PRIVACY POLICY

PRIVACY POLICY

Last updated: February 2026

This Privacy Policy, provided pursuant to Article 13 of EU Regulation 2016/679 (‘GDPR’), describes how RETORI (the ‘Site’, ‘we’, ‘us’ or “our”) collects, uses and shares your personal data when you visit, use our services or make a purchase on retori.com (the ‘Site’). ‘we’, ‘us’ or ‘our’) collects, uses and shares your personal data when you visit, use our services or make a purchase on retori.com (the “Site”) or otherwise communicate with us regarding the Site (collectively, the ‘Services’). For the purposes of this Privacy Policy, ‘you’ and ‘your’ refer to you as a user of the Services, whether you are a customer, a website visitor or another individual whose information has been collected under this Privacy Policy.
Please read this Privacy Policy carefully.

 

Third-party links

Retori is committed to protecting and ensuring the security and confidentiality of its customers' personal data in accordance with the GDPR, taking all necessary precautions to prevent such data from being distorted, damaged or accessed by unauthorised third parties. Our Site may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated with or controlled by us, we encourage you to review their privacy and security policies and terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites, including the accuracy, completeness or reliability of the information contained therein. The information you provide on public or semi-public sites, including information you share on third-party social networking platforms, may also be visible to other users of the Services and/or users of such third-party platforms, without limitation as to their use by us or third parties. The inclusion of such links does not, in itself, imply any endorsement of the content of such platforms or their owners or operators, except as indicated in the Services.

 

Data controller

The data controller is RETORI S.r.l., with registered office in Milan (MI), at Via Dante no. 4, 20121, Italy, which can be contacted at the addresses indicated below in this policy.
Retori S.r.l. has appointed a Data Protection Officer (DPO) who can be contacted at the address indicated in the ‘Contact Details’ section.

 

Types of data processed

The Data Controller processes the following categories of personal data:

  • Personal details, such as, but not limited to, name, surname, gender, date of birth, address, city;
  • Contact details, such as, but not limited to, telephone number, e-mail address;
  • Order information, including billing address, shipping address, payment confirmation;
  • Account information, including email address and password;
  • Customer service information, including information you choose to include in communications with us, such as when you send a message through the Services;
  • Browsing data, such as IP address, products visited, for which information can be found in the Cookie Policy.

 

Purpose and legal basis of processing

Customers' personal data is collected for the following purposes:

  1. provision of products and services: we use your personal data to provide you with services in order to perform our contract with you, including to process your payments, fulfil your orders, arrange shipping, facilitate any returns and exchanges, and other features. The legal basis for processing is the performance of the contract or the services requested pursuant to Article 6(1)(b) of the GDPR;
  2. customer service: we use your personal data to provide you with the customer service you have requested and information about orders and payments. The legal basis for the processing is the performance of the services requested pursuant to Article 6(1)(b) of the GDPR;
  3. marketing and advertising: with your consent, we use your personal data for marketing and promotional purposes, for example to send commercial communications, advertising and promotions via e-mail, SMS and instant messaging apps (e.g. WhatsApp, Line, WeChat), and to show you advertisements for products or services. The legal basis for the processing is your free and optional consent, pursuant to Article 6(1)(a) of the GDPR;
  4. profiling: with your consent, we use your personal data to carry out studies, surveys, analyses and statistical and/or market research, on an individual or aggregate basis, in relation to your preferences regarding our products, in order to offer you personalised services in line with your needs and to promote cultural and recreational initiatives and activities that may be of interest to you. The legal basis for the processing is your free and optional consent, pursuant to Article 6(1)(a) of the GDPR.
  5. sending newsletters: with your consent, we use your e-mail address to send you communications about events and promotions organised by the Data Controller. The legal basis for the processing is your free and optional consent, pursuant to Article 6, paragraph 1, letter a) of the GDPR. You can choose not to receive them at any time by using the unsubscribe option displayed in our emails;
  6. service improvement: we use your personal data through reports and statistics to improve our Services. The legal basis for the processing is legitimate interest, pursuant to Article 6(1)(f) of the GDPR;
  7. security and fraud prevention: we use your personal data to detect, investigate or take action regarding possible fraudulent, illegal or harmful activities in the use of the Services. The legal basis for the processing is that of legitimate interest, pursuant to Art. 6,
  8. exercise of the right of defence: we use your personal data in the event of any complaints or legal or extrajudicial actions in order to exercise our right of defence. The legal basis for the processing is that of legitimate interest, pursuant to Article 6(1)(f) of the GDPR;
  9. fulfilment of legal and regulatory obligations: we use your personal data to fulfil legal or regulatory obligations imposed on us by national regulations. The legal basis for the processing is that of legitimate interest, pursuant to Article 6, paragraph 1, letter f) of the GDPR.

