Skip to main content

Privacy Policy

Effective Date: 28/05/2026 — A.M.F. SpA

1. Introduction and Organisational Information

A.M.F. SpA (“we”, “us”, “our”) is committed to the responsible management of personal data collected through the-restory.com and related interactions. We process personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.

We do not have a designated Data Protection Officer (DPO). For any privacy-related enquiries, contact us at:

  • Email: info@amfsnaps.com
  • Address: A.M.F. SpA – Via Bortolo Sacchi 54-58, 36061 Bassano del Grappa (Vicenza) Italy.

2. Scope and Application

This policy applies to all website visitors, registered users, and customers of The Restory (luxury bag restoration service) who interact with the-restory.com. It covers all personal data processing activities carried out by A.M.F. SpA as data controller.

3. Legal Bases for Processing (Art. 6 GDPR)

We process personal data under the following legal bases:

  • Consent (Art. 6(1)(a)): for marketing communications, advertising cookies, analytics cookies, and server-side tracking via Meta CAPI.
  • Contract performance (Art. 6(1)(b)): for processing orders, managing accounts, and delivering services.
  • Legal obligation (Art. 6(1)(c)): for compliance with tax, accounting, and data protection regulations; and for consent management via Cookiebot.
  • Legitimate interest (Art. 6(1)(f)): for security, fraud prevention (hCaptcha), website analytics (Microsoft Clarity), and tag orchestration (Google Tag Manager). A Legitimate Interest Assessment (LIA) is available upon request.

4. Data Collection and Processing

We collect personal data through direct interactions, automated technologies, and third-party services. The categories of data we may process include:

  • First and last name
  • Email address and/or phone number
  • Address and city
  • Device ID
  • IP address
  • Browser information and language
  • Operating system and version
  • Browser fingerprint
  • IP-based approximate location
  • Interaction logs (clicks, time spent on pages)
  • Browsing history (limited to our website)
  • Purchase history

We process only data that is adequate, relevant, and limited to what is necessary for the stated purposes (data minimisation principle, Art. 5(1)(c) GDPR).

5. Purposes of Processing

  • Authentication and security
  • Customising and adapting user experience
  • Content delivery
  • Communication and customer support
  • Analytics and performance tracking
  • Marketing and advertising
  • Displaying videos
  • Processing transactions
  • Compliance with legal obligations
  • Fraud prevention and risk management
  • User engagement and retention
  • Consent management (tag management)

6. Data Storage and Protection

Storage Locations

Personal data is stored on secure servers located in the following countries: Italy (IT), United States (US), Luxembourg (LU), Ireland (IE), Germany (DE). For transfers outside the EEA, appropriate safeguards are in place as detailed in Section 8.

Technical and Organisational Measures (Art. 32 GDPR)

  • Encryption in transit (HTTPS/TLS) and at rest where applicable
  • Pseudonymisation of data where appropriate (e.g. SHA-256 hashing of personal data transmitted via Meta Conversions API)
  • Strict access control: data accessible only to authorised personnel on a need-to-know basis
  • Regular security audits and system monitoring for anomalous activity
  • Consent management platform (Cookiebot) with full audit log of user consents
  • Conditional script blocking: third-party tracking scripts are not loaded prior to obtaining user consent
  • Data Processing Agreements (DPAs) in place with all third-party processors
  • Data breach notification procedure: incidents are assessed and, where required, notified to the Garante per la Protezione dei Dati Personali within 72 hours (Art. 33 GDPR)

7. Data Sharing and Third-Party Processors

We share personal data with the following third-party service providers acting as data processors under Art. 28 GDPR. All processors are bound by Data Processing Agreements requiring compliance with GDPR and adequate technical/organisational security measures.

