This information notice is provided to users who make purchases on, pursuant to article 13 of European Regulation (EU) 2016/679 regarding personal data protection (GDPR).

Data controller

The Data Controller (hereinafter the "Controller") is the company Ciro Paone Spa, with headquarters at Via San Pasquale a Chiaia, 83, Naples, Italy.

Type of data processed

In order to use the e-commerce service and purchase products on our online store, Users must fill in the payment form and, based on the delivery option chosen, the shipping form and billing form.

The Controller collects and processes the following categories of personal data via such forms:

  • Identifying, personal and contact details such as: name, surname, billing address, shipping address for the products purchased, city, post code, email address, telephone number, and any delivery notes;
  • Payment information: card number, expiry date, security code, and the name and surname of the card holder. Such data is encrypted to guarantee secure transactions.

Purpose and legal basis for processing

The Controller collects such data for the following purposes:

  1. Contractual relationship management: including opening customer files, administrative order management, billing and shipping and/or delivery of the products, to respond to any information requests and manage debt collection; the legal basis for such processing is the fulfilment of the contract/service requested by the interested party [article 6, para. 1, letter b of the GDPR].
  2. Fulfilment of legal obligations related to the contract; the legal basis for such processing is the fulfilment of the obligations set down by law or by community legislations [article 6, para. 1, letter c of the GDPR].
  3. Protection of rights: in the event of disputes or complaints; the legal basis for such processing is the legitimate interest of the Controller to have their rights protected [article 6, para. 1, letter f, of the GDPR].
  4. Statistical analysis: based on anonymous sales performance data; the legal basis for such processing is the legitimate interest of the Controller [article 6, para. 1, letter f, of the GDPR].
  5. Marketing: Subject to your express and freely-given consent, granted by placing the flag in the corresponding box on the Contact details form, your personal data is used to send sales and/or promotional information, to send advertising material and/or conduct direct selling or sales communications about Ciro Paone S.p.A. services and other activities, or to carry out market research using automated contact means (for example, email and SMS). The legal basis for such processing is therefore your consent [article 6, para. 1, letter a) of the GDPR]. This consent may be withdrawn at any time by writing to .
  6. Fraud prevention. Fraud prevention: the legal basis for such processing is the legitimate interest of the Controller [article 6, para. 1, letter f, of the GDPR]. After a certain number of unsuccessful payment attempts, the card number or IP address may be automatically blocked for a short period of time. This will be performed using an automated system managed exclusively by the Service Provider (Shopify), in its independent capacity as data controller. Please note that the Controller does not have access to such data.

The provision of data that is not expressly identified as being "optional" when filling out the form and the personal data related to the purchase is required to complete the sales contract and carry out the subsequent shipping and billing. In the event that such data is not provided, it will not be possible to complete the online purchase of our products. The provision of data for marketing purposes, however, is optional and, as outlined above, consent for such purposes may be withdrawn at any time.

Processing methods

Your personal data will be processed using electronic instruments, including automated means, in compliance with the principles of lawfulness, necessity and relevance, while implementing safeguards aimed at identifying suitable security measures at all stages of processing, with regard to the specific processing purposes. The Controller does not carry out any processing that entails automated decision-making on the data of the users who interact with this website to use this service. Please note that the Service Provider (Shopify), in its independent capacity as data controller and which manages the payment service, uses an automated control system in order to prevent fraud, as described in letter f), above. For more information, please consult the Shopify privacy policy


Data storage period

Users' personal data is kept for the time period strictly necessary to fulfil the purposes outlined above, in compliance with civil and fiscal obligations concerning storage and the limits provided by law. In any case, once the ten-year limitation (article 2946 of the Italian Civil Code; article 8, Law no. 212, 27 July 2000) and the obligatory storage period - also ten years - for accounting records (article 2220 of the Italian Civil Code) have passed and the requirement for the Controller to keep the information for possible tax audits no longer exists, the data will be destroyed, cancelled or converted into an unintelligible form, provided that there are no other requirements that justify their conservation (e.g. pending legal disputes).

For profiling or marketing purposes to which the data subject has given their consent by selecting the flag provided on the forms found on the website, the personal and contact information will be kept for 24 months, at the end of which time the Controller reserves the right to request that the data subject give their consent again.

Communication and dissemination of data

Your personal data will be processed by the staff of the company Ciro Paone S.p.A, who have been duly trained for this purpose and authorised for data processing.

Always in keeping with the limits that are strictly necessary in order to pursue the aforementioned purposes, your personal data may be processed by third parties (for example, companies specialising in website management and maintenance, shipping companies, companies specialising in electronic communication services management etc.) operating in accordance with the Controller's directives and who, to this end, are designated as data processors via specific agreements (known as Data Processing Agreements or DPAs) established pursuant to article 28 of the GDPR.

Lastly, your personal data may be communicated to parties who are legitimately entitled to access it due to legal provisions, regulations or community legislation.

Further information concerning the names of the individual third-party companies can be obtained by writing to

Your personal data will not be disseminated, or be disclosed to unspecified parties.

Transfer of data

Personal data will be managed and stored on the servers of the Controller and of a third-party company assigned to manage the e-commerce platform which has been duly appointed as Data Processor, located within the European Union, and therefore in compliance with the provisions of articles 45 et seq. of the GDPR. The servers are currently located within the European Union and in Canada, a country which is deemed "adequate" under the GDPR by the European Commission (2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act). In any event, it remains understood that were it to become necessary to carry out further transfers outside of the EU, this transfer would always occur in compliance with articles 45 et seq. of the GDPR, by signing agreements that guarantee an adequate level of protection and/or implementing the standard contractual clauses provided by the European Commission, where necessary.

Rights of the interested party

As the interested party, pursuant to articles 15 et seq. of the GDPR, the User may exercise their rights, at any time, including the right to access their personal data, the right to request their rectification and cancellation, or to limit or oppose their processing at any time, as well as the right to data portability where the relevant conditions are met.

Furthermore, in the event that you receive no response or an incomplete response from the Controller regarding the aforementioned requests, you will be entitled to submit a complaint to the Data Protection Authority or the competent Judicial Authority, within the terms and methods provided by Regulation EU 2016/679 (GDPR) and current national legislation.

Methods for exercising your rights

Requests regarding exercising the aforementioned rights should be sent to