Privacy Policy

1. Processing of Personal Data

1.1. Types of Personal Data

Every detail on each type of Personal Data is provided in the dedicated section of this Document and/or through specific informative texts displayed before the data is collected. The Personal Data collected, independently or by Third Parties, are:

1.1.1. Personal Data

Name, surname, e-mail address and/or PEC, fixed and/or mobile telephone, country of residence, location, tax code and/or VAT number.

1.1.2. Usage Data

Usage Data is the Personal Data collected automatically during the use of the Service. It comprises the IP addresses or domain names of the computers used by the Data Subject who connects to Sbuch.it, the addresses in URI (Uniform Resource Identifier) notation, the time of the request, the method used to forward the request to the server, the size of the file obtained in response, the numeric code indicating the status of the reply from the server, the country, the characteristics of the browser and the operating system used by the Data Subject, the various temporal connotations of the visit (e.g. the time spent on each page) and details relating to the behaviour of the Data Subject within Sbuch.it, with particular reference to the sequence of the pages consulted.

1.1.3. Specific Data

Sbuch.it does not require the Data Subject to provide so-called particular data, i.e. Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, health data or data on the person’s sexual life or sexual orientation. In the event that the Service requested from Sbuch.it requires the Processing of such data, the Data Subject will receive prior information and will be asked to give consent.

1.2. Methods of Collection of Personal Data

Personal Data may be freely provided by the Data Subject or, in the case of Usage Data, collected automatically during the use of Sbuch.it. Unless otherwise specified, all Personal Data requested by Sbuch.it are mandatory. If the Data Subject refuses to communicate them, it may be impossible for Sbuch.it to provide the Service. In cases where Sbuch.it indicates some Personal Data as optional, the Data Subject is free to refrain from communicating such Personal Data, without this having any effect on the availability of the Service.

The Data Subject assumes responsibility for the Personal Data of Third Parties obtained, published or shared through Sbuch.it and guarantees to have the right to communicate or disseminate them, freeing the Controller from any responsibility towards Third Parties.

The communication of the Personal Data of the Data Subject takes place mainly towards Third Parties and/or recipients whose activity is necessary for the performance of the activities inherent to the relationship established and to meet certain legal obligations.

1.3. Methods of Processing

The Controller uses appropriate security measures in order to preserve the confidentiality, integrity and availability of the Personal Data of the Data Subject. In addition, the Controller requires its Third Party suppliers and the Processors to comply with security measures equal to those adopted in respect of the Data Subject, restricting the scope of action of the Controller to the requested Service.

The Processing is carried out by means of computer and/or telematic tools, with organizational methods and with logics strictly related to the purposes indicated. In addition to the Controller, in some cases, other parties involved in the organisation of Sbuch.it (administrative, commercial, marketing, legal, system administrators) or external parties (such as postal couriers, hosting providers, IT companies, communication agencies) may have access to Personal Data; where necessary, these parties are also appointed as Processors by the Controller.

1.4. Legal Basis of the Processing

The Controller processes Personal Data relating to the Data Subject if one of the following conditions is met:

  • the Data Subject has given consent for one or more specific purposes

  • the Processing is necessary for the execution of a contract with the Data Subject and/or for the execution of pre-contractual measures

  • the Processing is necessary to fulfil a legal obligation to which the Controller is subject

  • the Processing is necessary for the performance of a task of public interest vested in the Controller

  • the Processing is necessary for the pursuit of the legitimate interest of the Controller or of Third Parties

However, it is always possible to ask the Controller to clarify the concrete legal basis of each Processing and specify whether the Processing is based on law, provided for in a contract or necessary to conclude a contract.

1.5. Place of Processing

The Personal Data of the Data Subject is stored in paper, computer and telematic archives located in countries where the GDPR is applied. Personal Data are processed at the operating offices of the Controller and in any other place where the parties involved in the Processing are located. The Personal Data of the Data Subject may be transferred to a country other than the one in which the Data Subject is located.

The Data Subject has the right to obtain information about the legal basis for the transfer of Personal Data outside the European Union or to an international organisation governed by public international law or constituted by two or more countries, such as the UN, as well as about the security measures taken by the Controller to protect Personal Data.

The Data Subject may verify whether one of the transfers described above takes place by examining the section of this Document relating to the details of the Processing of Personal Data or request information from the Controller by contacting him at the address.

