Privacy Policy
Last updated: November 27, 2025
1. Data Controller and Contact Information
1.1 Data Controller Identity
The data controller is The Grid Verona, located at Via Filippo Brunelleschi, 11A, 37138 Verona (Veneto), Italy.
1.2 Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our data protection activities. You can contact our DPO at: privacy@thegridverona.com
1.3 Legal Framework
We are committed to protecting your privacy and complying with all applicable data protection laws, including:
- EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- Italian Privacy Code - D.Lgs. 196/2003 as amended by D.Lgs. 101/2018
- ePrivacy Directive - Directive 2002/58/EC as implemented in Italy
- Consumer Rights Directive - EU Directive 2011/83/EU
- Italian Consumer Code - D.Lgs. 206/2005
2. Personal Data We Collect
We collect and process various categories of personal data as defined under Article 4(1) of the GDPR.
Identity and Contact Data
- Personal Identifiers: Full name, title, date of birth, nationality
- Contact Information: Email address, mobile phone number (optional), postal address
- Government Identifiers: Tax code (Codice Fiscale), VAT number (for business members)
Account and Authentication Data
- Login Credentials: Username, password (stored as a bcrypt hash, see Section 8), security questions
- Authentication Tokens: Session tokens, API keys, two-factor authentication codes
- Account Settings: Language preferences, notification settings, privacy choices
Membership and NFC Data
- Membership Information: Membership number, tier level, join date, renewal dates
- NFC Card Data: Unique card identifier, issuance date, replacement history
- Access Logs: Card scan times, location access, entry/exit timestamps
Transaction and Financial Data
- Purchase History: Items ordered, quantities, prices, order timestamps
- Payment Information: Payment method (card type), last 4 digits, transaction IDs
- Billing Data: Invoices, receipts, tax calculations, refund records
Loyalty and Rewards Data
- Points and Rewards: Points earned, rewards claimed, expiration dates
- Redemption History: Rewards used, redemption dates, staff who processed
- Tier Progression: Points thresholds, tier advancement history
Technical and Device Data
- Device Information: Device type, operating system, browser version, screen resolution
- Network Data: IP address, ISP, geolocation (city/country level), WiFi connections
- Usage Analytics: Page views, click patterns, time spent, feature usage
3. Legal Basis for Processing
We process your personal data based on the following legal grounds:
Contract Performance (Art. 6(1)(b) GDPR)
- Membership services and account management
- Processing payments and transactions
- Loyalty program administration
- NFC card services and access control
Legitimate Interest (Art. 6(1)(f) GDPR)
- Customer analytics and service improvement
- Fraud prevention and security
- Direct marketing to existing customers
- Business analytics and reporting
Consent (Art. 6(1)(a) GDPR)
- Marketing communications (you can withdraw consent anytime)
- Optional mobile number for enhanced services
- Personalized offers and recommendations
4. How We Use Your Data
Service Provision
- Managing your membership account and access
- Processing orders and payments
- Administering loyalty rewards and special offers
- Providing customer support
Customer Analysis and Marketing
- Analyzing customer preferences and behavior patterns
- Creating personalized offers and recommendations
- Sending marketing communications about events and promotions
- Improving our services based on usage data
Business Operations
- Maintaining security and preventing fraud
- Complying with legal obligations
- Business analytics and reporting
- Staff training and service improvement
5. Data Sharing
We may share your data with:
- Service Providers: Payment processors, IT support, cloud hosting (with appropriate data processing agreements)
- Legal Authorities: When required by Italian or EU law
- Business Partners: For joint promotions (only with your explicit consent)
We never sell your personal data to third parties.
6. Data Retention
We retain your data as follows:
- Active Membership: Throughout membership duration
- Inactive Accounts: 3 years from last activity (for potential reactivation)
- Transaction Records: 10 years (Italian tax and accounting requirements)
- Marketing Data: Until consent is withdrawn
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of your data
- Restriction (Art. 18): Limit how we process your data
- Portability (Art. 20): Receive your data in a structured, commonly used format
- Objection (Art. 21): Object to processing, including for direct marketing
8. Data Security and Technical Safeguards
We implement comprehensive technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:
Encryption and Data Protection
- Data in Transit: TLS 1.3 encryption for all web traffic and API communications
- Data at Rest: AES-256 encryption for database storage and backup systems
- Password Protection: Bcrypt hashing with salt for all user passwords
- NFC Card Security: Encrypted card IDs with secure authentication protocols
- Payment Data: PCI DSS compliant tokenization and encryption
Access Control and Authentication
- Multi-Factor Authentication: Required for administrative access
- Role-Based Access Control: Principle of least privilege for all system access
- Session Management: Automatic logout and secure session tokens
- API Security: Rate limiting, authentication tokens, and request validation
Data Breach Response
- Detection: Automated monitoring systems and staff reporting procedures
- Assessment: Risk evaluation within 1 hour of detection
- Containment: Immediate action to prevent further data exposure
- Notification: Authorities notified within 72 hours (Article 33 GDPR)
- Communication: Data subjects informed without undue delay if high risk
9. International Data Transfers
Your personal data is primarily processed and stored within the European Economic Area (EEA). Our primary data centers are located in Italy and other EU member states to ensure compliance with European data protection standards.
When transfers outside the EEA occur, we ensure appropriate safeguards are in place as required by Articles 44-49 of the GDPR, including Standard Contractual Clauses (SCCs) and adequacy decisions.
10. Children's Privacy and Age Restrictions
The Grid is an exclusive membership-based venue that serves alcoholic beverages. Our services are strictly intended for adults:
- Minimum Age: 18 years old (legal drinking age in Italy)
- GDPR Compliance: We do not process data of individuals under 16 without parental consent
- Digital Services: Online accounts require users to be 18 or older
- Venue Access: Physical premises restricted to adults 18+ with valid ID
11. Automated Decision-Making and Profiling
We inform you about any automated decision-making, including profiling, that produces legal effects or significantly affects you. Currently, we use automated systems for:
- Fraud Detection: Pattern analysis of login attempts, transaction amounts, and device information
- Personalization: Analysis of purchase history, preferences, and behavioral patterns
When automated decision-making affects you, you have the right to request human intervention, express your views, and challenge decisions.
12. Italian Consumer Protection Compliance
As a consumer under Italian law (D.Lgs. 206/2005), you have additional rights:
- Clear Language: All data processing information provided in plain Italian
- Accessible Format: Information available in multiple formats upon request
- Complete Disclosure: Full details of data use before collection
- Withdrawal Right: Cancel data processing consent within 14 days for new services
13. Complaints and Supervisory Authority
You have the right to lodge a complaint with the Italian Data Protection Authority:
Garante per la protezione dei dati personali
Website: www.gpdp.it
Email: garante@gpdp.it
Phone: +39 06 696 77 1
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. For material changes, we will provide 30 days advance notice via email to all active members. You can accept changes, object, withdraw consent, or terminate your membership if you disagree with changes.
15. Contact Us
For questions about this Privacy Policy or to exercise your rights: