Política de Privacidad

Information on the processing of personal data pursuant to EU Regulation 2016/679

Eco Bio Boutique SRL (hereinafter the " Owner ") is a company specialized in the marketing and distribution of cosmetic products, phytocosmetics and raw materials for cosmetic use.

Eco Bio Boutique SRL takes the utmost account of the protection and safeguarding of personal data with which it comes into contact during its business, and treats them in full compliance with the legislation applicable from time to time, including - by way of example and not limited to – the EU Regulation 2016/679 (hereinafter the “ Regulation ” or the “ GDPR ”), the Legislative Decree n. 196/2003, as amended by Legislative Decree no. 101/2018 (hereinafter the " Privacy Code "), and the provisions issued by the Italian Personal Data Protection Authority (hereinafter, together with the Regulation and the Privacy Code, the " Personal data protection legislation ").

This information, provided pursuant to art. 13 of the aforementioned Regulation, is intended for those who register on the site https://ecobioboutique.it (hereinafter the " Site ") and/or for those who make a purchase on the Site (hereinafter, jointly, the " Users "). .

1. Data controller

Eco Bio Boutique SRL, with registered office in Rome (Italy), Via Città della Pieve 76, CAP 00191, Tax Code and VAT number 16233951009, PEC address ecobioboutique@legalmail.it.

2. Contact details of the Data Controller

For any information relating to this information, Users can contact the Owner at any time in the following ways:

  • by sending a certified e-mail message to the PEC address ecobioboutique@legalmail.it;
  • by sending a registered letter with return receipt addressed to the Data Controller's headquarters, Via Città della Pieve 76, CAP 00191 – Rome (Italy); or
  • by sending an e-mail message to admin@ecobioboutique.it.

3. Categories of personal data being processed

In relation to the purposes described in this statement, the Data Controller may process the following categories of personal data of Users:

  1. for the purpose of registering an account on the Site: name, surname, e-mail address;
  2. for the purpose of purchasing and shipping products: name, surname, e-mail address, residential and/or shipping address and house number (optionally: interior, staircase, floor, etc.), zip code, city, province, country , telephone number;
  3. data necessary for the management of payments and any refunds.

Navigation data

The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified Users, but which by their very nature could, through processing and association with data held by third parties, allow Users to be identified. This category of data includes the IP addresses or domain names of the computers used by the Site Users, the addresses in URI (Uniform Resource Identifier) ​​notation of the requested resources, the time of the request, the method used to submit the request to the server , the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the Users' IT environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning and are canceled immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the Data Controller and/or caused to the Site. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning and are canceled immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the Data Controller and/or caused to the Site. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning and are canceled immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the Data Controller and/or caused to the Site.

4. Purpose and legal basis of the processing; whether or not the provision of personal data is mandatory; retention of personal data

Users' personal data will be processed for the pursuit of the following purposes:

a) pre-contractual and contractual purposes : to use the services made available by the Data Controller through the Website (for example: warranty and/or after-sales assistance services which require the tracking of purchases for the duration of making the service); participation in prize events and promotional activities (for example: request for samples, discount coupons, surveys, games, etc.); registration on the Website, also via connection to social networks (creation and management of accounts); manage purchases and orders (for example: finalize the check-out; manage the payment; ship the products; inform the User when the product becomes available again, etc.); manage requests for information through the “ Contacts ” section” of the Site or through instant messaging services and/or social networks (by way of example and not limited to, Facebook and Instagram); manage customer care operations (for example: follow up on consumer requests by email or by phone call; manage reports or complaints; manage requests for returns, refunds, exercise of the legal guarantee); manage any complaints; manage any other service made available by the Data Controller through the Site.

The legal basis of the processing carried out for the aforementioned purpose is the execution of a contract of which the User is a party or the adoption of pre-contractual measures adopted at the request of the User, pursuant to art. 6, par. 1, letter b), of the GDPR.

The provision of personal data for this purpose is necessary to manage the commercial relationship, proceed with purchases and provide the services described and those requested by the User. The refusal to provide personal data therefore does not allow the possibility of managing the commercial relationship, proceeding with purchases and providing the indicated services.

Personal data will be kept for the entire duration of the contractual relationship and, after termination, for a maximum period of 10 years from their collection.

In the event of a dispute, they will be kept for the entire duration of the same, until the terms for the appeal actions have expired;

b) management of personal data provided voluntarily by the User.

With the exception of what is specified for navigation data, the User is free to provide personal data by filling in any request forms present on the Site, or by sending appropriate communications.

Failure to provide the personal data requested in the contact forms could make it impossible to send the request to the Data Controller. In these cases, only the information necessary for the requested service will be requested.

In the event that, in using the Site, the User provides personal data of third parties, the User acknowledges and agrees to act as independent data controller, assuming all legal obligations and responsibilities. In this sense, it confers on this point the broadest indemnity to the Data Controller with respect to any objection, claim, request for compensation for damage from treatment, etc., which should reach the Data Controller from third parties whose personal data refer. In any case, the User hereby declares that the processing of personal data of third parties that he should provide via the Site   will be based on an appropriate legal basis pursuant to art. 6 of the Regulation, thus declaring the legitimacy of the processing in question;

c) direct marketing : sending, using automated contact methods (email and instant messaging) and traditional methods (telephone calls with operator and ordinary mail), advertising material, newsletters, promotional and commercial communications relating to products and/or services and/or events relating to the "Eco Bio Boutique" brand, as well as carrying out market studies and statistical analyses.

The legal basis of the processing of personal data carried out for the aforementioned purpose is the free, specific, informed, revocable and modifiable consent at any time, provided by the User, pursuant to art. 6, par. 1, lit. a), of the Regulation.

The User can revoke the consent given at any time and easily and free of charge, by clicking on the " unsubscribe " button present in each e-mail message sent by the Owner (so-called opt-out system).

The provision of personal data for the aforementioned purpose is mandatory for subscribing to the newsletter, and failure to provide personal data for this purpose - as well as failure to provide consent - will not allow the interested party to subscribe to the newsletter. In any case, failure to provide personal data - and the relative consent - does not in any way affect the use of the Site by the User, nor the possibility for the same to make purchases and use the services of the Site.

The personal data provided for this purpose will be processed within the limits of the retention times established by current legislation, until the withdrawal of consent by the User and, in any case, for a period not exceeding 24 months from the last interaction of the concerned with the Owner;

d) promotion and/or direct sale of the Owner's products and/or services similar to those already purchased by the User, by sending e-mail messages : the Owner may use, for the purpose of promoting and/or selling products and / or services similar to those previously purchased by the User, and without the consent of the latter, the e-mail address provided by the User at the time of purchase, without prejudice to the User's opposition to this treatment.

The legal basis of the processing of personal data carried out for the aforementioned purpose is the legitimate interest of the Data Controller to provide the User with products and/or services similar to those already purchased, pursuant to art. 130, paragraph 4, of the Privacy Code and of the " Guidelines on promotional activity and the fight against spam - 4 July 2013 [2542348] "issued by the Italian Personal Data Protection Authority on the subject, which exclude the need for prior obtaining of the interested party's consent to the processing of personal data for this specific purpose.

The User may object at any time and easily and free of charge to the processing of their personal data for the aforementioned purpose in the following ways: (i) by sending an e-mail to assistenza@ecobioboutique.it, or (ii ) by written communication sent to Eco Bio Boutique SRL, Via Città della Pieve 76, CAP 00191 - Rome (Italy), taking care in both cases to indicate one's willingness to exercise the right to object to such treatment, or again (iii ) through the opt-out system set up by the Data Controller in the communications sent for this purpose, and therefore by clicking on the " unsubscribe " button present in each email.

It is understood that each communication sent to the User for the aforementioned purpose will provide for the possibility for the interested party to object to the processing of their personal data for this purpose, by simply clicking on the relative link for exercising the right to object which will be present in the aforementioned communication.

