Privacy Policy

  1. Scope of the Policy

The following Privacy Policy, pursuant to Article 13 of the European Regulation 2016/679 (“General Data Protection Regulation” or “GDPR”), describes the procedures for collecting and using personal data through the Company’s website at (hereinafter, the “Website”) and is addressed to users of the Website and to anyone who enjoys the services offered through the Website.

Visiting the Website may involve the processing of data, including personal data. In this Policy we define the personal information that the Company can collect when you visit the Website and the ways in which this data is managed.


  1. Data Controller

The Data Controller of personal data is:

Spina Group S.r.l.

Registered office: San Giuliano Milanese (MI), Via del Tecchione, 36 / B

Operational headquarters: San Giuliano Milanese (MI), Via del Tecchione, 36 / B

VAT number: IT03063880961

TAX CODE: 11065440155

Tel: 02-9886261



  1. Subject, purpose and legal basis of the processing

Personal data collected through the Website includes data collected with automated tools and cookies.

We will collect personal information about visits to the Website, including, but not limited to, traffic data and location data. Some information is collected through cookies, as described more in detail in the Cookie Policy below.

Personal data will be collected and processed by us for the following purposes:

- To make visiting the Website easier in the future;

- To suggest relevant content based on the pages visited and the location from which you access the Website;

- To adapt the contents and resources of the Website to the preferences of the users;

- To ensure that the content provided through the Website is presented in the most effective way for users, based on their device;

- To further develop and improve the Website and the systems to better serve the user;

- To allow the management and the delivery of purchase orders.


  1. Data provided by the user by filling in forms or by contacting Spina Group

We will collect all information provided by users, also during registration and account creation or in the exchange of correspondence (for example “Contacts”, “Download Area”, “Account Area”) and, in particular: first name, last name, e-mail address, telephone number, location, date of birth, VAT number, company name, address, password. In general, providing personal information is not a legal or contractual requirement; however, please note that the fields marked with an asterisk (*) are mandatory fields, as we need this information to respond to your request and manage your purchase orders. Other information or personal data are shared when filling in the account area, at the user’s discretion.

Personal data will be collected and processed by us for the following purposes:

To allow the management of the purchase order and all activities (including administrative activities) related to the online sale and delivery of products;

To respond to your requests or questions by email or by telephone;

To send other information and communications via email that may be of interest to you.


We use personal data for direct marketing via e-mail, only and exclusively if this option has been accepted. You can decide not to receive marketing communications anymore and communicate it to us at any time. See below Section 10 of this Policy for further details.

The legal ground of all the processing of personal data carried out through the Website is the consent of the interested party.


  1. Period of data retention

The criteria used to determine the applicable period of data retention are as follows.

The data retention period depends on:

(I) The purpose for which the data is collected and processed. We will retain the personal data given by consent by the user for the time necessary for its purpose;

(II) The consent expressed by the user or the revocation of the consent itself or the opposition to the processing;

(III) Our unquestionable decision to cease the processing of data through the Website;

(IV) The applicable legal or regulatory provisions.


  1. Data communication to third parties

Disclosure of the personal data to third parties will only occur in the following circumstances:

  • To suppliers, contractors and agents: we may involve or use other companies and individuals to perform certain functions on our behalf, which entail the processing of personal data, such as hosting and/or maintenance of the Website or the provision of certain functions contained therein, or the provision of marketing services. The recipients will have access to personal data only to the extent required by the performance of their functions and will not be able to use them for other purposes. The recipients will be bound by contractual confidentiality obligations; May use them for other purposes. Recipients will be bound by contractual obligations of confidentiality. Specifically, to process the purchase orders (ecommerce) we use the Big Commerce platform, provided by BigCommerce, Inc. headquartered at 11305 Four Points Drive Building 2, First Floor Austin, TX 78726, whose privacy policy can be found at: The platform is controlled by Spina Group but Big Commerce may access personal data processed through the platform to perform support or service activities. The data on the Big Commerce platform is hosted on Google Cloud. The Google Cloud privacy policy can be viewed at the following address:;

  • To our subsidiaries or affiliates, if their involvement is necessary for the achievement of the purposes for which the data is collected and processed;

  • To governmental or judicial authorities if we determine, in our sole discretion, that we are legally required to do so.


  1. Place of personal data processing

Personal data is processed and stored at our headquarters. If necessary, data is processed at the offices of other companies of our Group, or at the headquarters of our service providers, chosen from subjects of proven reliability and who have taken, in accordance with current legislative provisions, suitable undertakings with respect to confidentiality and security of personal data.

Also in this second case, personal data remains under our control. In both cases, we have implemented or ensured systems to ensure that personal information is adequately protected.

We are committed to taking all steps necessary to ensure that personal data is treated securely and in accordance with this Policy. We will apply rigorous operating procedures and appropriate technical and organizational security measures based on the available technical means to prevent breaches of personal data.


  1. Data transfer outside the European Union

As explained in paragraph “Data communication to third parties” above, your personal data may be transferred and processed in one or more countries within or outside the European Union. We will transfer data outside the EU only to Countries that the European Commission believes to offer an adequate level of protection, or where our Group has implemented appropriate safeguards to preserve the confidentiality of such information, in accordance with current legislative provisions or if the service provider processing the data outside the European Union has provided appropriate guarantees that it will implement the transfer in accordance with European Union regulatory requirements (e.g. through standard contractual clauses).


  1. User rights. How you can access, correct and delete your personal data

Under applicable data protection law, the user has the following rights:

  • To access and obtain a copy of your personal data: user has the right to request the confirmation that we are processing any of your personal data. In this case, the users can have access to their personal data and to the information on how they are treated. In some cases, he/she may require to provide an electronic copy of the data;

  • To rectify personal data: if the user is able to prove the incorrectness of personal data in our possession, he/she has the possibility to request the updating or correction of such data. The user also has the right to have incomplete personal data completed, including by means of providing a supplementary statement;

  • To be forgotten/to obtain the deletion of their data: in certain circumstances, the user has the right to have their personal data deleted. The request can be presented at any time; Spina Group will assess whether it can be granted. However, this right is subject to legal rights or obligations that could force us to retain the data. For situations in which, in accordance with the law, it is established that the request for cancellation of personal data must be granted, Spina Group will proceed without delay.

To exercise their rights, the users can write us at the following email address:

To the extent that the processing of personal data is based on your consent, users have also the right to withdraw consent at any time. Withdrawal of consent does not affect the legitimacy of any treatment based on consent given prior to such withdrawal. It is also possible to file a complaint regarding the processing of personal data to the competent Data Protection Authority.


  1. Marketing communications

We will send marketing communications via e-mail only if the user has consented to this operation.

Normally the forms we use to collect personal data contain a box to select in case you wish to receive marketing communications. When we send marketing communications by e-mail, we may decide not to receive further communications by clicking on “unsubscribe” or on the renounce function in the e–mail. Furthermore, it is possible to exercise the right of withdrawal at any time by contacting us at the e–mail address: and providing the following information: name, email address, telephone number and marketing communications that you don’t longer want to receive.