Privacy policy

PRIVACY POLICY AND INFORMATION ON PERSONAL DATA PROCESSING pursuant to Article 13 of the GDPR – EU Regulation 2016/679

The company Mia First S.r.l., headquartered in Verona, Via Amerigo Vespucci 2, VAT number 04817720230 ("Company"), represented by its legal representative pro tempore, in compliance with Article 13 of the GDPR and concerning your personal data ("PD"), hereby communicates the following:

This data processing statement applies to all services and offerings provided to our clients, regardless of the platform through which the service is offered: website, events, or through social networks.

Regarding the purchase of products for sale online through Mia First S.r.l.'s Customer Assistance Service, we kindly ask you to carefully read the relevant Sales Terms and Conditions, which govern the terms and conditions applicable to purchases made through these means.

1 – Data Controller and Data Protection Officer

1.1 The Data Controller ("Controller") is Mia First S.r.l.

1.2 The Controller has not appointed a Data Protection Officer (DPO), as the legal conditions requiring the mandatory appointment of a DPO do not apply.

1.3 The Controller has appointed certain external data processors, whose names and details can be requested at the addresses indicated below.

2 – Personal data undergoing processing and data source

2.1 The Controller processes the following categories of Personal Data:

  • Personal Identifiable Information: The Personal Data collected by the Controller are voluntarily provided by the Data Subject, particularly, but not limited to: name, surname, email address, phone number, date of birth.
  • Billing Information: VAT number, company name, shipping and billing address, country, province, ZIP code, city.
  • Purchase Data: Information regarding purchased products or items added to the cart in case online purchases are not completed.
  • Payment Data: To make a payment using one of the payment methods offered on the Site, the user must enter the confidential payment card details directly on a page communicated through a secure encryption protocol with the payment service provider (acting as an independent data controller), without passing through the Controller's server, which will not handle such data in any way. The data will be acquired in encrypted format.

Regarding payment card data, it is clarified that the processing of your Personal Data is necessary to enable the conclusion of the online purchase contract with the Controller. Failure to provide this data will therefore prevent you from completing the online purchase process.

  • Browsing Data: Cookies, usage data, geographic location.
  • Location Data: Personal location data from smartphone devices.

3 – Purposes of Personal Data Processing

3.1 The processing primarily aims at managing the pre-contractual phase and ensuring the correct and complete execution of the contractual relationship with the Company, concerning the needs and subsequent fulfillment of contractual, legal, and tax obligations arising from electronic commerce transactions. In particular, among the primary purposes ("Primary Purposes") of the processing are the following:

  • Creation and management of a user account.
  • Preparation of estimates and order confirmations, transportation documents, processing of purchase orders.
  • Execution of the contractual relationship, regarding obligations related to the supply or purchase of goods.
  • Provision of requested services through the technological and instrumental partner.
  • Compliance with legal obligations in tax, accounting, labor, social security, and welfare, insurance fields.
  • Provision of technical support services, consultancy, also via email or phone, sale of products or services of Mia First S.r.l.
  • Payment of issued invoices and management of electronic payment tools.
  • Prevention and detection of fraud and abuses to protect our customers' security; compliance with any other legal obligation incumbent upon the Company as stipulated by current regulations.

3.2 Your Personal Data, including device and access data (type of device, browsing, IP addresses, terminal domain names used, URI/URL addresses), will also be processed for additional purposes ("Additional Purposes") related to the registration process, as follows:

  • Newsletters related to the world of Mia First S.r.l., distinguished by the brand "Mia First Venezia," invitations to events, congresses, and meetings, responding to user information requests.
  • Greeting cards, commemorative cards, celebratory notices.
  • Information regarding the launch of new products under "Mia First Venezia."
  • Profiling purposes: analysis of data acquired at the beginning and during commercial relationships, also regarding the history of users' purchases and services used, identification, including through electronic processing, of preferences and potential products and services of interest, and consequent product recommendation, also automatically via the use of cookies, as described in the dedicated section.
  • Management of promotional, advertising, commercial, and generalized and/or personalized marketing activities (market analysis and research).
  • Geographical location and detection of the current location of the device through which the platform is visited, to provide location-related services.

