Privacy Policy
Last update: Version: 1.0 of 24.01.2025
SNAP S.r.l.s., with registered office in via Luigi Settembrini n. 30, 00195 Rome, as the Data Controller (hereinafter "Data Controller"), collects and processes personal data in compliance with Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR"), Legislative Decree 30 June 2003, n. 196, consolidated text ("Privacy Code"), provisions and guidelines of the Data Protection Authority ("Garante") and the European Data Protection Board ("EDPB"), all cumulatively referred to as ("Italian Privacy Legislation"), in observance of privacy principles and the rights of Data Subjects.
Pursuant to Articles 13 and 14 GDPR, the Data Controller communicates through this Privacy Policy how and why it collects and processes personal data of users and customers ("Data Subjects") of the website https://www.SerenoWaves.com/ ("Website").
This Privacy Policy must be read and applies to the processing of personal data of Data Subjects together with the Website's Cookies Policy, which can be found at the following link.
Please note that this Privacy Policy does not concern and does not apply to the processing of personal data that Data Subjects may provide and/or publish on third-party websites, applications and/or services that may be integrated on the Website, if such third parties do not act on behalf of the Data Controller, as specified in this Privacy Policy.
Please read this Privacy Policy carefully before browsing, registering, using the Website and purchasing the products offered through it.
1. Definitions
The terms used in this Privacy Policy and defined in Art. 4 GDPR, even if not written in capital letters, regardless of singular and/or plural, masculine and/or feminine form, have the same meaning attributed by the GDPR and apply in addition to the definitions identified in this Privacy Policy, for example:
§ Data Controller: the natural or legal person, public authrity, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
§ personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
§ Data Subject: the identified or identifiable natural person to whom the personal data refers;
§ processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
§ Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
§ third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
2. Types of personal data
The Data Controller collects and processes personal data provided and/or indicated by Data Subjects at different times during interaction with them through the Website.
2.1 During navigation and use of the Website.
The mere navigation by Data Subjects on the Website entails that the Data Controller may collect and process some data concerning them:
§ System and maintenance logs: files that record the interactions of Data Subjects within the Website, and which may also contain personal data, such as the IP address of the Data Subject's device;
§ usage data: personal data collected automatically through the Website, including through tracking tools such as cookies, as regulated in the Website's Cookies Policy, and/or third-party applications integrated within it, such as Facebook, TikTok, Google Support, [•] to whose corresponding privacy and cookies policies reference is made;
Such personal data may include: IP addresses of the Data Subjects' device or MAC addresses of the devices used by them, URI (Uniform Resource Identifier) addresses, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) the country of origin, the characteristics of the browser and operating system used by the Data Subjects, the various temporal connotations of the visit (e.g. time spent on each page) and details relating to the itinerary followed within the Website, with particular reference to the sequence of pages consulted, the parameters relating to the operating system and the IT environment of the Data Subject;
§ segmentation and/or profiling data: personal data collected automatically through tracking tools such as cookies, as regulated in the Website's Cookies Policy such as, by way of example, products added to the cart, items added to a wishlist, the initiation of the checkout process for an online purchase, the addition of payment data, the completion of a registration form, visits, purchases, page metadata visited, button clicks, geographic location given by the order, email address provided at the time of purchase, [complete and add type of attributes, elements tracked by pixels and cookies on website users].
2.2 At the time of requesting information and/or registering an account on the Website.
To allow interaction with the Data Controller in relation to the purchase of products promoted on the Website, Data Subjects can ask questions and make purchases as guests or can register on the Website.
In addition, Data Subjects can request information on the use of the Website and/or on the purchase of products, using the contact means provided by the Data Controller on the Website itself.
In both cases, both for the purpose of registering an account on the Website and with respect to the request for information, the Data Controller may and will need to collect and process a series of personal data concerning the Data Subjects, namely:
§ personal details: name, surname, date of birth;
§ contact details: email address, mobile phone number;
§ registration data: username and password;
§ data relating to requests sent by Data Subjects: questions, preferences, opinions related to the services promoted and offered on the Website.
2.3 During the use of sales services through the Website.
The Data Controller may also collect and process personal data of Data Subjects as part of the process of purchasing products on its e-commerce store hosted on the Website. In particular, the Data Controller will need to process purchase orders for products received from Data Subjects and forward such orders to suppliers who sell the products in question, so that these suppliers can ship the products to the Data Subjects. Therefore, in relation to the sale of products, the Data Controller may collect the following personal data attributable to Data Subjects:
§ personal details: name and surname, citizenship;
§ contact details: email address, mobile phone number, physical address;
§ payment data: payment method, credit card data and/or PayPal account details of Data Subjects;
§ billing data: tax code; VAT number;
§ data relating to the purchased product: type of product, purchase history.