1.6. Storage Period

Unless the Data Subject expressly asks for its removal, the Personal Data of the Data Subject will be kept for as long as it is necessary for the legitimate purposes for which it was collected.

In particular, Personal Data will be kept for the duration of the Data Subject’s registration and in any case not beyond a maximum period of 12 (twelve) months of inactivity, or if, within this period, the Data Subject is not associated with a Service through the registration itself. Personal Data provided to the Controller for the purposes of commercial promotion of services other than those already acquired by the Data Subject, for which the Data Subject initially gave consent, will be kept for 24 months, unless the consent given is revoked. Data provided to the Controller for profiling purposes will be kept for 12 months, unless the consent given is revoked.

If a Data Subject provides Sbuch.it with Personal Data that is not requested or not necessary for the performance of the requested Service or for the provision of a Service strictly related to it, Sbuch.it cannot be considered the owner of such Personal Data and will arrange for their deletion as soon as possible.

Regardless of the Data Subject’s decision to have them removed, Personal Data will in any case be stored according to the terms provided by current legislation and/or national regulations, for the sole purpose of guaranteeing the specific requirements of certain services. Furthermore, Personal Data will in any case be stored for the fulfillment of obligations (e.g. tax and accounting) that remain even after the termination of the contract; for these purposes the Controller will keep only the Personal Data necessary for their pursuit. This is without prejudice to cases in which the rights deriving from the contract and/or from the registration must be asserted in court; in such cases the Personal Data of the Data Subject, exclusively those necessary for these purposes, will be processed for the time necessary to pursue them.

The Data are processed and stored for the time required by the purposes for which they were collected. Therefore:

  • Personal Data collected for purposes related to the execution of a contract between the Controller and the Data Subject will be retained until the execution of such contract is completed.

  • Personal Data collected for purposes related to the legitimate interest of the Controller will be retained until such interest is satisfied. The Data Subject may obtain further information about the legitimate interest pursued by the Controller in the relevant sections of this Document or by contacting the Controller.

Where the Processing is based on the Data Subject’s Consent, the Controller may retain the Personal Data for a longer period until such consent is revoked. In addition, the Controller may be obliged to retain Personal Data for a longer period in compliance with a legal obligation or by order of an authority.

At the end of the retention period, the Personal Data will be deleted. Therefore, at the end of this period, the right of access, cancellation, rectification and the right to portability of Personal Data can no longer be exercised.

1.7. Purposes of the Processing

The Personal Data of the Data Subject is collected to enable the Controller to provide the Service, to comply with legal obligations, to respond to requests or enforcement actions, to protect its rights and interests (or those of other Data Subjects or Third Parties), to detect possible fraudulent activities, as well as for the purposes described in this Document. If the Data Subject does not provide the Personal Data expressly indicated as necessary in the order form or the registration form, the Controller may not proceed with the Processing related to the management of the services requested and/or the Service related to it, nor with the obligations that depend on them. Under no circumstances does Sbuch.it sell the Personal Data of the Data Subject to Third Parties or use them for undeclared purposes.

The Personal Data of the Data Subject may also be processed for profiling purposes (such as analysing the data transmitted and the Service chosen, or proposing advertising messages and/or commercial proposals in line with the choices made by the Data Subject) only if the Data Subject has given explicit and informed consent.

The Personal Data of the Data Subject, with the exception of particular or judicial data, will be processed to allow controls for the purpose of monitoring and preventing fraudulent payments, by software systems that carry out an automated verification prior to the negotiation of the Service. If these checks return a negative result, it will be impossible to carry out the transaction; the Data Subject may in any case express his or her opinion, obtain an explanation or challenge the decision, justifying his or her reasons to the Customer Service. The Personal Data collected for anti-fraud purposes only, unlike the data necessary for the correct execution of the requested Service, will be deleted immediately at the end of the control phases.

The Service offered by the Controller is reserved for persons legally able, on the basis of national legislation, to enter into contractual obligations. The Controller, in order to prevent unlawful access to the Service, implements preventive measures to protect its legitimate interest, such as checking the tax code, the correctness of the identification data of the identity documents issued by the competent authorities and/or other checks.

