PRIVACY & COOKIE POLICY
This page describes the management methods of the site concerning the processing of personal data of users who consult it.
This information (or “privacy policy”) is provided under Article 13 of EU Regulation 2016/679 (personal data collected directly from the data subject), the European Regulation on the Protection of Personal Data (hereinafter “Regulation” or “GDPR”), to those who interact with the web services of the website www.stempassion.com.
In any case, the logical and physical security of the data and, in general, the confidentiality of the processed personal data will be guaranteed by implementing all necessary and appropriate technical and organizational measures to ensure their security.
A) Identity and Contact Details of the Data Controller
STEM PASSION Legal Representative: Elisabetta Citterio, Email: info@stempassion.com
B) Types of Data Processed
“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); a natural person is considered identifiable who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more elements characteristic of their physical, physiological, genetic, mental, economic, cultural, or social identity (Recitals 26, 27, 30 of the “GDPR”).
The personal data collected and processed through this website are as follows:
• Browsing data. The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, and other parameters related to the user’s operating system and computer environment. These data are used solely to obtain anonymous statistical information on the use of the site and to check its correct functioning.
• Data provided by the user. This refers to data voluntarily entered by the user at the contact addresses on the site, which leads to the acquisition of the sender’s contact details necessary to respond to requests, as well as all personal data included in the communications (e.g., contact or information requests).
• Cookies. These are small text files that websites send to users’ devices, where they are stored to be retransmitted to the same sites during subsequent visits. Cookies are used for various purposes, have different characteristics, and can be used both by the site owner and by third parties.
What personal data does our site use?
C) Purpose of the Processing of Personal Data and Legal Basis
Your personal data will be processed:
(i) Without the need for consent, for the following purposes:
• Online account registration, order management, purchases, sales, customer service management, payment management, and customer contact management.
• Administrative-accounting management and related obligations (issuance of receipts, invoices, preparation of payments), potential protection of creditor positions, and defense in court.
• Internal statistics, economic analysis and business management, as well as sending advertisements for similar products based on the contact details provided in the contract, with the option for immediate deletion upon request.
The above processing corresponds to the following legal bases:
• Fulfillment of a contract or pre-contractual measures, satisfaction of the data subject’s request – legal condition under Article 6, letter b) GDPR;
• Legal obligation to which the Data Controller is subject – legal condition under Article 6, letter c) GDPR – or for the establishment, exercise, or defense of a legal claim;
• Pursuit of a legitimate interest of the Data Controller – legal condition under Article 6, letter f) GDPR – related to improving business operations, market research, enhancing the services provided to its customers, direct marketing, and customer loyalty.
Providing the data marked with (*) in the form for the purposes referred to in section (i) is mandatory, and the lack of such data and/or any explicit refusal to process it will make it impossible for the Data Controller to execute the contract or pre-contractual measures or to fulfill the obligation, potentially leading to the data subject’s non-compliance and liability, including sanctions provided for by the legal system.
(ii) With your consent (Article 7, GDPR), for the following purposes:
• Various marketing activities, including the promotion of products and services, distribution of leaflets and promotional material in paper and/or digital format, sending newsletters and commercial communications via email, invitations.
• Various profiling activities, including behavioral analysis for promotional purposes, creation of lists for promotional purposes, commercial communication, and newsletter sending, creation of profiles to provide targeted and personalized services according to customer needs.
Providing data for the purposes mentioned in section (ii) is optional, meaning you can choose not to provide your consent or to revoke it at any time. Automated processes using software are employed for such processing, which always includes human decision-making to avoid unwanted consequences for the data subject, limited in any case to receiving communications from the Data Controller.
D) Categories of Recipients of Personal Data
For the purposes mentioned in the previous paragraph, the personal data you provide may be communicated or made accessible:
• To employees and collaborators of the Data Controller, in their capacity as persons authorized to process data (or so-called “data processors”); to third parties who carry out outsourcing activities on behalf of the Data Controller, in their capacity as Data Processors, including: service providers for the management of the information system and telecommunications networks, companies responsible for e-commerce management, service providers for managing paper and/or computerized documentation storage, service providers for managing customer assistance activities, including via websites (e.g., call centers, help desks, etc.), service providers for managing commercial communication activities;
• To professionals, studios, or companies in the context of assistance and consultancy relationships, including organizational management control;
• To banks and credit and insurance institutions for economic activities (payments/collections) and insurance purposes;
• To entities that carry out control, auditing, and certification of activities carried out by the Museo della Racchetta, also in the interest of clients;
• To judicial or supervisory authorities, administrations, public bodies, and agencies (national and international).