In addition, in order to allow the shipment of products purchased by Data Subjects, the Data Controller may share with the suppliers of the products themselves, responsible for shipping, some of the personal data of the Data Subjects, such as personal data, such as name and surname, and contact data, for example the physical shipping address, including the country of destination, the email address.
3. Purposes and Legal bases of processing
The Data Controller collects and processes the personal data of Data Subjects for the following purposes, relying on the following legal bases:
For the "Purposes and Legal bases of processing" section, I'll rewrite it in a non-table format so you can easily copy and paste it:
3. Purposes and Legal bases of processing
The Data Controller collects and processes the personal data of Data Subjects for the following purposes, relying on the following legal bases:
a. Purpose of processing: Response to the Data Subject's request for information regarding the registration of an account and navigation on the Website.
Legal basis of processing: The processing is necessary for the performance of pre-contractual measures adopted at the request of the Data Subject.
b. Purpose of processing: Management of the Data Subject's registration on the Website through the compilation of the form for creating their own account. Legal basis of processing: The processing is necessary for the performance of a contract to which the Data Subject is a party.
c. Purpose of processing: Management of the closure/dismissal and deletion of the Data Subject's registered account on the Website. Legal basis of processing: The processing is necessary for the performance of a contract to which the Data Subject is a party.
d. Purpose of processing: Management of communications with the Data Subject about the products offered for sale on the Website. Legal basis of processing: The processing is necessary for the performance of a contract to which the Data Subject is a party.
e. Purpose of processing: Management of relationships with payment service providers in relation to the verification of Data Subjects' payments for the purchase of products. Legal basis of processing: The processing is necessary for the performance of a contract to which the Data Subject is a party.
f. Purpose of processing: Management of accounting and tax obligations in relation to payments for the purchase of products promoted and offered on the Website. Legal basis of processing: The processing is necessary for the performance of a contract to which the Data Subject is a party. The processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
g. Purpose of processing: Processing of product purchase orders and related communication to product suppliers for shipping the same to Data Subjects. Legal basis of processing: The processing is necessary for the performance of a contract to which the Data Subject is a party.
h. Purpose of processing: Processing and management of invoices communication to Data Subjects. Legal basis of processing: The processing is necessary for the performance of a contract to which the Data Subject is a party. The processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
i. Purpose of processing: Execution of orders and/or requests from judicial and/or administrative authorities, including for combating online crime. Legal basis of processing: The processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
l. Purpose of processing: Provision of the Website for navigation and use of the same and management of the IT security of the Website. Legal basis of processing: The processing is necessary for the pursuit of the legitimate interest of the Data Controller, which consists in providing its services through the Website and protecting and ensuring the IT security of the Website and the personal data of the Data Subject.
m. Purpose of processing: Management of the IT security of the infrastructure and network of the Data Controller, to allow the provision of the Website. Legal basis of processing: The processing is necessary for the pursuit of the legitimate interest of the Data Controller, which consists in protecting and ensuring the IT security of the digital assets of the Data Controller necessary for the provision of the Website and related services.
n. Purpose of processing: Management of complaints and/or grievances of the Data Subject and requests for exercise of related rights, including privacy rights. Legal basis of processing: The processing is necessary for the pursuit of the legitimate interest of the Data Controller, which consists in responding to complaints and/or grievances of the Data Subject and allowing the exercise of corresponding rights.
o. Purpose of processing: Exercise and/or defense of interests and/or rights of the Data Controller before the competent authorities. Legal basis of processing: The processing is necessary for the pursuit of the legitimate interest of the Data Controller, which consists in asserting and protecting its rights and interests.
p. Purpose of processing: Management of preparatory and executive activities of possible extraordinary operations in which the Data Controller might be involved. Legal basis of processing: The processing is necessary for the pursuit of the legitimate interest of the Data Controller, which consists in the management and/or enhancement of its corporate structure and/or its business.
q. Purpose of processing: Sending promotional and/or marketing communications to the Data Subject via email, newsletter, SMS/MMS, instant messaging, telephone, about promotions, discounts, new items, events and initiatives regarding the services promoted and offered on the Website. Legal basis of processing: The processing is based on the consent of the Data Subject.
