We process personal data of our customers and suppliers in connection with the management of active and passive electronic invoices and the maintenance of corporate accounting records containing personal data (VAT registers, general ledger, inventory book, auxiliary ledgers).

• First name and last name
• Tax residence
• Tax code
• VAT number
• SDI code
• Tax regime
• Payments made and received
• Credits and debts
• Products and/or services purchased and/or sold

• Keeping of accounting records
• Tax and accounting compliance

Legal obligation (Art. 6(c) GDPR) with respect to tax and accounting requirements.

We may disclose the data to the following processors:

• Huroos S.r.l. (software house)
• Professionisti Associati Prato (accountants)
• Google Ireland Ltd. (workspace services)
• Odoo SA (software house)

We may also disclose the data to the following categories of third parties:

• Lawyers (in case of disputes and debt recovery)
• Statutory auditors
• Revenue Agency
• Financial Police (in case of inspections)

The use of Google Workspace services, in particular email, calendars and storage via Google Drive, may involve the transfer of data to the USA.

Data are transferred on the basis of the Standard Contractual Clauses included in the DPA with Google. Google has obtained EU-US DPF certification, pursuant to an adequacy decision of the European Commission.

Odoo uses subprocessors located in the USA. Odoo contractually commits to transfer data to the United States only on the basis of Standard Contractual Clauses and/or the subprocessors’ adherence to the EU-US DPF.

Administrative data are retained for 10 years under Article 2220 of the Italian Civil Code.

Customer master data are retained for 10 years from the end of the last contract with the customer.

Providing this data is mandatory. Without the requested personal data, it is not possible to enter into and perform contracts with customers.

We process customers’ personal data in connection with administrative and contract management activities. In particular, we carry out: registration of master data; management of the customer database; archiving of invoices issued to customers and payment processing; management of communications with customers via available channels (postal mail, email, telephone).

• First name and last name
• Residential address
• Business address
• Tax code
• VAT number
• Age and date of birth
• Email
• Phone number
• Purchase history
• Payment method
• Bank details
• Language spoken
• Shipping address
• Country of origin

• Management of customer relationships
• Service communications
• Payment processing

Performance of a contract or pre-contractual measures (Art. 6(b) GDPR).

We may disclose the data to the following processors:

• Huroos S.r.l. (software house)
• Google Ireland Ltd. (workspace services)
• Odoo SA (software house)
• Professionisti Associati Prato (accountants)

We may also disclose the data to the following categories of third parties:

• Lawyers (in case of disputes and debt recovery)
• Statutory auditors
• Revenue Agency
• Financial Police (in case of inspections)

The use of Google Workspace services, in particular email, calendars and storage via Google Drive, may involve the transfer of data to the USA.

Data are transferred on the basis of the Standard Contractual Clauses included in the DPA with Google. Google has obtained EU-US DPF certification, pursuant to an adequacy decision of the European Commission.

Odoo uses subprocessors located in the USA. Odoo contractually commits to transfer data to the United States only on the basis of Standard Contractual Clauses and/or the subprocessors’ adherence to the EU-US DPF.

Accounting and tax data are retained for 10 years pursuant to Article 2220 of the Italian Civil Code.

Providing this data is mandatory. Without the requested personal data, it is not possible to enter into and perform contracts with customers and suppliers.

We collect and use customers’ personal data to process purchases made through our online platform. Processing includes order registration, payment processing, invoicing, order preparation and shipment, as well as handling returns and after-sales support. Data are processed to ensure proper performance of the sales contract, fulfil tax and accounting obligations, and improve the customer’s shopping experience.

• First name and last name
• Email
• Phone number
• Delivery address
• Billing address
• Tax code or VAT number
• Payment method
• Order details
• Service communications

• Process and manage orders placed via the e-commerce platform
• Provide order confirmation, shipping updates and post-sale support
• Handle payments, invoicing and returns
• Comply with legal and tax obligations relating to online transactions

Performance of a contract or pre-contractual measures (Art. 6(b) GDPR) for purposes 1–3.

Legal obligation regarding tax and accounting (Art. 6(c) GDPR) for purpose 4.

We may disclose the data to the following processors:

• Huroos S.r.l. (software house)
• Odoo SA (software house)
• Shopify Inc. (e-commerce platform)

We may also disclose the data to the following categories of third parties:

• Couriers and logistics companies
• Payment service providers

Data processed via Shopify are transferred to Canada.

Canada is subject to the European Commission’s adequacy decision of 20/12/2021.

Odoo uses subprocessors located in the USA. Odoo contractually commits to transfer data to the United States only on the basis of Standard Contractual Clauses and/or the subprocessors’ adherence to the EU-US DPF.

Online transaction data are retained for 10 years from the date of the transaction.

Processing is mandatory. Without the requested data, it is not possible to execute purchase orders.

We collect and use users’ personal data to provide support and assistance regarding inquiries, orders, complaints and returns. Processing includes handling communications via email, chat, chatbot or telephone, reviewing order history and resolving technical or logistical issues. Data are processed to ensure efficient service and improve the customer experience.

