Privacy Policy (GDPR) – hirostar.com

Last updated: 30/12/2025

This privacy policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”) and applicable national legislation (Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018) to users who browse and use the website hirostar.com (the “Site”), including e-commerce, support and contact services.

Contents

  1. Data Controller
  2. Types of data processed
  3. Purposes, legal bases and nature of data provision
  4. Data recipients
  5. Transfers outside the EEA
  6. Data retention periods
  7. Data subject rights
  8. Cookies and tracking technologies
  9. Minors
  10. Changes to this policy
  11. Contacts

1) Data Controller

The Data Controller is:

  • Hirostar S.r.l.
  • Registered office: Via Washington, 27 – 20146 Milan (MI) – Italy
  • VAT number: 11872250961
  • Email: info@hirostar.com
  • Certified email (PEC): hirostar@pec.it

Data Protection Officer (DPO): unless otherwise communicated, the Data Controller has not appointed a DPO. Should one be appointed, the relevant contact details will be published on this page.

2) Types of data processed

2.1 Browsing data

The IT systems and software procedures used to operate the Site acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols (e.g. IP address, device identifiers, browser type, operating system, information on visited pages, date and time of access, technical logs).

2.2 Data provided by the user

When you make a purchase, create an account, fill in forms or contact us, we may process data such as: first and last name, email address, phone number, shipping/billing address, country, data required to manage the order, tax code/VAT number (if required for invoicing), the content of messages sent and any other information you choose to share.

2.3 Payment data

Payments are handled through third-party providers (e.g. payment circuits and/or payment service providers). The Data Controller does not normally receive or store full card details (e.g. full card number and CVV), which are processed directly by the provider in accordance with their own terms and privacy policies.

2.4 Marketing data (only if you choose to receive promotional communications)

If you choose to subscribe to newsletters or receive promotional communications, we will process contact details and preferences (e.g. consent, declared interests, interaction history with emails, if provided by the service used).

3) Purposes, legal bases and nature of data provision

Below is a summary of the main purposes of processing, the legal bases (Article 6 GDPR) and the nature of data provision.

| Purpose | Legal basis | Data provision |
|---|---|---|
| Enable browsing, ensure security, prevent abuse/fraud, manage technical logs | Legitimate interest (Art. 6.1.f) and, where applicable, legal obligations | Necessary for the operation/security of the Site (partly automatic) |
| Account management (registration, login, user area) | Performance of pre-contractual measures/contract (Art. 6.1.b) | Necessary to create and manage the account |
| E-commerce order management (purchase, shipping, returns, after-sales support) | Contract (Art. 6.1.b) and legal obligations (Art. 6.1.c) | Necessary to purchase and receive products |
| Payment management and administrative/accounting activities | Contract (Art. 6.1.b) and legal obligations (Art. 6.1.c) | Necessary to complete the purchase |
| Handling requests via forms/email (information, support, reseller, sponsorship) | Pre-contractual measures/contract (Art. 6.1.b) and/or legitimate interest (Art. 6.1.f) | Optional, but necessary to receive a response |
| Compliance with legal obligations (tax, accounting, authority requests) | Legal obligation (Art. 6.1.c) | Mandatory |
| Protection of the Controller’s rights (complaints/disputes management) | Legitimate interest (Art. 6.1.f) | Necessary in case of disputes |
| Sending promotional communications/newsletters | Consent (Art. 6.1.a). In some cases, for existing customers, the “soft spam” regime may apply (Art. 130(4), Italian Privacy Code), with the right to object at any time. | Optional (withdrawable at any time) |
| Cookies/statistics/online marketing (e.g. traffic analysis, campaigns, remarketing) | Consent (Art. 6.1.a) for non-essential cookies; for technical/necessary cookies: technical necessity and/or legitimate interest (where applicable) | Optional (manageable via cookie banner) |

Processing methods: data are processed using electronic and/or paper-based tools with appropriate technical and organisational measures to ensure security and confidentiality and to reduce the risk of loss, unlawful use or unauthorised access.

4) Data recipients

Data may be disclosed to third parties only to the extent necessary for the purposes described above, acting as Data Processors (Art. 28 GDPR) or, where applicable, as independent controllers.

Categories of recipients:

  • IT and hosting service providers, system maintenance and security providers, e-commerce platforms
  • Payment service providers and fraud prevention services (e.g. PSPs, banks, payment circuits)
  • Couriers and logistics operators for delivery and returns management
  • Customer care and ticket management service providers (if used)
  • Communication/marketing and analytics service providers (only with consent, where required)
  • Consultants (legal, tax) and competent authorities, where required by law or necessary to protect rights

An updated list of Data Processors may be requested by writing to info@hirostar.com.

5) Transfers outside the EEA

Data are mainly processed within the European Economic Area (EEA). Where certain suppliers (e.g. cloud services, analytics/marketing tools, support services) involve transfers to countries outside the EEA, the Data Controller will adopt the safeguards required by the GDPR (e.g. adequacy decisions, Standard Contractual Clauses, additional measures where necessary).

6) Data retention periods

Data are retained for the time strictly necessary to achieve the stated purposes and in compliance with legal obligations. In particular:

  • Order/invoicing data: up to 10 years (accounting and tax obligations)
  • Account data: until account deletion is requested (unless legal obligations or disputes apply)
  • Support/contact requests: for the time needed to handle the request and any follow-up; then archived according to internal practices
  • Marketing data: until consent is withdrawn/objection is raised or as specified in individual initiatives (where applicable)
  • Cookies and online identifiers: according to consent settings and the technical duration of cookies stored on the device

7) Data subject rights

As a data subject, you may exercise the rights provided for by Articles 15–22 GDPR, including: access, rectification, erasure, restriction, portability (where applicable), objection to processing, and withdrawal of consent (without affecting the lawfulness of processing based on consent before its withdrawal).

You may also lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or bring an action before the competent courts.

8) Cookies and tracking technologies

The Site uses cookies and similar technologies. Necessary cookies enable the proper functioning of the Site (e.g. security, essential features). Preference, analytics and marketing cookies may be used only according to your choices and, where required, with your consent.

Cookie consent and preference management is handled through a Cookie Management Platform (CMP) based on Cookiebot. You can:

  • Accept or reject non-essential cookies via the cookie banner displayed on first access
  • Change your preferences at any time by reopening the cookie settings panel

9) Minors

The Site and its services are not intended for the intentional collection of data from minors. If you believe that a minor has provided personal data without the consent of parents/guardians where required, please contact us to request deletion.

10) Changes to this policy

The Data Controller may update this policy. In that case, the updated version will be published on this page, indicating the date of the last update.

11) Contacts

To exercise your rights or for any questions regarding this policy, you can contact us at: