This data protection notice explains which personal data (Art. 4 para. 1 GDPR) we process when you use our website, mobile applications and services, for what purposes and on what legal basis, as well as which rights you are granted.

Controller (Art. 4 para. 7 GDPR):
Coral Club Distribution LTD, Agapinoros 52, 2nd floor, Flat/Office 1, 8049 Paphos, Cyprus
Registered in the Commercial Register of the Republic of Cyprus
Registration number: HE343977

Local contact office in Italy (not an independent data controller):
Royal Coral Club SRL
Via Coriano, 58 ; Bl. 34/F ; 47924 Rimini (RN), Italia
Tel.: +39 333 423 6501, +39 0541 39 5124
CF / P.IVA: 03739960403
Codice Destinatario: M5UXCR1
E-mail: support.it@coral-club.com

The data protection support center, which contains answers to frequently asked questions, instructions on exercising your rights and configuring your account, is available via the link at the bottom of our website.

This data protection notice applies to all websites and online services operated by Coral Club Distribution LTD, unless otherwise stated.

We collect personal data only to the extent necessary to provide our services, to fulfil contractual or legal obligations, on the basis of your consent, or to protect our legitimate interests (Art. 6(1)(a), (b), (c), (f) GDPR).

When storing or accessing information on end-user devices, the requirements of Italian legislation apply, including Legislative Decree 196/2003 (Codice Privacy) and the ePrivacy Directive 2002/58/EC, which regulate the use of cookies and similar technologies.

Web Hosting (Art. 6(1)(f) GDPR)

• We use a European hosting provider to host this website.
• Your IP address and server log files are processed on our behalf.
• A data processing agreement has been concluded with the provider (Art. 28 GDPR).
• Server location: EU/EEA. If data is transferred to third countries, Art. 45/46 GDPR (DPF/SCC) applies.

When visiting the website (server logs) (Art. 6(1)(f) GDPR)

• Your browser transmits technically necessary data (for example, IP address, date/time, browser/OS information, referring URL).
• The IP address is stored for no more than 30 days in log files and is then automatically deleted (to ensure IT security, stability, and error analysis).

Contact Form / Email (Art. 6(1)(b) or (f) GDPR)

• Mandatory fields: club number, name, email address, message.
• Optional field: phone number (for faster feedback).
• You may also contact us directly by email; the data is deleted after the request is completed, unless otherwise required by law.

Personal Account (Club Member) (Art. 6(1)(b) GDPR)

• To create an account, we collect your email address, first name, last name, and address.
• Optional: phone number, gender.
• Date of birth — only if required to verify age or identity (for example, for specific payment methods).
• Account deletion is possible by request to rccsrl@gmail.com; legal data retention obligations continue to apply (Art. 6(1)(c) GDPR).

Guest Order (Order Without Registration) (Art. 6(1)(b) GDPR)

• Required data: first name, last name, address, email, payment details (depending on payment method).
• Date of birth — only when paying by invoice (for creditworthiness checks; Art. 6(1)(f) GDPR).
• Data retention is carried out in accordance with Italian commercial and tax law, including Codice Civile, DPR 633/1972 (VAT), DPR 600/1973 (tax records).

“Extended Information” Option (Art. 6(1)(a) GDPR)

• This feature is disabled by default.
• You may selectively allow the display of:
  • Contact details (email/phone)
  • Messenger IDs
  • Participation in events
  • Purchase history for the last 3 months
• Only the data activated by you in your personal account is displayed.
• Consent may be withdrawn at any time via account settings (Art. 7(3) GDPR).
• We remain responsible for lawful provision and access control for this feature.

Newsletter

• Legal basis: Art. 6(1)(a) GDPR, Double Opt-In.
• Tracking of opens and clicks — only with consent.
• Unsubscribing is possible via the “Unsubscribe” link or by email.
• The Double Opt-In process is stored as proof of consent (Art. 6(1)(f) GDPR).

Competitions / Surveys (Art. 6(1)(b) or (a) GDPR)

The data collected depends on the specific activity.

Communication Channels — Overview

• Telephone: name, number, subject of inquiry (Art. 6(1)(b)/(f) GDPR).
• Email: sender address, content of the message (Art. 6(1)(b)/(f) GDPR).
• WhatsApp / Telegram: see dedicated sections below.

WhatsApp (Business Platform) (Art. 6(1)(b)/(f) GDPR)

• Contact via Click-to-Chat or saved number.
• Processed data: phone number, name, messages, metadata.
• Data transfer to the USA: based on DPF/SCC.
• Use is voluntary; alternatives include phone or email.

