Privacy Policy

How we collect, use and protect your personal data.

Last updated:

This Privacy Policy explains how [COMPANY_NAME] (the “data controller”) processes personal data collected through addicting.shop, in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and applicable national legislation.

1

Data controller

The data controller is [COMPANY_NAME], registered at [COMPANY_ADDRESS], VAT [COMPANY_VAT]. For any privacy-related request you can reach us at [COMPANY_EMAIL].

Where a Data Protection Officer (DPO) has been appointed, they can be contacted at [DPO_EMAIL].

2

Categories of personal data we process

We may process the following categories of personal data:

  • Account & business information: company name, VAT number, business address, contact details of authorised representatives.
  • Order data: billing and shipping address, order history, invoicing data.
  • Payment data: limited to the information necessary to process payments; full card details are handled by our payment provider and never stored by us.
  • Technical data: IP address (hashed for consent logs), browser type, device information, referrer.
  • Interaction data: pages visited, products viewed, newsletter interactions.
  • Communications: content of messages you send us via forms, email or chat.

3

Purposes of processing

We process your personal data for the following purposes:

  1. Contract execution — managing your account, processing orders, invoicing, shipping, providing customer support.
  2. Legal obligations — tax reporting, accounting records, anti-fraud checks, responding to competent authorities.
  3. Legitimate interest — fraud prevention, network and information security, service improvement, internal analytics on aggregated data.
  4. Consent — commercial communications (newsletters), non-essential cookies, profiling for marketing.

5

Data sharing & processors

We may share your data with the following categories of recipients, acting as data processors under Art. 28 GDPR:

  • Hosting providers for the operation of the Site.
  • Payment processors (e.g. Stripe, PayPal) for transaction handling.
  • Logistics partners (couriers) for shipping.
  • Email providers for transactional and marketing emails.
  • Analytics providers (only if you consent via our cookie banner).
  • Accounting, legal and tax advisors, within the strict necessity of their mandate.

We never sell your data to third parties.

6

Retention periods

We keep personal data only as long as necessary for the purposes for which it was collected:

  • Account data: until account deletion + 12 months for security reasons.
  • Order and invoicing data: 10 years (accounting retention obligation).
  • Consent logs: up to 13 months for the IP hash; consent events are retained as proof of compliance.
  • Marketing data: until consent withdrawal or after 24 months of inactivity.
  • Technical logs: maximum 12 months.

7

Your rights

Under Articles 15–22 GDPR you have the right to: access your data, rectify it, request erasure, restrict processing, object to processing, request data portability, and withdraw consent at any time.

To exercise any of these rights, contact us at [COMPANY_EMAIL]. We reply within 30 days. You also have the right to lodge a complaint with your national supervisory authority (in Italy: Garante per la protezione dei dati personali, www.garanteprivacy.it).

8

International transfers

Your personal data is processed primarily within the European Economic Area. Where transfers to third countries are necessary (e.g. to use cloud providers based in the USA), we rely on the European Commission’s adequacy decisions or on Standard Contractual Clauses (SCCs) approved by the Commission, together with supplementary technical and organisational measures as required.

9

Security measures

We apply appropriate technical and organisational measures to protect personal data from unauthorised access, loss, destruction or modification — including: TLS/HTTPS transport encryption, hashing of authentication credentials, pseudonymisation of IP addresses in consent logs (daily-rotating salt), access controls on internal systems, regular backups, and ongoing staff training.

10

Changes to this Policy

We may update this Privacy Policy from time to time. Substantial changes will be notified via email to registered users and/or through a prominent notice on the Site. The “Last updated” date at the top always reflects the most recent revision.

11

Contact

For any privacy-related enquiry please write to [COMPANY_EMAIL] (general) or [DPO_EMAIL] (DPO, where appointed).
