Privacy Policy

PREAMBLE

Yana Beaute srls (hereinafter also "Yana Beautè" or "the owner") is a company engaged in e-commerce activities in the sector of parapharmaceuticals, dietary supplements, personal hygiene and care, cosmetics, as well as household products, and processes personal data of Internet users, particularly those who visit its websites.

Yana Beaute srls aims to safeguard the privacy of the private sphere and the rights of individuals and is therefore committed to applying specific and protective rules of conduct – in line with European Regulation 679/2016 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”) – that ensure safe, controlled and confidential navigation on the web.

This information privacy protection policy may change over time, also due to legislative and regulatory integrations and amendments or due to our institutional decisions; therefore, we invite you to periodically consult this section of our website.

Thank you, therefore, for reviewing the rules that our company has imposed on itself in collecting and processing personal data and in always providing a satisfactory service to the users of its websites.

This Privacy Policy is intended to apply exclusively to the websites of Yana Beaute and not to those of other companies, entities, associations, professionals or any other legal entity or natural person.

 

BASIC PRINCIPLES OF YANA BEAUTE'S PRIVACY POLICY

processing (art. 4, paragraph 2, GDPR: “any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, erasure or destruction”) of personal data (art. 4, paragraph 1, GDPR: “any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity”) exclusively for the purposes and according to the methods described in the information provided to the user each time they access a section of the site where the direct or indirect provision of personal data is required;

to use the data that have been voluntarily provided by the user;

to use technical cookies to facilitate site navigation and analytical cookies for statistical purposes;

to use profiling cookies to direct personalized messages and banners to users based on their web browsing, both inside and outside the site;

to transmit data to third parties (data processors – art. 4, paragraph 8, GDPR: "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller") exclusively for instrumental purposes to what is expressly requested and carefully selected by us;

to communicate data to third parties for activities related to the matters of interest or when required by law, regulation, or EU legislation;

to carry out direct marketing activities on behalf of third parties for the promotion of their products and services, as well as to communicate data to third parties for their independent processing activities with promotional purposes;

to respond to requests for access to personal data, rectification or deletion thereof, restriction of processing or the right to object to their processing for legitimate reasons. To ensure the exercise of the right to data portability, as well as to object to data processing for informational and promotional communications about our commercial initiatives, our offers and discounts, news and catalog products, surveys and research, to make known the possibility of filing a complaint with the supervisory authority;

to ensure correct and lawful processing of Your data, safeguarding Your privacy, as well as applying appropriate security measures to protect the confidentiality, integrity, and availability of the data themselves.

Purpose of data processing and processing methods – legal basis of processing – data collection criteria

 

PURPOSES OF DATA PROCESSING 

As better explained in the sections that allow you to subscribe – by providing your personal data – to the services reserved for users of our site, the requested data are used to respond to the requests expressly made by the user. All data collection – and subsequent processing – activities are aimed at pursuing the institutional and commercial purposes of Yana Beaute and, in particular, to:

• process the registration request and activate the user profile, provide services reserved for registered users (including the management of any orders placed and any reviews left on products), including the management of the profile by the user themselves and service communications related to the operation and additional features/services of the site

• process orders in all their phases, from acceptance to delivery and for payment management and possible debt collection, as well as allow the customer to leave product reviews

• send the requested newsletter

• respond to requests made through contacts spontaneously established by the user, such as advice provided by the pharmacist or request for notification when an unavailable product returns to the catalog or to obtain information about our products

• direct the user to our social channels

• comply with administrative and other mandatory regulations under current national law or by virtue of European Union decisions

• carry out direct marketing activities related to own products and services (promotional communications, direct sales offers, surveys and market research, updates on the product catalog)

• carry out direct marketing activities with profiling connected to direct marketing based on the preferences and behaviors or purchasing and consumption tendencies, interests of the data subject or combined with other information derived from own or third-party archives

