Luna SRL

Information pursuant to Article 13 of Regulation (EU) No. 679/2016 (“GDPR”)

Luna SRL protects the confidentiality of personal data and ensures the necessary protection against any event that could put them at risk of violation.

As required by European Union Regulation No. 679/2016 (“GDPR”), and in particular Article 13, the following information is provided to the user (“Data Subject”) regarding the processing of their personal data.

SECTION I

Who we are and what data we process (Article 13, 1st paragraph, letter a, Article 15, letter b GDPR)

Luna SRL, represented by its legal representative, with registered office at Via Alfredo Calzoni 1/3 – 40128 Bologna (BO), operates as the Data Controller and can be contacted at info@lunaflpartner.it. It collects and/or receives information related to the Data Subject, such as:

Category of Data	Exemplification of data types
Personal data	first name, last name, physical address, nationality, province and municipality of residence, landline and/or mobile phone, fax, tax code, email address
Telematic traffic data	Logs, originating IP address.

Luna SRL does not require the Data Subject to provide so-called ‘special categories of data,’ meaning personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a person, health data, or data concerning the sexual life or sexual orientation of the individual. If the service requested from Luna SRL involves the processing of such data, the Data Subject will be provided with a specific notice in advance, and their explicit consent will be required.

SECTION II

For what purposes do we need the Data Subject’s data (Article 13, 1st paragraph GDPR)?

The data are needed by the Data Controller to process the registration request and the contract for the provision of the chosen Service and/or purchased Product, manage and fulfill the contact requests submitted by the Data Subject, provide assistance, and comply with the legal and regulatory obligations to which the Data Controller is subject based on the activity carried out. Under no circumstances will Luna SRL sell the Data Subject’s personal data to third parties or use them for undisclosed purposes.

In particular, the Data Subject’s data will be processed for:

a) registration and contact requests and/or requests for informational material.

The processing of the Data Subject’s personal data is carried out to perform the preliminary activities related to the registration request, the management of information and contact requests, and/or the sending of informational material, as well as to fulfill any other related obligations.

The legal basis for such processing is the fulfillment of services related to the registration request, information and contact requests, and/or the sending of informational material, as well as compliance with legal obligations.

b)the management of the contractual relationship

The processing of the Data Subject’s personal data is carried out to perform the preliminary and subsequent activities related to the purchase of a Service and/or Product, the management of the corresponding order, the provision of the Service itself and/or the production and/or shipment of the purchased Product, the related invoicing and payment management, the handling of complaints and/or reports to the customer service, and the provision of assistance, the prevention of fraud, as well as the fulfillment of any other obligation arising from the contract.

The legal basis for such processing is the fulfillment of services related to the contractual relationship and compliance with legal obligations.

c) Promotional activities on Services/Products similar to those purchased by the Data Subject (Recital 47 GDPR).

The Data Controller, even without your explicit consent, may use the contact data provided by the Data Subject for direct sales of its own Services/Products, limited to cases where the Services/Products are similar to those subject to the sale, unless the Data Subject explicitly objects.

d) Commercial promotional activities on Services/Products different from those purchased by the Data Subject.

The Data Subject’s personal data may also be processed for commercial promotion purposes, market research, and surveys regarding Services/Products offered by the Data Controller, only if the Data Subject has authorized the processing and does not object to it.

Such processing may occur, in an automated manner, through the following means:

• email;
• SMS;
• telephone contact.

This processing can take place:

1. if the Data Subject has not revoked their consent for the use of the data;
2. if, in the case of processing via telephone contact, the Data Subject is not registered in the opposition register pursuant to Presidential Decree No. 178/2010.

The legal basis for such processing is the consent given by the Data Subject prior to the processing, which can be freely revoked by the Data Subject at any time (see Section III).

e) cybersecurity

The Data Controller, in line with the provisions of Recital 49 of the GDPR, processes the Data Subject’s personal data related to traffic, also through its suppliers (third parties and/or recipients), to the extent strictly necessary and proportionate to ensure the security of networks and information, meaning the ability of a network or information system to withstand, at a given level of security, unforeseen events or illegal or malicious acts that compromise the availability, authenticity, integrity, and confidentiality of personal data stored or transmitted.

The Data Controller will promptly inform the Data Subjects if there is a particular risk of breach of their data, subject to the obligations set out in Article 33 of the GDPR regarding personal data breach notifications.

