Privacy policy
(pursuant to articles 13 and 14 of EU Regulation 2016/679)
Last update: August 18, 2025
This information on the processing of personal data is provided to users of the website nolan-helmets.com (hereinafter, the "Site") and is aimed at illustrating the ways in which Nolangroup S.p.A., as data controller (hereinafter, the "Data Controller"), processes personal data collected through the Site and in the context of the conclusion and execution of sales contracts.
The personal data of users and customers are processed by the Data Controller in compliance with Regulation (EU) 2016/679 (“GDPR”), Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (“Privacy Code”) and the applicable legislation.
Data controller
Nolangroup S.p.A.
Registered office: Via G. Terzi di Sant'Agata n. 2 Brembate di Sopra (BG)
VAT number: IT 01928470168
The complete contact details of the Owner are indicated in the "Legal Notes" section of the Site.
Data Protection Officer (DPO)
The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted:
- via email: dpo@nolan.it
- by ordinary mail: Nolangroup S.p.A. – DPO, Via G. Terzi di Sant’Agata n. 2 Brembate di Sopra (BG)
DESCRIPTION OF TREATMENTS
Account creation
Data processed
Name, surname, e-mail address, password (stored in encrypted form), access history, preferences, account creation date.
Data relating to orders placed and order history are also processed.
Purpose of the processing
Management of registration on the Site and customer account, including the ability to access, manage and retrieve information relating to purchases.
Legal basis of the processing
Execution of the contract or pre-contractual measures adopted at the request of the interested party
(art. 6, par. 1, letter b) GDPR).
Retention period
-
Active phase: for the entire duration of the account and until its cancellation by the user.
In case of prolonged inactivity for two (2) years, the Owner will inform the user of the next cancellation; if there is no response within ninety (90) days, the account will be deactivated. - Archiving phase: the data may be retained for a maximum period of five (5) years from the cancellation of the account, exclusively for the purposes of ascertaining, exercising or defending a right in court, in compliance with the statute of limitations.
The account access logs are kept only for the period of account activity, except for security needs or legal obligations.
Nature of the contribution
The provision of data marked as mandatory is necessary for the creation of the account; otherwise, it will not be possible to proceed with registration.
Rights of the interested party
For this processing the interested party can exercise the rights provided for by the articles. 15–22 GDPR, within the limits of what is compatible with the contractual legal basis of the processing. The rights indicated in the "Rights of the interested party" section remain unaffected.
Product orders
Data processed
Account data and: name and surname, billing and delivery address, payment method, order details, delivery method, any return or replacement requests, communications relating to the order.
Purpose of the processing
- execution of the sales contract (delivery, invoicing, payment management);
- fulfillment of legal warranty obligations and after-sales assistance;
- management of returns, refunds and product recalls;
- fulfillment of legal obligations in accounting and tax matters;
- processing of sales statistics in anonymized form.
Legal basis of the processing
- art. 6, par. 1, letter. b) GDPR – execution of the contract;
- art. 6, par. 1, letter. c) GDPR – fulfillment of legal obligations;
- art. 6, par. 1, letter. f) GDPR – legitimate interest of the Data Controller for statistical analysis, subject to anonymization of the data.
Retention period
- contractual and account data: as indicated in the “Account Creation” section;
- invoices and accounting documents: conservation for ten (10) years, in compliance with civil and tax obligations;
- contracts and related documentation: for the time necessary to protect the rights of the Owner, in compliance with the applicable limitation periods.
Nature of the contribution
The provision of data indicated as mandatory is necessary for the execution of the order; otherwise, it will not be possible to complete the purchase.
Rights of the interested party
The interested party can exercise the rights provided for by the articles. 15–22 GDPR, to the extent that the processing is not necessary for the fulfillment of contractual or legal obligations. The rights indicated in the "Rights of the interested party" section remain unaffected.
Contact form
Data processed
Category of the request, subject of the request, first name, last name, email address, telephone number, country, city and, optionally depending on the request, product serial number, description of the defect, attachments and comments.
Purpose of the processing
Management and response to requests sent via the contact form and management of relationships with the user.
