40 Gradi Nord

Great Italian Outdoors

Privacy Policy

Privacy notice pursuant to Art. 13 of EU Regulation 679/2016 (GDPR) and the UK GDPR

Last updated — March 2026 · 40gradinord.com

We invite you to read this Privacy Policy carefully before sharing any personal data with the Controller. To exercise your rights or for any clarification, please write to privacy@greatitalianoutdoors.com.

I

General Information

This Privacy Policy describes how the website 40 Gradi Nord — a brand owned by Great Italian Outdoors LTD — manages the data of users who visit it or use the services available at https://www.40gradinord.com.

This document has been drawn up in accordance with:

  • EU Regulation 2016/679 (GDPR)
  • UK GDPR and Data Protection Act 2018 (DPA 2018), applicable as Great Italian Outdoors LTD is a company registered in the United Kingdom
  • Legislative Decree 101/2018, which aligned the Italian Privacy Code (Legislative Decree 196/2003) with the GDPR
  • ePrivacy Directive 2002/58/EC and its national implementing legislation

This notice applies exclusively to the Site and not to any other websites accessible via links contained within it. It may be subject to updates: we invite you to consult this page periodically.

If you are under 16 years of age, pursuant to Art. 8(1) of EU Regulation 2016/679, you must obtain authorisation from a parent or guardian before providing any personal data.

II

Data Controller and Processor

Data Controller

Great Italian Outdoors LTD

Registered office: M.01 Tomorrow, Blue, Media City UK, Salford M50 2AB — United Kingdom

HMRC Company No.: 15674014

Privacy email: privacy@greatitalianoutdoors.com

Website: https://www.40gradinord.com

Data Processor

The data processor, pursuant to Art. 28 of EU Regulation 2016/679, is identified as Great Italian Outdoors LTD in its capacity as Controller. Any external processors appointed for specific services (e.g. hosting, newsletter, payments) are bound by written agreements compliant with Art. 28 GDPR.

Place of Processing

Data is processed at the registered office of Great Italian Outdoors LTD, Salford M50 2AB, United Kingdom, and — solely for services that require it — at the premises of third-party providers indicated in this notice, in compliance with the safeguards set out in Arts. 44–49 of the GDPR and the UK GDPR.

III

Cookies

What are cookies

Cookies are small text strings stored in the user’s browser when visiting a website. They allow preferences and actions to be remembered over time. They are not executable code and do not transmit viruses. The Site uses cookies to improve the browsing experience and for analytical and marketing purposes, within the limits and with the safeguards described below.

Prior consent: in accordance with the CJEU Planet49 ruling (2019) and the Guidelines of the European Data Protection Board (EDPB), non-essential cookies are installed only after obtaining the user’s explicit and informed consent, expressed through the cookie banner on the Site. Consent may be withdrawn at any time.

1. Technical cookies (no consent required)

Necessary for the correct functioning of the site and the delivery of requested services. These include session cookies (deleted when the browser is closed) and persistent cookies for features such as maintaining login sessions. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and (f) (legitimate interest of the Controller).

2. Third-party analytical cookies (consent required)

Used to collect aggregated information on user behaviour in order to improve the Site. Data is transmitted in anonymised form. Legal basis: Art. 6(1)(a) GDPR (consent).

3. Profiling cookies (consent required)

Used to create user profiles for the purpose of sending targeted advertising messages. Installed only with explicit consent, pursuant to Art. 22 of EU Regulation 2016/679 and Art. 122 of Legislative Decree 196/2003 as amended by Legislative Decree 101/2018. Legal basis: Art. 6(1)(a) GDPR (consent).

Third-party plugins and services

Comment Likes

Accessible only to users registered on WordPress.com. Collects: WordPress.com user ID/username, site-specific user ID, like/dislike data. From mobile app: IP address, user agent, timestamp, blog ID, browser language, country code, device information.

WP Multilingual (WPML)

Detects the browser language and stores a cookie for 24 hours to synchronise the language version of the Site. Synchronises pages, tours, products, articles and post metadata.

Contact Form (Akismet)

To prevent spam, the contact form uses Akismet (Automattic Inc.). The following data is transmitted to the Akismet server: IP address, user agent, name, email, website and message. Data is also stored in the Site’s database and sent by email to the Controller.

Google Analytics

Used in conjunction with WooCommerce. Sends to Google Analytics: order number, product ID and name, category, total and quantity. All data is anonymised before transmission. Transfers to the USA are made on the basis of the Standard Contractual Clauses (SCC) adopted by the EU Commission and the EU-US Data Privacy Framework (adequacy decision of 10 July 2023).

Also tracked: page views, interactions with products in the cart, purchases. Google Privacy Policy: policies.google.com/privacy.

Gravatar Hovercards

If the user is logged into WordPress.com or has submitted a comment with an email address associated with Gravatar, a hash is sent to Gravatar (Automattic) to retrieve the profile image.

WooCommerce (PayPal / Stripe)

For payments, the following data is transmitted to the chosen processor: purchase total, currency and billing details. No tax or shipping data is transmitted.

