Privacy Policy
Last Updated: December 5, 2025
1. INTRODUCTION AND IDENTITY OF THE DATA CONTROLLER
1.1. Global Distribution S.A.S. di Fabio Niccolai & C. (hereinafter referred to as "we"; "us"; or the "Data Controller") regards the protection of personal data and the privacy of our Clients and Users as a foundational commitment of our business operations. This Privacy Policy describes how we collect, process, store, disclose, and safeguard personal data acquired through the operation of our e-commerce Website, www.eizosport.com (the "Website"). Italy is a member country of the European Union where the GDPR is fully effective, and Italy implemented the GDPR on 19 December 2018 by revising its Personal Data Protection Code as certain sections directly conflicted with the GDPR.
1.2. The entity bearing responsibility for the processing of personal data is:
Global Distribution S.A.S. di Fabio Niccolai & C.
Registered Office: Via Lorenzo il Magnifico 10, 50129, Firenze (FI), Italy
Tax Code and VAT Number: 02342200488
Contact Email: info@eizosport.com
1.3. The Italian regulatory framework on the protection of personal data and privacy is dictated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (GDPR). The domestic data protection regulation is represented by legislative decree n. 196 of 30 June 2003 (the "talian Privacy Code") modified by legislative decree n. 101 of 10 August 2018, implementing the provisions of the GDPR. The Italian Privacy Code includes Title X on electronic communications (from Article 121 to Article 132quater), which implements the requirements of Directive 2002/58/EC (as amended by Directive 2009/136/EC) ("Privacy Directive").
1.4. In Italy, the competent supervisory authority is the Garante per la Protezione dei Dati Personali (so-called Garante or GPDP), whose decisions can be appealed by applying to the ordinary tribunal at the second level, and to the Supreme Court of Cassation at the third.
2. CATEGORIES OF PERSONAL DATA WE COLLECT
We collect various categories of personal data contingent upon the nature of your interaction with our Website. We adhere strictly to the principle of data minimization and shall not collect data exceeding that which is necessary for the purposes specified herein.
2.1. Data Provided Directly by the User
This category encompasses data voluntarily submitted by you when creating an account, placing an order, completing forms, or subscribing to communications.
(a) Identification Data: Name, surname, email address, physical shipping and billing addresses, and telephone number. Such data is indispensable for contract execution and communication regarding orders.
(b) Account Data: Login credentials, unique client identifier, and preference established within the user account.
(c) Transaction Data: Details concerning products purchased, payment amounts, order history, and payment method utilized (including American Express, PayPal, Visa, Mastercard, Google Pay, Apple Pay, Shop Pay, Bancontact, UnionPay, and Maestro). We do not retain complete payment card details; such information is processed exclusively by certified third party payment gateways.
(d) Communication Data: Information contained in correspondence directed to us, including inquiries, return requests, and support communications.
(e) Marketing Preferences: Opt in or opt out status for promotional and commercial communications.
2.2. Data Collected Automatically (Technical and Usage Data)
When you access and navigate the Website, certain technical data is collected automatically through server logs, cookies, and analogous tracking technologies.
(a) Browsing and Usage Data: Information concerning your interaction with the Website, including pages viewed, time spent on specific pages, product interest patterns, internal search queries, and referring website addresses.
(b) Device Information: IP address, browser type and version, time zone setting, operating system, screen resolution, and platform.
(c) Location Data: General geographic location derived from IP address analysis.
2.3. Data from Third Party Sources
We may receive data from third party service providers integrated with our operations:
(a) Analytics Providers: Information regarding browsing patterns and Website activity from services such as Bugsnag for error reporting and analytics.
(b) Advertising Platforms: Data related to advertising campaign effectiveness and user interaction with advertisements, including through Google Tag Manager.
(c) Payment Processors: Confirmation of payment status and masked payment identifiers from services including PayPal and Shopify Payments.
3. PURPOSES AND LEGAL BASIS FOR PROCESSING
Pursuant to Article 6(1)(a) GDPR, the consent of the data subject constitutes a lawful
basis for the processing of personal data only insofar as it is "freely given, specific,
informed and unambiguous. Article 4(11) GDPR further defines consent as any freely
given, specific, informed and unambiguous indication of the data subject wishes; We
process personal data only where a valid legal basis exists as defined by Article 6 of the GDPR.
