Pursuant to Article 13 of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), concerning the protection of natural persons with regard to the processing of personal data, we hereby inform you that the personal data you provide will be processed in compliance with the aforementioned regulation and the confidentiality obligations to which IMO S.p.A. is subject.

Data Controller

The Data Controller is IMO S.p.A., with registered office at Via Puccini, 1 – Milan (Italy), Tax Code/VAT No. 00714820156.

Purposes of Processing and Legal Basis

Your personal data are processed:

A) Without your explicit consent (Art. 6(1)(b), (c) GDPR), for the following Service Purposes:

• to allow registration on the Website, necessary for accessing and managing the services offered;
  
• to enable users to place product orders on the Website;
  
• to provide customer support and respond to inquiries related to purchased products;
  
• to fulfill pre-contractual, contractual, and tax obligations arising from orders;
  
• to send communications related to orders and shipments (e.g., order confirmation, shipping confirmation, service feedback requests);
  
• to comply with tax and accounting obligations;
  
• to comply with legal obligations, regulations, EU legislation, or orders from authorities (e.g., anti-money laundering requirements).
  

B) Only with your specific and explicit consent (Art. 6(1)(a) GDPR), for the following Marketing Purposes:

• to send newsletters, promotional communications, and advertising material via email, post, SMS, or phone calls regarding products or services offered by the Data Controller.
  

Please note that if you are already our customer, we may send you commercial communications related to products or services similar to those you have already purchased, unless you object (Art. 130 Italian Privacy Code).

Processing Methods and Data Retention

Your personal data are processed using the operations indicated in Article 4(2) GDPR, including collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, restriction, communication, deletion, and destruction.

Processing is carried out both in paper and electronic form.

• Data processed for Service Purposes (Section A) are retained for the duration of the contract and for an additional 10 years after its termination.
  
• Data processed for Marketing Purposes (Section B) are retained for 2 years, unless consent is withdrawn earlier.
  

Categories of Personal Data Processed

In addition to personal data provided directly by users (such as name, surname, postal address, email address, delivery date and time), the IT systems and software procedures used to operate the Website automatically and indirectly acquire certain personal data during normal operation.

This includes:

• IP addresses or domain names of users’ devices;
  
• URI (Uniform Resource Identifier) addresses of requested resources;
  
• time of request;
  
• method used to submit the request to the server;
  
• size of the file obtained in response;
  
• numerical code indicating the status of the server response;
  
• other parameters relating to the user’s operating system and IT environment.
  

Scope of Communication and Disclosure

Personal data provided directly by users through online forms will not be disclosed or communicated to third parties, except where necessary, including:

• entities authorized by law or by orders of competent authorities;
  
• entities required for fulfilling tax or administrative obligations;
  
• entities necessary for the performance of the contract (e.g., order fulfillment, payment processing, credit card management, debt collection, website and e-commerce platform operation, support services, marketing activities, website development, email delivery services);
  
• employees, collaborators, and internal data processors of the Data Controller (if appointed);
  
• the e-commerce platform provider.
  

Data Subject Rights

You have the right to exercise the rights provided by the GDPR, including:

• access your personal data and obtain information about purposes, categories, recipients, retention period, profiling, and automated decision-making;
  
• request rectification of inaccurate data or deletion of your personal data without undue delay;
  
• request restriction of processing;
  
• object, in whole or in part, to the processing of your personal data for legitimate reasons;
  
• request data portability, receiving your data in a structured, commonly used, and machine-readable format, and transmit them to another controller;
  
• lodge a complaint with the competent supervisory authority (Italian Data Protection Authority – Garante per la Protezione dei Dati Personali).
  

How to Exercise Your Rights

You may exercise your rights by sending a written request to:

IMO S.p.A.

Via Firenze, 34 – 20060 Trezzano Rosa (MI), Italy

Email: imo@imospa.it

Certified Email (PEC): imo@pec.imospa.it

Last updated: November 25, 2025