Privacy policy
Moranzani - Privacy Policy
Last Updated - [1] January 2021
This Privacy Policy describes how your Personal Information is collected, used, and shared when you visit or make a purchase from www.moranzani.com (the “Site”). It applies to all users of the Site, together with our Cookie Policy. If you do not accept these policies, you should immediately discontinue your use of the Site. We ask that you please read this Privacy Policy before providing us with any information about you or any other person.
In this Policy, “Personal Information” means any information relating to you as an identified or identifiable natural person (“Data Subject”). Under relevant legislation, this is also referred to as personal data. For the avoidance of doubt, Personal Information does not include information from which you cannot be identified (which is referred to simply as data/information, non-personal data or information, anonymous data/information, or de-identified data/information).
To the extent that you are a customer or user of our services (including the Site), this Privacy Policy applies together with our Terms of Conditions, available at:
https://www.moranzani.com/policies/legal-notice.
If you are just browsing, we have designed the Site so that you may navigate and use it without having to provide Personal Information, subject only to certain data that may be collected via the use of cookies. Further information is contained in our Cookie Policy, available at: https://www.moranzani.com/policies/cookie-policy.
Who we are and how to contact us
In this Policy, "we", "us" and "our" refer to Xerri Ltd, trading as “Moranzani”, a company incorporated in Gibraltar (Company Registration Number 118941) with its registered address at 30/1 Cornwall’s Lane, P.O. Box 1404, Gibraltar, GX11 1AA.
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by email at info@moranzani.com or by mail using the details provided below:
FAO: Privacy Compliance Officer
MORANZANI
30/1 Cornwall's Lane
P.O. Box 1404
Gibraltar
Our website is owned and operated by us, and we are the “data controller” of any Personal Information you provide us in so far as it relates to the business of Moranzani. We may also act as a “data processor” of your data, acting on the instructions of another data controller.
How we collect Personal Information
When you visit the Site (including when you are just browsing), we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”. For more information, please refer to our Cookie Policy.
When you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, billing address, shipping address, payment information (including credit or debit card numbers), email address, and phone number. We refer to this information as “Order Information”. This includes situations where you abandon your checkout cart after entering your Personal Information.
Additionally, we may offer alternative payment options (such as PayPal and ApplePay) that do not require us to process Personal Information relating to your payment and financial information. In such circumstances, we will only record the method of payment used.
When you register your details on the Site and open a Moranzani user ‘account’, we collect your name and email. Additionally, you are requested to input a password, which is encrypted and not shared with Moranzani personnel or suppliers. Passwords are stored in accordance with our information security policies and procedures in order to ensure they are securely encrypted and subject to further privacy controls. User accounts allow you to keep items in your online shopping basket, use our “Wishlist” functionality and manage your orders (including accessing Order Information) and correspondence with us. You may also opt to share your Wishlist externally to your friends and family by entering their email address (you should only do this with their consent). Your individual user account distinguishes you from other users and the information contained therein is personal to you and referred to as “Account Information”. Using Order Information and Account Information, we create a record of all customers, including an order history log with details of our customers and their purchased items. We also distinguish between new and returning customers, as well as those customers who provide Personal Information generating Account Information without making a prior purchase (i.e. without generating Order Information).
When you use the “Contact Us” feature, we collect your name, email, and any text you input into the “your message” field. You have the option of providing your telephone number, but this is not required in order to contact us. By providing this information, we will be able to respond to your request/query/feedback and distinguish these from those of other users of the Site. You may also contact us by email or mail using the details referred to above.
When you ‘subscribe’ to our offers and/or newsletters, we collect your name and email in order to be able to keep you informed of our latest offers, discounts and other promotional activities or events we consider may be of interest to our customers. We may also choose to use a marketing email management system (such as Mailchimp) to send out newsletters to subscribers, allowing us to prepare customised emails and manage our subscriber base. Where we use such services, we will not store any information collected by our mailing list provider, other than the association of a name to an email address. We will direct you to the privacy policies/notices of any third party system we implement for this purpose.
