PRIVACY POLICY
PRIVACY POLICY — VINTAGE BRO
Last updated: March 5, 2026
This information (“Privacy Policy”) is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and applicable Italian legislation (Legislative Decree 196/2003 as amended).
This policy applies to users who browse, register, and/or purchase on the Vintage Bro website (the "Site"). This policy does not apply to third-party websites/services that may be accessed via links.
1) Data controller
Paolo Musolino Company - VINTAGE BRO
Registered office and operational headquarters: Via Flaminia, 86 – 00060 Castelnuovo di Porto (RM) – Italy
VAT No.: 17754831000 – REA: RM – 1740894
Email: info@vintagebro.it
2) DPO (Data Protection Officer)
The Data Controller has not appointed a DPO, as the mandatory requirements set forth in Article 37 of the GDPR do not apply.
3) Types of data processed
3.1 Browsing data
During navigation, technical data such as IP address, device/browser identifiers, pages visited, access date/time, system parameters, security logs, and diagnostics may be collected. This data is processed for operational and security purposes.
3.2 Data provided voluntarily by the user
Depending on the features used, we may process:
- Registration/Account: first name, last name, email, phone number (if provided), addresses, order history, preferences (e.g., wishlist if active).
- Purchases: data required to process the order (personal details, email, telephone number, shipping/billing address, order contents, amounts, and tax code if required).
- Support/Contacts: data entered in communications (name, email, telephone number, message content).
- Newsletter: email and marketing preferences.
3.3 Payment data
Payment data (e.g., credit cards, PayPal, Klarna, or other methods) are not managed directly by the Owner, but by the relevant payment providers. The Owner generally receives only the outcome and/or technical identifiers of the transaction. For PayPal, please refer to the relevant information.
3.4 Cookies and tracking tools (Analytics and Marketing)
The Site uses cookies and similar tools. In particular, if activated:
- Google Analytics (measurement and statistics);
- Meta Pixel (conversion measurement and marketing/remarketing activities);
- TikTok Pixel (conversion measurement and marketing/remarketing activities).
Profiling/marketing cookies are used only with the user's prior consent, given via the cookie banner. The information and consent rules are described in the Site's Cookie Policy and in the banner/CMP.
4) Purpose of the processing and legal bases
A) Operation, security and abuse prevention
- Technical management of the Site, security, logs, fraud prevention, system protection.
Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR) and technical necessity.
B) Registration and account management
- Account creation, personal area access, profile management, order history, preferences.
Legal basis: performance of the contract / pre-contractual measures (Art. 6(1)(b) GDPR).
C) Order fulfillment and online sales
- Checkout management, confirmations, shipping/delivery, operational and post-sales communications.
Legal basis: contract (Art. 6(1)(b) GDPR).
D) Legal and tax obligations
- Accounting, invoicing, legal obligations, requests from authorities.
Legal basis: legal obligation (Art. 6(1)(c) GDPR).
E) Customer service
- Responses to requests and complaints, customer care.
Legal basis: contract and/or legitimate interest (Article 6(1)(b)/(f) GDPR, as applicable).
F) Marketing (newsletter, promotions, new arrivals)
- Sending newsletters and promotional communications via Klaviyo, GetResponse, or Mailchimp.
Legal basis: consent (Article 6(1)(a) GDPR).
- The user can revoke consent at any time (see § 10).
G) Soft spam
If you purchase from the Site, we may send you emails about products/services similar to those you purchased, within the limits permitted by Italian law (Article 130 of the Privacy Code) and the guidelines of the Guarantor, with the option of a simple and free opt-out in each communication.
H) Statistics and measurement (Google Analytics)
- Traffic and performance analysis (including aggregated).
Legal basis: Consent via cookie banner, except for any configurations that make analytics comparable to technical analytics according to applicable guidelines.
I) Advertising/remarketing and conversion measurement (Meta Pixel / TikTok Pixel)
- Campaign measurement, conversion tracking, custom audiences/remarketing.
Legal basis: consent via cookie banner (profiling/marketing).
5) Nature of the provision of data
- The data required for the order/account is essential: without it we cannot provide the service (registration, purchase, delivery).
