Privacy Notice Shoppy web site and Shoppy (App)

Last update: January 21, 2025

The privacy notice is that document that explains how we process your personal data, both on the website https://shoppy.is/ (“Site”) and on the platform “Shoppy.is” (the “App” or “Shoppy”) in compliance with Articles 13 and 14 of the European Data Protection Regulation (Reg. (EU) No. 679/2016, from now on the “Regulation” or “GDPR”) Whenever this document is updated or modified, we will notify you.

1. Who is the Data Controller?

The Data Controller, in this case Mumble S.r.l., P.IVA 03525740365, with registered office in Via Tacito 17 – 41123 – Modena (MO), email: [email protected] (hereinafter the “Data Controller”, the “Company” or “Mumble”).

2. Processed data

As you browse and use the Site and App, we may collect and process various information (the “Data”) about you, whether you are a Merchant or an End-User. In particular, because Shoppy is an App developed on the basis of Shopify, some Data will be obtained directly from Shopify. We may request additional data directly from you.

1) Data transmitted directly by Shopify, Inc:

Type od Data Data Subject

Anagraphical data: name, surname

Contact data: address,e-mail, phone number

Merchant

Anagraphical data: name, surname

Contact data: address,e-mail, phone number

Browsing data: IP address, geolocalization, Information about the operating system used

Usage data: information generated in the context of Site and App usage, such as e.g., log data, data related to registrations made, interaction processes, performance indicators, data related to navigation flows and feature usage, user IDs, and device IDs

Data related to requests for assistance: request content

End-user

2) Data collected directly from Mumble:

Type of Data Data Subjects

Anagraphical data: name, surname

Contact data: address,e-mail, phone number

Industry

Merchant

3. What do we need your data for? What legal basis authorizes us to process it and how long do we keep it?

Mumble acquires and processes your Data for the purposes specified below. Processing is legitimized by the legal basis highlighted for each purpose under Article 6 of the Regulations. 

The data will be kept in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the stated purposes, in accordance with the principle of minimization under Art. 5.1 c) GDPR.

Purpose Legal Basis Data Retention

A. Registration and Authentication to the App

Data will be processed for registration or authentication to the App in order to allow you access to the services offered in Shoppy.

Execution of pre-contractual and contractual measures.

[Art. 6.1(b) GDPR].

Data will be retained until the account is deleted, unless the data is retained to fulfill legal purposes.

B. Provision of services offered through the Site and App.

Data will be processed to provide you with the requested services, (e.g., account management, credential retrieval, etc.).

Execution of pre-contractual and contractual measures.

[Art. 6.1(b) GDPR].

Data will be retained until the account is deleted, unless the data is retained to fulfill legal purposes.

C. Handling and processing of requests for information and support.

The Data provided will be processed to manage and respond to requests for information and technical support, as well as for the purpose of assisting you before, during, and after the provision of our services.

Execution of pre-contractual and contractual measures.

[Art. 6.1(b) GDPR].

The data will be kept for the period necessary to process the request, except for the period necessary to defend Data Controller’s rights.

D. Fulfillment of legal obligations 

Your Data will be processed by Mumble in order to fulfill obligations arising from applicable laws, regulations or EU legislation (e.g. tax and accounting obligations) or management and response to requests from competent administrative and tax authorities as well as judicial authorities.

Legal Obligation.

[Art. 6.1(c) GDPR].

According to applicable regulations.

E. Customer Satisfaction e miglioramento dei prodotti/servizi del Titolare.

Potremo trattare i tuoi Dati per svolgere survey/sondaggi al fine di valutare il rendimento e il livello di gradimento dei servizi offerti.

Legitimate interest

[art. 6.1 f) GDPR]

attributable to the need to improve the services offered to Users.

Personal data will be kept for no more than 6 months after participation in the survey.

F. Operation, maintenance and improvement of the Site and App.

Data Controller will process Users’ Data to enable navigation, consultation of the Site, as well as to improve your browsing experience.