2. Details on the Processing of Personal Data

2.1. Contact the Data Subject

2.1.1. Contact Form (Sbuch.it)

By filling in the contact form with their Personal Data, the Data Subject agrees to their use to respond to requests for information, quotes, or any other kind indicated by the header of the form.

2.1.2. Mailing List or Newsletter (Sbuch.it)

The registration to the mailing list or newsletter implies that the Data Subject is automatically included in a list of contacts to which emails containing information, including commercial and promotional information, relating to Sbuch.it may be sent. The e-mail address of the Data Subject may also be added to this list as a result of registration at Sbuch.it or after making a purchase.

2.1.3. Contact by Telephone (Sbuch.it)

The Data Subject who has provided their telephone number may be contacted for commercial or promotional purposes related to Sbuch.it, as well as to satisfy requests for support.

2.2. Social Features (Sbuch.it)

The Data Subject may have a public profile viewable by other Data Subjects. In addition to the Personal Data provided, this profile may contain the Data Subject’s interactions with Sbuch.it and/or a symbolic image of the Data Subject or an image of the Data Subject’s face.

2.3. Hosting and Backend Infrastructure (Aruba S.p.A.)

Aruba S.p.A. is the company that manages the domain registration of this website, the web hosting service and database necessary to ensure the functioning of the web platform.

  • Legal Basis of the Processing: legitimate interest

  • Place of Processing: the Personal Data are stored in archives located in countries of the European Union. Where necessary for the pursuit of the stated purposes, the Personal Data may be transferred abroad, to countries or organisations outside the European Union that guarantee a level of protection of Personal Data deemed appropriate by the European Commission with its own decision, or in any case on the basis of other appropriate guarantees, such as the Standard Contractual Clauses adopted by the European Commission.

  • Storage Period: Personal Data will be stored in a form that allows the identification of the Data Subject for a period of time not exceeding that necessary to achieve the purposes for which they were collected, taking into account the laws applicable to the activities and sectors in which the Controller operates. Once the terms established in this way have expired, the Personal Data will be deleted or rendered anonymous, unless their further storage is necessary to fulfill obligations (e.g. tax and accounting) that remain even after the termination of the contract or to fulfill orders issued by Public Authorities and/or Supervisory Bodies.

  • Purposes of the Processing

    • Registration

    • Management of contact requests and/or information material

    • Management of the contractual relationship

    • Defending a right in judicial or extrajudicial proceedings

    • Physical and computer security

    • Prevention of fraud

    • Promotional activities on Services/Products similar to those purchased

    • Promotional activities on Services/Products offered by Aruba

    • Promotional activities on Services/Products of the companies of the Aruba Group

    • Profiling

2.4. Hosting and Backend Infrastructure (Sbuch.it)

  • Legal Basis of the Processing: legitimate interest

  • Place of Processing: the Personal Data are stored in archives located in countries of the European Union. Where necessary for the pursuit of the stated purposes, the Personal Data may be transferred abroad, to countries or organisations outside the European Union that guarantee a level of protection of Personal Data deemed appropriate by the European Commission with its own decision, or in any case on the basis of other appropriate guarantees, such as the Standard Contractual Clauses adopted by the European Commission.

  • Storage Period: Personal Data will be stored in a form that allows the identification of the Data Subject for a period of time not exceeding that necessary to achieve the purposes for which they were collected, taking into account the laws applicable to the activities and sectors in which the Controller operates. Once the terms established in this way have expired, the Personal Data will be deleted or rendered anonymous, unless their further storage is necessary to fulfill obligations (e.g. tax and accounting) that remain even after the termination of the contract or to fulfill orders issued by Public Authorities and/or Supervisory Bodies.

2.5. Directly collected statistics (Sbuch.it)

Sbuch.it uses a statistics system that makes it possible to monitor and analyze web traffic data, as well as to keep track of the behavior of the Data Subject.

2.6. Indirectly collected statistics (SmarterTools Inc.)

SmarterStats is a comprehensive suite of business analytics tools that helps a company manage its online presence.

2.7. Displaying content from external platforms

This type of Service allows you to view content hosted on external platforms directly from the pages of Sbuch.it and interact with them. This type of Service may still collect data on web traffic related to the pages where the Service is installed, even when users are not using it.