The legal basis for such processing is compliance with legal obligations and the legitimate interest of the Data Controller in conducting processing related to the protection of the company’s assets and the security of the premises and systems of Luna SRL.

f) profiling

The Data Subject’s personal data may also be processed for profiling purposes (such as analyzing the data transmitted and the chosen Services/Products, and offering advertisements and/or commercial proposals in line with the preferences expressed by the users themselves) exclusively if the Data Subject has provided explicit and informed consent.

The legal basis for such processing is the consent given by the Data Subject prior to the processing, which can be freely revoked by the Data Subject at any time (see Section III).

g) fraud prevention (Recital 47 and Article 22 GDPR)

The Data Subject’s personal data, excluding special categories of data (Article 9 GDPR) or judicial data (Article 10 GDPR), will be processed to allow checks for monitoring and preventing fraudulent payments, by software systems that conduct an automated verification prior to the negotiation of Services/Products.

If these checks result in a negative outcome, the transaction will not be possible; however, the Data Subject may express their opinion, obtain an explanation, or challenge the decision by providing their reasons to the Customer Service or by contacting info@lunaflpartner.it.

Personal data collected solely for anti-fraud purposes, unlike data necessary for the correct execution of the requested service, will be immediately deleted at the end of the control process.

h) the protection of minors

The Services/Products offered by the Data Controller are reserved for individuals who are legally capable, under the applicable national laws, of entering into contractual obligations.

The Data Controller, in order to prevent unauthorized access to its services, implements preventative measures to protect its legitimate interest, such as verifying the tax code and/or conducting other checks when necessary for specific Services/Products, and ensuring the accuracy of the identifying data on identity documents issued by the competent authorities.

Communication to third parties and categories of recipients (Article 13, 1st paragraph GDPR)

The communication of the Data Subject’s personal data mainly occurs with third parties and/or recipients whose activities are necessary for carrying out the tasks related to the established relationship and to comply with certain legal obligations, such as:

Categories of recipients	Objectives
Third-party suppliers and companies of Luna SRL*	Provision of services (assistance, maintenance, delivery/shipping of products, provision of additional services, network and electronic communication services providers) related to the requested service
Credit institutions and digital payment institutions, banking/postal institutions	Management of collections, payments, refunds related to the contractual performance
External professionals/consultants and consulting companies.	Compliance with legal obligations, exercise of rights, protection of contractual rights, debt collection
Tax authorities, public entities, judiciary authorities, supervisory and regulatory authorities	Compliance with legal obligations, defense of rights; lists and registers maintained by public authorities or similar entities pursuant to specific legislation, in relation to the contractual performance.
Formally delegated parties or those with recognized legal entitlement	Legal representatives, curators, guardians, etc.

The Data Controller requires third-party suppliers and Data Processors to comply with security measures equivalent to those applied to the Data Subject, limiting the scope of the Data Processor’s actions to processes related to the requested service.

The Data Controller does not transfer your personal data to countries outside the EU where the GDPR is not applied (non-EU countries) unless specifically stated otherwise, in which case you will be informed in advance and, if necessary, your consent will be requested.

The legal basis for such processing is the fulfillment of the performance related to the established relationship, compliance with legal obligations, and the legitimate interest of Luna SRL in carrying out processing necessary for these purposes.

SECTION III

What happens if the Data Subject does not provide the data identified as necessary for the execution of the requested service? (Art. 13, 2nd paragraph, letter e GDPR)

The collection and processing of personal data is necessary to fulfill the requested services and/or to provide the requested product. If the Data Subject does not provide the personal data expressly required in the order form or registration form, the Data Controller will not be able to proceed with the processing related to managing the requested services and/or the contract and the associated services/products, nor with the compliance obligations dependent on them

What happens if the Data Subject does not give consent to the processing of personal data for commercial promotion activities on Services/Products different from those purchased?

If the Data Subject does not give consent to the processing of personal data for such purposes, the processing will not take place for those purposes, without affecting the provision of the requested services or any purposes for which the Data Subject has already given consent, if required.

If the Data Subject has given consent and later withdraws it or objects to the processing for commercial promotional activities, their data will no longer be processed for those activities, without any consequences or adverse effects on the Data Subject or the requested services.

