Skip to main content
Winning Time logo

Privacy Policy

Last updated: 2026-05-15

This notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and describes how Winning Time Group processes the personal data of users who visit winningtime.it and its subdomains.

Data controller

The data controller is Winning Time Group, with registered office at Via Londra 77, 46047 Porto Mantovano (MN), Italy. Any request relating to the processing of personal data may be sent to info@winningtime.it or by phone to +39 895 8950825. The data controller has not appointed a Data Protection Officer (DPO), as the conditions set out in Article 37 of the GDPR do not apply.

Categories of data processed

Navigation data: the IT systems and software procedures used to operate this website acquire, during their normal operation, certain data whose transmission is implicit in the use of internet communication protocols. This includes, in particular, IP addresses (in anonymized form), browser type, operating system, device identifier, pages visited, language and referrer. Contact data: data (name, email address, possible phone number and message content) that you voluntarily provide by writing to the email addresses published on the site. Identifiers and analytics data: information collected through cookies and similar technologies, described in detail in the Cookie Policy; such data is collected only after the user has given express consent.

Purposes of processing and legal bases

Personal data is processed for the following purposes: (a) operation of the website, technical management and IT security – legal basis: legitimate interest of the controller, Art. 6(1)(f) GDPR; (b) responding to requests for information or contact sent by the user – legal basis: performance of pre-contractual measures and/or legitimate interest, Art. 6(1)(b) and (f) GDPR; (c) aggregated and statistical measurement of website usage through Google Analytics 4 – legal basis: the user’s consent under Art. 6(1)(a) GDPR, given through the cookie banner and revocable at any time; (d) compliance with legal obligations and defence in legal proceedings – legal basis: legal obligation under Art. 6(1)(c) and legitimate interest under Art. 6(1)(f) GDPR.

Processing methods and security

Data is processed by electronic means and in accordance with logic strictly related to the purposes set out above. Appropriate technical and organisational measures are in place to ensure a level of security suitable for the risk, including encrypted connections (HTTPS/HSTS), Content Security Policy, access controls, the data minimisation principle and restricted access for authorised personnel only. Data is mainly processed within the European Union; any transfers outside the EEA are governed as described in the dedicated section below.

Recipients and external processors

Personal data may be disclosed to third parties acting on behalf of the controller as data processors pursuant to Article 28 of the GDPR, in particular: Vercel Inc. (hosting and CDN provider), Google Ireland Ltd. and Google LLC (Google Analytics 4 service, activated only upon consent), Supabase Inc. and Neon Inc. (database and authentication, used exclusively for the restricted /admin area of the site), as well as email and technical support providers. Data is not disseminated and is not transferred to third parties for marketing purposes.

Transfers of data outside the EU

Some of the providers listed above (in particular Google, Vercel and Supabase) are established or operate servers outside the European Economic Area, including in the United States of America. In such cases the transfer is carried out on the basis of the Standard Contractual Clauses adopted by the European Commission and, where applicable, the providers’ certification under the EU–US Data Privacy Framework. A copy of the safeguards in place can be requested by contacting the controller.

Retention periods

Navigation data and technical logs are kept only for the time strictly necessary to operate the website and, in any case, no longer than 30 days, except where retention is required for the investigation of offences or to enable the controller to defend itself in legal proceedings. Data collected through Google Analytics 4 is kept in aggregated form for 14 months (GA4 default setting). Email communications are kept for the time needed to handle the request and for the following 24 months for documentation and defence purposes. Data processed to comply with legal obligations is kept for the time required by the applicable law.

Rights of the data subject

You may exercise at any time, within the limits and under the conditions set out in Articles 15–22 of the GDPR, the rights to access your personal data, to obtain rectification or erasure, to restrict or object to the processing, to data portability and to withdraw any consent previously given, without prejudice to the lawfulness of processing carried out before the withdrawal. Requests can be sent to the controller at info@winningtime.it and will be answered within the timeframe set by applicable law.

Right to lodge a complaint with a supervisory authority

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Italy, this is the Garante per la protezione dei dati personali (www.garanteprivacy.it), Piazza Venezia 11, 00187 Rome.

Changes to this notice

The controller reserves the right to modify this notice at any time, also as a result of changes in applicable law or in the services offered. Updates will be published on this page and indicated by the “Last updated” date shown at the top. Users are invited to consult this page from time to time.

For any question or request regarding the processing of personal data, please contact the controller using the details provided in the “Data controller” section.