Privacy Policy

Who we are and who to contact

The Data Controller of personal data collected or otherwise acquired through the Site is the company Flat Bag s.r.l. – VAT No. IT0443440028 | R.E.A. – T 188689970 with registered office in Via Borgo Padova, 102 Camposampiero 35012 (PD) Italy – Contact e-mail address:

Why this policy and to whom it is addressed

This policy is addressed to the users of the Site and to all natural persons interested in the processing of their personal data by the Data Controller, as part of its activity (“Interested Party” or “User“). Access to certain sections of the Site and/or any requests for information or services by users may be subject to the insertion of personal data, the processing of which will take place in compliance with the GDPR. For the use of specific services on the Site, the interested party will be informed by means of this information notice and, where required, specific consents to the processing of personal data will be requested. This information is provided only for the Site and not for other websites consulted by users through links that may be recalled in this Site.


The term personal data refers to the definition contained in Article 4(1) of the GDPR, i.e. “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity” (“Personal Data“). The GDPR provides that, before processing Personal Data – by which term is meant, according to the definition contained in Article 4, point 2) of the GDPR, “any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (“Processing“) it is necessary that the person to whom such Personal Data belongs is informed of the reasons and purposes for which such data is required and how it will be used. Personal Data may be disclosed to specific persons who are considered recipients of such Personal Data. Article 4(9) of the GDPR defines a recipient of Personal Data as “a natural or legal person, public authority, agency or other body that receives communication of personal data, whether or not it is a third party” (hereinafter the “Recipient“). Personal Data may also be disclosed to specific entities considered under Article 4 at point 10) of the GDPR, “persons authorised to process Personal Data under the direct authority of the Controller or the Processor” (hereinafter the “Authorised Persons“). Among other things pursuant to Article 4 at point 9), of the GDPR, “public authorities that may receive communication of Personal Data in the context of a specific investigation in accordance with Union or Member State law are not considered as Recipients”.

Data Categories and Processing

A. Navigation Data

The computer systems and software procedures used to operate this portal acquire, during their normal operation and for the sole duration of the connection, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected for the purpose of associating it with identified interested parties but, by its very nature, could, through processing and association with data held by third parties, allow the identification of visiting users (e.g. IP addresses), the domain names of the terminals used, the URI (Uniform Resource Identifier) addresses of the requesting parties, the time of requests, etc. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check that it is functioning correctly. The data on web contacts are not stored, The data could be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Site. except in the event of computer crimes to the detriment of the Site.

B. Data provided voluntarily by the User

The User is not required to provide any personal data in order to consult the site. However, any contact, or the optional, explicit and spontaneous sending of messages, by electronic or traditional mail, to the addresses indicated on the site entails the subsequent acquisition of the address, including e-mail, of the sender or of the relative telephone number, necessary to respond to requests, as well as any other personal data included in the relative communications. This data will be used solely for the purpose of responding to the User’s request and may be communicated to third parties only if necessary for this purpose. For the processing of data for such purposes, your consent is not required as the processing is necessary for the execution of pre-contractual measures taken at your request (Art. 6, paragraph 1, letter b) of the GDPR), as well as, where applicable, to fulfil a legal obligation (Art. 6, paragraph 1, letter a) of the GDPR).

C. Information on the processing of personal data through social media platforms

With regard to the processing of personal data carried out by the managers of the Social Media platforms used, please refer to the information provided by them in their respective privacy policies. The Data Controller processes personal data provided by users through the pages of the Social Media platforms used to manage interactions with Users (comments, public posts, etc.) and in compliance with current legislation.

D. Data Processing

The processing will be carried out using both manual and IT and telematic tools in compliance with the regulations in force and the principles of correctness, lawfulness, transparency, pertinence, completeness and non-excessiveness, data minimisation and accuracy and with organisation and processing logics strictly related to the purposes pursued and in any case in such a way as to guarantee the security, integrity and confidentiality of the processed data, in compliance with the organisational, physical and logical measures provided for by the provisions in force. These will be implemented and increased from time to time, also in relation to technological development, in order to guarantee the confidentiality, availability and integrity of the data processed.

Processed Data, purposes of processing, legal bases and Data retention periods

A. User Navigation Data

They are used for the sole purpose of obtaining statistical information on the utilisation of the Portal, electronic identification data (IP address, location, cookies, browser, etc.); The legal basis can be identified: legitimate interest art. 6(f) and recital 47: processing is necessary for the purposes of pursuing the legitimate interests of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data do not prevail, taking into account the reasonable expectations of the data subject based on his relationship with the data controller. Activities that are strictly necessary for the operation of the Site and the provision of the navigation service on the platform. The data retention period is directly linked to the duration of the browsing session. For navigation see cookie policy. With the exception of what is specified for navigation data (which are necessary in order to allow navigation of the Site), the user is free to provide personal data.