How we process the Data Subject’s data (Art. 32 GDPR)

The Data Controller implements appropriate security measures to preserve the confidentiality, integrity, and availability of the Data Subject’s personal data and requires third-party suppliers and processors to adopt similar security measures.

Where we process the Data Subject’s data

The Data Subject’s personal data are stored in paper, digital, and electronic archives located in countries where the GDPR is applied (EU countries).

For how long is the Data Subject’s data retained? (Article 13, 2nd paragraph, letter a GDPR)

Unless the Data Subject explicitly expresses their wish to have the data removed, the personal data of the Data Subject will be retained as long as necessary to fulfill the legitimate purposes for which they were collected.

In particular, the data will be retained for the entire duration of the Data Subject’s registration and, in any case, for no more than a maximum period of 12 (twelve) months of inactivity, or if no Services and/or Products have been associated with the registration within this period.

In the case of data provided to the Data Controller for promotional purposes regarding services different from those already acquired by the Data Subject, for which they initially gave consent, this data will be retained for 24 months, unless the consent is revoked.

For data provided for profiling purposes, this data will be retained for 12 months, unless consent is revoked.

Additionally, if a user submits personal data to Luna SRL that was not requested or is unnecessary for the execution of the requested service or a service directly related to it, Luna SRL will not be considered the controller of this data and will proceed to delete it as soon as possible.

Regardless of the Data Subject’s decision to remove their data, personal data will in any case be retained according to the time limits provided by applicable laws and/or national regulations, exclusively for the purpose of ensuring compliance with specific requirements related to certain services (such as Certified Email, Digital Signature, Legal Archiving – refer to the relevant section).

Furthermore, personal data will be retained for the fulfillment of legal obligations (e.g., fiscal and accounting obligations) that may persist even after the contract has ended (Art. 2220 of the Italian Civil Code); for such purposes, the Data Controller will only retain the data necessary for those specific obligations.

The data will also be retained if the rights arising from the contract and/or registration need to be enforced in court. In such cases, the personal data of the Data Subject, limited to what is necessary for these purposes, will be processed for the time required to pursue those claims.

What are the rights of the Data Subject? (Articles 15 – 20 GDPR)

The Data Subject has the right to obtain from the Data Controller the following:

a) Confirmation as to whether or not personal data concerning them are being processed, and, if so, to obtain access to the personal data and the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right of the data subject to request from the Data Controller the rectification or erasure of personal data, or the restriction of processing of personal data concerning them, or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the data were not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the logic involved, as well as the significance and consequences of such processing for the data subject.
9. the appropriate safeguards provided by the third country (non-EU) or an international organization to protect any personal data transferred.

b) The right to obtain a copy of the personal data undergoing processing, provided that this right does not infringe upon the rights and freedoms of others; In the case of additional copies requested by the data subject, the Data Controller may charge a reasonable administrative fee based on the costs involved.

c) The right to obtain from the Data Controller the rectification of inaccurate personal data concerning them, without undue delay.

d) The right to obtain from the Data Controller the erasure of personal data concerning them, without undue delay, if one of the reasons provided for by Article 17 of the GDPR applies, such as when the data are no longer necessary for the purposes of processing, or if the processing is deemed unlawful, and always if the conditions for erasure provided by law are met; and in any case, if the processing is not justified by another equally legitimate reason.

e) The right to obtain from the Data Controller the restriction of processing, in the cases provided for in Article 18 of the GDPR, such as when the accuracy of the data is contested, for the period necessary for the Controller to verify its accuracy. The Data Subject must be informed in due time when the suspension period has ended or the cause of the restriction of processing has ceased, and the restriction will then be lifted.

f) The right to be informed by the Controller of the recipients to whom the rectifications, erasures, or restrictions on processing have been communicated, unless this proves impossible or involves disproportionate effort.

g) The right to receive the personal data concerning them in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller without hindrance from the Controller to whom the data have been provided, in the cases provided for in Article 20 of the GDPR, and the right to obtain the direct transmission of personal data from one Controller to another, where technically feasible.

For further information or to submit your request, you should contact the Data Controller at the address info@lunaflpartner.it. In order to ensure that the above-mentioned rights are exercised by the Data Subject and not by unauthorized third parties, the Data Controller may request additional information to verify the identity of the Data Subject.

How and when can the Data Subject object to the processing of their personal data? (Article 21 GDPR)

For reasons related to the particular situation of the Data Subject, they have the right to object at any time to the processing of their personal data if it is based on legitimate interest or if it is carried out for direct marketing purposes, by sending a request to the Data Controller at info@lunaflpartner.it.

