Privacy policy

PRIVACY POLICY

Pursuant to and in accordance with Article 13 of the European Regulation 2016/679 concerning the "protection of natural persons with regard to the processing of personal data, as well as the free movement of such data" (the “GDPR”) and Legislative Decree 196/2003, the “Privacy Code,” including subsequent amendments and additions, a series of obligations are imposed on those who process personal data.

SUNO SRL UNIPERSONALE (hereinafter referred to as the “Company” or “SUNO Srl”) wishes to inform you in the following sections, about the methods of processing personal data (as defined in Article 4, paragraph 1, number 2 of the GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is SUNO Srl, with its registered office at Via Sottocastello, 22 - 32100 Belluno (BL), Italy. The Data Controller may be contacted at the following addresses: by email at sunosport@legalmail.it or by regular mail at Via Sottocastello, 22 - 32100 Belluno.

2. CATEGORIES OF PERSONAL DATA

The personal data processed by the Data Controller is comprised of information provided by the user during navigation on the website www.sunosport.com or upon any registration/enrollment in the services/programs offered and/or during any purchase of products offered by the Company. This includes, but is not limited to:

a) first name, last name, date of birth, postal address, email address, phone number;

b) other information required for providing sales fulfilment, such as data required for processing payments and shipping/exchanging purchased products;

c) information regarding your habits, preferences, and interests, in order to send you personalized offers and promotions.

3. LEGAL BASIS AND PURPOSES OF THE PROCESSING

Personal data provided by the user during website browsing is processed by the Data Controller in accordance with the current data protection regulations. The Company processes personal data for the following purposes:

a) Shopping activities (in physical stores or online): personal data provided will be used for the establishment, management, execution, and/or conclusion of the sales contract. The data supplied will be processed by the Data Controller to manage purchase orders, including, by way of example, payment processing, shipping, customer support, as well as to carry out administrative and accounting activities related to order management and to fulfil obligations required by applicable law. For credit card payments, transaction details (cardholder’s name, credit/debit card number, expiration date, security code) will be processed by authorized financial institutions or, if applicable, by companies responsible for fraud control through encrypted protocols, ensuring that no third parties can access this information. Such details will never be viewed or retained by the seller.

Legal basis: performance of the contractual relationship and compliance with a legal obligation – Article 6(1)(b) and (c) of the GDPR.

b) Marketing activities: Personal data will therefore be processed by the Data Controller for commercial or promotional communications, for updates related, for example, to the latest trends, new arrivals, exclusive offers, special events, and promotions via SMS, newsletters, or instant messaging applications. If the user chooses to subscribe to the newsletter service, this will only occur following prior, specific, and explicit consent.

Subscription to the newsletter can take place through: (i) Pop-Up NL & Banner on the Home Page, (ii) personal My Account section, (iii) at the time of purchasing products, in the “Cart” section, (iv) website footer, (v) social media channels (e.g., Facebook).
You can give your consent by using the specific checkboxes available in these sections. Users may unsubscribe from the newsletter by simply clicking the unsubscribe link at the bottom of the received emails or by emailing support@sunosport.com.

The Data Controller, to compare and potentially improve the effectiveness of communications, employs tools to send newsletters and promotional messages equipped with reporting systems. Through these, the Controller can obtain information such as: the number of readers, messages opened, clicks; the type of device used (desktop, mobile); the number of pending users who have not yet confirmed their subscription; the number of emails sent by date/time/minute; details of successfully delivered emails compared to those sent; the list of unsubscribed users; email opened and clicks on individual links; message display issues; link tracking (i.e., the number of clicks on the links within the message); click tracking (which links were clicked).

All this data is used solely to compare and, if necessary, improve the results of communications.

Some of our promotional campaigns may appear on third-party websites and/or social networks. The processing of personal data for this purpose will also occur only after the user’s specific and explicit consent. Information collected from the user’s interaction with the functions of third-party social networks (for example, by clicking the “Like” buttons) is also processed to provide targeted advertising. The Company encourages Data Subjects to consult the privacy policies of the social networks used, where they can learn more about how these social networks operate, the profile data collected, and how to exercise their rights with respect to them.

