Privacy policy for processing personal data


Kopjra S.r.l. (hereinafter “Kopjra” or “Data Controller”), as Data Controller, informs you in accordance with Article 13 of the EU Regulation 2016/679 (“GDPR”) and the current legislation on the protection of personal data that your data, within the context of this website (hereinafter “Website”) will be processed in the following manner and for the following purposes.

Unless otherwise indicated, what is contained in this notice shall be understood to apply to personal data processed in the context of the use of the Website. It is understood that for the processing of personal data carried out for purposes other than those indicated below, the processing notices relating to the services considered from time to time will apply.


1. Data controller

The data controller is Kopjra S.r.l., with registered office in Via Rizzoli n. 1/2, Bologna (BO), Italy, VAT 03904120247.

This information notice may be subject to updates and changes, in relation to which the Data Controller will inform the interested party.


2. Types of data processed

We receive and store information and the following categories of personal data, to be distinguished as the Data Controller and acting as the external Data Controller:

  • As the Data Controller, Kopjra processes:
    • common personal data collected from users while using the Website and/or while purchasing products online at Store and/or during telephone contacts for market research or telemarketing purposes, in particular, by way of example: first and last name, VAT number, telephone number, e-mail address, data necessary for registering an account on Kopjra's sites, payment data, profession data, browsing data (such as IP address and session ID).
  • As the Data Processor, Kopjra processes on behalf of and at the instruction of the client Holder:
    • personal data uploaded by the Client to the Responsible Party's software through the use of the services offered therein or, in general, all personal data processed by the Responsible Party on behalf of the Client in the provision of the Services.

3. Purposes and legal bases of processing

Personal data are processed for the purposes and legal bases described below:

  1. the fulfillment of contractual and pre-contractual commitments (art. 6.1.b GDPR), in particular in order to:
    1. give feedback to user requests (by way of example, for the management of contact requests via contact form, to calculate the quote requested by the user or for the management of registration requests for events organized by Kopjra);
    2. creating and managing accounts on the Website;
    3. managing purchases made on the Store and providing related services/products to customers;
    4. viewing and downloading resources made available on the Website;
    5. enabling the user to use the Website, including technical management of the Websites and their operational functions;
  2. only with your express consent (art. 6.1.a GDPR) Kopjra will process your data in order to:
    1. send communications of a commercial and/or promotional nature through special mailing lists in which the user has freely decided to subscribe or as a result of telephone contact referred to in point IV.c) below;
  3. the fulfillment by the Controller of obligations by law, regulations or by national and EU legislation or imposed by the competent authorities (art. 6.1.c. GDPR).
  4. the pursuit of a legitimate interest of the Data Controller (Art. 6.1.f. GDPR), such as:
    1. exercise or defense of a right in court or before an Authority;
    2. management and maintenance of the Website and its subdomains: the interest of the Data Controller relates to the general interest of a business in ensuring business operations, including through the operation of the Website and possible efficiencies in the service offered;
    3. telephone contact to companies and professionals for the purpose of market research and/or telemarketing, subject to proper registration with the Public Register of Oppositions (RPO);
    4. prevention and detection of fraudulent activities or abuses harmful to the Website: the Holder's interest refers to the legitimate, real and current interest in not suffering damage as a result of the unlawful conduct of others.

4. Methods of processing

The processing of your data is carried out, both in paper and computerized mode so as to minimize the risk of destruction, loss (including accidental loss), unauthorized access/use or use incompatible with the initial purpose of collection. This is achieved with the technical and organizational security measures implemented by the Data Controller.


5. Data retention

The Data Controller processes personal data for the time necessary to fulfill its purposes, and in any case no longer than the periods of time indicated below. It is understood that, at the end of these periods, the Controller will nevertheless be entitled to further retain personal data, in whole or in part, for certain purposes, as expressly required by specific legal provisions or to assert or defend a right in court.

