This information on the processing of Personal Data (hereinafter "Information") is provided to the User of the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com with reference to the consequent processing of the User's Personal Data - provided in his/her capacity as a natural person directly concerned in the purchases and the consequent processing, in compliance with the provisions contained in articles 13 and 14 of EU Regulation 2016/679 of 27 April 2016, in relation to the protection of natural persons with regard to the processing of Personal Data, as well as the free movement of such data (General Data Protection Regulation, hereinafter also "GDPR").
Pursuant to articles 13 and 14 of the GDPR, you are therefore invited to take note of the following Information.
The Personal Data that will be collected are the following:
(Hereinafter "Personal Data" or "Data").
The User is responsible for the completeness and truthfulness of the Personal Data, and must therefore hold the Data Controller exempt from any liability towards third parties. As regards so-called "navigation" data and/or the use of so-called "cookies", please refer to the separate policy, which can be accessed on the website of the Data Controller.
The Data Controller in charge of the processing of the Personal Data provided by the Customer is Istituto Image Srl, Via Pietro Mascagni 14, 20122 Milan (MI), Tax code: 06564590963 and VAT Number: 06564590963 (hereinafter "Data Controller"). For any communication to be sent to the Data Controller, it is possible to send an e-mail to the following address: shop@istitutoimage.com; or a PEC (Certified e-mail) to: istitutoimagesrl@legalmail.it; or a registered letter to the address of the Data Controller's offices.
In fulfilment of the obligations established by current legislation, the Data Controller collects the Personal Data and carries out their processing, for the following purposes:
a) managing the User's registration on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com; and during the precontractual and contractual phase for the purpose of implementing the collection and management of orders relating to the products and the services offered by the Data Controller on said platform; as well as for following up on any requests made by the User, including requests for information regarding the products and the services offered by the Data Controller; and also for proceeding with the completion of the procedures and activities associated with the performance of the Order itself in favour of the Customer;
b) fulfilling the legal and contractual obligations associated with the execution of the Order and the Service in favour of the Customer, including the performance of invoicing and payment collection activities, and the related tax obligations;
c) fulfilling any legal, accounting and tax obligations (e.g., customer due diligence obligations and customer information communications in compliance with the provisions relating to the prevention of money laundering, obligations deriving from the provisions relating to the verification and repression of computer crimes, tax violations etc.);
d) sending advertising material, newsletters, and carrying out direct marketing actions;
e) the exercising of rights in court and out of court, connected to the relationship (e.g., management of any disputes);
f) analyzing website usage and user behavior to improve our services and website functionality;
g) tracking health-related browsing behavior when users interact with health-related content (such as treatments, medical conditions, or health services), but only with explicit consent.
The Personal Data collected in the context of this processing are strictly functional to the purposes referred to in the preceding paragraph.
For purposes a) and b) of paragraph III above, the provision of Personal Data does not require the User's consent, given that their processing is necessary for the execution of the contract and of the precontractual measures, and for the management of the orders transmitted by the User on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com.
For the purposes referred to in letters b) and c) of paragraph III above, the legal basis for the collection of the Personal Data is the necessary fulfilment of a legal obligation to which the Data Controller is subject.
For the purposes referred to in letter d) of paragraph III above, the legal basis for the collection of the Personal Data is the free and specific consent of the User, which may have been given during the registration phase on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com or subsequently communicated to the Data Controller. It is understood that, by virtue of the rights granted to the interested parties by EU Regulation 2016/679 of 27 April 2016, referred to in paragraph VIII below, the User may at any time and without any prejudice revoke his/her previously granted consent, without prejudice to the legitimacy of the processing carried out in the meantime.
For the purposes referred to in letter e) of paragraph III above, the legal basis for the collection of the Personal Data is the legitimate interest of the Data Controller in the exercise and protection of the Data Controller's rights in court and out of court.
For the purposes referred to in letter f) of paragraph III above, the legal basis for the collection of the Personal Data is the legitimate interest of the Data Controller in improving the website and services offered.
For the purposes referred to in letter g) of paragraph III above, the legal basis for the collection of the Personal Data is the explicit consent of the User, which is requested separately from other consents due to the sensitive nature of health data.
In the event of the User's failure to provide the Personal Data for the purposes referred to in letters a), b), c) and e) of paragraph III above, it will not be possible for the User to register on the e-commerce platforms https://www.istitutoimage.it and https://www.istitutoimage.com, nor to forward orders through them, and hence to correctly execute the contractual relationships and the Services connected with them. The provision of Personal Data by the User for the purposes referred to in letters d), f), and g) of paragraph III above, on the other hand, is optional, given that it is also possible to correctly execute the contractual relationships and the Services connected with them without it.
