Privacy policy

Privacy Policy Last updated: April 29, 2026

This Privacy Policy describes how the www.giulianotartufi.it website manages the processing of personal data of users and visitors, in compliance with Legislative Decree 196/2003, Legislative Decree 101/2018, and EU Regulation 2016/679 (GDPR).

Data Controller

The Data Controller is GIULIANO TARTUFI S.p.A., headquartered in Pietralunga (PG), Zona Industriale Sud (VAT no. 02381170543), which guarantees compliance with data protection regulations. The Controller acts as the primary guarantor of the correct application of current regulations, promoting a proactive approach to data protection.

For any requests or information, you can contact the Controller at: info@giulianotartufi.it.

Data Processors and Recipients of Data

Personal data may be accessible to authorized staff of the Controller and to external parties appointed as Data Processors under Article 28 of the GDPR, such as technical service providers, hosting providers, communication and marketing agencies, and newsletter management platforms (Mailchimp).

When processing is entrusted to third parties, the Controller enters into a contract or other legal act with each Processor that binds the Processor to the Controller, setting out the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the Controller, as well as appropriate data protection safeguards.

The updated list of Data Processors is available upon request at info@giulianotartufi.it.

Purpose of Processing

The data processed through the Site are as follows:

Browsing data: The computer systems and software procedures used to operate this website acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of internet communication protocols (e.g., IP addresses, domain names of the computers used to connect to the site). This data is used exclusively for statistical purposes and to verify the correct functioning of the site. No data derived from the web service is disclosed or disseminated, except as necessary to comply with legal obligations.

Data voluntarily provided by the user: When a user contacts us by email or fills out a form on the site to access a service, we collect their email address and any other data they provide. We will use this information exclusively to respond to the request or to provide the requested service.

Data processed for the protection of company assets and regulatory compliance:

  • Data for the protection of Intellectual Property: To protect the content, trademarks, and other intellectual property assets on the site, browsing data (e.g., IP addresses) may be processed in order to identify and combat unlawful activities such as plagiarism, counterfeiting, data scraping, or unauthorized reproduction of content.
  • Data submitted through the Whistleblowing channel: Personal data provided as part of a report through the WHISTLELINK platform (including, where provided, identifying information of the whistleblower and of individuals mentioned in the report) is processed with the utmost confidentiality safeguards in order to manage the report in compliance with Legislative Decree 24/2023.

Newsletter Service

If a user subscribes to our Newsletter to receive promotions and updates, their email address will be used only to send the requested communications.

  • Service management: The Newsletter is managed through the Mailchimp platform. The user’s address is stored on Mailchimp’s servers and in our backups, always in a secure and confidential manner. For more details, you can review Mailchimp’s privacy policy: https://mailchimp.com/legal/privacy/.
  • Statistics: Mailchimp provides us with statistical data on who opens the Newsletter and clicks on links. We use this information to improve our content. If you prefer to avoid this tracking, you can read the Newsletters without downloading images, or copy the links in the email and paste them directly into your browser instead of clicking them.
  • Unsubscribing: Users can unsubscribe at any time by following the instructions at the bottom of each email. To permanently delete your personal data, you can write to info@giulianotartufi.it.

Cookies

In addition to the data expressly provided, other data resulting from the user’s browsing of the site may be recorded through cookies. For more details and to manage cookies, please refer to the site’s Cookie Policy.

Processing Methods

Processing is carried out using automated and/or manual tools for the time strictly necessary to achieve the purposes for which the data was collected, and in any case in compliance with applicable regulatory provisions.

Appropriate technical and organizational measures are adopted to ensure the security, integrity, and confidentiality of personal data, in compliance with Article 32 of the GDPR, including: pseudonymization and encryption of personal data where appropriate; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; procedures to promptly restore the availability of and access to personal data in the event of a physical or technical incident; and procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

Purposes of Processing

The purposes of personal data processing are as follows:

  • Managing the contractual relationship and providing the services requested by the user;
  • Sending communications related to purchased services;
  • Personalizing the browsing experience on the site;
  • Conducting statistical analyses in anonymous form to improve the site and the services offered;
  • Sending Newsletters and promotional communications, solely with the user’s consent;
  • Conducting market research and sending advertising material, with consent;
  • Preventing and countering unlawful acts that could harm company assets, including intellectual property rights, and ensuring the security of IT infrastructure;
  • Managing reports of wrongdoing received through the dedicated channel, in fulfillment of the obligations set out in Legislative Decree 24/2023, ensuring the confidentiality of the whistleblower and the proper handling of the report.

Legal Basis for Processing

The legal basis for personal data processing is:

  • Performance of a contract: for managing the services requested by the user (Art. 6(1)(b) GDPR).
  • Compliance with legal obligations: for managing whistleblowing reports and other regulatory obligations (Art. 6(1)(c) GDPR).
  • Legitimate interest of the Controller (Art. 6(1)(f) GDPR): for the protection of intellectual property, IT security, and legal defense, following a balancing assessment between the interests of the Controller and the fundamental rights and freedoms of data subjects, based on criteria of necessity, proportionality, and non-excess. The Controller has internally documented this balancing test in accordance with the accountability principles set out in Art. 5(2) of the GDPR, demonstrating that the processing does not cause disproportionate harm to data subjects and adopting appropriate technical and organizational safeguards to minimize the impact on their rights.
  • User consent (Art. 6(1)(a) GDPR): for sending promotional communications, profiling, geolocation, and disclosure to third parties for marketing purposes. Consent is always optional, specific, informed, and can be withdrawn at any time.

