This policy applies to the website shop.puntoluce.net and the blog puntoluce.net, owned by Web-E SRL (hereinafter also "Punto Luce" or "we").

| Category | Type of data | Collection method |
|---|---|---|
| Billing and shipping data | Name, surname, address, Tax Code / VAT number, phone, email | Provided directly by the user during registration or purchase |
| Login and authentication data | Email, password (encrypted), social login provider data (Google, Facebook) | Provided directly or via OAuth at registration |
| Browsing data | IP address, browser and device type, pages visited, visit duration, traffic source | Collected automatically during browsing via cookies and system logs |
| Communication data | Name, email, message content | Provided directly via contact forms, chat or email |
| Marketing data | Purchase preferences, order history, interactions with commercial communications | Collected automatically or provided with consent |

Minors' data: Punto Luce's services are intended for adults. We do not knowingly collect personal data from persons under 18. If you believe a minor's data has been provided in error, please contact us at [email protected].

| Purpose | Description | Legal basis (art. 6 GDPR) |
|---|---|---|
| Order fulfilment | Order processing, invoicing, shipping and returns management. | Contract (6.1.b) |
| Tax and accounting obligations | Retention of invoices and accounting records for the period required by Italian law. | Legal obligation (6.1.c) |
| Customer support | Responding to support requests, managing complaints, order updates. | Contract (6.1.b); Legitimate interest (6.1.f) |
| Site analysis and improvement | Aggregate statistics on site usage to improve usability and performance. | Legitimate interest (6.1.f) |
| Security and fraud prevention | Monitoring abnormal access, protection against bots and fraudulent activity. | Legitimate interest (6.1.f) |
| Direct marketing (existing customers) | Commercial communications about products similar to those already purchased. | Legitimate interest (6.1.f) |
| Newsletter and consent-based marketing | Promotional communications and personalised notifications for users who have given explicit consent. | Consent (6.1.a) |
| Targeted advertising and remarketing | Personalised ad campaigns on third-party platforms (Google, Meta, Microsoft). | Consent (6.1.a) |

This website uses cookies and similar tracking technologies for technical, statistical and marketing purposes. Consent to the use of non-essential cookies is collected via the Cookiebot banner and can be changed at any time via the Cookie settings panel in the footer.
The main tracking tools active on the site are:

| Tool | Provider | Category | Purpose |
|---|---|---|---|
| Google Analytics 4 | Google LLC (USA) | Statistics | Traffic analysis and user behaviour. |
| Microsoft Clarity | Microsoft Corp. (USA) | Statistics | Anonymous heatmaps and session recordings to improve usability. |
| Meta Pixel | Meta Platforms Inc. (USA) | Marketing | Conversion tracking and remarketing on Facebook and Instagram. |
| Google Ads / Conversion Linker | Google LLC (USA) | Marketing | Conversion tracking and remarketing via Google Ads. |
| Microsoft Advertising (UET) | Microsoft Corp. (USA) | Marketing | Conversion tracking and remarketing on Bing Ads. |
| Kelkoo Sales Tracking | Kelkoo SAS (FR) | Marketing | Attribution of sales from the Kelkoo price comparison site. |
| Trovaprezzi Trusted Program | Connexance SRL (IT) | Marketing | Verification of transactions from Trovaprezzi. |
| Brevo (Tracker + Chat) | Sendinblue SAS (FR) | Marketing / Preferences | Personalised email marketing and live customer chat. |
| Doofinder | Doofinder SL (ES) | Preferences | Internal product catalogue search engine. |
| YouTube (embedded video) | Google LLC (USA) | Marketing | Playback of videos embedded in site pages. |
| Cookiebot CMP | Usercentrics A/S (DK) | Necessary | Cookie consent collection and management. |

For the full list of cookies, retention periods and management instructions, see our Cookie Policy.

| Category of recipient | Reason |
|---|---|
| IT and hosting service providers | Management of the site's technical infrastructure (servers, CDN, security). |
| Couriers and carriers | Delivery of purchased products (name, address, phone). |
| Payment processors | Secure payment processing (e.g. PayPal). Card data is never processed by Punto Luce. |
| Professional firms (accountants, lawyers) | Accounting, tax and legal compliance. |
| Email marketing and CRM platforms | Sending commercial and transactional communications (Brevo). |
| Advertising platforms | Targeted advertising and campaign measurement (Google, Meta, Microsoft), only after obtaining consent. |
| Public authorities | When legally required by applicable law. |

An up-to-date list of data processors is available on written request to [email protected]. Your data is never sold to third parties.
Some of our providers are based or process data in the United States or other third countries. Such transfers comply with art. 46 of the GDPR on the basis of Standard Contractual Clauses (SCC) adopted by the European Commission.

| Provider | Country | Transfer safeguard |
|---|---|---|
| Google LLC (Analytics, Ads, YouTube, Sign-In) | USA | Standard Contractual Clauses (SCC) — EC decision 2021/914 |
| Meta Platforms Inc. (Facebook Pixel) | USA | Standard Contractual Clauses (SCC) — EC decision 2021/914 |
| Microsoft Corporation (Clarity, Advertising) | USA | Standard Contractual Clauses (SCC) — EC decision 2021/914 |
| Cloudflare Inc. | USA | SCC + EU-US Data Privacy Framework |
| Sendinblue SAS (Brevo) | France (EU) | No extra-EU transfer |
| Kelkoo SAS | France (EU) | No extra-EU transfer |

You may request a copy of the safeguards in place for extra-EU transfers by writing to [email protected].

| Data category | Period | Reason |
|---|---|---|
| Billing data | 10 years | Tax and accounting obligation (Italian law) |
| Customer account data | Until account deletion + 12 months | Contract management and legitimate interest |
| Browsing data (logs) | 12 months | Security and fraud prevention |
| Consent cookie (Cookiebot) | 12 months | Proof of consent under GDPR |
| Email marketing data (newsletter) | Until consent is withdrawn | Consent-based — revocable at any time |
| Communication data (email/chat) | 24 months from last interaction | Customer support and legal protection |

Under arts. 15–22 of the GDPR, you have the right to:
Send a written request to [email protected]. We will respond within 30 days of receipt, as required by art. 12 of the GDPR. Responses are free of charge unless requests are manifestly unfounded or excessive.
Punto Luce implements technical and organisational measures appropriate to the risk of processing, including: data transmission encrypted via HTTPS/TLS, access to systems restricted to authorised personnel, infrastructure protection via Cloudflare WAF and application firewall, and monitoring of abnormal access.
In the event of a data breach that may pose risks to your rights, we will notify the supervisory authority within 72 hours and, where necessary, inform you directly.
Punto Luce may update this policy following regulatory changes, the introduction of new services or changes to processing activities. The updated version will always be available on this page with the date of last modification.
For substantial changes affecting consent-based processing, we will notify you by email or via a prominent notice on the site before the changes take effect.