Effective date: 17/04/2026
Last updated: 17/04/2026

Privacy Policy

pursuant to Art. 13 of Regulation (EU) 2016/679 ("GDPR")

GFC S.r.l. Società Benefit collects and processes personal data as data controller ("Data Controller"), in compliance with Regulation (EU) 2016/679 General Data Protection Regulation ("GDPR"), Legislative Decree no. 196 of 30 June 2003, consolidated text ("Privacy Code"), (collectively, the "Italian privacy legislation"), in accordance with the principles of fairness, lawfulness, transparency, protecting the confidentiality of personal data and the rights of data subjects.

This Privacy Policy ("Policy") is provided pursuant to Article 13 GDPR to inform you about the processing of your personal data ("You" or "Data Subject"), collected and processed for the purpose of offering services through the website https://goodfoodconsulting.eu ("Website").

1. Contact details of the Data Controller

The Data Controller is GFC S.r.l. Società Benefit, with registered office at Via Monteporzio 13, 00178 Rome. To request any information regarding the processing of personal data carried out by the Data Controller and to exercise the rights provided by Italian privacy legislation, you may contact the Data Controller at privacy@goodfoodconsulting.it.

2. Personal data

The Data Controller may collect the following personal data relating to the data subject:

  1. Identification data: first and last name;
  2. Contact data: email address;
  3. Communication data: content of communications exchanged with the Data Controller in relation to requests for information on the relevant services and/or scheduling a meeting, including the date and time of such meeting;
  4. Website browsing data: IP address of the device used to access the Website, type and settings of the browser used by the Data Subject, etc.;
  5. Website system and maintenance logs: files that record the Data Subject's interactions within the Website and that may also contain personal data, such as the IP address of the Data Subject's device, country of origin, browser used, the Data Subject's device operating system, etc., including: date/time, URL/HTTP method, response code, referrer; user-agent/browser, OS/device, IP; technical session identifiers and security tokens (Cloudflare Turnstile); cloud infrastructure/application logs (Laravel Cloud).
  6. Data connected to the use of Cookies through the Website: data automatically collected through cookies, such as the IP address of the Data Subject's device, information on Website functionality preferences, etc., including: cookie identifiers and technical IDs; cookie consent preferences; technical session cookies (e.g. Laravel session and CSRF/XSRF tokens); anonymized analytics cookies (e.g. Google Analytics 4: _ga, _ga_*);

Where we are provided with third-party personal data, such as the email addresses of additional participants for scheduling meetings with the Data Controller for requests regarding related services, you must ensure that the disclosure and subsequent processing of such personal data by the Data Controller complies with Italian privacy legislation. For example, you must inform such third parties of the purposes and means of processing of their personal data and obtain, where applicable, their consent to processing as required by Italian privacy legislation.

3. Purposes and legal bases for processing, provision of personal data

Personal data Purpose of processing Legal basis for processing Nature of data provision and consequences of failure to provide data
• Identification data
• Contact data		 Management of the Data Subject's requests for information on the functioning of the Website and/or the services provided through it, and requests to schedule meetings. Processing is necessary for the performance of a contract to which the data subject is party. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Identification data
• Contact data
• Communication data
• Website browsing data
• Website system and maintenance logs
• Data connected to the use of Cookies through the Website		 Management of requests to exercise the Data Subject's rights, including rights provided by Italian privacy legislation. Processing is necessary to comply with a legal obligation to which the Data Controller is subject. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Identification data
• Contact data
• Communication data
• Website browsing data
• Website system and maintenance logs
• Data connected to the use of Cookies through the Website		 Compliance with applicable laws and management of activities necessary to respond to any requests and/or communications from competent authorities (e.g. judicial, police, administrative authorities, etc.). Processing is necessary to comply with a legal obligation to which the Data Controller is subject. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Identification data
• Contact data
• Communication data
• Website browsing data
• Website system and maintenance logs
• Data connected to the use of Cookies through the Website		 Management of activities necessary to protect the assets, rights, and interests of the Data Controller. Processing is necessary for the purposes of the legitimate interest pursued by the Data Controller, and such legitimate interest consists in ascertaining, exercising, and defending its rights and interests before competent authorities. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Identification data
• Contact data
• Communication data		 Management of any disputes and/or litigation concerning the Data Subject and/or the Client companies of the Data Controller where the Data Subject works. Processing is necessary for the purposes of the legitimate interest pursued by the Data Controller, and such legitimate interest consists in taking defensive action in the event of disputes and/or controversies with its Clients. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Identification data
• Contact data
• Communication data		 Management of obligations necessary for the Data Controller's participation in any corporate transactions. Processing is necessary for the purposes of the legitimate interest pursued by the Data Controller, and such legitimate interest consists in carrying out preparatory and executive activities in the event of participation in corporate transactions. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Website browsing data
• Website system and maintenance logs		 Such personal data will be processed in aggregate form.
Improvement of the Website and services provided through it.		 Processing is necessary for the purposes of the legitimate interest pursued by the Data Controller, and such legitimate interest consists in analyzing aggregated data to improve the Data Controller's activity and use of the foodassist.it application. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Identification data
• Contact data
• Communication data
• Website browsing data
• Website system and maintenance logs
• Data connected to the use of Cookies through the Website		 Management and maintenance of ICT security and technical functioning of the foodassist.it application. Processing is necessary for the purposes of the legitimate interest pursued by the Data Controller, and such legitimate interest consists in ensuring the security and proper functioning of the foodassist.it application. Provision of personal data is necessary for this purpose, and failure to provide such data may prevent the establishment or continuation of the relationship with the Data Controller.
• Identification data
• Contact data		 Sending marketing and commercial communications via newsletter and email concerning the Website and services provided by the Data Controller. Processing is based on the Data Subject's consent. Provision of personal data is voluntary. Failure to provide data for this purpose does not affect use of the Website or the relationship with the Data Controller.
• Data connected to the use of Cookies through the Website Management of the Data Subject's preferences regarding the use of Cookies through the Website, as described in detail in the Cookie Policy. Processing is based on the Data Subject's consent. Provision of personal data is voluntary. Failure to provide data for this purpose does not affect use of the Website or the relationship with the Data Controller.

