Privacy Policy & Cookie Policy – Il Cashewficio


(Compliant with the GDPR – EU Reg. 2016/679 – and Italian Privacy Code as amended by Legislative Decree 101/2018)
Last update: October 2025
This document explains how we process your personal data and how we use cookies on our Shopify e‑commerce website.


1) Data Controller
Controller: Il Cashewficio – La Fromagerie Vegetale S.r.l. (Tax/VAT No. 02601960996)
Registered office: Via Saporiti 9/3, 16134 Genova (GE), Italy
Operational site / Lab: Via Piantelli 12R, 16139 Genova, Italy
Privacy contact: info@ilcashewficio.com
Website: www.ilcashewficio.com


2) Categories of personal data
• Identification and contact data: name, surname, address, email, phone, shipping/billing address.
• Purchase data: items bought, amounts, payment method (only outcome, never full card numbers).
• Account data: username, password (hashed), order history, preferences.
• Browsing/analytics data: IP address, cookies, online identifiers, visited pages, e‑commerce events.
• Job application data (if HR forms are available): CV and professional information submitted by the applicant.


3) Purposes and legal bases (Art. 6 GDPR)
A) Online sale and contract performance: order, payments, shipping, customer support. Legal basis: performance of a contract (Art. 6.1.b).
B) Legal/tax obligations: invoicing, accounting, responses to authorities. Legal basis: legal obligation (Art. 6.1.c).
C) Account creation and management: access, order history, preferences. Legal basis: performance of a contract (Art. 6.1.b).
D) Marketing communications (newsletter, offers, news): sent with your explicit consent (Art. 6.1.a). You can unsubscribe anytime.
E) Soft spam to existing customers: communications about products similar to those already purchased, as permitted by Art. 130(4) of the Italian Privacy Code; opt‑out always available. Legal basis: legitimate interest (Art. 6.1.f).
F) Statistics and performance measurement (analytics). If data are anonymized/aggregated → legitimate interest (Art. 6.1.f). For advanced analytics and marketing profiling → consent (Art. 6.1.a).
G) Security, fraud prevention and abuse. Legal basis: legitimate interest (Art. 6.1.f).
H) Recruitment (job applications). Legal basis: pre‑contractual measures (Art. 6.1.b).


4) Marketing, profiling and disclosure to third parties
• Newsletters and promotional communications: sent with your consent. You can withdraw it anytime via the “unsubscribe” link or by writing to us.
• Remarketing/retargeting: pixels and identifiers (e.g., Meta, Google) used only after cookie consent.
• Disclosure to third parties for their own marketing: we DO NOT disclose your data to third parties for their autonomous marketing without your separate, explicit consent. If we ever wished to do so, we would ask you via a dedicated opt‑in and you would be free to refuse.


5) Nature of provision
Providing data necessary for a purchase is mandatory to complete the order. Providing data for marketing and non‑essential analytics is optional.


6) Recipients and “Processors” (Art. 28 GDPR)
We rely on qualified vendors acting as Data Processors under Art. 28 GDPR, including:
• E‑commerce platform: Shopify (hosting, CMS, e‑commerce features).
• Payments: Shopify Payments; enabled methods (Visa, Mastercard, Apple Pay, Google Pay). Other PSPs (e.g., Satispay) if activated.
• Logistics & shipping: express couriers and refrigerated couriers (appointed as Processors for delivery).
• Email marketing: Shopify Email; in future we may use providers like Mailchimp/Klaviyo/Brevo (they will be appointed as Processors).
• Analytics/Advertising: Google (Analytics), Meta (pixel), and other ad partners activated via cookie consent.
The updated list of Processors is available on request at info@ilcashewficio.com.


7) International data transfers
Some providers (e.g., Shopify, email or advertising vendors) may process data outside the EEA. In such cases, appropriate safeguards under Arts. 44 et seq. GDPR are adopted (e.g., Standard Contractual Clauses and supplementary measures).


8) Data retention
• Purchase/invoicing data: up to 10 years (civil & tax obligations).
• Customer accounts: up to 24 months of inactivity, unless otherwise requested by the user.
• Marketing (newsletter): until consent withdrawal or deletion request.
• Analytics: according to the tool’s settings; if anonymized, data may be retained longer for statistical purposes.
• Job applications: up to 12 months from receipt, unless further consent.


9) Data subject rights (Arts. 15–22 GDPR)
You can access, rectify or erase your data, restrict processing, object to processing based on legitimate interest at any time, and receive your data in a portable format. You can also withdraw consents.
To exercise your rights: write to info@ilcashewficio.com.
You can lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).


10) Security measures
We adopt appropriate technical and organizational measures to protect data (encrypted payments, access controls, backups, data minimization).