Information to be provided in accordance with article 13 – EU General Data Protection Regulation 2016/679 (GDPR)

Karabà s.r.l. (below also “Karabà”), with the registered office in Via della Fonte di Fauno 15 – 00153 Rome, provides visitors to its site with the following information in accordance with article 13 GDPR.

In this Privacy Policy, visitors to the site are also referred to as “users” or “data subjects”.

Identification and contact details of the Controller

Business name: Karabà s.r.l.
Registered office: Via della Fonte di Fauno 15 – 00153 Roma
Vat number and registration number in the business register of Rome: 15920761002
Certified E-mail:

Compliance with legislation for the data protection

The website is compliant with the legislation here listed:

  • EU General Data Protection Regulation 2016/679 (GDPR)
  • Italian Legislative Decree number 193/2006 (“Privacy code” as modified by Legislative Decree number 101/2018)

Type of data processed, legal purposes of the processing and legal basis for the processing

Karabà is the Controller and processes the following types of personal data provided by the users of its site:

  • Personal data: name, surname, address, fiscal code and/or Vat number, date of birth etc.;
  • Contact data: e-mail address, telephone number etc.;
  • Payment data.

Karabà does not process special categories of personal data, pursuant to article 9 GDPR (health data, legal data, etc.).

Listed below are the legal purposes and the legal basis for each type of processing:

Sale of products on the site: personal data of the user (or third parties in case of gift cards) are used by the Controller for all activities concerning the sale (orders, deliveries, billing, payment handling, client assistance). The legal basis is the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (article 6, paragraph 1, letter b GDPR).

Marketing activities and subscription to newsletter: for the sending of commercial messages for marketing purposes and the newsletter (sent to data subjects at their request for promotional and advertising purposes) the legal basis is the consent of the data subject (article 6, paragraph 1, letter a GDPR). The data subject has the right to withdraw his or her consent at any time, by sending an e-mail to or by clicking on the specific link to cancel subscription found in the received e-mails.

In compliance with article 130, paragraph 4 of Privacy Code (Italian Legislative Decree number 193/2006 as modified by Legislative Decree number 101/2018), the Controller can use so-called soft spam without the consent of the data subject, taking legitimate interest as the legal basis (article 6, paragraph 1, letter f GDPR). Soft spam is the use of the e-mail address, provided by the data subject in a previous purchase, to promote products similar to those previously purchased. The data subject may object the processing by sending an e-mail to or by clicking on the specific link found in the received e-mails.

Processing methods

Personal data of the user are processed by the Controller through the use of IT tools, telematics and paper documents as regulated by current law. Security and privacy are guaranteed as well as accuracy, updating and relevance of the data with respect to the stated purposes.

For the below-mentioned, please refer to Privacy Policy of third parties:

  • the web platform used is, with plugin WooCommerce;
  • payment platforms used: Paypal and Stripe;
  • for the newsletter delivery service: Mailchimp.

Nature of the provision of personal data

Personal data, contact data and payment data must be provided in order to purchase a product. However, provision of personal data for the purpose of marketing is optional (sending of newsletter, promotions) and specific consent is requested by ticking the appropriate box..

Transfer of data

The Controller does not transfer personal data provided by data subjects to Third Countries.

Storage period

Personal data of the data subjects are stored only for the time necessary to complete contractual and legal obligations. For example, for fiscal and accounting purposes, personal data must be stored for 10 years from the date of the last invoice or receipt issued to/from the user. Personal data provided for marketing purposes are stored for 24 months from date of consent, except in case of withdrawal or object to processing. At the end of that period the data will be deleted.

Rights of the data subject

In accordance with article 13 GDPR (Information to be provided where personal data are collected from the data subject) and with reference to articles 15-22 GDPR, the data subject is informed that he:

  • has the right to ask the Controller with a specific request addressed to, for access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  • has the right to lodge a complaint with a supervisory authority (in Italy you can follow the procedure and guidelines published on the official website of the Authority at

The exercise of the data subject’s rights (articles 15-22 GDPR) has no restriction and is free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request.

Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information is be provided in a commonly used electronic form.

The request will be processed according to the terms of article 12, paragraph 3 GDPR (one month from the request, with the possibility of an extension for up to 3 months).

Regarding the right to data portability, the Controller informs the data subject that where the conditions set out in article 20 GDPR are met, there is the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, if technically feasible.

The following is an overview of the other rights of data subject:

right of access: right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data; possibility to request a copy of the personal data and information according to article 15 GDPR;

right of rectification: right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed;

right of erasure (right to be forgotten): right to obtain from the controller the erasure of personal data concerning him or her without undue, in cases regulated by the law and with specific limitations (article 17 GDPR);

right to restriction of processing: right to obtain from the controller restriction of processing in particular cases as stipulated in article 18 GDPR;

right to object: right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her; the controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;

right not to be subject to a decision based solely on automated processing, including profiling: right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except in cases in which the automated decision is necessary to conclude or carry out a contract between the data subject and a data controller, is in accordance with the law, in respect of precautionary measures, is based on the explicit consent of the data subject.


The data subject, as mentioned above, has the right to lodge a complaint with a supervisory authority. In Italy the data subject shall follow the procedures and indications published on the official website of “Garante Privacy” (


Last Update: June 14, 2021