Privacy Policy
Privacy Notice - Medspa s.r.l.
This privacy notice governs the collection, use and processing of the customers’ and users’ (“Customer” or “you”) personal data by the Data Controller when accessing the Data Controller’s Website at www.miamo.com (“Website”) and ordering products on the Website.
Interpretation: Throughout this privacy notice, references to "GDPR" mean the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation (as incorporated into UK law by the Data Protection Act 2018), as applicable to the Customer.
Moreover, throughout this privacy notice, references to the FADP mean the Swiss Federal Act on Data Protection (SR 235.1) as amended from time to time and as applicable to Customers in Switzerland.
Data Controller
The Data Controller is Medspa s.r.l., represented by the legal representative, located at Corso Sempione n. 17, Milan (“Data Controller”, “Medspa” or “We”).
Phone: +39 081/19569101, Email: privacy@medspa.it, PEC: medspa.srl@pec.it
Joint Data Controllers for International Purchases
Medspa has appointed ESW as merchant of record for processing and executing sales to Customers outside of Italy. If a Customer’s habitual or place of residence is outside of Italy and such a Customer makes a purchase on the Website, ESW becomes the contractual partner of the Customer. ESW is therefore responsible for certain operations related to the sales process, including order collection and management, checkout services, consumer support and returns services.
For all Customers purchasing a product on the Website from outside Italy, the joint data controllers are Medspa s.r.l., represented by the legal representative, located at Corso Sempione n. 17, Milan and U.S. Direct E-Commerce Limited trading as ESW, a company registered in Ireland under company registered number 479237 and with its registered office at South Block, The Concourse Building, 110-115 Airside Business Park, Swords, County Dublin, Ireland, email: miamo_support@esw.com (“ESW”) (Medspa and ESW collectively referred to as “Joint Data Controllers”).
As Medspa and ESW consider themselves joint controllers in terms of certain Customer data, they have entered into a joint controller agreement setting out their mutual obligations in terms of the processing of Customer personal data. A copy of the joint controller agreement is available upon request by the data subject.
Essence of the Joint Controller Agreement
In the joint controller agreement, the Joint Data Controllers agreed that each party shall comply with its obligations under applicable data protection laws. In terms of jointly controlled and processed personal data of Customers, Joint Data Controllers agreed that ESW shall only process such jointly controlled personal data of Customers for the purposes of providing the agreed services to Medspa and to fulfill its obligations towards the Customers that derive from the distance sales contracts concluded between ESW and Customers on the Website. In particular, ESW shall implement and maintain appropriate technical and organizational measures to protect the jointly controlled personal data and inform the data subjects about the data processing operations relating to the jointly controlled personal data in accordance with applicable data protection laws. Each party is obliged to fulfill its information obligations towards Customers.
In the event that the Joint Data Controllers receive a request from a data subject concerning the exercise of one or more of their data subject rights under applicable data protection laws, the Joint Data Controllers agreed that the receiving party shall be obliged to manage such request and, where necessary, seek assistance from the other party. Where such request concerns the rectification or erasure of the jointly controlled personal data or the restriction of the processing, the receiving party shall, without undue delay, communicate this request to the other party.
In addition, the Joint Data Controllers agreed that they shall cooperate with and support each other to the extent necessary to comply with any requests from competent data protection authorities regarding the processing of the jointly controlled Customer data. ESW shall also support and cooperate with Medspa in terms of Medspa’s information and notification obligations (e.g., in the event of a data breach or under Article 13 GDPR and Article 19 FADP), and regarding Medspa’s obligation to demonstrate its and its partners’ compliance with applicable data protection laws. Moreover, ESW is obliged to notify Medspa of any legally binding disclosure requests ESW receives from law enforcement authorities, courts or governmental bodies concerning the jointly controlled Customer data, unless such notification is prohibited.
