PRIVACY POLICY

(pursuant to Regulation (EU) 2016/679 – GDPR)

Last update: 18.02.2026

1. Introduction and scope of the policy

This policy is provided pursuant to and for the purposes of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter also "GDPR"), as well as the applicable national legislation on the protection of personal data, and aims to inform users of the website www.nadezhdakireyeva.com (hereinafter the "Site") about the methods and purposes of processing their personal data. This policy applies to all users who visit the Site, interact with its content, or use the services offered through it, including, by way of example, browsing web pages, purchasing products, sending communications or information requests, making voluntary donations, and any other form of interaction that involves the collection or processing of personal data. The policy transparently describes the types of personal data collected, the purposes and legal bases of processing, the ways in which data are processed and protected, the parties who may access them, retention periods, as well as the rights recognized to data subjects by current legislation.

The processing of personal data is carried out in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality, as provided by applicable law.

This policy concerns exclusively the processing of personal data carried out through the Site and does not apply to any third-party websites accessible via hyperlinks present on the Site, which remain subject to their respective privacy policies. The policy is an integral part of the Site's data protection information system and is coordinated with other published policies and legal documents, including the Terms and Conditions of Sale and the Cookie Policy.

2. Data Controller

The data controller of the personal data collected through the website www.nadezhdakireyeva.com (hereinafter the "Site") is Nadezhda Kireyeva (hereinafter the "Controller"), with registered office at Rome, Via Ettore Ximenes 21 A, email: nadezhda.kireyeva@gmail.com.

The Controller determines the purposes and means of processing personal data and ensures that processing is carried out in compliance with current data protection legislation, adopting appropriate technical and organizational measures to guarantee the security and confidentiality of the information processed.

For any request regarding the processing of personal data, the exercise of rights recognized by applicable law, or to obtain information on data management methods, data subjects may contact the Controller using the contact details indicated above.

Where required by applicable law or if appointed by the Controller, the contact details of any Data Protection Officer (DPO) or other persons responsible for handling data protection requests will be made available through the Site or communicated to data subjects by appropriate means.

3. Types of personal data processed

While browsing the Site and using the services offered through it, the Controller may collect and process different types of personal data, depending on how the user interacts with the Site and the activities carried out.

In particular, personal data provided directly by the user when purchasing products, filling out contact forms, sending communications, making voluntary donations, or other interactions with the Site may be processed. Such data may include, by way of example, identifying and contact information such as name, surname, shipping address, email address, telephone number, and any other information necessary for managing the contractual relationship or the user's request.

In the case of purchases made through the Site, data necessary for managing the order, shipping, invoicing, and after-sales support, as well as information relating to transactions carried out, may also be processed. Data relating to payment instruments used by the user are normally processed directly by payment service providers responsible for managing transactions and are not stored by the Controller, except as strictly necessary for the administrative and accounting management of operations.

Data voluntarily provided by users in communications sent to the Controller, including the content of messages and information transmitted to request assistance, clarifications, or other forms of contact, may also be processed.

During navigation of the Site, technical data and information automatically generated by IT systems and Internet communication protocols may also be collected. Such data may include, for example, IP addresses, device identifiers used, browser information, access times, pages visited, and other data relating to the user's interaction with the Site. This information is mainly used for technical, security, and proper service operation purposes.

The Site may also use cookies and similar technologies to collect information relating to browsing preferences and service usage. The methods of use of such tools and related information on data processing are described in the Cookie Policy, to which reference is made.

In the case of voluntary donations, data necessary for managing the payment and recording the operation, as well as any information provided by the donor in relation to the donation itself, may be processed.

The personal data processed are limited to those relevant and necessary for the purposes for which they are collected and are processed in compliance with the principles of minimization and proportionality provided by applicable law.

4. Purposes of processing and legal bases

Personal data collected through the Site are processed by the Controller exclusively for specific, explicit, and legitimate purposes, in compliance with the principles provided by data protection legislation.

