Privacy Policy
Last updated: 1 May 2026
1. Introduction and Data Controller
This Privacy Policy describes how Manuel Rodriguez, trading as "Tekko Fitness", with address at Via Bernardo Strozzi 9, 16136 Genova (GE), Italy, email tekkofitness@outlook.com (referred to in this Policy as "we", "us" or "our"), collects, uses, discloses and protects your personal data when you visit, use, make a purchase or otherwise interact with our online store and the services provided through it (the "Services").
For the purposes of applicable data protection laws – including the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), the Italian Personal Data Protection Code (Legislative Decree no. 196/2003 as amended), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other US state privacy laws – we act as the data controller of the personal data described in this Policy.
Our online store is operated using the Shopify platform (Shopify Inc.). Where Shopify processes personal data on our behalf, it acts as our data processor; where Shopify processes data for its own purposes, it acts as an independent controller. See Section 6 for details.
By using the Services, you confirm that you have read and understood this Privacy Policy. In case of conflict between our Terms of Service and this Privacy Policy, this Privacy Policy prevails in respect of the collection, processing and disclosure of your personal data.
2. Personal Data We Collect
We may collect or process the following categories of personal data, depending on your interaction with the Services:
- Contact data: name, billing address, shipping address, email address.
- Financial data: payment card details, financial account details, transaction details, payment confirmation. Note: full payment card numbers are processed directly by our payment processors (e.g. Shopify Payments, PayPal, Stripe) and we do not store them on our systems.
- Account data: username, password (hashed), preferences and settings.
- Transactional data: items viewed, added to cart or wishlist, purchases, returns, exchanges, deletions and order history.
- Communications data: information you include in communications with us (e.g., customer service tickets, emails).
- Device and connection data: IP address, browser type, operating system, unique device identifiers, language settings.
- Usage data: pages visited, time spent, links clicked, referring/exit pages, interaction patterns within the Services.
- Marketing data: preferences for receiving marketing communications, responses to marketing campaigns.
We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data or biometric data) or sensitive personal information as defined under the CCPA/CPRA.
3. Sources of Personal Data
We collect personal data from the following sources:
- Directly from you: when you create an account, place an order, contact customer service or otherwise communicate with us.
- Automatically: through your device when you use the Services, including via cookies and similar technologies.
- From service providers: such as Shopify, payment processors, shipping carriers and analytics providers.
- From advertising and marketing partners: such as Meta (Facebook/Instagram), Google or TikTok, where you interact with our ads or content on those platforms.
4. How We Use Personal Data and Legal Bases (EU/UK Residents)
For EU and UK residents, we process your personal data on the following legal bases under Article 6 GDPR:
| Purpose | Categories used | Legal basis |
|---|---|---|
| Processing your orders, payments, deliveries, returns and exchanges | Contact, financial, transactional, account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Creating and managing your account | Contact, account | Performance of a contract (Art. 6(1)(b)) |
| Customer service and responding to enquiries | Contact, communications | Performance of a contract / Legitimate interests (Art. 6(1)(f)) |
| Tax, accounting and legal compliance | Contact, financial, transactional | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention and security | Account, device, financial, transactional | Legitimate interests in protecting our business and customers |
| Direct marketing communications to existing customers | Contact, transactional | Legitimate interests (with right to object at any time) |
| Marketing communications to non-customers | Contact | Consent (Art. 6(1)(a)) |
| Personalised advertising on third-party platforms | Device, usage, transactional | Consent via cookie banner |
| Improving the Services and analytics | Usage, device | Legitimate interests in operating and improving our business |
| Establishing or defending legal claims | All as relevant | Legitimate interests / Legal obligation |
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
5. How We Use Personal Data (US Residents)
For US residents, we process personal data for the following business purposes: providing and operating the Services; processing transactions; account management; customer service; security and fraud prevention; marketing and advertising; analytics and improvement of the Services; legal compliance and dispute resolution.
6. How We Disclose Personal Data
We disclose personal data to the following categories of recipients:
- Shopify Inc., our e-commerce platform provider, which provides infrastructure, payment processing (Shopify Payments), analytics and marketing functionality. Shopify's privacy practices are described at https://www.shopify.com/legal/privacy.
- Payment processors (e.g., Shopify Payments, PayPal, Stripe) to process your payments.
- Shipping and logistics providers to deliver your orders.
- IT, hosting and cloud service providers.
- Marketing and advertising partners (e.g., Meta, Google, TikTok) where you have consented to personalised advertising.
- Analytics providers (e.g., Google Analytics) where you have consented.
- Professional advisors (lawyers, accountants).
- Public authorities, courts and law enforcement where required by law or to protect our rights.
- Acquirers and successors in the context of a merger, acquisition, restructuring or sale of business assets.
We do not sell your personal data for monetary consideration. We may share personal data for cross-context behavioural advertising (as defined under the CCPA/CPRA); you have the right to opt out – see Section 13.
7. Cookies and Similar Technologies
We use cookies and similar tracking technologies to operate the Services, remember your preferences, analyse usage and (with your consent) deliver personalised advertising.
Strictly necessary cookies do not require consent. All other cookies (analytics, marketing, personalisation) are used only if you give consent through our cookie banner. You can change your cookie preferences at any time using the cookie settings link on our website.
8. International Data Transfers
Your personal data may be transferred to, stored or processed in countries outside your country of residence, including the United States, where our service providers (including Shopify) operate.