• First name and last name
• Email
• Phone number
• Subject of the inquiry
• Purchases made

• Provide pre- and post-sale assistance to customers
• Respond to information requests, technical support, complaints and returns

Performance of a contract (Art. 6(b) GDPR).

We may disclose the data to the following processors:

• Huroos S.r.l. (software house)
• Odoo SA (software house)
• Shopify Inc. (e-commerce platform)
• Gorgias Inc. (help desk services)
• Google Ireland Ltd. (workspace services)

Data processed via Shopify are transferred to Canada.

Canada is subject to the European Commission’s adequacy decision of 20/12/2021.

Data processed via Gmail, Odoo and Gorgias may be transferred to the USA.

Transfers to Google are based on Standard Contractual Clauses and Google’s adherence to the EU-US DPF.

Transfers to Gorgias are based on Standard Contractual Clauses.

Odoo contractually commits to transfer data to the United States only on the basis of Standard Contractual Clauses and/or the subprocessors’ adherence to the EU-US DPF.

Data collected for Customer Service purposes may be retained for up to 10 years from the date of collection.

Processing is mandatory. Without the requested data, it is not possible to respond to Customer Service requests.

We invite customers to hand in wool, cashmere and denim garments that are no longer used, in order to regenerate them into new sustainable products. Customers can participate by dropping off items at designated collection points or scheduling a home pick-up. In exchange, they receive a discount to use on future purchases. During this process, Rifò collects and manages the personal data necessary to organize logistics, communicate with participants and promote circular economy practices, always ensuring protection and confidentiality of the information provided.

• First name and last name
• Email
• Items to be recycled
• Pickup address

• Manage used garment collection
• Handle logistics
• Communicate with initiative participants

Performance of a contract or pre-contractual measures (Art. 6(b) GDPR).

We may disclose the data to the following processors:

• Huroos S.r.l. (software house)
• Odoo SA (software house)
• Typeform S.L. (form management)

We may also disclose the data to the following categories of recipients:

• Couriers and logistics companies

Odoo and Typeform use subprocessors located in the United States.

Odoo and Typeform contractually commit to transfer data to the United States only on the basis of Standard Contractual Clauses and/or the subprocessors’ adherence to the EU-US Data Privacy Framework.

Data relating to used garment transactions are retained for 10 years.

Provision of this data is mandatory. Without it, it is not possible to fulfill the request for used garment collection.

We collect leads of potential customers through online form completion. Access to the forms can be via web or by using QR codes located in stores partnering with Rifò.

• First name and last name
• Email
• Interaction data (form access method)
• Form content (e.g., requests, interest in particular products, etc.)

• Collect leads of potential customers
• Contact users to provide information on products, offers and initiatives
• Respond to user inquiries

Performance of a contract or pre-contractual measures (Art. 6(b) GDPR) for purposes 1 and 2.

Consent (Art. 6(a) GDPR) for purpose 3.

We may disclose the data to the following processor:

• Typeform S.L. (form management)

Typeform uses subprocessors processing data in the United States.

Typeform has committed in its Data Processing Agreement to transfer data only on the basis of Standard Contractual Clauses or adequacy decisions.

If consent has been obtained for marketing purposes, the data may be processed for 24 months from the date consent was given.

If data are used to respond to a user request, they are retained only as long as necessary to address that request.

Processing of these data is optional and does not affect users’ ability to purchase products or use related services.

You may withdraw consent at any time by following the instructions provided in the first layer of this notice.

We collect and use personal data of users to send automated communications, including welcome emails, promotional messages, abandoned cart recovery emails, post-purchase follow-ups and re-engagement campaigns, to improve the customer experience, encourage purchases and foster loyalty. In addition to email, we also use SMS and WhatsApp messages.

• Name or nickname
• Email
• Phone number
• Link click tracking
• Email opens
• Email read time
• Reviews and feedback
• Purchases made
• Initiated purchase processes

• Remind users of items left in their cart
• Send follow-up emails to evaluate the purchase experience and gather reviews
• Send promotional emails for products related to previous purchases (soft spam)
• Send re-engagement emails to inactive customers
• Communicate offers and promotions

Legitimate interest in sending transactional emails related to a purchase process initiated or completed, and evaluating service quality (Art. 6(f) GDPR) for purposes 1 and 2.

Legitimate interest recognized under Art. 130(4) of Italian Legislative Decree 196/03 for sending soft spam communications for purpose 3.

Consent (Art. 6(a) GDPR) for purposes 4 and 5.

We may disclose the data to the following processors:

• Klaviyo Inc. (marketing platform)
• Huroos S.r.l. (software house)
• Odoo SA (software house)
• Shopify Inc. (e-commerce platform)

The use of Klaviyo for sending and managing newsletters involves data transfers to the United States. Data processed via Shopify are transferred to Canada.

For Klaviyo, data are transferred based on Standard Contractual Clauses in the DPA. Klaviyo has also obtained EU-US DPF certification under the European Commission’s adequacy decision.