When visiting any of our Social Networking sites, we may collect and process Personal Information about your use of our social networking sites (e.g. where we use Twitter, Medium, Facebook, Instagram or other popular social networking sites). This data may include:
• clicks on a shortened URL;
• a history of referral URLs for clicks of a shortened URL; and
• a history of IP addresses used to access a shortened URL.
When we talk about “Personal Information” in this Privacy Policy, we are talking about one or more of Device Information, Order Information and/or Account Information, as applicable.
How do we use your Personal Information?
We use the Order Information that we collect generally to fulfil any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information and/or Account Information to:
• Communicate with you;
• Screen our orders for potential risk or fraud; and
• When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
The lawful bases we rely on to process your Personal Information
Consent: We rarely rely on your consent to process your Personal Information, as usually another lawful basis will be more suitable. Where we do seek to rely on your consent, we will always ensure that this consent is fairly obtained by clearly informing you about why your consent is needed. Although consent can be obtained orally, we will usually require that you provide your consent through a clear, affirmative action such as ticking a box, toggling/swiping a button or switch on our website or on a mobile application, signing your name or other suitable method that can clearly evidence your consent.
Further to contract: When you place an order on our Site you agree to this Privacy Policy (as read with our Cookie Policy) as well as our Terms of Business. This forms the basis of a commercial business relationship with you, and in order to fulfil our obligations under that legal contract we will need to process certain Personal Information (e.g. to ensure we give the correct orders to the correct persons). These obligations may not be limited to fulfilment of your order, but also communication of disruptions to our services, or investigation of complaints.
Compliance with legal obligations to which we are subject: Certain record keeping requirements may apply to us by statute and prescribe a minimum period for us to retain data. Other laws and regulations (e.g. those relating to anti-money laundering and counter-terrorism/counter-terrorist financing) may require us to properly identify our customers, or to ensure that we prevent fraud on our Site. Processing may also be necessary where it is in response to requests by government or law enforcement authorities conducting an investigation.
Necessary to protect your vital interests or those of another person: we will rarely rely on this as a lawful basis, but will inform you where the need arises.
Processing based on a task carried out in the public interest or to exercise official authority: we never rely on this as a lawful basis to process your Personal Information.
Processing is required to pursue our legitimate interests (or those of a third party): Where we have a business relationship with you and have obtained your Personal Information for that purpose, we may also wish to use that Personal Information to pursue a legitimate aim. We cannot, and will not, always rely on this lawful basis for all processing. There may be cases where your interests and fundamental rights could override our legitimate interest. This may happen in cases where Personal Information are processed in circumstances where you do not reasonably expect further processing. We will always need to (i) identify a legitimate interest; (ii) show that processing is necessary to achieve it; and (iii) balance it against your interests, rights and freedoms. Some non-exhaustive examples of situations where we may seek to pursue legitimate interests are:
• Direct marketing, and improving our services, the Site and user experience. Note that you have the right to be free from (“opt-out” of) direct marketing. See more information on this right below.
• Where it is necessary to establish, exercise, or defend legal claims.
• Preventing fraud, keeping our staff and our business secure, and disclosing criminal acts.
Sharing your Personal Information
We may pass your information to our business partners, affiliates, administration centres, third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing our services to you. These will be treated as our data processors, who will act on our instruction when processing your Personal Information. In addition, when we use any other third-party service providers, we will disclose only the Personal Information that is necessary to deliver the service required and we will ensure that they keep your information secure and do not use it for their own direct marketing purposes.
For example, we use Shopify to power our online store. You can read more about how Shopify uses your Personal Information here:
https://www.shopify.com/legal/privacy.