In the context of the use of the Website, the Data Controller processes personal data for the time necessary to fulfill the purposes set out in Section 3 (Purposes and legal bases of processing) and in any case by way of example:

  • for the fulfillment of contractual and pre-contractual commitments, the data will be retained for the duration of the contract and, thereafter, for a period of 10 years starting from the termination of the contract;
  • for the time required by the applicable regulatory provisions in relation to the purposes of fulfilling the Holder's legal obligations.

As for telephone contacts for market research and telemarketing activities, in case of manifestation of unwillingness to continue in the possible business relationship, they will be deleted within 30 days.


6. Provision of data

In the context of the use of the Website, the provision of personal data:

  • for the purposes of fulfillment of contractual and pre-contractual commitments of the use of the Website is mandatory. This data is necessary for the relationship with the Owner and the use of services. The user can still decide not to give personal data; however, in the absence of these personal data it will not be possible to use the services of the Owner;
  • for the purposes of fulfillment by the Controller of legal obligations is mandatory. Such processing is necessary to fulfill a legal obligation to which the Controller is subject and does not require the user's consent.
  • for processing where your consent is required, it is optional. Failure to provide your personal data does not prevent the use of the Owner's Services but does not allow you to receive updates on initiatives and offers proposed by the Owner. Equally optional is the processing of data subject to legitimate interest, for which it is always possible for the interested party to object and thus prevent processing.

7. Communication of data

Within the above-mentioned purposes, the Data Controller may communicate your data to:

  • employees and collaborators of the Data Controller, duly instructed and authorized to the processing pursuant to Articles 29 GDPR and 2-quaterdecies Legislative Decree 196/2003;
  • third parties (e.g., IT or storage service providers, hosting providers, etc.) who perform outsourcing activities on behalf of the Data Controller and who will process the data in their capacity as autonomous data processors or controllers;
  • judicial or police public authorities, within the limits established by applicable laws; authorities or administrative bodies involved in the processing (e.g. Fondazione Bordoni for the management of the Register of Oppositions).

You may request from the Data Controller, at any time, the updated list of data processors.


8. Data transfer

Personal data may be transferred to a third country or international organization exclusively for the purposes indicated above. This will be done exclusively on the basis of an adequacy decision pursuant to art. 45 GDPR or, in any case, in compliance with the guarantees set out in Chapter V of the GDPR.


9. Rights of the data subject

The Data Controller informs you that, as a data subject, if the limitations provided by law are not met, you have the right to:

  • obtain confirmation of the existence or otherwise of your personal data, even if not yet recorded, and that such data is made available to you in an intelligible form;
  • obtain access to your personal data and information relating to the processing and request a copy thereof;
  • to obtain, without undue delay, the updating and correction of inaccurate data or, where relevant, the integration of incomplete data;
  • revoke at any time, easily and without hindrance, the consents given, using, if possible, the same channels used to provide them;
  • obtain, pursuant to art. 17 GDPR, the deletion of your personal data;
  • obtain, in the cases referred to in art. 18 GDPR, the restriction of processing;
  • receive, where processing is carried out by automatic means, without hindrance and in a structured format that is commonly used and readable, the personal data concerning you to transmit them to another owner or - if technically feasible - to obtain direct transmission from the Owner to another owner;
  • oppose, in whole or in part, for legitimate reasons related to your particular situation, the processing of personal data concerning you; in the case of marketing purposes or market research, based on legitimate interest, you can always object, without needing to give a reason;
  • submit a complaint to the Data Protection Authority.

In the cases mentioned above, where necessary, the Data Controller will inform the third parties to whom your personal data are communicated of the possible exercise of the rights on your part, except for specific cases (e.g. when such fulfillment proves impossible or involves the use of means that are manifestly disproportionate to the protected right). The data subject has the right to lodge a complaint if he or she believes that his or her rights have been affected.

For any further information, please consult the website of the Authority for the protection of personal data - www.garanteprivacy.it - where you will find a section dedicated to these rights.


10. How to exercise rights

You may at any time exercise your rights:

  • by sending a registered letter a.r. or other postal correspondence to the address of the Controller;
  • by sending an email to privacy@kopjra.com;
  • by sending an email to the Kopjra Data Protection Officer (DPO) at dpo@kopjra.com.