Petit

Privacy Policy

Comprehensive privacy notice for the Petit website.

Last update: May 7, 2026.

1. Controller identity and scope of this notice

This notice describes how personal data is processed when users browse the Petit website, interact with its pages, use the contact form, view videos, consult the store locator, or grant consent for analytics and geolocation features.

The website is published under the Petit brand. Based on the information currently displayed on the website, the controller can be identified as Petit, with operational address at c/o BARICENTRO – LOTTO 14/MOD15 – KM 18.000 SS.100 – Casamassima (BA), Italy, Tax Code CRNLRD74L02A662Q.

Requests concerning personal data, privacy rights, or this notice may be sent through the contact details published in the website contact section or to any dedicated privacy email address communicated by the controller.

2. Categories of personal data processed

  • Browsing and device data: IP-related data, browser type, operating system, page path visited, referrer, timestamps, and technical logs required for security and service delivery.
  • Approximate location data: country and city inferred from the visitor IP address, and, where consent is granted, more precise location data derived from browser geolocation and reverse geocoding services.
  • Cookie and identifier data: consent status, analytics identifier, technical session identifiers for reserved areas, and local storage data used by the store locator map.
  • Contact data voluntarily provided: first name, email, phone number, and message content submitted through the contact form.
  • Interaction data with third-party content: technical requests generated when loading Google Maps resources, YouTube thumbnails or embedded videos, and links to social platforms.

3. Purposes of processing and legal bases

  • Website delivery, security and fraud prevention: based on the controller's legitimate interest in ensuring network and information security, maintaining service continuity, and preventing misuse.
  • Handling contact requests: based on the performance of pre-contractual measures requested by the user and, where applicable, the controller's legitimate interest in managing communications.
  • Reserved-area authentication and administration: based on the legitimate interest in protecting the administrative area and, where relevant, contractual or organizational needs.
  • Analytics, visit-source analysis and location-based audience measurement: based on user consent whenever non-necessary tracking or geolocation-related analytics are activated.
  • Optional browser geolocation: based exclusively on prior consent given through the browser permission prompt and the cookie banner acceptance flow.
  • Compliance with legal obligations: where data retention or disclosure is required by applicable law, judicial authority, or competent supervisory authority.

4. Nature of the provision of data

Providing browsing data required for technical delivery of the website is necessary to access the service. Providing contact form data is optional, but failure to provide the information marked as required may prevent the controller from replying. Granting consent for analytics and optional geolocation is entirely optional and can be refused without affecting ordinary browsing.

5. How data is collected

  • Directly from the user, when forms are completed or consent is expressed.
  • Automatically through the device or browser during normal navigation.
  • Through third-party technical services used by the website after a user action or, where required, after consent.

6. Third-party services and recipients

Depending on the page visited and the consent expressed, personal data may be processed by hosting providers, email delivery providers, technical maintenance suppliers, and third-party service providers acting as processors or, where applicable, as independent controllers.

  • Google Maps: used on the store locator page to render the map and related geocoding features.
  • YouTube / Google: used to display backstage video thumbnails and embedded videos when activated by the user.
  • ipapi.co, api64.ipify.org, api.country.is, ipwho.is, BigDataCloud: used in the analytics and geolocation workflow to infer public IP, country, city, or location details where consent is granted.
  • Social platforms: Instagram and Facebook links are available in the footer; if the user clicks them, the relevant platform processes data according to its own policies.

7. International data transfers

Some technology providers used by the website may process data outside the European Economic Area. In those cases, the controller must rely on an adequate transfer mechanism under Chapter V GDPR, such as an adequacy decision, Standard Contractual Clauses, supplementary measures, or another lawful transfer basis where applicable.

8. Retention periods

  • Technical logs and security data: retained for the time strictly necessary to ensure system integrity, incident analysis, and defense of rights.
  • Contact requests: retained for the time needed to manage the request and any follow-up, and for any additional period required for legal defense or record-keeping obligations.
  • Consent records: retained for the duration necessary to demonstrate the user's choice and manage future requests or objections.
  • Analytics records: retained according to the controller's internal retention settings and in line with necessity, minimization, and proportionality principles.
  • Local storage map cache: stored on the user's device until cleared by the browser or overwritten.

9. Automated decision-making and profiling

No automated decision producing legal or similarly significant effects is described in the current implementation. Analytics data may still be used in aggregate or pseudonymized form to observe traffic patterns, content interest, and geographic reach.

10. Data subject rights

Within the limits and conditions set by applicable law, users may request access to their personal data, rectification, erasure, restriction of processing, portability where applicable, and objection to processing based on legitimate interest. Users may also withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

Users also have the right to lodge a complaint with the competent supervisory authority. For Italy, this is the Garante per la protezione dei dati personali.

11. Cookies and tracking technologies

A dedicated Cookie Policy provides detailed information on the cookies and similar technologies used by the website, including consent logic, analytics identifiers, map-related storage, and third-party technologies that may be activated during navigation.

12. Children

The website is not intentionally directed at children under the age at which consent is legally valid for information society services. If personal data relating to minors is processed without the necessary legal basis or authorization, it should be promptly deleted once identified.

13. Security measures

The controller adopts technical and organizational measures appropriate to the risk, including session protection, access control, password hashing, limited data collection, and measures designed to reduce the identifiability of visitors where possible.

14. Updates to this notice

This notice may be updated whenever the website features, suppliers, retention periods, contact channels, or regulatory requirements change. The latest version should always remain available from the website footer.

This page is designed to be substantially more complete and aligned with the current site code, but legal completeness still depends on facts that cannot be inferred from source code alone, such as the controller's exact legal name, processor list, contractual safeguards, hosting location, email handling rules, and formal retention schedule.
Petit