top of page

Privacy Policy

pursuant to EU Regulation 2016/679 (“GDPR”)

Data Controller: Gtiles Srl
Strada Statale 467 No. 128, 42013 Sant’Antonino di Casalgrande (RE), Italy
Tel. +39 0536 824805 – Email: info@gtiles.it – Certified Email (PEC): info@pec.gtiles.it
VAT No. 02034520359

Last updated: 01/01/2026

1) Scope of application

This Privacy Policy describes the ways in which Gtiles Srl processes the personal data of users who:

  • browse the website gtiles.it;

  • submit requests through forms/contact channels (e.g. “Contact” form, email, telephone);

  • submit an unsolicited job application through the relevant form or by other means;

  • make any purchases/orders through the Shop/e-commerce area (where available);

  • manage preferences relating to cookies and tracking tools.

2) Types of data processed

2.1 Browsing data and technical data

During browsing, data such as the following may be processed, by way of example:

  • IP address, date and time of access, pages visited, time spent;

  • device and browser identifiers, operating system, language settings, technical parameters;

  • application and security logs (e.g. anomalous events, unauthorized access attempts), necessary to ensure the operation and security of the website.

2.2 Data voluntarily provided by the user

Depending on the interaction, the Data Controller may process:

Requests/contacts: first name, last name, email address, subject, message content, and any other data voluntarily entered in the text;

Applications: first name, last name, email address, telephone number (if provided), role/position, application text, date, links (e.g. CV/LinkedIn), CV and attachments;

Shop/orders (where available): identification and contact details, shipping and/or billing address, order details, any necessary tax data, communications relating to the order and customer support.

Data minimization: users are invited not to enter data that are irrelevant or excessive in relation to the purposes pursued (e.g. unnecessary information in the message or CV).

2.3 Cookies and tracking tools

The website may use:

  • technical/necessary cookies;

  • analytics/statistics cookies and other non-necessary tools (only with prior consent);

  • technologies connected to third-party content and services (e.g. maps, fonts, libraries).

Further details are available in the Cookie Policy and in the preferences expressed by the user through the dedicated management system.

3) Purposes of processing and legal bases (Art. 6 GDPR)

A) Website operation, technical management and security

Purpose: to allow browsing, ensure service continuity, prevent fraud and abuse, manage logs and IT security, and carry out maintenance and diagnostics.
Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).

B) Management of requests and contacts

Purpose: to receive and manage requests for information/quotes, respond to communications, and manage contacts initiated by the user.
Legal basis: performance of pre-contractual/contractual measures (Art. 6(1)(b) GDPR). Where necessary, the legitimate interest of the Data Controller in organizational management and in protecting its rights (Art. 6(1)(f) GDPR).

C) Job applications and personnel selection

Purpose: to assess applications and manage the recruitment process.
Legal basis: pre-contractual measures (Art. 6(1)(b) GDPR).

Special categories of data (Art. 9 GDPR): any special categories of data included by the user in the CV or attachments (e.g. health-related information) will be processed only if strictly relevant and within the limits permitted by applicable law; users are invited not to include such data unless necessary.

D) Shop/e-commerce and after-sales support (where available)

Purpose: cart and order management, performance of the contract, delivery/shipping, returns/refunds, customer support, management of communications relating to the order.
Legal basis: performance of the contract (Art. 6(1)(b) GDPR).

E) Legal compliance and administrative/accounting obligations

Purpose: compliance with civil, tax, and accounting obligations; management of requests from competent authorities.
Legal basis: legal obligation (Art. 6(1)(c) GDPR).

F) Statistics and website improvement through cookies/non-necessary tools

Purpose: statistical measurement and traffic analysis, improvement of performance and content, through non-necessary cookies/tools.
Legal basis: consent (Art. 6(1)(a) GDPR), which may be withdrawn at any time through the cookie preferences.

G) Protection of the Data Controller’s rights

Purpose: to establish, exercise or defend a right of the Data Controller in judicial or extrajudicial proceedings; management of disputes and/or debt recovery, where applicable.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) and, where necessary, legal obligation (Art. 6(1)(c) GDPR).

(Where applicable) Promotional communications

Where the user requests/subscribes to or consents to receive promotional communications (e.g. newsletters), processing will take place:

  • on the basis of consent (Art. 6(1)(a) GDPR), which may be withdrawn at any time.

In the absence of consent (or another applicable legal basis), the Data Controller does not send promotional communications.

4) Methods of processing and security measures (Arts. 24–32 GDPR)

Processing is carried out using IT/telematic tools and, where necessary, also in paper form, by adopting technical and organizational measures appropriate to reduce risks for data subjects (e.g. access control, credential management, backups, security measures for systems, and incident management procedures).

Access to data is permitted only to authorized persons and only to the extent necessary for the purposes pursued.

5) Recipients of the data (Art. 13(1)(e) GDPR)

Personal data may be disclosed to:

  • authorized staff of the Data Controller, within the limits of their assigned duties;

  • suppliers acting as Data Processors (Art. 28 GDPR), for example: hosting providers, website maintenance and technical management providers, IT and security services, any technical platforms connected to the website;

  • (where Shop/e-commerce is available) couriers/shipping providers and parties involved in delivery and returns management;

  • consultants and professionals (e.g. accountants, tax advisors, lawyers) where necessary;

  • public authorities and entities authorized by law in the cases provided for by law.

Some parties (e.g. payment providers, third-party platforms) may act as independent data controllers in accordance with their own privacy policies.

An updated list of Data Processors is available upon request by writing to info@gtiles.it.

6) Transfers to countries outside the EEA (Arts. 44 et seq. GDPR)

Where the use of suppliers/services entails transfers of personal data to countries outside the European Economic Area, the Data Controller ensures the adoption of appropriate safeguards (e.g. adequacy decisions, Standard Contractual Clauses and, where necessary, supplementary measures).

