JOINT CONTROLLERSHIP NOTICE — Meta and TikTok advertising pixels (Selv-a)
Effective date: 2026-04-19 Last updated: 2026-04-19
1. Why this notice exists
When Selv-a's marketing website loads the Meta Pixel and (where activated) the TikTok Pixel, two parties act as controllers for the personal data the pixels collect at the moment of loading and for the conversion events that follow.
Selv-a (operated by Luminibus S.r.l.s. socio unico, Italian company number 03034600183) is the website operator. We decide that the pixel is embedded, on which pages it is embedded, and which conversion events we send.
Meta Platforms Ireland Ltd. (Dublin, Ireland) and TikTok Information Technologies UK Limited together with TikTok Technology Limited (Dublin, Ireland) — referred to collectively as the Pixel Providers — receive the data from your browser and use it for their own measurement, audience-building, and platform purposes as set out in their respective business-products terms.
The Court of Justice of the European Union held in Fashion ID (C-40/17) that this configuration creates joint controllership for the collection-and-transmission stage. This notice is the public-facing record required by Article 26(2) GDPR.
2. What data is collected and when
The pixels load only after you grant consent through Cookiebot, our consent management platform. Until you grant consent, the pixels do not run and no data is sent to the Pixel Providers. The cookie-free /download page never loads either pixel.
When loaded with consent, the pixels collect the following from your browser:
- IP address
- User-Agent string and basic browser characteristics
- The page URL you visit and the referrer URL
- UTM parameters and click identifiers (Meta fbc / fbp; TikTok ttclid)
- Conversion events that we send via JavaScript and via Meta's server-side Conversions API: sign-up, paywall view, subscription started, and similar product events
- A SHA-256 hash of your email address, when an account is identifiable, sent only via Meta's Conversions API for matching purposes
- We do not transmit special category data (Article 9 GDPR) to the Pixel Providers.
3. Allocation of responsibilities under Article 26(2) GDPR
This is the essential allocation between Selv-a and the Pixel Providers. It is summarised here and reproduced in full inside our internal Records of Processing Activities (ROPA).
3.1 Information to data subjects (Articles 13 and 14 GDPR)
Selv-a is the primary contact for the information that has to be given to you about this joint processing. This notice plus our Cookie Notice and Privacy Policy fulfil that obligation. The Pixel Providers also publish their own privacy notices, which apply to their independent downstream use of the data.
3.2 Lawful basis for the collection-and-transmission stage
Consent under Article 6(1)(a) GDPR, collected through Cookiebot. You can withdraw consent at any time by clicking "Cookie Preferences" in the website footer. Withdrawal stops new collection but does not retroactively delete events the Pixel Providers have already received.
3.3 Exercise of rights (Articles 15 to 22 GDPR)
You may exercise your rights against either party. We act as the primary contact for rights requests that touch the data Selv-a holds about your visit. For rights against the data the Pixel Providers hold downstream you must also contact them directly. We will assist by relaying your request where reasonably possible.
3.4 Security and breach notification
Each party is responsible for the security of the data inside its own systems. If a breach affecting jointly controlled data occurs, the party that detects it will notify the other without undue delay so that the breach-notification obligations under Articles 33 and 34 GDPR can be coordinated.
3.5 International transfers
Meta Platforms, Inc. (the US group entity) is self-certified under the EU-US Data Privacy Framework. Standard Contractual Clauses (Module 1, controller-to-controller) apply as a secondary safeguard under Meta's Controller Addendum. TikTok relies on Standard Contractual Clauses (Module 1) plus the supplementary measures published by TikTok as part of Project Clover for EEA-user data residency. The residual risk of access from authorities in the People's Republic of China is disclosed and accepted by Selv-a in our internal records.
3.6 Records and audit
Each party maintains its own Article 30 record. Selv-a's record is held internally and made available to the Garante on request.
4. The Pixel Providers' own information
For the parts of the processing that the Pixel Providers control independently after the data leaves your browser — including but not limited to ad-targeting, audience building, model training, and product analytics — please see:
- Meta: https://www.facebook.com/policy.php and https://www.facebook.com/legal/controller_addendum
- TikTok: https://www.tiktok.com/legal/page/global/privacy-policy/en and https://ads.tiktok.com/i18n/official/policy/business-products
5. Your contact points
Primary contact at Selv-a:
- Privacy email: privacy@selv-a.com
- Postal address: Luminibus S.r.l.s. socio unico, Via Papa Giovanni XXIII 8, 27052 Godiasco Salice Terme (PV), Italy
- PEC: luminibus@legalmail.it
- Selv-a does not have a Data Protection Officer; the conditions of Article 37(1) GDPR are not met. The privacy contact remains privacy@selv-a.com.
The Pixel Providers' own privacy contacts are listed in their respective notices linked above. You can also lodge a complaint with the Garante per la protezione dei dati personali (https://www.garanteprivacy.it) or with your national supervisory authority.
6. Updates to this notice
If we change which pixels are embedded, change the events we send, or if a Pixel Provider materially changes its terms, we will update this notice and the effective date above. The corresponding entry in our ROPA at section 2.13 (Meta) and 2.14 (TikTok) is updated at the same time.