Terms and conditions of use

Privacy

 INFORMATION ON THE PROCESSING OF PERSONAL DATA

 

I Mercanti srl

 

 Premises

This information is provided by the company I Mercanti srl (Tax Code 09084791210, VAT number 09084791210) with its registered office at Via Nazionale 999, Torre del Greco, taking into account:

- Legislative Decree 196/2003 (Italian Privacy Code) as amended by Legislative Decree of August 10, 2018, no. 101, for adapting the national legislation to the provisions of the European Regulation EU 2016/679 (GDPR). It is provided in view of the processing of personal data carried out by I Mercanti srl: also through the platform called "KIFOOD" for the management of its booking services and customer contacts (referred to individually as "User").

 

I Mercanti srl carries out data processing operations on personal data of Users, becoming the Data Controller pursuant to the provisions of the aforementioned current regulations on personal data processing.

 

The information is provided through paper forms and/or electronic tools, including any links consultable/consulted by the User on the I Mercanti srl website leading to the Platform itself. The information is intended for all Users interacting with the KIFOOD Platform and the booking links on the pages of the I Mercanti srl website, including any paper forms made available by I Mercanti srl due to its direct contact with the User for collecting specific consents, particularly:

 

(a) Users who use the Platform from the I Mercanti srl website;

(b) Users who use the Platform from the application installed on the devices (tablets) of I Mercanti srl;

(c) Users who use the Platform with paper forms provided by I Mercanti srl.

 

PROVISIONS

1. Data Controller

Pursuant to the provisions of the current regulations on personal data processing, the Data Controller of the data referred to in this information is the company I Mercanti srl (Tax Code 09084791210, VAT number 09084791210) with its registered office at Via Nazionale 999, Torre del Greco, email [email protected].

 

2. Data Acquisition

The personal data processed is acquired by I Mercanti srl following the direct entry of data by the User into the KIFOOD Platform for booking management and/or to take advantage of other services/initiatives of I Mercanti srl, thereby benefiting from related rewards and discounts.

 

3. Data Subject to Processing

"Common data" refers to any information regarding an identified or identifiable natural person such as name, surname, tax code, contact details, residence, etc., and "sensitive/particular data" refers to any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to health or sexual life or sexual orientation.

 

The personal data to be processed includes the User's common identification and contact data, as well as other instrumental data for the service. Regarding specific requests made by the User during booking, the Controller may also collect and process sensitive/particular data such as health data or the User's state of health. In any case, outside of exemption cases, such data may only be processed with the User's written or equivalent consent ("equivalent consent" also includes expressing willingness online through procedures such as clicking on web pages, buttons like "Accept", "Submit", etc., or checking boxes next to the term "I consent to the processing", etc.) and in compliance with current regulations on personal data processing.

 

The purposes of processing sensitive/particular data are related solely to booking management (processing data revealing racial or ethnic origin in the case of indicating the User's name who books a table, processing data revealing religious, philosophical beliefs, or health-related notes in the User's booking notes on the Platform, etc.). In any case, the Controller will process only the essential data for the purposes for which the processing is permitted and that cannot be fulfilled case by case through anonymous data or different personal data.

 

4. Primary Purposes of Processing

The primary purpose of processing is to allow the User to book a table or use other services offered by I Mercanti srl such as the free Wi-Fi service within the venue, the "In List" option, or the loyalty program using the Platform from the website or I Mercanti srl devices (tablets).

 

The additional purposes for which the Data Controller collects data are:

(a) compliance with legal, accounting, tax, administrative, and contractual obligations related to existing or future relationships or the provision of requested services;

(b) implementation of measures related to the protection of I Mercanti srl personnel against any unlawful or fraudulent acts by Users or otherwise violating the service offered or legal rules or principles of proper behavior in commercial relations, including activities and treatments aimed at identifying the person responsible for such acts and preserving relevant information for subsequent judicial or other protection determinations by the Data Controller;

(c) collection, storage, and processing of User-provided data to perform statistical analyses in anonymous and/or aggregated form without the possibility of identification, aimed at verifying the quality of the services offered;

(d) communicating with Users via email or phone regarding the booking made.

 

4.1. Communication and Dissemination of Personal Data for the Primary Purposes of Processing

The personal data collected will be processed within the activity of I Mercanti srl by employees strictly authorized and appropriately instructed within their duties.