r. Purpose of processing: Management of analytical and/or profiling functionalities of cookies and other tracking tools as better explained in the Website's Cookies Policy. Legal basis of processing: The processing is based on the consent of the Data Subject, according to preferences expressed in the CMP (consent management platform) of the Website.
s. Purpose of processing: Collection of information and creation of profiles on preferences, habits and navigation methods on the Website, on the Data Subject's purchases to create group and individual profiles ("profiling") to send personalized communications via email, SMS/MMS, instant messaging/send personalized announcements, measure the effectiveness of marketing campaigns and optimize them. Legal basis of processing: The processing is based on the consent of the Data Subject.
4. Nature of the provision of Personal Data and consequences of their non-provision
Regarding personal data whose processing is necessary for compliance with laws and regulations or for the performance of pre-contractual measures or a contract between the Data Controller and the Data Subjects, as outlined in the General Terms and Conditions of Sale,
i.e. for the purposes indicated in points a.-i. of the table in section 3. above, the provision of the Data Subject's personal data is mandatory; any refusal would make it impossible for the Data Controller to make the Website available and/or offer its services to Data Subjects.
For the processing of Data Subjects' personal data based on the legitimate interest of the Data Controller, in relation to the purposes indicated in points l.-p. of the table in section 3. above, the provision of the Data Subjects' personal data is necessary and any refusal would make it impossible for the Data Controller to make the Website available and/or offer its services to Data Subjects.
For the processing of Data Subjects' personal data for which their consent is required, in relation to the purposes indicated in points q.-s. of the table in section 3. above, the provision of the Data Subjects' personal data is optional and any refusal does not prejudice or prevent the use of the Website and the use of the services offered by the Data Controller by the Data Subjects.
5. Processing methods
The Data Controller processes the personal data of the Data Subject through the aid of electronic or, in any case, automated, IT and telematic tools, with organizational methods and with logic strictly related to the purposes indicated in this Privacy Policy and in compliance with the Italian Privacy Legislation.
In particular, the Data Controller processes the personal data of Data Subjects through automated systems to receive information requests and interact with Data Subjects as well as to allow navigation on the Website.
During the processing of Data Subjects' personal data, the Data Controller adopts appropriate security measures aimed at preventing unauthorized or unlawful access, disclosure, modification or destruction of personal data.
6. Retention period
The Data Controller keeps the personal data of Data Subjects only for the time strictly necessary to fulfill the purposes for which the personal data are collected and processed.
The Data Controller keeps the personal data of Data Subjects to allow the registration of an account on the Website and until its closure by the Data Subjects. If Data Subjects decide to close their account on the Website, such account will be deactivated within 2 days from the submission of the account closure request. Within 30 days from the aforementioned deactivation of the account, the Data Controller will proceed to delete the personal data contained in the account of the Data Subjects and the account itself.
Please consider that personal data contained within contracts, commercial communications and letters, invoices, bank statements may be subject to retention periods established by law, which may provide for a retention period of up to 10 years, based on the ordinary limitation period in force and/or specific provisions of the civil code.
The personal data of Data Subjects collected and processed for accounting and tax purposes will be kept for a period of 10 years from the date of invoice issuance.
Data relating to the use of the Website and/or the response to the questions and requests of Data Subjects will be kept for a period of 3 years from the date of the last iteration of Data Subjects with the Website itself.
In case of disputes with Data Subjects, personal data will be kept until the exhaustion of the last degree of judicial and/or administrative proceedings.
If the processing of Data Subjects' personal data is based on their consent to processing, personal data will be kept until the consent is revoked. The above also applies in case consent of Data Subjects has been given for personal data processing for marketing purposes, subject to verification by the Data Controller of the validity and currentness of such consent at regular intervals (e.g. every twenty-four (24) months).
Regarding the duration of the processing of personal data collected and processed through cookies and other tracking tools, please refer to the Cookies Policy of the Website.
At the end of each retention period of personal data, the Data Controller will permanently delete them from its systems and/or make them anonymous. In any case, the Data Controller may retain the personal data of Data Subjects further if necessary to comply with a legal obligation or for the exercise of its rights of defense in court.
7. Communication and international transfers of personal data
7.1 Persons authorized to process personal data
The Data Controller's personnel, duly trained, authorized and instructed for the processing of personal data, may have access to the personal data of the Data Subject, based on the principle of minimum privilege.