DPO Contact Information
The Data Protection Officer (“DPO”) can be contacted at: dpo@medspa.it
Purposes of Processing and Data Used to Achieve these Purposes
Web Service Provision
When accessing the Website, we automatically collect the following technical information, which is automatically transmitted by your browser: your IP address, date and time of accessing our Website, time zone difference to Greenwich Mean Time (GMT), content of the request (i.e., the page you visited), access status/HTTP status code, amount of data transferred, previously visited website, browser, operating system, language and version of the browser software (“Technical Data”).
This Technical Data and information is collected to ensure the correct functioning, security and use of the Data Controller’s website and to provide the Website to our Customers.
Data collection occurs automatically when the Website is accessed and the collection and processing is technically necessary to provide our Website.
Data will be retained for a maximum of 12 months. The legal basis for the collection and processing of the Technical Data is the legitimate interest of the Data Controller (Art. 6 (1) lit. f) GDPR).
Online Purchases
For the completion, fulfillment and performance of the purchase contracts for the products concluded with the Customer on our Website, it is necessary that we collect various personal data from the Customer. In this context, the Data Controller (and for purchases outside Italy, the Joint Data Controllers) collects the following data:
- Contact Data such as the Customer’s first and last name, address, additional delivery address (if any), email address and phone number (“Contact Data”);
- Payment Data such as the details of the Customer’s credit card (card number, expiry date, security code, credit card type), information on the payment service provider used by the Customer (e.g. PayPal, Apple Pay, Google Pay or Klarna), whether the Customer used immediate wire transfer or Satispay to pay the purchase price, or whether the Customer wishes to pay cash on delivery (if available) (“Payment Data”);
- Transaction Data such as the products ordered, Tax Code if an invoice is requested, samples selected during the ordering process, prices, discounts, discount and gift card codes, shipping method and shipping costs, and the outcome of the transaction (“Transaction Data”).
Purchases made through the Website are protected by appropriate security systems (e.g., HTTPS Protocol).
Payment management services allow the Data Controller or the Joint Data Controllers to process payments via credit card, bank transfer, or other methods (e.g., Paypal, Scalapay, Klarna, Doofinder, CDN systems, etc.).
Some of these services may also involve the sending of messages to the Customer, such as invoices or payment notifications. Customers are advised to review the relevant privacy notices available on the service provider’s web pages. Service providers may process the Contact Data, Payment Data and Transaction Data as independent data controllers. The Joint Data Controllers will inform Customers of external service providers before sharing data with them.
Providing the Contact, Payment and Transaction Data is necessary to receive the requested service and for the fulfillment of the contract concluded with the Customer.
Data will be retained for 10 years in compliance with tax and contractual documentation retention laws.
Legal basis: Compliance with contractual obligations, and fulfillment and performance of the contract concluded with Customers (Art. 6 (1) lit. b) GDPR).
Receiving Information and Consultation Requests
Data (name, surname, phone number, email, photo, preferences, residence, order number) will be collected to handle contact, interaction, or product consultation requests, voluntarily submitted through web forms (“Consultation Data”).
An external application (e.g., WhatsApp) may be used to manage requests. In such cases, the application provider may process the Consultation Data as an independent data controller.
The Data Controller will inform Customers of external applications before sharing data.
Providing data is optional.
Consultation Data will be retained for as long as necessary to manage the request, provided that further retention of the Consultation Data is not required for other purposes or longer statutory retention obligations apply.
Legal basis: Execution of contractual and pre-contractual activities at the request of the data subject and fulfillment and performance of the contract concluded with the Customer (Art. 6 (1) lit. b) GDPR).
Appointment Booking
The Data Controller processes the Customer’s Contact Data to request and manage an appointment with our consultants.
Providing data is optional.
Data will be retained for as long as necessary to manage the request, provided that further retention of the data is not required for other purposes or longer statutory retention obligations apply.
Legal basis: Execution of contractual and pre-contractual activities at the request of the data subject and fulfillment and performance of the contract concluded with the Customer (Art. 6 (1) lit. b) GDPR).