The provision of personal data for the aforementioned purpose is optional and failure to provide it does not in any way affect the use of the Site by the User, nor the possibility for the same to make purchases and use the services of the Site; however, in the absence of said conferment, it will not be possible for the Owner to send the interested party email communications on products and/or services similar to those previously purchased by the User.

The personal data provided for this purpose will be processed within the limits of the retention times established by current legislation, up to the exercise of the right of opposition by the User and, in any case, for a period not exceeding 24 months from the last interaction of the data subject with the Data Controller;

e) fulfillment of legal obligations : the personal data provided by the User may be processed by the Data Controller to fulfill obligations established by law, by an authority, by a regulation or by Italian and/or European legislation. By way of example but not limited to, the aforementioned purpose includes the processing of personal data carried out for the fulfillment of accounting and tax obligations, or for the fulfillment of provisions of the judicial authorities aimed at the prevention and repression of crimes.

The legal basis of the processing of personal data carried out for the aforementioned purpose is the fulfillment of a legal obligation to which the Data Controller is subject, pursuant to art. 6, paragraph 1, lett. c), of the Regulation.

The provision of personal data for this purpose is necessary to manage the commercial relationship, proceed with purchases and provide the services described and those requested by the User. The refusal to provide personal data therefore does not allow the possibility of managing the commercial relationship, proceeding with purchases and providing the indicated services.

Personal data will be kept for the entire duration of the contractual relationship and, after termination, for a maximum period of 10 years from their collection.

In the event of a dispute, they will be kept for the entire duration of the same, until the terms for the appeal actions have expired;

f) right of defense of the Owner : the personal data provided by the User may be processed by the Owner for the protection of the rights of the User and/or of the Owner and for the full exercise of their right of defense both in pre-litigation and in litigation.

The legal basis of the processing of personal data carried out for the aforementioned purpose is the legitimate interest of the Data Controller in the defense and exercise of rights, pursuant to art. 6, par. 1, lit. f), of the Regulation.

The provision of personal data for the aforementioned purpose is necessary to guarantee the right of defence, and failure to provide them does not allow you to proceed with the purchases and receive the services indicated.

5. Retention of personal data

In compliance with the principle of limitation of conservation and the more general principle of proportionality, personal data will be kept in a form that allows identification of the interested parties for a period of time not exceeding the achievement of the purposes for which they are processed and in any case in compliance with the minimum conservation terms established by law and, in any case, with those indicated for each purpose referred to in the previous art. 4.

6. Recipients and transfer of personal data

The personal data of the interested party may be made available and/or communicated to subjects in charge and/or in charge (including external) of the treatment, in relation to the skills and functions of each of them, in order to satisfy the aforementioned purpose or in fulfillment to specific regulatory obligations. By way of non-exhaustive example, the personal data of the interested parties could be made available and/or communicated to:

  • employees of the Data Controller, duly appointed in charge of processing personal data, or collaborators and/or consultants of the Data Controller, duly appointed data processors;
  • companies, consultants or professionals who may be in charge of the installation, maintenance, updating and, in general, the management of the Owner's hardware and software or which the Owner uses for the provision of its products and/or services, also if necessary appointing them system administrators;
  • companies, consultants or professionals who assist the Data Controller in fulfilling specific legal obligations.

In this regard, the Data Controller specifies that the persons in charge to whom the Users' personal data will be disclosed will process them by virtue of a specific appointment or assignment, in accordance with the requirements of art. 29 of the Regulation, and that the third parties to whom the personal data will be made available will process them as external managers of the processing of personal data on behalf of the Data Controller, on the basis of specific appointment documents, in compliance with the requirements of art. 28 of the Regulation.

An updated list of names of the subjects appointed as data processors is always available to interested parties, who can request it from the Data Controller in the manner set out in the following art. 7.

