Privacy Policy

The Data Controller for the personal data collected through the website www.tenutachiaramonte.com is:

Tenuta Chiaramonte Società Agricola s.r.l. Registered and operational address: C.da Gisolfo SP 81 Km 7,400 – 97100 Ragusa (RG), Sicily, Italy VAT number: 00933490880 Email: info@tenutachiaramonte.com

The Data Controller can be contacted at the above address or email for any matter concerning the processing of personal data.

Your personal data are processed in accordance with Regulation (EU) 2016/679 (GDPR) and D.Lgs. 30 June 2003, no. 196 (Personal Data Protection Code), as amended by D.Lgs. 10 August 2018, no. 101. The legal bases and corresponding purposes of processing are as follows:

a) Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR): processing of data necessary for the execution of a purchase order, management of shipping and delivery, invoicing, handling of returns, withdrawals and complaints, and management of after-sales customer service.

b) Compliance with a legal obligation (Art. 6(1)(c) GDPR): processing necessary to fulfil obligations under tax, accounting and food-safety legislation applicable to the Seller.

c) Legitimate interest of the Data Controller (Art. 6(1)(f) GDPR): processing for the prevention and detection of fraud, protection of the security of systems and data, and direct marketing of similar products and services to existing customers (so-called soft spam), subject to the right to object at any time.

d) Consent of the data subject (Art. 6(1)(a) GDPR): processing for commercial communications, promotional newsletters and profiling activities, where carried out exclusively on the basis of explicit and freely given consent, which may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

The Data Controller collects and processes the following categories of personal data:

Identification and contact data: first name, last name, email address, telephone number, shipping and billing address.

Order and transaction data: products purchased, order amounts, payment method used (no card details are stored by the Seller — these are handled exclusively by the payment processor Stripe), order history.

Navigational and technical data: IP address, browser type, operating system, pages visited, time and duration of visit, referring URL. These data are collected automatically through technical and analytical cookies and similar technologies (see Section 8 — Cookie Policy).

Communication data: content of messages sent through the contact form or by email, for the purpose of handling requests.

Marketing data: newsletter subscription preferences and, where consent has been given, profiling information derived from browsing and purchase behaviour.

No special categories of data as defined in Art. 9 GDPR (e.g. health data, political opinions, religious beliefs) are collected.

Personal data are processed using both manual and electronic means, with organisational and technical security measures designed to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR.

The Data Controller has implemented technical and organisational measures including: SSL/TLS encryption of data in transit, access controls and authorisation management, system activity logs, regular security assessments, and staff training on data protection obligations.

Data processing is carried out exclusively by persons specifically authorised by the Data Controller (employees, collaborators) or by external Data Processors appointed pursuant to Art. 28 GDPR (e.g. IT service providers, courier companies, payment processors, email marketing platforms). A list of Data Processors is available on request.

Data are not subject to automated decision-making or profiling that produces legal effects or similarly significantly affects the data subject, within the meaning of Art. 22 GDPR, unless explicit consent is given for such activities.

Personal data may be disclosed to the following categories of recipients, where strictly necessary for the purposes described in Section 2:

a) Service providers acting as Data Processors (Art. 28 GDPR): IT and hosting providers, e-commerce platform managers, payment processors (Stripe), courier and logistics companies, email marketing platforms, accounting and tax consultants.

b) Public authorities and supervisory bodies: where required by law or regulatory obligation (e.g. Agenzia delle Entrate, customs authorities, law enforcement bodies).

c) Legal and corporate advisors: where necessary for the establishment, exercise or defence of legal claims.

Personal data are not sold, rented or otherwise transferred to third parties for their own commercial or marketing purposes.

Some of the above recipients may be located outside the European Economic Area (EEA). In such cases, the transfer is carried out only where adequate safeguards are in place pursuant to Arts. 44–49 GDPR (e.g. European Commission adequacy decisions, Standard Contractual Clauses). Upon request, the Data Controller will provide information on the safeguards adopted for international transfers.

Personal data are retained for the period strictly necessary to fulfil the purposes for which they were collected, in accordance with the following criteria:

Order and contract data: retained for 10 (ten) years from the conclusion of the contract, in compliance with civil and tax law obligations (Arts. 2214 et seq. of the Civil Code; D.P.R. 633/1972 on VAT).

Customer service and complaint data: retained for 3 (three) years from the date of the last communication, unless a longer retention period is required for the establishment, exercise or defence of legal claims.

Newsletter and marketing data: retained until withdrawal of consent, or until the data subject objects to processing based on legitimate interest. Following withdrawal or objection, data will be deleted within 30 days, subject only to retention required by applicable law.

Navigational and technical data (cookies): retained for the periods indicated in the Cookie Policy (Section 8).