Telegram (Art. 6(1)(b)/(f) GDPR)

• Processed data: username, phone number (if available), messages, metadata.
• Cloud chats are not end-to-end encrypted; secret chats are end-to-end encrypted.
• Provider: Telegram FZ-LLC (UAE).

Social Media (Facebook, Instagram, TikTok, X/Twitter, etc.)

When visiting our pages, data may be processed for marketing and analytics. If processing purposes are jointly determined, Art. 26 GDPR (joint controllership) applies.

• Provision of services / IT security (log files): Art. 6(1)(f) GDPR.
• Contract performance (account, orders, support): Art. 6(1)(b) GDPR; data retention — Art. 6(1)(c) GDPR.
• Newsletter: Double Opt-In, Art. 6(1)(a) GDPR; withdrawal of consent — Art. 7(3) GDPR.
• Competitions / surveys: Art. 6(1)(b) or (a) GDPR.
• Analytics / marketing (cookies / pixels): Only with consent — Art. 6(1)(a) GDPR.
• Payments / delivery: Art. 6(1)(b) GDPR; where required — Art. 6(1)(c) GDPR.
• Marketing to existing customers: Art. 6(1)(f) GDPR; objection possible at any time.
• Requirements of governmental authorities: Art. 6(1)(c) GDPR.

Recipients / Data Processors (Art. 13(1)(e), Art. 28 GDPR)

Hosting, cloud services, IT support, payment systems, delivery services, CRM systems, mailing services, analytics services, consent management systems. Data processing agreements have been concluded with all processors.

Intra-Group Transfers (Art. 6(1)(b)/(f) GDPR)

Data may be transferred within the corporate group to fulfil contracts, for centralized support, IT, and compliance, in accordance with GDPR and Intra-Group Agreements (Art. 46(2)(c) GDPR).

Transfer of Data to Third Countries (Art. 44 et seq. GDPR)

Permitted only if an adequacy decision exists (Art. 45 GDPR), or appropriate safeguards are in place (Art. 46 GDPR, SCC). For the USA — EU–US Data Privacy Framework.

Right to Object (Art. 21 GDPR)

You may object to the processing of your data at any time. For marketing purposes — without explanation. Send an objection to: support.it@coral-club.com

Art. 6(1)(c) GDPR – fulfilment of legal obligations (for example, obligations to provide information, to store data in accordance with Italian commercial and tax legislation, including the Codice Civile, DPR 600/1973, DPR 633/1972 (IVA), as well as accounting and tax obligations).

Art. 6(1)(f) GDPR – protection of legitimate interests (for example, ensuring system security and protection of the company’s rights).

Italian law does not contain a direct equivalent to §§ 24 and 26 BDSG. Therefore, the relevant provisions of the GDPR apply:

• Art. 6(1)(c) and Art. 6(1)(f) GDPR — when processing is necessary to comply with legal obligations, satisfy public authorities, prevent threats, protect legal claims, or cooperate with law enforcement;
• Art. 9(2)(f) and 9(2)(g) GDPR — when processing concerns protection of company rights, legal proceedings, or substantial public interest.

Art. 32 GDPR – ensuring the security of processing (technical and organisational measures, IT security concepts, access control, server protection, system monitoring).

We inform you, to the extent permitted by law, of cases where data must be disclosed in accordance with Art. 14(4) GDPR, provided such disclosure does not contradict statutory confidentiality obligations, government investigations, or public safety requirements.

Analytical functions and technical security (Art. 6(1)(f) GDPR)

Data (IP, browser, pages visited) is processed to ensure stability, security, and usability. Transfers to third countries (e.g., USA) occur under appropriate safeguards (Art. 46 GDPR, SCC). Additional info is in provider privacy policies.

Our website may contain links to websites of other providers to which this Privacy Policy does not apply. If you follow a link to a third-party website, please note that we do not control the content or the data-processing practices of those providers. We recommend that you review their current privacy policies.

If third-party elements are embedded on our website (for example, Google Maps, YouTube videos, social media plug-ins or other external tools), this is carried out:

• On the basis of your consent under Art. 6(1)(a) GDPR, in conjunction with the requirements of Directive ePrivacy 2002/58/EC, D.lgs. 196/2003 (Codice Privacy), and D.lgs. 101/2018, which regulate the use of cookies and similar technologies in Italy;
• Or to protect our legitimate interests — providing an attractive, functional, and user-friendly online offering — under Art. 6(1)(f) GDPR.

In these cases, third-party providers may process your IP address to correctly display the relevant content. We cannot influence this data-processing activity.