In particular, the Owner informs Users that the Site is hosted by the Shopify platform, a platform provided by Shopify Inc. that allows the Owner to develop, operate and host the Site. The Owner has appointed Shopify as external data processor personal data of Users, in compliance with the provisions of art. 28 of the GDPR. For further information about the treatments carried out by Shopify on behalf of the Data Controller, the User is invited to click on the link https://it.shopify.com/legal/privacy/customers , the content of which must be understood here as fully referenced and transcribed in the version in force from time to time.

The personal data of the interested parties collected will not be disclosed, made available or data for consultation in any form to subjects other than those indicated in this information and/or required by current legislation.

The User's personal data will not be transferred outside the European Economic Area; however, in such an eventuality, the Data Controller specifies that the treatment will take place according to one of the methods permitted by the legislation on the protection of personal data, such as the adoption of Standard Clauses approved by the European Commission, the selection of subjects adhering to international programs for the free circulation of data or operating in countries considered safe by the European Commission, etc. It is possible to receive further information, upon request, from the Data Controller at the contacts indicated above.

7. Your rights regarding your personal data

The legislation on the processing of personal data grants the User the right to exercise the following rights:

  • the right to access your personal data in accordance with the provisions of Article 15 of the Regulation;
  • the right to obtain the rectification or integration of personal data in accordance with the provisions of article 16 of the Regulation;
  • the right to obtain the cancellation of personal data, according to the provisions of article 17 of the Regulation, (unless the processing of personal data of the interested party is necessary for a. the exercise of the right to freedom of expression and information b. the fulfillment of a legal obligation which requires the processing envisaged by European Union or Italian law or for the execution of a task carried out in the public interest or in the exercise of public powers vested in the Data Controller; c reasons of public interest in the field of public health d .archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89, paragraph 1, of the Regulation, to the extent that the right to erasure risks making it impossible or seriously jeopardizing the achievement of the objectives of such processing ; And. the ascertainment, exercise or defense of a right in court by the Data Controller);
  • the right to obtain the limitation of the processing of personal data, within the limits of the provisions of article 18 of the Regulation;
  • the right to the portability of personal data, and therefore the right to receive, in a structured format, commonly used and readable by an automatic device, the personal data collected by the Data Controller and also the right to transmit such personal data to another data controller , under the conditions referred to in Article 20 of the Regulation;
  • the right to objectat any time, within the limits of the provisions of article 21 of the Regulation, for reasons connected to his particular situation, to the processing of personal data concerning him pursuant to article 6, paragraph 1, letters e) (performance of a task of public interest or connected to the exercise of public powers) of) (legitimate interest of the Data Controller), including profiling, on the basis of these provisions. The Data Controller will therefore refrain from further processing the personal data of the interested party, unless the Data Controller demonstrates the existence of compelling legitimate reasons for proceeding with the processing which prevail over the interests, rights and freedoms of the User, or for the verification , the exercise or defense of a right in court.
  • the right to revoke each of the consents given at any time, without prejudice to the lawfulness of the processing carried out on the basis of said consent prior to the revocation, pursuant to art. 7 of the Regulation;
  • the right to lodge a complaint with the Personal Data Protection Authority (www.garanteprivacy.it) or with the ordinary judicial authority, pursuant to articles 77 and 79 of the Regulation.

All the rights indicated may be exercised by contacting the Data Controller by sending an e-mail message to the address atencion@ecobioboutique.es , or by mail addressed to Eco Bio Boutique SRL, Via Città della Pieve 76, CAP 00191, Rome (Italy) , indicating your identification data, postal or e-mail address, the reasons for the request and supporting documentation, including your identity document.

It is understood that, for the purposes of exercising the right to revoke the consent given and/or to oppose the processing of personal data, the User is not required to provide any supporting documentation, except for a specific written request to that effect from part of the Owner in the event that it is impossible to identify the User at the time in which he exercises these rights.

This information is updated as of 17/01/2023 . Users are invited to regularly consult the Site in order to view the most recent version of this information.