Need help?

AC CREATIVITY S.r.l. — Manila Grace

Information notice on the processing of personal data — Arts. 13 and 14 GDPR

This information notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and Legislative Decree 196/2003 and subsequent amendments ("Privacy Code") to users interacting with the e-commerce website accessible at manilagrace.com (hereinafter the "Website"). It is understood that this information notice exclusively concerns the Website and not third-party websites that may be consulted through hyperlinks.

The Data Controller is AC Creativity S.r.l., with registered office in Via Gaetano Ferraiolo n. 62, 80047 San Giuseppe Vesuviano (NA), Tax Code/VAT no. 08332271215, in the person of its legal representative, Mr. Antonio Casillo (hereinafter also the "Controller" or the "Company").

To exercise the rights indicated below and for any question related to the processing of personal data, please write to privacy@manilagrace.com.

The Controller has not appointed a Data Protection Officer (DPO), as the mandatory requirements under Article 37 of the GDPR do not apply; however, an internal contact person has been identified for data protection issues.

In the context of using the Website, the Controller processes: navigation data (IP address, device identifiers, technical logs, data collected through cookies and similar technologies, as indicated in the Cookie Policy); identifying and contact data (name, surname, email address, phone number, delivery and billing address); order and payment data (purchased products, amounts, payment methods; card and payment instrument data are processed directly by payment service providers and are not stored by the Controller); account data of any reserved area; data relating to marketing preferences and interactions, where the data subject gives their consent.

Personal data are processed for the purposes and on the legal bases indicated below:

Purpose	Legal basis
Conclusion and execution of the sales contract, management of orders, shipments, and assistance	Performance of a contract — Art. 6, par. 1, lett. b) GDPR
Account and reserved area management	Performance of a contract — Art. 6, par. 1, lett. b) GDPR
Responding to requests sent via the contact form	Pre-contractual measures / performance of a contract — Art. 6, par. 1, lett. b) GDPR
Fulfilment of legal, tax and accounting obligations	Legal obligation — Art. 6, par. 1, lett. c) GDPR
Sending promotional communications and newsletters	Consent — Art. 6, par. 1, lett. a) GDPR
Profiling and segmentation of marketing communications	Consent — Art. 6, par. 1, lett. a) GDPR
Cookies and statistical and marketing tracking tools	Consent — Art. 6, par. 1, lett. a) GDPR (see Cookie Policy)
Management of electronic withdrawal pursuant to Art. 54-bis of the Consumer Code and retention of relevant logs for evidentiary purposes	Legal obligation — Art. 6, par. 1, lett. c) GDPR
Ascertainment, exercise or defence of a right in judicial proceedings	Legitimate interest — Art. 6, par. 1, lett. f) GDPR

Processing is carried out primarily with electronic tools, according to logics related to the indicated purposes and with adequate technical and organizational measures to ensure the security, confidentiality, and integrity of the data pursuant to Art. 32 of the GDPR. The Website is built and managed on the Shopify platform.

Data may be communicated to entities that operate on behalf of the Controller as data processors pursuant to Art. 28 of the GDPR, or to autonomous controllers, within the following categories:

Recipient category	Entity
E-commerce platform and hosting	Shopify International Ltd (Ireland) and its sub-processors
Management of email and newsletter campaigns	Mailchimp (Intuit Inc.)
Advertising, analysis and measurement	Meta Platforms, Google, TikTok
Messaging and support	WhatsApp (Meta Platforms)
Consent Management Platform (CMP)	Complianz (by iubenda)
Payment services	Shopify Payments, PayPal, Klarna
Shipping and logistics	BRT S.p.A. (Italy), UPS (abroad)
Website development and technical maintenance	Turnup communication di Giovanni Pollio, VAT ID IT07090981213, Via Mario Fiore n. 14, 80129 Naples (NA)

Data may also be communicated to the competent authorities in compliance with legal obligations. The updated list of data processors is available upon request from the Data Controller.

Some of the aforementioned entities may process personal data outside the European Economic Area. In such cases, the transfer takes place based on an adequacy decision by the European Commission, where applicable (including, for certified US entities, the EU-U.S. Data Privacy Framework), or by signing the Standard Contractual Clauses adopted by the European Commission, supplemented by additional measures where necessary.

Data relating to orders and tax documentation are retained for the period required by law (normally 10 years). Account data is retained until the account is deleted by the user. Data processed for marketing purposes is retained until consent is revoked and, in any case, not beyond 24 months from the last useful interaction; data processed for profiling and segmentation purposes is retained for no more than 12 months, after which it is deleted or consent is renewed. Browsing data is retained for a limited period, unless it is necessary to ascertain crimes.

The data subject may exercise the rights provided for in articles 15 to 22 of the GDPR at any time: access, rectification, erasure, restriction, portability, objection, as well as the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal. The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

The provision of data necessary for the execution of the contract and for legal obligations is mandatory; failure to provide it prevents the completion of the purchase. The provision of data for marketing purposes is optional and refusal does not affect the possibility of purchasing.

The Data Controller reserves the right to modify this policy; updated versions will be published on the Website.

Last updated: June 11, 2026.