Privacy policy

SysterBeauty cares about your privacy

Syster processes your personal data in accordance with the European General Data Protection Regulation 2016/679 ("GDPR"), taking all appropriate security measures to protect your personal data.

 

This policy (hereinafter, the "Privacy Policy") contains all the details relating to how Syster processes your personal data, so please read it carefully.

This Privacy Policy is provided to users of the website www.systerbeauty.com (hereinafter, the "Website") and has been prepared in accordance with article 13 of the GDPR.

 

  1. Data Controller:

Muuh S.r.l., with registered office in Milan, Via Giuseppe Mazzini 9/11, Tax Code and VAT number IT09938460962 (hereinafter, the "Data Controller" or "Syster") can be reached at the following email address: amministrazione@abiby.it

 

  2. Data subject to processing:

The Data Controller will process the following personal data:

  1. Data provided voluntarily by the user (e.g., name, surname, address, telephone, email) (hereinafter referred to as "personal data" or also "data"): this is data provided directly by you when you create your personal area on the Website and/or fill in the relevant forms (e.g., Newsletter, Contact Us, etc.).
  2. Purchase data (e.g., orders placed, address, payment method, credit/debit card details): this is the information you provide to Syster when you decide to purchase a product through the Website.
  3. Third-party data: this is third-party data that you decide to provide to us (e.g., during the purchase process, by entering this information for payment and/or shipping purposes). In this case, please ensure that these parties have been previously and adequately informed about the methods and purposes of processing indicated here. In situations of this type, you act as an independent data controller, assuming all legal obligations and responsibilities.
  4. Data collected using cookies or similar technologies. For more information, please refer to the Cookie Policy.
  5. Technical data: this data category includes the IP addresses or domain names of the computers used by users connecting to the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is used for the sole purpose of obtaining statistical information (and is, therefore, anonymous) and to verify the proper functioning of the website, and is deleted immediately after processing. The data could be used to ascertain responsibility in the case of any computer crimes against the website; with the exception of this eventuality, the data on web contacts is stored for no longer than 7 days.

 

  3. Purpose and legal basis of the processing:

Your personal data will be processed for the following purposes:

  a. To create your personal area on the Website and to finalise the purchase of products.

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter b) of the GDPR "Processing is necessary for the execution of a contract of which the Data Subject is a party or for the execution of pre-contractual measures adopted at the request of the same".

The provision of personal data for this purpose is optional, but without it, it will not be possible for the Data Controller to finalise the creation of your personal area, nor to follow up on your requests and/or finalise the purchase of products through the Website.

 

  b. To allow you to subscribe to our Newsletter.

Subject to your specific consent, the Data Controller may send you promotional communications by email regarding the Data Controller's products and/or services and/or initiatives.

 

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter a) of the GDPR "consent of the data subject".

The provision of personal data for this purpose is optional and may be revoked at any time according to the procedures indicated in point 8 of this Privacy Policy without affecting the lawfulness of the processing based on the consent given before revocation.

 

  c. To send communications relating to the products/services purchased.

The Data Controller may use your email address provided at the time of account registration and/or purchase of products through the Website, to send you commercial communications regarding products and services similar to those purchased by you (referred to as "soft spam").

 

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter f) of the GDPR "Processing is necessary for the purposes of the legitimate interests pursued by a data controller or third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child" and article 130, paragraph 4 of Italian Legislative Decree 196/2003, Italian Privacy Code.

 

  d. For carrying out direct marketing activities.

We process your personal data, subject to your free, specific and informed consent, to update you on our promotional, commercial and advertising initiatives regarding events, initiatives or partnerships of the Data Controller (including any initiatives reserved for you on your birthday), to conduct market and user satisfaction surveys, in accordance with the requirements of the Italian Personal Data Protection Authority's provision "Guidelines on promotional and anti-spam activities – 4 July 2013 [2542348]".

If you decide to give your consent, we would like to inform you that these activities may be carried out, as provided for by the regulations in force, by letter, telephone contact by an operator ("traditional methods"), email (newsletters), sending of text messages, push notifications and use of social networks ("automated methods"). In this respect, we would like to point out that we will only collect one consent for the above-mentioned marketing purposes, in accordance with the aforementioned Guidelines. In addition, we will process your data to carry out analysis and reporting activities relating to promotional communication systems, such as tracking the number of emails opened, clicks on links included in emails, types of device used to read the emails and the related operating systems, and a list of people who unsubscribe from the newsletter.

 

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter a) of the GDPR "consent of the data subject".

The provision of personal data for this purpose is optional and may be revoked at any time according to the procedures indicated in point 8 of this Privacy Policy without affecting the lawfulness of the processing based on the consent given before revocation.

 

  e. For carrying out profiling activities.

Subject to your consent, the Data Controller may process your personal data in order to analyse, also with the aid of electronic instruments, your interests, habits and consumption choices, in order to be able to send you personalised information and promotional material on the services and products offered by the Data Controller and in order to improve the range of products and services offered.

 

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter a) of the GDPR "consent of the data subject".

The provision of personal data for this purpose is optional and may be revoked at any time according to the procedures indicated in point 8 of this Privacy Policy without affecting the lawfulness of the processing based on the consent given before revocation.