WooCommerce data retention

  • Inactive accounts: 1 year
  • Pending / failed orders: 1 week
  • Cancelled orders: 1 year
  • Completed orders: 5 years (tax and accounting obligations)
  • Data on Stripe system: 5 years

Managing cookies from your browser

Users can manage or disable cookies directly from their browser settings. Disabling technical cookies may affect the functioning of the Site. Links to official guides:

IV

Data Processed

1. Browsing data

During browsing, computer systems automatically collect certain data whose transmission is implicit in internet protocols:

  • IP address
  • Browser type, operating system and device parameters
  • Internet Service Provider (ISP) name
  • Date, time, referring page (referral) and exit page
  • Number of clicks and page interactions

This data is processed in aggregate form to verify the correct functioning of the site and for security purposes. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller). Retention: 90 days, unless required for criminal investigations.

2. Data provided voluntarily by the user

Sending emails or completing forms (contact, bookings, account registration) involves the collection of the data entered, including name, email address and any other information provided. Legal basis:

  • Art. 6(1)(b) GDPR for data necessary for the performance of a contract (bookings)
  • Art. 6(1)(a) GDPR for expressed consent (newsletter, marketing)
  • Art. 6(1)(c) GDPR for compliance with legal obligations (invoicing, accounting)

Retention: for the time strictly necessary to deliver the service, and in any case no longer than 5 years for tax and accounting obligations, unless a longer retention period is required by law.

3. Data for site security

For security purposes (anti-spam filters, firewall, intrusion detection), certain data such as IP addresses may be recorded and used, in compliance with applicable law, to block attempts to cause damage or unlawful activity. Such data is never used for profiling. Legal basis: Art. 6(1)(f) GDPR. Retention: 30 days.

V

User Rights

Pursuant to Arts. 15–22 of EU Regulation 2016/679 and the UK GDPR, the user has the right to:

  • Access (Art. 15) — obtain confirmation of whether processing is taking place and receive a copy of the data
  • Rectification (Art. 16) — correct inaccurate data or have it completed
  • Erasure (“right to be forgotten”) (Art. 17) — obtain the deletion of data, subject to legal retention obligations
  • Restriction of processing (Art. 18) — request the suspension of processing in certain circumstances
  • Data portability (Art. 20) — receive data in a structured, machine-readable format
  • Objection (Art. 21) — object to processing based on legitimate interest, including direct marketing
  • Withdrawal of consent — withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal

Requests may be addressed to the Controller by writing to privacy@greatitalianoutdoors.com. The Controller will respond within 30 days of receipt (extendable by a further 60 days in complex cases, with a reasoned notification).

In the event of a breach of data protection law, the user has the right to lodge a complaint with the competent supervisory authority: the Garante per la Protezione dei Dati Personali (garanteprivacy.it) for users in Italy, or the Information Commissioner’s Office (ICO) (ico.org.uk) for the United Kingdom.

VI

Transfers of Data to Third Countries

Some of the services used by the Site (e.g. Google Analytics, Stripe, PayPal) involve the transfer of data to countries outside the European Economic Area (EEA), in particular to the United States. Such transfers take place exclusively in compliance with:

  • EU-US Data Privacy Framework — adequacy decision of the EU Commission of 10 July 2023 (Art. 45 GDPR)
  • Standard Contractual Clauses (SCC) — adopted by the EU Commission (Art. 46(2)(c) GDPR), as an additional safeguard

Note: the previous “Privacy Shield” mechanism was declared invalid by the Court of Justice of the European Union in the Schrems II ruling of 16 July 2020 (Case C-311/18). The Site no longer relies on that mechanism.

VII

Personal Data Breaches

In the event of a personal data breach that may pose a risk to the rights and freedoms of users, the Controller undertakes to:

  • Notify the competent supervisory authority (Garante/ICO) within 72 hours of becoming aware of the breach, pursuant to Art. 33 GDPR
  • Communicate the breach to affected individuals without undue delay, where it is likely to result in a high risk, pursuant to Art. 34 GDPR
  • Document all breaches in the internal breach register

VIII

Data Security

The Controller adopts appropriate technical and organisational measures to ensure a level of security proportionate to the risk, pursuant to Art. 32 GDPR. These include: encryption of data in transit (HTTPS/TLS), access controls, firewalls and intrusion detection systems.

In addition to the Controller, certain categories of persons involved in the operation of the site (technical, administrative and legal staff) or external parties (hosting providers, payment processors, IT service providers) may have access to data strictly to the extent necessary. All are bound by confidentiality agreements and/or contracts pursuant to Art. 28 GDPR.

IX

Amendments to this Document

This document is published at https://40gradinord.com/en/privacy-policy/ and constitutes the official Privacy Policy of the Site.

It may be subject to updates following regulatory or operational changes. Users are invited to consult this page periodically. Previous versions will remain accessible. This document was updated in 2024 to comply with EU Regulation 2016/679, the UK GDPR, Legislative Decree 101/2018 and the EU-US Data Privacy Framework.

Exercise Your Rights

Access, erasure, rectification requests or any privacy-related enquiry

privacy@greatitalianoutdoors.com