PRIVACY POLICY – WEBSITE
Information document pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (GDPR)
WHY THIS INFORMATION?
Pursuant to Regulation (EU) 2016/679 (hereinafter "GDPR"), this page describes how we process personal data. This notice is provided pursuant to Art. 13 of the GDPR. It does not apply to other third-party websites that may be accessed via links on this website, for which we assume no responsibility.
Processable personal data
- Personal data : any information relating to an identified or identifiable natural person (' data subject '); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (C26, C27, C30 GDPR).
- Contractor/user data.
- Browsing data: The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters relating to the user's operating system and IT environment.
- Data communicated voluntarily: The optional, explicit, and voluntary sending of messages to the contact addresses indicated on this site and/or the completion of data collection forms entails the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data entered.
Information on the processing of personal data carried out through social media platforms
Regarding the processing of personal data by the managers of the social media platforms used by the Data Controller, please refer to the information provided in their respective privacy policies. The Data Controller processes the personal data provided by users through the pages of dedicated social media platforms to manage interactions with users (comments, public posts, etc.) and in compliance with applicable legislation.
Specific information
Specific information may be present on the pages of the Site in relation to particular services or processing of the data provided.
Cookies and other tracking systems. What are they? What are they used for?
For cookies and other tracking systems, see the cookie policy in the footer of the site and at the following link .
1. WHO IS THE DATA CONTROLLER? HOW CAN I CONTACT THEM?
The Data Controller is A&D SpA Food and Dietetic Group , with registered office in Strada 2, Palazzo C1, Assago Milanofiori (MI), in the person of its legal representative pro-tempore, who can be contacted for any information by telephone +39 02 5770791, e-mail address privacy@aedgruppo.it .
2. PURPOSE OF THE PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD AND NATURE OF THE PROVISION
|
PURPOSE OF THE PROCESSING |
LEGAL BASIS |
RETENTION PERIOD |
NATURE OF THE CONTRIBUTION |
|
Browsing this website. The data necessary for the use of web services are also processed for the purpose of: •obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or day, geographical areas of origin, etc.); •check the correct functioning of the services offered. |
Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, taking into account the reasonable expectations of the data subject and the activities strictly necessary for the operation of the site and for navigation itself (Art. 6, par. 1, letter f, and C47 of the GDPR).
|
Browsing data will be stored for the duration of the browsing session and in any case will not persist for more than seven days. (except where the judicial authorities may need to ascertain crimes).
|
Providing your data is necessary to navigate the website.
|
|
Use of cookies and similar technologies. See the cookie policy in the footer of the site. |
For cookies and similar non-technical/necessary technologies, processing is based on consent to the processing of personal data (Article 6, paragraph 1, letters a and C42 and C43 of the GDPR). Consent is given through the banner and the site's cookie policy. |
See the cookie policy in the footer of the site. |
See the cookie policy in the footer of the site. |
In addition to browsing, personal data will be processed for:
|
PURPOSE OF THE PROCESSING |
LEGAL BASIS |
RETENTION PERIOD |
NATURE OF THE CONTRIBUTION |
|
A) CONTACTS, INFORMATION REQUESTS , and CUSTOMER CARE : Through the contact details provided, we will collect and respond to requests and provide assistance for any needs related to the use of the site and the purchase of our products.
|
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6, paragraph 1, letter b) and C44 of the GDPR). |
Maximum 12 months |
The transfer is necessary. Failure to provide the necessary data will make it impossible to be contacted or obtain what you have requested from the Data Controller. |
|
B) ONLINE PURCHASES AND RELATED ADMINISTRATIVE ACCOUNTING ACTIVITIES (e.g. order management, invoicing, payments, shipment processing and management of any returns, management of any credit and related pre-contractual/contractual obligations).
|
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6, paragraph 1, letter b) and C44 of the GDPR). |
10 years from purchase for administrative and accounting purposes. |
The transfer is necessary. Failure to provide the necessary data will make it impossible to conclude and execute the purchase contract for goods offered by the Data Controller. |
|
C) DIRECT MARKETING , for sending advertising or direct sales material or for carrying out market research, commercial and promotional communications, newsletters, via automated means (email, SMS, instant messaging) and traditional means (telephone and paper mail). [SM4] Communications may contain promotional activities and/or logos of third-party partners and companies belonging to the Group. Personal data will not be disclosed. For a complete list of Group companies and partners, interested parties can write to privacy@aedgruppo.it .
|
The processing is based on consent to the processing of personal data (Article 6, paragraph 1, letter a) and C42-43 of the GDPR). |
Until consent is revoked (or opt-out). |
Providing data is optional. Failure to provide the necessary data will make it impossible to receive direct marketing communications. |
|
D) NON-AUTOMATED PROFILING: Personal data will be entered into company databases/CRMs/platforms for the purpose of carrying out analyses, evaluations, and dividing interested parties into homogeneous groups based on specific company activity characteristics, for better management of services, and for sending targeted promotional communications.
|
The processing is based on consent to the processing of personal data (Article 6, paragraph 1, letter a) and C42-43 of the GDPR). |
Until consent is revoked and in any case for a maximum of 12 months. |
Providing data is optional. Failure to provide the necessary data will make it impossible to perform analyses and send targeted promotional communications.