 

Externally, the data may be communicated and processed by all individuals and/or legal entities engaged to perform necessary and/or instrumental activities for I Mercanti srl's operation. The updated list of data processing Managers and authorized data processors is kept at the Data Controller's registered office and can be viewed upon request.

 

The processed personal data will not be disseminated but may be communicated to inspection bodies responsible for verifying and controlling legal compliance.

 

In case of data communication/transfer abroad, including to non-EU countries, the relevant processing will be carried out in full compliance with current regulations.

 

4.2. Mandatory or Optional Consent for the Primary Purposes of Processing Personal Data

The provision of data, although not mandatory, is necessary and essential to manage and finalize the booking as well as to use the other services described above offered by I Mercanti srl. Therefore, the Data Controller does not have the obligation to acquire specific consent to the processing from the User as the processing responds to specific requests from the interested party. If the User does not intend to provide the requested and necessary personal data for booking at I Mercanti srl, it will result in the inability to use the services offered by I Mercanti srl itself.

 

5. Secondary Purposes of Processing Personal Data for Promotional, Advertising, and Marketing Purposes

The collected personal data may also be processed, both in paper form (e.g., filling out forms, coupons, and similar paper materials at I Mercanti srl and subsequently used electronically) and in automated/computerized mode, for the following purposes as specified below as provided by current regulations on commercial promotion, advertising communication, solicitation to purchase behaviors, market research, surveys (including telephone, online, or through forms), statistical processing (in identifiable form) and marketing in the broadest sense of products and/or services related to the Data Controller (collectively "Marketing Purposes Processing"). By providing consent to processing for Marketing Purposes - according to the procedures available on the Platform in the appropriate sections or directly at I Mercanti srl where specific informed marketing consent collection will be possible, the User specifically acknowledges such promotional, commercial, and marketing purposes in the broadest sense of the processing and expressly authorizes the Data Controller.

 

According to the current regulations on "Consent to personal data processing for direct marketing purposes through traditional and automated contact tools", Users' attention is specifically drawn to the fact that:

(a) the consent possibly given for the sending of commercial and promotional communications through the use of email, SMS, automatic systems without operator intervention, and similar, including electronic platforms and other telematic means, will imply receiving such communications not only through these automated contact modes but also through traditional modes such as communications via postal mail or operator calls;

(b) the User's right to object to the processing of their personal data for direct marketing purposes through the above-mentioned automated contact methods will extend in any case to traditional methods and also in this case, the possibility of exercising this right partially remains as provided by the current regulations, both regarding certain means and certain treatments;

(c) the possibility remains for the User who does not intend to give consent as indicated above to express the desire to receive communications for the aforementioned marketing purposes exclusively through traditional contact methods where provided: this desire can be exercised freely by sending a simple email to the Data Controller's address;

(d) for the principle of compliance with privacy obligations for the Data Controller while respecting the principles of simplifying the same obligations, we inform you that the specific consent formula available based on the consent collection procedure provided from time to time will be unitary and comprehensive and will refer to all possible marketing treatment means while still allowing the User to notify a different desire to the Data Controller regarding the use of certain means and not others for the receipt of marketing communications. Also, in compliance with the principles of simplifying the same obligations, the Data Controller also informs that the specific consent formula will be unitary and comprehensive and will also refer to all different and possible marketing purposes here specified (without multiplying the consent formulas for each distinct marketing purpose pursued by the Data Controller), still allowing the User to notify the Data Controller even later of a different selective desire concerning the consent or denial of consent for individual marketing purposes.

To proceed with processing for Marketing Purposes, it is mandatory to obtain specific, separate, expressed, documented, prior, informed, free, and entirely optional consent.

Consequently, if the Platform User decides to give specific consent, they must be previously informed and aware that the processing purposes pursued are of specific commercial, advertising, promotional,  and marketing nature in the broadest sense. In a spirit of absolute transparency, we inform you that the data will be collected and subsequently processed based on specific consent:

1) to send promotional or otherwise commercial solicitation material to subjects who have given informed consent;

2) to carry out direct sales or placement of the Data Controller's products or services;

3) to send commercial information; to make interactive commercial communications through the use of email;

4) to carry out market studies, statistical surveys, and polls, both by telephone and by electronic means;

With reference to the sending of newsletters via email, to which the User may possibly consent, we also inform you that the electronic content of such promotional communications may be supported by software (such as cookies or web beacons) capable of making known to the Data Controller a series of parameters such as, for example: the time of opening the newsletter, the pages viewed within the newsletter, links clicked inside the newsletter, connections to the Data Controller's sites directly from the newsletter. These parameters, which will not constitute profiling of the recipient, are aimed at making known to the Data Controller certain statistical data regarding service bookings generated by various sources.

