Pursuant to Article 13 of Regulation (EU) No. 2016/679 (hereinafter the "GDPR") on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), as a user of this website you are hereby informed that the personal data you provide will be processed using methods and procedures designed to ensure that this is done in accordance with the fundamental rights and freedoms and the dignity of the data subject, with particular reference to confidentiality and security, personal identity and the right to personal data protection.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4, GDPR).
By registering with this website, you voluntarily disclose to PharmaNutra S.p.A., tax code/VAT no. 01679440501, with registered offices at via delle Lenze, 216/B - 56122 Pisa, and Bloomart S.r.l., tax code/VAT no. IT02023720515 with registered offices at via Impiano 1, Laterina (AR), your personal data, which will be processed in compliance with the principles of personal data protection established by Regulation (EU) No. 679/2016 and other applicable regulations.
The provision of data is optional. However, failure to provide the data deemed mandatory (marked with an asterisk *) will prevent proper registration on the website, as well as the possibility of using the services reserved for registered users provided by the portal, and, in the case of a purchase, the fulfilment of the purchase order, the order proposal and the execution of the corresponding contract.
Data Controller, Data Protection Officer and Data Processors
The Data Controller that manages your data is PharmaNutra S.p.A., tax code/VAT no. 01679440501, with registered offices at via delle Lenze, 216/B - 56122 Pisa, duly represented by its legal representative. The updated list of the data processors appointed by the Data Controller pursuant to Article 28 of the aforementioned EU Regulation and of the subjects authorised to process the data can be consulted at the offices of the Data Controller, PharmaNutra S.p.A.
Purpose of processing
The Data Controller will process your personal data, identification data (such as your first name, last name, date of birth, home address, email address) as well as your shipping and billing address and your IP address, login information, browser type and version, time zone, plug-in types, geolocation information regarding where you might be located, and operating system and its versions. The Data Controller will process data relating to your browsing path within shop.cetilar.com, the products and services you have viewed, page loading and response times, download errors and browsing time. The Data Controller will not collect any kind of sensitive data or special categories of data concerning you (i.e. personal data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning your health or sexual life or sexual orientation, judicial or banking data).
As soon as you interact with shop.cetilar.com, the Data Controller starts collecting data. Data may be collected either through your specific disclosure or automatically during your use of the website. This is how the collection takes place:
| |Data you provide|Data we collect automatically|
|---|---|---|
|Your identification data (name, surname, date of birth, address and e-mail)| | |
|Your telephone number|X (only if provided on your own initiative)| |
|Use of Cetilar|X|X|
|Conclusion of purchase orders|X|X|
|Customer Care service|X|X (order number only)|
|Marketing information (newsletters, etc.)|X (only with your explicit consent)| |
Legal basis of processing
Your personal data will be processed in accordance with Article 6(1)(a) and (b). Please note: consent is not a condition for the lawfulness of the processing when it is justified by the need to fulfil a contract or pre-contractual measures or, lastly, to fulfil a legal obligation to which the Data Controller itself is subject. However, it will always be possible to request clarification regarding the sound legal basis of each processing operation and in particular to specify whether the processing is based on the law, provided for by a contract or necessary to conclude a contract.
The deeds of appointment of data processors, internal authorised persons, any requests and any other information concerning your data may be consulted at the Data Controller's offices.
Purposes and methods of data processing
The personal data collected with this registration are processed in order to allow access to the services provided by the portal and reserved for registered users. If you expressed your consent when the service was activated, or express it subsequently and until such time as consent is withdrawn, your personal data may be processed by the Data Controller, also by means of third-party companies, which are in turn responsible for processing the data and are indicated in the above-mentioned list, to:
1) allow registration on the website and access to and use of the services provided by the portals and reserved for registered users, as well as to allow the Data Controller to fulfil the online sale contract;
2) send users who expressed their consent when the service was activated, or express it subsequently, and until such time as consent is withdrawn, commercial information on its own products and services, or those of third party companies, including by automated means, for direct sales purposes, as well as to distribute market research and user satisfaction surveys;
3) disclose and transfer to third parties the data of users, if they expressed their consent when the service was activated, or express it subsequently, and until such time as consent is withdrawn, to distribute commercial information on their own products and services, including by automated means, for direct sales and market research purposes;
4) carry out, if the users gave their consent when the service was activated, or express it subsequently, and until such time as consent is withdrawn, also by means of electronic means, activities to analyse specific behaviour and consumption habits, in order to improve the services provided and direct commercial proposals of interest to the user, also offering to third parties the pooled data summarising openings and clicks obtained through a tracking system using "cookies";
5) The Data Controller will also use personal data for administrative and accounting purposes and to fulfil its contractual obligations towards its customers.