Legal basis of the processing
Execution of pre-contractual measures adopted at the request of the interested party
(art. 6, par. 1, letter b) GDPR).
Retention period
The data are stored for the time necessary to manage the request and, subsequently, for a maximum period of three (3) years from the last contact, unless the interested party objects or legal obligations.
Nature of the contribution
The provision of data marked as mandatory is necessary to allow the Data Controller to respond to the request; otherwise, it will not be possible to use the contact form.
Rights of the interested party
The interested party can exercise the rights provided for by the articles. 15–22 GDPR, within the limits of what is compatible with the pre-contractual nature of the processing. The rights indicated in the "Rights of the interested party" section remain unaffected.
Sending newsletters
Data processed
Email address; data relating to the sending of communications; opening and interaction data (clicks), subject to consent; where available, name, surname and purchase history.
Purpose of the processing
Sending informative and promotional communications relating to the Owner's products and initiatives.
Legal basis of the processing
- consent of the interested party (art. 6, par. 1, letter a) GDPR);
- for customers, sending communications relating to similar products or services pursuant to art. 130, paragraph 4, Privacy Code, without prejudice to the right of opposition.
The processing of data relating to newsletter openings and clicks is carried out exclusively with the specific consent of the interested party.
Retention period
The data are stored until the consent is revoked or the right to object is exercised and, in any case, no later than three (3) years from the last interaction.
Rights of the interested party
The interested party can revoke consent at any time and object to processing for direct marketing purposes pursuant to art. 21 GDPR. The rights indicated in the "Rights of the interested party" section remain unaffected.
Customer reviews
Data processed
Name or pseudonym, email address, rating (in stars), comments, publication date, product reviewed.
Purpose of the processing
Publication and management of reviews on the Site; content moderation and verification; improvement of products and services; internal statistics processing.
Legal basis of the processing
Legitimate interest of the Data Controller pursuant to art. 6, par. 1, letter. f) GDPR.
Retention period
Reviews are kept for a maximum period of three (3) years from publication or for as long as they are relevant to the product reviewed, unless cancellation is requested.
Reviews are published using a pseudonym or first name only.
Rights of the interested party
The interested party may object at any time to the processing of data relating to the review pursuant to art. 21 GDPR. The rights indicated in the "Rights of the interested party" section remain unaffected.
User-Generated Content
Data processed
Social account identifier (name or pseudonym), shared contents (images, videos, texts), visible metadata (date of publication, possible location, mentions).
Purpose of the processing
Sharing and valorization of contents on the Site and on the Owner's official channels, community development and institutional communication and marketing activities.
Legal basis of the processing
Explicit consent of the interested party, given through:
- filling out a specific authorization form;
- positive response to a request to use the content.
The use of dedicated hashtags can constitute a manifestation of will only if accompanied by clear and accessible information, without prejudice to the right to withdraw consent.
Retention period
The contents may be used for a maximum period of five (5) years from publication or until consent is revoked.
The data necessary to document consent are retained for a maximum of three (3) years.
Nature of the contribution
The provision of data is optional; in the absence of consent, the contents will not be used.
Rights of the interested party
The interested party can revoke the consent at any time, without prejudice to the lawfulness of the processing carried out before the revocation. The rights indicated in the "Rights of the interested party" section remain unaffected.
Rights of the interested party (general section)
The interested party can exercise the rights provided for by the articles at any time. 15–22 GDPR, including:
- data access;
- rectification or cancellation;
- limitation of processing;
- opposition to processing, in the cases provided for by art. 21 GDPR;
- data portability, where applicable.
Requests can be sent to the Data Controller or to the DPO at the addresses indicated.
The possibility of lodging a complaint with the Guarantor for the protection of personal data remains.
Cookies and tracking tools
The Site uses cookies and other tracking tools, installed on the user's device in compliance with current legislation. Detailed information on the cookies used, their purposes and management methods are available in the cookie management panel, accessible at any time from the Site.
The user can express or revoke his consent to the use of non-necessary cookies through the cookie management panel, without affecting the ability to navigate the Site.