When transferring personal data outside the European Economic Area or the United Kingdom to a country not deemed adequate by the European Commission or the UK ICO, we rely on appropriate safeguards such as the European Commission Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or other lawful transfer mechanisms.
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy. Specific retention periods include:
- Order and transaction data: 10 years from the date of the transaction (in compliance with Italian tax and accounting obligations under Art. 2220 of the Italian Civil Code).
- Account data: until you delete your account, plus a reasonable backup retention period of up to 12 months.
- Customer service communications: up to 24 months from last contact.
- Marketing data and consent records: until you withdraw consent or object, plus 24 months for evidence of consent.
- Cookie and analytics data: as set out in our cookie banner (typically up to 13 months).
- Data needed to defend legal claims: until expiration of applicable limitation periods (typically up to 10 years under Italian law).
After these periods, data is deleted or anonymised.
10. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration or disclosure, including encryption in transit (HTTPS), restricted access, hashing of passwords and use of trusted service providers. However, no security measure is perfect; we recommend that you use strong, unique passwords and contact us immediately if you suspect any unauthorised access to your account.
11. Your Rights – Overview
Depending on where you reside, you may have certain rights regarding your personal data. These rights are not absolute and may be subject to legal exceptions. To exercise any of your rights, contact us at tekkofitness@outlook.com. We will respond within the time frames required by applicable law (generally 30 days under GDPR, 45 days under CCPA, extendable). We may need to verify your identity before processing your request.
You will not be discriminated against for exercising your rights.
12. Additional Rights for EU/EEA Residents
If you are a resident of the European Economic Area, you have the following rights under the EU GDPR:
- Right of access (Art. 15) – to know what personal data we hold about you.
- Right to rectification (Art. 16) – to correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object to processing (Art. 21), including objection to direct marketing at any time.
- Right not to be subject to automated decision-making (Art. 22). We do not engage in automated decision-making with legal or similarly significant effects.
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint with a supervisory authority. Italian residents may complain to the Garante per la Protezione dei Dati Personali (https://www.garanteprivacy.it). A list of EU/EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
13. Additional Rights for UK Residents
If you are a UK resident, you have substantially the same rights as EU/EEA residents under the UK GDPR and the Data Protection Act 2018. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) (https://ico.org.uk).
14. Additional Rights for US Residents
14.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended:
- Right to know what categories and specific pieces of personal information we have collected, the sources, purposes and categories of recipients.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information for cross-context behavioural advertising. To exercise this right, contact us at tekkofitness@outlook.com or use the "Do Not Sell or Share My Personal Information" link available on our website.
- Right to limit the use of sensitive personal information (we do not use sensitive personal information for purposes beyond those permitted by §7027(m) of the CCPA Regulations).
- Right to non-discrimination for exercising your rights.
Categories of personal information collected (last 12 months): Identifiers (name, email, IP address); customer records (billing/shipping address, payment information); commercial information (purchase history); internet/network activity (browsing, interaction with the Services); geolocation (approximate, derived from IP); inferences drawn from the above.
Sale/sharing: in the past 12 months we have not "sold" personal information for monetary consideration. We may "share" Identifiers, Commercial information and Internet activity for cross-context behavioural advertising, which you can opt out of as set out above.
Sources and purposes for each category are described in Sections 2-5 of this Policy. Categories of recipients are described in Section 6.
You may designate an authorised agent to make requests on your behalf. We may verify your identity before responding.
14.2 Virginia, Colorado, Connecticut, Utah, Texas and Other US State Residents
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA) or another US state with applicable comprehensive privacy legislation, you may have rights similar to those described above, including the right to access, delete, correct (where applicable), obtain a portable copy of, and opt out of the sale or targeted advertising use of, your personal data.
To exercise these rights, contact us at tekkofitness@outlook.com. If we deny your request, you may have the right to appeal; you may submit an appeal to the same email address. If your appeal is denied, you may contact your State Attorney General.
15. Children's Privacy
The Services are not directed to children. We do not knowingly collect personal data from:
- Children under 14 in Italy (in accordance with Article 2-quinquies of the Italian Personal Data Protection Code);
- Children under 16 in other EU/EEA countries (or the lower age set by applicable national law);
- Children under 13 in the United Kingdom and the United States (in accordance with the UK GDPR and the US Children's Online Privacy Protection Act, "COPPA").
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at tekkofitness@outlook.com and we will delete the data promptly.
We do not knowingly "sell" or "share" personal data of consumers under 16 years of age.
16. Third-Party Links
The Services may contain links to third-party websites or platforms that we do not operate or control. This Privacy Policy does not apply to those third parties. We recommend you review their privacy policies before providing them with personal data.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory or operational reasons. We will post the updated Policy on our website with a new "Last updated" date. Where required by law, we will notify you of material changes.
18. Contact and Complaints
For any questions about this Privacy Policy, or to exercise your rights, please contact:
Manuel Rodriguez (trading as "Tekko Fitness")
Via Bernardo Strozzi 9, 16136 Genova (GE), Italy
Email: tekkofitness@outlook.com
For Italian residents, complaints may also be addressed to the Garante per la Protezione dei Dati Personali at https://www.garanteprivacy.it. For UK residents, complaints may be addressed to the Information Commissioner's Office at https://ico.org.uk.