Privacy policy
pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) – Updated on 10/02/2026
This notice describes how the Data Controller processes the personal data of users/customers who browse the website and/or purchase products, as well as those who contact customer support or subscribe to marketing communications.
1. Data Controller
| Company name | G.T.S Global Trade Solution S.r.l. (brand: Bombafit) |
| Registered office | Via Zoe Fontana 220 – 00131 Rome (RM) – Italy |
| VAT number | 17237271006 |
| Customer support email | assistenza@bombafit.it |
| Phone | 0774380830 |
| PEC / privacy contact | globaltradesolution@legalmail.it |
| DPO | Not appointed (unless otherwise required) |
2. Data Processors (Article 28 GDPR)
For certain activities, the Data Controller uses suppliers who process personal data on its behalf, appointed as Data Processors pursuant to Article 28 GDPR.
The Data Controller makes use of, in particular:
- LDA Fashion S.r.l., with registered office at Via delle Genziane, 13/E – 00012 Guidonia Montecelio (RM), VAT no. 14345861000, PEC ldafashionsrl@pec.gocciagroup.it, as Processor for sales management, customer care, marketing and e-commerce operations (as set out in the Article 28 GDPR agreement).
- additional suppliers (e.g., e-commerce platform/hosting, payment processing, shipping, email marketing/CRM, analytics and advertising tools, anti-fraud/anti-spam tools) appointed as Data Processors.
The updated list of Data Processors can be requested from the Data Controller using the contact details provided above.
3. Categories of personal data processed
By way of example, the following data may be processed:
- Identification and contact data (first name, last name, email, phone, delivery/billing address);
- Purchase and transaction data (products purchased, amounts, payment method; payment data is handled by payment providers);
- Account data and preferences (credentials, wishlist, size, communication preferences);
- Browsing and website usage data (logs, IP address, online identifiers, cookie and similar data – see the Cookie Policy);
- Customer care request data (messages, attachments you may send).
4. Purposes and legal bases of processing
The Data Controller processes personal data for the following purposes and legal bases:
| A) | Performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR): order management, delivery, returns, customer support, account creation/management, and related activities. |
| B) | Legal obligations (Art. 6(1)(c) GDPR): tax/accounting obligations, warranty handling, requests from public authorities. |
| C) | Legitimate interest (Art. 6(1)(f) GDPR): website security and prevention of fraud/abuse, legal protection/defence, technical management and service continuity. |
| D) | Consent (Art. 6(1)(a) GDPR): sending newsletters and promotional communications; profiling/personalisation activities (if enabled); marketing via channels other than email (e.g., SMS/WhatsApp/phone), where applicable. |
| E) | “Soft spam” (Art. 130(4) Italian Privacy Code): sending emails about products/services similar to those already purchased, using the email provided during the sale, unless you object (opt-out). |
5. Nature of data provision
Providing data for the purposes under points A) and B) is necessary: if not provided, it will not be possible to complete or manage the order and/or comply with legal obligations.
Providing data for marketing/profiling purposes (point D) is optional: withholding consent does not affect purchases.
Processing based on legitimate interest (point C) is necessary for proper operation and to protect the Data Controller and users; the data subject may object in the cases provided by the GDPR.
6. Processing methods
Data is processed using IT and/or manual tools, according to logic strictly related to the purposes indicated and with appropriate security measures (e.g., access control, logging, backups, encryption in transit).
7. Data recipients
Data may be disclosed to:
- suppliers appointed as Data Processors (Art. 28 GDPR), including LDA Fashion S.r.l. and other technical providers;
- independent data controllers (e.g., couriers, payment institutions, banks, payment platforms) to the extent necessary to provide the service;
- advisors (e.g., legal, tax) and competent authorities in the cases provided by law.
8. Transfers outside the EEA
Some suppliers used by the Data Controller (e.g., e-commerce/hosting platform, analytics/advertising tools, email marketing, anti-fraud/anti-spam) may involve transfers of data to countries outside the European Economic Area.
In such cases, transfers are carried out in compliance with Chapter V GDPR, through an adequacy decision by the European Commission or appropriate safeguards (e.g., Standard Contractual Clauses) and supplementary measures where necessary. You may request information about the safeguards applied by contacting the Data Controller.
9. Retention periods
Data is retained for the time strictly necessary for the purposes:
- Order-related data: for the duration of the contractual relationship and, thereafter, for the periods required by law (e.g., accounting/tax obligations).
- Customer care data: for the time needed to handle the request and, afterwards, for a reasonable period to protect the Data Controller (e.g., until statutory limitation periods expire).
- Marketing data based on consent: until consent is withdrawn and in any case subject to periodic checks (e.g., prolonged inactivity).
- Soft spam data: until you object (opt-out).
- Cookies and online identifiers: as indicated in the Cookie Policy/CMP.
10. Data subject rights
The data subject may exercise the rights set out in Articles 15–22 GDPR (access, rectification, erasure, restriction, objection, portability) and withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).
11. Automated decision-making and profiling
If enabled, profiling is carried out only with prior consent and consists of analysing preferences and interactions (e.g., purchases, categories viewed) to personalise content and offers.
No automated decision-making is envisaged that produces legal effects or similarly significant effects on the data subject.
12. Updates to this notice
The Data Controller may update this notice. Any changes will be published on the website indicating the date of the update.