Privacy Policy
Last updated: 20 April 2026
This Privacy Notice is provided pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR) and explains how Cabana S.r.l. collects, uses, stores, and protects personal data.
1. Data Controller
Cabana S.r.l., with registered office at Via Paolo Lomazzo 19, 20154 Milan, Italy, tax code, VAT number and registration with the Register of Enterprises of Milano Monza Brianza Lodi no. 11680930960, is the data controller.
For any privacy-related request, you may contact us at info@cabanamagazine.com or by ordinary mail addressed to the Privacy Compliance Officer.
2. Categories of Personal Data Processed
We process the following categories of personal data:
| Category | Examples |
|---|---|
| Identification and contact data | First name, last name, title, date of birth, email address, phone number |
| Shipping and billing data | Delivery and billing addresses |
| Payment data | Credit/debit card data processed via a PCI-DSS compliant gateway |
| Browsing and behavioural data | Pages visited, products viewed, purchase history |
| Declared preferences and interests | Self-descriptions provided via the sign-up form |
| Approximate location data | City of residence, country |
| Technical data | IP address, browser type, operating system, identifying cookies |
We do not process special categories of personal data under Article 9 GDPR.
3. Purposes of Processing, Legal Bases and Retention Periods
| Ref. | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| A | Order fulfilment: purchase management, payment processing, product delivery, customer care | Performance of a contract (Art. 6(1)(b) GDPR) | 7 years from the transaction (tax/accounting obligation) |
| B | Access to services reserved for registered users | Performance of a contract (Art. 6(1)(b) GDPR) | Duration of the contractual relationship + 2 years |
| C | Sending commercial and promotional communications about Cabana products, collections and events (direct marketing) | Consent (Art. 6(1)(a) GDPR) for new users; legitimate interest (Art. 6(1)(f) GDPR) for existing customers, with right to object | Until withdrawal of consent or objection |
| D | Profiling: analysis of preferences, interactions and purchase history to personalise marketing communications and on-site experience | Consent (Art. 6(1)(a) GDPR) | Until withdrawal of consent |
| E | Aggregated statistical analysis of website traffic (Google Analytics) | Legitimate interest (Art. 6(1)(f) GDPR) / Consent to analytical cookies | 26 months (Google Analytics cookie expiry) |
| F | Compliance with legal obligations (e.g. tax, accounting, AML) | Legal obligation (Art. 6(1)(c) GDPR) | As required by applicable law |
| G | Defence of legal claims or complaint management | Legitimate interest (Art. 6(1)(f) GDPR) | Duration of proceedings + 10 years |
4. Recipients of Personal Data
Your personal data may be shared with the following categories of recipients, designated as data processors pursuant to Article 28 GDPR where applicable:
- Shopify Inc. (e-commerce platform): order management, payment processing and site infrastructure. Shopify acts as a data processor. Credit card data is encrypted under PCI-DSS. See Shopify Privacy Statement.
- Payment gateway providers (e.g. American Express, Visa, Mastercard, Google Pay, Wero, UnionPay, Shop Pay): they process payment data as independent controllers under their own privacy policies.
- Google LLC (Google Analytics): website traffic analysis. Data is transmitted to Google in aggregated or pseudonymised form.
- Couriers and logistics providers: for order delivery.
- Professional advisors (legal, tax, accounting): to the extent strictly necessary.
- Public authorities: upon legal request or as required by law.
5. Transfers to Third Countries
Some of the recipients mentioned above, in particular Shopify Inc. and Google LLC, are established in the United States. Transfers are carried out in compliance with Chapter V GDPR, based on the following safeguards:
- EU-US Data Privacy Framework, where the recipient is certified;
- Standard Contractual Clauses (SCCs) adopted by the European Commission, as an alternative or supplement.
Data subjects may obtain a copy of the applicable safeguards by contacting the Data Controller.
6. Data Subject Rights
Under Articles 15–22 GDPR, data subjects have the right to:
| Right | Description |
|---|---|
| Access (Art. 15) | Know what data we process, where it comes from and how we use it |
| Rectification (Art. 16) | Request the update, correction or completion of data |
| Erasure (Art. 17) | Request the deletion of data (“right to be forgotten”) where applicable |
| Restriction (Art. 18) | Request restriction of processing in specific cases |
| Portability (Art. 20) | Receive data in a structured, machine-readable format, or transfer it to another controller |
| Objection (Art. 21) | Object to processing based on legitimate interest, including direct marketing |
| Withdrawal of consent (Art. 7(3)) | Withdraw consent at any time, without affecting the lawfulness of prior processing |
| Complaint (Art. 77) | Lodge a complaint with the competent supervisory authority |
To exercise your rights, please contact: info@cabanamagazine.com
7. Cookies
The website uses technical cookies (necessary for operation), analytical cookies (for aggregated statistics), and profiling cookies (to personalise the experience). Full details are set out in the separate Cookie Policy.
8. Security
We implement appropriate technical and organisational measures pursuant to Article 32 GDPR, including:
- SSL/TLS encryption for data transmission;
- AES-256 encryption for credit card data at rest;
- PCI-DSS compliance for payment processing;
- Access to data restricted to authorised personnel;
- Firewalls and intrusion monitoring systems.
No method of transmission over the Internet is, however, guaranteed to be 100% secure.
9. Minors
The site is intended for persons who have reached the age of majority in their country of residence. Under Article 8 GDPR, for users under 16 years of age, consent to data processing must be given or authorised by the holder of parental responsibility. We do not knowingly collect data from children under 16. Should we become aware of any non-compliant processing, we will proceed with the immediate deletion of such data.
10. Changes to this Notice
We reserve the right to update this notice at any time. Changes will be published on this page with the date of update. In the event of material changes, data subjects will be informed by email or via a prominent notice on the website.
In the event of a merger, acquisition or sale of the business, personal data may be transferred to the new controller, who will be required to honour the terms of this notice.