4. Processing methods

For the purposes of processing carried out under this Policy, the Data Controller may process personal data using electronic and/or IT tools or, in any case, automated tools. The Data Subject's personal data will be processed according to organizational methods and with logic strictly related to the purposes indicated in the Policy and in compliance with Italian privacy legislation.

During personal data processing, the Data Controller adopts appropriate security measures aimed at preventing unauthorized or unlawful access, disclosure, modification, or destruction of personal data.

5. Disclosure of personal data

The Data Controller's personnel, trained, authorized, and instructed on personal data processing, may access the Data Subject's personal data.

Furthermore, in providing the foodassist.it application and services through it, the Data Controller may disclose the Data Subject's personal data to parties external to its organization, such as:

  1. Technology service providers: hosting and/or security service providers for Website network traffic management (Contabo GmbH, Cloudflare), or providers of marketing and/or commercial communication services (e.g. Sendinblue France (SAS), for the email marketing service), who will act as processors on the basis of designation and data processing agreements pursuant to Art. 28 GDPR.
  2. Third parties, independent data controllers, providing professional services: for example, consultants and freelancers in legal, tax, and commercial matters;
  3. Third parties, independent data controllers, in the event of corporate transactions: for example, disclosure of the Data Subject's personal data may occur in the context of mergers, acquisitions, sale of business branches, or other extraordinary transactions where the Data Controller may need to share information with potential buyers or counterparties and their advisors;
  4. Third parties, independent data controllers, in compliance with a legal obligation or to ascertain, exercise, or defend a right in court: the Data Controller may disclose the Data Subject's personal data to institutions, law enforcement, judicial authorities, administrative or public security authorities requesting access to data in the performance of their institutional duties (e.g. during judicial or administrative proceedings), or in order to comply with a legal obligation or protect its rights.
The Data Subject may request the updated list of processors and independent controllers to whom the Data Controller may disclose relevant personal data by contacting the Data Controller as indicated at the beginning of this Policy.

6. International data transfers

As a rule, the Data Controller does not transfer the Data Subject's personal data outside the European Economic Area. In fact, the technology and services used by the Data Controller to provide the Website and related services allow personal data to be stored within the European Economic Area.

Should it become necessary to carry out international transfers of personal data to recipients located in jurisdictions that do not ensure a level of personal data protection equivalent to that provided by the GDPR, the Data Controller will adopt, and require its service providers to adopt, adequate safeguards pursuant to Article 46 GDPR to protect personal data (e.g. Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, transfer impact assessment, etc.).

7. Retention of personal data

The Data Controller may retain the Data Subject's personal data only for the time strictly necessary to achieve the purposes for which data are collected and processed.

By way of example, personal data contained in contracts, communications, and business correspondence may be subject to statutory retention periods, which may require retention for up to ten (10) years, based on the ordinary applicable limitation period and/or provisions of the Civil Code.

Where personal data processing is based on consent provided by the Data Subject for certain purposes under this Policy, the Data Subject's personal data will be retained until such consent is withdrawn. The foregoing also applies where data subjects' consent has been provided for marketing and/or commercial purposes, without prejudice to the Data Controller's periodic verification of the validity and currency of such consent (e.g. every twenty-four (24) months) and the Data Subject's free choices in managing cookie preferences.