We also use Google Analytics to help us understand how our customers use the Site. You can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a legal action, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
In addition, we may transfer your Personal Information to a third party as part of a sale of some, or all, of our business and assets or as part of any business restructuring or reorganisation, or if we are under a duty to disclose or share your Personal Information in order to comply with any legal obligation. However, we will take steps to ensure that your privacy rights continue to be protected.
Behavioural advertising
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
• Facebook: https://www.facebook.com/settings/?tab=ads
• Google: https://www.google.com/settings/ads/anonymous
• Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
• Twitter: https://help.twitter.com/en/safety-and-security/privacy-controls-for-tailored-ads
• Instagram: https://www.facebook.com/help/instagram/2885653514995517?locale=en_US
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Transferring Your Personal Information outside of the European Union (EU)
We will ensure that any transfer of data outside of the EU or the European Economic Area (EEA) to what are commonly referred to as “third countries” is only effected to such extent as allowed by applicable legislation, and subjected to additional safeguards that are appropriate to ensure the processing of your Personal Information outside of the EEA remains within our control as far as possible and allows you to continue to enforce your rights as a data subject. The EEA includes all the EU Member States, plus Norway, Iceland and Liechtenstein.
We will ensure that third country transfers of this nature happen, insofar as we can control this, only where the Personal Information will be adequately protected by measures such as the following:
• Standard contractual clauses approved by the European Commission.
• Ensuring transfers are to third countries that are subject to an adequacy decision by the European Commission.
• Use of Binding Corporate Rules (note: given the size of our organisation, we do not transfer Personal Information subject to Binding Corporate Rules).
We do not rely on the US Privacy Shield framework.
In addition, we may rely on certain exemptions under applicable legislation; for example, in cases where Personal Information to be shared is minimal, where we obtain your explicit consent to an international transfer or where the transfer is necessary for the performance of any contractual obligations we have with our customers.
Our data security measures
We have put in place appropriate security measures to prevent your Personal Information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your Personal Information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Information on our instructions and they are subject to a duty of confidentiality. We educate and train our employees on our information security, fraud prevention and privacy obligations at least annually, and they are aware that mishandling of your Personal Information is a disciplinary offence within our organisation and also has important legal implications.
We have put in place procedures to deal with any suspected Personal Information breach. Where we are legally required to do so, we will notify you and any applicable supervisory authority of a breach without undue delay.
Given this Site uses Shopify to deliver the online shopping experience and to manage user accounts and orders, your Personal Information is also subject to security measures implemented at Shopify. For further information, please visit: https://www.shopify.com/legal
Whilst we take appropriate technical and organisational measures to safeguard your personal information, please note that we cannot guarantee the security of any data that you transfer over the internet to us.
Existence of automated decision-making
On our Site, and in delivery of our services, decisions are not made by computers or robots, and where any decisions need to be made using automated means, they will be subject to human intervention. We also do not use your Personal Information for the purposes of profiling.
Data retention
When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information. Your Order Information may also be saved to your Account Information where you open a user account with us.
In all cases, we retain your information only for as long as is necessary for the purposes for which we process the information as set out in this Policy. Retention periods are determined based on the type of record, the nature of the data and activity and the legal or regulatory requirements that apply to those data. To determine the appropriate retention period for Personal Information, we consider:
• the amount, nature, and sensitivity of the Personal Information;
• the potential risk of harm from unauthorised use or disclosure of the Personal Information;
• the purposes for which we process the Personal Information and whether we can achieve those purposes through other means; and
• the applicable legal requirements that may require us to retain or destroy it.
However, we may retain your Personal Information for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. Finally, we may retain your Personal Information where we have a legitimate interest to do so; e.g. for the establishment, exercise, or defence of legal claims.
Additional Information
Minors: The Site is not intended for individuals under the age of 18. If we are required to provide or decide to provide online services to a child, or to investigate a report or complaint made by a child, we will need parental consent for this, and may, for this purpose, ask for the name, email address and contact information of the person(s) with parental responsibility for that child.