• carry out direct marketing activities on behalf of third parties to promote their products or services

• communication of data to third parties for their independent uses with promotional purposes

• dissemination of images in video and photographic format, testimonials and statements, also released through the Owner's social channels, solely for the purpose of publicizing them – on their own informational, editorial, advertorial material, and/or website or on the occasion of public events or on media such as print and TV and other digital and non-digital channels intended for the public – to promote and document initiatives and commercial relationships, reviews, projects and institutional activities, as well as to create a historical archive of Yana Beaute's commercial initiatives to be used on occasions of special significance (e.g.: anniversaries of the Owner's founding) to represent the developments of Yana Beaute's commercial and sales activity.

• statistical processing on the characteristics of customers and their orders, as well as on registered users or those requesting information or using services provided through the site. The resulting statistical reports may also be disseminated through Yana Beaute’s communication channels, such as its own website, at events and conferences, on printed and online illustrative materials or digital media, in print media (e.g., newspapers and magazines), and information media (e.g., TV). Similarly, aggregated and anonymous reports may be made available to companies, entities, and third-party organizations for their anonymous studies and research in the sector in which the Data Controller operates.

• to exercise, assert, or defend in court a right of one’s own or of a third party.

 

DATA PROCESSING METHODS 

Personal data are processed by the Data Controller using both paper and electronic and telematic tools and are stored within its own IT system. Appropriate security measures are observed to prevent loss or alteration of data – even accidental – unlawful or incorrect use, and unauthorized access.

All processing carried out within this site will be performed with logic related to the purposes for which the data were collected and in compliance with current security regulations, for the purposes specified from time to time in the information to be provided pursuant to art. 13, GDPR.

For the execution of profiling activities related to direct marketing referred to in point 8., "Purpose of processing", Yana Beaute will analyze, using electronic procedures, the preferences and purchasing and consumption behaviors or the preferences and interests of the customer (e.g., purchase frequency, amount spent, campaign participation) or the characteristics and tendencies, interests, and preferences of the user in general. Therefore, processing will be carried out that involves selecting the information stored about the person, so that they can be contacted for offers and purchase proposals, surveys, and research of their interest and in line with their preferences, avoiding being disturbed by unwanted contacts. This profiling activity may also be conducted by drawing from archives made available by third parties.

For the execution of direct marketing activities – without and with profiling – referred to in points 7 and 8 of the chapter “Purposes of processing,” the Data Controller uses the contact details provided by the data subject themselves, and the contact methods predominantly used. The phone number provided by the data subject will be used for the purposes referred to in points 7 and 8, “Purposes of processing” only after applying the rules of law 05/2018: if registered in the “Public Register of Objections,” the phone number will not be used for these purposes, except for subsequent consent expressly given directly to Yana Beaute for such contacts.

Contacts referred to in points 7 and 8 of the chapter “Purposes of processing” may take place using traditional communication tools (e.g., postal mail, landline or mobile phone with operator) or electronic (e.g., e-mail, SMS).

The purposes referred to in point 11, “Purposes of processing,” may involve partial or total reprocessing, as well as matching and interconnection of creative works with other materials already available to the Data Controller.

The purposes referred to in point 12, “Purposes of processing,” are pursued with electronic processing that separates the information identifying the data subject (such as, for example, name and surname, e-mail) from other information provided and consist of anonymous reports: the matching with the person to whom the data refer will no longer be reconstructible.

Health-related data will be processed exclusively to carry out the user's request (e.g., purchase of medicines or pre-sale inquiries about product composition and indications on their health status) and not for direct marketing activities, with or without profiling.

 

LEGAL BASIS OF PROCESSING 

The legal basis of the processing depends on the purpose of the processing itself. Therefore, the different legal bases applied for the individual processing purposes pursued by Yana Beaute are listed below.

