Privacy Policy​​

​EXTENDED INFORMATION PURSUANT TO ARTICLES. 12, 13 AND, IF NECESSARY, 14 OF THE GDPR - REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)

The data controller reports, below, the Information pursuant to Articles 12, 13 and, where appropriate,
14 of the GDPR regarding the processing of personal data provided by the Customer/interested party through the
completion and signing of the Contract to purchase the products/services offered for sale by the
owner of the processing itself, by spontaneously uploading to this website personal data (in particular through the completion of forms) or by simply browsing through it.

​EXTENDED INFORMATION PURSUANT TO ARTICLES. 12, 13 AND, IF NECESSARY, 14 OF THE GDPR - REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)

The data controller reports, below, the Information pursuant to Articles 12, 13 and, where appropriate,
14 of the GDPR regarding the processing of personal data provided by the Customer/interested party through the
completion and signing of the Contract to purchase the products/services offered for sale by the
owner of the processing itself, by spontaneously uploading to this website personal data (in
particular through the completion of forms) or by simply browsing through it.

1. Data controller and contact details
The data controller is Serena Conforti, Website: https: //www.birdstories.it Email: info@birdstories.it

2. Principles applicable to the processing
In accordance with the requirements of the GDPR, the data controller shall constantly strive
so that personal data are:
a. processed lawfully, fairly and transparently;
b. collected for specified, explicit and legitimate purposes, and subsequently processed in a manner that is not
incompatible with those purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, if necessary, kept up to date;
e. kept for a period of time not exceeding the achievement of the purposes for which they are processed;
f. processed, by means of appropriate technical and organizational measures, in such a way as to ensure their security;
g. processed, if by virtue of consent, by a decision freely made by the Client/interested party,
on the basis of request submitted in a clearly distinguishable from the rest, in a form
understandable and easily accessible, using simple and clear language.
The data controller shall take appropriate technical and organizational measures to ensure the
protection of personal data by design and to ensure that by
default setting, only the data necessary for each specific processing purpose.
The data controller collects and takes into the utmost consideration indications, comments and
opinions of the Client/Subject transmitted to the above contact details, in order to implement a system
of dynamic privacy management that ensures effective protection of individuals, with regard to the
processing of their data.
This Information Notice may be subject to change, in line with the evolution of the reference legislation and the technical and organizational measures gradually adopted by the data controller; the client/interested party is, therefore, requested to periodically visit this section of the Website, in order to view the updates and the Information Notice in the text in force from time to time.

 3. Methods of personal data processing
The processing of personal data is carried out manually and by electronic means, with
logic strictly related to the purposes set out below and, in any case, in such a way as to ensure the
security and confidentiality of the data.