Changes: We may update this Privacy Policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. Where we do so, we will change the ‘Last Updated’ date above, and any amended policy will be effective immediately on the date stated therein.
Your rights as a data subject
You have certain rights under applicable legislation and in particular under Regulation (EU) 2016/679 (‘General Data Protection Regulation’ or ‘GDPR’). We explain these below. You can find out more about the GDPR and your rights by accessing the European Commission’s website at the following link: https://ec.europa.eu/info/law/law-topic/data-protection_en.
In summary, you have the following rights as a data subject:
• Right to information
• Right of access
• Right to rectification
• Right to restrict processing
• Right to object to processing (including profiling)
• Right to opt-out of direct marketing
• Right to data portability
• Right to erasure (‘right to be forgotten’)
• Right to freedom from automated decision-making
• Right to withdraw consent
• Right to lodge a complaint with us, or with a relevant supervisory authority
Further information on each of these rights is contained in the Annex to this Privacy Policy.
If you would like to exercise any of the above rights, please contact us through the contact information above.
Requests are free of charge, unless manifestly unfounded or excessive in which case we may charge a reasonable fee. Alternatively, we may refuse to comply with your request in these circumstances. Requests will be processed within one month of receipt but this might be extended to two months in case of a complex request, where you have made a number of requests, or if the identity of the requestor cannot be verified. In such cases, we will notify you and keep you updated, and may seek additional information to allow us to understand your request.
ANNEX
Further Information on your rights as a data subject
Right to information
You have a right to be informed about the processing of your Personal Information (and if you did not give it to us, information as to the source) and this Privacy Policy intends to provide such information. Of course, if you have any further questions you can contact us on the above details.
Right of access
You have a right to obtain confirmation from us as to whether or not your Personal Information are being processed and, where this is the case, a right of access to your Personal Information, but not that of others. We have an obligation to provide additional information when complying with an access request (also referred to as a “data subject access request” or “DSAR”), and we have endeavored to capture this information within this Policy.
We are happy to provide you with details of the Personal Information that we process about you. To protect our customers' personal information, we follow strict storage and disclosure procedures, which means that we will require proof of identity from you prior to disclosing such information. This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it.
Right to rectification
You have the right to have any inaccurate Personal Information rectified and to have any incomplete personal information about you completed.
It is important that the Personal Information we hold about you is accurate and current. Please keep us informed if your Personal Information changes during your relationship with us. If we do hold Personal Information and you believe it is incorrect, you may submit a request to us to correct any alleged mistakes.
We shall communicate any rectification of Personal Information to each recipient to whom the Personal Information have been disclosed, unless this proves impossible or involves disproportionate effort, and shall inform you about such recipients if you request it.
Right to restrict processing
Instead of requesting erasure, you also have the right to restrict processing of your personal information where:
• you contest the accuracy of the Personal Information;
• processing is unlawful, but you do not want us to erase it;
• we no longer need to process your Personal Information but you need us to retain your information as you need it for the establishment, exercise, or defence of legal claims; or
• you have objected to our use of your Personal Information but we need to verify whether we have overriding legitimate grounds to use it.
We shall communicate any restriction of Personal Information to each recipient to whom the Personal Information have been disclosed, unless this proves impossible or involves disproportionate effort, and shall inform you about such recipients if you request it.
Right to object
You have a right to object at any time to processing of Personal Information (including profiling) concerning you where:
• processing is based on your consent, and you withdraw that consent;
• processing is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in a controller; or
• we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
We do not process Personal Information on grounds of public interest or exercise of official authority. We do however rely on our legitimate interests as a lawful basis for processing Personal Information as outlined in this Policy. This applies, in particular, in the context of directly marketing to you.
Exercise of this right may impact the services we can provide and we will explain this to you if you decide to exercise it. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms, and this may allow us to continue to (wholly or partly) process your personal information.
Right to opt-out of direct marketing
This forms part of your right to object (see immediately above), but is an absolute right, in that it is always available to you and you can exercise this right at any time without restriction.