Legitimate interest

[art. 6.1 f) GDPR] 

traceable to the Data Controller’s need to enable the enjoyment and improvement of the Site.

Not applicable (aggregate or anonymous data).

G. Direct Marketing

Data will be processed for direct marketing activities, i.e. for sending (by text message, e-mail, paper mail, social media, operator call, push notification etc.) communications having promotional and/or advertising content of the products or services offered by Data Controller.

Consent

[art. 6.1 a) GDPR].

Data will be retained until consent is withdrawn or objection to processing is made, but no longer than 2 years from the date of last contact.

H. Newsletter

Data will be processed to send the newsletter and to send information about new Data Controller App features, updates and events.

Consent

[art. 6.1 a) GDPR].

Data will be retained until consent is withdrawn or objection to processing is made, but no longer than 2 years from the date of last contact.

I. Soft spam

The Data will be processed for the purpose of sending, via e-mail and/or paper mail, communications having promotional, informational and/or advertising content, in relation to products or services similar to those being sold pursuant to art. 130 co. 4 D. Lgs. 196/2003 (“Privacy Code”).

Legitimate interest 

[art. 6.1 f) GDPR]

referring to Data Controller’s desire to maintain the business relationship with the user by forwarding communications consistent with the customer’s past business experience.

Data will be retained for as long as is strictly necessary to achieve the legitimate interest and until the data subject objects to the processing.

L. Profiling

Subject to your consent, we may process Data voluntarily provided by you and Data acquired in the course of using the services through the App to conduct analyses, automated and/or manual, aimed at proactively and/or reactively detecting your preferences/choices in order to meet your needs and direct proposals consistent with your profile and interests.

Consent

[art. 6.1 a) GDPR].

Personal data will be retained until consent is withdrawn or objection to processing is made, but no longer than 12 months from the date of last contact.

M. Complaint handling, protection of interests and exercise of the right of defense 

Mumble may process Users’ data to exercise and protect their rights in extrajudicial and judicial proceedings.

Legitimate interest

Legitimate interest

[Art. 6.1 f) GDPR] attributable to the need to establish, exercise or defend a right and/or interest.

Personal data will be retained for the period necessary to defend or exercise the right.

N. Interaction with social networks and external platforms

The Site incorporates so-called “social plug-ins” that, through the Site and the App, allow direct access to the Data Controller’s institutional social channels. Information on how data is processed there will be provided by the relevant social networks. Each of the social plug-ins on the Site is identified by the logo owned by the social platform. Should you interact with the social plug-in, your information is directly communicated to the social platform that processes your Data.

Legitimate interest

[art. 6.1 f) GDPR]

Data will be stored for as long as necessary to enable interaction with social networks and external platforms.

O. Statistical activities and market surveys

Your Data may be processed in order to enable statistical analysis and market surveys to be carried out.

Legitimate interest

[art. 6.1 f) GDPR]

Data will be kept for as long as necessary to carry out market analysis.

P. Activities related to the completion of corporate transactions.

Your Data will be processed for the purpose of enabling communication in the event of corporate transactions.

Legitimate interest

[Art. 6.1 (f) GDPR] attributable to the need to finalize corporate operations.

Personal data will be kept for as long as necessary for this purpose.

With reference to the purposes in points a), b) for communications related to the contractual relationship, c), e), through the mobile app, Mumble may send email communications to you.

 

The provision of your Data for the purposes set out in points a), b), c) and d) is necessary and mandatory. In case of denial, we will not be able to follow up on the contractual relationship with you and the related provision of the requested services.

 

The processing activities under e), f), i), l), m), n) and o) do not require your specific consent as they are based on the Data Controller’s legitimate interest provided for in Article 6, c. 1, lett. f) of the GDPR. In any case, in accordance with the GDPR, we have carried out a thorough balancing of interests aimed at protecting and ensuring the privacy and fundamental rights of data subjects.

