Privacy & Cookie Policy

Introduction

The purpose of this document is to inform any natural person (hereinafter “Data Subject”) visiting the website gallerista.ai (hereinafter “Website”) about the processing of his/her personal data (hereinafter “Personal Data”) collected by the data controller, Gallerista SRL (hereinafter “Data Controller”) via the Website.

The Data Controller’s registered address is Via Ariosto 28, 20145 Milan. Its e-mail address is concierge@gallerista.ai.

Changes and updates to this policy will be effective as soon as they are published on the Website. In case of non-acceptance of the changes made to the Privacy Policy, the Data Subject shall stop using this Website and may ask the Data Controller to delete his/her Personal Data.

1. Categories of Personal Data Processed

The Data Controller processes the following types of Personal Data:

  • Data voluntarily provided by the Data Subject:
    • Contact Data: first name, last name, address, e-mail address, phone number, authentication credentials, and any additional contact information shared by the Data Subject.
    • Fiscal and Payment Data: tax ID, VAT number. (Note: We do not access or store card payment details.)
    • Artist Data: data needed to fulfill our obligations to Artists, including a copy of one of their IDs and their bank account details (e.g., IBAN, Revtag).
  • Data collected automatically:
    • Technical Data: information produced by devices, websites, tools and protocols (e.g., device information, IP addresses, browser type, ISP). Combined with unique identifiers, this data can be used to create profiles of individuals.
    • Usage Data: pages visited, number of clicks, actions taken, duration of sessions, etc.
    • Location Data: geolocation data that precisely identifies the Data Subject’s location (derived from IP address and other means), collected with the Data Subject's consent. Consent can be withdrawn at any time by clicking “deny” on the cookie banner or using the opt-out button in the table in section 2.

2. Cookies and Similar Technologies

The Website uses cookies, web beacons, unique identifiers, and other similar technologies to collect the Data Subject's Personal Data regarding visited pages, links, and other actions performed during the use of the Website. This data is stored and used on subsequent visits.

The full Cookie Policy is outlined below:

| Cookie | Category | Purpose | Duration | Consent |
|---|---|---|---|---|
| SessionID | Technical | Manages the user’s session, recognizes logged-in users, enables use of the shopping cart, and temporarily stores device data (e.g., screen size, browser type, preferred language). | Expires when the user closes their browser, or within 7 days (if the browser remains open, the cookie persists). | |
| Stripe SessionID | Technical | Links the user to a payment session when items are added to the cart or a purchase is made, ensuring the payment process is secure. | Expires after 24 hours, or when the user updates their cart. | |
| CSRFToken | Technical | Provides essential security to ensure requests originate from the legitimate user, preventing unauthorized actions (e.g., CSRF attacks). | Same as SessionID. | |
| PostHog | Marketing & Analytics | Collects data on visitor behavior (e.g., referral sources, pages visited, session duration) to improve our services and marketing efforts. (Enabled only with your consent; cookieless otherwise.) | Default duration is 2 years, though it may vary by browser (e.g., 7 days for Safari users). | |

While no additional analytics cookies are set, we do collect technical and session-related data server-side for legitimate interest purposes, including:

  • Technical: Browser and device data; session metrics (session duration, page load times, navigation behavior).
  • Marketing & Analytics: UTM parameters from tracked campaigns; geolocation data (inferred from your IP address).

You can opt out of Marketing & Analytics tracking via our cookie banner when you first visit the Website or the checkboxes in the table above.

3. Legal Basis and Purpose of Data Processing

The processing of Personal Data is necessary for several reasons:

  • For the performance of the contract with the Data Subject, including:
    • Fulfillment of any obligations arising from the pre-contractual or contractual relationship.
    • Registration and authentication of the Data Subject for access and identification on the Website, including via external platforms.
    • Support and contact to respond to the Data Subject's requests.
    • Management of payments.
  • For legal obligations, especially:
    • Compliance with applicable norms, laws, and regulations, particularly regarding tax and fiscal matters.
  • For the legitimate interest of the Data Controller, including:
    • Marketing purposes via e-mail to directly sell products or services.
    • Management, optimization, and monitoring of the technical infrastructure.
    • Security and anti-fraud measures to protect assets, infrastructures, and networks.
    • Statistical analysis based on anonymous data to improve products and services.

Additionally, on the basis of the Data Subject's consent, Personal Data may also be used for the following purposes:

  • Profiling for marketing purposes to provide targeted information about products and services.
  • Retargeting and remarketing to reach the Data Subject with customized advertisements. (Opt-out available via the Network Advertising Initiative page.)
  • Direct marketing activities and market research using both automated and traditional methods.

Additionally, the Website may interact with external platforms or social networks whose data processing is governed by their respective privacy policies. The information acquired is subject to the privacy settings chosen by the Data Subject on those platforms, and is used solely to provide the requested services.

Personal Data may also be used by the Data Controller to protect its interests in judicial proceedings.

4. Data Processing Methods and Recipients

Personal Data is processed using computer tools and organizational methods strictly related to the purposes specified above, and with appropriate security measures. Personal Data is processed exclusively by:

  • Authorized persons bound by confidentiality obligations or legal confidentiality requirements.
  • Independent data controllers or data processors designated by the Data Controller (e.g., business partners, consultants, IT companies, service providers, hosting providers).
  • Entities required by law or by order of the authorities to receive Personal Data.

In particular, our fulfillment partners and their associates (production companies and carriers) are authorized to process Personal Data to ensure that the Data Controller’s contractual obligations—especially the sale and delivery of printed goods—are fully met. These subjects are required to implement appropriate measures to protect Personal Data and will only access data necessary for their duties. Personal Data will not be indiscriminately shared.

5. Place

Personal Data will not be transferred outside the European Economic Area (EEA), unless the services provided require the Data Controller to share such data with partners located outside of the EEA.

6. Personal Data Storage Period

Personal Data will be stored for the duration necessary to fulfill the purposes for which it was collected. In particular:

  • Contractual purposes: Data will be stored for the entire duration of the contractual relationship and, after termination, for the ordinary prescription period of 10 years. In the event of legal disputes, data will be stored for the duration of the disputes until the appeals period has expired.
  • Legitimate interests: Data will be stored until the fulfillment of such interests.
  • Legal obligations: Data will be stored as required by applicable laws, regulations, and the relevant statutory limitation periods.
  • Based on consent: Data will be stored until the Data Subject withdraws consent.

At the end of the storage period, all Personal Data will be deleted or anonymized so that the Data Subject is no longer identifiable.

7. Rights of the Data Subject

Data Subjects have the following rights regarding their Personal Data:

  • Right to be informed about the processing of their Personal Data.
  • Right to withdraw consent at any time.
  • Right to restrict the processing of their Personal Data.
  • Right to object to the processing of their Personal Data.
  • Right to access their Personal Data.
  • Right to verify and request the rectification of their Personal Data.
  • Right to obtain the erasure of their Personal Data.
  • Right to transfer their Personal Data to another data controller.
  • Right to file a complaint with the personal data protection supervisory authority and/or take legal action. In our home country (Italy), the supervisory authority is the "Garante per la protezione dei dati personali".

To exercise these rights, Data Subjects may send an email request to concierge@gallerista.ai. Requests will be processed promptly, and in any case within 30 days.

Last update: 01/04/2025