Privacy Policy

This Privacy Policy has been translated for convenience. In the event of any discrepancy or conflict between the translated version and the original Italian version, the Italian text shall prevail and be the legally binding version.

With this Privacy Policy, provided pursuant to art. 13 of Regulation (EU) 2016/679 (“GDPR” or “Regulation”), we wish to inform the User about how their Personal Data (meaning any information capable of identifying them directly or indirectly) will be processed when they visit and/or purchase on the website www.elenapenza.com (hereinafter, the “Site”). This notice, together with the Cookie Policy and the Terms of Use and General Conditions of Sale, establishes the basis on which Users’ personal data will be processed.

Data Controller

The Data Controller for the personal data collected through the Site is: ELENA PENZA S.R.L., with registered office in Piazza Addis Abeba 1 – 00199 Roma (RM), VAT ID: 16409771009, Rea: RM-1654959 (hereinafter the ‘Data Controller’), email address: info@elenapenza.com.

Methods of Personal Data Processing

We hold the right to privacy and the protection of the personal data of our Users in the highest regard, and their data will be processed lawfully.

The Personal Data provided or acquired will be subject to Processing based on the principles of fairness, lawfulness, transparency, and the protection of confidentiality in accordance with current regulations, through appropriate security measures aimed at preventing unauthorized access, disclosure, modification, or destruction of the Personal Data. 

Processing is carried out using computer and/or telematic tools, with organizational methods and logic strictly related to the indicated purposes.

Personal Data Processed

When the User visits the Site, contacts us (via email, phone, mail, etc.), subscribes to the newsletter, or submits an order, we process some of their Personal Data, either independently or through third parties.

The categories of personal data processed are listed below:

  1. Identification, Contact, and Access Data: name and surname, email address, shipping address, telephone number, and account access credentials, as well as any other Personal Data voluntarily communicated by the User.
  2. Purchase Data: data relating to purchases made.
  3. Navigation Data: relating to the connection, IP addresses, domain names, and other parameters relating to the browser and the operating system used.
  4. Usage Data: information generated by visiting the Site or making purchases on it: log data, data relating to registrations made, interaction and transaction processes, performance indicators, data relating to navigation flows and the use of features.
  5. Billing and Payment Data: VAT number (if applicable), tax code, address.

Purposes of Processing and Legal Basis

The Data Controller will process the Users’ Personal Data, as listed above, for the performance of its economic and commercial activities, for the specific purposes indicated below:

1. Purposes related to the Contract and Legal Obligations

  1. Navigation on the Site;
  2. Account registration and management (credential recovery, cancellation, etc.) and use of related services;
  3. Activities necessary for the conclusion of the contract for the purchase of products sold by the Site and its execution;
  4. Order processing;
  5. Assistance and customer care activities, as well as responding to requests, complaints, reports, and disputes from Users via email to the Data Controller’s addresses or through other communication channels;
  6. Management of User requests through remote communication tools, such as e-mail, banners, notification systems, and other remote communication tools present on the Site;
  7. Fulfillment of obligations deriving from current law, regulations, or EU law (e.g., tax and accounting obligations) or management and response to requests from competent administrative, tax, and judicial authorities;
  8. Administrative, accounting, and fiscal activities such as activities related to the contract concluded through the Site, such as, by way of example, the issuance of receipts and/or invoices, the keeping of accounting records;
  9. Responding to requests for exercising the rights recognized to Users by the contract stipulated with the Data Controller, by law in relation to that contract or by the GDPR, and consequent activities.

For these purposes, the Legal Basis is the necessity to perform the pre-contractual and contractual obligations of which the User is a party (art. 6.1.b) of the GDPR) or the fulfillment of legal obligations to which the Data Controller is subject (art. 6.1.c) of the GDPR). 

Therefore, with the exception of account registration data which is optional, their processing is necessary to allow the conclusion and execution of the contract through the Site or to respond to pre-contractual requests made by the User in relation to the Site. Failure to communicate the data, therefore, will make it impossible for the User to conclude a contract through the Site and/or receive a response to the requests made.

2. Analysis and Statistical Purposes and Other Purposes Not Based on Consent

  1. Carrying out statistical analyses regarding the use of the Site, navigation, and product searches, to improve the site and the product offering sold through it;
  2. Ensuring compliance with the contractual rights of the Data Controller or demonstrating that it has fulfilled the obligations arising from the contract with the data subject or imposed by law, to prevent and/or suppress fraudulent or harmful actions;
  3. Reminding the User who has started the purchase process that they have added a product to their shopping cart.

The Legal Basis for this processing is legitimate interest (art. 6.1.f) of the Regulation). Sometimes the Legal Basis consists of legitimate interest (art. 6, paragraph 1, letter f) in conjunction with recital 47 of the Regulation) for sending transactional email communications (e.g., abandoned cart).

