Privacy Policy
This Privacy Policy is issued pursuant to Article 13 of Regulation (EU) 2016/679 (the "GDPR") and Italian Legislative Decree 196/2003 (Personal Data Protection Code), as amended by Legislative Decree 101/2018, to anyone who interacts with the website www.idroponicafacile.com (the "Site"), makes purchases, registers an account, subscribes to the newsletter, or sends communications through the contact forms.
For specific information on the use of cookies and similar tracking tools, please refer to the Cookie Policy, which forms an integral part of this Privacy Policy.
1. Data Controller
The Data Controller is:
eShop di Elena Stragliotto
Via Santa Giuliana 8 — 20835 Muggiò (MB) — Italy
Italian VAT no. 10258290963 — REA MB-2609904
Email: info@idroponicafacile.com
For any matter relating to the processing of personal data, the Data Controller may be contacted using the details above.
2. Categories of personal data processed
The Data Controller processes the following categories of personal data, collected directly from the data subject or generated through browsing of the Site:
- Identification and contact data: first name, surname, email address, phone number, shipping and billing address.
- Tax data: tax code, VAT number, recipient code or certified email (for B2B electronic invoicing).
- Account data: username, password (stored in encrypted form), preferences, wishlist, compared products, order history.
- Order data: products purchased, amounts, payment methods, delivery address, post-sales communications.
- Payment data: handled directly by external providers (PayPal, credit card networks). The Data Controller does not store full credit card details.
- Browsing data: IP address, browser type, operating system, pages visited, date and time of access, referring URL.
- Communication data: content of messages sent through the contact form, email or social channels.
- Marketing data: newsletter consent, email open/click behaviour, products added to the cart without completing the purchase.
3. Purposes and legal bases of processing
Personal data is processed for the following purposes, each with its own legal basis:
3.1. Performance of the sales contract (Art. 6(1)(b) GDPR)
Order management, invoicing, shipping, after-sales support, returns and complaints handling, statutory warranty of conformity. Providing this data is mandatory: refusal makes it impossible to complete the purchase.
3.2. Compliance with legal obligations (Art. 6(1)(c) GDPR)
Retention of invoices and tax documentation as required by Italian civil and tax law, communications to the Italian Revenue Agency (Sistema di Interscambio for electronic invoicing), management of the right of withdrawal under the Italian Consumer Code.
3.3. Registration and management of the customer account (Art. 6(1)(b) GDPR)
Creation and management of the reserved area, authentication, password recovery, access to order history. Legal basis: performance of pre-contractual and contractual measures at the request of the data subject.
3.4. Reply to requests submitted via the contact form (Art. 6(1)(b) and (f) GDPR)
Response to questions, requests for product information, quotations, technical advice on hydroponic towers. Legal basis: performance of pre-contractual measures or legitimate interest in providing customer support.
3.5. Newsletter and marketing communications (Art. 6(1)(a) GDPR)
Periodic sending of newsletters with news, offers, guides and editorial content. Legal basis: explicit consent of the data subject, collected through a dedicated checkbox and revocable at any time by clicking the unsubscribe link at the bottom of each email or by writing to info@idroponicafacile.com.
3.6. Abandoned cart recovery (Art. 6(1)(f) GDPR — legitimate interest)
Where the user has entered their email address during a checkout procedure that was not completed (whether as a registered user or as a guest), the Data Controller may send a limited sequence of reminder emails to allow the user to complete the order. Legal basis: the Data Controller's legitimate interest in recovering the commercial relationship already initiated, balanced against the rights of the data subject, who may object at any time (see section 8). These emails are sent only if the user has explicitly provided their email address during the checkout process.
3.7. Soft spam under Article 130(4) of Italian Legislative Decree 196/2003
Customers who have made a purchase may receive promotional communications regarding products similar to those purchased, without further consent, until the data subject objects. Opting out is always possible through the unsubscribe link in each email.
3.8. Statistics, profiling and marketing through cookies (Art. 6(1)(a) GDPR)
Analysis of browsing behaviour, remarketing, targeted advertising. Legal basis: consent given through the cookie banner. Full details are provided in the Cookie Policy.
3.9. Defence in legal proceedings and protection of rights (Art. 6(1)(f) GDPR)
Retention of data necessary to ascertain, exercise or defend a legal right in court. Legal basis: legitimate interest.
4. Methods of processing
Data is processed using electronic and telematic tools, with logic strictly related to the purposes indicated. The Data Controller adopts appropriate technical and organisational security measures, in accordance with Article 32 GDPR, to ensure the confidentiality, integrity and availability of the data, preventing unauthorised access, loss, alteration or undue disclosure. Data is stored on servers located within the European Union, with access restricted to authorised personnel.
5. Retention period
Personal data is retained for the time strictly necessary to fulfil the purposes of the processing and, in any event, according to the following criteria:
- Order and invoicing data: 10 years from the conclusion of the contract, as required by Article 2220 of the Italian Civil Code and tax legislation.