4. Purposes of personal data processing

(4a) Purposes for which data processing is necessary
The personal data provided by the Customer/interested party are mainly processed for the execution of the
Contract and the management of credit and, more generally, of the relationship arising from the Contract itself.
The provision of data in the Contract or later, in the course of the contractual relationship, for the purposes
of processing in question is mandatory; therefore, the failure, partial or inaccurate provision of such
data makes it impossible to enter into and/or execute the Contract and, for the Client/interested party, to take advantage
of the products/services offered by the data controller, potentially exposing the
Client/interested party itself to liability for breach of contract.
Personal data provided by the Client/interested party may, likewise, be processed if this
is necessary to fulfill a legal obligation to which the data controller is subject, for the
safeguarding of the vital interests of the Client/interested party or another natural person,for
the performance of a task of public interest or connected with the exercise of public powers vested in the data controller
or for the pursuit of the legitimate interest of thedata controller
itself or of a third party, provided that the interests orfundamentalrights and freedoms
of the Client/concernedperson do not prevail;even in these cases, the provision of data is obligatory and,
therefore, the non, partial or inaccurate provision of data may expose the Client/interested party to
possible responsibilities and sanctions provided for by the Legal System.
(4b) Further purposes of processing following specific and express consent of the
Client/interested party
In addition to the purposes of processing mentioned above, the personal data provided/acquired may be
processed, subject to the consent of the Client/interested party, to be expressed by checking the box <I accept cookies> on the Contract or on the Site (or using other social or web applications of the data controller), also for the purpose of conducting market surveys and to carry out commercial and promotional communications, by telephone (also using the cell phone number provided) and automated contact systems (e-mail, sms, mms, fax, etc.), about products/services of the data controller
or companies of the Group to which the data controller may belong.
Consent for the purposes of processing referred to in this point (4b) is optional; therefore,following
any refusal, the data will be processed only for the purposes indicated in the preceding point
(4a), except as specified below with reference to the legitimate interests of the owner of
processing or of third parties
5.Categories of personal data processed
The data controller mainly processes identification/contact data (first name, last name,
addresses, type and number of identification documents, telephone numbers, e-mail addresses, of
fiscal/invoicing nature, except others) and, if commercial transactions are envisaged,
financialdata(of banking nature, in particular current account identifiers,
creditcard numbers, except others related to the aforementioned commercial transactions).
The processing that the data controller carries out, both for the execution of the Contract and in
force of the express consent of the Client/interested party, does not generally concern special categories
of personal data, known as sensitive (revealing racial or ethnic origin,politicalopinions
, religious beliefs, state of health or sexual orientation, etc.), nor genetic data
and biometric or so-called judicial data (relating to criminal convictions and crimes).
However, it cannot be ruled out that the data controller, in order to perform the obligations
arising from the Contract, must retain and/or has the need to process sensitive, genetic and
biometric or judicialdata, of the Client/interested party or of third parties, which the Client/interested party has in
its capacity as data controller;in this hypothesis, the processing by the owner of the
processing is carried out by virtue of, under the conditions and within the limits referred to in the appointment of the same owner of the
processing as a data controller, by the Client/interested party.
The data controller processes, as the data controller with reference to the Site, and,
potentially, as the data processor appointed for this purpose (under the terms set out above) by the
Client/interested party, also so-called browsing data.The computer systems and procedures
software responsible for the operation of the Internet sites acquire, in the course of their normal
operation, some personal data, the transmission of which is implicit in the use of
communicationprotocolsof the Internet.This is information that is not collected in order to be associated with
identified subjects, but which, by its very nature, could make it possible to identify
the person concerned.This category of information includes geolocation data, IP addresses,
browser type, operating system, domain name and addresses of websites from which
was accessed or exited, information on pages visited by users within the site,
access time, stay on individual page, internal path analysis and other parameters
related to the user's operating system and computer environment.It is, therefore,
information that, by its very nature, allows, through processing and association also
with data held by third parties, to identify users.
On the Site may, then, be made use of cookies, both session (which are not stored on the
computer of the interested party and vanish when the browser is closed) and persistent, for the
transmission of information of a personal nature, or in any case of systems for tracking
the interested parties. 

 6. Source of personal data
The personal data that the data controller processes are collected directly by the data controller
itself from the Customer/interested party at the time of, and during, the navigation of this
on the Site (or using other social or web applications of the data controller), or, also at
by means of its salespeople, at the time of, or subsequent to, the signing of the
Contract, during the execution of the same, or from public sources.
As specified above, the data controller, as a data processor appointed for this purpose,
in order to perform the obligations arising from the Contract, may store and/or process data, in
particular navigationdata, potentially also sensitive, genetic and biometric or judicial data,of
third parties, of which the Customer/interested party has in its capacity as data controller, acquired, subject to
consent of said third parties, at the time of, and during, the navigation of said third parties on the Site (or
using other social or web applications referable to the data controller).

7.Legitimate Interests
The legitimate interests of the data controller or third parties may constitute a valid legal basis for
processing, provided that they do not override the interests or fundamental rights and freedoms
of the data subject.In general, such legitimate interests may exist when there is a
relevant and appropriaterelationship between data controller and data subject, such as when the data subject is
a customer of the data controller.It constitutes, in particular, a legitimate interest of the data controller
to process personal data of the Client/Subject:for fraud prevention purposes, for the purposes of
direct marketing, to ensure the free movement of the same data within the
businessGroupto which the data controller may belong, i.e. related to traffic, for the
purpose of ensuring network and information security, i.e. the ability of a network or a
system to withstand unforeseen events or unlawful acts that may compromise the availability,
authenticity, integrity and confidentiality of the data.