Personal data submitted through the registration procedures for website services may be processed by the Data Controller using automated means. The Data Controller will not process the aforementioned data in pooled form (e.g. classification of the entire clientele into homogeneous service level, consumption, spending categories, etc.) in order to periodically monitor the development and economic performance of the Data Controller's business.
The Data Controller has specific security measures (including in-house measures) in place to prevent the loss of data, illegal or improper use and unauthorised access. Personal data are recorded and stored on electronic databases located in Italy and in countries belonging to the European Economic Area (EEA), but not in non-EU third countries. Personal data provided by users may also be processed by companies, entities or consortia, appointed as data processors pursuant to Article 28 of the aforementioned EU Regulation, which, on behalf of the Data Controller, provide specific processing services, or related, instrumental or support activities.
These data processors include the provider of the website hosting service.
Personal data provided by users may also be disclosed:
- to subsidiary or associated companies;
- to entities granted the right to access the personal data by legal provisions, regulations or by Community legislation;
- to entities in relation to which disclosure is required by rules of law or regulations, or by public entities for the conduct of their institutional functions.
The retention period for the above-mentioned personal data is:
- 24 months for the purposes referred to in points 2) and 3);
- 12 months for the purpose referred to in point 4);
- 10 years from the date of termination of the contractual relationship for the purpose referred to in point 5).
The Data Controller has specific security measures in place so that the confidentiality, integrity, correctness and availability of the processed personal data is guaranteed and unauthorised access to them is prevented.
Rights of the data subject
The data subject is entitled to ask the Data Controller to have access to the personal data concerning him/her, as well as to their rectification and erasure, to restrict or object to their processing and to their portability, if they are processed automatically on the basis of consent or for the execution of a contract. The data subject is entitled to withdraw consent at any time without prejudice to the lawfulness of the processing based upon consent performed prior to such withdrawal. The data subject is entitled to file a complaint with the Italian Data Protection Authority, pursuant to Article 77 of Regulation (EU) No. 679/2016. In particular, in accordance with the provisions of the GDPR, the data subject has the following rights vis-à-vis the Data Controller:
- to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data (Right of access, Article 15);
- to obtain rectification of inaccurate personal data concerning him/her without undue delay (Right to rectification, Article 16);
- to obtain the erasure of personal data concerning him or her without undue delay and the Data Controller shall have to erase personal data without undue delay where certain conditions exist (Right to be forgotten, Article 17);
- to obtain the restriction of processing in certain cases (Right to restriction of processing, Article 18);
- to receive the personal data concerning him or her, which he or she has provided in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided, in certain cases (Right to data portability, Article 20);
- to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you (Right to object, Article 21);
- to be informed without undue delay of any personal data breach suffered by the Data Controller (Article 34);
- to withdraw express consent at any time (Conditions for consent, Article 7);
- to object to an automated decision-making process relating to natural persons, including profiling.
The address to be used to exercise the above-mentioned rights is [email protected], also with reference to claims made against persons whose data have been transmitted with the consent of the data subject. Requests will be processed within 30 days. This period may be extended for reasons relating to the specific right of the person concerned or the complexity of your request. The data subject is hereby informed that he/she is entitled to file a complaint with the Italian Data Protection Authority, by following the procedures and instructions published on the Authority's official website at www.garanteprivacy.it and that the exercising of rights is not subject to any formal constraint and is free of charge.
In the event of substantial changes to the manner in which your data is processed, you will be promptly informed of such changes using the contact details provided by you.