In particular, personal data may be processed to allow the proper management of the contractual relationship between the Customer and the Controller, including order management, payment processing, organization and execution of shipments, management of communications with the Customer, provision of requested services, and fulfillment of activities related to the supply of products. In such cases, processing is necessary for the performance of the contract or for the adoption of pre-contractual measures requested by the data subject.

Personal data may also be processed to fulfill legal obligations to which the Controller is subject, including administrative, accounting, tax, and regulatory obligations arising from the management of sales and economic transactions. In such cases, processing is carried out in fulfillment of a legal obligation.

Processing may also be carried out to ensure the security of the Site and transactions, prevent fraudulent activities, protect the Controller's rights, ascertain, exercise, or defend a right in court, as well as to ensure the proper functioning of IT systems and digital services. Such processing is based on the Controller's legitimate interest in ensuring the security, integrity, and protection of its activities and Site users.

If the Site allows voluntary donations, personal data provided by the donor may be processed for managing the payment, recording and traceability of the operation, and for related administrative and legal obligations. In this case, processing is necessary for the execution of the operation requested by the data subject and for the fulfillment of any applicable legal obligations.

With the specific consent of the data subject, where required by applicable law, personal data may be processed for additional purposes, such as sending informational or promotional communications relating to the Controller's activities, as well as for analyzing preferences and usage patterns of the Site through tracking tools not strictly necessary for the operation of the service.

Personal data may also be processed to respond to information requests, communications, or reports voluntarily sent by the user. In such cases, processing is necessary to respond to the data subject's request and is based on the Controller's legitimate interest in responding to received communications.

In any case, personal data are processed only to the extent necessary for the pursuit of the above purposes and in accordance with the applicable legal basis.

5. Nature of data provision and consequences of failure to provide

The provision of personal data by the user may be necessary or optional depending on the specific purposes for which the data are collected.

The provision of data required for the conclusion and execution of the purchase contract, for payment management, for product shipment, and for compliance with legal obligations is necessary. Failure to provide such data, or providing incomplete or inaccurate data, may make it impossible to conclude the contract, properly execute the order, manage the user's requests, or fulfill the legal obligations to which the Controller is subject.

The provision of data necessary for sending communications, information requests, or other voluntary interactions with the Controller is optional, but failure to provide the requested data may make it impossible to respond to requests or provide the services requested by the user.

The provision of data for additional purposes that require the data subject's consent, such as sending promotional communications or using specific tracking technologies not strictly necessary for the operation of the Site, is free and optional. Failure to provide consent does not affect the ability to use the Site or make purchases but may limit access to certain features or ancillary services.

In any case, the user is free to decide whether or not to provide their personal data, it being understood that failure to provide data indicated as necessary may prevent the Controller from providing the requested services or executing the contractual relationship.

6. Methods of processing and security measures

The processing of personal data is carried out by the Controller using IT, telematic, and, where necessary, also manual means, in compliance with the principles of lawfulness, fairness, transparency, and confidentiality protection provided by applicable law.

Personal data are processed exclusively for the purposes indicated in this policy and for the time strictly necessary for their pursuit, in compliance with the principles of minimization and proportionality. Processing is carried out through operations of collection, registration, organization, storage, consultation, processing, use, communication, and any other operation necessary for data management in compliance with current legislation.

The Controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the nature of the data processed, the purposes of processing, and the characteristics of the systems used. These measures are aimed at preventing unauthorized access, loss, destruction, alteration, undue disclosure, or unlawful use of personal data.

Access to personal data is allowed only to authorized persons operating under the authority of the Controller or who are formally appointed for processing, within the limits of their respective competences and the purposes for which the data were collected. Such persons are bound by confidentiality obligations and process data in accordance with the instructions given by the Controller.

The processing of personal data takes place through systems and procedures suitable for ensuring their security and confidentiality, also in relation to the transmission of data through electronic communication networks and the use of digital services and technological platforms necessary for providing the services offered through the Site.