2.8. Google Fonts (Google Ireland Limited)

Google Fonts is a font style display service operated by Google Ireland Limited which allows Sbuch.it to integrate such content into its pages.

2.9. Font Awesome (Fonticons Inc.)

Font Awesome is a font style display service operated by Fonticons, Inc. which allows Sbuch.it to integrate such content into its pages.

3. The rights of the Data Subject

3.1. What are the Rights of the Data Subject

The Data Subject, with reference to the Personal Data processed by the Controller, has the right to:

  • revoke consent at any time. The Data Subject may revoke the previously expressed consent to the Processing of his/her Personal Data.

  • object to the Processing of their Personal Data. The Data Subject may object to the Processing of their Personal Data when it is done on a legal basis other than the Data Subject’s Consent.

  • access their Personal Data. The Data Subject has the right to obtain information on the Personal Data processed by the Controller, on certain aspects of the Processing and to receive a copy of the Personal Data processed.

  • verify and request correction. The Data Subject may verify the correctness of their Personal Data and request its updating or correction.

  • obtain the restriction of the Processing. When certain conditions are met, the Data Subject may request the restriction of the Processing of his/her Personal Data. In this case, the Controller will not process the Personal Data for any purpose other than their storage.

  • obtain the erasure or removal of their Personal Data. When certain conditions are met, the Data Subject may request the erasure of their Personal Data by the Controller.

  • receive their Personal Data or have them transferred to another Controller. The Data Subject has the right to receive their Personal Data in a structured, commonly used and machine-readable format and, where technically feasible, to obtain its transfer without hindrance to another Controller. This provision is applicable when Personal Data are processed by automated means and the Processing is based on the Data Subject’s Consent, on a contract to which the Data Subject is a party or on contractual measures related to it.

  • lodge a complaint. The Data Subject may lodge a complaint with the competent supervisory authority for the protection of Personal Data or take legal action.

3.2. Details on the Right of Opposition

When Personal Data are processed in the public interest, in the exercise of public authority vested in the Controller or in pursuit of a legitimate interest of the Controller, the Data Subject has the right to object to the Processing for reasons related to their particular situation.

We inform the Data Subject that, if their Personal Data are processed for direct marketing purposes, they may object to the Processing without providing any reason. To find out whether the Controller processes Personal Data for direct marketing purposes, the Data Subject may refer to the respective sections of this Document.

3.3. How to exercise the Rights of the Data Subject

In order to exercise the Data Subject’s rights, the Data Subject may send a request to the contact details of the Controller indicated in this Document. Requests are submitted free of charge and processed by the Controller as soon as possible, in any case within one month.

The Data Subject has the right to obtain from the Controller the following:

  • confirmation of whether or not Personal Data concerning him is being processed and, if so, to obtain access to the Personal Data and the following information:

    • the purposes of the Processing

    • the categories of Personal Data in question

    • the recipients or categories of recipients to whom the Personal Data has been or will be disclosed, in particular if the recipients are in third countries or are international organisations

    • where possible, the period of retention of Personal Data envisaged or, if not possible, the criteria used to determine this period

    • the existence of the right of the Data Subject to request the Controller to rectify or erase the Personal Data or to restrict the Processing of Personal Data concerning him or to object to their Processing

    • the right to lodge a complaint with a supervisory authority

    • if Personal Data are not collected from the Data Subject, all available information on their origin

    • the existence of an automated decision-making process, including profiling, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such Processing for the Data Subject

    • the appropriate safeguards provided by the third country (non-EU) or an international organisation for the protection of Personal Data that may be transferred

  • a copy of the Personal Data subject to Processing, provided that this right does not infringe the rights and freedoms of others. In the event of additional copies requested by the Data Subject, the Controller may charge a fee based on administrative costs

  • the right to obtain from the Controller the rectification of their inaccurate Personal Data without undue delay

  • the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay, if the reasons provided by law exist, for example where the Personal Data are no longer necessary for the purposes of the Processing or where the Processing is assumed to be unlawful, provided that the conditions laid down by law are met and in any case if the Processing is not justified by another equally legitimate reason

  • the right to obtain from the Controller the restriction of the Processing, in the cases provided for by law, for example where the Data Subject has contested the accuracy of the Personal Data, for the period necessary for the Controller to verify its accuracy. The Data Subject must also be informed, in an appropriate time, when the suspension period has expired or the reason for the restriction of the Processing has ceased, and the restriction itself has therefore been revoked

