Privacy Statement Pursuant to Articles 13 and 14 of Reg. (EU) 2016/679 ("GDPR")

Please find below the information required by the GDPR concerning the processing of personal data provided as part of the registration to the B2B e-commerce website “Gift Card Store” (“Site”) and the use of the related services, as better defined in the relative general terms and conditions.

The data subjects to whom the personal data refer are hereinafter referred to as “Data subjects“ or, individually, ”Data subject“.

The information on the processing of the browsing data of the Data subjects who browse the Site and those relating to the use of cookies can be consulted in the privacy and cookie policy made available in the cookie banner that appears at first access and in the footer of the Site.

  1. Identity and contact details of the controller

The controller is Amilon Srl, Tax ID and VAT number 05921090964, with registered office in via Natale Battaglia 12, Milan, e-mail address [email protected] (“Amilon” or “Controller”).

  1. Contact details of the data protection officer (DPO)

The DPO can be contacted at the e-mail address [email protected].

  1. Categories and source of the data processed
  1. Data processed: common data (e.g. name and surname, e-mail address, phone number, as well as the voice when audio is sent to the support chatbot) of natural persons who use the Site, referable to the legal person to be registered on the Site, whether it is the legal representative or another person duly authorized for this purpose, as well as company contact persons
  2. Data source: the data are provided directly by the Data subjects or, as in the case of company contacts, by the person who registers on the Site and uses its services.
  1. Purpose of the processing, legal basis and data retention periods

The data are processed in order to:

  1. allow registration on the Site and use of the related services. Among the services provided there could be a special chatbot, based on an artificial intelligence system, for the management of assistance requests by the Data subject. It should be noted that the data provided will also be processed in order to improve the effectiveness of the chatbot, so that over time it provides increasingly adequate and relevant answers to assistance requests. It is always possible to contact a human operator to receive assistance. The legal basis is (i) the performance of a contract to which the Data subject is party for the processing of data of the legal representative and (ii) the legitimate interest of the Controller and of third parties, for the processing of data of the company contact person and for chatbot training purposes. Therefore, the data will be kept for the entire duration of the contractual relationship and, as an ordinary limitation period, for the following 10 years;
  2. keep the data relating to the credit card used for purchases on the Site and, therefore, facilitate the execution of further purchase transactions. In this case, the legal basis of the processing is the consent of the Data subject. The data will be kept until the expiry date of the card, without prejudice to the right of the Data subject to request deletion of the data at any time;
  3. fulfil administrative and accounting, tax and other legal obligations, in compliance with the requirements of current legislation (for ex. invoicing obligations). The legal basis for this processing is the fulfilment of a legal obligation to which the Controller is subject. Therefore, the data will be kept for 10 years, which is the general ten-year retention period prescribed by law;
  4. if necessary, to ascertain, exercise or defend the rights of Amilon. In particular, in order to mitigate the risk of illegal activity on the Site (e.g. computer fraud), there will be (i) the possible submission of a questionnaire to the Data subject aimed at verifying his or her identity and (ii) the verification of the payment data entered during the purchase phase. The legal basis of this processing is the pursuit of a legitimate interest of the Controller. Therefore, the data will be kept for the entire duration of the contractual relationship and, as an ordinary limitation period, for the following 10 years, as well as for the duration of any litigation, until the time limits for appeals have been exhausted;
  5. send – to the email address provided by the user – promotional communications relating to products sold by Amilon similar to the ones on sale on the Site (e.g., relating to a new gift card added to the catalogue or to a given discount applied on the gift cards of a brand on the Site). The legal basis of the processing for such purposes is the so called “soft spam”, referred to in art. 130, c.4 of the Legislative Decree 196/2003 (“Privacy Code”). The data will be kept until the Data subject's right to object (by clicking on the "unsubscribe" link present in each communication).
  6. carry out profiled marketing activities, i.e. the creation of a profile of the Data subject on the basis of the data provided (upon registration and purchase), combined with the browsing data (obtained, specifically, from the online click of specific sections/products of the Site) collected via cookies, in order to enable Amilon to offer promotional messages and/or online content more closely matching this profile, through automated contact methods (such as personalised e-mails) and/or online advertising banners. The legal basis of the processing for such purposes is the consent of the Data subject. The data will be kept for 3 years, without prejudice to the Data subject's right to object (by clicking on the "unsubscribe" link present in each communication) or the withdrawal of the consent.
  7. communicate the data to companies belonging to the Zucchetti group (to which Amilon belongs) for their marketing purposes (sending promotional communications by e-mail and telephone calls). The legal basis for the processing for these purposes is the consent of the Data subject. The data will be kept until it is communicated to the third party, without prejudice to the Data subject's right to revoke his or her consent and to object to the processing of his or her data for marketing purposes with respect to the third party, at any time.

Once the storage terms indicated above have elapsed, the data will be destroyed, deleted or made anonymous, compatibly with the technical timing of cancellation and backup.

  1. Provision of data

The provision of data is necessary for registration on the Site and the use of the services it provides; therefore, failure to provide such data will make it impossible for Data subjects to register and use the services offered by Amilon on the Site.

  1. Categories of data recipients

Data can be processed:

  1. by the parties involved in the payment process, i.e. the payment service provider and the anti-fraud service provider (Riskified Ltd);
  2. on behalf of the Controller, by third parties, designated as data processors pursuant to Article 28 of the GDPR, who carry out activities that serve the aforementioned purposes (e.g. IT service providers, customer care and marketing);
  3. by third parties operating as independent controllers, such as public authorities and professional firms, which are entitled to receive them;
  4. where the Data subject gives his/her consent, as set out in paragraph 4 letter g) above, by the companies of the Zucchetti group, the list of which is available at the following link;
  5. by Amilon employees - belonging to the corporate departments in charge of pursuing the above- mentioned purposes - who have been expressly authorised to process the data and have received adequate operational instructions.

The entities mentioned in (a) and (b) above may be established outside the EU/EEA - specifically: the processing of the anti-fraud service provider may be carried out in the United States and Israel, that of the IT service providers in the United States - in countries with an adequacy decision pursuant to Article 45 of the GDPR; if Amilon proceeds with the transfer of data to countries without an adequacy decision, it will use appropriate transfer mechanism pursuant to Article 46 of the GDPR (in particular, SCCs).

  1. Rights of the Data subjects

Data subjects can exercise the rights referred to in articles 15-22 of the GDPR, by sending a communication to the contact points indicated in par. 1.

In particular, Data subjects may obtain confirmation from the Controller whether or not the processing of personal data concerning them is in progress and, in that case, access to them and to the information referred to in Article 15, the rectification of inaccurate data, integration of incomplete data, erasure of data in the cases referred to in Article 17, and limitation of processing in the cases referred to in Article 18 of the GDPR. They may also object, for reasons related to their particular situation, the processing carried out for the legitimate interest of the data controller; furthermore, if the processing is based on consent or contract and is carried out with automated tools, they may request to receive the data in a structured format, commonly used and machine-readable format and, if technically feasible, to transmit them to another data controller without hindrance (“right to portability”).

Data subjects may, at any time, revoke the consent given and oppose the processing for direct marketing purposes (by clicking on the "unsubscribe" link present in each communication).

In any case, Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State in which they usually reside or work or in the State where the alleged violation has occurred.