3. Direct Marketing and Profiling Purposes

  1. With the User’s consent, we will send commercial emails to show them updates, news, offers, and promotions, and market research, including through automated processing tools such as emails and newsletters.
  2. With the User’s consent, we will process their Personal Data to assign them particular characteristics, preferences, and send them, also through automated processing tools such as “retargeting” or through inclusion in clusters of subjects with common characteristics, personalized and diversified commercial communications, based on their profile.

For these purposes, the processing, including the final decision regarding the promotional communication to send or display to the user based on the cluster(s) of belonging, takes place automatically, without human intervention, based on algorithms whose parameters have been previously set.

The Legal Basis is the User’s express consent to the processing of personal data for these purposes (art. 6.1.a) of the Regulation). The provision of data for these purposes is optional. In case of lack of consent, revocation thereof, or exercise of the right to object, the User’s ability to make purchases on the Site will not be prejudiced in any way.

4. Soft-spam

To send commercial communications proposing the direct sale of similar products to the User’s email address provided during the purchase of products through the Site. This activity does not require the acquisition of the data subject’s prior express consent as it is exercised on the legal basis referred to in art. 130, paragraph 4, of the Privacy Code (Legislative Decree no. 196 of 30 June 2003), which expressly permits it, provided that the user does not refuse such use, initially or on the occasion of subsequent communications.

Modification of Choices and Withdrawal of Consent

In case of consent, the User may withdraw the consent given and/or object to the processing of personal data for generic marketing and profiling purposes at any time through the methods indicated in the ‘Data Subjects’ Rights’ section later in this notice.

In case of withdrawal of consent, processing carried out based on the consent given before its withdrawal will still be considered legitimate. In case of withdrawal of consent and/or objection to the processing of their data for generic marketing purposes, the user’s data will no longer be processed for that purpose and will be retained by the Data Controller only if another legal basis exists that legitimizes the processing (e.g., contractual execution; legal obligation; legitimate interest).

Retention Time

The Data Controller will process Users’ personal data for the time necessary to achieve the purposes for which such data were collected, as defined in this notice. In any case, for each of the purposes indicated, the personal data collected will be stored for the time specified below:

  1. For purposes related to the Contract: the Data Controller will process the User’s data for the time strictly necessary to carry out the individual processing activities, provided that, upon expiry of this term, the Data Controller may retain the data for the purposes and for the maximum retention periods referred to in the other sections of this notice, if relevant, and/or, in any case, in the cases established by the GDPR and/or by law.
  2. For fiscal, administrative, accounting, and legal purposes: until the expiry of the legal terms provided for the performance of each compliance and/or for the retention times provided by law. In case of account closure at the User’s initiative, the data contained therein will be retained for administrative purposes for a period of 3 months from the request for account closure.
  3. For purposes based on the legitimate interest of the Data Controller: the Data Controller will process the User’s data for the time strictly necessary to satisfy that interest, unless, in the face of disputes and/or complaints, the Data Controller needs to retain the personal data to carry out defense activities (letter k) for the subsequent 10 years (statute of limitations) or, in the presence of litigation, the further retention is determined by the duration of the litigation or by specific requests from the authority. The User can obtain more information on the legitimate interest pursued by contacting the Data Controller.
  4. For direct marketing and profiling purposes: as long as the consent is not withdrawn and in any case for a period of 12 months from when the consent was given or renewed by the User, on the occasion of a new purchase or from the date of the last contact with the User, which is understood to be, for example, the opening of the newsletter.

After these retention times, the Personal Data will be deleted, and the User will no longer be able to exercise the rights of access, erasure, rectification, and data portability.

Communication and dissemination of data

In addition to the Data Controller, in some cases, the following may have access to the Data:

1. subjects involved in the organization of the Website (for example: administrative, commercial, and marketing staff);

2. third parties who perform ancillary and instrumental tasks in relation to the Data Controller’s activities and who process personal data on behalf of the Data Controller (e.g., payment services, lawyers, accountants, system administrators, logistics companies, newsletter services);

3. public or private entities who may access the Data in compliance with the law, regulations, and provisions issued by the competent authorities; 

4. potential buyers of the Data Controller’s company and entities resulting from mergers or any other form of transformation.

These recipients, depending on the case, process Users’ personal data as persons in charge of processing, data processors, or independent data controllers. The User may request an updated list of Data Processors pursuant to Article 28 of the GDPR.

Place of Data Processing and Transfer of Data Abroad 

Data processing takes place mainly in Italy and in European Union countries. Some third-party tools may process the data of users of this website in countries outside the European Economic Area (the “Third Countries”).

Data may also be transferred to Third Countries through the use of external tools that enable certain services (e.g., newsletters, remarketing, advertising, use of social media buttons, video viewing). 

In some cases, the use of these tools may involve the transfer of personal data of users visiting this website to a Third Country for which there is no adequacy decision by the European Commission.

