Plumma

1. Data Controller

The Data Controller for the processing of personal data is:

2. Data Protection Officer (DPO)

Plumma srl has assessed its obligation to appoint a Data Protection Officer pursuant to Art. 37 GDPR. Following this assessment, the company has appointed a DPO. The appointed Data Protection Officer is:

3. Personal Data Processed

3.1 Data provided voluntarily

Data that users provide directly, including:

• Identification and contact details (first name, last name, email address, phone number)
• Company information (company name, industry, size)
• Messages and communications sent via contact forms
• Information provided during consultation requests

3.2 Data collected automatically

When visiting plumma.it, the following data is collected automatically:

• IP address and approximate geolocation data
• Browser type, operating system, and device information
• Pages visited, time spent, and navigation patterns
• Referral source and exit pages
• Data collected via cookies and tracking technologies (see Section 5)

4. Purposes of Processing and Legal Bases

Each processing activity is founded on a specific legal basis pursuant to Art. 6 GDPR, as detailed below:

• Service provision and response to inquiries: Art. 6(1)(b) GDPR – performance of pre-contractual measures at the request of the data subject
• Operational communications and service updates: Art. 6(1)(b) GDPR – performance of a contract / pre-contractual measures
• Website usage analytics and service improvement: Art. 6(1)(f) GDPR – legitimate interest of the Controller in understanding website usage (balancing test carried out)
• Marketing activities and promotional communications: Art. 6(1)(a) GDPR – explicit consent of the data subject (freely revocable at any time)
• Compliance with legal and fiscal obligations: Art. 6(1)(c) GDPR – compliance with a legal obligation
• Website security and fraud prevention: Art. 6(1)(f) GDPR – legitimate interest of the Controller in IT security

Consent to marketing is optional and may be withdrawn at any time by contacting privacy@plumma.it, without affecting the lawfulness of processing carried out prior to withdrawal.

5. Cookies and Tracking Technologies

The website uses cookies and similar technologies for the following purposes:

• Essential technical cookies: required for the correct functioning of the website (no consent required)
• Analytical cookies: allow analysis of user behaviour (consent required unless fully anonymised)
• Marketing cookies: used for profiling and targeted advertising (consent required)

Users can manage their preferences via the cookie banner displayed on first access to the site, and at any time through browser settings. Disabling technical cookies may impair website functionality.

6. Google Analytics

The website uses Google Analytics, a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics collects information such as:

• How you arrived at our site
• Pages visited and session duration
• Approximate geographic location (country/region)

Google Analytics processes data in accordance with its own privacy policy. For transfers to the USA, Google LLC adheres to the EU-US Data Privacy Framework. You can opt out via the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).

Where IP anonymisation (ip_anonymize) is enabled, the legal basis may be legitimate interest; otherwise, user consent is required.

7. Data Retention Periods

Personal data is retained only for as long as strictly necessary to fulfil the purposes for which it was collected, in compliance with the principles of data minimisation and storage limitation (Art. 5(1)(e) GDPR):

• Contact data and communications: Up to 24 months from the last contact, unless a different contractual arrangement applies
• Navigation data and analytical cookies: Maximum 13 months from collection (EDPB guidelines)
• Data for tax and accounting obligations: 10 years pursuant to Italian law (Art. 2220 Italian Civil Code)
• Data processed on the basis of consent (marketing): Until consent is withdrawn or, in the absence of activity, a maximum of 24 months

8. Data Sharing and Disclosure

Personal data may be disclosed to:

• Technical service providers (hosting, email, analytics): acting as Data Processors under Art. 28 GDPR, bound by dedicated data processing agreements
• Business partners: only where necessary to fulfil the services requested
• Public and judicial authorities: where required by law or to protect the rights of the Controller

Personal data is never sold to third parties.

9. International Data Transfers

Some service providers (e.g. Google LLC for Google Analytics) may process data in countries outside the European Economic Area (EEA). In such cases, the Controller ensures that:

• The destination country benefits from an adequacy decision by the European Commission (e.g. the EU-US Data Privacy Framework), or
• Appropriate safeguards are in place pursuant to Art. 46 GDPR, such as Standard Contractual Clauses (SCCs) approved by the European Commission

10. Security Measures

The Controller implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or disclosure, including:

• SSL/TLS encryption for data transmission
• Secure hosting infrastructure
• Access controls and authentication systems
• Regular security assessments and updates

No method of transmission over the Internet can be guaranteed as 100% secure. The Controller cannot guarantee the absolute security of transmitted information.

11. Rights of the Data Subject

Pursuant to Arts. 15–22 GDPR, data subjects have the right to:

• Access (Art. 15): obtain confirmation of processing and a copy of their personal data
• Rectification (Art. 16): request the correction of inaccurate or incomplete data
• Erasure (Art. 17): request deletion of personal data ("right to be forgotten")
• Restriction (Art. 18): obtain restriction of processing in certain circumstances
• Portability (Art. 20): receive personal data in a structured, machine-readable format
• Objection (Art. 21): object to processing based on legitimate interest or for direct marketing purposes
• Withdrawal of consent: at any time, without affecting the lawfulness of prior processing

To exercise these rights, data subjects may submit a written request to: privacy@plumma.it

The Controller will respond within 30 days of receiving the request (extendable by a further 60 days in complex cases, with prior notice to the data subject).

12. Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with the competent supervisory authority. In Italy, the relevant authority is:

Alternatively, data subjects may contact the supervisory authority of the EU Member State in which they habitually reside, work, or where the alleged infringement occurred.

13. Children's Privacy

The website plumma.it is not intended for persons under the age of 18. The Controller does not knowingly collect personal data from minors. Should any such data be inadvertently collected, the Controller will take immediate steps to delete it.

14. Changes to This Policy

The Controller reserves the right to amend this Privacy Policy at any time. In the event of material changes, users will be informed via:

• Publication of the updated version on the website
• Update of the "Last updated" date
• Email notification, where available and for significant changes

Continued use of the website following publication of changes constitutes acceptance of the updated Privacy Policy.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with Italian and European Union law, in particular:

• Regulation (EU) 2016/679 (GDPR)
• Italian Personal Data Protection Code – Legislative Decree 196/2003, as amended by Legislative Decree 101/2018
• Measures and guidelines issued by the Garante per la protezione dei dati personali