriate legal mechanism ensuring an adequate level of protection for Personal Data.
Where required by applicable law, the Customer may be informed of such transfers and, where necessary, consent may be requested. In all cases, the Company undertakes to ensure that Personal Data transferred outside the EEA are subject to safeguards ensuring a level of protection substantially equivalent to that guaranteed within the European Union.
Further information on international data transfers may be requested at any time using the contact details provided at the end of this Privacy Policy.
Cookies
The Website uses cookies and similar tracking technologies to ensure its proper functioning, improve user experience and provide certain features and services.
Cookies are small text files stored on the user’s device that allow the Website to recognize the user’s browser, remember preferences and facilitate navigation. Some cookies are strictly necessary for the operation of the Website, while others are used for analytics, functionality or marketing purposes where applicable.
Users may manage or disable cookies at any time through their browser settings. Most browsers allow users to refuse cookies, delete existing cookies or receive a notification before a cookie is stored. Please note that disabling certain cookies may affect the functionality of the Website and limit access to certain features or services.
Further details regarding the types of cookies used, their purposes, retention periods and how to manage cookie preferences are set out in the Cookie Policy, which forms an integral part of this Privacy Policy.
Data Subject Rights
Under Regulation (EU) 2016/679 (GDPR), the Customer may exercise, at any time, the rights provided by Articles 15–22 of the GDPR in relation to the processing of their Personal Data.
In particular, the Customer has the right to obtain confirmation as to whether Personal Data concerning them are being processed and, where that is the case, to access such Personal Data and receive information regarding the purposes of the processing, the categories of data concerned, the recipients to whom the data have been disclosed and the retention period.
The Customer has the right to request the rectification of inaccurate Personal Data and the completion of incomplete Personal Data. The Customer may also request the erasure of Personal Data without undue delay where the conditions set out in Article 17 GDPR are met, as well as the restriction of processing in the cases provided for by Article 18 GDPR.
Where applicable, the Customer has the right to receive the Personal Data provided to the Company in a structured, commonly used and machine-readable format and to transmit those data to another controller, in accordance with Article 20 GDPR.
The Customer may object, at any time, to the processing of Personal Data carried out on the basis of the Company’s legitimate interests. Where Personal Data are processed for marketing or profiling purposes, the Customer may object to such processing at any time without providing any justification.
Where applicable, the Customer also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except where permitted by applicable law.
Where processing is based on consent, the Customer has the right to withdraw such consent at any time. The withdrawal of consent shall not affect the lawfulness of processing carried out prior to withdrawal.
The Customer also has the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. In Italy, the supervisory authority is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
Any request relating to the exercise of the above rights may be addressed to the Company using the contact details indicated at the end of this Privacy Policy.
Contact Details
For any request concerning the processing of Personal Data or the exercise of data subject rights, the Customer may contact:
FLYPER S.r.l.
Via Umberto I, 25/A
86100 Campobasso (CB), Italy
VAT No. 01775190703
Email: customercare@flyper.it
Amendments to this Privacy Policy
This Privacy Policy may be updated from time to time to reflect legal, regulatory or operational changes. The updated version shall be published on the Website and shall become effective upon publication. Customers are encouraged to review this Privacy Policy periodically. Where required by applicable law, Users may be notified of material changes.