Privacy Policy

Welcome to the website

Dear User, we kindly ask you to read our Privacy Policy, which applies to every case in which you access the website and decide to browse through it and use its services.

This Privacy Policy describes, pursuant to and for the purposes of art. 13 of General Data Protection Regulation (hereinafter, “GDPR”), the way the Data Controller processes the data you provide while browsing this website.

The processing of personal data will be based on the principles of lawfulness, transparency, fairness and protection of confidentiality and your rights, always in accordance with national and European legislation currently in force.

Data Controller

Pursuant to Articles 4 and 24 of the GDPR, the Data Controller is Società Agricola Rocca delle Macie S.r.l, Castellina in Chianti, Loc. Le Macie n. 45 (SI). E-mail address:

Type of data processed

The Data Controller can collect and process the following data:

  • personal data provided directly by the User following registration on the website ("Sign Up Now"). In this case, the data acquired by the Data Controller are name, surname, date of birth, country, cell phone, telephone and e-mail. These types of data are collected in order to allow the User to register on the website and use the e-commerce service. Through this section are not collected bank details or other data necessary to complete the payment;
  • personal data provided by the User in order to proceed and finalize the purchase of goods; the User must provide truthfully and completely the data requested in the checkout form;
  • orders history and saved products data: to deliver the products and to fulfil the contract (if you do not put the products in the "cart", in fact, you cannot proceed with the purchase), the Data Controller acquires information relating to the orders history, also to be able to provide customer service and support;
  • payment information: the Data Controller collects information in order to complete purchases, accept payments and handle claims. This includes, but is not limited to, information regarding the payment instrument selected and billing and shipping information;
  • navigation data. The computer systems and software procedures used for this web site operation acquire, during their normal operation, personal data, whose transmission is implicit in the use of Internet communication protocols. However, this information is not collected in order to be associated with identified data subjects but are information which could - through processing and associations with data held by third parties - allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the website, requested resources addressed in URI (Uniform Resource Identifier) notation, the browser, the time of the request and other parameters relating to the operating system and computer environment of the User. These data are used only to receive anonymous statistical information on the use of the website and to check its proper functioning. They are deleted immediately after processing.

Legal ground and purpose of the processing

Data are processed for the following purposes:

  • for User registration, to process orders, manage payments and provide customer service and support. The legal basis is the execution of contractual and pre-contractual measures taken at the request of the customer (Art. 6, letter b) GDPR) and the fulfilment of legal obligations of a fiscal, accounting, administrative nature (Art. 6, letter c) GDPR);
  • for promotional purposes, in order to send, via e-mail or other digital communication tools, news about products, services, events and promotions. The legal basis is the express consent given by the User (Article 6, letter a), GDPR); 
  • to comply with the legal obligations to which the Data Controller is subject (Art. 6, letter c) GDPR).


Conferment of personal data

The compulsory or optional nature of the conferment is specified from time to time - with reference to the individual information requested - also by affixing a special symbol (*) to the mandatory information. Any refusal to communicate the data marked as mandatory makes it impossible for the Data Controller to perform the contract or provide the services as requested. The conferment of further data is, instead, optional.

Processing modalities

The processing of personal data is carried out by the Data Controller with mainly electronic and telematic methods, using internal staff specifically authorized. Adequate security measures are taken in order to minimize the risk of destruction or loss - even accidental - of data, unauthorized access or treatment that is not allowed or does not conform to the purposes of collection. Data are processed at the Data Controller's headquarter and in any other place where the parties involved in the processing are located, as well as at the host servers. For further information, please contact the Data Controller.

Data retention period

The data are processed for the time necessary to carry out the service requested by the User or in general until the purposes for which they were collected are achieved. Some data will be kept for longer periods because of obligations relating to fiscal-administrative-accounting requirements. With regard to promotional purposes, the retention period is 24 months from the date of consent, without prejudice to the User's right to request revocation at any time. Subsequently, personal data will be automatically deleted or permanently anonymized.

Data communication

The User's personal data will not be disclosed to unspecified subjects, however, may be communicated to professionals, collaborators, legal persons and third parties who perform services of a technical and organizational nature on behalf of the Data Controller. These subjects will be able to process the data as Data Controllers, Joint Controllers and Data Processors duly appointed ex art. 28 of GDPR; they are provided only with the information necessary to carry out their functions. The complete and updated list of the Data Processors is available upon request. The data may also be communicated or made available to persons who have the right to access the data under the provisions of the law, regulation or European legislation, within the limits and for the purposes provided by these rules.

Data transfer

Your personal data will not be transferred abroad to countries outside the EU that do not ensure adequate levels of data protection. If necessary, within the limits strictly related to the pursuit of the activities described, the Data Controller assure you that the transfer of data is carried out only based on standard contractual clauses and decision of adequacy, in compliance with the provisions of art. 44 et seq. of GDPR.

Links to other sites, platforms and social networks

This Privacy Policy is provided only for the website and not for other websites and social platforms that can be reached by the User through social buttons, special buttons on the site that represent the icons of the main platforms and social networks. For further information on the data processing carried out by these external subjects, please refer to their respective privacy policies.


Your rights

You have specific legal rights in relation to the personal information we hold about you which are recognized by Articles 15-22 EU Regulation 679/2016. These rights include:

  • accessing your data (in full and by obtaining a copy) and knowing if the Data Controller holds and/or processes personal data relating to you. On this occasion you also have the right to obtain access to your personal data and information regarding the processing purposes, the categories of personal data in question, the receivers or categories of receivers to whom the personal data have been or will be communicated;
  • verifying, updating and obtaining the rectification of inaccurate data or the integration of incomplete personal data with no unjustified delay;
  • obtaining the cancellation or removal of your personal data;
  • obtaining the restriction of the treatment;
  • when applicable, receiving the personal data concerning you which you have provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller (right to portability);
  • objecting to the processing;
  • lodging a complaint with the competent data protection supervisory authority (Italian Privacy Authority or take legal action.

The exercise of rights, except for letter g), may take place by sending a request to the e-mail address

Amendments of the Privacy Policy

In the future, the Data Controller may modify or simply update, in whole or in part, this Privacy, also in consideration of the modification of laws or regulations that govern this matter and protect the rights of the interested party. Changes and updates to the Privacy Policy will be binding as soon as they are published on the website. We therefore invite the User to regularly access this section to check the publication of the most recent and updated Privacy Policy.