Privacy Policy

Dear Visitor/User, compliance with the Privacy Policy is particularly important to us.

In particular, the «General Data Protection Regulation» (EU Regulation 2016/679, known by the English acronym «GDPR») requires us to provide you with the following information on the processing of your Personal Data, pursuant to art. 13 of the aforementioned Regulation.

The «Processing of Personal Data», in simple words, is any operation concerning any «information relating to a natural person, identified or identifiable». For example, your first and last name, or an e-mail address with a «username» that identifies you (e.g. mariorossi@….), is considered «Personal Data», and the actions of collection, registration with us and use to send you a communication, are considered «Processing» operations; as well as (always for example) the communication of Personal Data to other organizations and storage.

Our organization is defined as «Data Controller», as a subject that establishes how and for what purposes to process information relating to natural persons. You, if «natural person to whom the Personal Data refers», is defined as «Data Subject», and you have the right to receive the following information about who we are, what Personal Data we process, why, how and for how long we process it, and what obligations and rights you have in this regard. If, on the other hand, you work on behalf of a private organization (e.g. partnerships, corporations, associations, etc.), the Data Subjects are the natural persons who use the Site, and/or the Platform, and/or use the Services under the authority of the same (e.g. you and/or your Workers). Information strictly related to the organization (e.g. tax code or VAT number) is not considered Personal Data.

Depending on whether you are a simple Visitor or have requested one of our Services, we collect and/or need you to provide us with certain Data, which are necessary for us to allow you to browse the Site and/or to receive answers to your requests and/or allow you to use the Platform and our Services; in the first case (i.e. when you simply visit the Site) it is generally information that does not allow you to be identified (and therefore we will only process «Navigation Data»). We specify that our Company is the Data Controller only with reference to the purposes specified in the following grid. With reference, instead, to the Personal Data that you will communicate to third-party managers of sites and platforms connected to the Platform during the use of the Services (eg marketplace managers), we invite you to consult the terms and conditions and privacy policies applied by these managers.

With reference to the Processing of personal data of your customers that we will process on your behalf during the provision of the Services, the Company does not play the role of Data Controller, but of Data Processor by virtue of the contractual documents that it has accepted or will accept at the time of purchasing the BDroppy Services provided by the Company. The website of the Italian Data Protection Authority contains further useful information to better understand the topic (see e.g.:

The definitions of the terms and expressions used are contained in the Glossary at the bottom of the page. For anything not expressly defined herein, please refer to the definitions contained in the Terms and Conditions; in case of possible conflict between definitions, for the purposes of this Privacy Policy the definitions of the Glossary (at the bottom of the page) prevail over those contained in the General Terms and Conditions.

Who are we («Data Controller»)?

IDT S.p.A., with registered office in Via Quittengo 35, 10154 Torino (TO), C.F. e P.IVA 10010450012, registered in the Turin Register of Companies, REA number TO-1098199.

What are the categories of Data Subjects to whom this information is addressed?

Visitor: the natural person who uses a device and browses, through the Internet, on the public pages of the Site. 

Registered User: the natural person who registers in the Reserved Area. 

Customer User: the natural or legal person who purchases any BDroppy Service of the Company from the Reserved Area and therefore uses the Platform and the Service purchased.

What categories of Personal Data do we process?

Navigation Data and «Common» Personal Data (name and surname, e-mail address, telephone number, tax code, VAT number, as well as other data that you may provide us, for example through the forms or contact details of our organization available on the Site), to the minimum extent necessary to achieve each of the Purposes indicated below.

Please do not include any «sensitive» information in the texts of communications and in the description fields of our online forms (sensitive information is considered personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data and data relating to the health or sex life or sexual orientation of the person).

What is the origin of your Personal Data?

As a rule, it is you yourself who transmit them, or another natural person belonging to the organization for which you work authorized for the purpose.

Why do we process Personal Data (Purposes) and on what is the Basis of the Processing (Legal Basis) of each category of Data, and what is the Retention Period?



Categories of Personal Data

Legal Basis

Retention Period


Analyze the traffic on the Site (eg detect the most visited pages, the number of visitors per time slot or day, the geographical origin, the average connection time, the browsers used, the origin of the visitor – from search engines or other sites -, phrases and words searched etc.) to understand how it is used and manage it, optimize and improve it, or even just for statistical purposes; solve operational problems (e.g. anomalies in page loading); perform monitoring activities to repel and/or prevent cyber attacks and fraud.

