1. The Data Controller
Personal data collected through this website is processed by:
- Cesare Vergari s.r.l. - Società Agricola
- Registered office
- Via Cutrofiano, 167, 73040 Supersano, Italy
- VAT no. (P.IVA)
- 04219010750
- REA
- LE - 274749
- PEC
- cesare.vergari@open.legalmail.it
- SDI
- 0000000
- info@agricolavergari.it
- Phone
- +390833631359
referred to in this notice as “we”. For anything concerning your personal data you can write to the addresses above or use the contact page.
2. What this policy covers
This notice explains how personal data is processed when you browse this website, create an account, place an order, book a tasting or write to us — in accordance with Regulation (EU) 2016/679 (GDPR) and Legislative Decree no. 196/2003 as amended. The company identified in section 1 is the data controller. The notice does not cover third-party websites reached through links on our pages.
3. What data we collect
We only collect the data needed to run the shop and the mill's tasting experiences:
- Account data — email address, name, phone number, country of residence, saved billing and shipping addresses, preferred language and password (stored only in hashed form).
- Social sign-in data — if you choose to sign in with Google, Apple or Facebook, we receive your name and email address from that provider; we never see your password.
- Order data — the products purchased, amounts, delivery and billing addresses and, if you request an invoice, the billing details you provide such as tax code, VAT number or SDI recipient code.
- Booking and enquiry data — name, contact details and the content of the messages or tasting requests you send us.
- Acceptance records — when you accept the Terms & Conditions we record the accepted version, date and time, IP address, browser identifier and language, as proof of the acceptance.
- Security and fraud-prevention data — when you register, sign in or sign out (including failed sign-in attempts), place an order or complete a payment, we record the date and time of the event, your IP address, your browser identifier (user agent) and the interface language you were using. The same details are recorded when a request is refused by our protection measures — for example when the request limits in section 4 are exceeded or a fraud-prevention rule matches. For paid orders we also receive and keep, from our payment provider, the card's issuing country and Stripe Radar's fraud-risk assessment of the payment.
- Technical data — server logs (IP address, requested pages, timestamps) and the technical cookies described in section 11.
4. Purposes and legal bases
Your data is processed:
- to conclude and perform the contract — managing orders, payments, deliveries, invoicing on request, tasting bookings and the account area (Article 6(1)(b) GDPR);
- to comply with legal obligations, such as tax and accounting rules and, where applicable, anti-money-laundering provisions (Article 6(1)(c) GDPR);
- in our legitimate interest to keep the shop secure and prevent fraud (Article 6(1)(f) GDPR): the security and fraud-prevention data described in section 3 is analysed to protect accounts and the platform — for example to recognise implausible sign-in or ordering patterns such as too many discrepancies in location, to maintain internal denylists of characteristics associated with detected fraud, to apply hourly per-connection limits on the number of requests our public forms accept, and to apply additional checks at registration or checkout when such a pattern has been detected. The same basis covers technical logs and establishing or defending legal claims. You may object to this processing at any time (section 10);
- on the basis of consent only where we expressly ask for it. Today the website sends transactional messages only — order confirmations, booking replies, account notices — and carries out no marketing and no profiling.
Providing the data marked as required at registration, checkout or booking is necessary to fulfil your request; without it the account, order or booking cannot be processed.
5. Payments
Payments are handled by Stripe, an independent PCI DSS–certified payment provider. The payment step takes place on Stripe's own secure pages, which apply Stripe's cookie policy — no payment cookie is ever set on this website. Your card details travel encrypted from your browser to Stripe and never reach our servers; we only receive a payment reference, the outcome and the amount. Stripe also applies its own fraud-prevention system (Stripe Radar) to every payment; we receive its risk assessment and the card's issuing country, and use them solely to decide whether to accept an order (section 4). Stripe processes your data as an autonomous controller, as described in its own privacy policy.
