Effective Date: 28/05/2026 — A.M.F. SpA
A.M.F. SpA ("we", "us", "our") is committed to the responsible management of personal data collected through the-restory.com and related interactions. We process personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.
We do not have a designated Data Protection Officer (DPO). For any privacy-related enquiries, contact us at:
Email: info@amfsnaps.com
Address: A.M.F. SpA – Via Bortolo Sacchi 54-58, 36061 Bassano del Grappa (Vicenza) Italy.
This policy applies to all website visitors, registered users, and customers of The Restory (luxury bag restoration service) who interact with amfgroup.tech. It covers all personal data processing activities carried out by A.M.F. SpA as data controller.
We process personal data under the following legal bases:
• Consent (Art. 6(1)(a)): for marketing communications, advertising cookies, analytics cookies, and server-side tracking via Meta CAPI.
• Contract performance (Art. 6(1)(b)): for processing orders, managing accounts, and delivering services.
• Legal obligation (Art. 6(1)(c)): for compliance with tax, accounting, and data protection regulations; and for consent management via Cookiebot.
• Legitimate interest (Art. 6(1)(f)): for security, fraud prevention (hCaptcha), website analytics (Microsoft Clarity), and tag orchestration (Google Tag Manager). A Legitimate Interest Assessment (LIA) is available upon request.
We collect personal data through direct interactions, automated technologies, and third-party services. The categories of data we may process include:
• First and last name
• Email address and/or phone number
• Address and city
• Device ID
• IP address
• Browser information and language
• Operating system and version
• Browser fingerprint
• IP-based approximate location
• Interaction logs (clicks, time spent on pages)
• Browsing history (limited to our website)
• Purchase history
We process only data that is adequate, relevant, and limited to what is necessary for the stated purposes (data minimisation principle, Art. 5(1)(c) GDPR).
• Authentication and security
• Customising and adapting user experience
• Content delivery
• Communication and customer support
• Analytics and performance tracking
• Marketing and advertising
• Displaying videos
• Processing transactions
• Compliance with legal obligations
• Fraud prevention and risk management
• User engagement and retention
• Consent management (tag management)
Personal data is stored on secure servers located in the following countries: Italy (IT), United States (US), Luxembourg (LU), Ireland (IE), Germany (DE). For transfers outside the EEA, appropriate safeguards are in place as detailed in Section 8.
• Encryption in transit (HTTPS/TLS) and at rest where applicable
• Pseudonymisation of data where appropriate (e.g. SHA-256 hashing of personal data transmitted via Meta Conversions API)
• Strict access control: data accessible only to authorised personnel on a need-to-know basis
• Regular security audits and system monitoring for anomalous activity
• Consent management platform (Cookiebot) with full audit log of user consents
• Conditional script blocking: third-party tracking scripts are not loaded prior to obtaining user consent
• Data Processing Agreements (DPAs) in place with all third-party processors
• Data breach notification procedure: incidents are assessed and, where required, notified to the Garante per la Protezione dei Dati Personali within 72 hours (Art. 33 GDPR)
We share personal data with the following third-party service providers acting as data processors under Art. 28 GDPR. All processors are bound by Data Processing Agreements requiring compliance with GDPR and adequate technical/organisational security measures.
Service | Provider | Legal Basis | Data Collected | Int'l Transfer | Privacy Policy |
Microsoft Clarity | Microsoft Corporation (US) | Legitimate Interest (Art. 6(1)(f)) | Browser info and language OS and version IP-based approx. location Interaction logs | SCC (Art. 46 GDPR) | |
Brevo | Brevo / Sendinblue (FR/DE) | Consent (Art. 6(1)(a)) / Contract (Art. 6(1)(b)) | First and last name Email address / Phone number IP address Browser info | Intra-EU — no SCC required | |
hCaptcha | Intuition Machines, Inc. (US) | Legitimate Interest (Art. 6(1)(f)) — fraud prevention | Browser info and language OS and version IP address Browser fingerprint IP-based approx. location Interaction logs (behavioral) | SCC (Art. 46 GDPR) | |
Cookiebot / Usercentrics | Usercentrics A/S (DK) | Legal Obligation (Art. 6(1)(c)) — consent management | IP address (anonymized) Browser info and language Consent preferences and timestamp Consent ID | Intra-EU — no SCC required | |
Meta Pixel | Meta Platforms Ireland Ltd. (IE) | Consent (Art. 6(1)(a)) | First and last name Email address / Phone number IP address Device ID Browser fingerprint IP-based approx. location Interaction logs Browsing history | Intra-EU (Ireland) — no SCC required for Pixel | |
Meta Conversions API (CAPI) | Meta Platforms, Inc. (US) | Consent (Art. 6(1)(a)) — server-side event tracking | Email address (hashed SHA-256) Phone number (hashed SHA-256) First and last name (hashed) IP address User agent fbp / fbc identifiers Event data (purchase value, currency, content ID) External ID | SCC (Art. 46 GDPR) — data transmitted server-side to Meta US | |
Google Tag Manager | Google Ireland Limited (IE) | Legitimate Interest (Art. 6(1)(f)) — tag orchestration | Aggregated tag firing data | Intra-EU — no SCC required | |
Google Fonts | Google Ireland Limited (IE) | Legitimate Interest (Art. 6(1)(f)) | IP address Browser fingerprint Browser info and language | Intra-EU — no SCC required | |
Google Ads | Google Ireland Limited (IE) | Consent (Art. 6(1)(a)) | Email address / Phone number Device ID IP address Browser fingerprint IP-based approx. location Interaction logs | Intra-EU — no SCC required | |
Google Analytics | Google Ireland Limited (IE) | Consent (Art. 6(1)(a)) | IP address (anonymized) Device ID Browser fingerprint OS and version IP-based approx. location Browser info and language Interaction logs Purchase history | Intra-EU — no SCC required | |
Amazon Web Services | Amazon Web Services EMEA SARL (LU) | Contract (Art. 6(1)(b)) — cloud infrastructure | Email address / Phone number Address and city Device ID IP address OS and version Browser info and language Interaction logs | Intra-EU (Luxembourg) — no SCC required | |
Amazon CloudFront | Amazon Web Services EMEA SARL (LU) | Contract (Art. 6(1)(b)) — CDN | Device ID IP address OS and version Browser info and language IP-based approx. location | Intra-EU (Luxembourg) — no SCC required | |
YouTube | Google Ireland Limited (IE) | Consent (Art. 6(1)(a)) | Device ID IP address OS and version Browser info and language Interaction logs | Intra-EU — no SCC required | |
Vimeo | Vimeo.com, Inc. (US) | Consent (Art. 6(1)(a)) | Device ID IP address OS and version Browser info and language Browser fingerprint IP-based approx. location Interaction logs | SCC (Art. 46 GDPR) | |
Mailchimp | The Rocket Science Group LLC (US) | Consent (Art. 6(1)(a)) — marketing emails only | First and last name Email address / Phone number Device ID IP address Browser info and language OS and version Interaction logs | SCC (Art. 46 GDPR) |
Note on Meta Conversions API (CAPI): CAPI transmits event data server-side directly from our infrastructure to Meta's US servers, independently of browser-based cookie mechanisms. This transmission occurs only where the user has provided valid consent to marketing/analytics tracking. The data transmitted includes hashed (SHA-256) identifiers; raw personal data is never sent in plain text.