Navigation Data, anonymous information (which does not allow us to trace your identity) and Common Personal Data (e.g. full IP address)

The need to make the Site available in accordance with the Terms and Conditions (art. 6.1.b GDPR)

1 week from the date of your last access to the Site.


Satisfy the requests that you want to transmit to us using the contact details on the Site.


The need to adopt pre-contractual measures at your request (art. 6.1.b GDPR)

For a maximum of 2 years from your last request.


Provide you with access to the Reserved Area


The need to adopt pre-contractual measures at your request (art. 6.1.b GDPR)

For a maximum of 2 years from your last request.


Providing BDroppy Services


The need to adopt pre-contractual measures at your request (art. 6.1.b GDPR)

For a maximum of 10 years from your request to cancel the Service and your account.

Clarifications on the Maximum Retention Period

Your Personal Data will be processed for the maximum periods indicated above for the respective related processing purposes, unless the Applicable Legislation requires us to keep them for a longer period or allows it to protect our rights and / or legitimate interests.

To whom do we communicate the Data (Categories of Recipients)?

To the minimum extent necessary to achieve each of the Purposes, on the basis of the Applicable Regulations and / or a contractual agreement with the Data Controller, to:

  1. subjects necessary for the execution of activities connected and consequent to the management of the Site, the management of the Platform and the provision of the Services, who act as Data Processors (e.g. IT service providers, etc.);
  2. subjects necessary for the execution of activities connected and consequent to the provision of the Services, who act as Data Processors or as independent Data Controllers (e.g. suppliers of IT, banking, insurance, shipping and transport services, commercial agency, accounting, tax, tax, legal, etc.);
  3. other persons authorized by us (e.g. our workers), committed to confidentiality or recipients of a legal obligation to confidentiality;
  4. public organizations and Authorities, if and to the extent that this is required by the Applicable Legislation or by their orders, or for the exercise, assessment and / or defense of a right in court.

The Data Controller does not carry out the Dissemination of Personal Data, except in the event that it is required, in accordance with the law, by Authorities, information and security bodies or other public entities for purposes of defense or security of the State or prevention, detection or repression of crimes. 

The Data that you communicate to third-party operators of sites and platforms connected to the Platform during the use of the Services are to be understood as communicated directly by you to these managers.

Do we transfer Personal Data outside the European Union?

Yes, for the provision of the Site and the Platform, the Company uses, in addition to subjects located in the territory of the European Union, also subjects located outside this territory, with particular reference to the storage of the servers on which the Personal Data of Visitors / Users are stored (located in Cardiff, United Kingdom). 

The Data Controller ensures that the transfer of non-EU data takes place in accordance with the applicable legal provisions and that the transfer is carried out to subjects (third countries and / or international organizations) for which there is an adequacy decision of the European Commission pursuant to Article 45 GDPR, or by stipulating, where necessary, agreements that guarantee an adequate level of protection and / or adopting the standard contractual clauses provided by the Commission European, and in any case in compliance with the other guarantees or derogations provided for in Chapter V of EU Regulation 2016/679 (GDPR).

If you do not agree that your Personal Data may be transferred to non-EU countries, we invite you not to enter into any Contract with the Company and to cease using the Site and the Platform.

Does the Site use Cookies?

Yes. To learn more and to view our policy in this regard, you can consult the Cookie Policy.

Are you obliged to provide us with Personal Data?

Due to the operation of the Internet, it cannot refuse the communication of Navigation Data; there is no refusal to communicate some Personal Data (such as the IP address of your device).

What happens if you refuse to communicate your Data?

If you refuse to communicate Personal Data for the contractual purposes indicated above in numbers 2, 3 and 4, we will not be able to establish the contractual relationship and fulfill your request or provide the Service.

What communications do we send you?

We will only send you communications necessary for the performance of the Contract, based on the applicable contractual purpose among those indicated above. For example, we will communicate with you to respond to your general request (Purpose 2), or we may send you notifications to inform you of issues related to access to the Reserved Area, or information concerning the sales operations managed by you in dropshipping mode thanks to the Platform and as a result of subscribing to the Services (Purposes 3 and 4).

What rights do you have as an «Data Subject»?