If there is a need to transfer data to Third Countries, the Data Controller undertakes to ensure that the country to which the data will be sent guarantees an adequate level of protection, as provided for in Article 45 of the GDPR; such transfer will be governed by the standard contractual clauses for data protection approved by the European Commission for the transfer of personal information outside the EEA pursuant to Article 46.2 of the GDPR.

Cookies

This website uses cookies. Cookies are small text files that can be installed by websites on users’ devices to make browsing more efficient and to personalize content and advertisements, provide social network features, and analyze traffic. For more information, read the Cookie Policy.

Personal Data Processing Tools

CONTACT FORM

By filling out the contact form, the User consents to the processing of the personal data entered therein and to its use to respond to requests for information. The personal data subject to processing is that requested by the form (first name, last name, company, email address, telephone number) and any other personal data that may be entered by the user in the body of the message.

NEWSLETTER

The newsletter service allows the Data Controller to send promotions and commercial communications to users via email. This Site uses the following service:

SOCIAL NETWORK BUTTONS

The User can use the social buttons to visit the social pages of the Site, through the following social tools, which in any case collect personal data of users as traffic data on the pages visited and on which they are installed. The Website provides the following social buttons:

Instagram (Meta Platforms Ireland Limited) The Instagram button is a service for interacting with the Instagram social network, provided by Meta Platforms Ireland Limited. Personal Data collected: Cookies, Usage Data, and other data as per the relevant privacy policy. Place of processing: IRELAND – UNITED STATES – Privacy Policy

Facebook (Meta Platforms Ireland Limited) The Facebook button and social widgets are services for interacting with the Facebook social network, provided by Facebook Ireland Ltd. Personal Data collected: Cookies and Usage Data. Place of processing: IRELAND – UNITED STATES – Privacy Policy

PAYMENT MANAGEMENT

PayPal (PayPal Europe S.à.r.l. et Cie, S.C.A Inc.) PayPal is a payment service provided by PayPal Europe S.à.r.l. et Cie, S.C.A Inc., which allows the User to make online payments using their PayPal credentials. Personal Data collected: Cookies and various types of Data as specified in the privacy policy of the service. Place of processing: LUXEMBOURG – Privacy Policy

Stripe (Stripe Technology Europe, Limited, and Stripe Payments Europe, Limited) Stripe is a payment management service for credit cards and online payment services provided by Stripe Technology Europe, Limited, and Stripe Payments Europe, Limited, which allows Users to make online payments using their credit cards or certain third-party online payment services. Personal data collected: Cookies and various types of Data as specified in the privacy policy of the service. Place of processing: IRELAND – Privacy Policy

STATISTICS 

Statistics services allow the Data Controller to monitor and analyze traffic data and are used to track User behavior. This Website uses the following third-party services:

REMARKETING

These services allow this Website to communicate, optimize, and offer advertisements based on the User’s past use of this Website. This activity is carried out by tracking Usage Data and using Cookies. This Website uses the following services:

Data Subjects’ Rights

Interested parties have the right to exercise the rights provided for in Articles 7, 15-22 of the Regulation. 

In particular, Users have the right to obtain: access, updating, rectification or, where interested therein, integration of the data; erasure, anonymization or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed; certification that the above operations have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case where this proves impossible or involves a manifestly disproportionate effort compared to the right being protected.

Furthermore, Users have the right to withdraw consent at any time, if the processing is based on their consent, to request data portability, i.e. to receive all personal data concerning them in a structured, commonly used and machine-readable format, to request the restriction of the processing of personal data and/or erasure (“right to be forgotten”), as well as the right to object to the processing of personal data concerning them and to the processing for the purposes of sending advertising material, direct sales, and market research.

Pursuant to the Applicable Regulations, the Data Controllers inform Users that they have the right to obtain information on (i) the origin of personal data; (ii) the purposes and methods of processing; (iii) the logic applied in the case of processing carried out with the aid of electronic instruments; (iv) the identification details of the Data Controllers and Data Processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as data processors or persons in charge of processing. 

Data subjects may exercise their rights by sending a specific communication to the Data Controller or by using the form for exercising the rights of data subjects, available at this link, to be sent, duly completed and signed and with attachments, to the Data Controller by email to: customercare@elenapenza.com

If data subjects believe that the processing of their data violates the Regulation, they also have the right to lodge a complaint with the Privacy Guarantor as the supervisory authority for the protection of personal data (Guarantor for the protection of personal data, with headquarters in Piazza Venezia n. 11 – 00187 – Rome, Italy http://www.garanteprivacy.it/).

Changes to this Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time by publicizing it to Users on this page. Users are therefore requested to consult this page frequently, referring to the date of last modification indicated at the bottom. In the event of non-acceptance of the changes made to this Privacy Policy, the User is required to cease using this Website and may request the Data Controller to remove their Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to the Personal Data collected until then. The Data Controller is not responsible for updating all the links visible in this Privacy Policy, therefore whenever a link is non-functional and/or outdated, Users acknowledge and accept that they must always refer to the document and/or section of the websites referred to by that link.

Privacy Policy updated in July 2025.