If you do not want third-party providers to collect, process or use data about you, you can disable JavaScript in your browser or block the loading of such content using additional browser extensions. However, please note that doing so may limit the functionality of our website.

If data is transferred to third countries (for example, the United States), such transfer is carried out exclusively in accordance with Art. 44 et seq. GDPR (adequacy decision or appropriate safeguards, including the EU–US Data Privacy Framework (DPF) or the EU Standard Contractual Clauses — SCC).

As a data subject within the meaning of Art. 4(1) GDPR, you have the following key rights with respect to us:

• Right of Access (Art. 15 GDPR) — request confirmation as to whether we process your personal data, and obtain information about such data.
• Right to Rectification (Art. 16 GDPR) — request immediate correction of inaccurate personal data or completion of incomplete personal data.
• Right to Erasure (“Right to Be Forgotten”) (Art. 17 GDPR) — request deletion unless statutory retention obligations prevent it.
• Right to Restriction of Processing (Art. 18 GDPR) — request restriction of processing in certain cases.
• Right to Data Portability (Art. 20 GDPR) — receive your personal data in structured, machine-readable format or have it transmitted to another controller.
• Right to Object (Art. 21 GDPR) — object at any time to processing for reasons related to your particular situation.
• Right to Withdraw Consent (Art. 7(3) GDPR) — withdraw previously given consent at any time with effect for the future.
• Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR) — in Italy: Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Rome, Italy; www.garanteprivacy.it; Tel.: +39 06 69677 1; E-mail: protocollo@gpdp.it.

To view, update, or delete your personal data, log into your personal account and open the “Settings” section (Art. 12(2) GDPR). You may also contact us at rccsrl@gmail.com. We will respond without undue delay and no later than within one month of receipt (Art. 12(3) GDPR). If your request is complex or we receive a high number of requests, the period may be extended by a further two months, with prior notification.

To protect your data, we verify your identity before disclosing information or making changes (Art. 12(6) GDPR). Exercising your rights is free of charge (Art. 12(5) GDPR). In cases of clearly unfounded or excessive requests, we may charge a reasonable fee or refuse the request (Art. 12(5), second sentence GDPR).

We process and store personal data in accordance with principles of data minimisation, integrity, and confidentiality (Art. 5(1)(c) and (f) GDPR). We implement technical and organisational measures under Art. 24 and Art. 32 GDPR to ensure protection appropriate to the risk.

• Encryption of data transmission (e.g., TLS / SSL)
• Firewall systems, access control, and role-based authorisation structures
• Regular security tests, IT infrastructure audits, and penetration testing
• Staff training and awareness-raising regarding data protection and information security

Data Retention

Personal data is stored only as long as necessary to provide requested services or when required by law (Art. 5(1)(e) GDPR). Retention periods:

• Performance of a Contract: retained until completion of contractual obligations and expiry of warranty/contractual periods (Art. 6(1)(b) GDPR).
• Commercial and Tax Obligations in Italy: retained according to:
  • Codice Civile — 10 years
  • TUIR — 10 years from end of financial year
  • D.P.R. 600/1973 and D.P.R. 633/1972 — accounting/fiscal documentation
• Legal Requirements: until expiry of limitation periods (standard: 10 years; certain obligations: 5 years)

This retention ensures the establishment, exercise, or defence of legal claims (Art. 6(1)(f) GDPR).

Deletion or Anonymisation

After retention periods expire, personal data is deleted or anonymised unless required by law or other lawful grounds justify continued storage (Art. 17 GDPR).

Contact for Data Protection Questions: rccsrl@gmail.com

Our services are intended exclusively for individuals who are at least 18 years old. This age restriction protects minors and ensures compliance with legal requirements (Art. 5(1)(a) GDPR; Art. 6(1)(f) GDPR). We do not knowingly collect personal data from individuals under 18 years of age. If you believe that a person under 18 has provided us with personal data, please contact us at rccsrl@gmail.com. We will promptly delete such data in accordance with Art. 17 GDPR.

Do-Not-Track Signals: Our websites currently do not respond to browser “Do Not Track” signals. Nevertheless, all personal data is processed in accordance with this Privacy Policy, Art. 5 and Art. 6 GDPR, and — when accessing users’ devices — Italian cookie legislation (D.lgs. 196/2003, D.lgs. 101/2018, Garante Privacy “Cookie and Other Tracking Tools Guidelines” 2021). Compliance with age restriction and data protection principles is part of our technical and organisational measures (Art. 24, Art. 32 GDPR). We reserve the right to amend these provisions as legal or technical requirements evolve.

