Privacy Policy

PRIVACY POLICY (Art. 13 GDPR)

Last updated: 10/05/2026

Pursuant to Regulation (EU) 2016/679 GDPR (hereinafter the “Regulation”), this page describes how the personal data of users visiting this website is processed.

This information does not apply to other websites, pages, or online services that may be accessed through hyperlinks published on this website.

When users visit this website, data relating to identified or identifiable natural persons may be processed.

1. DATA CONTROLLER

The Data Controller is:

Biosa Onofrio
VAT No. 01560090118
Via Vallarsa, 2 – 19123 La Spezia (SP), Italy
Phone: +39 3207112159
Email: info@onytcg.it

The regulations mentioned above govern the confidentiality of personal data and impose a series of obligations on those who process information relating to other individuals. Among these obligations is the duty to adequately inform the data subject about how their personal data is used, so that consent to processing may be freely given and unequivocal.

Where required by applicable law, the user’s consent will be requested before processing personal data.

If the user provides personal data relating to third parties, the user must ensure that the communication of such data to the Data Controller and the subsequent processing for the purposes specified in this Privacy Policy comply with applicable data protection laws. For example, users may provide third-party personal data only after properly informing the relevant individuals and obtaining their consent to the processing.

2. TYPES OF DATA PROCESSED

The website collects and processes the following categories of data:

Identification and Contact Data

First name, last name, email address, phone number, shipping address, and billing address.

Payment Data

Transactional information necessary to complete purchases.

Note: The Data Controller does not access or store full credit card details, which are managed exclusively by payment gateway providers.

Browsing and Tracking Data

Information systems automatically collect certain data, such as IP addresses, system logs, and details regarding user interaction with the platform.

The website also uses cookies and similar technologies for technical, analytical, and marketing purposes. For the complete list and management of preferences, please refer to the dedicated Cookie Policy.

3. PURPOSES AND LEGAL BASES OF PROCESSING

Personal data is processed for the following purposes:

1. Contract Performance (Art. 6.1.b GDPR)

Management of orders, shipment of products, management of pre-orders, and customer support.

2. Legal Obligations (Art. 6.1.c GDPR)

Compliance with tax, accounting, and legal obligations arising from online sales.

3. Payment Management (Art. 6.1.b GDPR)

Processing transactions through secure payment systems.

4. Direct Marketing (Art. 6.1.a GDPR)

Sending newsletters and promotional communications, only after the user has provided explicit consent through a dedicated checkbox.

Users may withdraw their consent at any time through the unsubscribe link included in every communication.

5. Security and Fraud Prevention (Art. 6.1.f GDPR)

Based on the legitimate interest of the Data Controller in protecting the platform against unlawful activities.

4. SERVICE PROVIDERS AND PAYMENT MANAGEMENT

For the provision of services, the Data Controller may share personal data with the following parties, acting either as Data Processors or Independent Data Controllers:

Hosting and Technical Infrastructure

Website hosting service providers.

Payment Services

  • PayPal: Payment processing through PayPal accounts and credit card networks.

  • Satispay: Mobile payment services.

  • Scalapay: Installment payment and financing services. In this case, data may be shared with Scalapay for creditworthiness assessments.

  • Klarna (currently being activated): Deferred payment solutions.

Logistics Services

Couriers responsible for product delivery.

5. TRANSFER OF DATA OUTSIDE THE EU

Where processing involves the transfer of personal data to countries outside the European Economic Area (for example through third-party service providers), such transfers will be governed by the Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an equivalent level of protection.

6. DATA RETENTION PERIOD

  • Contractual and tax-related data: retained for 10 years as required by applicable law.

  • Marketing data: retained until consent is withdrawn (opt-out).

  • Technical data: retained for the time strictly necessary to provide the service (e.g. abandoned cart management).

7. DATA SUBJECT RIGHTS

Pursuant to Articles 15-22 of the GDPR, users may exercise the following rights:

  • Access their personal data and request copies.

  • Request rectification or deletion (“right to be forgotten”).

  • Restrict or object to processing (e.g. for marketing purposes).

  • Receive data in a structured and portable format.

  • Lodge a complaint: Users have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

8. EXERCISING YOUR RIGHTS

Pursuant to Articles 15-22 of the GDPR, users may exercise their rights (access, rectification, deletion, restriction, objection, and portability).

How to exercise your rights

  • Rights may be exercised through the contact details provided in the “Data Controller” section.

  • Requests are free of charge and do not require any special formalities. The Data Controller will respond within one month of receiving the request.

  • If users believe that the processing of their personal data violates the GDPR, they have the right to lodge a complaint with the Italian Data Protection Authority through www.garanteprivacy.it or to take legal action before the competent courts.