Legal basis: consent to the processing of personal data – Article 6(1)(a) of the GDPR.

c) Registration on the company website www.sunosport.com: Personal data will be processed by the Data Controller if the user decides to register on the website www.sunosport.com, and only following the user’s specific and explicit consent. In particular, upon providing their first name, last name, date of birth, phone number, email address, and setting an access password, this data will be processed for the creation of a personal account, to speed up the purchase process, to allow the user to view order status and receive updates on purchases made, to set and modify their data to improve navigation and update the account, and to view order history.

Legal basis: consent to the processing of personal data – Article 6(1)(a) of the GDPR.

d) Profiling of the individual: only following an explicit and specific consent, the personal data provided may be processed by the Data Controller for profiling activities or preference analysis aimed at creating personalized content and offers. Legal basis: consent to the processing of personal data – Article 6(1)(a) of the GDPR.

e) Internal research, analytics, and security analysis: The personal data collected may be processed by the Data Controller to carry out internal commercial analyses, including data and trend analyses or research, for statistical and survey purposes.

Legal basis: pursuit of the legitimate interest consisting of conducting market analysis – Article 6(1)(f) of the GDPR.

f) Legal defense of the Data Controller’s rights: The Controller may provide the data of Data Subjects to authorities and bodies responsible for law enforcement, regulations, and judicial acts, as well as to third parties involved in litigation or extrajudicial proceedings, including for the purpose of debt recovery.

Legal basis: pursuit of the legitimate interest consisting in the right to defend one’s claims in court – Article 6(1)(f) of the GDPR.

4. NATURE OF DATA PROVISION

With regard to the purposes referred to in letter a) of the previous paragraph, the provision of personal data is mandatory. Failure to provide such data will render it impossible for the Company to establish, manage, execute, and/or conclude the sales contract and, consequently will prevent the execution of activities related to payments, shipping, order processing, customer support, and compliance with related administrative and accounting obligations. Failure to provide the data will furthermore prevent the user from participating in loyalty programs or any discount initiatives.

With regard to the purposes referred to in letter b) of the previous paragraph, the provision of personal data and consent to its processing is optional. Failure to provide consent will render it impossible for the Company to send commercial or promotional communications, updates related, for example, to the latest trends, new arrivals, exclusive offers, special events, and promotions via newsletters, SMS, or instant messaging applications.

With regard to the purposes referred to in letter c) of the previous paragraph, the provision of personal data is optional. Failure to provide such data and consent will render it impossible for the Company to allow registration on the website, creation of a personal account, expedition the purchase process, view of order status, reception of updates on purchases made, modification of personal settings, and updates of the account.

With regard to the purposes referred to in letter d) of the previous paragraph, the provision of personal data and consent to their processing is optional. Failure to provide consent will render it impossible for the Company to conduct profiling activities or perform preference analyses aimed at creating personalised content and offers.

With regard to the purposes referred to in letters e) and f) of the previous paragraph, the provision of personal data is mandatory, and failure to provide such data will render it impossible for the Company to carry out the activities indicated therein.

5. METHODS OF DATA PROCESSING AND RETENTION

The processing of personal data is carried out by the Data Controller in compliance with the applicable privacy laws. The Data Controller processes personal data using IT and/or telematic means, employing organizational and logical methods strictly related to the achievement of the purposes set out in this privacy notice. Appropriate security measures are adopted to prevent unauthorized access, disclosure, alteration, or destruction of personal data, as well as their loss and unlawful or incorrect use (in accordance with Article 32 of the GDPR).

However, the Company cannot guarantee that the security measures adopted for the website, data transmission, and information on the site will eliminate or limit risks of unauthorized access or data leakage from devices belonging to the user. For this reason, website users are advised to ensure that their computers are equipped with adequate software to protect data transmission over the network (e.g., updated antivirus software) and that their Internet Service Provider has adopted suitable measures for secure online data transmission.

The Company further undertakes to process data according to the principles of fairness, lawfulness, and transparency; to collect data only to the extent necessary and accurate for processing purposes, and to allow its use only by authorised personnel for the intended purposes.

Depending on the different purposes for which they are collected, personal data will be retained for the period strictly necessary to achieve those purposes and, in any case, in accordance with current statutory and regulatory provisions. In any event, the Company shall take care to avoid indefinite data retention by periodically verifying compliance with current regulations and the continued existence of legitimate interest relating to the data subjects concerned.

