Privacy Policy of drinkmzero.com
Last updated: 08 June 2026
This Privacy Policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and explains how Mzero Sealab Srl, as data controller, collects and processes personal data of users visiting www.drinkmzero.com, interacting with MZERO content, submitting forms, subscribing to newsletters, participating in promotional activities or making purchases, where applicable.
1. Data Controller
Mzero Sealab Srl, registered office at Via Magellano 25, 87020 Bonifati (CS) VAT 03834310785, is the Data Controller. Privacy requests may be sent to legal@drinkmzero.com.
2. Scope
This Policy applies to the Website, pages connected to the drinkmzero.com domain, online forms, email communications managed by the Controller, digital campaigns and, where available, promotional landing pages, newsletters, online shop, events and customer care activities. It does not apply to third-party websites, social networks or external platforms, which are governed by their own privacy notices.
3. Categories of personal data
We may process browsing data and technical logs; identification and contact data voluntarily provided by users; customer care and business request data; newsletter and marketing data; order, payment and delivery data where e-commerce is active; data collected through cookies, pixels, tags and similar technologies; and data originating from social networks or third-party platforms when users interact with MZERO profiles, campaigns or content.
4. Browsing and security data
The Website automatically collects technical data required for operation, including IP address, online identifiers, user agent, date and time of access, visited pages, referrer, technical errors and security information. These data are used to deliver the Website, prevent abuse, maintain security, diagnose technical issues and protect the Controller’s rights.
5. Data provided through forms, email or requests
When users submit a form, send an email or contact the Controller, we may process name, surname, email, telephone number, company, country, message, preferences and any other data voluntarily provided. Users should not submit special categories of data or unnecessary sensitive information.
6. Newsletter, marketing and profiling
Subject to consent, the Controller may send promotional communications, event invitations, MZERO product news, editorial content and commercial offers. If profiling, advanced segmentation, remarketing or behavioural advertising tools are used, the related processing will be carried out only on the basis of specific and revocable consent.
7. Age gate and minors
The Website and content relating to alcoholic beverages are intended only for users who have reached the legal drinking age in their country of residence. The Controller does not knowingly collect personal data from minors. If a parent or guardian believes that a minor has provided personal data, they may contact the Controller to request deletion.
8. Online purchases, payments and delivery – if applicable
If the Website enables online purchases, the Controller processes data required to manage orders, payments, invoicing, delivery, returns, assistance, warranty, fraud prevention and tax obligations. Payment data may be processed by specialised payment providers; as a rule, the Controller does not store full payment card data unless strictly necessary and permitted by law.
9. Competitions, events, tastings and promotions
Specific privacy notices may be issued for prize competitions, promotional operations, events, tastings or special campaigns. In case of conflict, the specific notice for the relevant initiative will prevail for processing related to that initiative.
10. Automated decision-making
Unless otherwise stated in a specific notice, the Controller does not make decisions based solely on automated processing that produce legal effects or similarly significantly affect users within the meaning of Article 22 GDPR.
11. Purposes, legal bases and retention
| Purpose | Legal basis | Indicative retention |
| Website delivery, security, maintenance and abuse prevention | Legitimate interest; legal obligation where applicable | Technical logs: [7-90 days], unless required for security or legal claims |
| Replying to forms/email/customer care requests | Pre-contractual/contractual steps; legitimate interest | [12-24 months] after closure of the request |
| B2B contacts, distributors, suppliers and partners | Pre-contractual/contractual steps; legitimate interest | Relationship duration + [10 years] for relevant records |
| Newsletter and direct marketing | Consent; soft spam within legal limits for customers | Until withdrawal or [24 months] after last meaningful interaction |
| Profiling, remarketing, personalised advertising, lookalike audiences | Specific consent | According to cookie/CMP duration and in any case no longer than [12-24 months], unless withdrawn |
| Orders, payments, delivery, invoices, after-sales assistance | Contract; legal obligation; legitimate anti-fraud interest | Contract duration + applicable tax/civil law periods, generally 10 years |
| Competitions, events and promotions | Contract/rules; consent for marketing; legal obligation | According to specific rules/notice and legal requirements |
| Establishment, exercise or defence of legal claims | Legitimate interest; legal obligation | As long as necessary to protect rights and up to the applicable limitation period |
12. Provision of data
Data necessary for the technical operation of the Website are processed automatically. Data requested in forms are needed to handle the request; failure to provide them may prevent us from replying. Consent to newsletters, marketing, profiling and non-essential cookies is optional and may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
13. Processing methods and security
Personal data are processed using electronic and, where necessary, paper-based means, in accordance with principles of lawfulness, fairness, transparency, minimisation, storage limitation, integrity and confidentiality. The Controller applies appropriate technical and organisational measures, including access control, individual credentials, backups, software updates, malware protection, privilege limitation and internal procedures for handling requests and incidents.
14. Recipients and processors
Data may be processed by authorised personnel and external providers supporting the Controller, such as hosting providers, web developers, email/newsletter platforms, CRM, analytics services, consent management platforms, marketing agencies, social/advertising platforms, couriers, payment providers, legal/tax advisors, IT companies and competent authorities. Where these parties process data on behalf of the Controller, they are appointed as processors pursuant to Article 28 GDPR. An updated list of recipient categories is available upon request.
Providers currently declared for drinkmzero.com
As of the update date of this template, the following providers/tools should be included among the Website providers:
- Meta Platforms Ireland Ltd. / Meta Facebook Pixel: campaign measurement, conversion tracking, remarketing and personalised advertising, only with prior consent where required.
