Privacy Policy of lumina-gioielli.it

This Privacy Policy describes how the personal data of users who visit and use the website lumina-gioielli.it is processed, in accordance with Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection laws.

1. Data Controller

The Data Controller responsible for processing personal data is:

Lumina Design
Via Lorenzo Valla 40/A
00152 Rome (RM) – Italy
Email: info@lumina-gioielli.it
Phone: +39 324 6389998
VAT Number: IT14695501008

2. Types of Data Processed

2.1 Data voluntarily provided by the user

Through the website, the following personal data may be collected and processed:

  • First and last name;
  • Email address;
  • Shipping and billing address;
  • Phone number;
  • Data necessary for order management and returns;
  • Data related to the creation and management of a customer account (if available);
  • Content of messages sent via contact forms or email.

2.2 Payment data

Payments for purchases made on the website may be handled by third-party providers (e.g., PayPal, credit card processors, or other payment gateways).

The website does not store credit card details or payment credentials, which are processed directly by the respective payment service providers, acting as independent controllers or processors.

2.3 Browsing data

The IT systems and software procedures used to operate this website acquire certain personal data during normal operation, the transmission of which is implicit in the use of Internet communication protocols.

This information is not collected to be associated with identified individuals, but could, through processing and association with data held by third parties, allow users to be identified.

This category includes, for example:

  • IP address;
  • Date and time of visit;
  • Pages visited and resources requested;
  • Browser type and device used;
  • Server logs and response codes.

2.4 Cookies and similar technologies

The website uses technical cookies, analytical cookies, and—subject to consent—profiling cookies and tracking tools (e.g., pixels). For more information on the types of cookies used, their purposes, and how to manage consent, please refer to the dedicated Cookie Policy.

3. Purposes of Processing

Personal data collected through the website is processed for the following purposes:

3.1 Contractual and pre-contractual purposes

  • Managing orders and related operations (payments, invoicing, shipping, returns, or complaints);
  • Registering and managing the customer account (if active);
  • Providing customer support and assistance.

3.2 Administrative, accounting, and legal purposes

  • Compliance with legal obligations, regulations, EU directives, and orders from competent authorities;
  • Managing accounting and mandatory records;
  • Handling disputes or legal claims.

3.3 Communication and marketing purposes

  • Responding to requests submitted via contact forms or email;
  • Sending newsletters and promotional communications related to the Controller’s products and services, only with the user’s explicit consent.

3.4 Statistical purposes

  • Anonymous and aggregated analysis of website usage data;
  • Improving website functionality and user experience.

3.5 IT security purposes

  • Ensuring the security of the website and its users;
  • Monitoring proper website operation;
  • Preventing and detecting fraudulent or unlawful activities.

4. Legal Basis for Processing

Personal data is processed on the following legal bases:

  • Performance of a contract or pre-contractual measures requested by the user (Art. 6(1)(b) GDPR), for order management, customer accounts, and support;
  • Compliance with legal obligations (Art. 6(1)(c) GDPR), including tax and accounting requirements;
  • User consent (Art. 6(1)(a) GDPR), for newsletter subscriptions, marketing communications, and profiling cookies;
  • Legitimate interest of the Controller (Art. 6(1)(f) GDPR), for website security, fraud prevention, legal defense, and anonymous statistical analysis.

5. Methods of Processing

Personal data is processed using electronic and telematic tools, following principles of lawfulness, fairness, transparency, data minimization, and storage limitation.

The Controller adopts appropriate technical and organizational measures to ensure data security, preventing loss, unlawful or incorrect use, unauthorized access, and unauthorized disclosure.

6. Data Processing via WordPress and Plugins

The website is built and managed using the WordPress platform and may use third-party plugins (e.g., e-commerce plugins, security tools, contact forms, newsletter systems, caching tools, analytics services).

These tools may involve personal data processing (e.g., form submissions, order management, login tracking, automated email notifications).

Plugins are selected and configured to ensure compliance with data protection regulations. Additional details on specific plugins can be provided upon request.

7. Data Retention

Personal data is retained for no longer than necessary to achieve the purposes for which it was collected, unless longer retention is required by law or for the protection of the Controller’s rights.

Specifically:

  • Order and invoicing data: up to 10 years, in accordance with tax and accounting obligations;
  • Customer account data: until the account is deleted, unless legal obligations require longer retention;
  • Marketing data (newsletter): until the user withdraws consent;
  • Contact form data: for the time needed to process the request, and no longer than 12 months unless required for legal protection;
  • Browsing data and server logs: according to hosting provider policies and security configurations;
  • Cookies: as specified in the Cookie Policy.

8. Recipients of Personal Data

Personal data may be shared with third parties acting as independent controllers or processors, in accordance with Art. 28 GDPR.

8.1 Hosting provider – Aruba S.p.A.

The website is hosted on servers provided by:

Aruba S.p.A.
Via San Clemente 53
24036 Ponte San Pietro (BG) – Italy

Aruba S.p.A. provides hosting, server infrastructure, security, and backup services. It is appointed as a Data Processor for the services provided.

8.2 Other recipients

Personal data may be shared, where strictly necessary, with the following categories of recipients:

  • couriers and shipping companies responsible for product delivery;
  • payment service providers (e.g., PayPal, credit card processors);
  • consultants and professionals (e.g., accountants, tax advisors, legal consultants);
  • technical, IT, and website maintenance service providers;
  • newsletter and email communication platforms (if used);
  • competent authorities, where required by law or upon request.

An updated list of data processors is available upon request.

9. Transfer of Data Outside the EU

Some services used by the website (e.g., analytics, newsletter platforms, marketing tools) may involve the transfer of personal data to countries outside the European Economic Area (EEA).

In such cases, data transfers will comply with Articles 44–49 GDPR, based on adequacy decisions by the European Commission or, where necessary, through Standard Contractual Clauses (SCCs) and supplementary measures to ensure an essentially equivalent level of data protection.

10. Rights of the Data Subject

Users may exercise their rights under Articles 15–22 GDPR at any time, including:

  • Right of access: to obtain confirmation of whether personal data is being processed and receive related information;
  • Right to rectification: to correct inaccurate or incomplete personal data;
  • Right to erasure (“right to be forgotten”): to request deletion of personal data in the cases provided by law;
  • Right to restriction of processing: to limit processing in the cases provided by law;
  • Right to data portability: to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller;
  • Right to object: to object at any time to processing based on legitimate interest or for direct marketing purposes;
  • Right to withdraw consent: to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal;
  • Right to lodge a complaint: to lodge a complaint with the Data Protection Authority or another competent supervisory authority.

To exercise these rights, users may contact the Controller at: info@lumina-gioielli.it.

11. Data Security

The Controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • use of the secure HTTPS protocol;
  • reliable hosting services with advanced protection systems;
  • WordPress security plugins (e.g., firewalls, monitoring tools);
  • regular data backups;
  • access to personal data restricted to authorized personnel only.

12. Profiling

Any profiling or personalized marketing activities based on cookies or tracking tools are carried out exclusively with the user’s explicit consent, collected through the cookie banner or consent management tools.

Users may modify their cookie preferences at any time using the tools provided on the website (e.g., cookie settings panel).

13. Minors

The website and its services are not intended for children under 16 years of age. If the Controller becomes aware that personal data of minors has been collected without parental consent, such data will be deleted as soon as possible.

14. Changes to this Privacy Policy

The Controller reserves the right to modify or update this Privacy Policy at any time. Changes will be published on this page and, if significant, may be communicated to users through available contact channels.

Users are encouraged to review this page regularly to stay informed about any updates.

Last updated: [11.01.2026]