3.3 You ('Data Subject') may freely choose not to provide your consent for Additional Purposes.

3.4 In cases where the processing of special categories of data is essential for the execution of the relationship or the fulfillment of specific services as well as legal obligations, providing such data will be mandatory. As their processing is only allowed with the explicit written consent of the Data Subject (pursuant to Articles 9 and 10 of the GDPR), you will need to consent to their processing.

3.5 It may occur that the Company processes data of third parties directly communicated by you (for example, when the individual paying for the purchase differs from the individual for whom the product is intended and shipped). In these cases, it is advisable to ensure obtaining the consent of the person to whom the data refers before communicating them to the Company. You will be solely and exclusively responsible for communicating such data. However, within the limits prescribed by the regulations, the Company will fulfill the obligation to inform the third party and, if necessary, request their consent at the time of registering their personal data in our records.

4 – Legal Basis of Processing

4.1 The Controller processes your Personal Data lawfully when the processing:

  • is necessary for the performance of the contractual relationship of which you (or companies or entities of which you are a member, administrator, manager, proxy holder, or representative) are part, or for the execution of pre-contractual measures adopted upon request;
  • is necessary to comply with a legal obligation incumbent on the Controller;
  • is based on explicit consent, concerning activities related to Additional Purposes.

4.2 Your explicit consent is not required when processing concerns data from public registers, lists, deeds, or documents accessible by anyone, subject to the limits and methods established by laws, regulations, or community legislation for data accessibility and publicity, or data related to the performance of economic activities processed in compliance with the current legislation on trade secrets and industrial secrets.

4.3 Your explicit consent is also not required - and if provided, must be understood as confirming the lawfulness of the processing - when processing concerns activities related to the Primary Purposes.

5 – Personal Data Retention Periods

5.1 The Personal Data undergoing processing are kept only for the time strictly necessary for the accomplishment of the above-described activities/purposes and, in any case, stored for different periods according to the purposes for which they are processed, in compliance with the applicable regulations at any given time.

5.2 Personal Data processed for Primary Purposes are kept for 10 years after the termination of the contract's effectiveness or, in case of disputes, for the statute of limitations period provided by the legislation for the protection of related rights, without prejudice to longer retention periods specified by specific sector regulations.

5.3 The consent provided for direct and indirect marketing purposes remains valid until revoked by the Data Subject. It should be noted that marketing activities are carried out based on data collected in the last 36 months from the last conclusive behavior or the last positive action taken by the Data Subject.

5.4 The consent provided for profiling purposes remains valid until revoked by the Data Subject. It should be noted that profiling activities are carried out based on data from the last 24 months from the last conclusive behavior or the last positive action taken by the Data Subject.

5.5 In any case, the Controller will take every care to ensure an appropriate use of the collected data, periodically verifying the actual interest of the data subject for processing purposes as described above. Otherwise, the data will be deleted, blocked, or rendered anonymous. However, the possibility of retaining the aforementioned data remains to protect the rights of the Controller in any extrajudicial and judicial proceedings, in arbitration and/or mediation, and conciliation procedures.

6 – Consequences of Non-disclosure of Personal Data

6.1 Regarding Personal Data related to the execution of the contract of which you are a part (or companies or entities of which you are a member, administrator, manager, proxy holder, or representative) or related to the fulfillment of a legal obligation (for example, obligations related to keeping accounting and tax records), failure to disclose Personal Data prevents the conclusion of the contractual relationship or, in certain cases, suspends or prejudices its execution.

6.2 Data not essential for the performance of the contractual relationship should be considered additional information. Their provision, if requested, is optional.

