PRIVACY AND COOKIES POLICY PURSUANT TO ART. 13 OF EU REGULATION NO. 2016/679 OF 27 APRIL 2016

This policy is issued pursuant to Art. 13 of EU Regulation No. 2016/679 of 27 April 2016 (hereinafter "GDPR") on the protection of natural persons with regard to the processing of personal data. Fashion S.r.l.s., as Data Controller, wishes to inform users that, in compliance with the obligations arising from the GDPR, it is required to provide information regarding the methods and purposes of processing personal data collected through the use of this website.

1. DATA CONTROLLER

The Data Controller for all personal data collected, processed and used in connection with the management of this website is Fashion S.R.L.S., registered office at Via Euripide, 4/6 - 00125 Rome, owner of the "Eight-Roma" website.

Website: https://eight-roma.it
Email: eightstore@libero.it

Data collected on the "Eight Roma" website is processed by the data processor, which uses the data solely to carry out purchase operations and shipment tracking:

Shopify Inc.
151 O'Connor Street, Ground floor
Ottawa, ON K2P 2L8, Canada

Data processed: personal data and usage data.
Place of processing: Ireland (Shopify Ltd) and United States – Privacy Policy

2. DATA PROCESSED AND PURPOSES OF PROCESSING

Data protection law governs the handling of personal data. Personal data is information relating to identified or identifiable natural persons.

2.1 CATEGORIES OF DATA PROCESSED

2.1 a) Data voluntarily provided by the user:

- Personal data provided by you: any information that, during your orders, directly or indirectly — including in combination with any other information, such as a personal identification number — makes a natural person identified or identifiable. The type of data you provide depends on the information entered in the relevant form. This may include: name, email address, phone number, and other contact details, including address and payment data. When completing the form, we will inform you which fields are mandatory.

- Usage data: information collected automatically through this website (including via third-party applications integrated into it), such as: IP addresses or domain names of computers used to connect to the website, URI (Uniform Resource Identifier) addresses, time of request, method used to submit the request to the server, file size received in response, numeric status code of the server response (success, error, etc.), country of origin, browser and operating system characteristics, time-related details of the visit (e.g. time spent on each page), and details of the navigation path within the application, including the sequence of pages visited, operating system parameters, and the user's IT environment.

- All content voluntarily submitted by the user will be visible to the Data Controller and its authorised personnel.

Personal data collected and recorded to access e-commerce and newsletter services will be processed in strict confidence by the Data Controller and its authorised personnel, and may be used solely for the purposes indicated above and for statistical purposes in aggregated or anonymised form.

2.1 b) Browsing data: the IT systems and software procedures used to operate the e-commerce service automatically collect, in the course of their normal operation, certain personal data whose transmission is implicit in the use of internet communication protocols.

This category includes IP addresses or domain names of computers used by visitors connecting to the website, URI addresses of requested resources, time of request, method used to submit the request to the server, file size received in response, numeric status code of the server response (success, error, etc.), and other parameters relating to the user's operating system and IT environment.

This data is used solely to obtain anonymous statistical information about website usage and to verify its correct operation. It may be used to establish liability in the event of hypothetical cybercrimes against the e-commerce service and the Data Controller, only upon request from the relevant supervisory authorities.

Data collected from third parties: when you place an order on our online shop, we may also collect your data through third parties, such as information agencies and payment service providers.

2.2 PURPOSES OF PROCESSING

2.2 a) Personal data will be processed for the correct operation of the e-commerce platform and to carry out the operations requested by users. Personal data collected is processed to enable the use of the online purchase service. Such data may also be processed to fulfil all obligations imposed by law (including, without limitation: tax purposes and anti-money laundering obligations under Law 231/07 and subsequent amendments).

2.2 b) Personal data — specifically email address and mobile number — will be processed only with your specific and separate consent (pursuant to Arts. 23 and 130 of the Privacy Code and Art. 7 GDPR) for the following Marketing Purposes:

- sending newsletters, commercial communications and/or advertising material regarding products or services offered by the Data Controller, and measuring satisfaction with service quality;
- sending marketing SMS containing commercial communications and offers regarding products or services offered by the Data Controller;
- identifying, including through electronic processing, consumption behaviours and habits in order to improve products and services, meet specific needs, and direct relevant commercial proposals.

Personal data processed for direct marketing purposes includes: first name, last name, email address, and phone number. Where the user has given consent at the time of newsletter or SMS marketing subscription, or provides it subsequently until revocation, personal data may be processed by the Data Controller for direct marketing purposes, including sending informational, advertising and/or promotional emails and SMS, and more generally for sending commercial communications via automated means, specifically email and SMS (where consent has been provided).

2.3 The Data Controller reserves the right to process the above data in anonymous and aggregated form, in compliance with EU Regulation requirements and the guidelines of the Italian Data Protection Authority (Garante), and pursuant to the specific consent exemption provided by the same Authority, for electronic analysis and processing (e.g. classifying the entire user base into homogeneous categories by service level, consumption, spend, etc.) aimed at periodically monitoring the development and economic performance of its activities for the purpose of improving services and optimising the e-commerce service.

