Cookie Policy

Information on the processing of data in accordance with European Regulation (GDPR) 2016/679 and subsequent amendments and additions

This information on the processing of Personal Data (hereinafter "Information") is provided to the User of the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com with reference to the processing of the User's Personal Data related to cookies and tracking technologies, in compliance with the provisions contained in articles 13 and 14 of EU Regulation 2016/679 of 27 April 2016, in relation to the protection of natural persons with regard to the processing of Personal Data, as well as the free movement of such data (General Data Protection Regulation, hereinafter also "GDPR").

Pursuant to articles 13 and 14 of the GDPR, you are therefore invited to take note of the following Information.

I. Personal Data

The Personal Data that may be collected through cookies and tracking technologies include the following:

  • Navigation data (e.g., IP address, browser type, device information, pages visited, and time spent on the website);
  • User behavior data (e.g., clicks, scrolling, interactions with website elements);
  • Special categories of data, specifically health-related data, when users interact with health-related content (such as treatments, medical conditions, or health services), but only with explicit consent.

(Hereinafter "Personal Data" or "Data").

The User is responsible for the completeness and truthfulness of any Personal Data provided directly. This Cookie Policy specifically addresses the use of cookies and tracking technologies. For broader data processing details, please refer to our separate Privacy Policy, accessible on the website of the Data Controller.

II. Data Controller in charge of the processing of Personal Data

The Data Controller in charge of the processing of the Personal Data collected through cookies is Istituto Image Srl, Via Pietro Mascagni 14, 20122 Milan (MI), Tax code: 06564590963 and VAT Number: 06564590963 (hereinafter "Data Controller"). For any communication to be sent to the Data Controller, it is possible to send an e-mail to the following address: shop@istitutoimage.com; or a PEC (Certified e-mail) to: istitutoimagesrl@legalmail.it; or a registered letter to the address of the Data Controller's offices.

III. Purposes of the processing

The Data Controller collects the Personal Data through cookies and tracking technologies for the following purposes:

a) ensuring the proper functioning of the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com (e.g., technical cookies for session management and website navigation);

b) fulfilling legal obligations related to the use of cookies, such as obtaining user consent where required;

c) sending advertising material, newsletters, and carrying out direct marketing actions (e.g., using targeting cookies);

d) the exercising of rights in court and out of court, connected to the relationship (e.g., management of any disputes related to cookie usage);

e) analyzing website usage and user behavior to improve our services and website functionality (e.g., using analytics cookies);

f) tracking health-related browsing behavior when users interact with health-related content (such as treatments, medical conditions, or health services), but only with explicit consent (e.g., using specific tracking cookies for health data).

IV. Nature of the conferral and legal basis for the processing

The Personal Data collected through cookies are strictly functional to the purposes referred to in the preceding paragraph.

For purpose a) of paragraph III above, the provision of Personal Data does not require the User's consent, as their processing is necessary for the technical functioning of the website.

For purpose b) of paragraph III above, the legal basis for the collection of the Personal Data is the necessary fulfilment of a legal obligation to which the Data Controller is subject (e.g., compliance with GDPR consent requirements).

For purpose c) of paragraph III above, the legal basis for the collection of the Personal Data is the free and specific consent of the User, which is obtained through the cookie banner or preferences center during the User's first visit to the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com.

For purpose d) of paragraph III above, the legal basis for the collection of the Personal Data is the legitimate interest of the Data Controller in the exercise and protection of the Data Controller's rights in court and out of court.

For purpose e) of paragraph III above, the legal basis for the collection of the Personal Data is the free and specific consent of the User, which is obtained through the cookie banner or preferences center, as this processing is not strictly necessary for the website's functionality but serves to improve services.

For purpose f) of paragraph III above, the legal basis for the collection of the Personal Data, including special categories of data (health data), is the explicit consent of the User, which is requested separately from other consents due to the sensitive nature of health data.

In the event of the User's failure to provide consent for the purposes referred to in letters c), e), and f) of paragraph III above, the related cookies will not be activated, but the User will still be able to navigate the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com using technical cookies necessary for functionality.

V. Methods of processing

The processing will be carried out with IT and telematic tools, with organization and processing logics strictly related to the purposes for which the Personal Data are processed, and in any case in such a way as to guarantee the security, integrity, and confidentiality of the Data in compliance with the organizational, physical, and logical measures envisaged by the provisions in force. The processing will be carried out in accordance with the principles of correctness, lawfulness, and transparency, in order to protect the privacy and the rights of the interested party (User) at all times in compliance with the current legislation.

The Data Controller declares and guarantees that the Personal Data collected through cookies will be processed with the greatest confidentiality and protection, also guaranteeing that the appropriate technical and organizational security measures will be adopted so as to prevent unauthorized access, disclosure, accidental or improper alteration, loss, or destruction of the Personal Data.

Special Handling of Health Data

As a health and wellness provider, we understand the sensitive nature of health-related information. When you browse health-related content on our website (such as treatments, conditions, or medical services), this browsing behavior may be considered health-related data under certain privacy regulations.

Special Consent for Health Data: We require explicit consent before tracking any health-related browsing behavior. This consent is separate from general marketing or analytics consent and can be managed in your cookie preferences.