 

Data retention

Your personal data is retained for the time strictly necessary to achieve the purposes for which it is collected and, in any case, in accordance with the maximum retention criteria set out below. After this period, your data will be anonymised, unless Retori S.r.l. is required to retain the data for a further period (e.g. in the event of a dispute).
For the purposes referred to in:

  • letters a) and b) of this policy, the retention period is a maximum of 10 years;
  • letters c), d) and e) of this policy, the retention period is a maximum of 7 years, unless you withdraw your consent as indicated in the section on the rights of data subjects;
  • letters f) and g) of this policy, the maximum retention period is 10 years;
  • for point h) of this policy, the maximum retention period is 5 years following the final judgement of the dispute or, in the case of an out-of-court settlement, following the agreement between the parties;
  • for point i) of this policy, the retention period is that required by the regulations indicated.

 

Communication and dissemination of data

The data collected may be processed by employees and collaborators of Retori S.r.l. in their capacity as persons authorised to process data, duly bound by confidentiality.
This data may also be processed by trusted companies that perform technical and organisational tasks on our behalf relating to the management of the website or other activities requested through the website. These companies are our direct collaborators and operate as our data processors. The complete list of Data Processors is constantly updated and is available on request by sending a communication to the addresses below.
The data will also be disclosed to third parties who will act as independent data controllers.
Finally, we may obtain information about you from third parties, including vendors and service providers who may collect information on our behalf, such as:

  • companies that support our Website and Services, such as Shopify.
  • Specialised third-party providers who collect and process the necessary data, such as information relating to your bank account, credit or debit card and billing address, in order to process payments, fulfil orders and provide you with the products or services you have requested. In particular, Retori S.r.l. uses the service provided by Global-e, which acts as a payment processor on our behalf. Global-e and Retori S.r.l. act as independent data controllers, given that Global-e has its own Privacy Policy and Cookie Policy (available at this link https://www.global-e.com/consumer-privacy-policy).

 

Place of processing and transfers outside the EU

We may transfer, store and process your personal data outside the country in which you live. Your personal data is also processed by staff, third-party service providers and partners in these countries.
In the event of your personal data being transferred outside Europe, we assure you that such transfer will take place in accordance with the appropriate safeguards provided for by the GDPR, i.e. on the basis of an adequacy decision, standard contractual clauses or binding corporate rules.

 

Data subject rights

Depending on where you live, you may have some or all of the rights listed below in relation to your personal data. However, these rights are not absolute, may only apply in certain circumstances, and in some cases we may refuse your request as permitted by law.

  • Right of access: you have the right to request access to the personal information we hold about you, including details of how we use and share your information.
  • Right to erasure: you have the right, except in cases of limitation expressly provided for by law, to request the erasure of the personal information we hold about you.
  • Right to rectification: you have the right to request the correction of inaccurate personal information we hold about you.
  • Right to portability: you have the right to receive, in certain circumstances and with certain exceptions provided for by law, a copy of the personal information we hold about you and to request its transfer to a third party.
  • Right to object: you have the right, in certain circumstances, to object to the processing of your personal data.
  • Restriction of processing: you have the right, in certain circumstances provided for by law, to ask us to stop or restrict the processing of your personal data.
  • Withdrawal of consent: where we rely on consent to process your personal data, you may have the right to withdraw that consent. In any case, the withdrawal of consent takes effect from the moment of receipt and the previous processing carried out on the basis of the consent you gave remains lawful.
  • Complaint to the Authority: if you believe that the processing violates the GDPR, you also have the right to lodge a complaint with the competent supervisory authority.

You can exercise any of these rights by contacting us using the addresses provided in the ‘Contact Details’ section.