- Google Ireland Ltd. / Google Analytics: usage statistics, traffic measurement and Website performance; to be configured with privacy-oriented settings and consent for non-exempt analytics.
- Google Ireland Ltd. / Google Tag Manager: centralised tag management; the container must be configured to block analytics, pixel and marketing tags before consent.
- Google Ireland Ltd. / Google Search Console: domain ownership verification and aggregated reports on indexing, search queries and SEO performance; as a rule, it does not place tracking cookies on the user device, but it should still be listed among the Google tools used by the Controller.
15. Transfers outside the EEA
Some providers may process personal data outside the European Economic Area. In such cases, transfers will take place only where an appropriate legal mechanism is in place, such as adequacy decisions, Standard Contractual Clauses approved by the European Commission, supplementary technical/organisational measures or other safeguards under Articles 44 et seq. GDPR. extra-EEA providers: Google, Meta.
16. Cookies and similar technologies
The Website uses cookies and similar technologies. Technical cookies are necessary and do not require consent. Non-anonymised analytics cookies, marketing cookies, profiling tools, social plugins, pixels, remarketing tags and similar technologies are installed only with prior consent where required. Users may manage, change or withdraw their preferences through the cookie panel available on the Website. Further details are provided in the Cookie Policy attached to this document or published separately.
17. Data subject rights
Users may exercise the rights provided by Articles 15-22 GDPR: access, rectification, erasure, restriction, objection, portability, withdrawal of consent and the right not to be subject to automated decision-making in the cases provided by law. Requests may be sent to [privacy email]. The Controller will reply within the statutory timeframe. Users may also lodge a complaint with the Italian Data Protection Authority or bring a claim before the competent courts.
18. Links, social networks and embedded content
The Website may contain links to third-party websites, social profiles, videos, maps, marketplaces, distributors or external platforms. Interaction with those services may involve independent processing by the relevant providers. Users should review third-party privacy notices before interacting with such services.
19. Changes to this Privacy Policy
The Controller may update this Policy at any time. Changes will be published on this page with the last updated date. In case of material changes, the Controller may adopt additional notices proportionate to the nature of the processing.
PART D – ENGLISH COOKIE POLICY
This section may be published as a standalone “Cookie Policy” page or attached to the Privacy Policy. It must be updated after a technical scan of the cookies actually used on the Website.
1. What cookies are
Cookies are small text files that websites send to the user’s device, where they are stored and then sent back to the same websites on subsequent visits. Similar technologies include pixels, tags, beacons, SDKs, local storage and other online identifiers.
2. Cookie categories
| Category | Description | Consent |
| Strictly necessary | Enable browsing, security, load balancing, session management, language, cart or essential preferences. | No |
| Functional/preferences | Remember non-essential choices, such as advanced language, region or customised settings. | Yes, unless strictly technically necessary |
| Analytics | Measure traffic, visited pages, performance and interactions. If anonymised and not combined with other data, simplified rules may apply; otherwise consent is required. | Depends on configuration; prudentially yes |
| Marketing/profiling | Enable personalised advertising, remarketing, conversion tracking, segmentation, lookalike audiences and campaign measurement. | Yes |
| Social/plugins/third-party content | Enable display or sharing of content from social networks, videos, maps or external platforms. | Yes, where non-essential tracking occurs |
Cookie table to complete
| Cookie/technology name | Provider | Purpose | Duration | Category | Legal basis |
| cookie_consent / CMP cookie | MZERO/CMP | Storing cookie preferences and proof of consent/withdrawal | [6-12 months] | Necessary | Legitimate interest/technical necessity |
| _ga; _ga_<ID>; any GA4 cookies | Google Analytics / Google Ireland Ltd. | Analytics, aggregated statistics, traffic measurement and Website performance | [to be verified: e.g. up to 2 years] | Analytics | Consent, unless a genuinely exempt/anonymised configuration applies |
| Google Tag Manager container | Google Tag Manager / Google Ireland Ltd. | Centralised management and activation of Website tags | Does not necessarily set its own cookies; depends on loaded tags | Technical/instrumental or marketing depending on tags | Legitimate interest for technical management; consent for non-essential tags |
| _fbp; _fbc; Meta Pixel event data | Meta Platforms Ireland Ltd. / Meta Facebook Pixel | Conversion tracking, remarketing, campaign measurement, personalised advertising and lookalike audiences | [to be verified: e.g. up to 90 days/2 years depending on configuration] | Marketing/profiling | Consent |
| Search Console verification/report | Google Search Console / Google Ireland Ltd. | Domain ownership verification, indexing and aggregated SEO reports | As a rule, no user-side cookie; aggregated data in Google panel | Technical/SEO tool | Legitimate interest |
4. Consent management
On the first visit, the Website displays a banner allowing users to accept, reject or customise non-essential cookies. Closing the banner, scrolling or continuing navigation does not, by itself, constitute consent. Users may change or withdraw consent at any time through the “Manage cookie preferences” link available in the footer or banner.
5. Browser settings and third parties
Users may also manage cookies through their browser settings. Disabling technical cookies may affect certain Website features. For third-party cookies, users should also consult the privacy notices of the relevant providers.
6. Contact form
Form notice: “The data provided will be processed by Mzero Sealab Srl to reply to your request, as described in the Privacy Policy. Fields marked with an asterisk are required.”
Mandatory non-marketing checkbox: “I confirm that I have read the Privacy Policy.”
Optional marketing checkbox: “I consent to receiving promotional communications, newsletters, event invitations and updates about MZERO products. I may withdraw my consent at any time.”