  • the right to obtain notification from the Controller of any recipients to whom requests for any corrections or deletions or restrictions of the Data have been transmitted, unless this proves impossible or involves a disproportionate effort

  • the right to receive in a structured, commonly used and machine-readable format the Personal Data concerning him or her and the right to transmit such Personal Data to another Controller without hindrance by the Controller to whom he or she has provided them, in the cases provided by law, and the right to obtain the direct transmission of Personal Data from one Controller to another, if technically feasible

3.4. Further information on Rights of the Data Subject

For any further information, and in any case to send a request, the Data Subject must contact the Controller. In order to ensure that the above-mentioned rights are exercised by the Data Subject and not by unauthorized Third Parties, the Controller may ask the Data Subject to provide any additional information necessary for this purpose.

4. Cookie Policy

Cookies and Identifiers are data that are stored by the browser on the computer or other device (e.g. tablet or mobile phone) of the Data Subject. Any use of Cookies and Identifiers, or other tracking tools, by Sbuch.it or by Third Parties, unless otherwise specified, has the purpose of providing the Service requested by the Data Subject, in addition to the other purposes described in this Document and in the Cookie Policy.

5. Further information on Processing

5.1. Automated Decision-Making Processes

A decision which may produce legal effects for the Data Subject, or which may have a similarly significant impact on the person concerned, and which is taken exclusively by technological means and without human intervention constitutes an automated decision-making process. Within the scope of the purposes described in this Document, Sbuch.it may use the Personal Data of the Data Subject to make decisions based entirely or partially on automated processes. Sbuch.it uses automated decision-making processes to the extent necessary to conclude or execute a contract between the Data Subject and the Controller or, if required by law, with prior consent given by the Data Subject.

Automated decisions depend on technological tools provided by the Controller or Third Parties and are generally based on algorithms that meet predefined criteria. The logic behind automated decision-making processes aims to:

  • enable or improve decision-making

  • guarantee the Data Subject fair and impartial treatment

  • reduce the potential harm resulting from human error, personal bias or other similar circumstances which could lead to discrimination or imbalance in the treatment of individuals

  • reduce the risk of non-performance of the obligations of a contract by the Data Subject

The Data Subject subject to this type of Processing may exercise specific rights aimed at preventing or limiting the potential effects of automated decision-making processes. In particular, the Data Subject has the right to:

  • receive an explanation of, and express an opinion on, any decision taken as a result of automated decision-making

  • challenge the decision asking the Controller to reconsider it or to adopt a new decision on different grounds

  • request and obtain from the Controller a human intervention in the Data Processing

5.2. Defense in Judgment

The Personal Data of the Data Subject may be used by the Controller in court, or in the stages preparatory to possible court proceedings, to defend against abuse in the use of Sbuch.it or the related Service by the Data Subject. The Data Subject declares to be aware that the Controller may be obliged to disclose Personal Data by order of public authorities.

5.3. Specific information

At the request of the Data Subject, in addition to the information contained in this Document, Sbuch.it may provide additional and contextual information regarding specific services, or the collection and Processing of Personal Data.

5.4. System Log and Maintenance

For needs related to operation and maintenance, Sbuch.it and any Third Party services used by it may collect system logs, i.e. files that record interactions and may also contain Personal Data.

5.5. Information not contained in this Document

Further information in relation to the Processing of Personal Data may be requested at any time from the Controller using the contact details.

Contact Information

Controller: Sbuch.it
Processor: Alessio Bucciarelli
Registered Office: 53100 Siena - Italy
Controller Contact Email: alessiobucciarelli@pec.sbuch.it

Modification of this Document

The Controller reserves the right to make changes to this Document at any time; any update will be communicated promptly and by appropriate means. The Data Subject will always be notified if the Controller intends to process the Personal Data of the Data Subject for purposes other than those indicated in this Document, before the Controller proceeds and, if necessary, after the Data Subject has given the respective consent. The Data Subject who continues to use Sbuch.it after the publication of the changes accepts the new Document without reservation. In addition, if any provision of these conditions is deemed invalid, void or for any reason unenforceable, such provision shall not affect the validity and effectiveness of the other provisions.