 

  f. To carry out third-party marketing activities.

Subject to your consent, the Data Controller may disclose your data to its business partners operating in the luxury goods, publishing or event organisation sectors to enable them to send you invitations to events organised in partnership with the Data Controller and/or to send you promotional communications.

 

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter a) of the GDPR "consent of the data subject".

The provision of personal data for this purpose is optional and may be revoked at any time according to the procedures indicated in point 8 of this Privacy Policy without affecting the lawfulness of the processing based on the consent given before revocation.

 

  g. To fulfil legal obligations to which the Data Controller is subject.

The Data Controller may use your personal data to (i) comply with any obligations imposed by applicable laws, regulations or EU legislation, or respond to requests from authorities (ii) follow up on requests from data subjects to exercise their rights, involving, where appropriate, third parties appointed as data processors.

 

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter c) of the GDPR "The processing is necessary for compliance with a legal obligation to which the data controller is subject".

 

  h. For the pursuit of the legitimate interests of the Data Controller.

The Data Controller may use your personal data for (i) purposes of preventing fraud committed through the use of the Website and to allow the Data Controller to protect itself in court, (ii) to allow the Data Controller to complete a potential merger, sale of assets, sale of a company or business unit by disclosing and transferring your personal data to the third party(ies) involved.

 

With reference to this purpose, the legal basis for the processing of your personal data is article 6, paragraph 1, letter f) of the GDPR "Processing is necessary for the purposes of the legitimate interests pursued by a data controller or third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".

 

  4. Data recipients:

Your data may be shared with:

  1. persons authorised by the Data Controller to process personal data who have undertaken to maintain confidentiality or have an appropriate legal obligation of confidentiality;
  2. subjects delegated and/or appointed by the Data Controller to carry out activities strictly related to the pursuit of the aforementioned purposes (including technical maintenance interventions of the systems), duly appointed as data processors;
  3. persons, companies, or professional firms that provide assistance and consultation to the Data Controller, duly appointed as data processors;
  4. persons, entities or authorities who require the communication of your personal information as mandated by law or by order of the competent authorities.

  5. Data transfer:

Your personal data may be transferred outside the European Economic Area. In particular, for the management of the Website, Syster avails itself of the collaboration of Shopify International Ltd. (hereafter, also the "Provider"), which may – for the sole purpose of fulfilling its contractual obligations – transfer your data to entities located in countries outside the European Economic Area, such as Canada and the United States. For more information on the third parties used by the Provider, please refer to the following link https://help.shopify.com/it/manual/your-account/privacy/GDPR/subprocessors.

In this regard, we would like to inform you that the Provider, as a result of the judgment of 16 July 2020 (the so-called "Schrems II" judgment), has implemented additional technical and organisational measures aimed at ensuring the same level of protection guaranteed by the GDPR to personal data processing operations carried out by persons residing in third countries outside the European Economic Area. For more information on the measures adopted by the Provider, please refer to the following link https://help.shopify.com/pdf/cross-border-whitepaper.pdf.

 

  6. Data storage period:

The Data Controller will process personal data for the time strictly necessary to fulfil the purposes referred to in article 3 above.

 

In particular, we must inform you that:

  • the personal data processed for the pursuit of the purposes referred to in point 3.a of this Privacy Policy will be kept for 10 years from the time of purchase.

 

  • the personal data processed for the pursuit of the purposes referred to in points 3.b, (d), (e) and (f) of this Privacy Policy will be kept until your consent is revoked.

 

  • the personal data processed for the pursuit of the purposes referred to in point 3.g of this Privacy Policy will be kept until the time required by the specific obligation or applicable law.

 

  • the personal data processed in pursuit of the purposes set out in point 3.c and (h) of this Privacy Policy shall be retained until the data subject exercises his or her right to object, without prejudice to the right of the Data Controller to retain your personal data for the period of time provided for and permitted by the applicable law to protect its interests.

 

  7. Data protection:

Your personal data is processed by the Data Controller in full compliance with current legislation. In particular, in order to ensure the security of your personal data, taking into account the state of the art and the costs of implementation, as well as the nature, subject matter, context and purposes of the processing, and the risk of varying degrees of likelihood and severity to the rights and freedoms of natural persons, the Data Controller has adopted appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

 

  8. Rights of the data subject:

To revoke the consent given for direct marketing purposes, you can contact the Data Controller by writing to the following email address: amministrazione@abiby.it.

 

In your capacity as a data subject, in accordance with the GDPR, you have the right to ask the Data Controller, at any time, for access to your personal data, to rectify or erase it or to object to its processing. The law also allows you to exercise the right to request the restriction of processing in the cases provided for by article 18 of the GDPR, as well as to obtain in a structured, commonly used, and machine-readable format the data concerning you, in the cases provided for by article 20 of the GDPR.

Requests can be sent to the following email address: amministrazione@abiby.it.

Lastly, we would like to remind you that you always have the right to lodge a complaint with the competent supervisory authority (the Italian Personal Data Protection Authority, Garante per la Protezione dei Dati Personali), pursuant to article 77 of the GDPR, if you believe that the processing of your data is contrary to the legislation in force.

 

 

Date of issue of this Privacy Policy: 15 November 2021.