7.2 Data Processors and third parties
Furthermore, in making the Website available and in providing related sales services, the Data Controller may communicate the personal data of the Data Subject to external subjects such as:
a) Technology service providers. In order for Data Subjects to register and access the Website and use the services promoted and offered by the Data Controller, the latter may share the personal data of Data Subjects with its providers of technology services or services dedicated to sending marketing and/or promotional communications, which will act as Data Processors on the basis of a corresponding appointment as data processor and related instructions pursuant to a data processing agreement pursuant to Art. 28 GDPR such as marketing service providers (e.g. Mailchimp), IT service providers (e.g. Shopify International Ltd., Zendesk/Gorgias,];,), Judge.me Ltd. (for the purpose of managing reviews left by Data Subjects on the Website);
b) Third parties, independent data controllers, in relation to the provision of services related to the shipping of products (e.g. product suppliers).
c) Third parties, independent data controllers, in relation to online advertising services and on social networks (e.g. Google ads, Facebook ads, TikTok ads).
d) Third parties, independent data controllers, such as payment services, such as PayPal, Shopify International Ltd., Apple Pay, banking institutions.
e) Third parties, independent data controllers, that provide assistance and consulting services to the Data Controller, such as consultants and professionals in legal, tax and commercial matters.
f) Third parties, independent data controllers, in accordance with a legal obligation or to ascertain, exercise or defend a right in court. The Data Controller may communicate the personal data of the Data Subject to institutions, law enforcement, judicial authorities, administrative authorities or public security, which request access to data in the context of carrying out their institutional tasks (e.g. during a judicial or administrative procedure), or in order to comply with a legal obligation or protect its rights.
g) Third parties, independent data controllers, in the case of corporate operations. The communication of personal data of Data Subjects may finally occur in the presence of events such as mergers, acquisitions, sales of companies (or its assets) or other extraordinary operations in which the Data Controller might have to share information with potential buyers or counterparties and their consultants.
Data Subjects can contact the Data Controller, as indicated in section 10 of this Privacy Policy, to request the updated list of Data Processors and third parties to whom personal data may be communicated.
7.3 International data transfers
The personal data of Data Subjects may be transferred outside the European Economic Area/European Union, to product suppliers who materially produce and/or distribute such products and will be responsible for shipping them.
Some of these recipients of Data Subjects' personal data may be located in jurisdictions that do not have an adequate level of protection of personal data as required by the Personal Data Protection Legislation. In such cases, the Data Controller may transfer personal data only for the purposes of this Policy, adopting appropriate measures (e.g. adoption of standard contractual clauses adopted by the European Commission implementing decision 2021/914 of June 4, 2021) aimed at ensuring a level of protection of personal data equivalent to that provided by the Personal Data Protection Legislation, together with any additional appropriate measures that may be necessary for this purpose (e.g. Transfer Impact Assessment).
Data Subjects may contact the Data Controller at any time to request a copy of the transferred data and/or the place where they have been made available and additional information on the adoption of appropriate measures for international transfers of personal data (e.g. copy of the Standard Contractual Clauses where eventually adopted by the Data Controller), by sending a request to the email address
8. Automated processing
Normally, the Data Controller does not perform automated processing of Data Subjects' personal data.
However, such processing could be carried out in the following circumstances:
§ for the purpose of collecting, storing and managing log files proving the Data Subject's express consent regarding the receipt of marketing communications, with the date and time the consent was provided;
§ for the purpose of managing the preferences expressed by Data Subjects in relation to the use by the Data Controller of Cookies and other tracking technologies;
§ for the purpose of creating profiles on preferences, habits and navigation methods on the Website, on the Data Subject's purchases to create group and individual profiles ("profiling") to send personalized communications via email, SMS/MMS, instant messaging/send personalized announcements, measure the effectiveness of marketing campaigns and optimize them.
9. Rights of Data Subjects
Data Subjects may at any time request free information on this Privacy Policy and on the processing of their personal data by the Data Controller using the contact details indicated in section 10 of this Privacy Policy.
In addition, Data Subjects may contact the Data Controller, by filling out the form found at this link and/or sending it to the addresses also indicated in section 10 to exercise their privacy rights under Articles 7, 15 et seq. GDPR:
Right of access: in certain circumstances, Data Subjects have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed and, if so, to request access to such personal data. Access information includes, among others, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the sources of personal data, the duration of retention, the technical security measures adopted and the appropriate measures to safeguard personal data in case of transfer outside the European Single Area/European Union. However, this is not an absolute right and the interests of other people may limit the right of access.