During Coral Club corporate events (conferences, forums, seminars, training programs, presentations, etc.), photo and video recordings may be carried out to document company activities, improve communications, and inform about the company’s work.

Legal bases for processing:

• Art. 6(1)(f) GDPR — legitimate interest in documenting and communicating company activities;
• Art. 6(1)(a) GDPR — consent, if required (e.g., individual close-up recordings).

Recorded materials may include participants and be used on official websites, social media, presentations, and other materials. Participants may object to processing (Art. 21 GDPR) or withdraw consent (Art. 7(3) GDPR) by emailing rccsrl@gmail.com. Upon objection or withdrawal, the company will cease using the relevant materials and, where possible, delete previously published images.

Note: In wide-angle recordings, group photos, or public events, complete exclusion of individuals may not be technically feasible. Processing is then based on legitimate interest (Recital 47 GDPR).

We may modify this Privacy Policy to reflect changes in legislation, technical developments, or updates to services. Changes are communicated in accordance with Art. 12 and Art. 13(3) GDPR. Material changes affecting purposes or categories of data are communicated at least 30 days in advance (email or prominent notice).

If changes concern processing based on consent (Art. 6(1)(a) GDPR), consent will be requested again if material. The current version is always available on our website; previous versions may be provided on request (Art. 15 GDPR).

Version: October 2025

You may lodge a complaint with any supervisory authority (Art. 77 GDPR), especially in your Member State of residence, work, or where a violation occurred.

Lead authority (Cyprus):
Office of the Commissioner for Personal Data Protection
1 Iasonos Str., 1082 Nicosia, Cyprus
www.dataprotection.gov.cy

Local authority (Italy):
Garante per la Protezione dei Dati Personali (Garante Privacy)
Piazza Venezia, 11, 00187 Rome, Italy
Tel.: +39 06 696771
E-mail: protocollo@gpdp.it
Website: www.gpdp.it

If you have questions, comments, or complaints about this Privacy Policy or data processing, contact us. Requests are handled in accordance with Art. 12, Art. 13(1)(a–b), and Art. 15 GDPR.

Primary contact (data controller):
Coral Club Distribution LTD
Agapinoros 52, 2nd floor, Flat/Office 1, 8049 Paphos, Cyprus
Registration Number: HE343977

Local contact in Italy:
Royal Coral Club SRL
Via Coriano, 58; Bl. 34/F, 47924 Rimini (RN), Italy
Tel.: +39 333 423 6501, +39 0541 39 5124
CF / P. IVA: 03739960403
Codice Destinatario: M5UXCR1
E-mail: rccsrl@gmail.com

We recommend sending confidential information only in encrypted form (Art. 32 GDPR). We generally respond within one month, with possible extension of two months for complex or numerous requests, with prior notification.

We use cookies and similar technologies (web beacons, pixels, local storage) for functionality, security, personalization, and analytics. Storage/access is governed by Art. 122 of the Italian Personal Data Protection Code (D.lgs. 196/2003, as amended), aligning with EU requirements.

Technologies:

• Technically Necessary: Required for website operation. Legal basis: Art. 122(1) Codice Privacy; Art. 6(1)(f) GDPR.
• Analytical, Marketing, Personalisation: Only with consent. Legal basis: Art. 122(1-bis) Codice Privacy; Art. 6(1)(a) GDPR. Consent can be withdrawn via “Cookie Settings”.

Types:

• Session Cookies — deleted after session ends
• Persistent Cookies / Local Storage — stored for defined periods (preferences, login, settings)
• Pixels / Web Beacons — measure interactions/performance

Tools (examples):

• Google Analytics 4 — analytics, IP anonymized, user/event data retained up to 14 months, transfers to US via EU–US DPF or SCC.
• Mixpanel — product/event analytics, consent required.
• Singular — advertising campaign attribution, consent required.

Transfers outside EU/EEA only with adequacy decision (Art. 45 GDPR) or safeguards (Art. 46 GDPR, e.g., SCC/DPF). See providers’ privacy policies for details.

When external content or functions are integrated, providers process data under their own responsibility (Art. 4(1) GDPR). Transfers to third countries comply with Art. 45/46 GDPR.

• Google Maps: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy: policies.google.com/privacy. Transfers to US: EU–US DPF or Art. 46 safeguards.
• Meta (Facebook/Instagram): Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Privacy Policies: Facebook, Instagram. Joint controllership applies for “Page Insights” (Art. 26 GDPR).
• X (Twitter): Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland. Privacy Policy: twitter.com/privacy. Transfers to US: Art. 46 safeguards.
• YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy: policies.google.com/privacy. Transfers to US: EU–US DPF or Art. 46 safeguards.