PRIVACY POLICY

Last update: Milan, November 2025

This Privacy Policy describes how personal data is collected and processed when you visit and interact with the website www.shiraghaffari.com (the “Site”).

1. Data Controller

The data controller is:

Shira Ghaffari S.r.l.
Registered office: Via Uberto Visconti di Modrone 11, 20122 Milan (MI), Italy
VAT / Tax Code: 12592240969 – VAT ID: IT12592240969

Email for privacy matters (PEC): shiraghaffarisrl@legalmail.it

Shira Ghaffari S.r.l. operates mainly in the wholesale trade of jewellery and watches and in the development, manufacture and sale of fine and high jewellery.

If a Data Protection Officer (DPO) is appointed in the future, the relevant contact details will be added to this page.

2. Types of data processed

When you use the Site, we may process the following categories of data.

2.1 Browsing data

During normal operation, the IT systems and software procedures that enable the functioning of the Site acquire certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but, by its very nature, could allow users to be identified through processing and association with data held by third parties.

This category includes, for example:
– IP address or domain names of the devices used by users who connect to the Site;
– browser type and parameters of the device used to connect;
– URI (Uniform Resource Identifier) addresses of requested resources;
– time of the request;
– method used to submit the request to the server;
– size of the file obtained in response;
– numerical code indicating the status of the response from the server (successful, error, etc.);
– other parameters relating to the operating system and user’s IT environment.

These data are used only for the purpose of obtaining anonymous statistical information on the use of the Site, to check its correct functioning, and to ensure security, and are normally deleted after processing, except where they are needed to ascertain responsibility in case of possible cybercrimes.

2.2 Data provided via forms (Formidable Forms)

When you fill in the forms on the Site (created with Formidable Forms), for example to request information about services, projects, collaborations or any other contact, we may process:
– first name and last name;
– email address and/or telephone number;
– company / organisation (if provided);
– subject of the request;
– any other information you voluntarily include in the message or attachments.

Form data are stored in the Site’s database and can be sent by email to the Controller through the configured email system.

2.3 Communication data (WP Mail SMTP)

The Site uses WP Mail SMTP to route and deliver emails generated by forms and other functionalities. This implies the processing of:
– sender and recipient email addresses;
– content of the message;
– technical delivery metadata (date and time, IP/server logs, error logs where applicable).

Depending on the configuration, outgoing messages may be delivered through the hosting provider’s SMTP or through external transactional email services, which act as processors on behalf of the Controller.

2.4 Cookies and similar technologies

The Site uses cookies and similar technologies, including third-party cookies (such as Google Analytics), for technical, analytical and, if activated in the future, preference or marketing purposes. More detailed information is provided in the Cookie Policy.

3. Purposes and legal bases of processing

Personal data is processed for the following purposes and on the legal bases indicated in Articles 6 and 9 of Regulation (EU) 2016/679 (“GDPR”).

3.1 Site operation and security

To enable the technical functioning of the Site, to provide access to pages and content, to monitor performance and to ensure security (e.g. protection against attacks, misuse, unauthorised access).

Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR) in operating a secure and functioning website.

3.2 Handling contact and service requests (Formidable Forms)

To respond to questions, requests for information, project proposals or other communications you submit via the Site’s forms or by email.

Legal basis:
– performance of pre-contractual measures or contract at the request of the data subject (Art. 6(1)(b) GDPR);
– legitimate interest of the Controller in managing relationships with users, clients and partners (Art. 6(1)(f) GDPR).

3.3 Email delivery (WP Mail SMTP)

To send and deliver emails generated by the Site (notifications from forms, confirmations, replies and similar communications).

Legal basis:
– performance of pre-contractual measures or contract (Art. 6(1)(b) GDPR);
– legitimate interest in ensuring reliable, traceable communications (Art. 6(1)(f) GDPR).

3.4 Web analytics (Google Analytics)

To analyse, in aggregated form, how the Site is used, so as to improve structure, content and usability.

Tool: Google Analytics 4 (“GA4”), provided by Google Ireland Limited. GA4 uses cookies and similar technologies to collect information about use of the Site (pages visited, time spent, interactions, approximate location area). GA4 no longer stores IP addresses in standard reports and includes additional privacy controls, but the information collected may still constitute personal data under the GDPR.

Legal basis: consent (Art. 6(1)(a) GDPR), given through the cookie banner. Analytics cookies are activated only if you consent.

3.5 Search engine optimisation (All in One SEO)

To improve indexing and visibility of the Site in search engines using All in One SEO, a WordPress plugin that manages metadata, sitemaps and structured data. In a standard configuration, the plugin primarily processes content and technical data of the Site and does not intentionally process visitor personal data beyond what is technically necessary to deliver pages and sitemaps.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in promoting services and ensuring the Site can be easily found.