In the event of litigation, the Data Subject's data may be retained until completion of the final level of judicial and/or administrative proceedings.

At the end of each personal data retention period, the Data Controller will permanently delete data from its systems and/or anonymize them. In any case, the Data Controller may retain personal data further if necessary to comply with a legal obligation or to exercise defense rights in court.

8. Rights of the Data Subject

Using the contact details provided at the beginning of this Policy, the Data Subject may exercise at any time rights pursuant to Articles 15 et seq. of the GDPR, namely:

  • Right of access: in certain circumstances, the Data Subject has the right to obtain from the Data Controller confirmation as to whether personal data concerning them are being processed and, if so, request access to such personal data and certain information, such as: (i) processing purposes, (ii) categories of personal data processed, (iii) recipients or categories of recipients to whom personal data have been or will be disclosed, (iv) source of personal data collection, (v) retention period, (vi) Data Subject privacy rights, (vii) existence of automated decision-making, and (viii) appropriate safeguards for personal data in case of transfer outside the European Economic Area/European Union. However, this is not an absolute right and the interests of other persons may limit the right of access. The data subject has the right to request a copy of personal data. For any additional copies requested, the Data Controller may charge a reasonable fee taking into account administrative costs incurred.

  • Right to rectification: in certain circumstances, the Data Subject has the right to obtain from the Data Controller rectification of inaccurate personal data concerning them. In addition, the data subject may have the right to obtain completion of incomplete personal data, including by providing a supplementary statement.

  • Right to erasure (right to be forgotten): the Data Subject has the right to obtain erasure of personal data concerning them, in certain circumstances, namely (i) where personal data are no longer necessary for the purposes for which they were collected or otherwise processed, or (ii) the Data Subject has withdrawn consent and there is no other legal ground for continued processing, or (iii) the Data Subject has objected to processing and there is no overriding legitimate ground for processing, (iv) the Data Subject has objected to processing and there is no overriding legitimate ground for processing, including objection to direct marketing purposes and profiling connected to marketing, or (v) personal data have been unlawfully processed, or (vi) personal data must be erased to comply with a legal obligation. In such cases, the Data Controller will take steps to erase or permanently render such personal data unintelligible.

  • Right to restriction of processing: the Data Subject has the right to obtain restriction of processing of their personal data where (i) they contest the accuracy of personal data for the period necessary for the Data Controller to verify such accuracy, or (ii) processing is unlawful and the Data Subject opposes erasure, or (iii) data are no longer needed by the Data Controller but are required by the Data Subject to establish, exercise, or defend legal claims, or (iv) the Data Subject has objected to processing pending verification by the Data Controller of overriding legitimate grounds for continued processing. In these cases, data will be marked and may be processed by the Data Controller only for certain purposes, namely data storage, or to establish, exercise, or defend legal claims, or to protect rights of another natural or legal person, or for reasons of important public interest of the Union or Italy.

  • Right to data portability: in certain circumstances, such as where processing is automated and based on the Data Subject's consent or on a contract with the Data Controller, the Data Subject has the right to receive personal data concerning them and provided by them to the Data Controller in a structured, commonly used, machine-readable format, and to transmit such personal data to another data controller.

  • Right to object: in certain circumstances, such as processing of personal data based on the Data Controller's legitimate interest, the Data Subject has the right to object at any time, on grounds relating to their particular situation, to processing of personal data by the Data Controller and may request that such personal data no longer be processed for specific purposes. If the Data Subject has the right to object and exercises this right, their personal data will no longer be processed by the Data Controller for those purposes unless the Data Controller demonstrates compelling legitimate grounds to continue processing or for establishment, exercise, or defense of legal claims.

If personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to processing for such purposes, including profiling to the extent that it is related to direct marketing. If the data subject objects to processing for direct marketing purposes, personal data will no longer be processed for such purposes.

  • Automated decision-making process: the Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not apply if the decision: (i) is based on the Data Subject's explicit consent; (ii) is necessary for entering into or performance of a contract between the data subject and a data controller; or (iii) is authorized by European Union or Italian law.

Please note that, in certain circumstances pursuant to Article 2-undecies of the Privacy Code, exercise of rights may be delayed, limited, or excluded. In such case, the Data Controller will promptly provide the Data Subject with a reasoned communication and the Data Subject may in any case request the Data Protection Authority to verify that such delay, limitation, or exclusion is based on legitimate grounds.

The Data Subject has the right to lodge a complaint with the Data Protection Authority.

9. CHANGES TO THIS POLICY

This Policy is valid from the effective date indicated at the beginning of this Policy. The Data Controller reserves the right to amend this Policy over time. The Data Subject will be informed of such changes via email communication. Continued use of services through the Website following an update of this Policy indicates acceptance of the changes made.