 

By giving optional consent, the interested party specifically acknowledges and authorizes these further possible secondary treatments. In any case, even if the User has given consent to authorize the Data Controller to pursue all the purposes mentioned in points 1 to 4 above, they will remain free at any time to revoke it by sending a clear communication to the Data Controller's contacts.

 

Upon receiving such a request, the Data Controller will promptly proceed to remove and delete the data from the databases used for Marketing Purposes Processing and inform any third parties to whom the data was communicated for the same purposes of the cancellation. The simple receipt of the cancellation request will automatically constitute confirmation of the cancellation.

 

5.1. Communication and Dissemination of Personal Data for the Pursuit of Secondary Purposes of Processing

It is informed that the data cannot be communicated to third-party commercial partners for the purposes indicated in numbers 1 to 4 of the previous Paragraph 5. The consent to processing for Marketing Purposes by the Data Controller – if given by the User – does not also cover the different and additional marketing processing represented by communication to third parties of the data for the same purposes. To proceed with such external communication (not carried out by the Data Controller), it is mandatory to obtain from the User an additional, separate, expressed, documented, informed, and entirely optional consent.

 

5.2. Mandatory or Optional Consent for the Pursuit of Secondary Purposes of Processing Personal Data

The provision of personal data to the Data Controller and the release of consent to processing for Marketing Purposes for the purposes and methods described above are entirely optional and optional (and revocable without formality even subsequently by sending a communication to the Data Controller's contacts). Failure to provide will not prejudice the pursuit of the primary purposes of processing referred to in Paragraph 4 but will result exclusively in the impossibility for the Data Controller to proceed with the mentioned marketing treatments.

 

6. Processing of Personal Data of Interested Parties for Commercial Profiling Purposes

It is possible that for marketing purposes and improving the services and functionalities of the Platform itself, the Data Controller will proceed with data processing so-called "profiling." According to the current regulations on personal data protection, profiling activity may concern "individual" personal data or "aggregated" personal data derived from detailed individual personal data of the User. To clarify what "profiling" consists of, reference can be made, for example, to the following parameters:

 

- data is structured and coordinated according to predefined parameters identified from time to time according to business needs (regardless of marketing, contractual, administrative purposes, etc.);

- the starting data considered individually may include various personal information, including contractual data and consumption-related data, but only after profiling (i.e., structuring according to predefined parameters) can further indications be derived referring to each User, further indications (i.e., the "profile" for example, consumption range, expenditure level, active services, commercial attitude, etc.) that would not result from the mere informative attitude of the individual or separately considered data. In other words, from strict profiling, a wealth of information may result that goes far beyond the information considered individually and related to each interested party;

- furthermore, strict profiling provides added value given by the multiple correlations that can be established between the collected individual data to derive useful additional information. Foundational elements of a profiling treatment are therefore: 1) the predetermination of parameters for structuring the individually considered data; 2) the comparison, intersection, and relationship of such data with each other and the comparative analysis conducted based on predefined parameters (i.e., the cataloging of individual data into clusters); 3) obtaining a profile through the preceding activities, which allows identifying Users and additional analytical indications compared to the individual data related to their personal sphere (tastes, preferences, habits, needs, and consumption choices) and allows generating the mapping/segmentation into homogeneous behavioral groups (dynamic creation of behavioral profiles).

 

The illustrated treatments will henceforth be collectively defined as "Profiling Processing." To proceed with Profiling Processing, it is mandatory to obtain specific, separate (also from the marketing consent referred to in paragraphs 5 and 5.1 above), expressed, documented, prior, and entirely optional consent. The Data Controller may proceed with the following Profiling Processing such as detecting:

- the number and type of bookings made within a predetermined time frame;

- frequency of service use;

- other indices aimed at highlighting tastes and purchase habits.

 

Consequently, if the User decides to give specific consent, they must be previously informed and aware that the processing purposes pursued are of specific commercial, advertising, promotional, and marketing nature in the broadest sense based on Profiling Processing. In a spirit of absolute transparency, we inform you that the data collected based on specific consent may be subject to Profiling Processing for the same purposes mentioned in paragraphs 5 and 6 of this information, while the communication scope will possibly be the same already specified for Marketing Treatments in paragraph 5.1. It is specified that currently, the Data Controller will not proceed with the communication of common personal data to third parties for Profiling Processing.