- Providing data for newsletters and marketing purposes is optional: if you do not consent, you can still purchase.
- Consent to marketing cookies/trackers is optional: the Site remains usable even if you refuse them (except for technical cookies).
If the user enters data of third parties (e.g. a gift recipient), the user guarantees that they are entitled to communicate such data.
6) Processing methods and security
The data is processed using computerized tools and, if necessary, paper-based ones, using logic consistent with the purposes and with appropriate security measures (access controls, procedures, credential protection, etc.).
7) Shopify platform, place of processing and transfers outside the EU
The Site is powered by Shopify, which operates with its own Data Processing Addendum (DPA).
The infrastructure and some providers may involve data processing and/or transfers to countries outside the EEA. In such cases, transfers are carried out with appropriate safeguards required by the GDPR (e.g., standard contractual clauses) and/or in accordance with adequacy decisions.
8) Newsletter (Klaviyo / GetResponse / Mailchimp or similar) and transfers
To manage newsletters and promotional communications, we use platforms such as Klaviyo, Mailchimp, or similar, which provide data processing agreements (DPAs) and mechanisms for international transfers (e.g., SCCs).
Klaviyo also indicates certification/adherence to the Data Privacy Framework (DPF) and the inclusion of SCCs in its DPA.
9) Data recipients (entities who may process them)
The data may be communicated to:
- personnel/collaborators authorized by the Owner;
- IT providers (Shopify and related apps), hosting, maintenance;
- couriers and logistics (shipping/delivery);
- payment providers (e.g. PayPal, Klarna, PSP cards) according to their policies;
- marketing/newsletter tools (Klaviyo/Mailchimp or similar);
- Google (Analytics) / Meta / TikTok only if the user gives consent via a cookie/marketing banner, according to the Cookie Policy;
- professionals (accountants, lawyers) and public authorities in the cases provided for.
The data is not disclosed to unspecified parties. The updated list of Data Processors pursuant to Art. 28 GDPR can be requested by writing to info@vintagebro.it.
10) Retention periods
Except as indicated in the Cookie Policy for cookies and trackers:
- Orders, invoices, accounting: up to 10 years (or a different term imposed by law).
- Account: until the user requests deletion, unless it is necessary to retain data relating to orders/legal obligations.
- Customer support: up to 12 months from the closure of the request, barring disputes.
- Newsletter/marketing: until consent is revoked and in any case for a reasonable period; as a general rule, no longer than 24 months in the absence of further interactions, unless consent/interest is renewed.
- Data for the protection of rights: for the time necessary to manage disputes/legal actions.
11) Rights of the data subject (Articles 15–22 GDPR)
The user can exercise the rights of access, rectification, erasure, restriction of processing, objection and portability, as well as withdraw consent, by contacting info@vintagebro.it.
The Data Controller responds within the terms set by the GDPR.
Revoke marketing consent
You can withdraw your consent:
- by clicking “unsubscribe” in any email, or
- by writing to info@vintagebro.it
Complaint
It is always possible to lodge a complaint with the Data Protection Authority.
12) Cookie management and consents (banner/CMP)
Consent to profiling/marketing cookies and trackers (Meta/TikTok and, as a rule, third-party Analytics) is managed via the banner/CMP, in line with the guidelines of the Guarantor (e.g., the option to opt out, granular choice, non-invasive re-presentation, etc.).
Preferences can be changed at any time via the cookie management system indicated in the Cookie Policy.
13) Minors
The Site is not intended for minors who are not old enough to provide valid consent under applicable law. If you believe a minor has provided us with data, please contact us to have it removed.
14) Transfers to the USA – Data Privacy Framework and other guarantees
Some providers may require data transfers to the United States. The EU adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) (July 10, 2023) and conducted subsequent revisions; furthermore, in 2025, the EU General Court upheld the framework's validity in a relevant case, increasing the legal certainty of transfers to certified organizations.
Where required or appropriate, suppliers also adopt Standard Contractual Clauses (SCCs).
15) Changes to this Privacy Policy
The Privacy Policy may be updated. If we make any significant changes, we will update the "Last Updated" date and may post a notice on the Site.