- Customer account data: for the entire duration of the relationship and, in case of prolonged inactivity (over 24 months without logins or orders), the account is deleted following prior notice.
- Marketing and newsletter data: until consent is withdrawn and, in any case, no longer than 24 months from the last interaction, subject to renewal.
- Abandoned cart data: 30 days from the abandonment event, after which it is deleted or anonymised.
- Contact form data: up to 24 months from the last communication, unless the relationship develops into a contractual relationship.
- Browsing logs: a maximum of 12 months, subject to specific retention obligations for security purposes or the investigation of offences.
- Data necessary for the defence of legal claims: for the time provided by the applicable limitation periods.
6. Recipients of the data and data processors
Personal data may be communicated, for the purposes indicated above, to the following categories of recipients, appointed as Data Processors under Article 28 GDPR where applicable:
- Hosting and infrastructure provider: Keliweb S.r.l., supplier of the VPS server hosting the Site (server located in Italy).
- E-commerce platform: PrestaShop, software running the online shop (installed on the Data Controller's own server).
- Email marketing provider: Brevo (Sendinblue SAS), with registered office in France, used for sending newsletters, transactional emails and abandoned cart recovery sequences. Brevo Privacy Policy.
- Payment providers:
  - PayPal (Europe) S.à r.l. et Cie, S.C.A. — PayPal Privacy Policy
  - Any other payment gateways activated (e.g. Stripe, Nexi, Satispay), acting as independent controllers for the payment data they process.
- Couriers and logistics operators: for the delivery of products (e.g. BRT, GLS, SDA, Poste Italiane), to whom data strictly necessary for shipping is communicated.
- Google services: Google Analytics and Google Ads, provided by Google Ireland Limited, for statistical and advertising purposes (only with cookie consent).
- Meta Platforms Ireland Ltd.: for Meta Pixel on Facebook and Instagram (only with cookie consent).
- YouTube (Google Ireland Limited): for embedding videos on the Site.
- Tax adviser and accountant: for accounting and tax obligations.
- Sistema di Interscambio (SdI) of the Italian Revenue Agency: for the transmission of electronic invoices.
- Public authorities: where required by law or for the defence of a legal right.
Personal data is not disclosed publicly and is not sold to third parties for their independent marketing purposes.
7. Transfers of data outside the EU
Some providers (in particular Google, Meta and, in the case of specific processing activities, other technology providers) may process data in countries outside the EU, including the United States of America. Such transfers take place on the basis of:
- Adequacy decisions of the European Commission (e.g. EU-US Data Privacy Framework, where applicable);
- Standard Contractual Clauses approved by the European Commission;
- Supplementary technical, organisational and contractual security measures, in compliance with Articles 44 to 49 GDPR.
For more information on the transfer mechanisms adopted by each provider, please consult their respective privacy policies, linked in section 6.
8. Rights of the data subject
As a data subject, the user has the right at any time to:
- Access their personal data (Art. 15 GDPR);
- Rectify inaccurate or incomplete data (Art. 16 GDPR);
- Erase the data ("right to be forgotten"), in the cases provided for in Art. 17 GDPR;
- Restrict processing (Art. 18 GDPR);
- Object to processing based on legitimate interest or for marketing purposes (Art. 21 GDPR);
- Receive their data in a structured, commonly used and machine-readable format, and transmit it to another controller (data portability — Art. 20 GDPR);
- Withdraw consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal (Art. 7 GDPR);
- Lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with the supervisory authority of the EU Member State of residence or of the place of the alleged infringement. Users resident in the United Kingdom may also lodge a complaint with the Information Commissioner's Office (ico.org.uk).
To exercise these rights, users may write to: info@idroponicafacile.com. The Data Controller will reply without undue delay and, in any case, within 30 days of receipt of the request.
9. Nature of data provision and consequences of refusal
Providing data is:
- Mandatory for the purposes of contract performance, legal obligations and account management: refusal makes it impossible to complete a purchase or use the services of the Site.
- Optional for marketing, newsletter, profiling and statistical purposes: refusal does not affect in any way the ability to purchase products or use the Site.
10. Automated decision-making
The Data Controller does not carry out processing based on automated decision-making that produces legal effects on the data subject or that significantly affects them, within the meaning of Article 22 GDPR.
11. Minors
The Site is not intended for minors under the age of 16. The Data Controller does not knowingly collect personal data from minors without the consent of the holder of parental responsibility. Should the Data Controller become aware of such an occurrence, the data will be promptly deleted.
12. Changes to this Privacy Policy
This Privacy Policy may be updated at any time to reflect regulatory, technical or organisational changes. The current version is always published on this page, with an indication of the date of the last update. In the event of substantial changes, registered users will also be informed by email.
Last updated: 27 May 2026