Technical cookies and navigation data
Data processed
IP address, browser type, language, operating system, date and time of access, URL of origin, type of device, session identifiers.
Purpose of the processing
Guarantee the correct functioning and security of the Site, prevent abuse and unauthorized access, resolve technical malfunctions and adapt the display to the devices used.
Legal basis
Legitimate interest of Nolangroup S.p.A. pursuant to art. 6, par. 1, letter. f) GDPR; art. 122 Privacy Code.
Retention period
Browsing data is stored for a maximum period of twelve (12) months, except for the need to ascertain illicit acts or legal obligations.
Session cookies are deleted at the end of the browsing session.
Audience analysis and measurement cookies
Purpose
Statistical analysis of site traffic and performance, improvement of content and browsing experience.
Legal basis
- first-party cookies configured to reduce identification power: comparable to technical cookies;
- third-party or non-anonymized cookies: user consent pursuant to art. 6, par. 1, letter. a) GDPR.
Retention period
Maximum thirteen (13) months.
Functionality and preference cookies
Purpose
Store user preferences (e.g. language, display settings) in order to improve the browsing experience.
Legal basis
- cookies strictly necessary for the preferences requested by the user: legitimate interest;
- non-necessary cookies: user consent.
Retention period
From six (6) to thirteen (13) months, depending on the type of cookie.
Profiling and advertising cookies
Purpose
Analysis of browsing habits and user interests, personalization of advertising content, measurement of campaign effectiveness and integration with social networks.
Legal basis
Free, specific and informed consent of the user (art. 6, par. 1, letter a) GDPR).
Retention period
Maximum thirteen (13) months.
Third party cookies
The Site uses third-party cookies provided by external parties (e.g. analytics service providers, social networks, advertising platforms).
For these cookies, Nolangroup S.p.A. and third-party suppliers can act as joint data controllers pursuant to art. 26 GDPR or, depending on the case, as independent data controllers.
Essential information relating to suppliers, the cookies used and their respective privacy policies are available in the cookie management panel. The user can exercise their rights both towards Nolangroup S.p.A. and directly towards third parties, as indicated in the respective information.
Cookies used on the Site
The Site uses cookies and other tracking tools in order to guarantee correct functioning, improve the user's browsing experience and, with prior consent, carry out statistical analyzes and marketing activities.
Cookies are installed in compliance with Regulation (EU) 2016/679 (GDPR), Legislative Decree 196/2003 and the Guidelines of the Guarantor for the protection of personal data of 10 June 2021.
Updated information on the cookies used and on how preferences are managed is always available via the cookie management panel, accessible at any time from the Site.
Technical cookies (necessary)
| Supplier | Cookie | Duration | Function |
| Shopify | _shopify_essential | 150 days | Operation and security of the Site |
| Shopify |
_shop_app_essential | 12 months | Shop Pay payment management |
| Shopify |
cart | 30 days | Cart storage |
| Shopify |
cart_currency | 14 days | Currency selected |
| Shopify |
localization | 12 months | Language and localization |
| Shopify |
keep_alive | Session | Session maintenance |
| Shopify |
shopify_pay_redirect | 27 days | Shop Pay redirection |
| Shopify |
_tracking_allow | 12 months | Stores cookie preferences |
| Axeptio | axeptio_cookies | 6 months | User Choices |
| Axeptio | axeptio_all_vendors | 6 months | Partners listed |
| Axeptio | axeptio_authorized_vendors | 6 months | Authorized partners |
Audience analysis and measurement cookies (subject to consent)
| Supplier | Cookie | Duration | Function |
| Shopify | _shopify_s | Session / 1 year | Internal statistical analysis |
| Shopify | _landing_page | 14 days | Entry page |
| Shopify | _orig_referrer | 14 days | Source URL |
| _ga, _ga_* | 13 months | Google Analytics 4 | |
| AMP_* | 13 months | Analytics AMP pages |
These cookies are installed only with prior consent and are used exclusively for statistical purposes. Google Analytics is configured to reduce identification power (IP anonymization).
