Privacy Policy

Last updated: January 25, 2026

CASTA S.R.L. (hereinafter "Data Controller") respects user privacy and is committed to protecting personal data collected through the BroilyGrill website. This privacy policy describes how personal data is processed in compliance with EU Regulation 2016/679 (GDPR).

1. Data Controller

The Data Controller of personal data is: CASTA S.R.L. Registered office: Via [Address], Forlì (FC), Italy VAT Number: IT03497370407 Email: info@broilygrill.com For any questions regarding the processing of personal data, you may contact the Data Controller using the above details.

CASTA S.R.L.
Via F.lli Lumière, 11 (Z.I. Villa Selva)
47122 Forlì (FC) - Italy
P.IVA: IT03497370407
Tel: +39 0543 782920
Fax: +39 0543 782925
Email: info@broilygrill.com

2. Categories of Data Collected

The Data Controller collects different categories of personal data depending on user interactions with the website:

2.1 Navigation Data

During website navigation, the following technical data is automatically collected:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and timestamps
  • Visit duration
  • Referring website (referrer)
  • Usage data and website interaction

2.2 Contact Form Data

When users submit the contact form, the following data is collected:

  • First and last name
  • Email address
  • Phone number (optional)
  • Message and request content

2.3 Account Registration Data

To access the members area, users provide:

  • First and last name
  • Email address
  • Password (encrypted)
  • Broily product serial number
  • Purchased product model
  • Registration date
  • The product serial number is verified to ensure exclusive access to content reserved for Broily customers.

2.4 Cookies and Tracking Technologies

The website uses technical cookies necessary for operation and analytical cookies to improve user experience. For more information, please refer to our Cookie Policy.

3. Data NOT Collected

Please note that the BroilyGrill website does NOT collect or process the following categories of data:

  • Payment data (credit cards, bank accounts) - the website does not conduct e-commerce transactions
  • Sensitive data (ethnic origin, political opinions, biometric data, health data)
  • Data relating to criminal convictions or offenses
  • Data of minors under 16 years of age (the service is reserved for adults)

4. Processing Purposes

Personal data is processed for the following purposes:

4.1 Necessary Purposes (without explicit consent)

  • Service provision User account management, authentication, and access to reserved content (recipe videos, training materials)
  • Serial number verification Verification of Broily product authenticity and customer area access enablement
  • Request management Response to requests submitted via contact form and customer support
  • Security and fraud prevention Protection of the website from unauthorized access and improper use
  • Technical operation Provision of video streaming service via Bunny.net and infrastructure management

4.2 Consent-Based Purposes

  • Marketing communications Sending newsletters, product updates, and promotional content (only with explicit consent)
  • Statistical analysis Improvement of user experience through aggregate analysis of browsing behavior

5. Legal Basis for Processing

Processing activities are based on the following legal grounds provided by Art. 6 GDPR:

  • Art. 6(1)(b) - Contract performance Account management, members area access, training content delivery
  • Art. 6(1)(a) - Data subject's consent Marketing communications, analytical cookies
  • Art. 6(1)(f) - Legitimate interest Website security, fraud prevention, service improvement
  • Art. 6(1)(c) - Legal obligation Data retention for tax and accounting obligations

6. Processing Methods

Personal data is processed using automated tools and stored on secure servers. The Data Controller adopts appropriate technical and organizational measures to ensure data security, including: • Password encryption (bcrypt hash) • Certified HTTPS connections • Restricted data access by authorized personnel • Regular backups and disaster recovery • Constant access monitoring • Regular security updates Data is accessible exclusively to authorized personnel of the Data Controller and external data processors, in compliance with the principle of data minimization.

7. Retention Period

Personal data is retained for the time strictly necessary for the purposes for which it was collected:

  • User account data For the duration of the active account + 12 months from deletion (for legal obligations)
  • Contact form data 24 months from last contact, unless retention is necessary for litigation
  • Navigation data 12 months from collection
  • Marketing data Until consent is withdrawn or 24 months from last active consent
  • Tax/accounting data 10 years for legal obligations (if applicable)

8. Data Communication and Sharing

Personal data is not sold to third parties. It may be communicated exclusively to the following categories of recipients:

  • External data processors (IT service providers)
  • Public authorities (upon legal request)
  • Consultants and professionals (subject to confidentiality obligations)
  • The main external data processors are:
    • Supabase Inc. User database and authentication management (EU servers)
    • Vercel Inc. Website hosting and infrastructure
    • Bunny.net (BunnyWay d.o.o.) Video streaming service delivery (CDN and storage)
    • Resend Transactional email and notification delivery
    • Sanity.io CMS content management (recipes, products)
  • Data may be communicated to competent authorities in case of legitimate requests (law enforcement, tax authorities) or to comply with legal obligations.

Data may be transferred to non-EU countries only to recipients that guarantee an adequate level of protection (adequacy decisions, EU standard contractual clauses, Privacy Shield where applicable).

9. Data Subject Rights

In accordance with Articles 15-22 of GDPR, data subjects have the right to:

  • Access (Art. 15) Obtain confirmation of the existence of personal data and receive a copy
  • Rectification (Art. 16) Request correction of inaccurate data or completion of incomplete data
  • Erasure (Art. 17) Obtain erasure of data ("right to be forgotten"), subject to legal obligations
  • Restriction (Art. 18) Obtain restriction of processing in case of contestation or objection
  • Portability (Art. 20) Receive data in a structured, transmissible format to another controller
  • Objection (Art. 21) Object to processing based on legitimate interest or marketing purposes
  • Withdraw consent (Art. 7) Withdraw consent at any time (without affecting the lawfulness of previous processing)
  • Complaint (Art. 77) Lodge a complaint with the Supervisory Authority for the protection of personal data

10. How to Exercise Rights

To exercise the rights listed above, data subjects may: • Send an email request to: privacy@broilygrill.com • Submit the contact form on the website indicating "Exercise of GDPR rights" • Send written communication to: CASTA S.R.L., Via [Address], Forlì (FC) The request must include: • Complete personal details of the data subject • Copy of a valid identity document • Description of the right to be exercised

The Data Controller will provide a response within 30 days of receiving the request (extendable by a further 60 days in case of particular complexity).

In case of account deletion request, all personal data will be deleted within 15 working days, except for data that the Data Controller is legally required to retain.

11. Supervisory Authority

In case of violation of personal data protection regulations, data subjects have the right to lodge a complaint with the Supervisory Authority:

Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) Piazza Venezia 11, 00187 Rome, Italy Phone: +39 06.696771 Email: garante@gpdp.it PEC: protocollo@pec.gpdp.it Website: www.garanteprivacy.it
Piazza Venezia, 11 - 00187 Roma
Email: protocollo@gpdp.it
PEC: protocollo@pec.gpdp.it
Web: www.garanteprivacy.it

12. Changes to Privacy Policy

The Data Controller reserves the right to modify this privacy policy at any time. Changes will be published on this page with indication of the last update date. We recommend checking this page periodically to stay informed about any changes. In case of substantial changes, the Data Controller will provide adequate notice and, where required by law, request new consent.

13. Contact Information

For any questions or requests regarding this privacy policy, please contact: CASTA S.R.L. Email: privacy@broilygrill.com Phone: [Number] Address: Via [Address], Forlì (FC), Italy

Email: info@broilygrill.com
Tel: +39 0543 782920