For the purposes referred to in points 1 to 5 of the “Purposes of data processing,” the legal basis is art. 6, paragraph 1, letter b), GDPR since the processing is aimed at fulfilling pre-contractual or contractual obligations to which the data subject is a party. Specifically, to allow the user to subscribe to the services mentioned therein and, therefore, to satisfy a request expressly made by the user or of their specific interest. An additional legal basis is the consent referred to in art. 9, paragraph 2, letter a), GDPR, where, for the service of interest (e.g., purchase of medicines) it involves the detection of health-related data (e.g., inferable from the purchased product or the request made or the communication of adverse effects resulting from the use of the product).

For the purposes referred to in point 6., "Purposes of data processing", the legal basis is art. 6, paragraph 1, letter c), GDPR since the processing is aimed at fulfilling legal obligations to which the Data Controller is subject.

For the purposes referred to in point 7. "Purposes of data processing", the legal basis is the "legitimate interest" (art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion April 09, 2014, no. 6 of the Working Party 29, par. III.3.1.) of Yana Beaute in maintaining the relationship voluntarily established by the data subject who, through their action (site registration, purchase or request for information) has expressed their appreciation for our commercial activity, and informing them about our marketing and direct sales activities, to introduce new products and brands, product catalog updates, to present offers, discounts, promotions, involve them in surveys and research on the satisfaction level of their experience with Yana Beaute, allowing the data subject to become aware of these opportunities and to decide, if they wish, to place orders or take other actions. This is balanced by the person's expectations to receive information from the Data Controller concerning products and services that are of their interest and with which they have already voluntarily established a relationship through their own action.

For the purposes referred to in point 8., "Purposes of data processing", the legal basis is the consent of the data subject (art. 6, paragraph 1, letter a), GDPR).

Promotional contacts via email referred to in points 7. and 8., "Purposes of data processing" carried out towards customers are supported by the legal basis referred to in art. 130, paragraph 4, Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, which allows the sending of emails aimed at the direct sale of products similar to those purchased to the email address provided during the purchase process, with the customer's right to object to such mailings at any time. Similarly, this applies to the sending of promotions and direct sales proposals to the customer's postal address pursuant to the provisions of the Authority's measure on "Simplifications of certain obligations in the public and private sectors regarding processing for administrative and accounting purposes" dated June 19, 2008.

For the purposes referred to in points 9. and 10., "Purpose of data processing", the legal basis of the processing is the consent of the data subject (art. 6, paragraph 1, letter a), GDPR).

for the purposes referred to in point 11., "Purpose of data processing", the legal basis is the consent of the data subject (art. 6, paragraph 1, letter a), GDPR). Additionally, there is the legal basis of "legitimate interest" (art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion 09 April 2014, no. 6 of the Working Party 29, par. III.3.1.) of Yana Beaute in disseminating information and experiences of actual and potential customers in their relations with Yana Beaute and to publicize its commercial activities and their development. With the same legal bases just indicated, Yana Beaute will use the content to create a historical archive of its commercial and institutional activities. Yana Beaute guarantees that testimonials, statements, and images will be disseminated only for purposes permitted by current laws, as well as respecting the decorum, dignity, and reputation of the persons involved. Yana Beaute cannot be held responsible for any harmful consequences possibly resulting from the dissemination of testimonials, statements, sounds, images and/or photos attributable to violations committed by third parties carried out beyond any control of Yana Beaute. Data subjects acknowledge that no compensation is due following the use and dissemination of the testimonials, images, and audio in question. It is also expressly understood and accepted that the aforementioned images and audio-video recordings are and will remain the exclusive property of Yana Beaute. Furthermore, the Ethical Rules relating to the processing of personal data in the exercise of journalistic activity of 29 November 2018 apply.

For the purposes referred to in point 12. "Purpose of processing", the legal basis is the "legitimate interest" (art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion 09 April 2014, no. 6 of the Working Party 29, par. III.3.1.) of Yana Beaute to analyze the profile of people interested in its commercial activity and the type of orders placed or requests for product information in order to improve, integrate or modify its product catalog and services related to orders and the provision of services through the website.