The data subject may request information on the safeguards applied by contacting info@gtiles.it.

7) Retention periods (Art. 13(2)(a) GDPR)

Data are retained for the time necessary to pursue the purposes and in compliance with legal obligations, according to differentiated criteria:

Requests/contacts: for the time necessary to manage the request and subsequent communications; as a rule, up to 12 months, unless further retention is necessary (e.g. protection in the event of disputes).

Applications: for the duration of the selection process; if no employment relationship is established, as a rule up to 24 months, unless legal obligations or the need to protect the Data Controller apply.

Technical data and security logs: for periods proportionate and strictly necessary for technical and security purposes.

Shop/orders and administrative/accounting documentation (where available): for the time necessary to perform the contract and, thereafter, for the applicable civil and tax obligations (as a rule up to 10 years for invoices/accounting records, where applicable).

Cookies: as indicated in the Cookie Policy and in the preferences expressed by the user.

Once the retention period has expired, data are deleted or anonymized, unless further retention is necessary due to legal obligations or for the defense of rights.

8) Provision of data and consequences of failure to provide data (Art. 13(2)(e) GDPR)

The provision of data may be:

8.1 Necessary data (mandatory)

Contacts: the data requested in the form are necessary to receive and manage the request and provide a response. Failing this, the Data Controller will not be able to handle the request.

Application: the requested data and necessary attachments are essential to assess the application. Failing this, the Data Controller will not be able to consider or complete the assessment.

Shop/orders (where available): the requested data are necessary to complete the order, manage delivery, and fulfill administrative obligations. Failing this, it will not be possible to complete the purchase and/or proceed with delivery.

8.2 Optional data

Any additional information freely entered by the user is optional. Users are advised not to enter excessive or irrelevant data.

8.3 Cookies and non-necessary tools

Technical/necessary cookies may be indispensable for the functioning of the website. Analytics cookies and other non-necessary tools are optional and operate only with prior consent, which may be withdrawn through the preferences management system. Failure to consent does not affect essential browsing.

9) Rights of the data subject and how to exercise them (Arts. 12–22, 77–79 GDPR)

The data subject may exercise at any time the rights provided for by Arts. 15–22 GDPR, in particular:

Right of access (Art. 15): to obtain confirmation as to whether or not personal data concerning them are being processed and receive a copy of the personal data.

Right to rectification (Art. 16): to request the updating or correction of inaccurate or incomplete data.

Right to erasure (“right to be forgotten”, Art. 17): to request the deletion of data in the cases provided for by the GDPR (e.g. data no longer necessary, withdrawal of consent where applicable), without prejudice to retention obligations provided for by law or the need to establish, exercise or defend a right of the Data Controller.

Right to restriction (Art. 18): to obtain restriction of processing in the cases provided for (e.g. contesting the accuracy of the data).

Right to data portability (Art. 20): to receive the personal data provided in a structured, commonly used and machine-readable format and, where technically feasible, to transmit them to another controller (only for processing based on consent or contract and carried out by automated means).

Right to object (Art. 21): to object, on grounds relating to their particular situation, to processing based on the legitimate interest of the Data Controller; it is also always possible to object to processing for direct marketing purposes (if any), even without stating reasons.

Right to withdraw consent (Art. 7): where processing is based on consent (e.g. non-necessary cookies and/or promotional communications), consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before the withdrawal.

Right not to be subject to automated decision-making (Art. 22): where applicable, the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect the data subject.

How to exercise rights

Requests may be sent to:

Where possible, please indicate in the subject line: “Exercise of privacy rights – GDPR” and specify the right you intend to exercise.

For security reasons, the Data Controller may request additional information necessary to confirm the identity of the requester (Art. 12(6) GDPR), where there are reasonable doubts.

Response times and costs

The Data Controller shall respond without undue delay and, as a rule, within 30 days of receipt of the request (Art. 12(3) GDPR). This period may be extended by a further 60 days in cases of particular complexity or a high number of requests, with a reasoned communication to the data subject.

Requests are generally free of charge; in the event of manifestly unfounded or excessive requests, the Data Controller may charge a reasonable fee or refuse the request, within the limits of Art. 12(5) GDPR.

Complaint to the Supervisory Authority and judicial remedy

The data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (Art. 77 GDPR) and, where the conditions are met, to bring proceedings before the competent courts (Arts. 78–79 GDPR).

10) Automated decision-making and profiling (Art. 22 GDPR)

Unless otherwise expressly stated, the Data Controller does not carry out processing involving decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect the data subject.

11) Source of the data

The data may be:

  • provided directly by the data subject (contact forms, job application, any shop);

  • collected automatically during browsing (technical data, logs, cookies);

  • derived from third parties only where necessary (e.g. payment results/identifiers, shipping information), in compliance with privacy roles and the privacy notices of the respective parties.

12) External links and third-party services

The website may integrate or refer to third-party content/services (e.g. maps, libraries, fonts, analytics tools). By interacting with such content, processing may also take place in accordance with the policies of the respective providers (independent controllers or processors, depending on the case).

Users are invited to consult the privacy notices of third parties, where applicable.

13) Minors

The website is not intended for minors. If a parent/guardian believes that a minor has provided personal data, they may contact the Data Controller to request deletion.

14) Updates to this policy

The Data Controller may update this Privacy Policy; any changes will be published on this page with an indication of the update date and, where necessary, the effective date.

15) Links

  • Customer Privacy Notice

  • Customer Privacy Notice (English)

  • Supplier Privacy Notice

  • Website Notice – Contact Form

  • CV Privacy Notice

bottom of page