Recipients and Data Transfer

Data may be accessible to authorized staff of the Controller and to external parties (e.g., technical service providers, hosting providers, communication agencies) appointed as Data Processors under Article 28 of the GDPR. The data will not be disclosed, but may be shared with entities or authorities to comply with legal obligations.

The updated list of processors is available upon request at info@giulianotartufi.it.

Transfer to Third Countries

Personal data is processed on servers located within the European Union.

Should a transfer to non-EU countries lacking an adequacy decision from the European Commission under Article 45 of the GDPR become necessary, the Controller will adopt appropriate safeguards as provided for in Articles 46 et seq. of the GDPR, such as:

  • Standard Contractual Clauses approved by the European Commission under Art. 46(2)(c) of the GDPR;
  • Binding Corporate Rules under Art. 47 of the GDPR;
  • Approved codes of conduct under Art. 40 of the GDPR, together with the binding commitment of the recipient in the third country;
  • Approved certification mechanisms under Art. 42 of the GDPR, together with the binding commitment of the recipient in the third country.

In any case, before proceeding with the transfer, the Controller will ensure that data subjects have enforceable rights and effective remedies available, informing them of the transfer and the safeguards adopted in accordance with Articles 13 and 14 of the GDPR.

Currently, no systematic transfers of personal data to third countries are planned. Should this situation change, data subjects will be informed in advance through an update to this Privacy Policy.

Place of Data Processing

Processing related to the web services of this site takes place at the Controller’s headquarters and is handled only by designated technical staff. If necessary, data related to the Newsletter service may be processed by staff of the company that manages the data center (a Data Processor under Art. 28 GDPR).

Data Retention Periods

The Controller retains personal data for the time strictly necessary to achieve the purposes for which it was collected, in compliance with the storage limitation principles set out in Art. 5(1)(e) of the GDPR:

  • Contractual data: retained for the duration of the relationship and, thereafter, for the period required by law for civil and tax purposes (10 years from the end of the relationship, unless specific legal obligations require longer retention). At the end of this period, the data will be deleted or anonymized, unless further retention is necessary to establish, exercise, or defend a legal claim, or to comply with specific legal obligations.
  • Data for marketing purposes: retained until the data subject withdraws consent. In the absence of express withdrawal, the data will in any case be deleted 24 months after the user’s last active contact (opening a newsletter, clicking a link, interacting with communications), unless consent is renewed.
  • Data collected through the whistleblowing channel: retained for the time necessary to manage the report and any resulting proceedings. In the absence of specific regulatory provisions on the retention period, the Controller applies the principle of storage minimization under Art. 5(1)(e) of the GDPR, deleting the data within a maximum period of five years from the date the final outcome of the reporting procedure is communicated. After this period, the data will be deleted using secure destruction methods, unless retention is necessary to establish, exercise, or defend a legal claim, or to comply with specific legal obligations.
  • Data for the protection of intellectual property: retained for the time necessary to ensure legal defense or to pursue the unlawful act, in compliance with the applicable statute of limitations under the Italian Civil Code (ordinarily 10 years under Art. 2946 of the Civil Code, reduced to 5 years for tort liability claims under Art. 2947 of the Civil Code). Once the statute of limitations has expired and in the absence of pending litigation, the data will be deleted.

The Controller adopts internal procedures for periodic review of retained data and automatic deletion once the relevant deadlines are reached, in compliance with the accountability principle under Art. 5(2) of the GDPR.

Mandatory or Optional Nature of Data Provision

Aside from what is specified regarding automatically acquired browsing data, users are free to provide their personal data. Failure to provide such data may make it impossible to obtain the requested service.

Rights of Data Subjects

Data subjects may exercise the following rights under the GDPR at any time:

  • Right of access (Art. 15 GDPR),
  • Rectification (Art. 16 GDPR), Erasure (Art. 17 GDPR),
  • Restriction of processing (Art. 18 GDPR),
  • Data portability (Art. 20 GDPR),
  • Objection to processing (Art. 21 GDPR),
  • Withdrawal of consent for optional processing, without affecting the lawfulness of processing based on consent given before withdrawal,
  • Lodging a complaint with the Supervisory Authority (Garante per la Protezione dei Dati Personali, garanteprivacy.it).

Requests must be sent in writing to info@giulianotartufi.it. The Controller will respond without undue delay and, in any case, within one month of receiving the request, as provided by Art. 12(3) of the GDPR. This period may be extended by two months if necessary, taking into account the complexity and number of requests; in such cases, the Controller will inform the data subject of the extension and the reasons for the delay.

Automated Decision-Making

No automated decision-making processes, including profiling under Art. 22 of the GDPR, are carried out on the data collected.

Consent Management

Consent is requested separately for each of the following optional activities:

  • Geolocation: the user may consent to the Controller detecting their geographic location, including through third-party applications, solely to improve the management and operation of the site.
  • Profiling: the user may consent to the processing of their personal data for profiling activities aimed at analyzing purchasing tastes and preferences, including through the use of cookies.
  • Disclosure to third parties for marketing purposes: the user may consent to the use of their personal data for disclosure to third-party, controlled, or affiliated companies for marketing purposes.

Consent for each purpose is freely given, specific, and can be withdrawn at any time without affecting the lawfulness of processing based on consent given before the withdrawal.

Updates

This Privacy Policy may be updated and modified over time. Users are encouraged to periodically check this page. The updated version will be published on the site along with the date of the last update.