Dear visitor,
On this page you will find, as a User of this website, the information that ilmioviaggioanewyork.com, as the Owner, provides pursuant to US and European regulations, namely the California Consumer Privacy Act 2018 (“CCPA”) and Regulation (EU) 2016/679 (“GDPR”), regarding the processing of personal data of site visitors. Access to this site, viewing its content, and using its services may involve the collection of personal data by the Owner or third parties (better specified in the following information). For information on cookies, please refer to the specific Cookie Policy.
- Data controller
1.1. The Data Controller is Ilmioviaggio Inc., 235 W 56 Street, Suite 21D, New York NY 10019, email: info@ilmioviaggioanewyork.com, which will process data according to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality.
- Categories of data processed, purposes, and legal bases of the processing
2.1 The personal data processed by the Data Controller fall into the category of common data.
2.2 Browsing data. Some of your data are processed for the proper technical functioning of the site, therefore, for the purpose of: providing the service, maintaining or restoring service security, preventing fraud or detecting technical faults, measuring the site’s audience. The computer systems and software procedures involved in the ordinary operation of the site, in fact, acquire some personal data (session or browsing data) the transmission of which is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the response file, the numerical code indicating the status of the response given by the server (successful, error, etc.), browser version, time zone, and other parameters related to the user’s operating system and computer environment. The communication of personal data necessary to achieve the stated purposes is mandatory, and any refusal to provide your data will prevent the provision of the requested services.
2.3 Data necessary for the provision of services. When the user makes a purchase in the Owner’s store, as part of the sales and purchase process, the personal information provided by the user such as name, email, shipping and billing address, payment details including credit card numbers, company name, phone number, and order information are collected.
These and other data are collected for the following purposes:
- provision of services provided through this website, particularly for the creation and management of your account in the reserved area in order to: purchase and enjoy the services advertised on the site (including tours and events); respond to your inquiries and provide assistance in using our site and services; enable you to take advantage of the offered services, and answer any questions;
- administrative management of relationships, including commercial ones, between the Owner and third parties;
The legal basis for processing for these purposes is found in the performance of a contract to which the data subject is a party or in the performance of pre-contractual measures adopted at the data subject’s request. The communication of personal data necessary to achieve the stated purposes is mandatory, and any refusal to provide your data will prevent the provision of the requested services. For the processing of personal data relating to these purposes, please refer to the information provided in point 4 of this notice.
2.4 Data collected for promotional, commercial, and direct and indirect marketing purposes. Furthermore, the Owner may use your personal data, after obtaining your consent, for the following purposes:
- Periodic updates on offers, promotions, and discounts, including through the use of a newsletter service (email);
- Sending promotional communications and advertising material, offering products and/or services from the Owner or third parties, conducting surveys and market research, through the use of operator-assisted phone calls and/or automated systems (SMS);
- Collection and management of customer feedback on the services provided;
- Market research and analysis;
- User profiling for commercial and marketing purposes based on the user’s usage patterns of the site, demonstrated interest in different products, exposure to advertising communication.
The legal basis for processing, for such purposes, is found in the explicit consent of the Data Subject, which may be revoked by the same at any time by contacting the Data Controller. The provision of data for the purposes indicated in point 2.4 is optional, and if you choose not to consent to the collection of such data, it will not affect the possibility of using the services of the Data Controller. Simply, you will not benefit from the services for which you have denied consent (for example, offers, promotions, discounts, promotional communications, surveys, market research, etc.). Some services on the site are provided, for example, by Google, Facebook, Shopify, Paypal, which operate as independent Data Controllers; therefore, reference should be made to their respective policies.
2.5 Data voluntarily provided by the user. The optional, explicit, and voluntary sending of messages to the contact addresses of the Data Controller, as well as the completion and submission of forms on the site, involve the acquisition of the sender’s contact data, necessary to respond, as well as all personal data included in the communications, in order to best manage the requests. The processing of personal data by the Data Controller is in this case voluntarily activated by the user and necessary to fulfill their requests, therefore, the legal basis for this purpose is found in the performance of a contract to which the Data Subject is a party or in the performance of pre-contractual measures adopted at the Data Subject’s request. For these purposes, providing data is obviously optional; however, failure to provide the necessary data will result in the inability to forward the visitor’s request or follow up, or a less precise and detailed response, or greater difficulty in being able to contact the Data Subject for further details regarding the request.
- Processing methods
3.1 The processing of your personal data will take place in compliance with the CCPA and GDPR, using paper, computer, or telematic means, manual and automated, for the purposes indicated in point 2 of this notice. The personal data processed are not subject to disclosure and can only be processed by the employees of the Data Controller, previously authorized and instructed for processing.