8.Circulationof personal data
(8a) Communication of personal data - categories of recipients
In addition to employees and collaborators in various capacities of the data controller (who are by
the data controller itself authorized to process by virtue of appropriate
writtenoperating instructions, inorder to be able to ensure the confidentiality and security of the data),some operations of
processing may also be carried out by third parties, to whom the data controller
entrusts certain activities, or part of them, functional to the purposes referred to in point (4a), thus both in
execution of contractual and legal obligations, among which deserve mention, however,
inevitably, non-exhaustive:commercial and/or technical partners; companies that providebanking and financial
services; companies that carry out document archiving services;
debtcollectioncompanies; auditing and balance sheet certification companies; rating companies; subjects that
carry out, on behalf of the data controller, professional assistance and consultancy activities;
companies that carry out customer care activities; factoring, credit securitization or
companies that otherwise assign receivables; companies in the Group to which the data controller possibly
belongs; subjects that provide commercial information; computer service companies.The
subjects belonging to the aforementioned categories process the same personal data as autonomous
data controllers, or as data processors, with reference to
specific processing operations that are part of the contractual services that the subjects
themselves perform for/in the interest of the data controller; to the
data processors the data controller issues adequate written operating instructions, with particular
reference to the adoption of minimum security measures, in order to be able to guarantee the confidentiality and
security of the data.
Some processing operations may be carried out by third parties, to whom the data controller
entrusts certain activities, or part of them, also functionally to the purposes referred to in
(4b), among which deserve mention, however, inevitably, not exhaustive: partners
commercial and / or technical; companies that provide marketing services institutionally; agencies
advertising; subjects that provide assistance and advice with reference to contests and
prize operations.The subjects belonging to the aforementioned categories process personal data as
autonomous data controllers, or as data processors, with
reference to specific processing operations that are part of the contractual services that the
same subjects perform for/in the interest of the data controller; to the
processors the data controller issues adequate written operating instructions, with particular
reference to the adoption of minimum security measures, in order to be able to guarantee the confidentiality and
security of the data.

list,
subject to periodic updating, of the data processors with whom the data controlleritself has dealings is available upon written request to be sent to the data controller's office.
Personal data may, in addition, be communicated, in case of request, to the competent authorities, in
fulfillment of obligations arising from mandatory legal regulations ​

 8b) Transfer of personal data to non-EU countries
The Client's / data subject's personal data may also be transferred abroad, either to countries
of the European Union or to countries outside the European Union and, in the latter case,either on
the basis of an adequacy decision, or within the scope and with the appropriate safeguards provided for by the GDPR
(thus, in particular, in the presence of standard contractual data protection clauses approved
by the European Commission), or, outside of the above-mentioned hypotheses,recurrence of one or more of the
exceptions provided for by the GDPR (in particular, by virtue of the explicit consent of the Client/concernedperson, or
for the execution of the Contract concluded by the Client/concerned person, or for the execution of a
contract concluded between the data controller and another natural or legal person for the benefit of the
Client/concernedperson, in particular for the execution of activities entrusted to it by the
data controllerfor the execution of the Contract concluded with the Client/concerned person).For
the hypothesis of data transfers to countries outside the European Union, the Client/interested party is
allowed, upon written request to be sent to the headquarters of the data controller, to know
the adequate guarantees, or rather the exceptions, that legitimize cross-border processing.It remains
understood, in case of transfer of data to countries outside the European Union, that for any
request inherent to the data, including for the exercise of the rights recognized by the GDPR to the Client/Interested Party,
the latter may always validly refer to the data controller.