Some of our service providers are located outside the European Economic Area (EEA), in particular in the United States. For all such transfers, we rely on one of the following safeguards pursuant to Art. 46 GDPR:
• Standard Contractual Clauses (SCCs) as adopted by the European Commission — applicable to: Microsoft Clarity, hCaptcha, Meta Conversions API (Meta Platforms, Inc.), Vimeo, Mailchimp.
• Adequacy decisions where applicable.
Providers with EU-based legal entities (Google Ireland, Meta Platforms Ireland, AWS EMEA SARL, Brevo, Usercentrics) process data primarily within the EEA; any onward transfers by those entities are governed by their own GDPR-compliant transfer mechanisms.
A copy of the applicable SCCs is available upon written request to info@amfsnaps.com.
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):
• Customer account data: retained for the duration of the contractual relationship plus 10 years (Italian civil law obligations).
• Marketing consent and email data: retained until withdrawal of consent or 3 years from last interaction, whichever is earlier.
• Analytics data: retained in accordance with the retention settings configured in each analytics platform (typically 14 months for Google Analytics).
• Consent logs (Cookiebot): retained for 12 months.
• Server logs and security data: retained for 12 months.
Upon expiry of the applicable retention period, data is securely deleted or anonymised.
Our services are not directed at persons under the age of 18. We do not knowingly collect personal data from minors. Users are required to confirm they are at least 18 years old at the point of registration or purchase. If we become aware that personal data of a minor has been collected without verifiable parental consent, we will delete it promptly. Please contact info@amfsnaps.com if you believe this has occurred.
You have the following rights with respect to your personal data, exercisable by contacting info@amfsnaps.com:
• Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy.
• Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful.
• Right to restriction of processing (Art. 18): request that we limit processing in certain circumstances.
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interest, including profiling; and to object at any time to direct marketing.
• Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint (Art. 77): lodge a complaint with the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it) or any other competent supervisory authority in your country of residence.
We will respond to requests within 30 days (extendable to 90 days for complex requests, with notification). We may need to verify your identity before processing a request.
We use cookies and similar tracking technologies on amfgroup.tech. Consent is collected and managed through Cookiebot (Usercentrics). No non-essential tracking scripts are loaded prior to obtaining your consent.
• Essential cookies: strictly necessary for website functionality (authentication, security, session management). No consent required.
• Performance and analytics cookies: collect aggregated information about website usage to help us improve (e.g. Google Analytics, Microsoft Clarity). Require consent.
• Functional cookies: enable enhanced functionality and personalisation (e.g. language preferences). Require consent.
• Advertising and targeting cookies: used to deliver relevant advertising and measure campaign effectiveness (e.g. Google Ads, Meta Pixel). Require consent.
On your first visit, a consent banner allows you to accept all, reject non-essential, or customise your preferences by category. You may withdraw or modify your consent at any time via the cookie settings link in the website footer.
For the full list of cookies used, please consult our Cookie Policy: https://the-restory.com/it-en/cookie-policy
We send marketing communications only where you have provided explicit prior consent (opt-in). Each communication includes an unsubscribe link. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Marketing channels we use: email, social media platforms, retargeting ads, geotargeted marketing, referral programmes.
We maintain separate records of marketing consent, including the date, source, and version of the privacy policy in force at the time of collection. Transactional emails (order confirmations, service updates) are sent on the basis of contract performance and do not require marketing consent.
We may update this policy to reflect changes in legal requirements, our services, or processing activities. The effective date at the top of this document indicates the most recent revision.
For significant changes affecting your rights or how we process your data, we will notify you by email and/or a prominent notice on the website, and — where required by law — seek your explicit consent before the changes take effect.
For any questions, requests, or complaints regarding this privacy policy or our data processing activities:
Email: info@amfsnaps.com
Website: amfgroup.tech
Supervisory Authority (Italy):
Garante per la Protezione dei Dati Personali — www.garanteprivacy.it
No spam, we promise. You can unsubscribe at any time.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.
The trademarks mentioned are the property of their respective owners and are shown only to document the restoration service performed.