| Purpose of Processing | Categories of Data | Legal Basis (GDPR Art. 6) | Retention Period |
|---|---|---|---|
| A. Contract Execution and Pre Contractual Measures | Identification Data, Account Data, Transaction Data | Contractual Necessity (Art. 6(1)(b)): Processing necessary to fulfill the sales contract, process payments, ship goods, and manage returns | Ten years from termination of the contract or last order, pursuant to Italian Civil Code Art. 2946 |
| B. Compliance with Legal Obligations | Identification Data, Transaction Data | Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with tax, accounting, and fiscal record keeping obligations under Italian law | Ten years as required by Italian fiscal legislation (DPR 600/1973) |
| C. Direct Marketing Communications | Identification Data, Marketing Preferences | Consent (Art. 6(1)(a)): Where you have freely consented to receive promotional communications | Until withdrawal of consent |
| D. Website Analytics and Optimization | Browsing Data, Device Information | Legitimate Interest (Art. 6(1)(f)): To monitor and analyze Website usage, identify technical errors, and improve performance | As specified in Cookie Policy |
| E. Advertising and Retargeting | Browsing Data, Device Information | Consent (Art. 6(1)(a)): To present relevant advertisements based upon your interests | As specified in Cookie Policy |
| F. Prevention of Fraud and Security | Identification Data, Device Information | Legitimate Interest (Art. 6(1)(f)): To protect the rights and assets of Global Distribution S.A.S. and ensure transaction security | Up to twelve months after incident resolution |
4. METHODS OF PROCESSING AND DATA SECURITY
4.1. We execute data processing operations using both manual and automated means, adhering strictly to the security measures mandated by Article 32 of the GDPR and the Italian Privacy Code. The GDPR introduces specific security measures for those handling the personal data of individuals. Security measures such as encryption,
pseudonymization, and minimization must be implemented.
4.2. Security Measures: We implement physical, technical, and administrative security measures designed to protect data from unauthorized access, disclosure, alteration, and destruction. Such measures include encryption protocols (SSL/TLS) for data transmission, firewalls, intrusion detection systems, and access controls for internal personnel. The principle of accountability, enshrined in Article 5(2) GDPR, places the onus on the controller to not only comply with all the aforementioned principles, but also to be able to demonstrate such compliance at all times.
4.3. Data Minimization: We process only data that is relevant, adequate, and limited to what is necessary for the stated purposes. We conduct periodic reviews of data retention schedules to ensure continued compliance with minimization principles.
4.4. Data Breach Notification: The GDPR requires data controllers to notify the DPA no later than 72 hours after becoming aware of the data breach and the affected data subjects. Should a personal data breach occur that is likely to result in a risk to your rights and freedoms, we shall notify the Garante without undue delay and, where feasible, communicate the breach to affected data subjects.
5. DATA DISCLOSURE AND RECIPIENTS
We may disclose your personal data to specific categories of recipients, acting either as independent Data Controllers or as Data Processors operating on our behalf pursuant to Article 28 GDPR. Data is shared only to the extent necessary for the stated purposes.
5.1. Data Processors (Operating on Our Behalf)
These third parties are engaged under formal data processing agreements:
(a) Shipping and Logistics Companies: To deliver ordered products to your specified address.
(b) IT Service Providers: For Website hosting, maintenance, development, and data storage, including Shopify platform services.
(c) Payment Gateways and Financial Institutions: To process transactions, including PayPal and Shopify Payments.
(d) Marketing and Analytics Providers: To analyze Website performance and deliver advertisements, including services utilizing Google Tag Manager and Bugsnag.
5.2. Independent Data Controllers
These entities process data for their own purposes:
(a) Public Authorities and Law Enforcement: When required by law or legitimate request from a competent authority, including the Italian Revenue Agency (Agenzia delle Entrate).
(b) Professional Advisors: Accountants, auditors, and legal consultants requiring access to data for professional services and legal compliance verification.
6. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA
6.1. Given our reliance on certain global service providers, particularly for e-commerce hosting (Shopify) and analytics services, personal data may be transferred outside the European Union or the European Economic Area.
6.2. Legal Basis for Transfer: We ensure that all such transfers comply with Chapter V of the GDPR by implementing one of the following safeguards:
(a) Adequacy Decision: Transfer to countries recognized by the European Commission as providing an adequate level of data protection pursuant to Article 45 GDPR.
(b) Standard Contractual Clauses (SCCs): Implementation of the standard data protection clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR, combined with appropriate supplementary measures where necessary.
(c) Binding Corporate Rules (BCRs): Where the recipient organization has adopted approved binding corporate rules pursuant to Article 47 GDPR.
6.3. We engage only with service providers that commit to maintaining GDPR compliant data protection standards and who provide appropriate safeguards for international data transfers.
7. YOUR DATA PROTECTION RIGHTS (Articles 15 to 22 GDPR)
As a data subject, you are granted several fundamental rights concerning your personal data. We are obligated to facilitate the exercise of these rights without undue delay.
7.1. Right of Access (Art. 15): You have the right to obtain confirmation as to whether personal data concerning you are being processed and, where that is the case, access to the personal data together with specific information regarding the processing activities.
7.2. Right to Rectification (Art. 16): You have the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
7.3. Right to Erasure ("Right to be Forgotten") (Art. 17): You have the right to request the deletion of your personal data where, for instance, the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other legal ground for processing exists.
7.4. Right to Restriction of Processing (Art. 18): You have the right to restrict the processing of your personal data under specific circumstances, including where you contest the accuracy of the data or where processing is unlawful but you oppose
erasure.
7.5. Right to Data Portability (Art. 20): You have the right to receive the personal data concerning you, which you provided to us, in a structured, commonly used, and machine readable format and to transmit that data to another controller without hindrance.
7.6. Right to Object (Art. 21): You have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you which is based on legitimate interest. We shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).
7.7. Right to Withdraw Consent (Art. 7): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.
7.8. Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement. The competent Italian Supervisory Authority is the Garante per la protezione dei dati personali.
