Privacy Policy

Information on the Protection of Personal Data

Data Controller: for the purposes of this policy, Data Controller means Nabu Srls, VAT number and tax code:17068421001, located at Via Umberto Biancamano 23, 00185 Rome (RM), e-mail: info@nabufashion.it, tel: 06.69403706.

*****

Pursuant to and for the purposes of Article 13 of Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such Data (the “Regulations” or the “GDPR”) and Legislative Decree No. 196 of June 30, 2003, no. 196 “Code for the Protection of Personal Data” (“Code“) (Code and Regulations also jointly defined as “Regulations“), data subjects (“Data Subjects“) are hereby informed that their Personal Data will be processed in accordance with the applicable Regulations and as specified below.

Definitions

• Authorized, the natural persons authorized to carry out Processing operations under the direct authority of the Controller or the Person in charge, pursuant to Article 29 of the Regulations and Article 2-quaterdecies of the Code.
• Communication, the giving of knowledge of the Personal Data to one or more determined parties other than the Data Subject, the Data Controller’s representative in the territory of the State, the Data Processor and the Authorized Persons, in any form, including by making them available or consulting them.
• Designates, the natural persons who are assigned specific tasks and functions related to the processing of Personal Data and who operate under the authority of the Data Controller or the Data Processor, pursuant to Article 2-quaterdecies of the Code.
• Personal Data or Data, any information relating to a natural person who is identified or identifiable, even indirectly, by reference to any other information, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural, or social identity.
• Dissemination, the giving of knowledge of Personal Data to unspecified individuals, in any form, including by making it available or consulting it.
• Guarantor, the supervisory authority referred to in Article 51 of the Regulations.
• Information or Privacy Policy, this document.
• Data Subject means the natural person to whom the Personal Data refers. For the purposes of this Policy, the terms “Data Subject” and “User” are synonymous.
• Security Measures, the set of technical, IT, organizational, logistical and procedural measures taken by the Controller to ensure a level of security appropriate to the risk of the Processing, pursuant to Article 32 of the Regulation.
• Products, means the products sold by the Owner through the Site.
• Data Controller means the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Data Controller.
• Site, means the site that can be reached at nabukids.com and/or nabufashion.co.uk
• Data Controller means the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Data Controller or the specific criteria applicable to its designation may be determined by Union or Member State law. For the purposes of this Notice, the terms “Data Controller” and “Vendor” are synonymous.
• Processing means any operation or set of operations, performed with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, Communication by transmission, Dissemination or any other form of making available, comparison or interconnection, restriction, erasure or destruction.

Information on the Processing of Personal Data

1. Context of Treatment

This Policy is made by the Owner in relation to the following context: e-commerce of Nabu Srls.

2. Treatments performed

The Data collected, the purposes for which it is processed, the legal basis, and the retention times are given below in analytical form.

Data processed	Purpose	Legal basis	Storage time
IP address browsing data	Delivery of services offered by the Site.	The Processing is necessary for the performance of a contract to which the Data Subject is a party or for the performance of pre-contractual measures taken at the request of the same [Art. 6 letter b) GDPR].	Browsing Data are deleted within 30 days from the time of collection, without prejudice to any need to ascertain crimes by the judicial authorities.
Whatsapp user name IP address	Provision of the whatsapp chat service accessible from the Site.	The Processing is necessary for the performance of a contract to which the Data Subject is a party or the execution of pre-contractual measures taken at the request of the same [Art. 6 lett. b) GDPR]	Messages received by the Data Controller will be retained for a maximum period of 24 months.
IP address browsing data	The Processing is carried out to perform statistical analysis on the use of the site in order to improve the services offered by the site and the user experience.	Processing is necessary for the pursuit of the legitimate interest of the data controller or third parties[art. 6 lett. f) GDPR]	24 months after connection
NameSurnameE-mail or telephone numberDelivery address	Fulfillments related to the delivery of the purchased Products and possible return.	The Processing is necessary for the performance of a contract to which the Data Subject is a party or the performance of pre-contractual measures taken at the request of the same [art. 6 letter b) GDPR]	10 years from the purchase of the Products (expiration of the statutorily applicable limitation period)
NameSurnameData related to the purchase made.	Accounting Management	Processing is necessary to fulfill legal obligations	10 years from the issuance of the relevant accounting document (expiration of the statutorily applicable limitation period)
LastNamee-mail	Sending of e-mails by which the Vendor notifies the User that the product of which he/she had requested to be put into production, because it was no longer available, is now available again.	The Processing is necessary for the performance of a contract to which the Data Subject is a party or the execution of pre-contractual measures taken at the request of the same [Art. 6 lett. b) GDPR]	1 year from the sending of the first e-mail notice by the Seller
e-mail	Sending to the Interested Party commercial communications by e-mail regarding Products similar to those purchased by the User (so-called soft spam).	The Treatments put in place for this purpose are carried out on the basis of a legitimate interest of the Data Controller (recital 47 Regulations and art. 130 paragraph IV° Legislative Decree 196/2003) and the consent of the Interested Party is not required, subject to the right to oppose subsequent	48 months from the last purchase
e-mail	Sending of commercial communications to the Data Subject by e-mail.	Processes put in place for this purpose are carried out based on the consent of the Data Subject	48 months from the provision of consent or until the revocation of consent by the Data Subject, whichever is earlier

