📣 Free shipping to EU over 49€📣

Sign up to the newsletter, 50% off shipping

Step into the new Legami world online!

Boutique Locator

Assistance

Privacy Policy

PRIVACY POLICY

Information document pursuant to and for the effects of Article 13 of Regulation (EU) 2016/679 (GDPR)

WHY THIS INFORMATION?

Pursuant to Regulation (EU) 2016/679 (hereinafter "GDPR"), this page describes the methods of processing personal data. This is an information notice provided pursuant to Article 13 GDPR. This information notice is not to be considered valid for other third-party websites, possibly accessible through links present on this website, for which no responsibility is assumed.

Processable Personal Data

  • Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (C26, C27, C30 GDPR).
  • Contractor/user data.
  • Navigation data: the computer systems and software procedures responsible for the operation of this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by users, addresses in URI/URL (Uniform Resource Identifier/Locator) notation of requested resources, request time, method used in submitting the request to the server, size of the file obtained in response, numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment.
  • Voluntarily communicated data: the optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and/or the completion of data collection forms results in the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data entered.

Information about the processing of personal data carried out through Social Media platforms

Regarding the processing of personal data carried out by the managers of Social Media platforms used by the Controller, reference is made to the information provided by them through their respective privacy policies. The Controller processes personal data provided by users through dedicated Social Media platform pages, to manage interactions with users (comments, public posts, etc.) and in compliance with current regulations.

Specific information notices

Specific information notices may be present on the Website pages in relation to particular services or data processing provided.

COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY FOR?

For Cookies and other tracking systems, see the cookies policy shown in the website footer and at the following link.

1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT THEM?

The Data Controller is Legami S.p.A. Benefit Company, with registered office in Via Stezzano No. 18 - 24052 Azzano San Paolo (BG), in the person of its pro-tempore Legal Representative, who can be contacted via email: privacy@legami.com

HAS A DATA PROTECTION OFFICER BEEN APPOINTED? WHAT ARE THEIR CONTACT DETAILS?

Legami S.p.A. Benefit Company has appointed its Data Protection Officer (DPO - Data Protection Officer) pursuant to Articles 37, 38 and 39 of the GDPR. The DPO can be reached at the Controller's registered office indicated above and via email by writing to: dpo@legami.com.

2. PROCESSING PURPOSES, LEGAL BASIS, DATA RETENTION PERIOD, NATURE OF DATA PROVISION

Navigation on this website

PROCESSING PURPOSELEGAL BASISDATA RETENTION PERIODNATURE OF DATA PROVISION
Navigation on this website.

Data necessary for the use of web services are also processed for the purpose of:
• obtaining statistical information on the use of services (most visited pages, number of visitors by time slot or daily, geographical areas of origin, etc.);
• controlling the correct functioning of the services offered.		Processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail, taking into account the reasonable expectations of the data subject and activities strictly necessary for the operation of the website and navigation itself.
(Art. 6, par. 1 lett. f and C47 of the GDPR).

Data subjects are guaranteed the possibility to obtain, upon request, information on the balancing test carried out.		Navigation data will be retained for the duration of the browsing session.Data provision is necessary for website navigation.

Use of cookies and similar technologies

PROCESSING PURPOSELEGAL BASISDATA RETENTION PERIODNATURE OF DATA PROVISION
Use of cookies and similar technologies.
See the cookies policy in the website footer.		For non-technical necessary cookies and similar technologies, processing is based on consent to the processing of personal data (art. 6 par. 1 lett. a and C42, C43 of the GDPR).

Consent is given through the banner and cookie policy of the website.		See the cookies policy in the website footer.See the cookies policy in the website footer.

In addition to navigation, personal data will be processed for:

PROCESSING PURPOSELEGAL BASISDATA RETENTION PERIODNATURE OF DATA PROVISION
A) CONTACTS
Sending contact requests, information.		Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44).
Art. 6 par. 1 lett. b) of the GDPR.		12 monthsData provision is necessary.
Failure to provide the necessary data will result in the inability to be contacted and receive information.
B) RESPONSE TO CONTACT REQUESTS
From end customers of any channel for post-sales issues (for example: requests regarding returns, non-conforming products, withdrawals).		Processing is necessary for the performance of a contract to which the data subject is party.
Art. 6 par. 1 lett. b) of the GDPR.		10 years from the termination of the contractual relationship.Data provision is necessary.
Failure to provide the necessary data will result in the inability to receive feedback regarding the existing relationship.
C) USER PURCHASE MANAGEMENT
Made both through the "guest checkout" section and through a registered account. For the correct management of the purchase, the Controller may contact you via email or instant messaging services to communicate only information related to the order placed.		Processing is based on pre-contractual and contractual measures (C42, C43).
art. 6 par. 1 lett. b) of the GDPR.		Data will be retained for 10 years from the conclusion of the commercial transaction.Data provision is necessary to allow the user to complete the purchase order and subsequently proceed with payment.
D) CUSTOMER AREA
Registration and access to reserved area.		Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44).
Art. 6 par. 1 lett. b) of the GDPR.		Until contract termination and for the technical time necessary to disable credentials.Data provision is necessary.