How We Use Health Data: When consent is provided, we may use this data to:

  • Improve the relevance of health-related content shown to you
  • Measure the effectiveness of our health-related services
  • Optimize our website for users with similar health interests

Safeguards for Health Data:

  • All health-related browsing data is pseudonymized
  • We implement strict access controls for this data
  • We never share identifiable health data with third parties without explicit consent
  • You can withdraw your consent at any time through the Cookie Preferences center

Connection to Form Consent: The "privacy for medical booking" consent you provide in our forms is separate from website tracking consent. Form consent applies to the processing of health data you explicitly provide in forms, while cookie consent applies to tracking your browsing behavior.

Analytics and Tracking Technologies

Our website uses the following analytics and tracking technologies:

Meta Pixel and Conversions API: We use Meta Pixel and Conversions API to track conversions and measure the effectiveness of our advertising. This technology helps us understand how users interact with our website after seeing our ads on Facebook, Instagram, and other Meta platforms.

Google Analytics (GA4): We use Google Analytics 4 (GA4) to analyze website traffic and user behavior. GA4 is configured with server-side tagging to enhance GDPR compliance by minimizing the transfer of personal data to third parties.

PostHog: We use PostHog to analyze user behavior and improve our website functionality. PostHog is configured to prioritize user privacy and comply with GDPR requirements.

For more detailed information about these technologies and how to control them, please refer to our Cookie Policy.

Consent Mechanisms for Newsletter, Contact Submission, and Consultation Booking

To ensure compliance with GDPR, we have implemented explicit consent mechanisms for the following activities:

  • Newsletter Subscription: When subscribing to our newsletter, users are presented with a clear checkbox to provide consent for receiving marketing communications. This consent is separate from cookie-related consents and can be withdrawn at any time via a link in each newsletter.
  • Contact Submission: When submitting contact information through our forms, users must explicitly consent to the processing of their data for communication purposes. This consent is documented and can be revoked by contacting the Data Controller.
  • Consultation Booking: During the consultation booking process, users are required to provide explicit consent for the processing of their data, including any health-related data, for the purpose of providing the requested service. This consent is separate from cookie tracking and is linked to our Privacy Policy.

Links to Policies: On all pages where users enter personal data (e.g., during newsletter subscription, contact submission, or consultation booking), we provide clear links to this Cookie Policy and our Privacy Policy for transparency.

VI. Storage times

The Personal Data collected through cookies will be stored for a period of time not longer than that necessary for achieving the purposes for which they have been collected, as outlined in paragraph III. Specifically:

  • Technical cookies (purpose a) are stored for the duration of the browsing session or as long as necessary for website functionality.
  • Marketing and analytics cookies (purposes c and e) are stored for a maximum of 12 months from the date of consent, unless the user withdraws consent earlier.
  • Health-related tracking data (purpose f) is stored for a maximum of 12 months from the date of consent, unless withdrawn earlier.
  • Data related to legal disputes (purpose d) may be stored as long as necessary for exercising and/or protecting the Data Controller's rights, out of court and/or in court, and in any case no later than the date on which the definitive judgement on any dispute that may have arisen becomes enforceable.

VII. Categories of recipients of Personal Data - Transfer/communication of Data to third parties

The Personal Data collected through cookies may be accessed by the following third-party recipients involved in the processing of cookie-related data:

  • Meta: For the operation of Meta Pixel and Conversions API, used for advertising and conversion tracking (purpose c).
  • Google: For the operation of Google Analytics 4 (GA4), used for website analytics (purpose e), with server-side configuration to enhance GDPR compliance.
  • PostHog: For the operation of PostHog analytics, used for user behavior analysis (purpose e), configured to prioritize GDPR compliance.

These third parties act as data processors under article 28 of the GDPR and are contractually obligated to process the Personal Data in compliance with this Cookie Policy and applicable GDPR regulations. No other categories of recipients, such as those involved in order fulfillment or other non-cookie-related activities, are included here, as they are addressed in the separate Privacy Policy.

In the event of any future transfer of Personal Data to a third country outside the European Union (e.g., via Google or Meta), all the provisions of chapter V of the GDPR will be respected, including the use of Standard Contractual Clauses or other mechanisms to ensure an appropriate level of protection.

VIII. User's rights

The User has the right:

  • to request confirmation as to whether or not his/her Personal Data collected through cookies are being processed, and if they are, to obtain access to them (right of access);
  • to request the rectification of inaccurate Personal Data or the integration of incomplete data (right to rectification);
  • to request the cancellation of Personal Data, in the cases provided for by the GDPR (right to cancellation);
  • to request the limitation of processing, in the cases provided for by the GDPR (right to limitation);
  • to receive the Personal Data in a structured, commonly used and automatically readable format, and to transmit such data to another Data Controller (right to portability);
  • to revoke, at any time, any consent given for the processing of his/her Personal Data through cookies for marketing, analytics, or health tracking purposes, without prejudice to the lawfulness of the processing based on consent given prior to revocation (right to withdraw consent). Users can manage or withdraw their consent via the Cookie Preferences center accessible on our website;
  • to oppose at any time and for reasons related to the interested party's personal situation, the processing of data carried out on the basis of the Data Controller's legitimate interests (right of opposition);
  • to lodge a complaint with a Supervisory Authority (Guarantor for the Protection of Personal Data: https://www.garanteprivacy.it/), in the event that he/she considers that the processing violates the GDPR (right to complain).

To exercise his/her rights, the User may formulate an express written request to the Data Controller to be sent to the following e-mail address: shop@istitutoimage.com; or by PEC (Certified e-mail address) to the address istitutoimagesrl@legalmail.it; or by registered letter to the address of the Data Controller's offices.