You, as the person to whom the data refer («Data Subject») have the right to: 

  1. access the data held by the Data Controller, and to request a copy, except in the event that the exercise of the right infringes the rights and freedoms of other natural persons; 
  2. request the correction of any incomplete or inaccurate data; request the deletion of data, without prejudice to the exclusions or limitations established by the Applicable Regulations (e.g. Article 17 § 3 GDPR); 
  3. request the Limitation of processing, where the conditions are met and without prejudice to the exclusions established by art. 18 § 2 GDPR; lodge a complaint with the Guarantor for the Protection of Personal Data (in Italy,, or with the Guarantor Authority of the EU State in which he habitually resides or works, or of the place where the alleged violation occurred. 

The exercise of the above rights may also be delayed, limited or excluded in the cases provided for by art. 2-undecies d. lgs. 196/2003.

Who can you contact with questions or to exercise your rights?

You can contact the Data Controller for questions concerning the processing of your Personal Data and to exercise your rights by sending an email to the address, or by post to the address: IDT SpA, Via Quittengo 35, 10054 Torino (TO), Italy.



  • the information herein concerns exclusively the processing carried out on the Personal Data collected by us as a result of the provision of the Site, the Platform and the Services. In the event that you enter into a relationship with the Company other than the above, including relationships that provide for the provision of sites, platforms or services other than those regulated herein, different contractual terms and different privacy policies will be applied. 2. this Privacy Policy is in force since August 2021; we reserve the right to modify its content, in part or completely, also as a result of changes in the Privacy Policy; we will publish the updated version of the Privacy Policy on the Site and from that moment it will be binding: you are therefore invited to visit this section regularly.
  • We do not intentionally collect personal information relating to natural persons who, according to their national law of origin, are without the legal capacity to act for the purpose of entering into contracts, except for requests relating to minors made by the subjects who exercise parental authority or custody over the minors in question. In the event that information on these subjects is recorded, we will delete it in a timely manner, at the request of the interested party or of those who exercise authority over it.


«Supervisory Authority»: means the reserved area accessible from the Site to which it is necessary to register to purchase the Services. 

«Supervisory Authority»: the independent public authority established by a State of the European Union, or by the European Union itself, in charge of supervising the application of the Privacy Law (for Italy, the Guarantor for the Protection of Personal Data, 

«Authoritỳ»: body or organization, public or private, with administrative, judicial, police, disciplinary and supervisory powers. 

«Authorized»: the natural person, placed under the direct authority of the Data Controller, who receives from the latter instructions on the Processing of Personal Data, pursuant to and for the purposes of art. 29 of the GDPR. 

«Privacy Code»: Legislative Decree no. 196/2003 and subsequent amendments and/or additions (in particular by Legislative Decree no. 101/2018).

«Committee» or «EDPB»: the European Data Protection Board, established by art. 68 of the GDPR and governed by Articles. from 68 to 76 of the GDPR, which replaces WP29 from 25/5/2018.

«Communication»: «the giving knowledge of personal data to one or more specific subjects other than the data subject, the representative of the data controller in the territory of the European Union, the manager or his representative in the territory of the European Union, the persons authorized, pursuant to Article 2-quaterdecies, to process personal data under the direct authority of the owner or manager, in any form, also through their availability, consultation or interconnection» (as defined in Article 2-ter, paragraph 4, letter a of the Privacy Code). 

«Contract»: agreement stipulated with the Customer User, through acceptance, by the latter, of the Terms and Conditions.

«Cookies»: short fragments of text (letters and / or numbers) that allow the web server to store information on the browser to be reused during the same visit to the site (session cookies) or later, even after days (persistent cookies). Cookies are stored, based on user preferences, by the individual browser on the specific device used (computer, tablet, smartphone). The following categories are considered:

  • Technical cookies: these cookies are essential for the proper functioning of the site and are used for the sole purpose of «carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide this service» (see art. 122, c. 1, of the Privacy Code).
  • Analytical cookies: these are cookies used to collect and analyze traffic and use of the site anonymously. These cookies, while not identifying the user, allow, for example, to detect if the same user returns to connect at different times. They also allow you to monitor the system and improve its performance and usability. Disabling these cookies can be done without any loss of functionality.
  • Profiling cookies: these are persistent cookies used to identify (anonymously or not) the user’s preferences and improve his browsing experience.
  • Third-party cookies (analytical and / or profiling): these are cookies generated by organizations not belonging to the Site, but integrated into parts of the Site page. Think, for example, of Google «widgets» (e.g. Google Maps) or «social plugins» (Facebook, Twitter, LinkedIn, Google+, etc.).

