This Privacy Policy is defined on the basis of art. 13 of EU Regulation n. 679/2016  and applies only to all data collected through the website. This Privacy Policy is subject to updates that will be posted on the website on time. The present Privacy Policy, as well as Terms and Conditions, any other documents referred to therein and the Cookie Policy, establishes the basis on which the user’s personal data will be processed. The Site's online shop is hosted by PrestaShop, which provides the online e-commerce platform enabling the sale of the Data Controller's Products.

Data Controller

The Data Controller of this website is Costak S.r.l. Milano (MI) 20124 via Mauro Macchi n.8, P. Iva 12300410961, email:

Personal Data

Personal Data means any information relating to an identified or identifiable natural person (Data Subject, User). An identifiable natural person who may be identified, directly or indirectly, with particular reference to an identifier such as name, identification number, location data, an on-line identifier, one or more characteristic elements of his physical identity.

Category of personal data processed

Among the personal data processed by this website, autonomously or by third party, there are common data like: Cookies, usage data, name, surname, address, city, gender, email, phone, tax data useful for purchasing and personal data useful for the delivery of the purchased product.

Methods of personal data processing

The personal data provided or acquired are subjected to a treatment based on principles of correctness, lawfulness, transparency and protection of privacy pursuant to current legislation. The Data Controller processes the user’s personal data adopting appropriate security measures to prevent unauthorized access, disclosure, modification or unauthorized destruction of personal data. Data are processed by means of IT and/or telematic tools, by implementing organizational methods and strategies that are connected to the purposes of the activity.

Purposes for processing the collected data and legal basis

Personal data can be collected autonomously by the Data Controller or by third party. In this case, the computer systems and software used by the website acquire certain user’s personal data, IT related (for example, the IP address, the browser used, the operative system, the domain name and the websites addresses from which you have accessed or exit, etc.), whose transmission is inherent to the correct functioning of Internet. Such data can be processed for the sole purpose of obtaining anonymous statistical information on the use of the website and/or controlling its correct functioning; after their processing, they are immediately erased. The Data that the user chooses to provide spontaneously will be processed in compliance with the conditions of lawfulness pursuant to art. 6 GDPR and will be processed to allow the Website to provide its services, as well as for the Purposes indicated below and will be retained for the time necessary for the fulfillment of the aforementioned Purposes.
The purposes of the processing are:
1) Responding to requests and providing Information
The Data shall be processed in order to be contacted or to follow up on specific requests made to the Controller by the Data Subject for communications of a nature relating to the Services and/or Contents of the same Controller, by e-mail or other communication tools such as telephone.
Legal basis: this processing is optional and based on the consent of the Data Subject, however the provision of the Data is necessary for the pursuit of the indicated purpose.
Period of data retention: until revocation of consent by the Data Subject
2) Site registration form
The Data shall be processed in order to be registered to the Controller's site for the purchase of the Controller's Products.
Legal basis: this processing is optional and based on the consent of the Data Subject, however the provision of the Data is necessary for the pursuit of the indicated purpose.
Period of data retention: until revocation of consent by the Data Subject.
3) Pre-contractual information and compliance
The Data will be processed in order to contact or to respond to specific requests addressed to the Data Controller by the Data Subject for communications of an informative nature and/or for the interest in the purchase in relation to the Products of the Data Controller, via email messages or filling in the contact form and other communication tools such as phone.
Legal basis: this processing is optional and based on the consent of the Data Subject, however the provision of Data is necessary for the pursuit of the purpose indicated. Data retention period: until the Data Subject’s consent is withdrawn.
4) Processing required under a contract
The Data will be processed to fulfil any kind of obligation required by the contract between the user and the Data Controller for the sale of the Products/Services offered on the website, to provide information required by the user, to contact the user in relation to the contract and for its management, the management of statutory warranty claims, assistance, requests for withdrawal, management and termination of the contract.
Legal basis: this processing is mandatory for the execution of the contract to which the User is a party, for the execution of pre-contractual measures or to fulfil a legal obligation to which the Data Controller is subject;
Data retention period:10 (ten) years or different legal obligation.
5) Fulfillment of any obligations provided by current laws
The Data will be processed to fulfill any type of obligation contemplated and provided for by current laws, regulations, related regulations, commercial uses and tax/tax matters, including also for the purposes provided for by the anti-money laundering legislation d.lgs. 231/2007 and subsequent amendments.
Legal basis: this processing is necessary to fulfil a legal obligation to which the Data Controller is subject.
Data retention period: 10 (ten) years or different legal obligation.
6) Softspam
The Data will be processed to allow the Data Controller to send the user via e-mail promotional communication concerning Products and/or Services purchased without the need for the express and prior consent of the user, as required by art. 130, paragraph 4, Code of Privacy, and provided that the user does not exercise the right of opposition. This processing is based on art. 130, paragraph 4 of the Code of Privacy as told by Legislative Decree no.101 of 2018.
Legal basis: this processing is based on the legitimate interest of the Data Controller pursuant to art. 6, lett. F and Recital No. 47 of the GDPR.
Data retention period: until the Data Subject objects.
7) Marketing
The Data will be processed for direct sale of Products/Services, market research, sending of communications and promotional, commercial and advertising or related initiatives and events, via newsletter, e-mail, SMS, WhatsApp, Chat, Direct Messaging by social media, social network or by telephone calls, paper mail and other information material.
Legal basis: this processing is based on the consent freely expressed by the interested party pursuant to art. 6, par. 1, lit. A of the GDPR.
Data retention period: until the Data Subject’s consent is withdrawn.
8) Statistical analysis
The Data will be processed to perform statistical analysis on aggregated and anonymous data to analyze the behavior of the Data Subject to improve the products and services provided by the Data Controller and to meet the expectations of the Data Subject.
Legal basis: this processing is based on the consent freely expressed by the interested party.
Data retention period: until withdrawal of consent by the Data Subject.
9) Profiling activities
The Data will be processed for the analysis and evaluation of interests, habits, consumer choices, including the creation of profiles in order to be able to send personalized information and promotional material on the Services/Products offered by the Data Controller.
Legal basis: this processing is based on the consent freely expressed by the interested party pursuant to art. 6, par. 1, lit. A of the GDPR.
Data retention period: ….. / until the Data Subject’s consent is withdrawn.