Canada is subject to the European Commission’s adequacy decision of 20/12/2021.

Odoo uses subprocessors located in the USA. Odoo commits contractually to transfer data to the United States only on the basis of Standard Contractual Clauses and/or the subprocessors’ adherence to the EU-US DPF.

Data processing is carried out for 24 months from obtaining consent or from the last purchase (for soft spam communications).

Transactional emails related to cart abandonment and feedback collection may be sent within 7 days following purchase or abandonment.

Processing of these data is optional and does not affect users’ ability to purchase products or use related services.

You may withdraw consent at any time and object to processing based on legitimate interest, following the instructions provided in the first layer of this notice.

We collect and use personal data of newsletter subscribers to send commercial communications and provide information about our activities, such as offers, promotions, events, etc.

• Name or nickname
• Email
• Link click tracking
• Newsletter opens
• Newsletter read time

• Promote products or services
• Foster customer loyalty
• Inform about events and other activities of the data controller
• Communicate offers or promotions

Consent (Art. 6(a) GDPR) to receive newsletters or marketing communications via email.

We may disclose the data to the following processors:

• Klaviyo Inc. (marketing platform)
• Huroos S.r.l. (software house)
• Odoo SA (software house)

The use of Klaviyo for sending and managing newsletters involves data transfers to the United States.

Data are transferred on the basis of Standard Contractual Clauses in the DPA. Klaviyo has obtained EU-US DPF certification under the European Commission’s adequacy decision.

Odoo uses subprocessors located in the USA. Odoo commits contractually to transfer data to the United States only on the basis of Standard Contractual Clauses and/or the subprocessors’ adherence to the EU-US DPF.

We collect and use personal data of event participants to manage registration, communication, and execution of the event. Data processed may include personal and contact information and, where necessary, logistical or dietary preferences. Processing aims to ensure proper event organization, provide updates, manage security, and, where applicable, collect post-event feedback. At events, videos and photographs may be taken for online publication.

• First name and last name
• Email
• Phone number
• Logistical or dietary preferences (if any)
• Media (photos and videos captured during events)
• Event participation

• Manage event registration and execution
• Publish event photographs and videos
• Collect leads of potential B2B customers and commercial partners

Performance of a contract for purpose 1 and necessity of pre-contractual measures for purpose 3 (Art. 6(b) GDPR).

Legitimate interest to publish event media (Art. 6(f) GDPR) for purpose 2.

Consent (Art. 6(a) GDPR) for purpose 2 when media depict individuals in close-up.

We may disclose the data to the following processor:

• Eventbrite Inc. (event organization platform)

The use of Eventbrite for managing event registrations involves data transfers to the United States.

Data are transferred on the basis of Standard Contractual Clauses in the DPA with Eventbrite.

Eventbrite has obtained EU-US DPF certification under the European Commission’s adequacy decision.

Event registration data are retained for 2 years from the date of the event, to allow communications regarding future editions or related initiatives.

Media from events may remain published indefinitely until data subjects request removal.

Processing of personal and contact data is necessary to enable registration.

You may refuse consent to close-up images without affecting event participation.

You may object to the collection and use of event images depicting you. In that case, the controller will evaluate the reasons case-by-case. If the controller demonstrates overriding legitimate interest, objection may prevent participation.

You may withdraw consent at any time and object to processing based on legitimate interest, following the instructions provided in the first layer of this notice.

We collect and analyze users’ personal data to outline statistical profiles and create a representation of the “typical customer” (personas), without directly influencing individual purchasing choices or sending personalized advertising. This processing aims to better understand users’ characteristics, needs and behaviors to optimize products, services and business strategies.

We may also use the profiles for aggregated segmentation, dividing users into homogeneous groups based on parameters such as age, location, usage habits or declared preferences. The data are used for market analysis, improving user experience and developing new products or services.

This processing does not qualify as profiling, as it is not intended to influence an individual user’s purchasing decisions but only to analyze data in aggregate form.

• Name or nickname
• Email
• Link click tracking
• Email opens
• Time spent reading emails
• Reviews and feedback
• Purchases made
• Interests and purchasing habits
• Age
• Gender
• Preferred language
• Geographical origin
• Responses to surveys or questionnaires
• Product feedback

• Define a “typical customer” (personas)
• Segment the customer base into homogeneous groups
• Optimize product and service offerings
• Enhance user experience
• Conduct market analysis

Legitimate interest in analyzing the customer target (Art. 6(f) GDPR).

We may disclose the data to the following processor:

• Klaviyo Inc. (marketing platform)

The use of Klaviyo involves data transfers to the United States.

Data are transferred on the basis of Standard Contractual Clauses included in the DPA. Klaviyo has also obtained EU-US Data Privacy Framework certification under an adequacy decision of the European Commission.

Data are retained for 24 months from the user’s last interaction.

Processing is optional.

You may object to the processing of these data without affecting your ability to purchase products or use our services, by following the instructions provided in the first layer of this notice.