PURSUANT TO ART. 13 OF EU REGULATION 2016/679 (GDPR) and subsequent amendments
For users of the website www.ourtoscana.com, Rev 0 of 27/09/2025

Dear User,

this policy describes how OUR TOSCANA S.R.L., as Data Controller, collects, uses and manages your personal data through this website, www.ourtoscana.com.

  1. Identity and contact details of the Data Controller

The Data Controller is OUR TOSCANA S.R.L. (hereinafter also referred to as the “Controller” and/or “Company”), with registered office in Via Mezzomiglio 26 – 51018 Pieve a Nievole (PT) – Italy, VAT number IT01910470473, which can be contacted at the above address or at the following contact details:

email: contact@ourtoscana.com

certified email: ourtoscana@pec.it

  2. Types of Data Processed and Purposes of Processing

Through this website, we collect and process the following categories of data:

  • Browsing data:
    • What they are: during normal operation, the IT systems and software procedures used to operate this website acquire some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.
    • Purpose: this data is used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning, and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site.
    • Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR) to ensure the proper technical functioning and security of the website.
  • Data provided voluntarily by the user (through direct contact):
    • What it is: this is personal data (e.g. name, surname, email address, telephone number and any other personal data provided) that you choose to provide us with voluntarily by contacting us directly via the email address or telephone number indicated on the website.
    • Purpose: we will use this data exclusively to respond to your requests for information, to provide you with clarifications about our services or to manage your specific communication.
    • Legal basis: the implementation of pre-contractual measures taken at your request or the legitimate interest in responding to your communications (Art. 6(1)(b) or (f) of the GDPR).
  • Data provided during interactions – by social network users – with the Company’s social media pages:
    • What they are: this is personal data that can be inferred from users’ social profiles and provided by them during interaction with the Company’s pages.
    • Purpose: the personal data of social media users who interact with the Data Controller’s pages may be processed for the management of user requests sent by the user themselves through social networks.

The platforms that can be defined as “social” used by the Company, through the creation of accounts to which dedicated pages are associated, are currently present on Facebook, Instagram and LinkedIn. These channels operate through the application of their own privacy policies, which the user accesses, reads and accepts. In this sense, the management of potentially acquirable and processable data is carried out directly by the platforms and the user, in which case OUR TOSCANA S.R.L. uses it in the manner and for the purposes specified in this section. The contents reported are to be understood as the implementation of the privacy policies applied by the social network platforms on which the Company has its own account used solely and exclusively for the presentation of its activities and for the purposes specified. In this sense, OUR TOSCANA S.R.L., as a legal entity with its own privacy management body in accordance with and pursuant to EU Regulation 2016/679 and Legislative Decree 101/2018, is relieved of any actions taken by social network platform operators that do not comply with the relevant regulations and that could potentially infringe on the freedom of individuals. The references, which can be consulted at any time and are continuously updated, regarding the privacy policies applied by the aforementioned social network platforms are therefore provided below:

Facebook: https://it-it.facebook.com/privacy/explanation

Instagram: https://help.instagram.com/519522125107875

LinkedIn: https://it.linkedin.com/legal/privacy-policy

    • Legal basis: the implementation of pre-contractual measures taken at your request or the legitimate interest in responding to your communications (Art. 6(1)(b) or (f) of the GDPR).

  3. Cookies and Other Tracking Technologies

This website only uses technical cookies, which are necessary for the proper functioning of the website (necessary first-party cookies). No third-party cookies are used (e.g. profiling cookies, analytical cookies with non-anonymised IP addresses, social media plug-in cookies that collect user data). Your browsing is not tracked for marketing or profiling purposes by us or by third parties. Therefore, there are no cookies that require your prior consent and, for this reason, there is no cookie banner on the website.

  4. Methods of Processing

Your personal data is processed using IT and/or telematic tools. The data is stored on secure servers. Appropriate security measures are taken to prevent data loss, illicit or incorrect use and unauthorised access.

  5. Nature of Data Provision

  • The provision of browsing data is implicit in the use of Internet communication protocols and necessary for the proper functioning of the website.
  • The provision of data provided voluntarily through direct contact is optional. However, failure to provide such data may make it impossible for the Data Controller to respond to your requests.
  • The provision of data provided voluntarily through interaction with the Company’s social media pages is optional.

  6. Recipients of Personal Data

Your data will not be disclosed. It may be communicated to:

  • Internal Company personnel authorised to process data.
  • Technical service providers (e.g. hosting providers, website developers, communication consultants) who act as Data Processors pursuant to Art. 28 GDPR and are bound by specific contractual agreements to ensure the security and confidentiality of the data.
  • Judicial or administrative authorities, where required by law.

  7. Transfer of Data Abroad

The Data Controller does not transfer your personal data outside the European Economic Area (EEA), except for the proper functioning of the essential services of the website and only if strictly necessary (e.g. server hosting in countries with adequacy decisions or adoption of standard contractual clauses).

  8. Data Retention Period

  • Browsing data is retained for the time strictly necessary to pursue the purposes for which it is collected and is deleted immediately after processing (usually a few hours or days).
  • Data provided voluntarily by the user (through direct contact) will be retained for the time necessary to respond to your requests and, subsequently, for the time necessary to fulfil legal obligations or to defend a right in court.

  9. Your Rights

As a data subject, you have the right to exercise the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to the data.
  • Right to rectification (Art. 16 GDPR): to obtain the rectification of inaccurate personal data concerning you and the completion of incomplete data.
  • Right to erasure (right to be forgotten) (Art. 17 GDPR): to obtain the erasure of personal data concerning you, if the reasons provided for in the GDPR exist.
  • Right to restriction of processing (Art. 18 GDPR): to obtain restriction of processing in certain circumstances.
  • Right to data portability (Art. 20 GDPR): to receive your personal data in a structured, commonly used and machine-readable format and/or request its direct transmission to another controller, if technically feasible (applicable only to data provided on the basis of a contract or consent).
  • Right to object (Art. 21 GDPR): to object at any time to the processing of personal data concerning you for reasons related to your particular situation, based on the legitimate interest of the Data Controller.
  • Right to lodge a complaint with the Supervisory Authority (Art. 77 GDPR): to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) if you believe that the processing of your data violates the GDPR.

To exercise your rights, or for any questions or clarifications regarding this policy, you may contact the Data Controller at the above addresses.

  10. Changes to this Policy

This policy may be subject to changes and updates over time. We invite you to consult this page periodically to stay up to date on how your personal data is processed.

Date of last revision: 27/09/2025