The processing will be carried out both with manual tools on hard-copy format and with IT and/or telematic tools, with organization and processing logics strictly related to the purposes for which the Personal Data are processed, and in any case in such a way as to guarantee the security, integrity, and confidentiality of the Data in compliance with the organizational, physical, and logical measures envisaged by the provisions in force. The processing will be carried out in accordance with the principles of correctness, lawfulness, and transparency, in order to protect the privacy and the rights of the interested party (User) at all times in compliance with the current legislation.
The Data Controller declares and guarantees that the Personal Data provided by the User will be processed with the greatest confidentiality and protection, also guaranteeing that the appropriate technical and organizational security measures will be adopted so as to prevent the unauthorized access, disclosure, accidental or improper alteration, loss, or destruction of the Personal Data.
As a health and wellness provider, we understand the sensitive nature of health-related information. When you browse health-related content on our website (such as treatments, conditions, or medical services), this browsing behavior may be considered health-related data under certain privacy regulations.
Special Consent for Health Data: We require explicit consent before tracking any health-related browsing behavior. This consent is separate from general marketing or analytics consent and can be managed in your cookie preferences.
How We Use Health Data: When consent is provided, we may use this data to:
Safeguards for Health Data:
Connection to Form Consent: The "privacy for medical booking" consent you provide in our forms is separate from website tracking consent. Form consent applies to the processing of health data you explicitly provide in forms, while cookie consent applies to tracking your browsing behavior.
Our website uses the following analytics and tracking technologies:
Meta Pixel and Conversions API: We use Meta Pixel and Conversions API to track conversions and measure the effectiveness of our advertising. This technology helps us understand how users interact with our website after seeing our ads on Facebook, Instagram, and other Meta platforms.
Google Analytics: We use Google Analytics to analyze website traffic and user behavior. This helps us understand how users interact with our website and improve our services.
PostHog: We use PostHog to analyze user behavior and improve our website functionality.
For more detailed information about these technologies and how to control them, please refer to our Cookie Policy.
The Personal Data will be stored, in compliance with the provisions of current legislation on the subject, for a period of time not longer than that necessary for achieving the purposes for which they have been collected, processed, and provided. For the purposes of order execution and invoicing and associated obligations, the Personal Data will be stored by the Data Controller for the entire duration of the contractual relationship and for 10 (ten) years following the date of registration of the last invoice pursuant to article 2220 of the Italian Civil Code.
In the event that the processing is necessary for the pursuit of the purposes referred to in letter e) of paragraph III above, the Data Controller may store the Data deemed reasonably necessary to be processed for these purposes, for as long as is necessary for exercising and/or protecting the Data Controller's rights, out of court and/or in court, and in any case no later than the date on which the definitive judgement on any dispute that may have arisen becomes enforceable.
In addition to the Data Controller, in some cases, the Personal Data may also be accessed by subjects involved in the organization of the Data Controller, as well as other subjects, including:
Subjects who typically act as data processors pursuant to article 28 of the GDPR (hereinafter "Data processors"), namely:
i. persons, companies, or professional firms that supply assistance and consultancy activities to the Data Controller in accounting, administrative, legal, tax, financial, and debt collection matters in relation to the orders;
ii. subjects external to the Data Controller who operate on the Data Controller's behalf and provide services and/or carry out connected, instrumental, or support services to those performed by the Data Controller (e.g. couriers and logistics operators, companies operating in the transport sector, hosting providers, system engineering service providers, agents/commercial representatives/business agents/brokers etc., collection service providers, IT companies, associated and/or controlled and/or contracted and/or affiliated companies etc.);
iii. subjects delegated to carry out technical maintenance activities (including maintenance of network equipment and electronic communication networks);
iv. subjects, bodies, or authorities, and independent data controllers, to whom it is mandatory to communicate the Personal Data pursuant to provisions of the law or orders of the Authorities with respect to the purpose of Compliance (e.g., banks, insurance companies, tax registers, judicial authorities, and police);
v. subjects authorized pursuant to article 29 of the GDPR by the Data Controller to process the Personal Data necessary for carrying out activities strictly related to the management and fulfilment of the Orders, as well as to the supply of the Services, who are committed to confidentiality, or have an appropriate legal obligation to confidentiality. These subjects have access only to the Personal Data that are necessary for performing their duties, and with reference to the specific purposes for which the Data have been collected/provided, with the exclusion of the use of the Personal Data for any other purpose.
They are also required to process the Personal Data in compliance with this Information and in accordance with the applicable regulations relating to the protection of Personal Data.
In the event of any future transfer of Personal Data to a third country outside the European Union, or to an international organization, all the provisions of chapter V of the GDPR will be respected, in order to ensure an appropriate level of protection.
The User has the right:
To exercise his/her rights, the Customer may formulate an express written request to the Data Controller to be sent to the following e-mail address: shop@istitutoimage.com; or by PEC (Certified e-mail address) to the address istitutoimagesrl@legalmail.it; or by registered letter to the address of the Data Controller's offices.