Data Subjects have the right to request a copy of the personal data. For additional copies requested, the Data Controller may charge a reasonable fee taking into account the administrative costs incurred.
Right to rectification: in certain circumstances, Data Subjects have the right to obtain from the Data Controller the rectification of inaccurate personal data concerning them. In addition, Data Subjects may have the right to have incomplete personal data completed, including by providing a supplementary statement.
Right to erasure (right to be forgotten): Data Subjects have the right to obtain the erasure of personal data concerning them, in certain circumstances, namely (i) when the personal data are no longer necessary for the purposes for which they were collected or processed, or (ii) Data Subjects have withdrawn consent to processing and there is no other legal basis for continuing the processing, or (iii) Data Subjects have objected to the processing and there is no legitimate reason to proceed with the processing (iv) Data Subjects have objected to processing for direct marketing purposes, including profiling associated with marketing, or (v) personal data have been unlawfully processed, or (vi) must be erased to comply with a legal obligation. In such cases, the Data Controller will take measures to erase, or make permanently unintelligible, such personal data.
Right to restriction of processing: Data Subjects have the right to obtain the restriction of processing of their personal data when (i) Data Subjects contest the accuracy of the personal data for as long as necessary for the Data Controller to verify their accuracy, or (ii) the processing is unlawful and Data Subjects oppose the erasure of their data, or (iii) the data are no longer necessary for the Data Controller but Data Subjects need them to establish, exercise or defend their rights in court, or (iv) Data Subjects object to the processing, pending the Data Controller's verification of the existence of legitimate reasons to continue the processing. In this case, the data will be marked and may be processed by the Data Controller only for certain purposes, namely for the conservation of data, or for the establishment, exercise or defense of a right in court, or to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or Italy.
Right to data portability: in the case of automated processing, when the processing is based on the consent of Data Subjects or on the contract with the Data Controller, Data Subjects have the right to receive in a structured, commonly used and machine-readable format the personal data concerning them and which they have provided to the Data Controller as well as the right to transmit such personal data to another entity.
Right to object: in certain circumstances, the Data Subject has the right to object, at any time, on grounds relating to his or her particular situation, to the processing of personal data by the Data Controller and may request that such personal data no longer be processed. If the Data Subject has the right to object and exercises this right, his or her personal data will no longer be processed by the Data Controller for such purposes unless the Data Controller demonstrates compelling legitimate grounds pursuant to the GDPR to continue the processing or for the establishment, exercise or defense of a right in court.
If the data are processed for marketing purposes, Data Subjects have the right to object at any time to processing for such purposes, including profiling to the extent that it is related to direct marketing. If Data Subjects object to processing for direct marketing purposes, personal data are no longer processed for such purposes.
Automated decision-making: Data Subjects have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them. The preceding prohibition is waived by the consent given by Data Subjects to the decision based on automated processing of their personal data or the necessity of such decision for the conclusion or performance of a contract between Data Subjects and the Data Controller or if the decision is authorized by European Union or Italian law.
Withdrawal of consent: Data Subjects also have the right to withdraw consent where given with regard to certain types of personal data processing activities. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
Please note that, in certain circumstances pursuant to Article 2-undecies of the Privacy Code, the exercise of privacy rights may be delayed, limited or excluded. In such case, the Data Controller will provide the Data Subject with a reasoned statement without delay and the Data Subject may nevertheless request that the Garante verify that the delay, limitation and exclusion referred to above are based on legitimate grounds.
Finally, Data Subjects have the right to lodge a complaint with the national supervisory authority, i.e. the Garante.
10. Contacts of the Data Controller
The Data Controller is SNAP S.r.l.s. with registered office in via Luigi Settembrini n. 30, 00195 Rome, also contactable at the email address Snapsrls@gmail.com.
11. Changes to this privacy policy
The Data Controller reserves the right to make changes to this Privacy Policy at any time by informing Data Subjects by publishing updates and changes on the Website.
Please therefore regularly consult the page dedicated to the Privacy Policy of the Website, referring to the date of last modification of the same.
If the changes concern processing whose legal basis is consent, the Data Controller will collect such consent of Data Subjects to the processing of their personal data, if necessary.
https://snapsrls.systeme.io/302e7d60--f270f3ae