2.4 Data collected to process payments via PayPal will be handled by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Please note that the Data Controller does not process your payment data directly but receives only confirmation of payment from PayPal.

2.5 For information on disabling cookies, please refer to the privacy and cookies policy at www.eight-roma.it.

3. LEGAL BASIS FOR PROCESSING

3.1 As Data Controller, the legal basis for processing the personal data described above (pursuant to Art. 6(1) GDPR) is:

- with regard to section 2.1(a): the necessity to perform the services requested by the user making a purchase through the e-commerce service, and compliance with legal obligations relating to invoicing;
- with regard to section 2.1(b): the necessity to enable browsing of the website;
- with regard to section 2.2(a): compliance with legal obligations and the necessity to perform the services provided by the Data Controller. Accordingly, provision of data is mandatory and failure to provide it may result in the non-performance, suspension or termination of the services offered;
- with regard to section 2.2(b): the legitimate interest of the Data Controller;
- where you have expressly provided consent to the processing of your data for one or more specific purposes, the legal basis is Art. 6(1)(a) GDPR.

3.2 For information on disabling cookies, please refer to the cookie settings at www.eight-roma.it.

4. METHODS OF PROCESSING

4.1 Personal data will be processed using appropriate electronic or automated IT and telematic tools, with logic strictly related to the purposes for which the data was collected, and in a manner that ensures its security and confidentiality through the adoption of measures designed to prevent alteration, deletion, destruction, unauthorised access, or processing that is unlawful or inconsistent with the purposes of collection.

4.2 Personal data will be processed by our internal staff, who are bound by confidentiality obligations and duly authorised to process data within the scope of their assigned duties and solely for the purposes indicated above.

5. DATA RETENTION

5.1 Data necessary for the provision of the service will be retained by the Data Controller for the time required to provide the services, or until the service is concluded. The Data Controller may also retain user personal data after the service has been provided if such retention is reasonably necessary to comply with legal and tax obligations, meet regulatory requirements, resolve disputes between users, prevent fraud and abuse, or enforce this privacy policy. Except where retention is required for tax and/or legal purposes, data will be retained for a maximum period of 24 months from the date the order is placed.

5.2 Browsing data will be retained for the technical time necessary to fulfil the functions for which it was collected, and in any case for a maximum period of 6 months. The Data Controller will retain email addresses for newsletter purposes until consent is withdrawn by the user.

5.3 In both cases described above, upon expiry of the relevant retention period, data will be automatically deleted or permanently and irreversibly anonymised.

6. COOKIES

Please refer to the cookie settings at www.eight-roma.it.

7. DATA DISCLOSURE

7.1 Personal data, to the extent necessary and/or instrumental to the fulfilment of the purposes described above, may be processed on behalf of the Company by external parties (third parties) appointed by the Company for such purposes, including:

Service providers: third-party suppliers, consultants and companies providing support and/or advisory services, or services related and instrumental to the processing of personal data on behalf of the Company, including web analytics, hosting, transaction and payment processing, promotional campaign management, fraud prevention, product delivery, IT maintenance, etc.

7.2 All third parties appointed by the Company are bound by a confidentiality agreement that includes a contractual obligation to implement appropriate security measures to protect the personal data shared with them and to process such data exclusively within the scope of the activities assigned to them.
We may also disclose specific information where such disclosure is necessary to comply with legal obligations, a subpoena or other legal proceedings, or to protect the interests or safety of our visitors and customers, employees or others.

7.3 For the purposes described above, data may be transferred abroad, including temporarily and/or to countries outside the European Union, in compliance with applicable legislation and with the adoption of all appropriate security measures and safeguards to ensure an adequate level of data protection.

8. DATA SUBJECT RIGHTS

8.1 As a data subject, you may exercise the rights provided for under applicable data protection law (in particular Arts. 15 to 21 GDPR), including the right to:

- request access to, rectification, erasure, restriction of, and objection to the processing of your data;
- receive and transfer, without hindrance from the Data Controller, your data in a structured, commonly used and machine-readable format (data portability);
- withdraw consent to processing at any time, without prejudice to the lawfulness of processing carried out prior to withdrawal.

8.2 The Data Controller will respond to all requests within one month of receipt, extendable to three months in cases of particular complexity.

8.3 You may exercise the above rights by sending a written request by email to: eightstore@libero.it, or by registered mail to: Eight - Roma, Via Euripide, 4/6 - 00125 Rome.

9. COMPLAINT TO THE SUPERVISORY AUTHORITY

9.1 You have the right to lodge a complaint with the competent data protection supervisory authority.

9.2 A complaint is the mechanism by which a data subject may contact the supervisory authority to report an alleged violation of data protection law pursuant to Art. 77 GDPR and request an investigation.

9.3 A complaint may be lodged with the supervisory authority of the country where you reside, work, or where the alleged violation occurred.

9.4 You also have the right to bring judicial proceedings before the competent court if you believe your rights have been infringed as a result of the processing of your personal data.

We reserve the right to amend this privacy policy at any time.
The version published on the website is the one currently in force.