At the expiry of the retention period, data will be securely deleted or anonymised in such a way that re-identification of the data subject is no longer possible.

Pursuant to Arts. 15–22 GDPR, the data subject has the following rights, which may be exercised at any time:

a) Right of access (Art. 15 GDPR): the right to obtain confirmation as to whether or not personal data concerning them are being processed, and, if so, to obtain a copy of those data and information on the processing.

b) Right to rectification (Art. 16 GDPR): the right to obtain the correction of inaccurate personal data or the completion of incomplete data.

c) Right to erasure — 'right to be forgotten' (Art. 17 GDPR): the right to obtain the deletion of personal data where the conditions set out in Art. 17 GDPR are met (e.g. data no longer necessary for the purposes for which they were collected, withdrawal of consent, unlawful processing).

d) Right to restriction of processing (Art. 18 GDPR): the right to obtain restriction of processing in the cases provided for by law (e.g. where the accuracy of data is contested, or where the data subject has objected to processing pending verification of the legitimate grounds).

e) Right to data portability (Art. 20 GDPR): the right to receive personal data in a structured, commonly used and machine-readable format, and to transmit those data to another controller, where processing is based on consent or on a contract and is carried out by automated means.

f) Right to object (Art. 21 GDPR): the right to object at any time to processing based on the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR), including profiling, and to processing for direct marketing purposes.

g) Right to withdraw consent (Art. 7(3) GDPR): where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Requests may be submitted by email to: info@tenutachiaramonte.com. The Data Controller will respond within 30 (thirty) days of receipt of the request, or within 90 days where the request is complex or numerous requests have been received (in which case the data subject will be informed of the extension within 30 days).

Without prejudice to any other administrative or judicial remedy, the data subject also has the right to lodge a complaint with the supervisory authority. In Italy, the competent authority is the Garante per la protezione dei dati personali (Garante Privacy), reachable at www.garanteprivacy.it.

The website www.tenutachiaramonte.com uses cookies and similar tracking technologies to ensure the correct functioning of the site, to analyse traffic and user behaviour, and — where consent has been given — to deliver personalised content and advertising.

COOKIE CATEGORIES

Technical and functional cookies (no consent required): strictly necessary for the functioning of the website (e.g. session management, shopping cart, language preferences). These cookies cannot be disabled without compromising the functionality of the site.

Analytical cookies (consent required, unless anonymised): used to collect statistical information about how users interact with the website (e.g. pages visited, time spent, traffic sources). Where analytical cookies are anonymised and aggregated, they do not require consent pursuant to the guidelines of the Garante Privacy.

Marketing and profiling cookies (consent required): used to deliver advertising messages consistent with the preferences expressed by users during browsing and to measure the effectiveness of advertising campaigns. These cookies are set only with the user's prior and explicit consent.

Third-party cookies: the website may integrate third-party services (e.g. Google Analytics, Meta Pixel, payment gateways) that set their own cookies. The Data Controller does not have direct control over these cookies; please refer to the privacy policies of the respective third-party providers.

CONSENT MANAGEMENT When users first access the website, a cookie banner is displayed allowing them to give, refuse or customise their consent. Consent may be withdrawn at any time through the cookie settings accessible from the footer of the website or via browser settings.

The retention periods for individual cookies are indicated in the cookie management panel accessible on the website.

The Data Controller reserves the right to amend or update this Privacy Policy at any time, in order to reflect changes in applicable legislation, processing activities or the services offered.

Any changes will be published on this page with an updated 'Last updated' date. Where changes are substantial, the Data Controller will provide notice through a prominent banner on the website or, where possible, by direct communication to the email addresses of registered users.

Users are encouraged to review this page periodically to stay informed of how personal data are processed. Continued use of the website following publication of changes constitutes acceptance of the updated Privacy Policy, to the extent permitted by applicable law.

For questions or clarifications regarding this Privacy Policy or the processing of personal data, please contact the Data Controller at: info@tenutachiaramonte.com.

For any matter relating to this Privacy Policy or to the exercise of rights under the GDPR, data subjects may contact the Data Controller using the following details:

Tenuta Chiaramonte Società Agricola s.r.l. C.da Gisolfo SP 81 Km 7,400 – 97100 Ragusa (RG), Italy VAT number: 00933490880 Email: info@tenutachiaramonte.com

The Data Controller will endeavour to respond to all requests within the terms provided for by the GDPR (30 days, extendable to 90 days for complex requests).

If the data subject considers that their rights under the GDPR have been violated, they may lodge a complaint with the Italian data protection supervisory authority:

Garante per la protezione dei dati personali Piazza Venezia, 11 – 00187 Roma Website: www.garanteprivacy.it Email: garante@gpdp.it Certified email (PEC): protocollo@pec.gpdp.it