1. Data controller
Grandin Group srl
Via Sansonessa 39, 30021 Caorle (VE), Italy
VAT number: 03088090273
E-mail: acquisti@grandingroup.it
Telephone: +39 0421 81380
Data Protection Officer: Massimo Grandin
2. Personal data collected
In relation to the various processing purposes, we collect the following categories of personal data:
2.1 Buyer data (e-commerce and marketplace)
Through online sales platforms (Amazon, eBay, Temu) and our order management system, we collect:
- Identification data: name, surname, company name
- Contact details: email address, telephone number
- Shipping information: full address (street, house number, postal code, city, province, country)
- Tax information: VAT number, tax code (for B2B orders / invoicing only)
- Order data: Order ID, products purchased, amount, purchase date, shipping status
2.2 Website visitor data
- Browsing data: IP address, browser type, pages visited, usage data
- Cookies and tracking: Google Analytics 4, Google Tag Manager (subject to consent)
- Data provided voluntarily: emails and messages sent via contact form
3. Purpose and legal basis of the processing
| Purpose | Data used | Legal basis |
|---|---|---|
| Order fulfillment and shipping via GLS and SDA-Poste Italiane couriers | Name, full address, telephone number | Contract execution (GDPR art. 6.1.b) |
| Electronic invoicing and tax compliance | Name, address, VAT number, tax code | Legal obligation (GDPR art. 6.1.c) |
| Post-sales communications (tracking, assistance) | Email, order data | Contract execution (GDPR art. 6.1.b) |
| Inventory and pricing management on marketplaces | Order data (aggregated, no PII) | Legitimate interest (GDPR art. 6.1.f) |
| Website traffic analysis | Browsing data (anonymized) | Consent (GDPR art. 6.1.a) |
We do not use personal data for direct marketing, profiling, transfer to third parties, or sales.
4. Sources of personal data
The personal data of buyers comes exclusively from:
- Amazon — via SP-API (Selling Partner API) from our authorized seller account
- eBay — via Trading API from our seller account
- Temu — via the seller interface
- Website — data provided voluntarily by the user (contact form)
We do not purchase or receive data from aggregators, brokers, or third-party sources.
5. Recipients and data sharing
Personal data is not sold or shared for commercial purposes. It is communicated exclusively to:
| Recipient | Purpose | Legal basis |
|---|---|---|
| GLS Italy (courier) | Parcel shipment - recipient name and address | Contract execution |
| SDA – Poste Italiane (courier) | Parcel shipment - recipient name and address | Contract execution |
| Revenue Agency / SDI | Mandatory electronic invoicing | Legal obligation |
| Kamatera (hosting provider) | Server infrastructure — does not access application data | Legitimate interest |
| Iubenda (cookie policy) | Cookie consent management on the website | Consent |
No data is transferred outside the European Union. The server is located in Italy (Kamatera, IP 113.30.150.43).
6. Data retention
| Data type | Duration of storage | Motivation |
|---|---|---|
| Order and invoice data | 10 years from the date of order | Italian tax obligation (Presidential Decree 600/1973, art. 22) |
| Shipping information (address, telephone number) | 10 years (included in tax documentation) | Tax obligation and proof of delivery |
| Buyer Email | Duration of the commercial relationship + 2 years | After-sales assistance and legal guarantee |
| Browsing data (cookies, analytics) | 26 months (Google Analytics 4) | Website traffic analysis |
| Security log (audit log) | 12 months | Cybersecurity and compliance |
At the end of the retention period, the data is securely deleted: the records are overwritten in the database and the backups containing them are rotated out.
7. Data security
We adopt the following technical and organizational measures to protect personal data:
- Encryption at rest: MariaDB InnoDB tablespace encryption with AES-256 in CBC mode
- Encryption in transit: HTTPS required with TLS 1.2+, Let's Encrypt certificate, HSTS enabled
- Key Management: encryption keys stored outside the web root with restrictive permissions (0600)
- Access control: SSH authentication by Ed25519 key only (no password logins), HTTP Basic Auth on the management interface, IP allow-list
- Firewall and Intrusion Prevention: UFW with default-deny policy, Fail2ban on SSH and web
- Audit log: Each access to personal data is recorded with user, IP, timestamp and action
- Security scans: automated monthly host audits and vulnerability scans (Lynis, RKHunter, Trivy)
- Updates: operating system security patches applied automatically
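The following script is an added example, not the site's own configuration or code. It shows how the first and third measures above fit together on a MariaDB host: the encryption key is provisioned in a file outside the web root with mode 0600, a `[mariadb]` drop-in enables AES-CBC tablespace encryption through the file_key_management plugin, and a check function refuses any key file that is readable by others or does not hold a full 256-bit key. The paths `/etc/mysql/encryption/keyfile` and `/etc/mysql/mariadb.conf.d/60-encryption.cnf`, and the use of the file_key_management plugin rather than another key-management plugin, are assumptions.

```shell
#!/bin/sh
# Added example (not the site's own configuration): provision the key file for
# MariaDB's file_key_management plugin, write the drop-in that turns on AES-CBC
# InnoDB tablespace encryption, and check the key file before the server uses it.
# Assumed paths: /etc/mysql/encryption/keyfile, /etc/mysql/mariadb.conf.d/60-encryption.cnf
set -eu

# gen_keyfile PATH
# Writes a key file holding one 256-bit key (id 1) in the plugin's "<id>;<hex>" format.
# umask 077 in a subshell makes the file 0600 from the moment it is created, so it is
# never world-readable even briefly; chmod afterwards is belt and braces.
gen_keyfile() {
    keyfile=$1
    ( umask 077
      mkdir -p "$(dirname "$keyfile")"
      printf '1;%s\n' "$(openssl rand -hex 32)" > "$keyfile"   # 32 random bytes = AES-256 key
    )
    chmod 0600 "$keyfile"
}

# file_mode PATH: octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_keyfile PATH
# Returns 0 only if the file is non-empty, mode 0600, and every line is "<id>;<64 hex chars>".
# A short key, stray text, an empty file, or group/other read access all return 1.
check_keyfile() {
    keyfile=$1
    [ -s "$keyfile" ] || { echo "$keyfile: empty or missing" >&2; return 1; }
    mode=$(file_mode "$keyfile")
    [ "$mode" = "600" ] || { echo "$keyfile: mode $mode, expected 600" >&2; return 1; }
    # grep -v selects lines that do NOT match; any such line means a malformed key
    grep -Eqv '^[0-9]+;[0-9a-fA-F]{64}$' "$keyfile" && { echo "$keyfile: malformed key line" >&2; return 1; }
    return 0
}

# write_mariadb_conf CONF KEYFILE
# Drop-in enabling encryption at rest. innodb_encrypt_tables=FORCE also rejects
# CREATE TABLE ... ENCRYPTED=NO, so no tablespace can silently opt out.
# Logs, temp files, binlogs and Aria tables are covered too; otherwise plaintext
# copies of row data would still land on disk.
write_mariadb_conf() {
    cat > "$1" <<EOF
[mariadb]
plugin_load_add = file_key_management
file_key_management_filename = $2
# optional: wrap the key file itself with a passphrase kept elsewhere
# file_key_management_filekey = FILE:/root/.keyfile.secret
file_key_management_encryption_algorithm = AES_CBC
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encryption_threads = 4
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
EOF
}

# Run as root: sh encrypt-at-rest.sh provision ; then restart MariaDB and verify (see note below).
if [ "${1:-}" = "provision" ]; then
    gen_keyfile /etc/mysql/encryption/keyfile
    write_mariadb_conf /etc/mysql/mariadb.conf.d/60-encryption.cnf /etc/mysql/encryption/keyfile
    check_keyfile /etc/mysql/encryption/keyfile && echo "key file OK; restart mariadb and verify"
fi
```

After restarting the server, the claim in the policy can be verified rather than assumed: `SELECT NAME FROM information_schema.INNODB_TABLESPACES_ENCRYPTION WHERE ENCRYPTION_SCHEME = 0;` lists any tablespace that is still unencrypted and should return no rows. Note the threat model this control covers: the key file is the root of trust on the same host, so tablespace encryption protects against stolen disks, discarded volumes and leaked backups, not against an attacker who already has root on the server, which is why the SSH, firewall and audit-log measures above still matter.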
8. Rights of the data subject
Pursuant to EU Regulation 2016/679 (GDPR), the data subject has the right to:
- Access (art. 15) — obtain confirmation of the processing and a copy of the data
- Correction (art. 16) — correct inaccurate or incomplete data
- Erasure (art. 17) — request the deletion of data, except where a legal retention obligation applies
- Restriction (art. 18) — restrict processing in certain cases
- Portability (art. 20) — receive the data in a structured, commonly used and machine-readable format
- Objection (art. 21) — object to processing on legitimate grounds
To exercise your rights, please contact:
E-mail: acquisti@grandingroup.it
Response time: within 30 days of receipt of the request
The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it).
9. Cookies
The website uses technical cookies necessary for its operation and, with your consent, analytical cookies (Google Analytics 4). For more information, see the Cookie Policy.
10. Changes to the privacy policy
The Data Controller reserves the right to make changes to this privacy policy at any time. Changes will be posted on this page with the updated date indicated at the bottom. We recommend checking this page periodically.
Last updated: April 16, 2026