PRIVACY POLICY

PRIVACY POLICY NABLACOSMETICS.COM

Who is the Data controller?

NABLA Cosmetics S.r.l., with registered office in Via Tortona, 33 – 20144 Milano (MI) (VAT number: 12267321003) (hereinafter, “Data controller”)

How can I contact the Data controller?

The company's contact details are:

Email (PEO): info@nablacosmetics.com

Address: Via Tortona, 33 – 20144 Milano (MI)

1. Introduction

According to the European regulation on the protection of personal data (GDPR), legal persons are not considered data subjects and therefore the European regulation does not apply. However, if personal data relating to a natural person are entered in the context of the collection of company data, that person will be considered a data subject pursuant to the aforementioned regulation, and the relevant legislation will apply.

2. What are the treatments that are carried out through the site? And what are the legal bases, purposes and data retention?

2.1 REGISTRATION

  • PURPOSE
    The purpose of data processing is to register on the site to be able to make purchases more easily, monitor shipments and returns.
  • LEGAL BASIS
    Consent.
    In the event of litigation, the data will be processed to act and/or defend itself in court based on the legitimate interest of the Data Controller.
  • DATA RETENTION
    The data will be processed until the consent is revoked.
    In the event that the account remains inactive for 3 years, we will send you an email to find out if you are still interested in keeping it active; alternatively, the account will be deleted.
    In the event of litigation, the data will be processed for a longer period.
  • OTHER INFORMATION
    Registration is not mandatory to make purchases, as it is also possible to proceed in "guest" mode.

2.2 ACCESS (Membership program)

  • PURPOSE
    Creation and management of the user account, including the possibility of accessing reserved discounts.
  • LEGAL BASIS
    Execution of the contract.
    In the event of a dispute, the data will be processed to act and/or defend itself in court based on the legitimate interest of the Data Controller.

Pursuant to Art. 4 no. 7 GDPR: the data controller is the person who determines the purposes and means of the processing of personal data and his responsibilities are identified in Art. 24 GDPR.

  • DATA RETENTION
    The data will be processed for 12 months from registration. Subsequently, unless the conditions for keeping the account active persist (an additional 12 months), it will be deactivated.
    The data will be processed for a longer period in the event of a dispute.
  • OTHER INFORMATION
    Registration is mandatory in order to make purchases in the facilitated ways provided for this category of users.

2.3 PURCHASE

  • PURPOSE
    The main purpose of data processing is to allow you to purchase and receive the requested product and, furthermore, they are necessary for the fulfillment of legal obligations (including accounting and tax).
    The data could be used in the event of disputes raised regarding the correct fulfillment of the contract.
  • LEGAL BASIS
    Execution of a contract and consequent fulfillment of the legal obligations incumbent on the data controller.
    In the event of litigation, the data will be processed to take action or defend itself in court and this corresponds to the legitimate interest of the data controller.
  • DATA RETENTION
    The data will be deleted after 10 years from the fulfillment of the contract.
    They could be kept longer only in the event of disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.
  • OTHER INFORMATION
    The provision of data is mandatory and in the event of refusal to provide it, it will not be possible to purchase the requested products.

2.4 TRANSACTIONAL EMAIL

  • PURPOSE
    The purpose of data processing is to send you information in relation to the purchase made and registration.
  • LEGAL BASIS
    Contractual execution and legal obligation.
  • DATA RETENTION
    Until the order is delivered or registration is completed. The data will be processed for a longer period in the event of a dispute.
  • OTHER INFORMATION
    Transactional emails are sent to allow better order management and to provide the Customer with confirmation in relation to the purchase, shipping and registration.

2.5 CONTACT US

  • PURPOSE
    The purpose is to offer the User the possibility of contacting the Data Controller; to exercise or protect a right in the event of a dispute.
  • LEGAL BASIS
    Execution of pre-contractual measures carried out at the request of the Data Subject.
  • DATA RETENTION
    We will process the data for the time necessary to respond to requests and then we will delete the data.
    They could be kept longer only in case of possible disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.
    The verification of the obsolescence of the data is done every 12 months.
  • OTHER INFORMATION
    The data will be retained for 12 months or for a longer period in the event of a dispute.

2.6 NEWSLETTER/DEM (with automated or traditional methods)

  • PURPOSE
    The purpose of data processing is to send you newsletters and DEMs.
  • LEGAL BASIS
    Consent given by the Data Subject. 
  • DATA RETENTION
    1 year from the last sending.
  • OTHER INFORMATION
    Consent may be revoked at any time. The User is completely free to provide the requested data, since there is no legal obligation to provide them. However, if the user chooses not to provide the data indicated as essential, the Data Controller will not be able to achieve the indicated purpose.

2.7 NEWSLETTER/DEM “Softspam”

  • PURPOSE
    The purpose of data processing is to send you newsletters and DEMs. In case of purchase of our product, your data will be exported to a CRM for sending commercial information on products similar to those purchased.
  • LEGAL BASIS
    In case of purchase, your consent is not necessary based on art. 130 c. 4 d.lgs. n. 196/03.
  • DATA RETENTION
    1 year from the last sending.
  • OTHER INFORMATION
    Consent may be revoked at any time.

2.8 BACK IN STOCK

  • PURPOSE
    The purpose of data processing is to inform the User when a finished product becomes available for purchase again.
  • LEGAL BASIS
    Execution of pre-contractual measures carried out at the request of the Data Subject.
  • DATA RETENTION
    The data will be retained until the product is available again and in any case no longer than 1 year.
  • OTHER INFORMATION
    The User has full freedom to release the requested data, since there is no legal obligation to provide them. However, if the user chooses not to provide the data marked as essential, the Data Controller will not be able to achieve the indicated purpose.