B. Contact Data

With regard to the contact data provided directly by the User (compulsory: name, surname and e-mail address, optional: telephone number and company, and the request message), the purpose of the collection is the need to follow up on the User’s requests and carry out all communication activities always related to responding to requests for contact and possible forwarding of promotional material by the Data Controller. The legal basis can be identified in pre-contractual or contractual obligations related to responding to requests from the data subject or to the provision of a service, but also in legal obligations to which the Data Controller is subject. The data subject may, at any time, request the deletion of his/her data from the Data Controller’s archives, which will in any case retain the data for a period not exceeding 24 months from the date of collection.

Automated Decisions

The Data Controller declares that it does not adopt decisions likely to affect the Data Subject based solely on automated processing of personal data. All decision-making processes associated with the purposes of the processing described above are carried out with human intervention.

Disclosure of Personal Data

Personal Data may be disclosed to specific entities considered as Recipients or to Persons Authorised to process such Personal Data under the authority of the Data Controller. In this perspective, in order to properly carry out all the Processing activities necessary to pursue the purposes set out in this Policy, the following Recipients may be in the position to process Personal Data:
  • third parties who carry out part of the Processing activities and/or activities connected and instrumental to the same on behalf of the Data Controller, having their registered office in the countries of the European Union, who have been entrusted with the performance of services, assistance and/or consultancy activities also for the operation of this Site on behalf of the Data Controller. The third parties mentioned above are essentially included in the following categories: (a) subjects with whom the Data Controller has entered into collaboration agreements; (b) subjects operating in the Sector; (c) suppliers involved in the provision of services (d) Consultants and the employees / or collaborators of the Data Controller performing the functions involved in the activity of the Data Controller who have received, in this regard, adequate instructions on security and proper use of personal data,
  • finally, public authorities or public bodies for the fulfilment of legal obligations to which the Data Controller is subject, and any other public body entitled to request the data, in the cases provided for by law. Where required by law or to prevent or repress the commission of a crime, Personal Data may be disclosed to public authorities or judicial authorities.
Among other things according to Article 4 at point 9), of the GDPR, “public authorities that may receive communication of Personal Data in the context of a specific investigation in accordance with Union or Member State law are not considered Recipients”. It is understood that the data processed will only be those necessary to achieve the specific purpose, it follows that data managed through third parties will be limited to the specific purpose. Personal Data will not be diffused.

International transfers of personal data

Personal Data will be processed by the Data Controller within the territory of the European Union. In the event that for technical and/or operational reasons it becomes necessary to use entities located outside the European Union, the transfer of Personal Data, limited to the performance of specific Processing activities, will be regulated in accordance with the provisions of Chapter V of the GDPR. All necessary precautions will therefore be taken in order to ensure the most complete protection of Personal Data by basing such transfer: (i) on adequacy decisions of the receiving third countries expressed by the European Commission; (ii) on adequate safeguards expressed by the receiving third party pursuant to article 46 of the GDPR; (iii) on the adoption of binding corporate rules.

User Rights and Practise

As provided for in Article 15 of the GDPR, the Data Subject may access the Personal Data, request its rectification and updating, if incomplete or erroneous, request its deletion if it was collected in violation of a law or GDPR, as well as object to the Processing for legitimate and specific reasons. In particular, the rights that the User may exercise, at any time, vis-à-vis the Data Controller are as follows.
  • receive confirmation of the existence of your personal data and access to their content;
  • update, modify and/or correct your personal data;
  • request cancellation (oblivion), transformation into anonymous form, blocking of data processed in breach of the law or restriction of processing;
  • object processing for legitimate reasons;
  • receive a copy of the data you have provided and request that such data be passed on to another data controller;
  • lodging a complaint with the competent Data Protection Authority.
These rights may be exercised by contacting the Data Controller. Any claims under Article 15 of the GDPR should be addressed or by email as indicated in the contact section. Moreover, at any time you may consult the “Privacy” section of the Website, where you will find all the information concerning the Policy on the processing of Personal Data applied by the Data Controller, the use and processing of Personal Data, updated information on the contacts and communication channels made available to the Data Subject by the Data Controller.


For any request or need, the Data Subject shall send a communication which should be addressed to:   Il Titolare del Trattamento             Flat Bag S.r.l.   Versione della policy aggiornata a dicembre 2021