Privacy policy

(Articles 13 and 14 of EU Regulation 2016/679 – GDPR)

Last update: July 2025

  1. Data controller

The data controller is Calzaturificio Medori Stefano, with registered office in Via Fonte Giugliano 15, 63812 Montegranaro (FM), Italy, VAT number 01554620441.

Privacy contact email: customer@shoto.it 

The Data Protection Officer (DPO) is appointed internally.

  2. Types of data collected

We process the following categories of data:

  • Identification data: first name, last name;
  • Contact details: email address, phone number (optional);
  • Shipping and billing data: address, postal code, city, state, country;
  • Payment data: transactions via Shopify Payments or PayPal;
  • Technical data: IP address, browsing data, technical and profiling cookies;
  • Data relating to purchase history and preferences.

  3. Purpose of processing and legal basis

| Purpose of processing | Legal basis (Art. 6 GDPR) |
| --- | --- |
| Registration on the website and user account management | Performance of the contract (Art. 6.1.b) |
| Order fulfillment and purchase management | Performance of the contract (Art. 6.1.b) |
| Legal and tax compliance | Legal obligation (Art. 6.1.c) |
| Sending promotional communications (newsletters) | Explicit consent (Art. 6.1.a) |
| Anonymous statistical analysis and service improvement | Legitimate interest (Art. 6.1.f) |
| Remarketing and behavioral advertising activities | Explicit consent (Art. 6.1.a) |
| Prevention of abuse and fraud | Legitimate interest (Art. 6.1.f) |

  4. Processing methods

Personal data is processed using electronic tools and, only in limited cases, in paper form. Appropriate technical and organizational measures are taken to ensure data security, confidentiality, integrity, and availability.

  5. Data retention

| Data type | Retention period |
| --- | --- |
| Data relating to orders, invoices, accounting | 10 years (tax and accounting obligations) |
| Marketing and newsletter data | Until consent is withdrawn and in any case no longer than 7 years |
| Registered account data | For the entire duration of the contractual relationship and up to 24 months after account closure |
| Technical and analytical cookies | As indicated in the Cookie Policy |


  6. Mandatory provision of data

The provision of personal data is necessary for the conclusion of the contract and the provision of the requested services. Failure to provide such data may make it impossible to complete a purchase. Consent for marketing or profiling purposes is optional.


  7. Scope of communication and dissemination of data

Personal data may be communicated to the following parties:

  • IT service providers and platforms (e.g., Shopify, for hosting and order management);
  • Banks and payment institutions (e.g., PayPal, Shopify Payments);
  • Tax and accounting consulting firms;
  • Competent authorities in compliance with legal obligations.

The data will not be disseminated or sold to third parties.


  8. Transfers outside the EU

Some suppliers (e.g., Shopify and Meta) are based in countries outside the EU. In these cases, the transfer takes place in compliance with the safeguards provided for in Articles 44–49 of the GDPR, including:

  • adequacy decisions by the European Commission;
  • standard contractual clauses approved by the Commission;
  • additional security measures where necessary.

  9. Rights of the data subject

Pursuant to Articles 15–22 of the GDPR, the user has the right to:

  • obtain confirmation of the existence of their personal data and access its content;
  • request the rectification, erasure, or restriction of the processing of the data;
  • object to the processing for legitimate reasons;
  • receive the data in a structured format (portability);
  • withdraw their consent at any time;
  • lodge a complaint with the Data Protection Authority (www.garanteprivacy.it).

You can exercise your rights by sending a request to the email address: customer@shoto.it 


  10. Processing of data relating to minors

Our website and services are not intended for persons under the age of 16. We do not knowingly collect data relating to minors. If we become aware of any unintentional processing, we will delete the data immediately.


  11. Security measures adopted

We adopt appropriate technical and organizational measures to protect personal data, including:

  • limited and controlled access to systems;
  • encryption of sensitive data;
  • regular backups;
  • updated firewalls and antivirus systems.

  12. Changes to the policy

We reserve the right to modify or update this policy at any time. In the event of substantial changes, users will be informed via the website or email. The updated version will always be available on the website in the “Privacy” section.