7. Retention of personal data

Personal data are retained for the time strictly necessary to achieve the purposes for which they were collected and processed.

Data processed for purposes related to the conclusion and execution of the sales contract, as well as the administrative, accounting, and tax management of operations, are retained for the period required by current legislation on legal, tax, and civil obligations, and in any case for the time necessary to protect the Controller's rights in relation to the contractual relationship.

Data processed for Site security purposes, fraud prevention, protection of the Controller's rights, or defense in court may be retained for the time necessary to achieve these purposes and, where necessary, for the period useful for managing any disputes or proceedings. Data voluntarily provided by the user for information requests, communications, or other interactions are retained for the time necessary to provide a response and manage the request, unless further retention is required due to legal obligations or to protect the Controller's rights.

Data processed on the basis of the data subject's consent are retained until consent is withdrawn, unless further retention is necessary to comply with legal obligations or for the establishment, exercise, or defense of a right.

After the applicable retention period, personal data are deleted, anonymized, or otherwise processed so as not to allow the identification of the data subject, unless further retention is required by current legislation or necessary for the Controller's legitimate purposes.

8. Recipients of personal data

Personal data may be disclosed to third parties whose activity is necessary or functional to the management of the services offered through the Site, the execution of the contractual relationship, compliance with legal obligations, or the pursuit of the Controller's legitimate purposes.

In particular, data may be processed by technical and IT service providers, payment system operators, logistics and shipping operators, consultants, and other parties providing services related to the Controller's activity, as well as by public authorities in cases provided by law.

These parties process personal data as data processors or independent controllers, depending on the role performed, and are required to ensure an adequate level of data protection in accordance with applicable law.

9. Transfer of personal data outside the European Economic Area

Given the nature of online services and transactions, some personal data may be transferred to countries outside the European Economic Area. In such cases, the Controller ensures that the transfer takes place in compliance with the conditions provided by applicable data protection legislation and in the presence of adequate safeguards for data subjects, such as adequacy decisions adopted by the European Commission, standard contractual clauses, or other protection tools recognized by current legislation.

The Controller takes all necessary measures to ensure that any international transfers of personal data are carried out in accordance with legal requirements and ensure an adequate level of protection for the rights and freedoms of data subjects.

10. Data subject rights

Data subjects to whom personal data refer may exercise at any time the rights recognized by applicable data protection legislation.

In particular, in the cases and within the limits provided by law, the data subject has the right to obtain access to their personal data, to request their rectification if inaccurate or incomplete, to request their erasure, to obtain restriction of processing, or to object to processing in the cases provided by current legislation. The data subject also has the right to receive the personal data concerning them in a structured, commonly used, and machine-readable format and, where technically possible, to transmit them to another data controller. Where processing is based on consent, the data subject has the right to withdraw it at any time, without prejudice to the lawfulness of processing carried out before withdrawal.

The data subject also has the right to lodge a complaint with the competent supervisory authority for personal data protection if they believe that the processing of personal data concerning them is in violation of applicable law.

The data subject may exercise at any time the rights recognized by data protection legislation by contacting the Controller at the contact details indicated in this policy. Requests will be handled in compliance with the terms and methods provided by applicable law.

11. Complaint to the Supervisory Authority

The data subject has the right to lodge a complaint with the competent Supervisory Authority for personal data protection if they believe that the processing of personal data concerning them is in violation of applicable law.

12. Cookies and tracking technologies

The Site uses cookies and similar technologies to ensure the proper functioning of the pages, improve the browsing experience, analyze service usage, and, where provided, enable the use of features and services offered by third parties.

The methods of use of cookies, related purposes, the legal basis for processing, and the options available to the user to manage or change their preferences are described in detail in the Cookie Policy published on the Site, to which express reference is made.

13. Changes to this policy

The Controller reserves the right to modify or update this policy at any time, also in consideration of any regulatory changes or the evolution of the services offered through the Site. Changes will be published on the Site and will become effective from the time of their publication, unless otherwise indicated.