For the purposes referred to in point 13., "Source and purpose of processing," the legal basis is the "legitimate interest" (Art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion 09 April 2014, No. 6 of the Working Party 29, par. III.3.1.) of Yana Beaute or a third party to protect their rights.

 

DATA COLLECTION CRITERIA 

The forms to be filled out include both data that are strictly necessary to participate in the relevant interest and whose omission prevents the request from being processed, as well as optional data provision. Mandatory data provision is usually indicated with an asterisk. Therefore, the user is free to provide the personal data reported in the request forms or otherwise indicated in contacts with Yana Beaute to request information or for the other purposes listed above. In these cases of mandatory data provision, their absence may result in the inability to obtain what is requested. The need to request data as mandatory for participation in individual initiatives or to place orders or make requests has been considered in compliance with the provisions of Article 25, GDPR ("Data protection by design and by default"), which require prior assessment of appropriate technical and organizational measures, such as "pseudonymization" (Art. 4, paragraph 5, GDPR: "the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that such personal data are not attributed to an identified or identifiable natural person"), aimed at effectively implementing data protection principles, such as minimization, and integrating the necessary safeguards into the processing to meet GDPR requirements and protect the rights of data subjects. Furthermore, Yana Beaute has implemented appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the specific purpose of the processing arising from the initiative or service (e.g., order, site registration) to which the data subject has voluntarily adhered are processed.

 

CRITERIA USED TO DEFINE THE DATA RETENTION LIMIT

Data will be kept in our archives (Art. 4, paragraph 6, GDPR: “any structured set of personal data accessible according to specific criteria, regardless of whether such a set is centralized, decentralized, or functionally or geographically distributed”) according to criteria that vary depending on the data category, the nature of the processing, and the purposes of the processing itself. The criteria or exact retention limit are described in the information to be provided pursuant to Art. 13, GDPR at the time of personal data provision.

 

In principle, the following assessments by Yana Beaute apply to establish the data retention criteria:

 

For the purposes referred to in point 1. “Purpose of data processing,” the data retention period is determined based on the time necessary to complete the registration and as long as the user is registered and uses the reserved services; data will also be deleted if the user decides to close their profile. The user's data (and related profile) will be deleted if improper behavior by the user is detected during site navigation or actions performed through the site. In this case, the Data Controller will inform the Competent Authorities by communicating the user's data.

for the purposes referred to in point 2. “Source and purpose of processing”, the data retention period is determined based on the time necessary to execute the order or pre-contractual obligations, in all phases, from order acceptance to delivery (e.g., payments and reminders, refunds, returns, communications on order progress, issuance of purchase receipts and delivery notes), as well as for managing any review left

for the purposes referred to in point 3., “Purpose of data processing”, the data will be retained as long as the user is interested in the newsletter service, maintaining their subscription. Afterwards, it will be deleted from our archives

for the purposes referred to in point 4., “Purpose of data processing”, the data will be retained for the time necessary to fully fulfill the request made by the data subject, which may extend over time if the request is not satisfied at the first contact and requires multiple exchanges of information between the data subject and the Data Controller or if the data subject intends to raise further questions related to the initial request. If the request is aimed at applying to work with Yana Beaute, the data may also be retained if the candidate's profile is not of immediate interest but may be in the future. In any case, retention will not exceed 1 (one) year, a period assessed based on the fact that the candidate may have subsequently changed their professional profile or otherwise found employment

for the purposes referred to in point 5., “Purpose of data processing”, all user data accessing Yana Beaute's social pages is stored in archives for the period necessary to maintain the contact established through this channel by the user themselves and voluntarily extended over time based on the user's interest in keeping their profile on the Data Controller's pages

