Privacy Policy

Last updated: 29 June 2026

This Privacy Policy describes how TALBOX di Taleb Badr (hereinafter "KLEPA", "we" or "Controller") collects, uses, stores and protects the personal data of users who visit klepa.it or purchase KLEPA products and services, in accordance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended.

1. Data Controller

The data controller is TALBOX di Taleb Badr, registered office in Suzzara (MN), Italy, VAT number IT02617720202.

For any enquiry regarding the processing of personal data, please contact us at: privacy@klepa.it.

No Data Protection Officer (DPO) has been appointed as the Controller does not fall within the categories requiring mandatory designation under Art. 37 GDPR.

2. Categories of Data Collected

Identification and contact data: first name, last name, email address, phone number, shipping and billing address, tax code or VAT number (if an invoice is requested).

Browsing data: IP address (anonymised), browser type, operating system, pages visited, session duration, traffic source. These data are collected automatically by servers and via analytical cookies (see Cookie Policy).

NFC card data: upon activation of the physical card, the NFC serial number and the associated digital profile (display name, links, photos) are stored on our Firebase servers.

Payment data: we do not store full credit card numbers or complete payment data. All sensitive payment data are processed directly by Stripe, Inc. acting as an independent data controller for that purpose.

Data from card scanners: when a visitor scans a KLEPA card, we collect aggregated and anonymised data (country, device, browser) for the card owner's analytics functions. We do not collect personally identifiable data from visitors without explicit consent.

3. Purposes and Legal Bases for Processing

Performance of a contract (Art. 6(1)(b) GDPR): order management, delivery of physical cards, activation of the digital profile, after-sales support, issuance of invoices.

Legal obligation (Art. 6(1)(c) GDPR): retention of invoices and accounting documents for 10 years; compliance with anti-money laundering obligations.

Legitimate interest (Art. 6(1)(f) GDPR): IT security of the site and systems, fraud prevention, service improvement via aggregate analytics, sending service communications (e.g. shipping status, security updates).

Consent (Art. 6(1)(a) GDPR): newsletter and marketing communications, third-party analytical cookies (Google Analytics 4), marketing cookies (Meta Pixel). Consent may always be withdrawn without affecting the lawfulness of prior processing.

4. Data Retention

Contractual and tax data: retained for 10 years from the end of the contractual relationship, in compliance with legal obligations.

Digital profile data: retained for the duration of the active account and for 30 days after account deletion (grace period), then permanently erased.

Browsing data and system logs: 12 months, unless longer retention is necessary for security investigations or legal proceedings.

Marketing data (newsletter): until consent is withdrawn or for a maximum of 3 years from the last interaction, whichever comes first.

Cookies and analytics data: as specified in the Cookie Policy.

5. Recipients and Data Transfers

Personal data are not sold to third parties. They may be shared with the following categories of recipients, only to the extent strictly necessary:

IT service providers (processors): Google LLC (Firebase, Google Analytics 4) based in the USA — transfers take place on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission; Stripe, Inc. based in the USA — transfer based on SCCs; hosting and CDN services.

Couriers and shipping companies (e.g. GLS, BRT, Poste Italiane): only name, surname and shipping address, to perform delivery.

Accountants and legal advisors: acting as processors or independent controllers, for tax and legal compliance.

Public authorities and law enforcement: where required by law or authority orders.

For transfers to the USA (Stripe and Google), the appropriate safeguards are the SCCs adopted under Decision 2021/914/EU. A copy of the safeguards is available upon request at privacy@klepa.it.

6. Data Subject Rights

As a data subject, you have the right to: (i) access your personal data (Art. 15 GDPR); (ii) obtain rectification of inaccurate data (Art. 16); (iii) obtain erasure ("right to be forgotten", Art. 17); (iv) obtain restriction of processing (Art. 18); (v) receive your data in a structured, machine-readable format (portability, Art. 20); (vi) object to processing based on legitimate interest (Art. 21); (vii) withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise these rights, send a request to privacy@klepa.it. We will respond within 30 days (extendable by a further 60 days in complex cases, with prior notice).

You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00187 Rome — website: www.garanteprivacy.it — without prejudice to your right to seek judicial remedy.

7. Cookies and Tracking Technologies

The site uses strictly necessary technical cookies, analytical cookies and marketing cookies. Full details on the types of cookies used, their duration and management options are available in our Cookie Policy.

Data collection via analytical cookies (Google Analytics 4) and marketing cookies (Meta Pixel) only occurs with the user's consent via the cookie consent banner, implemented in accordance with Google Consent Mode v2.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration or destruction, including: encryption in transit (HTTPS/TLS 1.3), encryption at rest for sensitive data, access control based on the principle of least privilege, continuous infrastructure monitoring.

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the Garante Privacy within 72 hours and inform the affected individuals without undue delay, pursuant to Arts. 33-34 GDPR.

9. Minors

KLEPA services are intended for persons aged 16 or over. We do not knowingly collect personal data from individuals under 16. If you believe a minor has provided personal data without parental or guardian consent, please contact us at privacy@klepa.it for immediate deletion.

10. Changes to this Privacy Policy

The Controller reserves the right to update this Privacy Policy to reflect regulatory, case-law or technological changes. Material changes will be communicated to registered users by email or via a prominent notice on the site, with at least 15 days' advance notice.

The updated version will always be available on this page with the date of the last update. Continued use of the site after changes constitutes acceptance of the new version.