6. SCOPE OF PERSONAL DATA DISCLOSURE

The collected data shall under no circumstances be disclosed in any way, but shall be processed within the limits and for the purposes described by the following categories of recipients:

a) employees/collaborators of the Company based on appropriate operational instructions (for example, administrative, commercial, marketing, legal personnel, system administrators, etc.), appointed as authorized Data Processors pursuant to Article 29 of the GDPR and Article 2 quaterdecies of Legislative Decree 196/2003;

b) third parties—who have been appointed as External Data Processors pursuant to Article 28 of the GDPR—whom the Data Controller uses or may use in managing the contractual relationship, provisioning the services offered, and for technical/organizational needs related to its business activities;

c) public and private entities that may access the data by virtue of legal, regulatory, or EU provisions, within the limits established by such legislation.

d) parties requiring access to the data for purposes related to the contractual relationship between the parties, strictly limited to the performance of auxiliary tasks (such as banks and financial institutions, technical service providers, hosting providers, IT companies, communication agencies, postal couriers, and shipping companies);

e) collaborators and/or consultants, within the limits necessary for carrying out their professional duties. The updated list of External Data Processors and authorized data handlers is kept at the Data Controller’s registered office and may be made available to the Data Subject upon request, submitted to the contact details provided by the Controller.

7. TRANSFER OF DATA TO COUNTRIES OR ORGANIZATIONS OUTSIDE THE EU

The management and retention of personal data will take place on servers owned by the Data Controller and/or third-party companies duly appointed as External Data Processors. Personal data may be transferred abroad, in accordance with applicable laws, including to countries outside the European Union. Transfers to non-EU countries, in addition to cases covered by Adequacy Decisions by the European Commission, will be carried out in a manner that provides appropriate and adequate safeguards pursuant to Articles 46, 47, or 49 of the Regulation.

8. RIGHTS OF THE DATA SUBJECTS

As a Data Subject, the user may exercise, at any time, the rights granted under Articles 15 et seq. of the GDPR, which specifically include the right to:

a) obtain from the Data Controller, pursuant to Article 15, confirmation as to whether or not personal data concerning them is being processed, and, where such processing exists, access to the personal data and information including:

(i) the purposes of the processing;
(ii) the categories of personal data concerned;
(iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if recipients are located in third countries or international organizations;
(iv) where possible, the retention period or, if not possible, the criteria used to determine that period;

b) obtain from the Data Controller, pursuant to Article 16, the rectification of inaccurate personal data concerning them without undue delay; taking into account the purposes of processing, the data subject has the right to obtain the completion of incomplete personal data, including by means of providing a supplementary statement;

c) obtain from the Data Controller, pursuant to Article 17, the erasure of personal data concerning them without undue delay. The Controller is obliged to erase personal data without undue delay if one of the grounds specified in paragraph 1 of Article 17 applies;

d) obtain from the Data Controller, pursuant to Article 18, the restriction of processing when one of the conditions laid down in paragraph 1 of Article 18 applies;

e) obtain from the Data Controller, pursuant to Article 20, data portability—meaning the right to receive personal data concerning them, which they have provided to a Controller, in a structured, commonly used, and machine-readable format. The Data Subject also has the right to transmit those data to another Controller without hindrance from the original Controller, where the conditions set out in Article 20(1) apply. Finally, the Data Subject has the right to have the personal data transmitted directly from one Controller to another, where technically feasible;

f) object, in whole or in part, pursuant to Article 21, to the processing of personal data concerning them.

Furthermore, the Data Subject has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, without prejudice to the consequences mentioned above regarding any refusal to provide such personal data. The Data Subject also has the right to lodge a complaint with the relevant Data Protection Authority (www.garanteprivacy.it).

Requests to exercise these rights may be submitted to: support@sunosport.com. SUNO Srl undertakes to respond to the Data Subject’s requests within one month, except in cases of particular complexity where a maximum of three months may be required. In any case, the Data Controller will inform the Data Subject of the reason for the delay within one month of receiving the request.

9. CHANGES TO THIS PRIVACY NOTICE

The Data Controller reserves the right to make changes to this Privacy Policy at any time, publishing updates on the website. Users are therefore advised to consult this page frequently, referring to the “Last Updated” date shown at the bottom of the document. In the event of non-acceptance of the changes made to this Privacy Policy, the Data Subject may request the Data Controller to delete their personal data. Unless otherwise specified, the previous Privacy Policy will continue to apply to personal data collected prior to such changes.

Last updated: 29/04/2025

The Data Controller