The complete and updated list of Data Processors is available upon written request at the following email address: info@stempassion.com
E) Storage and Transfer of Personal Data Abroad
The management and storage of personal data are carried out in the cloud and on servers located inside and outside the European Union, owned by and/or available to the Data Controller and/or duly appointed third-party companies as Data Processors.
The transfer of data abroad to non-EU countries may occur, but only and exclusively within intra-group communications for customer loyalty purposes and in compliance with the provisions of Chapter V, GDPR (Article 46).
Your personal data will not be disclosed.
F) Period of Storage of Personal Data
Personal data collected for the purposes mentioned in paragraph (C), section (i), will be processed and stored for the entire duration of any contractual relationship established.
From the date of termination of such a relationship, for any reason or cause, the data will be retained for the duration of the applicable legal prescription terms, i.e., 10 years.
Personal data collected for the purposes mentioned in paragraph (C), section (ii), will be processed and stored for the time necessary to fulfill these purposes, and in any case, for a period not exceeding 24 months for marketing and 12 months for profiling from the date we receive your consent.
After this retention period, the data will be destroyed or anonymized.
G) Methods of Processing Personal Data
The processing of your personal data is carried out through the operations indicated in Art. 4, no. 2 GDPR 2016/679, specifically: collection and registration, organization, storage, consultation, cancellation, and destruction of data. The processing of your data will be based on principles of correctness, lawfulness, and transparency and may also be carried out through automated methods to store, manage, and transmit them. It will be carried out using appropriate tools, as far as reasonably possible and according to the state of the art, to ensure security and confidentiality by using suitable procedures to prevent the risk of loss, unauthorized access, illegal use, and dissemination. Your personal data are processed both on paper and electronically.
H) Rights and Methods of Exercise
In accordance with the provisions of Chapter III, Section I, GDPR, you can exercise the rights indicated therein by simply sending a request via email to the Data Controller at info@stempassion.com, in particular:
• Right of access – Obtain confirmation as to whether or not personal data concerning you is being processed and, if so, receive information, in particular, on: the purposes of the processing, the categories of personal data processed, and the retention period, recipients to whom they may be communicated (Article 15, GDPR),
• Right to rectification – Obtain, without undue delay, the rectification of inaccurate personal data concerning you and the integration of incomplete personal data (Article 16, GDPR),
• Right to erasure – Obtain, without undue delay, the erasure of personal data concerning you, in the cases provided for by the GDPR (Article 17, GDPR),
• Right to restriction – Obtain the restriction of processing, in the cases provided for by the GDPR (Article 18, GDPR),
• Right to data portability – Receive in a structured, commonly used, and machine-readable format the personal data concerning you, and have the right to transmit those data to another controller without hindrance, in the cases provided for by the GDPR (Article 20, GDPR),
• Right to object – Object to the processing of personal data concerning you unless there are legitimate reasons for the Data Controller to continue the processing (Article 21, GDPR),
• Right to Lodge a Complaint with the Supervisory Authority – You have the right to lodge a complaint with the Data Protection Authority, located at Piazza di Montecitorio n. 121, 00186, Rome (RM).
I) Data Breach and Notification to the Privacy Authority and/or Communication of the Breach to the Data Subject
In the event of a personal data breach – understood as a security breach that accidentally or unlawfully leads to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed – where the risk to the rights and freedoms of individuals is deemed likely and/or significant, the Data Controller will notify the Privacy Authority without delay and, in any case, no later than 72 hours, providing a description of the nature of the data breach, including the number of affected individuals and the categories of data involved. The name and contact details of the Data Controller or, if applicable, the DPO (Data Protection Officer) will also be provided.