for the purposes referred to in point 6., “Purpose of processing”, the data retention period is determined based on the individual national and EU regulations that impose legal obligations on the Data Controller. For administrative, tax, and accounting purposes, therefore, the data is retained for a period of 10 (ten) years

for the purposes referred to in point 7. “Purposes of data processing”, the data are stored in our archives for the period necessary to maintain the established relationship with the person and inform them about our commercial activities, allowing Yana Beaute to legitimately continue its direct marketing and sales activity as long as the person is considered interested in our products and services, especially if registered or a regular customer. Approximately, the data of these data subjects will be kept for a period of two years from the last action taken (e.g., cancellation of subscription or last order placed). Obviously, this retention period will be interrupted when the person expresses the desire not to receive further information and offers from Yana Beaute, communicating it according to the methods described in the chapter “Rights of data subjects regarding their data”. Yana Beaute will adopt appropriate technical and organizational measures to no longer contact the person

for the purposes referred to in point 8., “Purposes of data processing”, the data are stored in our archives as long as the person's profile aligns with the personalized contacts created through the cross-referencing of information available to us and, therefore, as long as Yana Beaute continues its sales and commercial activity with products, offers, promotions, research, and surveys that are considered of interest to the person because they reflect their characteristics and behaviors and are, therefore, specifically appreciated by them. In principle, the behavioral characteristic data of the data subjects will be kept for a period of one year from the date of their last action. The retention will cease, even before the retention period described here, if opposition is expressed at any time to the processing of personal data carried out for profiling related to direct marketing, according to the methods described in the chapter “Rights of data subjects regarding their data”. Yana Beaute will adopt appropriate technical and organizational measures to no longer contact the person

for the purposes referred to in point 9., “Purposes of data processing”, the data will be stored in our archives according to the processing purposes carried out by Yana Beaute as an independent data controller for the execution of promotional activities on third-party products and services as long as the user is considered interested in the third-party services and products. The period is reduced if opposition is expressed according to the methods explained in the chapter “Rights of data subjects regarding their data”. The Controller will adopt appropriate technical and organizational measures to no longer contact the person

for the purposes referred to in point 10., "Purposes of data processing," the data are kept in our archives for the period necessary to prepare archives to be communicated to third parties. Obviously, the Data Controller will keep in its archives the data subject to communication for its own purposes listed in the chapter "Purposes of data processing."

for the purposes referred to in point 11., "Purposes of data processing," the data will be kept as long as it is considered that the testimonies in image and declarative format are relevant to express and represent their commercial initiatives and the development of their activity to the public and pertinent to the institutional objectives of the Data Controller. For greater clarity, images, sounds, and testimonies will be kept in our archives as long as the communication activity and the context of the recordings are objectively significant to represent institutional events and our commercial activity and its developments. Subsequently, they will be deleted through their destruction and will no longer be reconstructible or attributable to the people involved. Although over a longer time frame, the contents referred to here will be kept for training purposes and the use of a historical archive suitable to represent the evolution of the commercial activity and the successes of expansion in Yana Beaute's reference market.

for the purposes referred to in point 12., "Purposes of data processing," the personal data are kept in our archives for the period necessary for their transformation into anonymous form. After this period, the identifying data are no longer identifiable and do not relate to the person and, therefore, are no longer subject to the provisions of the GDPR.

for the purposes referred to in point 13., "Purposes of data processing," the data are kept in our archives for the period necessary to carry out the individual phases of any judicial proceedings or disputes that may arise until their conclusion, therefore within terms consistent with the timelines indicated by the competent bodies.

After the periods mentioned above have elapsed, the identifying data are transformed into anonymous form and used only for statistical reports that do not allow identification of the person but are useful for adapting the services, product catalog, and promotional and commercial initiatives of Yana Beaute. Personal data (identifying the person) will therefore be destroyed, unless otherwise ordered by supervisory authorities, law enforcement, and the judiciary or to exercise, assert, or defend a right of Yana Beaute or a third party in court, as already stated above.