Criteria for determining the period of retention of personal data
For the purposes referred to in point (4a) above, the period of retention of personal data
released by the Client/interested party, and the consequent potential processing thereof, coincides with the
period of prescription of rights/duties (legal, tax, etc.) arising from the Contract:
tends to be 10 years, therefore, unless the occurrence of interruptive events of the prescription that
could extend, in fact, said period.
For the purposes referred to in point (4b) above, the retention period of the data released by the
Client/interested party, and the consequent potential processing thereof, ends with the revocation of the
consent previously issued by the Client/interested party itself or, in the absence thereof,
however, one year after the termination of any relationship between the data controller and the
Client/interested party.

10. Rights of the Client/interested party
The data controller recognizes - and facilitates the exercise, by the Client/interested party, of -
all the rights provided for by the GDPR, in particular the right to request access to his/her personal data and
to take a copy of it (art. 15 GDPR), to rectification (art. 16 GDPR) and deletion of it (art.
17 GDPR), to limitation of the processing concerning him/her (art.18 GDPR), to the portability of the data
(art. 20 GDPR, where the prerequisites are met) and to object to the processing that concerns him (art. 21 and
22 GDPR, for the hypotheses mentioned therein and, in particular, to the processing for marketing purposes or
that results in an automated decision-making process, including profiling, that produces
legal effects concerning him, where the prerequisites are met).
The data controller also recognizes, where the processing is based
on consent, theClient/Subject, the right to revoke said consent at any time, without prejudice to the lawfulness
of the processing based on the consent given before revocation.In order to do so, the Customer/interested party
may unsubscribe at any time on the Site (or on other social or web applications of the data controller
treatment) or by using the appropriate link at the bottom of each commercial communication
received, or by contacting the data controller at the contact details above.
In addition, the data controller informs the Client/interested party of the right to lodge a complaint
with the Italian Data Protection Authority, as the supervisory authority operating in
Italy, and to lodge a judicial appeal, both against a decision of the Data Protection Authority,
and against the data controller itself and/or a data processor.
11.Security of systems and personal data
Taking into account the state of the art and the cost of implementation, as well as the nature, object,
context and purposes of the processing, as well as the risk, in terms of probability and severity,
to the rights and freedoms of natural persons, the data controller shall take technical and
organizationalmeasuresdeemed appropriate to ensure a level of security appropriate to the risk, in
particular by ensuring,on a permanent basis, the confidentiality, integrity, availability and
resilience of the processing systems and services (including through the encryption of personal data, where
necessary) and the ability to restore data availability in a timely manner in the event of aphysical or technical
incident, and adopting internal procedures directed at regularly testing, verifying and evaluating
the effectiveness of the technical and organizational measures employed.
In assessing the appropriate level of security, account shall be taken of the risks presented by the processing which
arise, in particular, from the destruction, loss, alteration, unauthorized
disclosureor access, whether accidental or unlawful, to personal data transmitted, stored or
otherwise processed.
The data controller shall ensure that anyone acting under its authority and having
access to personal data shall not process such data unless instructed to do so by the
data controller.
That being said, the Client/Party acknowledges and accepts that no security system guarantees, in
terms of certainty, absolute protection; therefore, the data controller shall not be liable for theactsor
facts of third parties who abusively, despite the appropriate precautions taken, should access
systems without due authorization.

12. Automated decision-making processes, including profiling
The data controller may carry out automated processing, including profiling, in
relation to the purposes referred to in point (4b) above, to optimize the navigability of the Site (or the
usability of other social or web applications of the data controller) and to improve the
shoppingexperience, except as specified above with regard to the rights of opposition and revocation of
consent by the Customer / interested party.
Profiling means any form of automated processing of personal data aimed at
assessing certain aspects relating to a natural person, in particular to analyze or predict
aspects concerning, for example, the personal preferences, interests or location of that person,
including for the purpose of creating profiles, i.e. homogeneous groups of individuals by characteristics, interests or
behavior.
The data controller does not carry out any automated processing that produces legal
effectsconcerning the Client/interested party or that significantly affects his/her
person ina similar way, unless this is necessary for the conclusion or execution of the Contract, is authorized
by law or is based on the explicit consent of the Client/interested party, in any case always recognizing
the latter's right to obtain human intervention, express his/her opinion and
challenge the decision. ​