|
|
E) REGISTRATION IN THE CUSTOMER AREA , to allow the user to create an account, to manage it and to be able to use the related services. |
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6, paragraph 1, letter b) and C44 of the GDPR). |
Until the contract is terminated or the account is deleted, in any case without prejudice to the technical time required to disable the credentials. |
The transfer is necessary. Failure to provide the required data will result in the inability to access the reserved area.
|
|
F) MANAGEMENT OF LEGAL ISSUES that may arise in relation to the contractual or non-contractual relationship. |
Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6, paragraph 1, letter f) and Articles 47–50 of the GDPR).
|
Until the existing relationship exists and until it expires for the time necessary for the defense in court. |
Providing data is necessary. The refusal must be balanced against the legitimate interest of the Data Controller indicated in the purposes of this point. |
|
G) ABANDONED CART REMINDER. |
Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6, paragraph 1, letter f) and Articles 47–50 of the GDPR).
|
For the time needed to send reminder emails for your abandoned cart ( maximum 48 hours ). |
This information becomes mandatory only when finalizing the purchase (adding the product to the cart). |
|
H) MANAGEMENT OF YOUR REQUESTS and requests from other interested parties, pursuant to art. 15 et seq. of the GDPR (rights of the interested party). |
Processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Article 6, paragraph 1, letter c) and Article 45 of the GDPR). |
5 years from the closure of the request, barring disputes.
|
The provision of personal data is mandatory, as it is essential to comply with legal obligations.
|
3. TO WHOM WILL THE PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS
Personal data will be disclosed to entities that will process the data as independent Data Controllers or Data Processors (Article 28 GDPR) and processed by natural persons (Article 29 GDPR) acting under the authority of the Data Controller and the Processors based on specific instructions provided regarding the purposes and methods of processing, for specific purposes based on the relevant area. The data will be disclosed to recipients belonging to the following categories: - entities that provide services for the website and communication networks, including email, hosting, and website management; - freelancers, firms, or companies in the context of assistance and consultancy relationships; - Group companies and commercial partners of the Data Controller, entities belonging to the distribution network and service and logistics companies, couriers; - entities that provide services for the management of the activities indicated in the purposes above (communications entities, press agencies, websites, etc.); - banks and credit institutions; - Competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request.
Additionally, your data will be processed by Whatsapp (Meta) for participation in the contest, both within and outside the European Economic Area (EEA). For data transfers outside the EEA, see paragraph 6 below.
The list of Data Processors is available by writing to privacy@aedgruppo.it or using the other contact details indicated above.
4. WILL THE DATA BE TRANSFERRED TO NON-EEA COUNTRIES?
The personal data provided will be transferred outside the EEA.
In any case, the Data Controller has decided to rely on providers that provide adequate guarantees, specifically adherence to the "Data Privacy Framework," an adequacy decision that allows data to be securely transferred from the European Economic Area to participating US companies, without the need for additional data protection guarantees (Article 45 GDPR). For more information about WhatsApp, click here.
5. IS THERE AN AUTOMATED PROCESS?
Personal data will be processed manually, electronically, and automatically. Please note that no fully automated decision-making processes are used.
6. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?
You may exercise your rights as set forth in Articles 15 et seq. of the GDPR by contacting the Data Controller at the email address privacy@aedgruppo.it , or to the contact details indicated above. You have the right, at any time, to request access to your personal data (Article 15), rectification (Article 16), erasure (Article 17), and restriction of processing (Article 18). The Data Controller communicates (Article 19) any rectification, erasure, or restriction of processing to each recipient to whom the personal data has been disclosed. The Data Controller informs the data subject of these recipients upon request. In the cases provided for, you have the right to data portability (Article 20), and, in such case, your data will be provided to you in a structured, commonly used, and machine-readable format. You have the right to object (Article 21) at any time to data processing based on legitimate interest, and, where the legal basis is consent, you have the right to withdraw your consent without affecting the lawfulness of processing based on consent before its withdrawal.
To stop receiving automated direct marketing communications (email, SMS, instant messaging), data subjects are invited to send an email to privacy@aedgruppo.it with the subject "unsubscribe from automated marketing" or to use our automatic unsubscription systems designed only for emails (opt-out).
To no longer receive traditional direct marketing communications (telephone calls with an operator and postal mail), interested parties are invited to write an email to privacy@aedgruppo.it with the subject “cancellation from traditional”.
To no longer receive marketing communications, interested parties are invited to write an email to privacy@aedgruppo.it with the subject “marketing cancellation”.
If you believe that the processing of your personal data by the Data Controller violates Regulation (EU) 2016/679, you have the right to lodge a complaint with the Supervisory Authority, in particular in the Member State in which you habitually reside or work, or in the place where the alleged violation of the regulation occurred (Italian Data Protection Authority https://www.garanteprivacy.it/ ), or to take appropriate legal action.
7. CHANGES TO THE INFORMATION NOTICE
The Data Controller may change, modify, add, or remove any portion of this Privacy Policy. To facilitate verification of any changes, the policy will contain the date it was last updated.
Updated: October 31, 2025