Profiling and marketing cookies (subject to consent)
| Supplier | Cookie | Duration | Function |
| Meta | _fbp | 3 months | Retargeting and measurement campaigns |
| Klaviyo | __kla_id | 13 months | Email marketing attribution |
These cookies allow you to personalize advertising content and measure the effectiveness of campaigns. They are installed only with the free and specific consent of the user.
Third party cookies
For third-party cookies, Nolangroup S.p.A. and suppliers may act as joint controllers or independent controllers, as appropriate. Essential information on suppliers, purposes and methods of exercising rights are available in the cookie management panel and in the respective privacy policies.
RECIPIENTS OF PERSONAL DATA
Data controller
The data controller of personal data is Nolangroup S.p.A., whose complete identification data are indicated in the "Legal notes" section of the Site.
Recipients of the data
In relation to the purposes indicated in this information, personal data may be communicated to:
- internal personnel of Nolangroup S.p.A., duly authorized to process pursuant to art. 29 GDPR, for the performance of administrative, commercial, contractual, technical and after-sales assistance activities;
- service providers operating on behalf of Nolangroup S.p.A. as data controllers pursuant to art. 28 GDPR (for example: hosting providers, IT service providers, logistics operators, payment institutions, consultants), within the limits of what is necessary for the provision of the requested services;
- subjects who act as independent data controllers, in the cases provided for by law (for example payment institutions for the processing within their competence).
The updated list of data controllers can be requested from the Data Controller.
RIGHTS OF THE INTERESTED PARTY
Interested parties may exercise the rights provided for in articles 15 et seq. of Regulation (EU) 2016/679 at any time.
Right of access
The interested party has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and to receive information on the processing itself, as well as a copy of the personal data processed.
Right of rectification
The interested party has the right to obtain the rectification of inaccurate personal data concerning him and the integration of incomplete ones.
Right to erasure
The interested party has the right to obtain the cancellation of personal data concerning him in the cases provided for by the art. 17 GDPR, in particular when the data are no longer necessary with respect to the purposes for which they were collected or processed, or in case of legitimate opposition to the processing.
The right to cancellation cannot be exercised in the cases provided for by the art. 17, par. 3, GDPR, including the fulfillment of legal obligations or the need to ascertain, exercise or defend a right in court.
Right to limit processing
The interested party has the right to obtain the limitation of processing in the cases provided for by the art. 18 GDPR.
Right to data portability
The interested party has the right to receive the personal data provided to Nolangroup S.p.A. in a structured, commonly used and machine-readable format and, where technically feasible, to transmit them to another data controller.
Right of opposition
The interested party has the right to object at any time to the processing of personal data based on the legitimate interest of the Data Controller, pursuant to art. 21 GDPR.
If personal data are processed for direct marketing purposes, the objection can be exercised at any time and is always accepted.
Right to withdraw consent
The interested party has the right to revoke the consent given at any time, without prejudice to the lawfulness of the processing based on the consent before the revocation.
Right to lodge a complaint
The interested party has the right to lodge a complaint with the Guarantor for the protection of personal data, if he believes that the processing of personal data concerning him violates the applicable legislation.
Personal data of deceased persons
Pursuant to art. 2-terdecies of Legislative Decree 196/2003, the rights relating to the personal data of a deceased person can be exercised by those who have an interest of their own, by those acting to protect the interested party or for family reasons worthy of protection, unless the interested party has expressly prohibited this exercise with a written declaration presented to the Data Controller.
The interested party may at any time exercise the rights provided for in articles 15 et seq. of Regulation (EU) 2016/679 towards the Data Controller, Nolangroup S.p.A., using one of the following methods:
- by sending a request via e-mail to the address: privacy@nolangroup.it
- by sending a written communication by ordinary mail to the following address: Nolangroup S.p.A. – Privacy Office, Via G. Terzi di Sant’Agata n. 2
The interested party can also contact the Data Protection Officer (DPO) at the contact details indicated in this information.
Requests are processed without unjustified delay and, in any case, within the deadlines set by the art. 12 GDPR. The exercise of rights is free, except in the cases provided for by applicable legislation.
