
Privacy Policy


This privacy policy is provided pursuant to art. 13 of the Regulation EU 2016/679 (the “Regulation”) and applies to the visitors of the website (the “Website”), who may browse the Website or make use of specific services made available through the Website itself (among which, registration and access to your personal area, conclusion and execution of purchase contracts, handling returns, customer assistance).

In compliance with the privacy legislation, the user’s personal data will be processed in accordance with the principles of lawfulness, fairness, transparency, purpose limitation and storage limitation, data minimization and confidentiality, as well as the principle of accountability pursuant to art. 5 of the Regulation.

This privacy policy does not apply to the processing of personal data carried out by controllers of websites to which the Website may refer, by service providers acting on their own behalf (e.g., payment services) or when the user shares information about him or herself through social networking platforms.

  1. Data Controller  

    The data controller is Fabio Toma S.r.l. (the “Data Controller”) with registered office in Via della Maglianella, 318 00166 Roma.   

    The Data Controller can be addressed at any time with reference to this privacy policy and for any questions regarding data processing by sending an email to the following email address:

       2. Which Personal Data are processed?

    The personal data processed may consist of an identifier such as name, an identification number, an online identifier (username), address and billing data, address and shipping data, age, gender, purchase history and IBAN in case of refund (hereinafter the "Personal Data"). 

    The following categories of data are additionally processed through the Website:    

    Browsing data  

    Computer systems and software procedures used to operate the Website obtain, during their normal operations, some Personal Data whose transmission is implicit in the use of Internet communication protocols. This information is not collected with the intent of associating it with identified users but, by its nature, it could lead to the identification of users by processing and associating them with data held by third parties. IP addresses or domain names of computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply given by the server (successful, error, etc.) and other parameters regarding the user's operating system and computer environment fall into this category. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website to check its correct functioning, to identify anomalies and/or abuses; in any case it is deleted immediately after the processing itself. The data may be used to ascertain responsibility in the event of potential cybercrimes against the Website or third parties.

    Data voluntarily provided by the user. 

    Except in cases of specific policies contained herein, this privacy policy is also intended for the processing of Personal Data that the user voluntarily provides to us by filling in the forms contained in the Website (including by way of example, information request forms, in the execution and performance of a purchase within which identification information, contact data and data relating to the address of delivery of the products purchased will be processed, and any information inherent to the purchase experience, including confirmation of payment; and in relation to any return, identification information, contact data and data relating to the address of any collection of the returned products and any information provided by the user regarding the purchase and return experience will be processed). With reference to the suppliers of the payment service, it should be noted that, after the user has selected such payment methods, these suppliers, as autonomous data controllers, notify the payment to the Data Controller.

    We invite users not to provide information that may fall within the special categories of personal data listed in art. 9 of the Regulation (i.e. [...] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relative to a person's health, sex life or sexual orientation). 

    Data of third parties provided by the user  

    If the user provides Personal Data of third parties to the Data Controller (such as, for example, in the case of the purchase of products to be sent to third parties) the user acts as autonomous data controller, assuming any and all responsibilities provided for by law. As a consequence, the user shall indemnify and hold the Data Controller harmless from any request, dispute, claim for damages, etc. that may arise against the Data Controller by third parties whose Personal Data have been processed through the user’s use of the services of the Website, in violation of the applicable law on the protection of personal data. In any case, if the user provides or otherwise processes personal data of third parties while using the Website, the user guarantees that, and is liable for, such processing being legal and, where necessary, grounded on the prior third party's consent.

    Cookie and additional tracking technologies 

    Information about the cookies served by the Website is available in the Cookie Policy, which is an integral part of this Privacy Policy.

      3. What is the purpose of the processing by the Data Controller? 

    User’s Personal Data will be processed with user’s consent where necessary, for the following purposes:  

    (i) to allow browsing the Website and to provide user with the services offered by the Data Controller, including the management of the security of the Website, as well as contractual and administrative-accounting relations; 
    (ii) to address the requests to the Data Controller, including customer support requests;
    (iii) to fulfil any obligations set forth by applicable laws, regulations or European legislation, or to fulfill requests from authorities; 
    (iv) to conduct direct marketing by e-mail for services and products which are similar to those the user has already purchased, pursuant to art. 130 (4) of Legislative Decree no. 196/2003 ("Privacy Code") unless the user expressly refuses to receive such communications upon registration to the Website, subscription or at any later time;
    (v) to send to the user commercial communications and marketing material, including newsletters and market research, through automated tools (sms, mms, e-mail and push notifications) and other means (paper mail, telephone with operator); please note that the Data Controller collects a single consent for marketing purposes, in accordance with the provision issued by the Italian Data Protection Authority "Guidelines on promotional activity and countering spam" dated July 4th 2013; if user wishes to object to the processing of his Personal Data for marketing purposes carried out as specified here, user has the right to contact the Data Controller at any time using the contact details indicated in the section 1, without prejudice to the lawfulness of the processing based on the consent given before the opt out;

    (vi) to analyze and profile preferences, consumer habits and choices, browsing behavior for marketing purposes; 
    (vii) for statistical purposes, without tracing user’s identity. 

      Specific security measures are in place to prevent data loss, unlawful or incorrect use and unauthorized data access in accordance with art. 32 of the Regulation.  


        4. Is the data processing lawful, compulsory or optional? 

      The legal basis for the processing of Personal Data for the purposes under points 3(i) and 3(ii) is art. 6 (1)(b) of the Regulation that states that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, as processing is necessary for the provision of services. The provision of Personal Data for these purposes is optional, but failure to provide it would make it impossible to provide the user with the services requested.

      The legal basis for the processing of Personal Data for the purpose under point 3(iii) is art. 6 (1)(c) of the Regulation according to which “processing is necessary for compliance with a legal obligation to which the controller is subject”. Indeed, once Personal Data have been provided, the processing of such data is mandatory to comply with a legal obligation to which the Data Controller is subject.

      With respect to the purposes under point 3(iv), please note that pursuant to art. 130 (4) of the Privacy Code, the Data Controller may use the email address provided by the data subject while purchasing the product, without the prior specific consent of the data subject if such communication pertains to products of the same kind as those purchased by the data subject, unless the data subject, properly informed, refuses such processing at the moment of purchase or on the occasion of later communications.

      The legal basis for the purposes of marketing and communication under points 3(v) and 3(vi), is art. 6 (1)(a) of the Regulation, under which “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” and art.22(2)(c) of the Regulation. The provision of Personal Data for these purposes is optional and does not affect the provision of the services. User has the right to object to the processing of his Personal Data for marketing or communication purposes by contacting the Data Controller at any time using the contact details indicated in the section 1. 

      The purpose referred to in point 3(vii) is not carried out on Personal Data and, therefore, can be freely performed by the Data Controller.

        5. Are the data disclosed to any third party? 

      Data Controller does not transfer user’s Personal Data to third parties for commercial purposes. User’s Personal Data may be shared exclusively with the following recipients (the “Recipients”), for the abovementioned purposes:  

      (i) third parties that typically act as data processors pursuant to art. 28 of the Regulation, namely: i) persons, companies or professional firms that provide assistance and advice to the Data Controller on accounting, administrative, legal, tax and financial issues; ii) third parties delegated to carry out technical maintenance activities on the Website and the information system; iii) providers of services used by the Data Controller to achieve the purposes referred to in point 3 (e.g. developers and service providers of server hosting, mailing list sending, electronic communication systems, shippers), always in compliance with the principle of minimization by limiting the processing to those data that are necessary to achieve these specific purposes;

      (ii) individuals, entities or authorities to whom it is mandatory to disclose your Personal Data by virtue of legal provisions or orders of the authorities;

      (iii) persons authorized by the Data Controller, pursuant to art. 29 of the Regulation, to process Personal Data necessary to carry out activities strictly related to the provision of services and products, who are under the obligation to keep your Personal Data confidential. 

        The complete list of data processors is available by sending a written request to the Data Controller using the contact details indicated in the section 1.   

        Some of user’s Personal Data is shared with Recipients who may be situated outside the European Economic Area. The Data Controller ensures that these Recipients process Personal Data in compliance with articles 44–49 of the Regulation. With regard to the transfer of Personal Data to third countries, the processing will be undertaken according to one of the methods permitted by current legislation, such as the consent of the data subject, the adoption of Standard Clauses approved by the European Commission, the selection of subjects adhering to international programs for the free transfer of data or operating in countries considered safe by the European Commission based on an adequacy decision.    

         6. For how long will the data be retained? 

        Personal Data processed for the purposes set out at points 3(i) and 3(ii) will be retained for the time strictly necessary to achieve their purposes. In any case, since Personal Data are processed for the provision of services, Personal Data will be retained by the Data Controller for the period of time envisaged and permitted by Italian law to protect its own interests (Art. 2946 of the Italian Civil Code). 

        Personal Data processed for the purposes set out at point 3(iii) will be retained up until the time stipulated by the specific obligation or applicable law.

        Personal Data processed for the purposes set out at point 3(iv) will be retained until user objects to its processing.  

        For the purposes set out in point 3(v) and 3(vi), Personal Data will be retained for a maximum of 24 months after the last interaction on the Website or until the user withdraws the consent to the processing if earlier. 

        In any case, the Data Controller is granted the possibility to retain Personal Data for the period of time provided for by Italian law to protect its interests (Art. 2947 (1)(3) of the Italian Civil Code). 

          7. Which are the rights of the data subjects?

        Pursuant to articles 15 to 22 of the Regulation, users have the right to withdraw at any time the consent given without prejudice to the lawfulness of the processing carried out before the withdrawal, to obtain confirmation of the existence or non-existence of the Personal Data processing and to have access to the Personal Data, verify their accuracy or request their integration or update, or rectification; to request the erasure of Personal Data in the cases provided for by art. 17 of the Regulation; to request the restriction of data processing in the cases provided for by art. 18 of the Regulation, where technically possible; to obtain in a structured, commonly used and machine-readable format the Personal Data concerning the user, in the cases provided for by art. 20 of the Regulation; and to object to the processing in the cases provided for by articles 21 and 22 of the Regulation.

        The user always has the right to file a complaint with the competent supervisory authority (the Italian Personal Data Protection Authority), pursuant to art. 77 of the Regulation, if the user believes that the processing of the Personal Data is contrary to the legislation in force.

          8. Amendments 

        The Data Controller may modify and update the content of this privacy policy, in part or completely, also due to changes in the applicable legislation. Therefore, the Data Controller invites users to regularly visit this section to become aware of the most recent and updated version of the privacy policy.