Data communication

In some cases, in addition to Data Controller, may have access to data:
a) categories of persons specifically trained involved in the organization of the website (administrative staff, commercial staff, marketing staff, lawyers, system administrators);
b) external parties (like third party technical service providers, hosting provider, IT companies, communication agencies) also appointed as Data Processors by the Data Controller ex art. 28 GDPR. The updated list of Data Processors, if appointed, can always be requested from the Data Controller;
c) public or private entities that can access the data in compliance with legal obligations;
d) subjects that perform instrumental tasks with respect to the activity of the Data Controller;

Processing time

As expressly stipulated by art. 5, co. 1, lett. e) of the GDPR, data are stored for a period of time necessary to provide the service requested by the user, or for the time required for the purposes described in this document.
At the end of the storing time, personal data will be deleted and consequently access rights, deletion rights, rectification rights and data portability rights can no longer be exercised.


This website uses Cookies. They are small text files that may be used by websites to make the user’s experience more efficient, to customize contents and advertisements, to provide the functions of the social networks and analyze the traffic. Cookie Policy

Place of processing and transfer of data abroad

The data are processed at the Data Controller's operating office. For more information, contact the Data Controller. The data can be processed by natural persons and/or legal entities acting on behalf of the Data Controller, under specific contractual obligations and located in UE or non-UE countries. If the data are transferred outside the EEA, the Data Controller will adopt any contractual measure suitable to ensure an adequate data protection.

Exercise of the rights of the data subject

The data subject may exercise the rights as described in the artt. 7, 15-22 of the EU Regulation 679/2016. In particular, the right to withdraw his/her consent in any time and, simply asking the Data Controller, he/she may request access to personal data, receive the personal data provided by the Data Controller and, where possible, transmit them to another Data Controller of the processing without impediment (c.d. portability), obtain the update, the limitation of the processing, the rectification of data and the deletion of that processed in contrast with current legislation. The data subject has the right, for legitimate reasons, to oppose the processing of personal data concerning him/her the processing for purposes of sending advertising materials, direct selling and market research. The interested party also has the right to lodge a complaint with the Privacy Authority in its quality of supervisory authority. The data subject may exercise the rights by emailing the owner at:

Tools used for personal data processing

The user, filling in the contact Form with his/her data, agrees to their use to answer any request of information or any other purpose indicated by the form header. Personal data collected by the contact Form: email, name and surname.
These services permit to manage a database of email contacts, telephone contacts or contacts of any other type, used to communicate with the user. Furthermore, these services could permit to collect data related with user’s date and time of viewing of messages, as well as track user's interaction with them, such as information on clicks on the links included in the messages.
By subscribing to the newsletter, the user's email address is automatically added to a list of contacts to which email messages containing information, including commercial and promotional information, relating to this website may be transmitted. The user’s email address might also be added to this list as a result of signing up to this website or after making a purchase. The user can choose at any time to unsubscribe from the newsletter by clicking on a specific button he/she will find within the emails. After clicking the button, the user’s data will be immediately deleted by the “email marketing” software. Personal data collected: email and name.
The User can provide a review regarding a purchase of a product made on the website. This website uses the comment service offered by:
Comment services allow users to formulate and make public their comments regarding the content on this website, including the blog section. Users, depending on the settings chosen by the Data Controller, can also leave comments anonymously. Users are responsible for the content of their comments. In case a third-party comment service is installed, it is possible that, even if users do not use the comment service, it could collect traffic data related to pages in which the comment service is installed.
With the registration service the user allows the website to identify her/him and give her/him access to the services dedicated.
The user registers directly on the website by filling out the form and providing her/his own data.
Statistics services allow the Data Controller only to monitor and analyze the traffic data and keep track of the user’s behavior.
These services allow to interact with social networks directly from the website pages. The interactions and information acquired by this website are subject to the user’s Privacy Policy of each social network. If a service for interaction with social networks is installed, the site may collect traffic data about the pages, even if users do not use the service.
Payment processing services allow this website to process payments by credit card, bank transfer or other means. The data used for payment is acquired directly from the manager of the payment service requested without being in any way processed by this website. Some of these services may also allow for the scheduled sending of messages to the user, such as emails containing invoices or notifications regarding payment.

Changes to this Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time by giving notice to users on this page. Therefore, it is recommended to consult this page very often, taking as reference the date of last modification indicated at the bottom. In case of non-acceptance of the changes made to this Privacy Policy, the user is required to cease the use of this website and may request the Data Controller to remove their personal data. Unless otherwise specified, the previous Privacy Policy will continue to apply to personal data up to that date collected moment. The Data Controller is not responsible for the update of the links displayable in this Privacy Policy, therefore, every time a link does not work and/or is not updated, users acknowledge and accept that they must always refer to the document and/or the section of the linked websites.

Privacy Policy updated on May 2023