Published on 27/03/2025
alpoma, with its registered office at Jakobistraße 1/A, Terlan (BZ) – 39018, Tax Code/VAT No. IT02320260215(hereinafter “Data Controller” or “Controller”), is committed to protecting the privacy of website visitors during their browsing activities and the use of the services available on the website https://www.alpoma.it (hereinafter “Portal” or “Website”).
This document, drafted in accordance with Article 13 of the European General Data Protection Regulation No. 679/2016 (hereinafter: GDPR), describes all aspects of the processing of users’ personal data carried out in connection with the use of this website. In compliance with the provisions of the GDPR, processing by the Controller is based on the principles of lawfulness, fairness, transparency, purpose limitation, storage limitation, data minimisation, accuracy, integrity and confidentiality.
1. Data Controller
The Controller responsible for the processing of data carried out through the Portal is Alpoma, as indicated above. The Controller can be contacted via the email address info [at] alpoma.it (info[at]alpoma[dot]it) or at the telephone numbers listed in the legal notice.
2. Categories of Personal Data Processed
Navigation / Usage Data
Information collected during the user’s visit to the website (e.g., IP address, URI-requested addresses, browser history, information on interactions with the website, details concerning the user’s computer environment, browser type and language, operating system, location, date and time of the request). These data are not collected for the purpose of associating them with identified individuals, but due to their nature, they may allow users to be identified through processing or association with data held by third parties.
Data Voluntarily Provided by the User
Personal data voluntarily provided by the user through dedicated forms on the website (e.g., registration/sign-up, contact forms, comments, reviews, submissions, etc.). Such information may include: identification data (first name, last name, tax identification number, username, user ID, password, place and date of birth, etc.), personal image, contact and location data (residential/private address, email address, telephone number, mailing address, etc.).
Business Data
Information necessary to fulfil economic and tax obligations related to the provision of website services (e.g., payment information, VAT number, purchase history, information about the use of the product or service, billing and invoicing data, support requests, etc.).
Localization or Geolocation Data (or Mobility Data)
Information indicating the geographical location (latitude, longitude, altitude, direction of movement, time of location recording) of the user’s end device (e.g., smartphone, PC) when using the website’s services.
3. Purpose of Data Processing
The Controller uses the personal data collected through this website for the following purposes:
Provision of Services
Responding to information requests received via the website; providing the content and services offered on the website; sending notifications and updates related to the service requested by the user.
Ensuring Security, Prevention of Misuse and Fraud, Debugging
Monitoring and preventing fraudulent activities and ensuring that systems and processes function properly and securely.
Legal Protection
Enabling the Controller to protect or exercise a right in court.
Legal Obligation
Fulfilling a legal obligation to which the Controller is subject.
4. Legal Bases for Data Processing
The Controller relies on the following legal bases for processing personal data for the purposes described above:
Contract / Pre‑contractual Measures
The processing of personal data is carried out on the basis of Article 6(1)(b) GDPR (“[…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”).
This legal basis applies in particular when using the contact forms provided on the website.
Consent of the Data Subject
The processing of personal data is carried out on the basis of Article 6(1)(a) GDPR (“[…] the data subject has given consent to the processing of his or her personal data for one or more specific purposes”). The consent given by the user is free and voluntary, and it does not affect access to other services of the website. Consent may be withdrawn at any time via the cookie preference selection tool or by contacting the Controller using the contact details provided in the section [Controller Contact Information].
Legitimate Interests of the Controller
The processing of personal data is carried out on the basis of Article 6(1)(f) of the Regulation (“[…] processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”).
Legal Obligation
The processing of personal data is carried out on the basis of Article 6(1)(c) of the Regulation (“[…] processing is necessary for compliance with a legal obligation to which the controller is subject”).
5. Method of Data Processing
Data processing is carried out using manual and/or automated means, including the use of computer and telematic technologies (e.g., CRM systems, management software, mailing list services). Appropriate technical and organisational security measures are applied to ensure the security, integrity, and confidentiality of personal data, and to minimise the risks of destruction, loss, unauthorised access, alteration, and unlawful disclosure, in accordance with Articles 6 and 32 of the GDPR.
6. Transfer of Personal Data Outside the EU/EEA
The Data Controller does not intend to transfer personal data to countries outside the European Union.
However, should it become necessary for organisational or operational reasons (for example, but not limited to, the use of service providers and/or cloud services that require the transfer of data abroad), appropriate safeguards will be implemented for any transfer of personal data to a third country. Depending on the case, such safeguards may include: verification of the existence of adequacy decisions issued by the European Commission, the signing of Standard Contractual Clauses (SCCs) and/or Binding Corporate Rules (BCRs), assessment and adoption of additional measures in accordance with EDPB Recommendation 01/2020.
| Supplier | Supplier Privacy Policy |
|---|---|
| Microsoft Clarity | https://privacy.microsoft.com/en-us/privacystatement |
| TikTok | https://www.tiktok.com/legal/privacy-policy |
| Consisto | https://www.consisto.it/it/privacy-policy.html |
| Avacy CMP | https://jumpgroup.it/privacy-policy/ |
| Google Advertising Products | https://business.safety.google/privacy/ |
7. Retention Periods
Personal data are stored only for as long as necessary to fulfil the purposes described in this document, or for the period required by the applicable legal provisions.
In detail:
- Data processed for the purpose of “provision of the service” are stored until the service has been fully provided and for the time necessary to manage any subsequent requests. If the request results in a commercial transaction, the data will be stored for a maximum period of 10 years.
- Data processed for direct marketing purposes are stored for a maximum of 2 years, or until the data subject withdraws their consent to the processing of personal data.
- The duration of individual cookies is specified in the “Cookie Policy”.
- The above is without prejudice to the Controller’s right to store personal data for the period permitted and required under Italian law for legal protection purposes (Articles 2946 and 2947, paragraphs 1 and 3 of the Italian Civil Code).
After the expiry of the respective retention periods, personal data will be deleted or anonymised, unless they must be retained for other purposes based on an appropriate legal basis.
8. Data Recipients
The personal data collected by the Data Controller may be communicated or made accessible, for the purposes described above, to the following categories of recipients:
- Employees and collaborators who support the Controller in processing activities, subject to explicit authorization to process the data and the signing of confidentiality agreements where required.
- Third-party service providers acting as data processors, such as cloud service providers, freelancers, companies or professional firms offering support or consultancy to the Data Controller, and entities responsible for hosting and technical maintenance, including software, network equipment, and electronic communication networks.
- Independent data controllers to whom the data must be transmitted for the provision of the service requested by the data subject.
- Independent data controllers processing data for their own purposes (subject to the data subject’s consent).
- Public authorities, where such disclosure is required by law.
9. Rights of the Data Subject
The data subject may exercise the following rights at any time: request access to their personal data; request rectification; request erasure; request restriction of processing; request data portability. The data subject may also object to the processing of their personal data, in whole or in part, and has the right not to be subject to a decision based solely on automated processing — including profiling.
To exercise the rights set out in Articles 15–22 of the GDPR, the data subject may contact the Data Controller using the methods indicated in the “Contact” section (see Article 10).
The Data Controller must respond within 1 month. In the case of numerous and/or complex requests, the Controller may extend the deadline; however, the extension may not exceed 2 months. In any case, the data subject has the right to lodge a complaint with the competent Supervisory Authority (Garante per la protezione dei dati personali) pursuant to Article 77 of the GDPR if they believe that the processing of their personal data violates applicable legislation.