Legal
Privacy Policy
01 About this policy
This Privacy Policy explains how Donzella di Thomas Donzella ("Donzella", "we", "us") collects, uses, shares and protects your personal information when you visit atdonzella.com, contact us, purchase our products or otherwise interact with our brand.
It applies worldwide and includes specific disclosures for residents of the European Economic Area, the United Kingdom, and several US states. For cookies and similar tracking technologies, please also see our Cookie Policy.
02 Personal information we collect
We collect the following categories of personal information, using the taxonomy defined by the California Consumer Privacy Act (CCPA) for clarity.
Categories collected in the last 12 months
| Category | Examples | Collected |
|---|---|---|
| A · Identifiers | Name, email, postal address, phone number, IP address, account ID | Yes |
| B · Customer records | Billing and shipping addresses, payment information (processed by our payment provider, not stored by us) | Yes |
| C · Protected classifications | Age, gender (only if voluntarily provided) | Optional |
| D · Commercial information | Purchase history, products viewed, wishlist items | Yes |
| E · Biometric information | Not collected | No |
| F · Internet activity | Pages visited, time on page, referrer, device and browser data | With consent |
| G · Geolocation | Approximate location derived from IP (country/region level) | With consent |
| H · Sensory data | Not collected | No |
| I · Professional information | Only for B2B / press / trade-partner enquiries | If applicable |
| J · Education information | Not collected | No |
| K · Inferences | Style preferences derived from browsing and purchase behaviour | With consent |
| L · Sensitive personal information | We do not collect sensitive personal information as defined under CPRA (e.g. precise geolocation, racial or ethnic origin, religious beliefs, health, sexual orientation, government IDs). | No |
03 How we collect it
We collect personal information from the following sources:
- Directly from you · when you fill in a form, place an order, create an account, subscribe to our newsletter, contact customer service or interact with us on social media.
- Automatically · when you browse our website (cookies, log files, analytics; only with your consent for non-essential tracking).
- From third parties · payment processors, shipping providers, advertising platforms (if you arrive from a campaign), and publicly available sources for press contacts.
04 Why we use it
We process your personal information for the following purposes. For EU/UK residents, we also indicate the legal basis under Article 6 GDPR.
| Purpose | Examples | Legal basis (GDPR) |
|---|---|---|
| Order fulfilment | Processing purchases, payment, shipping, returns | Contract · Art. 6(1)(b) |
| Customer service | Responding to enquiries, after-sales support | Contract · Legitimate interest |
| Account management | Creating and maintaining your account | Contract |
| Marketing communications | Newsletter, product updates, invitations | Consent · Art. 6(1)(a) |
| Personalisation | Product recommendations, tailored content | Consent |
| Analytics and improvement | Understanding website usage to improve UX | Consent |
| Security and fraud prevention | Protecting our website and customers | Legitimate interest · Art. 6(1)(f) |
| Legal compliance | Tax, accounting, regulatory obligations | Legal obligation · Art. 6(1)(c) |
05 Who we share it with
We do not sell your personal information in the traditional sense. We do, however, share certain data with the following categories of recipients, only as necessary for the purposes above:
- Service providers acting as data processors on our behalf: hosting (web infrastructure), payment processors, shipping carriers, email and CRM platforms, customer service tools.
- Analytics and advertising partners such as Google, Meta and similar (only with your consent).
- Professional advisors such as accountants, lawyers and auditors, where necessary.
- Public authorities when required by law (tax authorities, courts, regulators).
- Successors in the event of a merger, acquisition or sale of assets, with prior notice where required.
For California residents: certain disclosures to advertising partners may be considered "sharing" under CPRA, even when no money changes hands. See section 10 to opt out.
06 International transfers
Some of our service providers, including Google, Meta, Vimeo and others, are based in the United States or other countries outside the European Economic Area. When we transfer your personal information internationally, we rely on one or more of the following safeguards:
- EU-US Data Privacy Framework certification, where the recipient is certified.