 

The provision of your Data for the purposes under g), h), k) is not mandatory. Your prior consent is therefore required, which Mumble will request from time to time in the most appropriate form for each of the activities described above. In any case, the consent given is revocable by you at all times without any consequences with respect to your contractual relationship with the Company.

 

With respect to the purpose under n) (data collected through interaction with Meta Platforms Ireland Limited’s (“Meta”) social plug-in), the data collected relates to HTTP header information that includes information about the web browser or app used (e.g., user agent, country/language) and other identifiers, including IP addresses and, if provided, Meta-related identifiers or device identifiers (e.g., mobile operating system advertising IDs) and information about refusal/restricted ad tracking status. For this purpose, the Company and Meta act as joint data controllers under Article 26 GDPR by jointly determining the manner and purpose of processing. The Company and Meta have entered into a special agreement (available at the following link) to determine their respective responsibilities regarding compliance with their obligations under the GDPR in connection with the Joint Processing.

 

When accessing the Site or App, LinkedIn Corporation will collect certain data about you such as IP addresses, time, device and browser information from which you are connecting for security, fraud prevention and traffic management purposes. For more information visit the following page.

4. To whom do we communicate your data?

Mumble may disclose certain of your Data to entities it uses to perform activities necessary to achieve the purposes set forth and described in Section 4 above, including but not limited to:

(i) Internet or application service providers and platforms used by Mumble;

(ii) Shopify, Inc. for the management of the commercial platform, whose privacy policy is available at the following link;

(iii) consultants and other service providers who perform activities on behalf of Mumble and who need to know this information in order to provide such services (e.g., tax consultant); 

(iv) public entities to which such data must be mandatorily disclosed due to legal provisions or orders of the Authority.

 

These subjects act as autonomous Data Controllers or Data Processors. In the latter case, Mumble has entered into a specific agreement pursuant to Article 28 GDPR (Appointment as Data Processor). The list of Data Processors can be requested by contacting Mumble at the contact details indicated in paragraph 2 above.

 

Your Data will be processed by Mumble’s internal staff specifically authorized under Article 29 GDPR.

5. Is your data being transferred to a country outside the EU?

As some important service providers to our infrastructure are based outside the European Union (e.g. Cloud service providers), by using our services your Data may be stored on servers located outside the European territory.

In such cases, we ensure that your Personal Data is processed in accordance with applicable law by adopting appropriate safeguards (such as adequacy decisions, standard contractual clauses approved by the European Commission, or other safeguards under the GDPR) as well as suitable and appropriate security measures to protect the confidentiality of your Data.

More information about the transfers and safeguards adopted can be obtained by writing to the contact details set out in paragraph 2 above.

6. What are your rights and how can you exercise them?

As a data subject, you have the right to:

  • receive confirmation of the processing of your Data; request access to and copies of your Data;
  • request rectification or updating of your Data, where inaccurate or incomplete;
  • request, under certain circumstances, the deletion of the Data relating to you or the restriction of the processing involving your Data;
  • object to the processing, including profiling (right to object), subject to the existence of an overriding legitimate reason for the Company to continue processing
  • withdraw consent, where given, to marketing activities;
  • request data portability, where applicable;
  • propose a complaint to the Control Authority or appeal to the Judicial Authority. In Italy, said supervisory authority is represented by the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).  

Pursuant to Article 2-terdecies of the Privacy Code, in the event of your death, the aforementioned rights referring to your personal data may be exercised by those who have an interest of their own, or act as your proxy, or for family reasons worthy of protection. You may expressly prohibit the exercise of some of the rights listed above by your assignees by sending a written statement to the Company at the e-mail address listed below. The statement may be revoked or modified later in the same manner.

The above rights may be exercised against Data Controller by writing to the e-mail address [email protected] at the contact details given in paragraph 1 above.