Privacy Policy

Dear User,
welcome to our website (hereinafter also the “Site”).

FATTORIA LA LECCIA SOCIETÀ AGRICOLA a r.l. (hereinafter also “Fattoria La Leccia”), always attentive to the respect and protection of personal data, invites you to carefully read this Privacy Policy, provided in accordance with Article 13 of EU Regulation 2016/679 (hereinafter also “Regulation” or “GDPR”), to communicate to you its policy regarding the processing of personal data collected during your browsing and/or following the use of the services provided.

We inform you in advance that the personal data collected will be processed in compliance with the national and European legislation on data protection and in accordance with the principles of fairness, lawfulness, transparency and protection of your privacy and your rights.

This document is to be considered an integral part of the General Conditions of Sales available at https://www.laleccia.it/content/dam/laleccia-website/legal-documents/General_Conditions_Sale.pdf as well as of the other notices provided on the Site, including any detailed privacy notices on the processing of personal data in its various sections, designed to specify the methods and purposes of processing related to the provision of specific services and/or information of various kinds and subject, where appropriate, to the consent of the data subject.

This Privacy Policy concerns this Site only, and not any other website the User may have visited by following a link or banner.

Table of Contents

1. Data Controller
2. Type of personal data processed
3. Purpose and methods of data processing
4. Legal basis for processing
5. Recipients/Categories of recipients of personal data
6. Collection of data and consequences should they not be provided
7. Revocation of consent
8. Data retention period
9. Data subject’s rights
10. Complaint to the Supervisory Authority for the Protection of Personal Data
11. Minor’s personal data
12. Updates and changes
13. Interactions with Social Networks
14. Processing of statistical data with Facebook

1. Data Controller

The Controller is FATTORIA LA LECCIA SOCIETÀ AGRICOLA a r.l, via Lorenzo il Magnifico n. 14, 50129 Firenze (FI), e-mail: privacy@laleccia.it.

2. Type of personal data processed

Fattoria La Leccia collects and processes the User’s personal data (hereinafter jointly referred to as "Personal Data" or "Data") and, specifically:

- Data voluntarily provided by the User, also by means of special forms: identification and contact data, e.g. name, surname, address, telephone number, e-mail address.

- Browsing data: within their normal operation, computer systems and software procedures used to operate this Site acquire some personal data whose transmission is implicit in the use of internet communication protocols.

This information is not collected in order to be associated with identified data subjects, but by its nature it could, through processing and association with data held by third parties, allow Users to be identified. This category of data includes the IP addresses or domain names of the computers used by Users who connect to the Site, the URI (Uniform Resource Identifier) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the reply provided by the server (successful, error, etc.) and other parameters regarding the User's operating system and computer environment.

These data are not disseminated, but are used only to obtain anonymous statistical information on Site use and to check its proper functioning, and they are stored for the times defined by the relevant legislation. However, these data may be used to ascertain responsibility in case of hypothetical computer crimes against the Site.

- Cookies: the Site uses automated data collection systems, such as cookies, for data not directly provided by the User. A cookie is a kind of reminder of the Internet page you visit: it contains brief information that can be saved on your computer when your browser calls up a particular website. This enables the Site to automatically adapt to the User, for example by sending content in a format that is compatible with the browser used, or with given user settings (style, colours, etc.).

There are various types of cookies, with different characteristics and functions, that may be saved on the User’s computer for varying amounts of time.

This Site uses the following types of cookies:

- technical cookies (navigation cookies or session cookies): they ensure standard browsing and use of the Site (for example enabling purchases or login authentication in order to access reserved members’ pages). They are also used to carry out the transmission of a communication on an electronic communication network or to provide a service explicitly requested by the User; they are not used for further purposes and are normally installed directly by the website operator;

- analysis cookies: these are tools for aggregated and anonymous web analyses, which gather information on how Users utilize the Site, how they arrived there, and the number and duration of their visits. These cookies are not necessary for an optimal Site experience, and therefore can be disabled;

- profiling cookies: these are cookies used to trace specific actions or recurrent behavioural patterns in the use of the functions offered (patterns) back to specific identified or identifiable subjects, in order to group the various profiles into homogeneous clusters of different sizes, so that increasingly targeted advertising messages can be sent, e.g. in line with the preferences expressed by the User when browsing;

- third party cookies: cookies installed by third party websites different from the one the User is visiting. On each site there may be items (images, maps, sounds, specific links to web pages of other domains, etc.) that reside on different servers from the site visited.

For further information on the use of cookies through this Site, including information on how to set your preferences, please read our “Cookie Policy”.

Fattoria La Leccia does not collect and process information relating to User's payments in case of online shopping through the appropriate section of the Site.