«Navigation Data»: are the data that the computer systems and software procedures used to operate the site acquire, during their normal operation, and whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s computer environment. These data, necessary for the use of web services, are also processed for the purpose of: obtaining statistical information on the use of the services (most visited pages, number of visitors per time slot or day, geographical areas of origin, etc.); check the correct functioning of the services offered.

«Personal Data»: «any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of his physical, physiological, genetic, mental, economic, cultural or social identity», as defined by art. 4, subparagraph 1, n. 1, of the GDPR).

«Data» or «Data»: one or more of the categories indicated as Personal Data.

«Recipient»: «the natural or legal person, public authority, service or other body that receives communication of personal data, whether or not it is a third party», as defined by art. 4, subparagraph 1, n. 9, of the GDPR. 

«Dissemination»: «giving knowledge of personal data to indeterminate subjects, in any form, including by making them available or consulting» (as defined in Article 2-ter, paragraph 4, letter.b of the Privacy Code). 

«GDPR»: EU Regulation 2016/679 «on the protection of individuals with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)».

«Data subject»: «identified or identifiable natural person», as defined by art. 4, paragraph 1, n. 1, of EU Regulation 2016/679 (so-called «GDPR»). 

«Limitation»: «the marking of personal data stored with the aim of limiting their processing in the future», as defined in art. 4, subparagraph 1, n. 3, of the GDPR. 

«Regulations» or «Regulations»: one or more of the sets of rules indicated, in this Act, as Privacy Policy and Applicable Law. 

«Applicable Legislation»: any provision, of any rank, belonging to Italian or European Union law, in any way applicable to the Site and / or the Contract.

«Privacy Law»: EU Regulation 2016/679 («GDPR»), Legislative Decree 196/2003 and subsequent amendments and / or additions («Privacy Code»), as well as the measures adopted by the Supervisory Authority in execution of the tasks established by the GDPR and the Privacy Code, and the further applicable legislation, of any rank, including the opinions and guidelines drawn up by the Committee. 

Platform: the digital dropshipping platform made available through the Site. 

Privacy Policy: this information on the processing of personal data for the management of the Site. 

Professionals: the subjects who carry out the profession of psychologist and / or researcher in the field of psychotherapy using the Platform on the basis of specific agreements with the Company.

«Profiling»: «any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of said natural person», as defined in art. 4, subparagraph 1, n. 4, of the GDPR. 

«Publication»: the action by which the Data Controller communicates information on the Site, without the implementation of procedures that require the Visitor to view it.

«Responsible»: «the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller», as defined by art. 4, subparagraph 1, n. 8, of the GDPR. 

«BDroppy Service»: any service provided by the Company to its Client Users through the Platform. 

«Site»: web pages displayed through, including subdomains. 

«Company»: the company IDT S.p.A., with registered office in Via Quittengo 35, 10154 Torino (TO), C.F. e P.IVA 10010450012, registered in the Turin Register of Companies, REA number TO-1098199.

«Terms and Conditions»: also abbreviated as «GTC», available on the Page of the Site [insert link] govern the use of the Site and the provision of the Platform and Services. 

«Third»: «the natural or legal person, public authority, service or other body that is not the data subject, the data controller, the data processor and the persons authorized to process personal data under the direct authority of the owner or manager», as defined by art. 4, subparagraph 1, n. 10, of the GDPR.

«Data Controller»: «the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data», as defined by art. 4, subparagraph 1, n. 7, of the GDPR.

«Processing» means «any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, the comparison or interconnection, limitation, cancellation or destruction», as defined by art. 4, subparagraph 1, n. 2, of the GDPR.

«User»: means, without distinction, Registered Users and Customer Users. 

«Client User»: the natural person who purchases any BDroppy Service of the Company from the Reserved Area and therefore uses the Service and the Platform. 

«Registered User»: the natural person who registers in the Reserved Area. 

«Visitor»: the natural or legal person who uses a device and browses, through the Internet, on the public pages of the Site. 

«WP29»: the Working Group for the Protection of Individuals with regard to the Processing of Personal Data, established pursuant to art. 29 of Directive 95/46/EC, whose tasks are set out in art. 30 of Directive 95/46/EC and art. 15 of Directive 2002/58/EC.