3. Methods of Processing and Categories of Recipients.

1. Unless otherwise expressly provided for in this Notice, the Data Subject is informed that the Processing of his or her Personal Data is carried out by means of manual systems and/or computer, telematic or otherwise automated systems, in accordance with the principles of relevance, lawfulness, correctness and purpose provided for in the Regulations.
2. The Data Controller processes the Personal Data of the Data Subject by adopting appropriate Security Measures aimed at minimizing the risks of unauthorized access, Dissemination, loss and destruction of the said Data, pursuant to the Regulations.
3. The Data Subject is also informed that the Processing of Personal Data for the fulfillment of the aforementioned purposes may be carried out by the Data Controller either directly or by availing itself of the collaboration of other parties, in the capacity of Responsible, Designated or Authorized Persons (e.g., employees and/or collaborators of the Data Controller).
4. The Data Subject is informed that Personal Data may be disclosed to the following categories of External Data Processors:

• Analytics service providers (GA4, Facebook Pixel, Google Tag Manager)
• Hosting service providers
• E-mail service providers
• Transportation company for product delivery
• Messaging service providers
• Newsletter and email-marketing service providers
• Accountant

The Data Subject is hereby informed that the processing put in place by the following categories of recipients is put in place by them as autonomous data controllers:

• third party payment services. The Data Subject is informed, in fact, that in the case of payments made through third-party payment services, the Personal Data provided by the Data Subject to make the payment will be processed exclusively by the latter and will not pass through the Data Controller’s servers.

1. The complete and updated list of Responsible Persons may be consulted at any time by request to be sent to the e-mail address indicated at the beginning of this Notice.

4. Data Transfer

1. The Data Subject is informed that the Personal Data processed by the Data Controller may be transferred to other countries that are part of the European Union.
2. The Data Subject is informed that the Personal Data processed by the Data Controller may be transferred to other countries outside the European Union, for which there is a Commission adequacy decision or for which additional security measures are applied as a result of an assessment by the Data Controller of the impact of the transfer on the rights and freedoms of the Data Subject.
3. Rights of the Interested Party
4. The Interested Party may exercise at any time, by means of a notice to be sent to the addresses indicated at the beginning of this Notice, the rights provided for in the Regulations under Articles 15-22. In particular:

• The Data Subject has the right to request access to Personal Data from the Data Controller, pursuant to and within the limits of Article 15 of the Regulations.
• The Data Subject has the right to request the Data Controller to rectify inaccurate Personal Data, pursuant to and within the limits of Article 16 of the Regulations.
• The Data Subject has the right to request from the Data Controller the deletion of Personal Data, pursuant to and within the limits of Article 17 of the Regulations.
• The Data Subject has the right to request the Data Controller to restrict the Processing of Personal Data, pursuant to and within the limits of Article 18 of the Regulations.
• The Data Subject has the right to request from the Data Controller the communication of his or her Personal Data in a structured and machine-readable format, pursuant to and within the limits of Article 20 of the Regulations.
• The Data Subject has the right to object to the Processing by the Data Controller, pursuant to and within the limits of Article 21 of the Regulations.
• The Data Subject has the right to file a complaint with a supervisory authority.
• The Data Subject has the right to revoke consent with respect to those Processing operations that are based on this legal basis. Pursuant to Articles 7(3) and 13(2)(c) of the Regulations, the Data Subject is informed that, in any case, revocation of consent does not affect the lawfulness of the Processing based on the consent prior to the revocation.

6. Changes to this Privacy Policy
7. The Owner reserves the right to make changes to this Privacy Policy at any time, giving notice to Data Subjects by posting it on the Site.

This Policy was published on 5/20/2024.