← Back to site

Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller responsible for processing your personal data is:

Pamplona OÜ
Tornimäe tn 5, 10145 Tallinn, Estonia
Email: info@pamplona.one

Given the nature and scale of our processing activities, the appointment of a Data Protection Officer (DPO) is not required under Art. 37 of Regulation (EU) 2016/679 (GDPR). For any data-protection enquiry you may contact us directly at the address above.

2. Data We Collect

2.1 Data you provide voluntarily

When you fill in our contact form, we collect the following fields:

• Company name
• Contact person (first and last name)
• Business e-mail address
• Phone number
• Business type / sector
• Company website URL
• Free-text message

2.2 Data collected automatically

When you visit our website, the following technical data may be collected automatically by our hosting infrastructure:

• IP address
• Browser type and version
• Operating system
• Referring URL (referrer)
• Date and time of the request

3. Legal Bases for Processing

We process your personal data on the following legal grounds under Art. 6(1) GDPR:

• Art. 6(1)(b) — Performance of a contract or pre-contractual measures: Processing is necessary to respond to your B2B inquiry and to take steps at your request prior to entering into a commercial relationship.
• Art. 6(1)(f) — Legitimate interest: Processing is necessary for the purposes of our legitimate interests, namely operating and securing the website, preventing abuse, and improving our services. These interests are balanced against your rights and do not override them.
• Art. 6(1)(a) — Consent: Where you have given explicit consent (e.g., agreeing to the privacy checkbox on the contact form), we process data on that basis. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Purpose of Processing

Your personal data is processed for the following purposes:

• B2B inquiries: To receive, evaluate, and respond to business inquiries submitted via our contact form; to establish and manage potential commercial relationships with distributors, retailers, and other professional partners in the cosmetics and perfumery sector.
• Website operation and security: To ensure the proper technical functioning, availability, and security of our website; to detect and prevent fraudulent or malicious activity; and to maintain server logs for diagnostic purposes.

5. Recipients and Processors

Your data may be shared with the following third-party service providers (data processors), each acting under a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR:

Provider	Country	Service	Transfer Safeguard
Vercel Inc.	USA	Website hosting & CDN	EU-US Data Privacy Framework (DPF)
Zoho Corporation	Netherlands (EU)	SMTP / email delivery	EU-only data centre; no international transfer
Domain registrar	USA	DNS management	Standard Contractual Clauses (SCCs)
Google LLC	USA	Google Maps embed	EU-US Data Privacy Framework (DPF)

We do not sell, rent, or otherwise commercially share your personal data with any third party.

6. International Data Transfers

Some of our processors are located outside the European Economic Area (EEA). Where personal data is transferred to a third country, we ensure an adequate level of protection through one or more of the following mechanisms:

• EU-US Data Privacy Framework (DPF): Vercel Inc. and Google LLC are certified under the EU-US Data Privacy Framework, recognized by the European Commission as providing adequate protection (adequacy decision of 10 July 2023).
• Standard Contractual Clauses (SCCs): Where the DPF does not apply, we rely on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) to safeguard transfers.
• EU-only processing: Zoho Corporation processes our email data exclusively within the EU (Netherlands data centre), so no international transfer occurs.

7. Retention Periods

We retain your personal data only for as long as necessary to fulfil the purposes described above or to comply with legal obligations:

• Contact form data: Retained for 12 months from the date of submission. If no business relationship is established, the data is deleted after this period.
• Business / contractual data: If a commercial relationship is established, relevant data is retained for 6–10 years in accordance with Italian civil and tax law obligations (Art. 2220 Codice Civile; D.P.R. 600/1973).
• Server logs: Automatically deleted after 90 days.

8. Cookies and Local Storage

This website does not use cookies for analytics, advertising, or tracking purposes.

We use localStorage exclusively to store your language preference (e.g., en, it, de). This is a strictly necessary technical function that enables the website to display content in your chosen language upon return visits.

Under Art. 5(3) of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC), strictly necessary storage that is essential for providing a service explicitly requested by the user is exempt from the consent requirement. Since our localStorage use serves this purpose exclusively, no cookie banner or prior consent is required.

9. Right of Access (Art. 15 GDPR)

You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to the data together with the following information: the purposes of processing, the categories of data, the recipients, the envisaged retention period, the existence of your other rights, and the right to lodge a complaint with a supervisory authority.

10. Right of Rectification (Art. 16 GDPR)

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed.

11. Right of Erasure (Art. 17 GDPR)

You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required by a legal obligation.

12. Right of Restriction of Processing (Art. 18 GDPR)

You have the right to obtain the restriction of processing where one of the following applies: you contest the accuracy of the data (for a period enabling verification); the processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of whether our legitimate grounds override yours.

13. Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and you have the right to transmit that data to another controller without hindrance, where the processing is based on consent or a contract and is carried out by automated means.

14. Right to Object & Right to Withdraw Consent

Right to Object (Art. 21 GDPR): You have the right to object at any time to the processing of your personal data which is based on legitimate interest (Art. 6(1)(f)). Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.

Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

Response timeframe: In accordance with Art. 12(3) GDPR, we will respond to any request to exercise your rights without undue delay and in any event within 30 days of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.

To exercise any of the above rights, please contact us at info@pamplona.one.

15. Supervisory Authority (Art. 77 GDPR)

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Italy, the competent authority is:

Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma, Italy
Website: www.garanteprivacy.it
Email: garante@gpdp.it
PEC: protocollo@pec.gpdp.it