You have a choice about whether or not you wish to receive direct marketing information from us. We will not contact you for marketing purposes unless:
• you have a business relationship with us, and we rely on our legitimate interests as the lawful basis for processing (as described above); or
• you have otherwise given your prior consent (such as when you actively subscribe for news, information, newsletters or marketing information on our website, where we provide this functionality).
We will only use your preferred communication channels to contact you, and on each and every marketing communication, we will always provide the option for you to exercise your right to object to the processing of your Personal Information for marketing purposes (known as ‘opting-out’) by clicking on an ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your data.
You can change your marketing preferences and/or opt-out at any time by contacting us on the above details.
Please note that any administrative or service-related communications (to offer our services, or notify you of an update to this Privacy Policy or applicable terms of business, etc.) will solely be directed at our clients or business partners, and such communications generally do not offer an option to unsubscribe as they are necessary to provide the services requested. Therefore, please be aware that your ability to opt-out from receiving marketing and promotional materials does not change our right to contact you regarding your use of our website or as part of a contractual relationship we may have with you.
Right to data portability
You have a right to receive the Personal Information concerning you (which you have provided to us) in a structured, commonly used and machine-readable format, or ask us to send it to another person. This right only applies where:
• processing is based either (i) on your consent or (ii) on a contract we have with you (or steps taken at your request prior to entering into a contract); and
• processing is carried out by automated means.
Processing by automated means is understood as general electronic processing (i.e. excluding paper files), and is to be distinguished from automated decision-making (explained below).
This right does not include any additional data that is created by us based on the data you have provided. For example, if we use the data you have provided to create a user profile or account, then this data would not be in scope of data portability (but could be in the scope of a data subject access request as explained above).
Right to erasure (‘right to be forgotten’)
You have the general right to request the erasure of your personal information in the following circumstances:
• the personal information is no longer necessary for the purpose for which it was collected;
• you withdraw your consent to consent-based processing and no other legal justification for processing applies;
• you object to processing for direct marketing purposes;
• we unlawfully processed your personal information; and/or
• erasure is required to comply with a legal obligation that applies to us.
We will proceed to comply with an erasure request without delay, unless continued retention is necessary for:
• Exercising the right of freedom of expression and information;
• Complying with a legal obligation under EU or other applicable law;
• The performance of a task carried out in the public interest;
• Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; and/or
• The establishment, exercise, or defence of legal claims.
We shall communicate any erasure of Personal Information to each recipient to whom the Personal Information have been disclosed, unless this proves impossible or involves disproportionate effort, and shall inform you about such recipients if you request it.
Right to freedom from automated decision-making
As explained above, we do not use automated decision-making, but where any automated decision-making takes place, you have the right in this case to express your point of view and to contest the decision, as well as request that decisions based on automated processing concerning you or significantly affecting you and based on your Personal Information are made by natural persons, not only by computers.
Other rights
Right to withdraw consent
Where the legal basis for processing your personal information is your consent, you have the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Consent should be as easy to withdraw as it is to give, so we will normally provide toggle switches, tick boxes or forms that allow you to change your preference at any time online. However, if an online option is not available, or if you have submitted a paper form and no longer have a copy available, you can always enquire about and exercise your right to withdraw consent by contacting us on the above details.
Raising a complaint about how we have handled your Personal Information
If you wish to raise a complaint on how we have handled your Personal Information, you can contact us as set out above and we will then investigate the matter.
Right to lodge a complaint with a relevant supervisory authority
If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the Information Commissioner under the Data Protection Act 2004, which is presently the Gibraltar Regulatory Authority (“GRA”). You may contact the GRA on the below details:
Address: Gibraltar Regulatory Authority, 2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar
Email: info@gra.gi
Phone: (+350) 200 74636
Fax: (+350) 200 72166
Website: www.gra.gi
You also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of your rights has taken place, if that is based in the EEA.
