Privacy Policy

Last Update:

21-07-2023

Introduction

With this Privacy Policy, provided pursuant to Article 13 of Regulation (EU) 2016/679 ("GDPR" or "Regulation"), we wish to inform the User about the methods by which their Personal Data (i.e., any information that can directly or indirectly identify them) will be processed when visiting and/or making purchases on the website www.thundervm.com (hereinafter, the "Site"). This information, together with the Cookie Policy and the Terms of Use and General and Specific Service Conditions, establishes the basis on which Users' personal data will be processed.

Controller of Personal Data Processing

The Data Controller for the personal data collected through the Site is: VirtSYS IT S.r.l.s. unipersonale, with registered office in Gela (CL), via Venezia 175, zip code 93012, VAT number IT02111100851 (hereinafter referred to as the "Data Controller"), email address: [email protected].

Methods of Personal Data Processing

We greatly value the right to privacy and the protection of personal data of our Users, which will be processed lawfully. The Personal Data provided or acquired will be subject to processing based on the principles of fairness, lawfulness, transparency, and protection of confidentiality, in accordance with applicable regulations, through appropriate security measures aimed at preventing unauthorized access, disclosure, alteration, or destruction of Personal Data. The processing is carried out using computer and/or telematic tools, with organizational methods and logics strictly related to the specified purposes.

Processed Personal Data

When the User visits the Site, contacts us (via email, telephone, postal mail, etc.), subscribes to the newsletter, or places an order, we process certain Personal Data, either independently or through third parties. We list the categories of personal data processed:

1. Identification, contact, and access data: name and surname, email address, shipping address, telephone number, and account login credentials, as well as any other Personal Data voluntarily provided by the User.

2. Purchase data: data related to the purchases made.

3. Browsing data: related to the connection, IP addresses, domain names, and other parameters concerning the browser and operating system used.

4. Usage data: information generated by visiting the Site or making purchases, including log data, registration data, interaction and transaction processes, performance indicators, navigation flows, and usage of features.

5. Billing and payment data: any VAT number, bank account number or IBAN for bank transfer payments, tax code, address, and, if applicable, company name.

Please note that this information is subject to processing according to the principles of fairness, lawfulness, transparency, and confidentiality protection as per the applicable regulations and through appropriate security measures.

Purpose of Processing and Legal Basis

The Data Controller will process the Users' Personal Data, as listed above, for the performance of its economic and commercial activities, for the specific purposes indicated below.

1. Purposes related to the Contract and Legal Obligations:

a. Website navigation;

b. Registration and management of the account (recovery of credentials, deletion, etc.) and use of related services;

c. Activities necessary for the conclusion of the contract for the purchase of products sold through the Site and its execution;

d. Processing of orders;

e. Customer support and care, as well as responding to requests, complaints, reports, and disputes from Users via email to the Data Controller's addresses or through other communication channels;

f. Handling User requests through remote communication tools, such as email, chat, phone, SMS, chatbot, banners, notification systems, and other remote communication tools present on the Site;

g. Fulfillment of obligations arising from current laws, regulations, or community legislation (e.g., tax and accounting obligations), or management and response to requests from competent administrative, tax, and judicial authorities;

h. Administrative, accounting, and tax activities related to the contract concluded through the Site, such as issuing receipts and/or invoices, keeping accounting records;

i. Responding to requests for the exercise of rights recognized to Users by the contract concluded with the Data Controller, by law in relation to such contract, or by the GDPR, and related activities.

For these purposes, the legal basis is the necessity to fulfill pre-contractual and contractual obligations in which the User is a party (Art. 6.1.b) of the GDPR), or the compliance with legal obligations to which the Data Controller is subject (Art. 6.1.c) of the GDPR). Therefore, except for the optional account registration data, their processing is necessary to allow the conclusion and execution of the contract through the Site or to respond to pre-contractual requests made by the User regarding the Site. Failure to provide the data will result in the User's inability to conclude a contract through the Site and/or receive a response to the requests made.

2. Purposes of analysis and statistics and other purposes not based on consent:

j. Conduct statistical analysis regarding the use of the Site, navigation, product searches, to improve the site and the offering of products sold through it;

k. Ensure compliance with the contractual rights of the Data Controller or demonstrate compliance with obligations arising from the contract with the data subject or imposed by the law, to prevent and/or suppress fraudulent or harmful actions;

l. Remind the User, who has initiated the purchase process, that they have placed a product in their shopping cart.

The legal basis for this processing is legitimate interest (Art. 6.1.f) of the Regulation). Sometimes, the legal basis consists of legitimate interest (Art. 6, paragraph 1, letter f) combined with Recital 47 of the Regulation) for sending transactional email communications (e.g., abandoned cart emails).

3. Direct Marketing and Profiling Purposes:

m. With the User's consent, we will send commercial emails to show updates, news, offers, promotions, market research, also through automated processing tools such as emails and newsletters.

n. With the User's consent, we will process their Personal Data to attribute specific characteristics and preferences, and send personalized and diversified commercial communications based on their profile, also through automated processing tools such as "retargeting" or by placing them in clusters of subjects with common characteristics.