8. EXERCISING YOUR RIGHTS
8.1. You may exercise any of the rights enumerated in Section 7 by submitting a written request to us at the following addresses:
Email: info@eizosport.com
Postal Address: Global Distribution S.A.S., Via Lorenzo il Magnifico 10, 50129, Firenze (FI), Italy
8.2. We shall respond to your request without undue delay and, in any event, within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We shall inform you of any such extension within one month of receipt, together with the reasons for the delay.
8.3. We reserve the right to request verification of your identity prior to processing requests, to ensure that personal data is not disclosed to unauthorized persons.
9. DATA PROCESSING CONCERNING CHILDREN
9.1. Our Website and the products we sell are not directed at children. Italy has set the age of consent with regard to data protection at 14 years old. Under Article 2 quinquies of the Code, a child over the age of 14 may consent to the processing of his/her personal data in relation to the direct offer of services of the Information Society. For child under the age of 14, consent is only valid if provided by the person exercising parental responsibility.
9.2. We do not knowingly collect personal data from children under the age of 14. If we become aware that we have collected personal data from a child under 14 without appropriate parental consent, we shall take immediate steps to delete that information from our systems.
10. DIRECT MARKETING AND ELECTRONIC COMMUNICATIONS
10.1. Under Section 130 of the Privacy Code, the legal basis for electronic marketing is consent. The strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms.
10.2. We shall send promotional or commercial communications only where you have provided explicit, informed consent through an affirmative opt in mechanism. Pre checked boxes or implied consent from conduct shall not be relied upon.
10.3. You may withdraw your consent to marketing communications at any time by: (a) clicking the unsubscribe link included in each marketing email; (b) adjusting your preferences within your account settings; or (c) contacting us directly at info@eizosport.com.
10.4. Withdrawal of marketing consent shall not affect the processing of your data for other purposes, including contract execution and legal compliance.
11. AUTOMATED DECISION MAKING AND PROFILING
11.1. We do not engage in fully automated decision making that produces legal effects concerning you or similarly significantly affects you, as described in Article 22 of the GDPR, without your explicit consent or unless otherwise permitted by law.
11.2. Where profiling is employed for analytical or marketing purposes based upon your
consent, you retain the right to object to such profiling at any time.
12. THIRD PARTY LINKS AND SERVICES
12.1. The Website may contain links to third party websites, applications, and services, including those integrated for payment processing and social media connections.
12.2. External Sites: We bear no responsibility for the content or privacy practices employed by external websites or services linked from our Website. Data collected by such third parties is subject to their respective privacy policies. We strongly recommend that you review the privacy policies of any third party websites you visit.
13. COOKIES AND TRACKING TECHNOLOGIES
13.1. Article 122 of the Italian Privacy Code implements Article 5 of the e-Privacy Directive. Pursuant to Article 5 of the EU e-Privacy Directive, the storage of cookies (or other data) on an end user's device requires prior consent (the applicable standard of consent is derived from the GDPR).
13.2. The Website utilizes cookies and similar tracking technologies to enhance functionality, analyze usage patterns, and deliver targeted advertising. Detailed information regarding the specific cookies deployed, their purposes, durations, and your ability to manage preferences is provided in our separate Cookie Policy.
13.3. Technical cookies that are strictly necessary for Website functionality may be deployed without consent. All other cookies, including analytical and advertising cookies, require your prior, informed consent.
14. RETENTION OF PERSONAL DATA
14.1. Personal data shall be retained only for so long as necessary to fulfill the purposes for which it was collected, subject to any longer retention periods mandated by applicable law.
14.2. General Retention Periods:
(a) Transaction data and contractual records: Ten years from the termination of the contract or the last order, in accordance with Italian civil law limitation periods (Art. 2946 Civil Code) and fiscal record keeping requirements (DPR 600/1973).
(b) Marketing consent records: For the duration of the consent and a reasonable period thereafter for accountability purposes.
(c) Analytics data: As specified in the Cookie Policy, typically between thirteen and twenty six months.
(d) Security and fraud prevention data: Up to twelve months following resolution of any
incident.
14.3. Upon expiration of the applicable retention period, personal data shall be securely deleted or anonymized in a manner that prevents reconstruction.
15. CHANGES TO THIS PRIVACY POLICY
15.1. We reserve the right to update this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or operational circumstances. We shall notify you of any material changes by posting the revised Policy on the Website and updating the "Last Updated" date at the beginning of this document.
15.2. Continued use of the Website following the effective date of the revised Policy indicates your acknowledgment of the amended terms. We encourage you to review this Policy periodically.
16. CONTACT INFORMATION
For inquiries concerning this Privacy Policy or the personal data we process, please contact us at:
Global Distribution S.A.S. di Fabio Niccolai & C.
Via Lorenzo il Magnifico 10, 50129, Firenze (FI), Italy
Email: info@eizosport.com
For complaints concerning data protection matters, you may also contact the Italian
Data Protection Authority:
Garante per la protezione dei dati personali
Piazza Venezia, 11
00187 Roma, Italy
Website: www.garanteprivacy.it.