3.2 Personal data may be communicated to the following external parties, who act as independent Data Controllers or are appointed by the Data Controller as Data Processors, as they meet the requirements required by the regulations:
- private and public entities for the completion of administrative and legal practices;
- professionals, consultants, companies assisting the Data Controller from an IT and infrastructural perspective, such as hosting and cloud providers like Shopify Inc. (see point 4), or companies providing email services;
- professionals, consultants, companies providing services related to the delivery, monitoring, analysis of navigation, measurement, and optimization of websites;
- professionals, consultants, companies assisting the Data Controller from a tax, accounting, commercial, and legal perspective;
- professionals, consultants, companies assisting the Data Controller in gathering information such as service quality, customer satisfaction, etc., as well as providing data processing, storage, and/or analysis services;
- professionals, consultants, companies specialized in marketing activities, re-marketing, social media, operational management of communication campaigns via the Internet, email, and/or telephone systems;
- professionals, consultants, companies providing services related to the organization and execution of our tours and events (e.g., hotels, transportation service operators).
Pending legislative intervention regarding transfers of personal data outside the European Economic Area, Ilmioviaggio Inc adopts measures to protect personal data by requiring suppliers to enter into contracts that provide for the adoption of a level of data protection equivalent to that provided by the GDPR. Data subjects also have actionable rights and effective remedies.
3.3 Personal data may also be disclosed to further external parties acting as independent Data Controllers, such as judicial, administrative, or police authorities, or other public entities authorized to request them, in cases provided for by law, in order to fulfill legal obligations and/or regulations, including tax obligations. Ilmioviaggio Inc may disclose your personal information if the law requires us to do so or if you violate our Terms of Service. Ilmioviaggio Inc is subject to the investigative and enforcement powers of the Federal Trade Commission (FTC) and/or the United States Department of Transportation.
3.4 The website is not intended for individuals under the age of 14. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us to request its deletion.
3.5 The Data Controller does not carry out profiling. Shopify, however, may use automated decision-making limited to fraud prevention, which does not have a legal or otherwise significant effect on users of the website. Services that include elements of automated decision-making include: temporary denial list of IP addresses associated with repeated unsuccessful transactions (for a limited number of hours); temporary denial list of credit cards associated with disallowed IP addresses (for a few days).
- Data processing by Shopify
4.1 The e-commerce platform of the website is provided by Shopify Inc., a Canadian company with offices at 150 Elgin Street, Suite 800, Ottawa, ON, K2P 1L4, on its own behalf and on behalf of its Irish affiliate Shopify International Ltd. (“Shopify”), headquartered at Intertrust Ireland, 2nd Floor 1–2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland, Tel. +1 571 409 6451, email: privacy@shopify.com. For such data processing, Shopify is an independent Data Controller, so please refer to the page https://it.shopify.com/legal/privacy.
Additionally, Shopify collects and uses the aforementioned information about you on behalf of the Data Controller and on its own for the provision of other services, for which please refer to the page https://www.shopify.com/legal/privacy/customers. In the event of visiting the website, using the offered services, or interacting via email, web forms, instant messages, phone, or posting content through forums, blogs, or messaging features, information related to the device and browser used, network connection, IP address, and cookies installed on the device are collected, in addition to information voluntarily provided by you for account verification and to offer assistance (info on https://www.shopify.com/legal/privacy/visitors). Such information is used to provide merchants with the Services, including risk and fraud control, authentication, and payments, as well as to improve the services offered. Some of the personal information provided by the data subject is intended to conduct a certain level of automated decision-making, for example, certain personal information (IP addresses or payment information) is used to automatically block some potentially fraudulent transactions for a short period of time.
5.2 User data is stored through Shopify’s infrastructure, data storage, and databases on secure servers protected by firewalls. Shopify collects the name, email address, shipping and billing address, payment details, company name, phone number, IP address, information on initiated orders, information on Shopify-supported business stores visited, and information on the device and browser used. If a direct payment gateway is chosen to complete the purchase, Shopify stores credit card data. The data is encrypted using the Payment Card Industry Data Security Standard (PCI-DSS) for payment card information. Purchase transaction data is stored only for the time necessary to complete the purchase. At the end, the purchase information is deleted. All direct payment gateways adhere to PCI-DSS standards as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express, and Discover. In order to protect the processed personal data, Shopify takes reasonable precautions and follows industry best practices to ensure that data is not lost, used improperly, accessed, disclosed, altered, or mistakenly destroyed. Credit card data is managed by payment service providers; the information is encrypted using Secure Socket Layer (SSL) technology and stored with AES-256 encryption. For further information, it is also recommended to read Shopify’s Terms of Service (https://www.shopify.com/legal/terms) or Shopify’s Privacy Policy (https://www.shopify.com/legal/privacy). Some providers, such as payment gateways and other payment transaction processors, have their own privacy policies regarding the information required for purchase-related transactions. For these providers, it is advisable to read their privacy policies in order to understand how the User’s personal information will be handled by these providers.
