Privacy Policy
1. Data Controller
The data controller within the meaning of Art. 4(7) GDPR is:
- Trading name: Mecivi
- Registered address: Via Monte Piana 16, 20138 Milano (MI), Italy
- Partita IVA: IT10508330965
- REA Milano: MI-2544791
- Privacy contact email: [email protected]
A Data Protection Officer (DPO) is not currently mandatory for the processing carried out by Mecivi. If one is appointed in the future, their contact details will be listed here.
2. Data We Collect
2.1 Data You Provide Directly
- Account registration: email address, password (hashed; never stored in plaintext), full name, company name.
- Placing an order: billing name, delivery address, telephone number, email address, VAT number (if applicable), order details.
- Contact and quote forms: name, email, telephone number, company name, the content of your message.
- Newsletter subscription: email address.
- Payment: payment is processed directly by Stripe or transmitted via bank transfer. Mecivi does not receive or store full card numbers. For bank transfers, we receive only the payer's account name and reference.
2.2 Data Collected Automatically
- Technical data: IP address, browser type and version, operating system, pages visited, timestamps, referring URL. This data is processed by Cloudflare (CDN and security) as part of normal web service operation.
- Cookies: see Section 8.
2.3 Data We Do Not Collect
We do not collect special categories of personal data (Art. 9 GDPR) such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data. We do not knowingly collect data from children under 16 (see Section 9).
3. Purposes and Legal Bases
We process personal data only for specific, explicit, and legitimate purposes (Art. 5(1)(b) GDPR):
| Purpose | Data used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Account creation and management | Email, name, hashed password | Art. 6(1)(b) — contract performance |
| Processing and fulfilling orders | Name, address, email, order details | Art. 6(1)(b) — contract performance |
| Tax invoicing and legal compliance | Name, address, VAT number, payment details | Art. 6(1)(c) — legal obligation (D.P.R. 633/1972) |
| Responding to enquiries | Name, email, message content | Art. 6(1)(b) — pre-contractual measures; Art. 6(1)(f) — legitimate interests |
| Newsletter / marketing emails | Email address | Art. 6(1)(a) — consent (freely given, can be withdrawn at any time) |
| Website security and fraud prevention | IP address, technical logs | Art. 6(1)(f) — legitimate interests |
| Improvement of services and analytics | Aggregated/anonymised usage data | Art. 6(1)(f) — legitimate interests |
We do not engage in automated decision-making or profiling with legal or similarly significant effects (Art. 22 GDPR).
4. Retention Periods
We retain personal data only for as long as necessary for the purpose for which it was collected, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):
- Order and invoice data: 10 years from the date of the transaction, as required by Italian tax law (Art. 25 D.P.R. 600/1973 and Art. 39 D.P.R. 633/1972).
- Account data: Until the account is deleted by the user, plus 12 months to handle any outstanding matters. Accounts inactive for 36 months may be deleted after prior notice.
- Contact and quote enquiries: 24 months from the date of the last communication.
- Newsletter subscriptions: Until you unsubscribe. Every email contains an unsubscribe link.
- Technical logs (IP addresses, access logs): Up to 12 months, in accordance with Garante per la protezione dei dati personali guidelines.
After the applicable retention period, data is securely deleted or anonymised.
5. Third-Party Processors
We use carefully selected third-party service providers who process data on our behalf as data processors within the meaning of Art. 4(8) GDPR. All processors are bound by Data Processing Agreements (DPAs) per Art. 28 GDPR:
- Supabase Inc. (USA) — Database hosting, authentication, and storage. Data stored in EU data centres (AWS eu-west-1 / eu-central-1). Transfer mechanism: EU Standard Contractual Clauses (SCCs) per Commission Decision 2021/914.
- Cloudflare Inc. (USA) — CDN, DDoS protection, DNS. Transfer mechanism: EU SCCs. Cloudflare's privacy policy: cloudflare.com/privacypolicy.
- Stripe Inc. (USA) — Payment processing. Stripe processes cardholder data under PCI-DSS standards. Stripe's privacy policy: stripe.com/en-it/privacy.
- Shipping carriers (DHL, FedEx, or specialist freight) — Recipient name, delivery address, and phone number are shared solely for the purpose of delivering the order.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
6. International Transfers
Some of our processors are based in the United States or other third countries outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure an adequate level of protection through one of the following safeguards:
- The European Commission's Standard Contractual Clauses (SCCs), adopted under Commission Decision 2021/914;
- The EU–U.S. Data Privacy Framework (DPF) where the processor is certified;
- An adequacy decision by the European Commission under Art. 45 GDPR.
You may request a copy of the applicable transfer safeguards by contacting us at [email protected].
7. Your Rights
Under Chapter III of the GDPR and Arts. 15–22 of the Italian Privacy Code, you have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR): obtain confirmation of whether we process your data and receive a copy.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your data (“right to be forgotten”), subject to our legal retention obligations.
- Right to restriction of processing (Art. 18): limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format (applies to data processed by automated means on the basis of consent or contract).
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling. You may also object to direct marketing at any time.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent (e.g., newsletter), you may withdraw at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, email us at [email protected] with the subject line “Data Rights Request”. We will respond without undue delay and in any event within one month of receiving your request; for complex or numerous requests this period may be extended by a further two months, in which case we will inform you of the extension within the first month (Art. 12(3) GDPR). We may need to verify your identity before responding.
Account holders may update or delete most personal data directly from their account settings page.
8. Cookies
Mecivi uses a minimal set of cookies to operate the website:
- Strictly necessary cookies: the authentication session token (set by Supabase upon login) and a theme preference cookie (`mecivi_theme`). These are essential for the site to function and do not require consent under Art. 122 D.Lgs. 196/2003 and the Garante's cookie guidelines (Provvedimento 8 gennaio 2015).
- Currency preference: a `localStorage` entry storing your selected display currency (EUR/USD). This is a browser storage item, not a cookie, and does not track you.
We do not use advertising, tracking, or third-party analytics cookies. We do not use Google Analytics or similar tracking technologies.
You can manage or delete cookies via your browser settings. Deleting the authentication cookie will log you out of your account.
9. Minors
Mecivi sells professional commercial equipment and its services are directed exclusively at adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact us at [email protected] and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will update the “Last updated” date at the top of this page.
For material changes that affect how we process your data, we will notify registered users by email at least 14 days before the changes take effect. Continued use of the Site after the effective date of a revised policy constitutes your acceptance of those changes.
Previous versions of this policy are available upon request.
11. Contact and Supervisory Authority
For any questions or concerns about this Privacy Policy or our data practices, please contact:
- Email: [email protected]
- Subject line: “Privacy Request”
If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Italian data protection supervisory authority:
- Garante per la protezione dei dati personali
- Piazza Venezia 11, 00187 Rome, Italy
- garanteprivacy.it · [email protected]
If you reside in another EU/EEA member state, you may also contact the supervisory authority of your country of residence.