
Privacy Policy
1. Data Controller
The Data Controller of personal data is Gembox S.r.l.s., with registered office at Viale Giuseppe Mazzini, 132 – 00195 Rome (RM) – Italy, VAT No. 17621751001, contactable through the contact details indicated on the Website www.gembox.com.
E-mail: madeinitaly@gembox.it
The processing of personal data is carried out in compliance with Regulation (EU) 2016/679 (“GDPR”), Legislative Decree no. 196/2003 as amended by Legislative Decree no. 101/2018, and the applicable national legislation on the protection of personal data.
2. Scope of application
This notice applies to:
- users browsing the Website;
- users registering on the Website and creating a personal account;
- users making purchases through the Website;
- users sending communications through the contact form;
- users contacting the Data Controller via email, telephone, or WhatsApp;
- users subscribing to the newsletter;
- users interacting with any third-party content present on the Website, subject to consent where required.
This Privacy Policy does not apply to third-party websites or services that may be reached through external links present on the Website.
3. Types of personal data processed
3.1 Data voluntarily provided
The Data Controller processes personal data voluntarily provided by the user through the contact form, registration on the Website, subscription to the newsletter, the placing of orders or online purchases, or through direct communication.
Such data may include:
- first and last name;
- email address;
- telephone number;
- billing and/or shipping address;
- data necessary for the creation of the user account;
- content of the message sent;
- data relating to orders placed;
- any information voluntarily entered in the free text fields of the Website, in order notes, or in communications sent to the Data Controller.
The provision of data is optional, but necessary, depending on the case, in order to respond to requests, complete registration on the Website, manage the user account, carry out orders and purchases, activate the newsletter, or provide the requested services. Failure to provide such data may make it impossible to respond, complete registration, or perform the contract.
3.2 Browsing data
The IT systems and software procedures used for the operation of the Website automatically acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.
Such data may include:
- IP address;
- server log data;
- information relating to device, browser, and operating system;
- date and time of the request;
- pages visited;
- technical information necessary for the security and proper functioning of the Website.
Such data are processed exclusively in order to ensure the correct technical functioning of the Website, the security of the infrastructure, the prevention of unauthorized access, and the possible ascertainment of liability in the event of unlawful acts.
3.3 Data relating to registration and restricted area
Where the Website allows the registration of a personal account, the Data Controller may process the data necessary for the creation and management of the account, user authentication, the management of preferences, order history, saved addresses, and functions reserved for registered users.
Such data may include:
- identification data;
- login credentials;
- order history;
- account preferences;
- data relating to the use of reserved functions.
3.4 Data relating to online purchases
In the event of purchases made through the Website, the Data Controller may process personal data necessary for the management of the order, shipping, invoicing, customer assistance, any returns, or after-sales requests.
Such data may include:
- first and last name;
- contact details;
- billing address;
- shipping address;
- details of the products or services purchased;
- order information;
- order status, shipping, and assistance.
Data relating to payment methods are not necessarily processed directly by the Data Controller, but may be processed by the payment service providers selected by the user, such as Stripe and PayPal, as independent data controllers for the matters within their respective competence.
3.5 Any special categories of personal data
The Website is not normally intended for the collection or processing of special categories of personal data pursuant to Article 9 of the GDPR (such as, by way of example, data relating to health, religious beliefs, political opinions, or trade union membership).
The user is invited not to enter such data in forms, messages, order notes, or communications sent through the Website, unless this is strictly necessary and legally justified.
Where the user spontaneously transmits special categories of personal data, such data will be processed only to the extent strictly necessary for the management of the request received and in compliance with the conditions for lawfulness provided for by the applicable legislation.
4. Purposes of processing
Personal data are processed in order to:
- enable browsing on the Website;
- manage registration on the Website and access to the personal account;
- enable the use of the restricted area and the functions connected to it;
- manage orders, online purchases, payments, shipping, invoicing, returns, and after-sales assistance;
- respond to requests sent through the contact form, email, telephone, or WhatsApp;
- manage communications with the user;
- send informational, promotional communications and updates through the newsletter, subject to the explicit consent of the data subject where required;
- ensure the security of the Website and prevent unlawful use, fraud, unauthorized access, and technical anomalies;
- comply with legal, accounting, tax, and administrative obligations;
- protect the rights of the Data Controller, including in court;
- collect statistical data on the use of the Website, through tools such as Google Analytics, subject to consent where required;
- manage technical, statistical, or marketing tools through Google Tag Manager, subject to consent where required;
- load any third-party content, such as the Instagram feed, subject to consent expressed through the cookie banner, where required.
No profiling activities or automated decisions producing legal effects on the data subject are carried out, except for any technical processing strictly necessary for the functioning of the requested services.
The Website may integrate an Instagram feed. The loading of the content is subject to the user’s consent expressed through the cookie banner. In the event of consent, interaction with the feed may involve the processing of personal data (such as IP address and browsing data) by Meta Platforms Ireland Limited.
5. Legal basis for processing
The processing of data is based, depending on the specific purpose pursued, on one or more of the following legal bases:
- art. 6, para. 1, lett. b) GDPR – performance of a contract to which the data subject is party or implementation of pre-contractual measures taken at the request of the same;
- art. 6, para. 1, lett. c) GDPR – compliance with legal obligations to which the Data Controller is subject;
- art. 6, para. 1, lett. f) GDPR – legitimate interest of the Data Controller in the security of the Website, the prevention of fraud and abuse, the protection of its rights, and the technical and organizational management of the services offered;
- art. 6, para. 1, lett. a) GDPR – consent of the data subject, in cases where it is required, for example for sending the newsletter, for the installation of non-technical cookies, for the activation of Google Analytics where configured in a non-technical mode, for the loading of third-party content, and for the use of any additional tracking tools.