The details of the payment instruments used (e.g. credit card number, holder, expiration date, security code, etc.) will be encrypted and sent directly to the payment manager chosen by the User, as indicated in Article 8 of the General Conditions of Sales available at https://www.laleccia.it/content/dam/laleccia-website/legal-documents/General_Conditions_Sale.pdf.

3. Purpose and methods of data processing

User’s Personal Data are collected and processed by the Controller for the following purposes:

A) to allow the User to access and browse the Site;

B) to allow the User to register on the Site by setting up an account ("My Account") in order to buy products and to use any services reserved for registered Users;

C) to maintain and manage the User's account by allowing the storage of data and information (e.g. tracking order status, order history and any returns, etc.);

D) to allow the User, whether registered or not, to add the products he/she intends to buy to the cart and to conclude the purchase contract through the Site by issuing and sending the Order Confirmation by the Controller;

E) for security purposes such as, for example, preventing possible fraud relating to credit card payments;

F) to prevent the improper use of the Site, for example by verifying the age of the User making purchases or by refusing, cancelling and/or deleting Purchase Orders for products coming from Users with whom the Controller has a legal dispute in progress, from Users who have violated the General Conditions of Sales, or from Users who have issued false, incomplete or otherwise inaccurate identification data during the registration and/or issue of the Order;

G) to fulfil the contractual obligations through the execution of the purchase contract concluded by the User through the Site, including the shipment of the purchased products and the possible management of stock of products that were not collected;

H) to inform the User of any cases of failure to complete the purchase, e.g. due to the unavailability of the product sold through the Site and indicated in the Purchase Order or in cases of cancellation/deletion of the Purchase Order (e.g. due to non-payment by the User or in the case of unconfirmed payments or non-delivery of the products "in stock" caused by the absence of the recipient);

I) to proceed with the communication and execution of any refunds related to purchases made through the Site;

L) to contact the User back and reply to the messages received;

M) to provide general assistance to the User (Customer Care) by responding to requests for information, sending communications, handling assistance requests and responding to and handling complaints or any returns from the User;

N) to fulfil administrative, accounting and/or fiscal obligations, connected with the provision of the Site's services and/or the purchase contract concluded online, such as, for example, the issue and sending, if requested by the User, of the sales invoice;

O) to respond to requests to exercise the right of withdrawal and/or the requests to exercise the legal warranty of conformity and/or other rights arising from the purchase contract concluded through the Site and/or provided for by law in relation to such contract, carrying out the activities that prove necessary as a result of the exercise of such rights (e.g. management of refunds);

P) to handle any out-of-court disputes (e.g. by means of alternative dispute resolution procedures also through EU platforms for online dispute resolution), in judicial and/or administrative courts, or in the European Small Claims procedure;

Q) with User’s express consent, for direct marketing purposes and, specifically:

a) to send information and promotional material regarding goods and services and future promo-advertising activities by the Controller, also via post, e-mail and sms;

b) to send commercial communications and information, promotional and advertising material (e.g. brochures, catalogues, samples, e-mail, etc.), material relevant to marketing campaigns and events, and to carry out market research through questionnaires, also via post, e-mail and sms containing information relevant to products, events or promotions;

c) in anonymous and/or pseudonymised form, to carry out market research and statistical analysis on the methods and/or propensities to consume with the possible creation of profiles which refer to anonymous consumer groups defined by common characteristics (age groups, geographical area of residence, etc.);

d) to contact the User back and keep him/her updated regarding Fattoria La Leccia’s new initiatives by sending communications, special offers and promotional material or similar initiatives via post, e-mail and sms;

R) to send, with User’s express consent, Fattoria La Leccia’s newsletter.

Personal Data will be processed by the Controller, Processors and third parties authorised to process the data (“Authorized” or “Appointees”), in compliance with all of the measures appropriate to guarantee security and confidentiality, using paper and with the aid of IT instruments (including management and use of database marketing), pursuant to principles of law, protecting the data subject’s confidentiality and his/her rights, by adopting appropriate technical and organisational measures to guarantee an adequate level of security for the risk.

Specific and appropriate technical and physical security measures will also be adopted to avoid the risks of loss, destruction and unauthorised access to data, including encryption systems for data relating to the methods of payment used by the User to shop on the Site.

4. Legal basis for processing

The legal bases of the processing for the purposes set out in point 3 are:

- for letters B), L), Q) and R): freely expressed consent pursuant to Article 6, par. 1, letter a), of the Regulation;

- for letters A), C), D), G), H), I) and M): the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in accordance with Article 6, par. 1, letter b) of the Regulation;

- for letters N) and O): the performance of a contract to which the data subject is party in accordance with Article 6, par. 1, letter b) of the Regulation, as well as compliance with a legal obligation to which the Controller is subject in accordance with Article 6, par. 1, letter c) of the Regulation;

- for letters E), F) and P): the legitimate interests pursued by the Controller or by a third party in accordance with Article 6, par. 1, letter f) of the Regulation.