For these purposes, the processing, including the final decision on the promotional communication to be sent or displayed to the user based on their cluster(s), is carried out in an automated manner, without human intervention, based on algorithms with pre-set parameters. The legal basis is the User's expressed consent to the processing of personal data for these purposes (Art. 6.1.a) of the Regulation). Providing data for these purposes is optional. In case of lack of consent, withdrawal of consent, or exercise of the right to object, it will not in any way affect the User's ability to make purchases on the Site.

4. Soft-spam:

To send commercial communications proposing the direct sale of similar products to the email address provided by the User during the purchase of products through the Site. This activity does not require obtaining the prior explicit consent of the data subject, as it is based on the legal basis provided by Art. 130, paragraph 4, of the Privacy Code (Legislative Decree of June 30, 2003, no. 196), which expressly allows it, provided that the user does not refuse such use initially or on the occasion of subsequent communications.

Changes to Choices and Withdrawal of Consent

If consent is given, the User may revoke the provided consent and/or object to the processing of personal data for generic marketing and profiling purposes at any time through the methods indicated in the 'Rights of Data Subjects' section later in this notice. In case of revocation of consent, the processing carried out based on the consent given before its revocation will still be considered legitimate. If consent is revoked and/or there is an objection to the processing of data for generic marketing purposes, the User's data will no longer be processed for such purposes and will be retained by the Data Controller only if there is another legal basis that legitimizes the processing (e.g., contractual performance; legal obligation; legitimate interest).

Retention Period

The Data Controller will process the Users' personal data for the time necessary to achieve the purposes for which such data were collected, as defined in this notice. However, for each of the indicated purposes, the collected personal data will be retained for the following specified periods:

1. For purposes related to the Contract, the Data Controller will process the User's data for the time strictly necessary to carry out individual processing activities. After this period, the Data Controller may retain the data for the purposes and maximum retention periods indicated in other sections of this notice, if relevant, and/or in cases established by the GDPR and/or the law.

2. For tax, administrative, accounting, and legal purposes, until the expiration of the legal terms required for each compliance and/or for the retention periods provided by law. In case of account closure initiated by the User, the data contained in it will be retained for administrative purposes for a period of 3 months from the account closure request.

3. For purposes based on the Data Controller's legitimate interest, the data of the User will be processed for the time strictly necessary to fulfill such interest, except in cases where the Data Controller needs to retain personal data to defend against disputes and/or claims (letter k) for 10 years (statute of limitations) or, in the presence of litigation, further retention is determined by the duration of the litigation or specific requests from authorities. The User can obtain more information about the legitimate interest pursued by contacting the Data Controller.

4. For direct marketing and profiling purposes, the data will be processed until the consent is revoked and in any case for a period of 12 months from when the consent was given or renewed by the User, on the occasion of a new purchase or from the date of the last contact with the User, including, for example, the opening of the newsletter.

After these retention periods, the Personal Data will be deleted, and the User will no longer be able to exercise the rights of access, deletion, rectification, and data portability.

Communication and Disclosure of Data

In addition to the Data Controller, in some cases, the Data may be accessed by:

1. Subjects involved in the organization of the Website (for example: administrative, commercial, marketing personnel);

2. Third-party entities performing ancillary and instrumental tasks related to the Data Controller's activities and processing personal data on behalf of the Data Controller (for example: payment services, legal advisors, accountants, system administrators, logistics companies, newsletter services);

3. Public or private entities that may access the Data in compliance with the law, regulations, and measures issued by the competent authorities;

4. Potential buyers of the Data Controller's company and entities resulting from mergers or any other form of transformation.

Depending on the cases, these recipients may process Users' personal data as data processors, data controllers, or independent data controllers. The User can request an updated list of data processors as referred to in Art. 28 of the GDPR.

Location of Processing and Transfer of Data Abroad

The processing of data takes place mainly in Italy and in countries of the European Union. Some third-party tools may process data of users of this website in countries outside the European Economic Area (the "Third Countries"). The transfer of data to Third Countries may also occur through the use of external tools that provide certain services (e.g., newsletter, remarketing, advertising, social media sharing, video display). Sometimes, the use of such tools may involve the transfer of personal data of users visiting this website to a Third Country, such as the United States, for which there is no decision of adequacy by the European Commission. If there is a need to transfer data to Third Countries, the Data Controller commits to ensuring that the country to which the data will be sent provides an adequate level of protection, as provided for in Article 45 of the GDPR. Such transfer will be governed based on the standard contractual clauses for the transfer of personal data outside the EEA approved by the European Commission in accordance with Article 46.2 of the GDPR.

Cookies

This website uses cookies. Cookies are small text files that websites can install on users' devices to make browsing experience more efficient, personalize content and ads, provide social media functions, and analyze traffic. For more information, please read the Cookie Policy.