Failure to provide the necessary data will result in the inability to access the reserved area and complete any purchases.
E) DIRECT MARKETING
For sending advertising or direct sales material or for conducting market research, commercial and promotional communication, statistical analysis newsletters, through automated means (email).		Processing is based on consent to the processing of personal data (C42, C43).
art. 6 par. 1 lett. a) of the GDPR.		Until consent withdrawal (or opt-out).Data provision is optional.
Failure to provide the necessary data will result in the inability to receive direct marketing communications.
F) PROFILING
Analysis of user preferences, such as viewed products and added to cart, purchasing habits where present, interests, advertising and commercial material received to send targeted promotional communications as well as data communications to third-party social parties to propose targeted advertising based on user interests, behaviors and purchases.		Processing is based on consent to the processing of personal data (C42, C43).
art. 6 par. 1 lett. a) of the GDPR.		Profiling activity is carried out on purchase data from the last 12 months, unless consent is previously withdrawn.Data provision is optional.

Failure to provide the necessary data will result in the inability to perform analysis and send targeted communications.
G) RE-CONTACT
Via email following availability of the product for which the user has expressed interest.		Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (C44).
Art. 6 par. 1 lett. b) of the GDPR.		Until the product for which the user has expressed interest becomes available again/is made available.Data provision is necessary.
Failure to provide the necessary data will result in the inability to be contacted and receive information.
H) REVIEW PUBLICATION
Allow the user to leave a review regarding their purchase experience, as well as being able to contact them to interview them about their purchase experience with the Controller. It is specified that the review will be published anonymously and that consent will only allow Legami to send you communications to ask you to evaluate the experience and product as described above.		Processing is based on consent to the processing of personal data (C42, C43).
art. 6 par. 1 lett. a) of the GDPR.		For the time necessary to send the review request email.Data provision is optional.

Failure to provide the necessary data will result in the inability to contact the user to request product reviews.
I) MANAGEMENT OF YOUR REQUESTS
And requests from other data subjects, pursuant to articles 15 et seq. of the GDPR (data subject rights).		Processing is necessary for compliance with a legal obligation to which the controller is subject (C45).
Art. 6 par. 1 lett. c) of the GDPR.		5 years from request closure, except in case of litigation.The provision of personal data is mandatory, as it is essential to be able to execute legal obligations.
J) PURCHASE VERIFICATION
Verification of purchases made by the user to ascertain any abusive behavior to the detriment of the controller.		Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (C47-C50).
Art. 6 par. 1 lett. f) GDPR.		-Data provision is necessary to allow the Controller to carry out adequate checks in order to avoid incorrect behavior.

3. TO WHOM WILL PERSONAL DATA BE COMMUNICATED? DATA RECIPIENTS

Personal data will be communicated to subjects who will process the data as independent Data Controllers, or Data Processors (art. 28 GDPR) and processed by natural persons (art. 29 GDPR) who act under the authority of the Controller and Processors based on specific instructions provided regarding the purposes and methods of processing.

Data will be communicated to recipients belonging to the following categories:

  • Subjects providing services for the website and communication networks, including email, hosting and website management
  • Subjects with whom the Controller has signed agreements and with prior consent, where required
  • Payment platform providers
  • Shipping and transport companies
  • For direct marketing, with prior consent to subjects for managing related activities
  • Companies for review publication
  • Subjects providing customer care services
  • Social network platforms
  • Competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request

The list of Data Processors under art. 28 is available by writing to privacy@legami.com or to the other contacts indicated above.

4. WILL DATA BE TRANSFERRED TO NON-EEA COUNTRIES?

Data may be transferred to Extra-EEA Countries. It is specified that in case of transfer of personal data to countries located outside the European Economic Area, this will be carried out in accordance with the measures established by applicable regulations ensuring an adequate level of protection for data subjects.

For information about guarantees regarding data transfer outside the EEA, data subjects can write to privacy@legami.com.

5. IS THERE AN AUTOMATED PROCESS?

Personal data will be subject to traditional manual, electronic and automated processing. It is specified that fully automated decision-making processes are not carried out.

6. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?

Data subjects can assert their rights as expressed in articles 15 et seq. GDPR, by contacting the DPO at the email address: dpo@legami.com or by contacting the Controller, writing to the contacts indicated above.

Your rights include:

  • Right of access (art. 15): request information about your personal data
  • Right of rectification (art. 16): correct inaccurate data
  • Right of erasure (art. 17): obtain data deletion
  • Right of restriction (art. 18): restrict processing
  • Right to data portability (art. 20): obtain data in structured format
  • Right to object (art. 21): object to processing based on legitimate interest
  • Right to withdraw consent: withdraw given consent

How to exercise your rights:

  • Direct marketing: use automatic unsubscribe systems (opt-out) in emails or by accessing your profile
  • Profiling: withdraw consent in your personal profile section
  • Opposition to legitimate interest: write to the contacts with subject "opposition"

Right to lodge a complaint: In case data subjects believe that the processing of personal data carried out by the Controller violates the provisions of Regulation (EU) 2016/679, they are free to lodge a complaint with the national supervisory authority, particularly in the Member State where they habitually reside or work, or in the place where the alleged violation of the Regulation occurred (Privacy Authority https://www.garanteprivacy.it/), or to resort to appropriate judicial venues.

7. CHANGES TO THE PRIVACY POLICY

The controller may change, modify, add or remove any part of this Privacy Policy. In order to facilitate verification of any changes, the policy will contain an indication of the date of update of the policy itself.

Last update: 09/09/2025