The Data Subject has the right to request the deletion of their personal data if there is no overriding legitimate reason for the Data Controller to retain the data, and in any case, if the Data Subject has objected to the processing for direct marketing purposes.

To whom can the Data Subject file a complaint? (Article 15 GDPR)

Without prejudice to any other administrative or judicial remedy, the Data Subject may file a complaint with the competent supervisory authority in Italy (the Italian Data Protection Authority – Garante per la protezione dei dati personali), or with the supervisory authority in the Member State where the alleged violation of the GDPR took place.

Any updates to this Privacy Notice will be promptly communicated through appropriate means. Additionally, if the Data Controller intends to process the Data Subject’s personal data for purposes other than those stated in this Notice, the Data Subject will be informed before proceeding, and their explicit consent will be obtained where necessary.

SECTION IV

COOKIE

General Information, Deactivation, and Management of Cookies

Cookies are data sent by the website and stored by the internet browser on the user’s computer or other device (such as a tablet or smartphone). Our website or its subdomains may install technical cookies and third-party cookies.

However, the user can manage, or request the general deactivation or deletion of cookies by changing the settings in their internet browser. Please note that disabling cookies may slow down or prevent access to certain parts of the website.

The settings to manage or disable cookies may vary depending on the internet browser used. Therefore, to get more information on how to perform these actions, we suggest that the user consult the manual of their device or the “Help” or “Assistance” feature of their internet browser.

Below are links to guides on how to manage or disable cookies for the most popular internet browsers:

• Internet Explorer: http://windows.microsoft.com/en-IT/internet-explorer/delete-manage-cookies
• Google Chrome: https://support.google.com/chrome/answer/95647
• Mozilla Firefox: http://support.mozilla.org/en-US/kb/manage-cookies
• Opera: http://help.opera.com/Windows/10.00/en/cookies.html
• Safari: https://support.apple.com/kb/PH19255

The use of technical cookies—i.e., cookies necessary for transmitting communications over an electronic communications network or cookies strictly necessary for the provider to deliver the service requested by the customer—ensures the secure and efficient use of our website.

Session cookies may be installed to allow access and continued use of the reserved area of the portal as an authenticated user.

Technical cookies are essential for the proper functioning of our website. They are used to enable users to navigate the site normally and to access the advanced services available on our website. The technical cookies used are divided into:

• Session cookies, which are stored only for the duration of the browsing session and are deleted when the browser is closed.
• Persistent cookies, which are saved in the user’s device memory until they expire or are deleted by the user.

Our website uses the following types of technical cookies:

1. Navigation or session cookies: Used to manage normal navigation and user authentication.
2. Functional technical cookies: Used to store user-selected customizations, such as language preferences.
3. Analytics technical cookies: Used to understand how users interact with our website in order to evaluate and improve its performance.

Third-Party Cookies

Our website may use third-party cookies, including analytical and profiling cookies, from services such as Google Analytics, Google Doubleclick, Criteo, Rocket Fuel, YouTube, Yahoo, Bing, and Facebook. These cookies are sent by external third-party websites, separate from our own site.

• Analytical Cookies: Third-party analytical cookies are used to collect information about user behavior on the site. The data is gathered anonymously to monitor site performance and improve usability.
• Profiling Cookies: Third-party profiling cookies are used to create user profiles in order to serve personalized advertisements based on the users’ browsing behavior.

The use of these cookies is governed by the privacy policies and settings of the third-party services. Therefore, we encourage users to review the privacy notices and cookie management instructions provided by these third parties. Below are the relevant links for managing or disabling cookies for some of the services used:

• Google Analytics Cookies:
  • Privacy Policy: https://www.google.com/intl/en/policies/privacy/
  • Instructions to manage or disable cookies: https://support.google.com/accounts/answer/61416?hl=en

Profiling Cookies

Profiling cookies may be installed by the Data Controller(s) through web analytics software. These cookies are used to generate detailed, real-time reports that provide insights into the following information: visitors to the website, referring search engines, keywords used, language settings, and the most visited pages.

These cookies may collect various types of information, such as IP address, nationality, city, date/time, device, browser, operating system, screen resolution, navigation source, pages visited, number of pages viewed, visit duration, and the number of visits made.