5. Recipients/Categories of recipients of the personal data

User’s Personal Data can be communicated exclusively for the above purposes, to the following categories of recipients:

- companies, consultants or professionals in charge of the design and implementation of websites and technological solutions as well as, in general, of the management of Fattoria La Leccia's hardware and software systems (including the online platform used for the sale of products and the marketing platform used to send newsletters) and the suppliers of cloud computing services, including third parties that the above mentioned subjects may use;

- companies in charge of sending commercial communications both by e-mail and by post, or public or private entities that manage the service of delivery of ordinary and commercial correspondence, including third parties that may be used by the aforementioned parties;

- companies that carry out activities of packaging and/or shipping and delivery or collection of the products purchased on the Site and third parties that they may make use of;

- payment service providers and/or credit institutions in order to allow the payment of the purchases made on the Site or their refund - if applicable - and third parties that they may use;

- persons, companies, associations or professional firms that provide services and activities of assistance and consultancy to the Controller, with particular but not exclusive reference to accounting, administrative, legal, tax and financial matters, who need to access the Data for purposes that are auxiliary to the service provided through the Site and relevant activities, within the limits strictly necessary for the performance of its duties;

- associate companies, companies belonging to the same Corporate Group as Fattoria La Leccia;

- parties whose right to access your Data is recognised by provisions of the law and secondary legislation;

- other parties may gain knowledge of your Personal Data, such as Fattoria La Leccia employees who are assigned tasks necessary to fulfil the requests and provide services.

These parties act as Authorized, Controllers or Processors in accordance with Article 28 of the EU Regulation, parties that Fattoria La Leccia uses to carry out its activities and which offer suitable guarantees of compliance with the regulations on the processing of personal data.

Any transfer of the Data to countries outside the EU, due for example to specific needs related to the location of the services provided by the suppliers, will be made based on an adequacy decision of the European Commission or, in the case of transfers referred to in Articles 46, 47 or 49 of the European Regulation, based on the conditions set out therein and of appropriate guarantees, including, where applicable, standard contractual clauses.

Your Personal Data will not be disclosed in any way.

6. Collection of data and consequences should they not be provided

The provision of Personal Data that are requested on the various occasions of collection is mandatory with reference to the purposes referred to in point 3 letters N) and O) as their processing is necessary to comply with the legal obligations imposed on the Controller or to allow the User to exercise his/her rights based on the law and/or the contract.

The provision of the Data requested with reference to the remaining purposes indicated in point 3 is, instead, optional; however, failure to provide such Data may make it impossible to achieve the related collection purposes (for example, the impossibility of: accessing and browsing and registering on the Site; using the services reserved for registered Users and the management and maintenance services of My Account; entering into and following up the products purchase agreement or any refunds; receiving communications regarding the purchase or response to requests and in general to use customer care services; receiving direct marketing communications and newsletters, etc.).

7. Revocation of consent

The User has the right to withdraw the consent previously given for the purposes set out in point 3 at any time, without affecting the lawfulness of the processing carried out based on the consent given before its withdrawal. In order to withdraw your consent for the processing, it will be sufficient to send your request for revocation of consent to the Controller by registered letter or e-mail at the addresses and contact details indicated in point 1 of this Privacy Policy.

8. Data retention period

Personal Data will be retained for the period strictly necessary to achieve the purposes indicated in point 3 and, therefore:

(i) for the period necessary to allow browsing of the Site with reference to the purpose referred to in letter A);

(ii) until the revocation of the consent with reference to the purpose referred to in letter B), taking into account the technical time necessary;

(iii) for the period of registration to the Site with reference to the purpose referred to in letter C);

(iv) until the delivery of the product or the end of the contract for the purposes referred to in letter D) and from F) to I);

(v) for the time necessary to provide the information requested by the User with reference to the purpose referred to in letter L);

(vi) for the time necessary to respond to requests for information, to send communications and handle requests for assistance from the User or to respond to and handle complaints or any returns with reference to the purpose referred to in letter M);

(vii) until the terms provided for by the law for the performance of administrative-accounting and/or fiscal obligations, including the retention periods provided for with reference to the relevant documentation for the purpose referred to in letter N);

(viii) until the expiry of the legal terms provided for the exercise of the rights or for the time necessary for the management and closure of the file with reference to the purpose referred to in letter O);

(ix) for 10 years from the delivery of the product or from the end of the contract or from the closure of the file relating to the exercise of the rights provided for by law and/or the contract, with reference to the purposes referred to in letters E) and P);

(x) for the maximum storage period of 24 months for the purposes referred to in letter Q), without prejudice to the possible revocation of consent, in which case Fattoria La Leccia will proceed without delay to the deletion of Personal Data;

(xi) until the revocation of consent for the purposes referred to in letter R).