7 – Communication of Personal Data

7.1 Your Personal Data may be communicated to:

  1. a) external professionals (including, for example: lawyers, accountants, web agencies, data processing centers, and web space management companies for data storage, etc.) providing services functional to achieve Primary and/or Additional Purposes, who - if the legal conditions exist - will assume the role of external data processors;
  2. b) employees, collaborators, and assistants of the Controllers, in their capacity as internal data processors and/or system administrators, or the Data Protection Officer (DPO) if appointed;
  3. c) third-party companies or other subjects not mentioned in the previous letters (including, for example, carriers and shippers, credit institutions, professional studios, consultants, insurance companies for the provision of insurance services, factoring, leasing, etc.) providing services functional to Primary and/or Additional Purposes, who - if the legal conditions exist - will assume the role of external data processors;
  4. d) subjects processing data in fulfillment of specific legal obligations;
  5. e) judicial or administrative authorities, including arbitration, for legal compliance;
  6. f) publishers and editors of magazines or newspapers for Additional Purposes.
  7. g) technological and instrumental partners used by the Controller to provide services requested by users.

7.2 Additionally, the Controller may communicate your Personal Data to an address management and email messaging service.

8 – Profiling and Dissemination of Personal Data

We also inform you that your Personal Data will not be disseminated or subjected to any entirely automated decision-making process, including profiling, without your explicit consent, except for necessary communications that may involve the transfer of data to public entities, consultants, or other subjects for legal compliance. In particular, your data may be communicated to:

  1. a) Public Bodies or Offices or control authorities in compliance with legal and/or contractual obligations;
  2. b) Banks and/or credit institutions for managing payments arising from the contractual relationship.

9 – Transfer of Personal Data

9.1 Personal data will not be transferred to Third Countries, meaning countries not belonging to the European Union or the European Economic Area. If this occurs, the Controller declares and guarantees compliance with Articles 44 and onwards of the GDPR.

10 – Data Subject Rights

Among the rights recognized to you by the GDPR are:

  • to request from the Controller access to your Personal Data and information related to them; rectification of inaccurate data or integration of incomplete ones; deletion of the Personal Data concerning you (upon the occurrence of one of the conditions indicated in Article 17, paragraph 1 of the GDPR and respecting the exceptions provided in paragraph 3 of the same article); limitation of the processing of your Personal Data (in the event of one of the hypotheses indicated in Article 18, paragraph 1 of the GDPR); request and obtain from the Controller – in cases where the legal basis of the processing is the contract or consent, and it is carried out by automated means – your Personal Data in a structured, commonly used, and machine-readable format, also for the purpose of communicating such data to another data controller (the so-called right to data portability);
  • to object at any time to the processing of your Personal Data in situations that concern you;
  • to revoke consent at any time, limited to cases where the processing is based on your consent for one or more specific purposes and concerns common personal data (such as date and place of birth or residence), or special categories of data (such as data revealing your racial origin, political opinions, religious beliefs, health status, or sex life). However, processing based on consent carried out before its revocation remains lawful;

In particular, to revoke your consent to the messaging program related to commercial communications, it is sufficient to send a specific request:

  1. a) by following the instructions for cancellation at the bottom of each email message;
  2. b) by sending an email to
  • to lodge a complaint with a supervisory authority (Italian Data Protection Authority –

11 – Security Measures

11.1 The Controller adopts security measures suitable for minimizing the risks of destruction or loss, including accidental, unauthorized access, or processing not allowed or not in compliance with the purposes of collection indicated in this Privacy Policy.

11.2 For the best protection of your Personal Data beyond the control and management of the Controller, we recommend ensuring that the computer used is equipped with suitable software devices for the protection of data transmission over the network, both incoming and outgoing (such as updated antivirus systems), and that the chosen Internet service provider has adopted adequate measures for the security of data transmission over the network (such as firewalls and anti-spam filters).

12 – Exercise of Rights Modalities

In your capacity as a data subject, you may exercise your rights at any time by sending a registered letter with return receipt requested to Mia First s.r.l., Via Amerigo Vespucci 2, Verona.

13 – Updates

The Privacy Policy of this website is subject to updates; therefore, we invite you to periodically verify its content.

//Script to track viewed page