Grillz Marche · Privacy

PRIVACY POLICY

Every data point, every provider, every retention period: all written here, in plain words.

This notice (art. 13 GDPR) explains what personal data we process, why, for how long, with whom, and what rights you have. We wrote it to be genuinely readable, not just signable.

01

Data controller

The data controller is Grillz Marche di Moustachfa Wassim — VAT 02184970438, Via Nicolò Bonafede 5, 62015 Monte San Giusto (MC), Italy.

  • Email: grillzmarche@gmail.com
  • Certified email (PEC): WASSIM.MOUSTACHFA@PEC.FISCOZEN.IT
  • WhatsApp: +39 389 482 9784

We have not appointed a data protection officer (DPO) because our activity does not fall within the cases where one is mandatory.

02

What data we collect

We only process data you give us, plus a few technical data generated by using the site:

  • Quote request / waiting list (from the configurator): name, email, phone, Instagram handle (a required field of the form), shipping address, your chosen configuration, and any reference photos and notes you attach.
  • Production (once sales are active): dental impressions, photos needed for the work and, once online payments are active, proof of payment.
  • Account (if you register): email, name and password (stored only as a protected hash, never in plain text).
  • Support: whatever you write to us by email, WhatsApp or Instagram.
  • Technical logs: security and operations logs generated by the hosting infrastructure.
  • Anonymous statistics: aggregate visit counters without cookies and without identifying data (see section 7).

We do not collect browsing data for advertising purposes and we do not buy data about you from third parties.

03

Why we use it and on what legal basis

  • Handling your quote request and the waiting list, and contacting you back at launch: pre-contractual measures taken at your request (art. 6(1)(b) GDPR).
  • Making your grillz and fulfilling the order, including status emails: performance of the contract (art. 6(1)(b)).
  • Complying with accounting and tax obligations: legal obligation (art. 6(1)(c)).
  • Replying to you and handling support, including warranty matters: our legitimate interest in assisting you and managing disputes (art. 6(1)(f)).
  • Site security (technical logs, abuse prevention): legitimate interest (art. 6(1)(f)).
  • Aggregate anonymous statistics on visits: legitimate interest (art. 6(1)(f)) on data that cannot identify you.

We do not use your data for marketing without your consent, and we perform no profiling or automated decisions with legal effects on you. Providing the form data is necessary to handle your request: without it, we simply cannot reply.

04

How long we keep it

  • Quote / waiting-list requests not followed by an order: up to 12 months from the last contact, then deleted.
  • Orders and tax documents: 10 years, as required by law (art. 2220 of the Italian Civil Code).
  • Production photos and impressions: for the duration of the legal warranty (2 years from delivery), then destroyed or deleted.
  • Account: until you ask for deletion.
  • Support emails and messages: up to 24 months after the request is closed, unless a dispute is ongoing.
  • Technical logs: for the short technical periods set by the hosting provider.

When the period expires, data is deleted or irreversibly anonymised.

05

Who we share it with

We do not sell or hand over your data to third parties for marketing. To run the service we rely on these providers, which process data on our behalf or as independent controllers within the limits indicated:

  • Vercel Inc. (USA) — site hosting and technical logs.
  • Sanity Inc. (USA) — database for site content and orders/requests; request data is stored encrypted with AES-256, unreadable without our key.
  • Resend (USA) — transactional emails (summaries and confirmations).
  • Google (USA) — the Gmail inbox where we receive requests and emails.
  • Telegram — for each request we receive an internal notification with name, email and phone, so we can reply fast.
  • Upstash (USA) — infrastructure for the aggregate statistics; it receives no personal data (see section 7).
  • Express couriers — receive name, address and phone for delivery.
  • Stripe — not active today; when we switch on online payments we will update this notice before using it.

Data may also be disclosed to advisers (e.g. tax) and to authorities where the law requires it.

06

Transfers outside the European Union

Some providers listed above (Vercel, Sanity, Resend, Google, Upstash) are based or run servers in the United States. In those cases the transfer is protected by the standard contractual clauses (SCCs) approved by the European Commission included in their contracts and, where the provider is certified, by the EU-US Data Privacy Framework.

Telegram may process data outside the EU: that is why we use it only as an internal notification channel and keep the data sent to the bare minimum (name, email, phone). You can request a copy of the safeguards applied by writing to the contacts in section 1.

07

Statistics without cookies (and without spying on you)

To understand how many people visit the site we use a first-party, cookieless counter: we record only aggregate data (page viewed, country, referring site) and estimate unique visitors with a temporary technical code that changes every day and cannot be traced back to your identity.

  • No cookies and no identifier stored on your device.
  • Your IP address is never stored.
  • No individual profile, no cross-site tracking, no sharing with advertising networks.
  • If your browser sends the «Do Not Track» signal, the counter does not even start.
08

How we protect your data

All site traffic travels over HTTPS. Request and order data is stored encrypted with AES-256-GCM: in the database it is unreadable without the key, which is kept separately. Account passwords are stored only as hashes. Access to data is limited to the owner and to the providers listed, each for its own function.

09

Your rights

At any time you can exercise your rights under arts. 15-22 GDPR:

  • Access: know what data we hold about you and get a copy.
  • Rectification: correct wrong or incomplete data.
  • Erasure: have it deleted, where no legal obligation forces us to keep it.
  • Restriction and objection: block or contest processing based on legitimate interest.
  • Portability: receive your data in a machine-readable format.

How: write to grillzmarche@gmail.com (or to the PEC WASSIM.MOUSTACHFA@PEC.FISCOZEN.IT) stating which right you want to exercise. We reply within one month. If you are not satisfied, you have the right to lodge a complaint with the Italian data protection authority — Garante (www.garanteprivacy.it).

10

Minors

The site and the products are aimed at adults. We do not knowingly process data of children under 14; if you are a minor, ask a parent to handle the request for you. If we discover data of a child collected without the consent of the person responsible for them, we delete it.

11

Cookies and external links

The complete list of cookies and other data stored on your device, with name, purpose and duration, is in the Cookie Policy (linked in the footer). Preview: we use technical tools only, no advertising tracking.

The chatbot reachable from the site is a separate external service: its own terms apply. The same goes for links to Instagram and WhatsApp: from there on, those platforms' privacy policies apply.

12

Changes to this notice

If we change providers or processing activities (for example when activating payments with Stripe), we update this page and the revision date at the bottom. For substantial changes, if we have your contact details, we let you know directly.

Version 2.0 — Last revised: 1 July 2026