Privacy policy

• Who is the data controller? Who is the DPO?
• When do you collect my data?
• What data will you process?
• For what other purposes might you use my data?
• With whom will you share my data?
• How will you process my data?
• Will my data be processed outside the European Union?
• How long will you retain my data?
• What are my rights and how can I protect my privacy?
• Can I file a complaint?
• How can I contact the Data Controller?

1. WHO IS THE DATA CONTROLLER? WHO IS THE DPO?

The data controller, who determines the means and purposes of processing your personal data, is DB S.r.l., with its registered office at Via Trentola 40c, 47121 Forlì (FC), Tax Code and VAT no. 02620630984 (hereinafter, the “Controller”), under the management and coordination of B&T S.r.l., based in Via Due Ponti 9, 47122 Forlì (FC), Tax Code 00903510402.
The Controller has appointed a Data Protection Officer (DPO), whom data subjects may contact for matters related to exercising their rights and requesting information about their personal data processed by the Controller. The DPO can be reached at the following email address: dpo@dorelan.it.

2. WHEN DO YOU COLLECT MY DATA?
The Controller will collect information directly provided by you:

• when you browse the Website;
• when you access your personal account on the Website;
• when you use services or request activation of the newsletter service;
• when you make a purchase on the e-commerce platform;
• when you submit inquiries using dedicated sections;
• when you seek assistance through specific tools.

3. WHAT DATA WILL YOU PROCESS?

When you browse, use services, or make purchases via the Website, the following types of data may be processed:

a) Browsing Data

Certain personal data—implicitly transmitted while navigating websites, including but not limited to data traffic, location data, weblogs, and other communication data for billing or resource access purposes—are acquired by the computer systems enabling the site to function correctly. Although this information is not collected to identify users, it could, by its nature and through processing and association with third-party data, allow user identification. Examples include IP addresses or domain names of the computers used to access the Website, unique resource request addresses, request time, the method used to submit the request to the server, the size of the response file, the numerical code indicating the server’s response status, and other parameters related to the operating system and browser used.
Purpose: To enable you to navigate the site.
Legal basis for processing: The legitimate interest of the Controller in ensuring the proper functioning and security of the Website, balanced with the data subject’s rights (Art. 6(1)(f) GDPR).

b) Information Requests via Email or Contact Forms

You can contact us through the contact details provided on the Website, using links, contact forms, or customer support tools, to request information or assistance. Doing so entails acquiring the data you communicate (e.g., your email address and the information included in the communication), which authorizes us to respond using the details provided.
Purpose: To ensure adequate support regarding your needs or inquiries.
Legal basis for processing: The legitimate interest of the Controller in ensuring the proper functioning of the Website and security of navigation, balanced with the data subject’s rights (Art. 6(1)(f) GDPR).

c) Registration and Access to Personal Accounts

When making a purchase on the Website, you can create a personal account by filling out the form on the dedicated registration page. Personal identification data, such as email addresses and identifiers, are collected. The access password is created by the user, and the Controller will not have access to it.
Purpose: To allow you to use the functionalities and services available to account holders, such as viewing your activity history, saving delivery addresses, and payment methods.
Legal basis for processing: The performance of the requested service (Art. 6(1)(b) GDPR).
Providing the data described in section c) is optional. However, refusal to provide such data will prevent account registration and creation.

d) Purchase of Products

Through the Website, you can purchase products either as a registered user or as a guest. When purchasing products, we may require additional information, such as payment details, tax codes, and billing or shipping addresses.
Purpose: To process purchases via our e-commerce platform.
Legal basis for processing: The performance of the requested service (Art. 6(1)(b) GDPR).
Providing the data described in section d) is optional. Refusal will make it impossible to provide the services described and to conclude product sales contracts.

4. FOR WHAT OTHER PURPOSES MIGHT YOU USE MY DATA?
Your personal data may also be processed for the following purposes:

4.1 Compliance with legal obligations and requests from public and government authorities.

4.2 Managing disputes or legal matters, thereby protecting the Controller's rights both judicially and extrajudicially.

In these cases, the legal bases for processing will be:
a. compliance with a legal obligation under section 4.1 (Art. 6(1)(c), GDPR);
b. the Controller’s legitimate interest in protecting its rights, balanced with the data subject’s rights, under section 4.2 (Art. 6(1)(f), GDPR).