9. Data subject’s rights

At any time, the User can exercise his/her rights towards the Controller in accordance with Articles 15 et seq. of the Regulation, which we reproduce here below for your convenience:

— Right of access and rectification (Arts. 15 and 16 of the Regulation): the User has the right to obtain confirmation that his/her Personal Data is being processed and, in this case, to obtain access to them. The User also has the right to request the rectification of inaccurate Personal Data that concerns him/her and to obtain the completion of incomplete Data. If the User wishes, we will provide him/her with a copy of his/her Data in our possession.

— Right to erasure of the data (Art. 17 of the Regulation): in the cases envisaged by current legislation (e.g. the personal data is no longer necessary for the purposes for which they were collected or otherwise processed, revocation of consent, unlawful processing, etc.), the User can request the erasure of his/her Personal Data, which Fattoria La Leccia will carry out without delay, taking into account the possible need to keep the Data temporarily in order to carry out the purchases made by the User and/or to conclude the relevant administrative - accounting and/or fiscal procedures.

— Right to the restriction of processing (Art. 18 of the Regulation): in the cases provided for by current legislation (inaccuracy of personal data, unlawful processing of data, etc.) the User has the right to obtain the restriction of the processing of his/her Personal Data.

— Right to data portability (Art. 20 of the Regulation): the User has the right to receive his/her Data in a structured, commonly used and machine-readable format, in order to transmit them to another Controller; where requested, we will send your Data directly to the other Controller.

— Right to object (Art. 21 of the Regulation): the User has the right to object at any time, for reasons connected to his/her particular situation, to the processing of the Personal Data that concerns him/her in accordance with Art. 6, paragraph 1, letter e) or f) of the Regulation, including profiling based on such provisions (legitimate interest of the Controller).

To exercise these rights it will be sufficient to contact the Controller by registered letter or e-mail at the addresses indicated in point 1, also using the forms made available on the Data Protection Supervisory Authority’s website (www.garanteprivacy.it).

Upon receipt of your request, Fattoria La Leccia has one month to take all the necessary actions. Within this deadline, despite the exercise of the rights, the User may receive further automated communications whose sending was planned prior to your request.

The deadline of one month can be extended to two months in the event of complex or numerous requests.

10. Complaint to the Data Protection Supervisory Authority

Should the User believe that there has been a breach of his/her right to the protection of the Personal Data, it is his/her right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data using the methods and in compliance with the terms on the website of the Data Protection Supervisory Authority (http://www.garanteprivacy.it).

11. Minors’ personal data

The services of this Site are aimed at the general public and are not intended for minors under the age of 18. We do not knowingly collect Personal Data from Users under this age.

By using the services that require the provision of Personal Data, as well as by proceeding with the purchase through the Site, the User guarantees that he/she is 18 years of age or older.

Should the Personal Data belonging to a minor under the age of 18 be released, the Controller will immediately delete them.

12. Updates and changes

The Controller may modify, supplement or simply update, in whole or in part, this Privacy Policy also in consideration of legislative changes or the entry into force of new sector regulations.

Updates and changes will be communicated by publication on this Site.

The User is therefore invited to regularly access this section to check the publication of the most recent and updated Privacy Policy.

13. Interactions with Social Networks

The Site allows Users to interact with social networks by means of a direct connection through so-called social buttons, special clickable elements on the Site that depict the icons of, e.g., Facebook and Instagram and allow Users who are browsing to reach and interact with the social platforms directly with a "click"; those platforms will be able to acquire the Data related to the User's visit.

For further information we invite the User to refer to the privacy policies of the specific social networks.

14. Processing of statistical data with Facebook

This privacy notice is also provided for the page https://www.facebook.com/fattoriaLL/ for which Fattoria La Leccia is Joint Controller of the statistical data processing together with Facebook Ireland Limited.

The personal data processed are the statistical data acquired through the Insight function of the Fattoria La Leccia Facebook page, which offers aggregate data that help to understand how people interact with the social network pages.

At this link the User can consult the section of the Facebook page called "Information about Page Insights", which indicates the responsibilities of Facebook Ireland and the user (in this case Fattoria La Leccia) as administrator of the page https://www.facebook.com/fattoriaLL/.

On this page you can consult the Facebook privacy policy and find, among others, the following information:

— What kinds of information are collected by Facebook
— How Facebook uses this information
— How Facebook shares this information
— How Facebook Companies work together
— Legal basis for processing data
— How to exercise the rights provided under the GDPR
— Data retention
— How Facebook responds to legal requests or prevents harm
— Data management and transfer within global services
— Facebook Ireland's contact details for data protection issues
— How to contact Facebook Ireland Data Protection Officer

On this page you will find the Facebook Ireland cookie policy.