Privacy policy


With the definitive entry into force in Europe of the new General Data Protection Regulation (GDPR) 2016/679, from 25 May 2018 – for the protection of individuals – we believe it is important that you are aware of the rights you are entitled to in relation to your data when you decide to access our online services.
Here is how and why we use your data and how you can control its use. The new statement that we show below is divided into:
Data Controller: Who processes your data
Legal basis: Why you have provided us with your data
Category of data processed: What data we process
Purpose of the processing: What we process your data for
Processing methods: How we process your data
Processing duration: How long we keep your data
What are cookies
Summary table of the cookies used
Ensuring security of your data: How we protect your data
Exercising the rights of the interested party: What are their rights

We invite you to read this


Pursuant to Article 13 of Regulation (EU) 2016/679, we inform you that the personal data acquired will be processed, also in an automated manner for:

  • accessing our online services also in order to request quotes;
  • the sending of information requested by customers and/or suppliers in general, including the presentation of a complaint in order to contact you again;
  • accessing the Restricted page using your credentials, after user registration;
  • sending newsletters.

Data Controller
Company name: BOXY S.P.A.
Registered office: VIA ALCIDE DE GASPERI, 16 – 25010 REMEDELLO (BS)
Telephonic contact: +39 030.9579000
E-mail contact:
Processing Recipients and Authorized Subjects
In addition to the employees and collaborators of BOXY SPA, the processing of personal data may also be carried out by third parties, to whom the company entrusts certain activities (or part of them) connected or instrumental to carrying out the processing or to the provision of the requested services. In this case, the same subjects will operate as independent data controllers or will be appointed as Managers who also carry out the tasks of a technical and organizational nature of the site on behalf of the Data Controller.
Legal basis and possible consequences of failure to provide data
The personal data collected through the Site are processed on the basis of your consent pursuant to EU Reg. 2016/679, art. 6, paragraph 1, letter a). Your refusal will make it impossible to contact you again, access our online services, request quotes and/or provide you with information, and/or
send you commercial communications.
Obligation to provide data
Some personal data are strictly necessary for the Site’s operation, others are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check it is functioning correctly, and are deleted immediately after processing.
Categories of data processed

  • DATA COMMUNICATED BY THE USER – The data collected is personal and is provided by the interested party spontaneously by filling in the specific contact forms or by sending e-mails.
  • DATA LOCALISATION – The Site may collect location data with IP address masking (or anonymously)

Purpose of the processing
The processing has the purpose of accessing our online services, of being able to contact you again, following your request to send newsletters and/or information, by filling in the relative online forms “Contacts”, “Request a quote”, “Registration”, ” Subscription/sending newsletter”.
Specific information is published on the pages of the Site for the provision of these services.
Processing methods
Personal data will be processed on paper, in computerized and telematic form and added to the relevant databases (customers, suppliers, users, etc.) which the employees expressly designated by the Data Controller as Managers and Persons in charge of processing the personal data will be
able to access, and therefore become aware of, and who may consult, use, process, compare and carry out any other appropriate operation, including automated, in compliance with the provisions of the law necessary to guarantee, among other things, the confidentiality and security of the data
as well as the accuracy, updating and relevance of the data with respect to the declared purposes.
Retention period of personal data

  • For data provided through the “Contacts” Contact Form: 3 years from the last contact
  • For data provided to activate the RESTRICTED AREA service: 5 years from the last access
  • For data provided for activation of the QUOTE REQUEST service: 5 years from the last access
  • For data provided by subscribing to the newsletter: 24 months from consent

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data stored on the user’s computer by the web browser while browsing a website. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember pieces of information that the user previously entered into form fields, such as names, addresses, passwords, and payment card numbers.
Cookies perform essential functions in the modern web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with. Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate themselves by logging in. The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie’s data to be read by a hacker, used to gain access to user data, or used to gain access (with the user’s credentials) to the website to which the cookie belongs (see cross-site scripting and cross-site request forgery for examples).

There is a Google Analytics tracking code.
How we protect your data
We design our systems and devices with due regard to your security and privacy. Personal data are processed with automated tools in compliance with the principle of necessity and proportionality, avoiding the processing of personal data if the operations can be carried out through the use of
anonymous data.
In compliance with the GDPR, we adopt physical, electronic and organizational security measures in relation to the collection, retention and communication of our customers’ personal data, also in order to prevent the loss, illicit use and unauthorized access of personal data. We remind you that it is good practice for the security of your data to carry out the appropriate checks on your device, that it is equipped with periodically updated antivirus tools and that the Internet Service Provider that provides you with the Internet connection guarantees the secure transmission of data through firewalls, spam filters and/or other similar guarantees.
Rights of the interested party
In relation to the personal data covered by this statement, the interested party has the right to exercise the rights provided for by the EU Regulation as shown below:

  • right of access of the interested party [art. 15 of the EU Regulation]( the possibility of being informed about the processing carried out on their Personal Data and possibly receiving a copy);
  • right to rectify their Personal Data [art. 16 of the EU Regulation] (the interested party has the right to rectify any inaccurate personal data concerning them);
  • right to cancel their Personal Data without undue delay (“right to be forgotten”) [art. 17 of the EU Regulation] (the interested party has, and will have, the right to have their data deleted);
  • right to limit the processing of Personal Data in the cases provided for by art. 18 of the EU Regulation, including in the case of unlawful processing or dispute of the accuracy of the Personal Data by the interested party [art. 18 of the EU Regulation];
  • right to data portability [art. 20 of the EU Regulation], the interested party may request their Personal Data in a structured format in order to transmit them to another controller, in the cases provided for by the same article;
  • right to object to the processing of your Personal Data [art. 21 of the EU Regulation] (the interested party has, and will have, the right to object to the processing of their personal data);
  • right not to be subjected to automated decision-making processes, [art. 22 of the EU Regulation] (the interested party has, and will have, the right not to be subjected to a decision based solely on automated processing).

Further information about the rights of the interested party can be obtained on the website or by asking the Data Controller for an integral extract of the aforementioned articles. The aforementioned rights can be exercised free of charge as established by the Regulations by sending an email to
In compliance with art. 19 of the EU Regulation, the data controller proceeds to inform the recipients to whom the personal data have been communicated, of any corrections, cancellations or limitations of processing requested, where this is possible.
With reference to the aforementioned purposes, the interested party has the right to proceed, at any time, with the withdrawal of consent for the processing of identification and personal data by sending an email to

Pursuant to art. 7 of the EU Regulation, the withdrawal of consent does not affect the lawfulness of the processing based on the consent made prior to withdrawal.
Right to lodge a complaint
If the interested party believes that their rights have been compromised, they have the right to lodge a complaint with the Italian Data Protection Authority, in the manner indicated by it at the following internet address:
Changes and updates
This statement is valid from 31/07/2020 until the next update.