Privacy and Cookie Policy
Privacy & Cookie Policy of flyrshop.com
Last update: 25 April 2025
1 Data Controller and Contacts
Controller | Flyrshop D.O.O. – Registered office: Begunje pri Cerknici 67-71, 1382 Begunje pri Cerknici, SL VAT: 064288123745 |
Privacy e-mail | info.flyrshop@gmail.com |
2 Personal Data We Process
Data category | Examples | Source |
---|---|---|
Identification | first and last name, postal address, order ID | provided by user |
Contact | e-mail, phone, social ID | provided |
Payment | IBAN, card token, PayPal transaction ID | payment provider |
Browsing | IP address, user-agent, server logs, technical cookies | collected automatically |
Profiling / marketing | purchase preferences, viewed products | tracking cookies |
Support | photos, videos, chat transcripts, tickets | provided |
Special categories (Art. 9 GDPR): we do not intentionally process sensitive data. If a user submits such data spontaneously (e.g. in order notes) we will delete it.
3 Purposes, Legal Bases and Retention
# | Purpose | Legal basis (Art. 6 GDPR) | Retention* |
---|---|---|---|
3.1 | Execute the sales contract (cart, shipment, after-sales) | b) Contract | 10 years (tax law) |
3.2 | Legal obligations (invoicing, warranty, returns) | c) Legal obligation | 10 years |
3.3 | Customer care (chat, tickets, RMA) | b) Contract | 24 months after last ticket |
3.4 | IT security and fraud prevention | f) Legitimate interest | 24 months; security logs 6 months |
3.5 | Direct marketing e-mail/SMS/newsletter | a) Consent | Until withdrawal; max 24 months |
3.6 | Profiling for personalised offers | a) Consent | Until withdrawal; max 12 months |
3.7 | Soft-spam on similar products (Art. 130 §4 Italian Privacy Code) | f) Legitimate interest | Until opt-out |
3.8 | Anonymous / aggregated statistics | f) Legitimate interest | Anonymous data only |
*Periods may be extended in case of disputes or regulatory requests.
4 Processing Methods and Security
Data are processed on paper and electronically; only authorised staff can access them (“zero-trust” principle). Security measures include TLS 1.3 encryption, encrypted backups, MFA, intrusion-detection logging, automatic retention policies, and data-minimisation by design.
5 Recipients
Hosting & cloud providers: [OVH SAS] – servers in EU
Carriers / logistics: [UPS, GLS, Poste Italiane]
Payment institutions: [Stripe Payments Europe, PayPal Europe]
Professional advisors (tax, legal) bound by NDAs
Marketing platforms (only with consent): [Klaviyo, Meta, Google]
An up-to-date list of subprocessors is available on request.
6 Transfers outside the EEA
Some suppliers (e.g. Meta Platforms, Google LLC) are located in third countries. Transfers occur under:
An adequacy decision (Art. 45) where available;
Otherwise, Standard Contractual Clauses (Art. 46) plus supplementary safeguards (encryption at rest, pseudonymisation).
7 Data Subject Rights (Arts. 15-22 GDPR)
You may at any time:
obtain confirmation of processing and access (Art. 15)
request rectification or completion (Art. 16)
request erasure (“right to be forgotten”, Art. 17)
obtain restriction (Art. 18) or portability (Art. 20)
object on legitimate grounds or to marketing (Art. 21)
withdraw consent at any time (Art. 7 §3)
Requests: [info.flyrshop@gmail.com].
If you believe your rights have been violated you may lodge a complaint with the Italian Data-Protection Authority (Garante per la Protezione dei Dati Personali) or with your local authority.
8 Minors
Our site and services are not intended for children under 16. We do not knowingly collect their data. If we learn that we have unintentionally obtained personal data from a minor, we will delete it immediately.
9 Cookie Policy
9.1 What cookies are
Cookies are small text files stored by websites on your device. They are classified as:
Type | Purpose | Consent required? |
---|---|---|
Technical (first-party) | session, language, cart | No |
First-party analytics | aggregated stats (e.g. self-hosted Matomo) | No, if anonymised |
Third-party analytics | Google Analytics 4 (IP-anon), Hotjar | Yes, if user-level tracking |
Profiling / marketing | Meta Pixel, Google Ads, TikTok | Yes |
9.2 Cookies we use
Name | Provider | Expiry | Type | Purpose |
---|---|---|---|---|
phpsessid | first-party | session | technical | Keep login/cart state |
_ga | Google LLC | 13 months | analytics | Aggregated statistics (GA4) |
_fbp | Meta | 90 days | marketing | Facebook/Instagram remarketing |
kl_… | Klaviyo | 2 years | marketing | E-mail & browse tracking |
A complete, automatically updated list is generated every 30 days by [Cookiebot].
9.3 Consent management
On first visit a banner compliant with the Italian DPA guidelines (10 June 2021) appears:
Accept all, Reject all, Customise
Scrolling or clicking outside the banner does not equal consent.
Consent is logged server-side (Art. 7 GDPR) and can be withdrawn at any time via the “Cookie settings” widget.
9.4 Disabling cookies via browser
Quick links to guides for Chrome, Firefox, Edge, Safari, Opera.
10 Policy Changes
We may amend this Policy at any time. Previous versions will be archived. For substantial changes (e.g. new marketing purpose) we will notify users by e-mail or banner and, where required, request fresh consent.
(Version 2.0 – fully replaces the previous Privacy & Cookie Policy dated 15 March 2024)