This privacy policy describes how Irille Team (hereinafter "we", "our", or the "Data Controller") collects, uses, stores, and protects the personal data of users (hereinafter "you" or the "Data Subject") in connection with the Irille Store B2B commerce platform, in accordance with Regulation (EU) 2016/679 ("GDPR"), Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Privacy Code), and all applicable data protection legislation.
This policy applies to all services provided through the Irille Store mobile application, including account registration, catalogue browsing, order placement, B2B business relationship management, and access to the restricted area.
The Data Controller responsible for processing your personal data is:
The Data Controller is responsible for ensuring that personal data is processed in compliance with applicable legislation and for responding to data subject requests regarding their rights.
The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 of the GDPR. The DPO may be contacted at the following:
The DPO is available to address any questions or requests concerning the processing of personal data and the exercise of rights under the GDPR. The DPO will respond within 30 days of receiving the request.
Personal data is processed for the following purposes, each with its corresponding legal basis:
| Purpose | Legal Basis (Art. 6 GDPR) | Description |
|---|---|---|
| Account registration and management | Performance of a contract (Art. 6.1.b) | Creation and management of the user account, authentication, business profile management, and identity verification within the B2B platform. |
| Order processing and management | Performance of a contract (Art. 6.1.b) | Managing the full order lifecycle including processing, shipping, invoicing, cart management, returns, and after-sales support. |
| Direct marketing communications | Consent (Art. 6.1.a) | Sending newsletters, promotions, personalised offers, and commercial communications. Consent may be withdrawn at any time without affecting the lawfulness of prior processing. |
| Marketing for similar products or services | Legitimate interest (Art. 6.1.f) | Sending communications about products or services similar to those previously purchased (soft opt-in), pursuant to Article 130(4) of the Italian Privacy Code. You may object at any time. |
| Analytics and service improvement | Legitimate interest (Art. 6.1.f) | Analysis of platform usage patterns to improve user experience, optimise features, and ensure service security. Data is aggregated and, where possible, anonymised. |
| Tax and legal obligations | Legal obligation (Art. 6.1.c) | Retention and processing of data to comply with tax, accounting, and regulatory requirements under Italian and European legislation, including anti-money laundering regulations. |
| Protection of legal rights | Legitimate interest (Art. 6.1.f) | Retention of data for the defence of legal claims or the management of disputes. |
In the course of your use of the Irille Store platform, we collect the following categories of personal data:
a) Identity data
b) Contact data
c) Commercial data
d) Device data
e) Usage data
We do not collect special categories of personal data (sensitive data) within the meaning of Article 9 of the GDPR, nor data relating to criminal convictions and offences under Article 10 of the GDPR.
Personal data is retained only for the period strictly necessary to fulfil the purposes for which it was collected, in accordance with the principles of data minimisation and storage limitation under the GDPR.
| Data Category | Retention Period | Justification |
|---|---|---|
| User account data | Duration of contractual relationship + 12 months after account closure | Performance of contract and legitimate administrative interest |
| Order and billing data | 10 years from the end of the relevant financial year | Tax and accounting obligations under Italian Civil Code Art. 2220 and Presidential Decree 600/1973 |
| Marketing data (consent-based) | 24 months from consent collection, unless renewed | Italian Data Protection Authority (Garante) marketing guidelines |
| Similar-product marketing data (soft opt-in) | 24 months from the last purchase | Article 130(4) of the Italian Privacy Code |
| Device and usage data | 13 months from collection | EDPB and Garante guidelines on cookies and tracking |
| Access logs | 6 months from recording | System security and fraud prevention |
| Data for legal defence | Until expiry of applicable limitation periods (generally 10 years) | Legitimate interest in defence of legal rights |
Upon expiry of the applicable retention periods, personal data will be deleted or irreversibly anonymised.
As a data subject, you are entitled to exercise the following rights in relation to your personal data by contacting the Data Controller or the DPO at the details provided in this policy:
To exercise your rights, please send a request to the DPO at: privacy@irille.com. The Data Controller will respond within 30 days of receiving the request, which may be extended by a further 60 days in case of complexity or volume of requests, with prior notification.
The exercise of rights is free of charge, except in cases of manifestly unfounded or excessive requests, for which a reasonable administrative fee may be charged.
Without prejudice to any other administrative or judicial remedy, if you believe that the processing of your personal data infringes the GDPR or Italian data protection legislation, you have the right to lodge a complaint with the competent supervisory authority.
The Italian supervisory authority is:
If you reside or work in another EU Member State, you may alternatively lodge a complaint with the supervisory authority of the Member State where you habitually reside, work, or where the alleged infringement has occurred.
Not applicable. At present, Irille Team does not employ decision-making processes based solely on automated processing, including profiling, which produce legal effects concerning the data subject or similarly significantly affect them, within the meaning of Article 22 of the GDPR.
Any product recommendation systems implemented on the platform are based on logic that is not exclusively automated and do not produce legal effects on data subjects. Should such processes be introduced in the future, this policy will be updated and, where required, specific consent will be obtained from the data subject.
Personal data is processed and stored within the European Economic Area (EEA). Should it become necessary to transfer personal data to third countries outside the EEA, Irille Team will ensure that such transfers comply with Chapter V of the GDPR by adopting one of the following safeguards:
In all cases, Irille Team will conduct a Transfer Impact Assessment to verify that the level of data protection in the third country is essentially equivalent to that guaranteed within the EU. The data subject has the right to obtain a copy of the safeguards adopted by contacting the DPO.
The Irille Store platform, as a mobile application, does not use cookies in the traditional sense. However, equivalent tracking technologies may be employed for the following purposes:
a) Strictly necessary technologies
Legal basis: No consent required, as these are necessary for service operation.
b) Analytical technologies
Legal basis: Legitimate interest of the Controller, with the possibility of objection.
c) Marketing technologies (if activated)
Legal basis: Consent of the data subject, revocable at any time through the application settings.
For detailed information about the tracking technologies used, you may consult the full cookie policy available in the application settings or contact the DPO.