Privacy Policy

Last updated: 28 April 2026

This policy is issued pursuant to Article 13 of EU Regulation 2016/679 ("GDPR") and describes how personal data of users interacting with myorganics.com is processed.

1. Data Controller

The Data Controller is SMÀ Srl, VAT no. 03547050249, with registered office at Via Bianche 3, 36010 Schio (VI), Italy, reachable at support@myorganics.com.

2. Categories of data collected

  • Registration data: first name, last name, email, password (encrypted), date of birth.
  • Contact data: address, phone number.
  • Order data: items purchased, amounts, date, shipping and billing address.
  • Payment data: handled directly by PCI-DSS certified payment gateways; the Controller does not store card numbers.
  • Browsing data: IP address, browser, OS, pages visited, timestamps.
  • Marketing data: newsletter subscription preferences, email open/click logs.

3. Purposes of processing and legal basis

PurposeLegal basis
Account registration and user managementArt. 6(1)(b) GDPR (contract performance)
Order processing, invoicing, shippingArt. 6(1)(b) + 6(1)(c) (tax obligations)
Customer supportArt. 6(1)(b) GDPR
Newsletter and promotional communicationsArt. 6(1)(a) GDPR (consent, revocable at any time)
Purchase behaviour profilingArt. 6(1)(a) GDPR (consent)
Legal defence, fraud preventionArt. 6(1)(f) GDPR (legitimate interest)
Regulatory complianceArt. 6(1)(c) GDPR (legal obligation)

4. Processing methods

Data is processed using automated and paper-based tools, with appropriate technical and organisational measures (TLS encryption in transit, password hashing, access controls, backups).

5. Data retention

  • Account data: for the duration of the contractual relationship and for an additional 10 years after closure for tax obligations.
  • Marketing data: until consent is withdrawn and in any case no longer than 24 months from the last active interaction.
  • Browsing data: for the technical time needed, in any case no longer than 12 months.

6. Disclosure and recipient categories

Data may be disclosed to the following categories of recipients, appointed as Data Processors under Art. 28 GDPR:

  • Cloud, hosting and backup service providers (EU data centers).
  • Payment gateways (Stripe, PayPal or equivalent).
  • Shipping carriers (GLS, TNT, DHL and similar).
  • Transactional and marketing email providers.
  • Analytics and advertising providers: Google (Google Analytics 4 ID G-EFRWBJ3YFH, Google Ads AW-931356265 with Merchant Center 5713761192) and Meta Platforms (Meta Pixel ID 1769735723759274).
  • Professional advisors (accountants, lawyers) and competent authorities upon request.

7. International data transfers

Some third-party services (Google, Meta) process data in the United States. Transfers comply with Articles 44-49 GDPR, based on the EU-US Data Privacy Framework and/or the Standard Contractual Clauses approved by the European Commission.

8. User rights

You have the right, at any time, to:

  • access your data (Art. 15);
  • request rectification (Art. 16) or erasure (Art. 17);
  • request restriction of processing (Art. 18);
  • object to processing (Art. 21);
  • receive your data in a portable format (Art. 20);
  • withdraw consent at any time;
  • lodge a complaint with the competent supervisory authority.

To exercise these rights, write to support@myorganics.com.

9. Cookies

The use of cookies and similar technologies is described in our dedicated cookie policy.

10. Changes

The Controller reserves the right to update this policy to reflect regulatory or service changes. The latest update date is shown at the top.