6. Recipients and where your data lives
The website runs on Google Cloud infrastructure — application, database and file storage — under a data-processing agreement with Google, with the data hosted in the European Union; sensitive documents (invoice copies, acceptance certificates) are stored encrypted in a private bucket. Beyond that, data is shared only with the parties needed to fulfil your requests: the courier delivering your order (name, address, phone), the payment provider (section 5), our email service for transactional messages, and professional advisers or public authorities where the law requires it. We never sell personal data.
The map on the contact page loads its tiles from OpenStreetMap and its software from a public CDN: when that page is displayed, those services see your IP address, as any website you visit does.
7. Transfers outside the European Union
Where a provider processes some data outside the European Union (for example certain Stripe or Google services), the transfer relies on the safeguards of Chapter V of the GDPR — an adequacy decision such as the EU–US Data Privacy Framework, or Standard Contractual Clauses.
8. How long we keep your data
We keep personal data only as long as each purpose requires:
- Account data: for as long as the account exists.
- Orders, invoice-request details and terms-acceptance records: for up to five years from the order — or, if you had an account, from its deletion — to meet anti-fraud, anti-money-laundering and audit needs and to establish or defend legal claims; they are then erased or irreversibly anonymised.
- Booking requests and messages: up to two years from the last exchange.
- Security and fraud-prevention records — sign-ins, sign-outs, failed sign-in attempts and the client details captured with your order actions: up to twelve months, after which they are deleted; the client details attached to order records are blanked when the order itself is anonymised. Where a record forms part of a detected-fraud case, it may be kept for the time needed to handle that case and any legal claims.
- Fraud-prevention denylist entries — the characteristics (such as an email or postal address) of attempts refused for fraud: for as long as they remain necessary to protect the shop against repeated fraud; they are reviewed periodically and removed when no longer justified.
- Technical logs: up to ninety days, unless an incident requires a longer investigation.
Invoice documents issued through the website are courtesy copies provided for your reference; the fiscal originals are issued and stored by the Seller outside the website, in accordance with the applicable tax rules.
9. Deleting your account
You can delete your account yourself at any time from the Privacy & data section of your account area. Because the deletion cannot be undone, you will be asked to sign in again and to type a randomly generated confirmation phrase; accounts with orders still in progress must wait until those are settled. You can also request deletion by writing to the addresses in section 1 from the email registered on the account. Either way, the account is deactivated without delay and its profile data — addresses, phone number, social sign-in link, active sessions — is removed; order, billing and acceptance records are moved to a restricted archive and retained for up to five years as described in section 8, accessible only for the legal purposes listed there, after which they are erased or anonymised.
10. Your rights
You may at any time exercise the rights of Articles 15–22 GDPR — access, rectification, erasure, restriction, portability and objection (including to processing based on legitimate interest) — by writing to the addresses in section 1; we reply within one month. If you believe your data is processed unlawfully, you may lodge a complaint with the Italian supervisory authority, the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it), or with the authority of your country of residence.
11. Cookies
This website uses technical cookies only: the session cookie (login and cart), the CSRF security cookie, the language cookie and local browser preferences such as the light or dark theme and the dismissal of the cookie notice. They are strictly necessary or purely functional, require no consent under the Italian data protection authority's guidelines, and no advertising, analytics or profiling cookie is ever set. For this reason the cookie notice shown on your first visit is informational only — there is nothing to accept or refuse. Blocking cookies in the browser may prevent login and checkout from working.
12. Security
Data travels over encrypted connections (HTTPS) and is stored on infrastructure with restricted, logged access. Passwords are hashed, sensitive documents are encrypted at rest, staff access is limited to what each role requires, and accounts can be protected with two-factor authentication.
13. Minors and automated decisions
The shop is intended for adults: by ordering you declare that you are at least eighteen years old, and we do not knowingly collect children's data. No marketing profiling is carried out. Security data may be analysed for fraud-prevention purposes as described in section 4; if a registration or order is ever refused as a result of such a check, you can always contact us at the addresses in section 1 to have the decision reviewed by a person.
14. Changes to this policy
We may update this notice — for example when the law, our suppliers or the website's features change. Every version is numbered and kept, and the current version with its publication date is always shown on this page; significant changes are highlighted on the website or, where appropriate, notified by email.