Privacy Policy

1. Data controller

Grandin Group srl
Via Sansonessa 39, 30021 Caorle (VE), Italy
VAT number: 03088090273
E-mail: acquisti@grandingroup.it
Telephone: +39 0421 81380
Data Protection Officer: Massimo Grandin

2. Personal data collected

In relation to the various processing purposes, we collect the following categories of personal data:

2.1 Buyer data (e-commerce and marketplace)

Through online sales platforms (Amazon, eBay, Temu) and our order management system, we collect:

  • Identification data: name, surname, company name
  • Contact details: email address, telephone number
  • Shipping information: full address (street, house number, postal code, city, province, country)
  • Tax information: VAT number, tax code (for B2B orders / invoicing only)
  • Order data: Order ID, products purchased, amount, purchase date, shipping status

2.2 Website visitor data

  • Browsing data: IP address, browser type, pages visited, usage data
  • Cookies and tracking: Google Analytics 4, Google Tag Manager (subject to consent)
  • Data provided voluntarily: emails and messages sent via contact form

3. Purpose and legal basis of the processing

| Purpose | Data used | Legal basis |
|---|---|---|
| Order fulfillment and shipping via GLS and SDA-Poste Italiane couriers | Name, full address, telephone number | Contract execution (GDPR art. 6.1.b) |
| Electronic invoicing and tax compliance | Name, address, VAT number, tax code | Legal obligation (GDPR art. 6.1.c) |
| Post-sales communications (tracking, assistance) | Email, order data | Contract execution (GDPR art. 6.1.b) |
| Inventory and pricing management on marketplaces | Order data (aggregated, no PII) | Legitimate interest (GDPR art. 6.1.f) |
| Website traffic analysis | Browsing data (anonymized) | Consent (GDPR art. 6.1.a) |

We do not use personal data for direct marketing, profiling, transfer to third parties, or sales.

4. Sources of personal data

The personal data of buyers comes exclusively from:

  • Amazon — via SP-API (Selling Partner API) from our authorized seller account
  • eBay — via Trading API from our seller account
  • Temu — via the seller interface
  • Website — data provided voluntarily by the user (contact form)

We do not purchase or receive data from aggregators, brokers, or third-party sources.

5. Recipients and data sharing

Personal data is not sold or shared for commercial purposes. It is disclosed exclusively to:

| Recipient | Purpose | Legal basis |
|---|---|---|
| GLS Italy (courier) | Parcel shipment - recipient name and address | Contract execution |
| SDA – Poste Italiane (courier) | Parcel shipment - recipient name and address | Contract execution |
| Revenue Agency / SDI | Mandatory electronic invoicing | Legal obligation |
| Kamatera (hosting provider) | Server infrastructure (does not access application data) | Legitimate interest |
| Iubenda (cookie policy) | Cookie consent management on the website | Consent |

No data is transferred outside the European Union. The server is located in Italy (Kamatera, IP 113.30.150.43).

6. Data retention

| Data type | Retention period | Reason |
|---|---|---|
| Order and invoice data | 10 years from the date of order | Italian tax obligation (Presidential Decree 600/1973, art. 22) |
| Shipping information (address, telephone number) | 10 years (included in tax documentation) | Tax obligation and proof of delivery |
| Buyer email | Duration of the commercial relationship + 2 years | After-sales assistance and legal guarantee |
| Browsing data (cookies, analytics) | 26 months (Google Analytics 4) | Website traffic analysis |
| Security log (audit log) | 12 months | Cybersecurity and compliance |

At the end of the retention period, the data is securely deleted by overwriting the database and rotating backups.

7. Data security

We adopt the following technical and organizational measures to protect personal data:

  • Encryption at rest: MariaDB database with AES-256 CBC tablespace encryption (InnoDB encryption)
  • Encryption in transit: HTTPS required with TLS 1.2+, Let's Encrypt certificate, HSTS enabled
  • Key management: encryption keys stored outside the web root with restrictive permissions (0600)
  • Access control: SSH authentication only with Ed25519 cryptographic key, Basic Auth on management interface, IP whitelist
  • Firewall and intrusion prevention: UFW with default-deny policy, Fail2ban on SSH and web
  • Audit log: each access to personal data is recorded with user, IP, timestamp and action
  • Security scans: automated monthly vulnerability scans (Lynis, RKHunter, Trivy)
  • Updates: operating system security patches applied automatically

8. Rights of the data subject

Pursuant to EU Regulation 2016/679 (GDPR), the data subject has the right to:

  • Access (art. 15) — obtain confirmation of the processing and a copy of the data
  • Rectification (art. 16) — correct inaccurate or incomplete data
  • Erasure (art. 17) — request the deletion of data, except for legal retention obligations
  • Restriction (art. 18) — limit processing in certain cases
  • Portability (art. 20) — receive data in a structured and readable format
  • Objection (art. 21) — object to processing for legitimate reasons

To exercise your rights, please contact:

E-mail: acquisti@grandingroup.it
Response time: within 30 days of receipt of the request

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it).

9. Cookies

The website uses technical cookies necessary for its operation and, with your consent, analytical cookies (Google Analytics 4). For more information, see the Cookie Policy.

10. Changes to the privacy policy

The Data Controller reserves the right to make changes to this privacy policy at any time. Changes will be posted on this page with the updated date indicated at the bottom. We recommend checking this page periodically.


Last updated: April 16, 2026