 

Contact Details

If you have any questions about our privacy policies or this Privacy Policy, or if you wish to exercise any of your rights, please call us or send us an email at digital@retori.com or contact us at Via Dante 4, Milan, MI, 20121, IT, or you can contact the Data Protection Officer (DPO) at the email address digital@retori.com;

 

CCPA – additional US privacy information

In the United States, some states have adopted their own laws regarding the processing of their citizens' data. The CCPA grants California residents certain rights and imposes restrictions on certain business practices, as outlined below. This section applies only to California residents, as defined in sections 1798.140 (c), (g), 1798.145(a)(6) of the CCPA, as well as residents of other states such as Colorado, Connecticut, Utah, Nevada, Virginia, Delaware, Iowa, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon and Texas, which have regulations similar to the CCPA.

 

Right to object to the sale of personal data

Residents of California and the above states have the right to opt out of the sale of their personal data, including the display of advertisements based on personal data obtained or inferred over time from an individual's activities across companies or sites, applications or services with distinct brands (‘targeted advertising’, also defined in California as ‘cross-context behavioural advertising’) . Certain states listed above also provide the right to opt out of ‘sharing,’ which includes providing or making personal information available to third parties for such targeted advertising activities. Please note that Retori, in accordance with GDPR regulations, requires express consent for the above activities, without which no profiling activities are carried out. We do not and will not sell your personal data. Please also note that if you visit our Site from the United States with the Global Privacy Control opt-out preference signal enabled, depending on your location, we will automatically treat this request as a request to opt out of the ‘sale’ or ‘sharing’ of information for the device and browser you use to visit the Site.

 

Notice of Collection

At or prior to the collection of personal data, residents of California and the above states must be provided with a notice regarding the categories of personal data collected and the purposes for which such information is used.

 

Automated Processing

We do not engage in automated processing of personal data for the purpose of evaluating, analysing, or predicting an individual's personal aspects for decisions that produce legal or similarly significant effects.

 

Verifiable deletion requests and information requests

Subject to certain exceptions, residents of California and the above states have the right to make the following requests, free of charge:

  • Deletion request: You have the right to request the deletion of personal data collected about you and to have such personal data deleted, except where an exemption applies.
  • Request for information: you have the right to request and, subject to certain exemptions, receive a copy of all personal data we have collected about you in the previous 12 months and have it delivered to you electronically in a portable and, to the extent technically feasible, readily usable format that allows you to transmit that information to another entity without hindrance. You also have the right to request certain information about how we have processed your personal data in the previous 12 months, including:
    1. categories of personal data collected;
    2. categories of sources of personal data;
    3. business and/or commercial purposes for collecting and selling their personal data;
    4. categories of third parties/with whom we have disclosed or shared their personal data;
    5. categories of personal data we have disclosed or shared with a third party for a commercial purpose;
    6. the categories of personal data collected;
    7. the categories of third parties to whom the personal data of residents have been sold and the specific categories of personal data sold to each category of third parties.
  • Requests for information may be made up to twice every 12 months.

 

Right to non-discrimination

The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA. Discrimination may exist when a business denies or provides a different level or quality of goods or services, or applies (or suggests applying) different prices, rates, or penalties to residents who exercise their rights under the CCPA, unless this is reasonably related to the value provided to the business by the residents' data. This rule also applies to residents of the other states listed in the paragraph.

 

Financial Incentives

A business may offer financial incentives for the collection, sale, or deletion of California residents' personal data, provided that the incentive is not unfair, unreasonable, coercive, or usurious, and is made available in accordance with applicable transparency, informed consent, and opt-out requirements. To this end, we may ask you to collect or share your personal data, including, but not limited to, your name, contact information, professional information, account information, and transaction information. The third parties who may receive access to your personal data in connection with any programme or offer are our business partners. California residents have the right to be informed of any financial incentive offers and their specific terms, as well as the right to opt out of such incentives at any time; residents may not be included in such incentives without their prior informed consent. We do not currently offer any incentives.

 

Submitting requests

We may need to collect information from you to verify your identity, such as your email address or account information, before providing a substantive response to your request. In accordance with applicable laws, you may designate an authorised agent to submit requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof that you have authorised them to act on your behalf, and we may need you to verify your identity directly with us. We will respond to your request in a timely manner as required by applicable law.