5. WITH WHOM WILL YOU SHARE MY DATA?

To achieve the purposes outlined in this privacy policy, your data may be processed by the Controller's personnel authorized to provide the requested services, information, or support.
Additionally, the Controller shares your data with B&T S.r.l., its controlling company located at Via Due Ponti 9, 47122 Forlì (FC), as part of the same business group. Access to your personal data will only be authorized by the Controller, who may also appoint third-party service providers as Data Processors under Articles 28 and 29 of the GDPR.
Notably:

• Marketing and newsletter services: Provided via Brevo, owned by Sendinblue SAS, headquartered at 106 Boulevard Haussmann, 75008 Paris, France (Registration no. 498 019 298; email: privacy@sendinblue.com or dpo@sendinblue.com).
• Cookie provider list: Available in the Cookie Policy.
• Google Ireland Limited (Registered Number: 368047), based at Gordon House, Barrow Street, Dublin 4, Ireland, which provides Google Maps services.

The full list of authorized individuals and Data Processors is available at the Controller's registered office or can be requested via the contact details provided in the section “How can I contact the Data Controller?”

6. HOW WILL YOU PROCESS MY DATA?
Your personal data will be processed electronically for the time strictly necessary to achieve the purposes outlined at the time of collection.
The Controller will implement technical and organizational measures to prevent data loss, misuse, or unauthorized access by third parties, ensuring your data’s security.

7. WILL MY DATA BE PROCESSED OUTSIDE THE EUROPEAN UNION?
The data processed by the Controller is stored on servers within the European Union.
Some service providers may be based in non-EU countries, such as the United States. In such cases, the Controller ensures compliance with Articles 45 and subsequent provisions of the GDPR by adopting necessary measures to ensure the highest protection for personal data, including:
a. adequacy decisions by the European Commission regarding third countries;
b. adequate guarantees expressed by the recipient under Art. 46 of the GDPR;
c. adoption of binding corporate rules and technical safeguards as required by EU law.

8. HOW LONG WILL YOU RETAIN MY DATA?
Your personal data will be processed for the time reasonably necessary to fulfill the purposes described in this notice.
At the end of the retention period, your personal data will be deleted or irreversibly anonymized and aggregated.
For cookie-related data retention periods, refer to our Cookie Policy.

9. WHAT ARE MY RIGHTS AND HOW CAN I PROTECT MY PRIVACY?
Under the GDPR, you have the right to request:

• Access to your data;
• Modification or correction of any errors in our databases;
• Deletion of your data if it is held without a legal basis;
• Restriction of processing;
• Objection to processing;
• Data portability.

Detailed information on exercising your rights can be found here: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.
The following table explains how to exercise your rights:

YOUR RIGHT	HOW TO EXERCISE IT
Access	Request confirmation of whether your personal data is being processed and obtain a copy of your data.
Rectification	Request correction of inaccurate or incomplete personal data. Accuracy will be verified prior to rectification.
Deletion	Request deletion of personal data under specific circumstances (e.g., no longer needed, withdrawal of consent, or unlawful processing).
Restriction	Request restricted processing under certain conditions (e.g., disputed accuracy or pending legal action).
Portability	Request a copy of your data in a structured, commonly used, and machine-readable format.
Objection	Object to processing for direct marketing or when based on legitimate interest, unless overriding legal grounds exist.

The Controller will respond to all requests within 30 days. If you believe your data has been unlawfully processed, you may file a complaint with the relevant authority (in Italy, the Garante per la protezione dei dati personali).

10. CAN I FILE A COMPLAINT?
Yes, you have the right to file a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if you believe the processing of your data violates EU Regulation 679/2016. Contact details are available at http://www.garanteprivacy.it/. You may also seek legal remedies under Articles 78 and 79 of the GDPR.ì

11. HOW CAN I CONTACT THE DATA CONTROLLER?
You can contact the Controller as follows:

• By post: DB S.r.l., Via Trentola 40c, 47122 Forlì (FC), Italy
• By email: privacy@dorelan.it
• By certified email (PEC): dbcertificata@legalmail.it

The DPO can be reached at: dpo@dorelan.it.