Tools for Processing Personal Data

LIVE CHAT

Crisp Chat (Crisp IM SAS)

The live chat service "Crisp Chat" can be used by users to access assistance or customer care services before, during, and after purchase. The service is provided by Crisp IM SAS and may use various technologies to collect and store information when using the integrated services, which may include the use of cookies and similar tracking technologies. For details about the processing methods, please review the Data Processing Terms of Crisp Chat and the Terms of Service of Crisp Chat. Collected data: phone number, email, usage data, cookies. Location of processing: FRANCE - Privacy Policy.

NEWSLETTER

The newsletter service allows the Data Controller to send promotions and commercial communications to users via email. This Website uses the following service:

Mailjet (Sinch Email)

Mailjet is an address management and email sending service provided by Sinch Email. Processing location: GERMANY - BELGIUM – View the Privacy Policy of the service to learn about the data processed by it. If the User does not want their personal data to be managed by Mailjet, they will need to unsubscribe from the newsletter. For this purpose, the Data Controller provides an unsubscribe link in each commercial communication.

PAYMENT MANAGEMENT

Stripe (Stripe Inc.)

Stripe is a payment service provided by Stripe Inc., which allows the User to make online payments using a credit card.

Processed Personal Data: various types of Data as specified in the privacy policy of the service. Location of processing: Refer to Stripe's Privacy Policy for more information.

PayPal (Paypal Europe S.à.r.l. et Cie, S.C.A Inc.)

PayPal is a payment service provided by Paypal Europe S.à.r.l. et Cie, S.C.A Inc., which allows the User to make online payments using their PayPal credentials. Collected personal data: Cookies and various types of Data as specified in the privacy policy of the service. Location of processing: LUXEMBOURG - Refer to PayPal's Privacy Policy for more information.

STATISTICS

Statistical services allow the Data Controller to monitor and analyze traffic data and track User behavior. This website uses the following third-party services:

Google Analytics (Google Ireland Limited)

Google Analytics is an analytics service provided by Google Ireland Limited. Google uses the Personal Data collected to track and examine the use of this website, compile reports, and share them with other Google services. Google may use the Personal Data to contextualize and personalize the ads of its own advertising network. Google may also transfer this information to third parties where required to do so by law or where such third parties process the information on Google's behalf. The IP address transmitted by the User's browser as part of Google Analytics will not be associated with any other data held by Google. In some cases, the use of Google Analytics may involve the transfer of personal data of users visiting this website to a third country, such as the United States, for which there is no adequacy decision by the European Commission. The following link https://tools.google.com/dlpage/gaoptout?hl=it provides the browser add-on by Google for disabling Google Analytics. Personal Data collected: Cookies, IP address, Usage Data, and other personal data as defined in Google's privacy policy. Location of processing: IRELAND and in some cases UNITED STATES – Privacy Policy (https://policies.google.com/privacy?hl=it)

Rights of Data Subjects

Interested parties have the right to exercise the rights provided by Articles 7, 15-22 of the Regulation. In particular, Users have the right to obtain: access, update, rectification, or, when interested, integration of data; erasure, anonymization, or blocking of data processed unlawfully, including data that does not need to be retained for the purposes for which it was collected or subsequently processed; certification that the operations mentioned above have been made known to those to whom the data was communicated or disclosed, except in cases where this proves impossible or involves a disproportionate effort compared to the protected right. Furthermore, Users have the right to revoke consent at any time if the processing is based on their consent, to request data portability (i.e., to receive all personal data concerning them in a structured, commonly used, and machine-readable format), to request the limitation of the processing of personal data and/or the deletion ("right to be forgotten"), as well as the right to object to the processing of personal data concerning them and to the processing for the purposes of sending advertising material, direct sales, and conducting market research. According to the Applicable Law, the Data Controllers inform that Users have the right to obtain information on (i) the origin of personal data; (ii) the purposes and methods of processing; (iii) the logic applied in case of processing carried out with the help of electronic means; (iv) the identity details of the Data Controllers and processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it as processors or persons in charge. Interested parties can exercise their rights by sending a specific communication to the Data Controller or using the form to exercise the rights of interested parties, available at this link, duly filled out and signed, to the Data Controller via email at: [email protected]. If interested parties believe that the processing concerning them violates the Regulation, they also have the right to lodge a complaint with the Privacy Authority, the supervisory authority for the protection of personal data (Garante per la protezione dei dati personali), with its headquarters located at Piazza Venezia n. 11 - 00187 – Rome (https://www.garanteprivacy.it/).

Changes to this Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time by giving notice to Users on this page. Therefore, please review this page often, referring to the last modified date shown at the bottom. If the User does not agree with the modifications made to this Privacy Policy, they must discontinue using this website and may request the Data Controller to remove their Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to Personal Data collected up to that point. The Controller is not responsible for updating all the links displayed in this Privacy Policy; therefore, whenever a link is not working and/or updated, Users acknowledge and agree that they should always refer to the document and/or section of the websites referenced by that link.