Subscription to the newsletter, where provided for, may take place through a double opt-in system, with the sending of a subscription confirmation email.
6. Methods of processing
The processing of personal data is carried out by means of IT and telematic tools, according to logic strictly related to the purposes indicated in this notice and in compliance with the principles of lawfulness, fairness, transparency, minimization, accuracy, storage limitation, and integrity set out in Regulation (EU) 2016/679.
Data are processed exclusively by persons authorized by the Data Controller or by providers of technical services acting as data processors pursuant to art. 28 of the GDPR, limited to the activities strictly necessary for the management of the Website, any restricted area, e-commerce, newsletter, and related services.
Processing may include operations of collection, recording, organization, structuring, storage, consultation, use, communication within the permitted limits, deletion, and destruction of data, carried out in ways suitable to guarantee their security and confidentiality.
Appropriate technical and organizational measures are adopted to prevent unauthorized access, loss, disclosure, modification, or unlawful use of personal data, taking into account the state of the art, implementation costs, the nature of the data processed, the context, and the purposes of the processing.
No automated processing is carried out that involves decisions based solely on automated processes, nor profiling activities of users, except for what may be necessary for the technical functioning of the platforms used or for consent management.
7. Data retention
Personal data are retained for the time strictly necessary for the purposes for which they are collected and processed, in compliance with the principles of storage limitation and minimization.
In particular:
- data provided through the contact form or direct communications are retained for a maximum period of 12 months from the conclusion of the communication, except for further needs connected to the protection of the rights of the Data Controller;
- data relating to registration on the Website and the user account are retained until the account is deleted by the user or for the time necessary for the management of the contractual relationship and related obligations;
- data relating to orders, purchases, invoicing, and administrative-accounting documentation are retained for the period provided for by the applicable civil, tax, and accounting legislation;
- data relating to newsletter subscription are retained until consent is withdrawn or a deletion request is made;
- technical browsing data are retained for the time necessary for the security, stability of the system, and technical management of the Website;
- data possibly processed through cookies and similar tools follow the retention periods indicated in the Website’s Cookie Policy.
The user may at any time withdraw consent to the newsletter through the unsubscribe link present in each email communication, where available, or by contacting the Data Controller.
8. Data disclosure and parties involved
Personal data may be processed by providers of technical services strictly necessary for the management of the Website, any restricted area, e-commerce, newsletter, statistical analysis systems, and payments.
In particular, the Website may make use of providers such as:
- Wix.com Ltd., as provider of the platform on which the Website is created and hosted, as well as of the services connected to the management of the Website, the user account, any e-commerce, and the newsletter, acting as data processor pursuant to art. 28 GDPR, within the applicable limits;
  Wix Privacy Notice: https://www.wix.com/about/privacy
- Stripe, as payment service provider, which may process personal data as an independent data controller for the processing activities within its own competence;
  Stripe Privacy Notice: https://stripe.com/it/privacy
- PayPal, as payment service provider, which may process personal data as an independent data controller for the processing activities within its own competence;
  PayPal Privacy Notice: https://www.paypal.com/it/legalhub/privacy-full
- Google, in relation to services such as Google Analytics and Google Tag Manager, to the extent that such tools are activated on the Website and subject to the user’s consent where required;
  Google Privacy Notice: https://policies.google.com/privacy
- WhatsApp Ireland Limited and Meta Platforms Ireland Limited, where the user uses WhatsApp or interacts with Meta/Instagram content, as independent data controllers for the processing activities within their respective competence;
  WhatsApp Privacy Notice: https://www.whatsapp.com/legal/privacy-policy-eea
  Instagram / Meta Privacy Notice: https://privacycenter.instagram.com/policy
Personal data may also be disclosed to parties to whom disclosure is required by law or for the performance of contractual obligations.
Personal data are not subject to dissemination.
9. Transfer of data to third countries
The use of services provided by Wix, Meta, Google, Stripe, and PayPal may involve the transfer of personal data to countries located outside the European Union or the European Economic Area.
Such transfers take place in compliance with the safeguards provided for by the GDPR, including, where applicable, adequacy decisions, standard contractual clauses approved by the European Commission, or other suitable legal instruments provided for by the legislation in force.
10. Cookies
The Website uses technical cookies necessary for the functioning of the platform, any restricted area, the shopping cart, checkout, and security systems.
The Website may also use, subject to consent where required:
- cookies and statistical tools connected to Google Analytics;
- tag management tools such as Google Tag Manager;
- third-party cookies or technologies linked to external content, such as the Instagram feed;
- cookies or technologies possibly connected to the payment services selected by the user, such as Stripe and PayPal, to the extent necessary for the correct execution of the transaction.
For detailed information, please refer to the Cookie Policy published on the Website.
11. Rights of the data subject
The data subject may exercise, in the cases provided for by Articles 15 et seq. of the GDPR, the following rights:
- right of access to personal data;
- right to rectification of inaccurate or incomplete data;
- right to erasure of personal data;
- right to restriction of processing;
- right to object to processing, in the cases provided for by law;
- right to data portability, where applicable;
- right to withdraw at any time the consent previously given, without affecting the lawfulness of processing carried out before the withdrawal;
- right to lodge a complaint with the Italian Data Protection Authority.
The data subject may exercise their rights by contacting the Data Controller through the contact details indicated on the Website.
12. Changes to this Privacy Policy
The Data Controller reserves the right to amend this Privacy Policy at any time, including due to regulatory changes, technical updates to the Website, the integration of new services, or organizational changes. Any changes will be published on this page and will take effect from the update date indicated in the version published online.
Last updated: 07/04/2026