- Standard Contractual Clauses approved by the European Commission.
- Your explicit consent, where neither of the above applies.
You can request a copy of the safeguards in place by emailing [email protected].
07 How long we keep it
| Data | Retention period |
|---|---|
| Order and invoice records | 10 years (Italian tax law) |
| Customer account | Until deletion request · max 5 years of inactivity |
| Newsletter subscription | Until unsubscribe |
| Customer service correspondence | 3 years from last contact |
| Cookie consent record | 12 months (6 if rejected) |
| Analytics data (aggregated) | 26 months |
| Marketing profiling data | 24 months from last interaction |
After these periods, your personal information is deleted or anonymised, except where longer retention is required by law (e.g. accounting records, legal claims).
08 Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, alteration and disclosure, including TLS encryption for data in transit, access controls, regular security reviews and vendor due diligence.
No method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the competent supervisory authority as required by applicable law.
09 Your rights · EU / UK (GDPR)
If you are located in the European Economic Area, the United Kingdom or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access · obtain confirmation of whether we process your data and a copy of it.
- Rectification · correct inaccurate or incomplete data.
- Erasure · request deletion of your data ("right to be forgotten").
- Restriction · limit how we process your data.
- Portability · receive your data in a structured, machine-readable format.
- Objection · object to processing based on legitimate interests, including direct marketing.
- Withdraw consent, at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint with the Italian Garante per la protezione dei dati personali or your local supervisory authority.
To exercise any of these rights, email us at [email protected]. We will respond within one month (extendable to three for complex requests).
10 Your rights · California (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know · what personal information we collect, the sources, the purposes, the categories of third parties with whom we share it, and the specific pieces of information we hold about you.
- Right to delete · request deletion of your personal information, subject to legal exceptions.
- Right to correct · request correction of inaccurate personal information.
- Right to opt out of "sale" or "sharing" · including cross-context behavioural advertising. Exercise this right via Do Not Sell or Share My Personal Information or by emailing us.
- Right to limit use of sensitive personal information · not applicable, as we do not collect sensitive personal information.
- Right to non-discrimination · we will not deny you services, charge different prices or provide a lower level of quality because you exercised your rights.
How to submit a request: email [email protected] with the subject line "California Privacy Request". We will verify your identity using information already on file (name, email, recent order) and respond within 45 days (extendable to 90 for complex requests).
Authorised agents: you may designate an agent in writing to submit requests on your behalf. We will require proof of authorisation and verification of your identity.
Global Privacy Control: we honour the GPC browser signal as a valid opt-out request, see our Cookie Policy for details.
Children: we do not knowingly sell or share the personal information of consumers under 16 years of age.
"Shine the Light" (California Civil Code §1798.83): California residents may request a list of personal information we have disclosed to third parties for their direct marketing purposes in the preceding calendar year.
11 Your rights · Other US states
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Iowa, Nebraska, Tennessee, Indiana, Kentucky, Maryland, Minnesota, Rhode Island or another US state with a comprehensive privacy law, you may have rights similar to those above, including the right to access, correct, delete and opt out of targeted advertising or "sale" of your personal information.
The specific rights and processes vary by state. To exercise any applicable right, contact us at [email protected] and indicate your state of residence. We will respond in accordance with the timeframes set by your state's law.
Where your state law provides an appeal process for denied requests, you will receive instructions in our response.
We honour the Global Privacy Control signal as a universal opt-out mechanism wherever recognised by state law.
12 Children's privacy
Our website is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
13 Automated decision-making
We do not use your personal information for solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. Personalisation of marketing content based on browsing behaviour does not qualify as such.
14 Updates to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The Last updated date at the top of this page indicates the most recent revision. Material changes will be communicated through a banner on our website or, where you have an active relationship with us, by email.
15 Data controller · Contact
Donzella di Thomas Donzella
trading as Donzella
Via S. Francesco d'Assisi 47/E
20073 Opera (MI) · Italy
VAT · IT02865930180