Online Purchase

The following information is provided pursuant to the GDPR regarding the processing of personal data supplied for the purpose of purchasing Yamamay products (hereinafter, “Products”) on the e-commerce website https://www.yamamay.com/it_it/ (hereinafter, the “Site”), as further described in the general terms and conditions of sale.

1. Identity and contact details of the data controller

Inticom S.p.A., tax code and VAT no. 02649140122, with registered and operational office at Via Carlo Noè 22, 21013 – Gallarate (VA), e-mail address privacy@yamamay.com, certified e-mail address (P.E.C.) inticomspa@certimprese.it (hereinafter, the “Controller”).

2. Purposes of processing, legal bases and data retention periods

why are personal data processed?	what is the legal basis that makes the processing lawful?	how long do we retain personal data?
a) To allow the purchase of Products on the Site.	The performance of a contract to which the data subject is party.	For the entire duration of the contractual relationship and for the following 10 years, as the ordinary limitation period.
b) To carry out administrative-accounting, tax and any further legal obligations.	Compliance with a legal obligation to which the Controller is subject.	In the event of litigation, for the entire duration of the same and until the expiry of the time limits for bringing appeal actions.
c) For the possible establishment, exercise or defence of the Controller’s rights in judicial and extrajudicial proceedings (including credit protection).	The legitimate interest of the Controller.
d) To store credit card data and, therefore, facilitate further purchase operations for the Products	The consent of the data subject.	Until the card expiry date, without prejudice to the data subject’s right to request deletion of the data at any time
e) To send promotional communications to the customer’s e-mail address regarding Products similar to those sold.	The so-called “soft spam” referred to in art. 130, paragraph 4 of Italian Legislative Decree 196/2003 (“Privacy Code”).	Until objection by the data subject (by clicking on the “unsubscribe” link at the bottom of each communication).
f) To carry out profiled marketing activities: analysis of the behaviours and preferences of data subjects inferred from the data provided by them in combination with data relating to online browsing on the Site (collected through cookies), in order to receive from the Controller promotional content more closely aligned with their interests, through automated contact methods (such as e-mail, instant messaging systems) and/or online advertising banners.	The consent of the data subject	For 4 years, without prejudice to the data subject’s right to withdraw consent at any time

Once the retention periods indicated above have expired, the data will be destroyed, erased or made anonymous, compatibly with the technical deletion and backup times.

3. Provision of data

The data marked with an asterisk are necessary for the purchase of the Products, while the others are optional.

4. Categories of recipients

The data may be communicated to other third parties likewise acting as independent controllers, such as public authorities and professional firms.

The data may also be processed, on behalf of the Controller, by third parties designated as Data Processors pursuant to art. 28 of the GDPR, such as natural and/or legal persons that carry out activities functional to the purposes indicated above (e.g. IT services, communication and marketing services, customer care services), also operating outside the European Union.

In particular, the data will be transferred to the company responsible for the management and maintenance of the Site, namely Shopify, and may also be transferred to its sub-processors established outside the EU. Where such sub-processors are established in countries without an adequacy decision pursuant to art. 45 of the GDPR, the standard contractual clauses adopted by the European Commission pursuant to art. 46, paragraph 2, letter c) of the GDPR will be used as appropriate safeguards, with the possible provision of “supplementary measures” designed to ensure a level of protection substantially equivalent to that required by EU law.

Furthermore, the data are processed by the Controller’s employees - belonging to the corporate functions assigned to the pursuit of the purpose indicated above - who have been expressly authorised to process the data and have received adequate operating instructions.

5. Data subject’s rights

The data subject may exercise the rights set out in Articles 15 to 22 of the GDPR, where applicable, and, in particular, obtain from the Controller confirmation as to whether or not personal data concerning him/her are being processed and, where this is the case, access to the same and to the information referred to in art. 15, rectification of inaccurate data, completion of incomplete data, erasure of data in the cases provided for by art. 17, restriction of processing in the cases provided for by art. 18 GDPR, as well as object, on grounds relating to his/her particular situation, to processing carried out on the basis of the Controller’s legitimate interest.

Furthermore, where the processing is based on consent or on a contract and is carried out by automated means, the data subject has the right to receive the data in a structured, commonly used and machine-readable format, and, where technically feasible, to transmit them to another controller without hindrance (“right to data portability”).

Furthermore, the data subject has the right, at any time, to withdraw the consent given for marketing purposes, as well as to object to processing for that purpose, including the profiling connected thereto. In the case of communications sent by e-mail, the data subject may also object by clicking on the “unsubscribe” link at the bottom of each e-mail.

To exercise his/her rights, the data subject may contact the Controller using the contact points indicated in paragraph 1.

The data subject has the right to lodge a complaint with the competent supervisory authority in the Member State where he/she habitually resides or works, or in the State where the alleged infringement occurred.