- Data Retention Period
5.1 Regarding the browsing data collected for the purpose mentioned in point 2.2, they are kept for a period that allows the Data Controller to ensure the security of users’ connection to the site and its proper functioning. With regard to cookies, the retention time of individual cookies is specified in the table provided in the specific Cookie Policy, including cookies from the software provider for publishing, managing, and editing this website, Shopify.com.
5.2 Regarding the data processed for the purpose mentioned in point 2.3, personal data is kept, in accordance with the purpose for which it was provided, for the period strictly necessary to achieve the purposes for which the data was collected, in compliance with the principle of data retention, unless applicable regulations require a longer retention period.
5.3 For data collected directly by Shopify for its own purposes, the information continues to be managed for legitimate business purposes. When Shop Pay is used, account data remains stored as long as the account is active. For the deletion of such data, please visit the page https://shop.app/opt-out.
5.4 Regarding the data processed for the purpose mentioned in point 2.4, personal data is kept until consent is revoked or, at most, for 36 months from the time consent was collected.
5.5 Regarding the data processed for the purpose mentioned in point 2.5, personal data voluntarily provided by the user is kept, at most, for 24 months from the time of provision, in compliance with the principle of data retention, unless applicable regulations require a longer retention period.
- Location and Transfer of Data to Non-EU Countries
6.1 If you are a citizen of the European Economic Area, we inform you that the Data Controller may use, also through its Data Processors, companies providing telematics communication services, especially email, as well as hosting and cloud services, which may transit messages and personal information of users even in countries outside the European Union, or may store backup copies of data in such countries, in order to limit the risks associated with potential data loss. These service companies are selected for reliability, security, and compliance with national and European regulations regarding the processing of personal data and among those that provide adequate guarantees, as required by Article 46 GDPR. The transfer abroad carried out in this way is in line with such regulations, as it is only carried out to countries that have been the subject of an adequacy decision and therefore guarantee an adequate level of protection of personal data, or based on the “standard contractual clauses” (“SCC”) issued by the European Commission on June 4, 2021.
6.2 Considering the effects of the “Schrems II” ruling of the EU Court of Justice, pending legislative intervention regarding transfers of personal data outside the European Economic Area, Ilmioviaggio Inc adopts measures to protect personal data by requiring suppliers to enter into a contract that provides for the adoption of a level of data protection equivalent to that provided by the GDPR. Data subjects also have enforceable rights and effective remedies.
6.3 Your personal data is stored in databases located in the European Union at the headquarters of the Data Controller and, if you are in the European Union, by the Irish subsidiary of Shopify, Shopify International Ltd (see point 4 of this information). Shopify may transfer your personal data, in accordance with relevant data protection legislation, to other countries, including Canada and the United States. More information is available at the links https://it.shopify.com/legal/privacy and https://www.shopify.com/legal/dpa.
- Third-Party Apps
7.1 When you use “Shop” or another Shopify app to make a purchase, your personal information is shared with the Data Controller. Information may also be shared with service providers to provide the requested services (info at https://www.shopify.com/legal/privacy/app-users). Except in cases where third-party apps are presented as “Made by Shopify” (for which Shopify is directly responsible), please refer to the privacy and cookie policy of such applications.
- Rights of the Data Subject
8.1 The Data Controller takes every reasonable measure to ensure the quality of the data and to eliminate incorrect or unnecessary personal data.
8.2 If you are a citizen of the European Economic Area, you are entitled to the rights provided by the GDPR. As a data subject, you can exercise the following rights by contacting the Data Controller at the contact details provided in point 1 of this information:
- Where provided, Right to withdraw consent (Art. 13, para. 2, letter a, and Art. 9, para. 2, letter a, GDPR);
- Right of access to personal data (Art. 15);
- Right to rectification (Art. 16);
- Right to erasure (Art. 17); in this case, the Data Controller verifies that the requester matches the data subject, confirms that there are no legal grounds for retaining such data, and forwards the request to the “data processor” (e.g., Shopify), which ensures the removal of personal data; however, if erasure proves impossible, Shopify will communicate to what extent it is impossible and why; personal data cannot be erased by Shopify while associated with a pending order or an order made less than 180 days before the request (the usual window within which the buyer can request a refund).
- Right to restriction of processing (Art. 18);
- Right to notification to recipients in case of rectification or erasure of personal data or restriction of processing, and right to be informed of such recipients (Art. 19);
- Right to data portability (Art. 20);
- Right to object (Art. 21);
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them (Art. 22).
8.3 The above is without prejudice to the possibility of lodging a complaint with the competent supervisory authority for the protection of personal data.
This privacy policy was last updated on March 18, 2022.