Privacy policy
Last updated: March 11, 2026
PERSONAL DATA PROCESSING INFORMATION
Identity and Contact Details of the Data Controller
Rudy Project S.p.A., hereinafter also "Rudy Project" or "Controller", with registered office at Via Benedetto Marcello, 44 – 31100 – Treviso (TV), contactable at email privacy@rudyproject.com, PEC info@pec.rudyproject.com or phone +39 0422 433011.
Purposes and Legal Bases
A. Application management: personal data is processed for all needs related to verifying profiles of interest.
B. Information request management: personal data is processed for all needs related to handling information requests and/or quotes.
C. User registration management: personal data is processed to enable the creation of an account and subsequent access to the e-commerce reserved area.
D. Abandoned cart reminder: communications via email regarding uncompleted orders may be sent exclusively to registered users, in order to facilitate the completion of the purchase.
E. Purchase management: personal data is processed for all needs related to managing the contractual relationship in all its phases (e.g. logistics organisation, customer support activities and compliance with legal obligations incumbent on the Controller).
F. Marketing: to send commercial communications about initiatives, products, loyalty points, abandoned cart, activities.
G. Profiling: data is processed to analyse behaviours, habits and consumption trends in order to meet specific needs and improve the products and services offered by the Controller. In particular, the data is used to place users in dynamic segments and personalise commercial communications, offers, promotions and product suggestions. This processing may result in receiving personalised content or discounts and exclusion from irrelevant communications. No fully automated decisions with legal or similarly significant effects on the data subject are made.
H. Consent management and revocation: the Controller processes personal data to confirm that subscription to marketing communications takes place with verified consent (double opt-in). The Controller records consent revocations to avoid sending further communications to those who do not wish to receive them (blacklist).
I. Defensive purposes: the Controller may need to process personal data for the management of out-of-court or judicial disputes and litigation.
|
Purpose |
Legal basis (common data) |
Legal basis (special data) |
|
A. |
Performance of pre-contractual measures. |
Fulfilment of obligation in the field of labour law. |
|
B. |
Performance of pre-contractual measures; Legitimate interest of the Controller in responding to received requests. |
/ |
|
C. |
Performance of the contract. |
/ |
|
D. |
Legitimate interest of the Controller. |
/ |
|
E. |
Performance of the contract; Compliance with legal obligations. |
/ |
|
F. |
Consent. |
/ |
|
G. |
Consent. |
|
|
H. |
Legitimate interest of the Controller in collecting validly expressed consents and keeping track of revocations to avoid unwanted contacts. |
/ |
|
I. |
Legitimate interest of the Controller in establishing, exercising or defending a right. |
Establishing, exercising or defending a right. |
Retention Period
|
Purpose |
Retention period |
|
A. |
24 months from collection. |
|
B. |
Time necessary to fulfil received requests and subsequent communications. |
|
C. |
36 months from the last user interaction (e.g. login). |
|
D. |
15 days from cart abandonment. |
|
E. |
10 years from contract termination. |
|
F. |
Until consent is revoked. Every 2 years, the validity of consent is verified via opt-out. |
|
G. |
12 months. |
|
H. |
1 month from data registration. Data stored on the blacklist is kept for 3 years. |
|
I. |
10 years from the final resolution of the dispute. |
Nature of Processing and Consequences of Refusal
|
Purpose |
Nature |
Consequences |
|
A. |
Mandatory |
Impossibility for the data subject to submit their application and for the Controller to manage the selection. |
|
B. |
Mandatory |
Impossibility of receiving the requested information. |
|
C. |
Mandatory |
Impossibility of registering an account and receiving additional services provided for registered users. |
|
D. |
Mandatory |
Impossibility of receiving abandoned cart communications. |
|
E. |
Mandatory |
Impossibility of starting or continuing the commercial relationship. |
|
F. |
Optional |
Impossibility of receiving commercial communications from the company. |
|
G. |
Optional |
Impossibility of receiving profiled commercial communications from the company. |
|
H. |
Optional |
Impossibility of receiving promotional and marketing communications. |
|
I. |
Mandatory |
Impossibility of managing the dispute. |
Scope of Communication
Data is processed by authorised internal personnel for specific tasks and communicated externally according to the following rules:
|
Purpose |
Categories of external recipients |
|
A. |
Occupational physician, labour consultant, recruitment agency, employment agencies. |
|
B. |
Agents, commercial consultants, distributors, companies offering hosting/technology platform management services. |
|
C. |
Companies offering hosting/technology platform management services. |
|
D. |
Credit institutions, external consultants, subjects to whom communication is required by law, commercial partners (clients/suppliers), companies offering hosting/technology platform management services. |
|
E. |
External consultants, companies offering hosting/technology platform management services. |
|
F. |
External consultants, companies offering hosting/technology platform management services. |
|
G. |
External consultants, companies offering hosting/technology platform management services. |
|
H. |
Marketing consultancy companies, companies offering hosting/technology platform management services. |
|
I. |
Law firms; debt recovery or assignment companies; Judicial authority. |
Since data is also processed using IT tools, it may also be visible to those performing maintenance/assistance on such systems.
Transfer of Data to a Third Country or an International Organisation
If we transfer personal data from the European Economic Area or the United Kingdom, we will rely on recognised transfer mechanisms, such as the European Commission's standard contractual clauses or equivalent contracts approved by the competent UK authority, where applicable, unless the transfer is to a country deemed capable of ensuring an adequate level of data protection.
Rights of Data Subjects
The following rights are granted to the person to whom personal data relates:
Access: you can find out whether your personal data is being processed and, if so, obtain access to it and request a copy.
Rectification: you can request the updating of your personal data, their correction (if inaccurate) and the completion of incomplete data.
Erasure: you can obtain the erasure of your personal data when certain conditions are met (for more information, contact the Controller).
Restriction: you can request that data be flagged, so as to restrict its future processing, when certain conditions are met (for more information, contact the Controller).
Objection: you can object to the processing of personal data, for reasons related to your particular situation, where the processing is based on legitimate interest or is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the Controller; you can also object to the processing of personal data for direct marketing purposes.
Portability: you can receive in a structured format the personal data provided to the Controller and ask for it to be transmitted to another data controller where the processing is based on consent or contract and is carried out by automated means.
Withdrawal of consent: you can withdraw your consent for the purposes that required it, without affecting the lawfulness of processing carried out until that point.
|
Purpose |
Access |
Rectification |
Erasure |
Restriction |
Objection |
Portability |
Withdrawal |
|
A. |
X |
X |
X |
X |
|
|
|
|
B. |
X |
X |
X |
X |
X |
|
|
|
C. |
X |
X |
X |
X |
|
X |
|
|
D. |
X |
X |
X |
X |
X |
|
|
|
E. |
X |
X |
X |
X |
|
X |
|
|
F. |
X |
X |
X |
X |
|
X |
X |
|
G. |
X |
X |
X |
X |
X |
X |
X |
|
H. |
X |
X |
X |
X |
X |
|
|
|
I. |
X |
X |
X |
X |
X |
|
|
To exercise the above rights, you can use the form available at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924 and send it to: privacy@rudyproject.com. The data subject may request further details at the same address regarding the information provided above (e.g. legitimate interest balancing test or the list of data processors).
You can lodge a complaint with a supervisory authority: for Italy, the Italian Data Protection Authority (www.garanteprivacy.it).