Privacy Policy

Data Controller

The Data Controller is Medspa Ltd, acting through its legal representative, with registered office at 17 Corso Sempione, Milan.
Tel. 081/19569101, email: privacy@medspa.it, certified email (PEC): medspa.srl@pec.it

DPO Contact Details

The Data Protection Officer (DPO) can be contacted at the email address: dpo@medspa.it

Processing Purposes: Web Service Provision

Data and information are collected to allow the correct functioning and use of the Data Controller's website (operational data, statistical data, security information, etc.). Collection occurs automatically when the website pages are opened.
Data will be stored for a maximum of 24 months.
Legal Basis: Data Controller's legitimate interest

Online Purchases

Data is collected to process and complete product purchase transactions. Purchase operations on Medspa Ltd web pages are protected by suitable security measures (e.g., the HTTPS protocol). Payment management services allow the Data Controller to accept payments via credit card, bank transfer, or other methods (e.g., PayPal, Scalapay, Klarna, Doofinder, CDN systems, etc.). Payment data is acquired directly by the selected payment service provider and is not processed by the Data Controller, which receives only the transaction outcome. Some of these services may also send scheduled messages to the User, such as emails containing invoices or payment-related notifications. Users are advised to review the respective privacy information on the service provider's web pages. Data provision is necessary to provide the requested service. Data will be stored for 10 years in compliance with the regulations on document retention for tax and contractual purposes.
Legal Basis: Fulfillment of contractual obligations

Receiving Requests

Data is collected to handle contact or interaction requests sent spontaneously through the forms on the website (e.g., the "Contact Us" section or "Chat with Us"). An application external to the website (e.g., WhatsApp) may be used to manage requests, in which case the data may become known to the application's operator, who may process it as an independent data controller. Medspa Ltd will give notice of the use of external applications before any data is shared. Data provision is optional. Data will be stored for the time necessary to manage the request.
Legal Basis: Exercise of contractual and pre-contractual activities at the data subject's request

Appointment Booking

Data is processed to request and manage appointments with our consultants. Only contact details are processed. Data provision is optional. Data will be stored for the time necessary to manage the request.
Legal Basis: Exercise of contractual and pre-contractual activities at the data subject's request

Participation in the Data Controller's Initiatives, such as Contests and/or Points Collections

Your data will be processed to manage your participation in contests and/or points collections organized by the Data Controller. Data provision is optional, but failure to provide the data will make it impossible to participate in these initiatives. Data will be stored for the time necessary to manage the initiative. Only the data necessary to fulfill legal obligations will be retained for 10 years.
Legal Basis: Exercise of contractual and pre-contractual activities at the data subject's request and compliance with legal obligations (Adherence to Regulations)

Creation of a Miamo Lovers Account

Through the website, you can join the "Miamo Lovers" Community by creating a personal account. The Community serves commercial purposes: registration gives access to promotions, discounts, and personalized offers. Creating a "Miamo Lovers" account is not mandatory; it is an optional service offered by the Data Controller to manage the contractual relationship and improve the Customer's commercial experience. Registration implies consent to the Data Controller's marketing activities, which enables access to the offers dedicated to Community participants (see point no. 8). Data will be stored until an account deletion request is received. Subsequently, only the data necessary to fulfill legal obligations will be retained.
Legal Basis: Fulfillment of contractual obligations (Adherence to Terms and Conditions) and consent

Skin Test

Data is collected to perform a skin assessment via the dedicated webpage and to provide a report on any issues identified and the proposed solutions. During the test, special categories of data (data suitable for revealing the data subject's state of health) may be collected for the purposes of diagnosis and treatment (Art. 9, paragraph 2, letter h of the GDPR). Data provision is optional. Sending the final report involves sending commercial advice and therefore requires consent to the Data Controller's marketing activities, as described in the "Marketing" section of this document. If the procedure ends without a request for the final report, the data is deleted immediately. If the procedure ends with the final report, the data will be stored for months so that the User can periodically compare the status of the treatment. Data deletion can be requested at any time as described in the "Data Subject Rights" section of this document.
Legal Basis: Exercise of pre-contractual activities at the data subject's request

Customer Experience

The Data Controller may contact the Customer by email or telephone to collect information about the quality of the service provided. This processing aims to improve the products and services covered by the contract and to tailor the offer to customer needs. Data provision is optional. Data will be stored for months and then archived in anonymized form for statistical and service quality control purposes.
Legal Basis: Data Controller's legitimate interest

Marketing

Data is processed for the communication of commercial information (marketing). The Data Controller's marketing activities may include:

A) Data Controller's Marketing: The Data Controller may send advertising communications via email, WhatsApp, SMS, messaging apps, postal service, social networks, and newsletters, provided the respective data (email address, telephone number, residential address/domicile, etc.) has been supplied. Data provision is optional and requires prior consent. Data will be stored until consent is revoked.
Legal Basis: Consent

B) Third-Party Marketing: The Data Controller may transmit the data subject's data to third parties for their own autonomous marketing activities. In the case of Medspa Ltd, data may be transmitted to partner companies for autonomous marketing activities. Third-Party Marketing is optional processing carried out only with prior consent. Data will be stored until consent is revoked.
Legal Basis: Consent

C) Soft Spam: The Data Controller may send promotional communications by email or postal service to existing customers to advertise products or services similar to those previously purchased. It is always possible to object to this processing by sending a communication to privacy@medspa.it. Data will be stored until an objection is received.
Legal Basis: Data Controller's legitimate interest pursuant to Art. 130, paragraph 4, of Legislative Decree 196/03

Data Disclosure to Third Parties

Data may be communicated to third parties where required by legal obligations.
Your data may also be communicated to companies that, on behalf of Medspa srl (Data Processors pursuant to Article 28 of the GDPR), perform activities such as IT system management, server hosting, cloud services, accounting, debt collection, credit rating, etc.
In pursuit of the purposes described above, data may also be communicated to third parties acting as independent data controllers, such as banks handling payments and couriers and carriers handling shipments and deliveries. The list of such third parties can be obtained by contacting the Data Controller at the contact details provided in the Data Controller section.
Dissemination of personal data is not foreseen unless expressly authorized by the data subject.

Automated Processes

No decisions based solely on automated processing are made. All processes involve the assistance of a human operator.

Data Transfer to Non-EU Countries

The website pages and related applications may share the collected data with services located outside the European Union. The Data Controller verifies that an appropriate legal basis exists for each transfer of data outside the EU. For data transfers resulting from cookie activity, please refer to the Cookie Policy.

Data Subject Rights

Pursuant to Articles 15-22 of the GDPR, the data subject has the right to:

  a) access the data and obtain a copy of it;
  b) obtain rectification;
  c) obtain erasure;
  d) obtain restriction of processing;
  e) object to processing;
  f) receive the data in a structured, commonly used, and machine-readable format and transmit it to another controller without hindrance, where technically feasible;
  g) withdraw consent.

The data subject also has the right not to be subject to a decision based solely on automated processing.
For more information on the processing and to exercise the above rights, you may send a communication to the email address privacy@medspa.it. In case of a violation in the processing of personal data, the data subject may lodge a complaint with the Data Controller, the Data Protection Authority, or the competent Judicial Authority.