Service Provider Legal Basis Data Collected Int’l Transfer Privacy Policy
Microsoft Clarity Microsoft Corporation (US) Legitimate Interest (Art. 6(1)(f)) Browser info and language; OS and version; IP-based approx. location; Interaction logs SCC (Art. 46 GDPR) Privacy Policy
Brevo Brevo / Sendinblue (FR/DE) Consent (Art. 6(1)(a)) / Contract (Art. 6(1)(b)) First and last name; Email address / Phone number; IP address; Browser info Intra-EU — no SCC required Privacy Policy
hCaptcha Intuition Machines, Inc. (US) Legitimate Interest (Art. 6(1)(f)) — fraud prevention Browser info and language; OS and version; IP address; Browser fingerprint; IP-based approx. location; Interaction logs (behavioral) SCC (Art. 46 GDPR) Privacy Policy
Cookiebot / Usercentrics Usercentrics A/S (DK) Legal Obligation (Art. 6(1)(c)) — consent management IP address (anonymized); Browser info and language; Consent preferences and timestamp; Consent ID Intra-EU — no SCC required Privacy Policy
Meta Pixel Meta Platforms Ireland Ltd. (IE) Consent (Art. 6(1)(a)) First and last name; Email address / Phone number; IP address; Device ID; Browser fingerprint; IP-based approx. location; Interaction logs; Browsing history Intra-EU (Ireland) — no SCC required for Pixel Privacy Policy
Meta Conversions API (CAPI) Meta Platforms, Inc. (US) Consent (Art. 6(1)(a)) — server-side event tracking Email address (hashed SHA-256); Phone number (hashed SHA-256); First and last name (hashed); IP address; User agent; fbp / fbc identifiers; Event data (purchase value, currency, content ID); External ID SCC (Art. 46 GDPR) — data transmitted server-side to Meta US Privacy Policy
Google Tag Manager Google Ireland Limited (IE) Legitimate Interest (Art. 6(1)(f)) — tag orchestration Aggregated tag firing data Intra-EU — no SCC required Privacy Policy
Google Fonts Google Ireland Limited (IE) Legitimate Interest (Art. 6(1)(f)) IP address; Browser fingerprint; Browser info and language Intra-EU — no SCC required Privacy Policy
Google Ads Google Ireland Limited (IE) Consent (Art. 6(1)(a)) Email address / Phone number; Device ID; IP address; Browser fingerprint; IP-based approx. location; Interaction logs Intra-EU — no SCC required Privacy Policy
Google Analytics Google Ireland Limited (IE) Consent (Art. 6(1)(a)) IP address (anonymized); Device ID; Browser fingerprint; OS and version; IP-based approx. location; Browser info and language; Interaction logs; Purchase history Intra-EU — no SCC required Privacy Policy
Amazon Web Services Amazon Web Services EMEA SARL (LU) Contract (Art. 6(1)(b)) — cloud infrastructure Email address / Phone number; Address and city; Device ID; IP address; OS and version; Browser info and language; Interaction logs Intra-EU (Luxembourg) — no SCC required Privacy Policy
Amazon CloudFront Amazon Web Services EMEA SARL (LU) Contract (Art. 6(1)(b)) — CDN Device ID; IP address; OS and version; Browser info and language; IP-based approx. location Intra-EU (Luxembourg) — no SCC required Privacy Policy
YouTube Google Ireland Limited (IE) Consent (Art. 6(1)(a)) Device ID; IP address; OS and version; Browser info and language; Interaction logs Intra-EU — no SCC required Privacy Policy
Vimeo Vimeo.com, Inc. (US) Consent (Art. 6(1)(a)) Device ID; IP address; OS and version; Browser info and language; Browser fingerprint; IP-based approx. location; Interaction logs SCC (Art. 46 GDPR) Privacy Policy
Mailchimp The Rocket Science Group LLC (US) Consent (Art. 6(1)(a)) — marketing emails only First and last name; Email address / Phone number; Device ID; IP address; Browser info and language; OS and version; Interaction logs SCC (Art. 46 GDPR) Privacy Policy

Note on Meta Conversions API (CAPI): CAPI transmits event data server-side directly from our infrastructure to Meta’s US servers, independently of browser-based cookie mechanisms. This transmission occurs only where the user has provided valid consent to marketing/analytics tracking. The data transmitted includes hashed (SHA-256) identifiers; raw personal data is never sent in plain text.

8. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), in particular in the United States. For all such transfers, we rely on one of the following safeguards pursuant to Art. 46 GDPR:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission — applicable to: Microsoft Clarity, hCaptcha, Meta Conversions API (Meta Platforms, Inc.), Vimeo, Mailchimp.
  • Adequacy decisions where applicable.

Providers with EU-based legal entities (Google Ireland, Meta Platforms Ireland, AWS EMEA SARL, Brevo, Usercentrics) process data primarily within the EEA; any onward transfers by those entities are governed by their own GDPR-compliant transfer mechanisms.

A copy of the applicable SCCs is available upon written request to info@amfsnaps.com.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):

  • Customer account data: retained for the duration of the contractual relationship plus 10 years (Italian civil law obligations).
  • Marketing consent and email data: retained until withdrawal of consent or 3 years from last interaction, whichever is earlier.
  • Analytics data: retained in accordance with the retention settings configured in each analytics platform (typically 14 months for Google Analytics).
  • Consent logs (Cookiebot): retained for 12 months.
  • Server logs and security data: retained for 12 months.

Upon expiry of the applicable retention period, data is securely deleted or anonymised.

10. Children’s Privacy

Our services are not directed at persons under the age of 18. We do not knowingly collect personal data from minors. Users are required to confirm they are at least 18 years old at the point of registration or purchase. If we become aware that personal data of a minor has been collected without verifiable parental consent, we will delete it promptly. Please contact info@amfsnaps.com if you believe this has occurred.

11. Your Rights Under GDPR

You have the following rights with respect to your personal data, exercisable by contacting info@amfsnaps.com:

  • Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful.
  • Right to restriction of processing (Art. 18): request that we limit processing in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest, including profiling; and to object at any time to direct marketing.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77): lodge a complaint with the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it) or any other competent supervisory authority in your country of residence.

We will respond to requests within 30 days (extendable to 90 days for complex requests, with notification). We may need to verify your identity before processing a request.

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on the-restory.com. Consent is collected and managed through Cookiebot (Usercentrics). No non-essential tracking scripts are loaded prior to obtaining your consent.

Cookie Categories

  • Essential cookies: strictly necessary for website functionality (authentication, security, session management). No consent required.
  • Performance and analytics cookies: collect aggregated information about website usage to help us improve (e.g. Google Analytics, Microsoft Clarity). Require consent.
  • Functional cookies: enable enhanced functionality and personalisation (e.g. language preferences). Require consent.
  • Advertising and targeting cookies: used to deliver relevant advertising and measure campaign effectiveness (e.g. Google Ads, Meta Pixel). Require consent.

Managing Your Consent

On your first visit, a consent banner allows you to accept all, reject non-essential, or customise your preferences by category. You may withdraw or modify your consent at any time via the cookie settings link in the website footer.

For the full list of cookies used, please consult our Cookie Policy: https://the-restory.com/it-en/cookie-policy

13. Direct Marketing

We send marketing communications only where you have provided explicit prior consent (opt-in). Each communication includes an unsubscribe link. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Marketing channels we use: email, social media platforms, retargeting ads, geotargeted marketing, referral programmes.

We maintain separate records of marketing consent, including the date, source, and version of the privacy policy in force at the time of collection. Transactional emails (order confirmations, service updates) are sent on the basis of contract performance and do not require marketing consent.

14. Policy Updates

We may update this policy to reflect changes in legal requirements, our services, or processing activities. The effective date at the top of this document indicates the most recent revision.

For significant changes affecting your rights or how we process your data, we will notify you by email and/or a prominent notice on the website, and — where required by law — seek your explicit consent before the changes take effect.

15. Contact

For any questions, requests, or complaints regarding this privacy policy or our data processing activities:

  • Email: info@amfsnaps.com
  • Website: the-restory.com
  • Supervisory Authority (Italy): Garante per la Protezione dei Dati Personali — www.garanteprivacy.it