2.9 ABANDONED CART

  • PURPOSE
    The purpose of data processing is to be able to send 1 email to invite the user to finalize the interrupted purchase on the site.
  • LEGAL BASIS
    Legitimate interest of the Data Controller in completing the purchase.
  • DATA RETENTION
    72 hours
  • OTHER INFORMATION
    The provision of data is automatic and follows the partial compilation of the shopping cart.

2.10 MARKETING AND PROFILING THROUGH DIGITAL PLATFORMS

  • PURPOSE
    The purpose of the data processing is to show marketing content based on your interests, as identified by your interactions on our site or social media. This includes the use of retargeting tools of digital platforms to deliver targeted advertising messages.
  • LEGAL BASIS
    Consent that can be acquired through various methods:
    1. Through Cookies on our Site: Your consent to marketing and profiling cookies is collected through the cookie settings on our site.
    2. For Custom Audience CRM Campaigns (Prospecting and Retargeting): For these campaigns, we obtain your explicit consent to use your contact data (e.g. email address) for marketing purposes.
    Interaction with Social Pages: If you have given consent to the use of profiling cookies on our Site, we can process your contact data and the information communicated during the interaction with the Social Pages. We use this information, in accordance with your privacy settings on social media, to show personalized marketing ads.
  • DATA RETENTION
    The data will be stored until the consent is revoked through the cookie settings.
  • OTHER INFORMATION
    1. Consent acquired through Cookies on our Site: The User can manage or revoke this consent at any time, as described in our Cookie Policy. We also inform you that cookies can be both first-party and third-party and therefore installed, through us, directly by Meta.
    2. Consent acquired for Custom Audience CRM Campaigns (Prospecting and Retargeting): This consent allows us to process your data to identify similar audiences (lookalikes) and to show targeted advertisements on social media and other digital platforms.
    In the case of simple segmentation of the User, your consent is not required.

2.11 NAVIGATION DATA

  • PURPOSE
    Site Security
  • LEGAL BASIS
    We will process data based on the legitimate interest of the company in IT security and compliance with legal obligations. The legal basis for the processing of cookies other than those necessary is consent.
  • DATA RETENTION
    24 months
  • OTHER INFORMATION
    For the regulation on cookies, please refer to the specific information.

3. What else should I know?
The data will be processed lawfully, fairly and with the utmost confidentiality, in compliance with the appropriate security measures as required by the Code and the Regulation. The processing will be carried out using digital means. The data will not be subject to public disclosure. Furthermore, the user will not be subjected to automated decision-making processes such as profiling unless he/she consents to this by installing cookies or other tracking tools; for the rules governing these, please refer to the specific information.

4. To whom will my data be communicated?
The Data Controller may communicate the data to all subjects to whom communication is mandatory by law for the fulfillment of the purposes set out by law.
The Data Controller also uses some companies or IT tools that carry out processing activities on the personal data of the interested parties in the exclusive interest of the owner of the same, all adequately appointed as data controllers pursuant to art. 28 GDPR.
The data will also be communicated to the payment gateways as independent Data controllers.
The list of data controllers is available at the office.

5. Where is the data stored and transferred?
The management and storage of personal data will take place on servers located within (hosting) and outside the EU (DEM and data management tools). The Data Controller guarantees that the transfer outside the EU takes place in compliance with Articles 44-47 Chapter V of the GDPR by signing standard contractual clauses and/or through the Adequacy Decision of the EU Commission.

What rights can I exercise?
1. RIGHT OF ACCESS (art. 15 GDPR)
The Data subject has the right to obtain confirmation of the existence or otherwise of personal data concerning him or her, even if not yet recorded, and their communication in an intelligible form.
2. RIGHT OF RECTIFICATION (art. 16 GDPR)
The Data subject has the right to obtain the rectification of inaccurate personal data concerning him or her and also the integration of incomplete data.
3. RIGHT OF CANCELLATION (art. 17 GDPR)
The Data subject has the right to obtain the cancellation of personal data in the presence of particular reasons such as the withdrawal of consent, opposition to processing or if data are no longer necessary with respect to the purposes for which they were collected and processed or in the case of unlawful processing. It will not always be possible to proceed with cancellation but it will certainly be the responsibility of the data controller to provide adequate motivation.
4. RIGHT TO LIMIT PROCESSING (art. 18 GDPR)
The Data subject has the right to obtain the limitation of processing in the presence of particular hypotheses such as, for example, in the case of a request for rectification or opposition during the evaluation time of the requests.
5. RIGHT TO PORTABILITY (art. 20 GDPR)
If the processing is based on consent or on the contract and is carried out with automated tools, the Data subject can receive them in a structured, commonly used and machine-readable format or ask to transmit them to another owner.
6. RIGHT TO OPPOSITION (art. 21 GDPR)
The Data subject has the right to object, in whole or in part:
a) for legitimate reasons to the processing of personal data concerning him/her, even if pertinent to the purpose of the collection;
b) to the processing of personal data concerning him/her for the pursuit of purposes not contemplated by art. 2.
The user may submit a request to object to the processing of his/her personal data pursuant to Article 21 of the GDPR, in which he/she must provide evidence of the reasons justifying the objection: the Data Controller reserves the right to evaluate the request, which would not be accepted in the event of the existence of compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the user.
7. RIGHT TO SUBMIT A COMPLAINT
The Data subject has the right to submit a complaint to the competent supervisory authority pursuant to Article 77 of the GDPR if he/she believes that the processing of his/her data is contrary to the legislation in force.

How can I exercise my rights?
The Data subject may exercise the rights referred to in the previous point at any time by contacting the data controller at the email address above.

Last version: 07/09/2025

This information has been drawn up by Polimeni.Legal