 

The provision of the User's personal data to the Data Controller and the release of consent to Profiling Processing are entirely optional and optional (and revocable without formality even subsequently by sending a communication to the Data Controller) and failure to provide will not prejudice the pursuit of the primary purposes of processing referred to in Paragraph 4 but will result exclusively in the impossibility for the Data Controller to proceed with the mentioned profiling treatments.

 

6 bis. Possible Processing of Sensitive Data (Covid-19/Green Pass Regulation)

If the regulations on Covid-19 Green Pass certifications require the display of the Green Pass – or equivalent certification – to allow access to indoor dining services, the Data Controller, solely to facilitate the verification of the requirements and only for those customers who voluntarily give the required consent, will allow online uploading of the Green Pass or equivalent certification.

 

These data will be automatically deleted 14 days after the customer's visit to the venue without the possibility of subsequent recovery. Regarding these data, no transfer, sharing, or other type of processing is foreseen, neither directly by the Data Controller nor by third-party processors, not even against compensation. These data will not be processed or communicated to third parties in any case, except for the purposes provided by the emergency Covid-19 legislation and in other cases provided by law.

 

7. Navigation Data

The IT systems and software procedures responsible for the Platform's operation acquire, during their normal course of operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified Users but could, by their nature, allow users to be identified through processing and associations with data held by third parties. This data category includes IP addresses or domain names of computers/terminals used by Users connecting to the Platform, URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used to submit the request to the Platform server, the size of the file obtained in response, the numerical code indicating the server response status (success, error, etc.) and other parameters related to the User's operating system and computing environment. This data is used only to obtain anonymous statistical information on the Platform's use and to check its correct functioning and is kept for the purposes of Paragraph 4. The data could be used to ascertain responsibility in case of hypothetical IT crimes against the Platform.

 

8. Possible Indication by the User of Personal Data of Third Parties (Other Interested Users)

The User acknowledges that any indication (for example, when filling out the booking form using the Platform from the website or devices - tablets - of the Merchant) of personal data and contact details of any third party different from the User represents a personal data processing operation for which they are an autonomous Data Controller, assuming all the obligations and responsibilities provided by current regulations in the matter. In this sense, the User guarantees the Data Controller that any data of third parties that will be indicated in this way by the User (and which will consequently be treated as if the third party had given their informed consent to the processing) has been acquired by the User themselves in full compliance with the current regulations. The User provides the broadest indemnity on this point concerning any claims, requests, damages from processing, etc., that should reach the Data Controller from any third party interested due to the provision of data indicated by the User in violation of the applicable data protection regulations.

 

9. Data Retention and Security Measures

Data will be retained for the periods defined by the reference legislation on servers located in EU countries or in countries outside the EU that guarantee adequate security measures (for example, the United States - Privacy Shield). In any case, the retention period of the User's data will be solely represented by the time necessary to pursue the primary purposes indicated above in Paragraph 4, except

 

 for express and specific consent also concerning the operations referred to in paragraphs 5 and 6 (marketing profiling), in which case the data will be processed until the subsequent withdrawal of consent and in any case no longer than two years from when it was given or renewed, for data provided for marketing activities no longer than one year for data used for profiling purposes as outlined above. Once the cited obligations have been fulfilled, the User's data will in any case be deleted, except for retention based on different legal terms of the act and/or document containing the data.

 

10. Exercising Rights by the User/Interested Party to Processing

At any time, the User can – without any formality – exercise their rights as defined by the current regulations as reported below. The exercise of rights is not subject to any formality. It will suffice to send a request to the Data Controller's contact containing their requests.

 

RIGHTS OF THE INTERESTED PARTY

The Interested Party/User can exercise the right to:

a) request confirmation of the existence or otherwise of their personal data and, if so, obtain access to the same data and all information related to the processing;

b) obtain the rectification and deletion of data;

c) obtain the limitation of processing;

d) obtain the portability of data, i.e., receive it from a data controller in a structured, commonly used, and machine-readable format and transmit it to another data controller without impediments;

e) object to the processing at any time, including in the case of processing for direct marketing purposes;

f) withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;

g) lodge a complaint with a supervisory authority.

 

11. Changes

In compliance with the current regulations on personal data protection, the Data Controller reserves the right to make changes to this information at any time by giving appropriate communication to the Platform Users and ensuring in any case adequate and similar protection of personal data. To view any changes, the User is invited to regularly consult this information, which in any case indicates the date of the last modification.