3.6 Compliance with legal obligations

To comply with legal obligations under EU and national law, regulations or orders from competent authorities (e.g. accounting, tax, civil or criminal law, regulatory obligations).

Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).

3.7 Establishment, exercise or defence of legal claims

To ascertain, exercise or defend the rights of the Controller in judicial, out-of-court or administrative proceedings.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

4. Nature of provision of data

– Browsing data is collected automatically when you access the Site. If you block certain technical cookies or traffic at browser or device level, parts of the Site may not function correctly.
– Providing data via forms is voluntary, but necessary if you wish to receive a reply or have us assess your request. If you do not provide the required data, we may be unable to respond.
– Consent to analytics cookies is optional. If you do not give your consent, or if you withdraw it, your browsing will not be tracked by Google Analytics and you will still be able to use the Site.

5. Data recipients and categories of recipients

Personal data may be accessed, within the limits of their respective roles and on a need-to-know basis, by:

– internal staff and collaborators of Shira Ghaffari S.r.l., duly instructed and authorised;
– IT, hosting, maintenance and security providers for the Site;
– providers of specific tools used on the Site, including:
  – Google Ireland Limited (Google Analytics);
  – developer/publisher of Formidable Forms (form management plugin);
  – developer/publisher of All in One SEO (SEO plugin);
  – email service providers configured through WP Mail SMTP;
– external consultants (e.g. legal, tax, corporate, technical) within the limits necessary for their assignments;
– public authorities and supervisory bodies, where required by law or in the context of legal proceedings.

Where required, these third parties act as data processors pursuant to Article 28 GDPR and are bound by contractual obligations of confidentiality and data protection. The Controller does not sell, rent or exchange personal data for marketing purposes.

6. International data transfers

Some providers may process data in countries outside the European Economic Area (“EEA”), such as the United States, in particular in connection with Google Analytics and certain email services.

Where such transfers occur, they are carried out in compliance with Chapter V GDPR, for example on the basis of:

– adequacy decisions adopted by the European Commission; and/or
– standard contractual clauses (SCCs) approved by the Commission; and/or
– other appropriate safeguards provided for by EU data protection law.

For further details on data transfers and safeguards adopted by each provider, please refer to their respective privacy documentation.

7. Data retention

Personal data is kept for periods proportionate to the purposes for which it was collected, in line with the principles of data minimisation and storage limitation.

In particular:

– Browsing and technical logs: retained for the time strictly necessary for security and proper functioning of the Site and, in general, for no more than 12 months, unless a longer period is required by law or necessary to protect the rights of the Controller.
– Form data (Formidable Forms): retained for the time necessary to manage your request and, where a contractual relationship is established, for the duration of the relationship and for the subsequent limitation periods under applicable law (typically up to 10 years under Italian civil law).
– Email logs (WP Mail SMTP and email providers): retained for the time necessary to ensure correct delivery, manage possible errors and comply with legal obligations.
– Analytics data (Google Analytics): retained for the period configured in GA4 (for example 14–26 months) in aggregated or pseudonymised form, in line with the options made available by Google.
– Data processed for legal obligations and disputes: may be retained for longer periods where necessary to comply with legal obligations or to establish, exercise or defend legal claims.

Once the relevant retention periods have expired, personal data will be deleted, anonymised or otherwise irreversibly de-identified.

8. Your rights under the GDPR

As a data subject, you may exercise at any time the rights recognised by Articles 15–22 GDPR, including:

– Right of access: obtain confirmation as to whether we process your personal data and receive a copy.
– Right to rectification: request the correction of inaccurate or incomplete data.
– Right to erasure (“right to be forgotten”): request deletion of your personal data where the conditions set out in Article 17 GDPR are met.
– Right to restriction of processing: request restriction of processing in the cases provided by Article 18 GDPR.
– Right to data portability: receive the personal data you have provided in a structured, commonly used and machine-readable format and transmit it to another controller, where technically feasible and applicable.
– Right to object: object, on grounds relating to your particular situation, to processing based on legitimate interest. Where personal data is processed for direct marketing, you have the right to object at any time.
– Right to withdraw consent: where processing is based on your consent (e.g. analytics cookies), you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise your rights, you may contact:

Shira Ghaffari S.r.l.
Via Uberto Visconti di Modrone 11, 20122 Milan (MI), Italy
Email (PEC): shiraghaffarisrl@legalmail.it

You also have the right to lodge a complaint with the competent supervisory authority, in particular the Italian Data Protection Authority (Garante per la protezione dei dati personali) or the authority of your habitual residence or place of work.

9. Security measures

The Controller adopts appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration and destruction. These measures are periodically reviewed and updated in line with technological developments and business needs.

10. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time, for example following changes to applicable law, to the Site’s functionalities or to the tools used. The updated version will be published on this page with an indication of the latest revision date.