Participation in Data Controller’s Initiatives (e.g., prize competitions and/or points collection)
Customers’ data such as Contact Data and Transaction Data will be processed to manage Customers’ participation in prize competitions and/or points collection organized by the Data Controller.
Providing data is optional, but refusal will prevent participation.
Data will be retained for the duration necessary to manage the Data Controller’s initiative. Data necessary for legal compliance will be retained for 10 years (e.g. to comply with statutory retention periods).
Legal basis: Execution of contractual and pre-contractual activities at the request of the data subject (Art. 6 (1) lit. b) GDPR).
Creation of a Miamo Lovers Account (User Account)
Users can join the "Miamo Lovers" community by creating a personal account through the Website. For the creation of the user account, the Data Controller collects and processes the Customer’s Contact Data. In addition, the Data Controller may link the Customer’s Transaction Data with his or her user account.
The community has a commercial purpose, allowing access to promotions, discounts, and personalized offers.
Creating a "Miamo Lovers" account is optional and intended to manage the contractual relationship and enhance the customer experience.
During the registration process and subsequently within their user area, the data subject may optionally give their consent to receive commercial communications for marketing purposes from the Data Controller, in order to benefit from offers dedicated to Community members.
Communications relating to the management of the Miamo Lovers Account may be sent by email, SMS or instant messaging, where the Customer has provided the relevant contact details upon registration or subsequently within their user area.
Data will be retained until the account is deleted. Afterward, only data necessary for legal compliance (e.g. compliance with statutory retention periods) and for the fulfillment of the contracts concluded with Customers will be kept. The Data Controller reserves the right to verify the user’s interest in maintaining their account in case of prolonged inactivity. The Data Controller may delete inactive accounts, following prior notice. Data subjects can update their personal data at any time.
Consent can be withdrawn at any time, without affecting the lawfulness of the processing carried out before the withdrawal based on the given consent. The data subject may withdraw their consent by clicking the “unsubscribe” link included in the marketing email or by sending an email to privacy@medspa.it.
Legal basis: Compliance with contractual obligations and performance of the contract concerning the “Miamo Lovers Account” and associated services and consent in terms of the marketing activities associated with the “Miamo Lovers Account”.
Skin Test
The Data Controller collects data such as [age range, sex, skin type] via a dedicated web page to perform a skin evaluation and provide a report on potential issues and suggested solutions.
Sensitive data related to health, such as skin issues, may be collected during the test for the purpose of diagnosis and treatment (Art. 9(2) lit. h) GDPR). Providing data is optional.
If the process is completed without requesting the final report, data will be immediately deleted.
If the report is requested, data will be retained for 36 months for periodic user comparison.
Legal basis: Pre-contractual activities at the request of the data subject and performance of the contract concerning the conduct of skin tests and the evaluation and provision of a report on potential issues and suggested skin care and improvement solutions (Art. 6(1) lit. b) GDPR). For the processing of the Customer’s health data, the legal basis is Art. 9(2) lit. h), (3) GDPR.
Concerning the sensitive personal data (Article 5 lit. c) of the FADP) of Customers in Switzerland, this data will only be collected with their explicit consent (Article 6(7) lit. a) of the FADP).
Customer Review
The Data Controller may send emails to the Customer asking them to leave a review on services and/or products.
The Data Controller collects data such as pseudonym (name under which the review will be published, which may differ from the registration name), review title and text of the review.
These processing activities aim to improve products offered.
Providing data is optional. Data will be retained until consent is withdrawn or for 3 years, whichever occurs first.
Legal basis: consent. Consent can be withdrawn at any time, without affecting the lawfulness of the processing carried out before the withdrawal based on the given consent. The data subject may withdraw their consent by sending an email to privacy@medspa.it.
Marketing Activities
A) Direct Marketing:
The Data Controller may send advertising messages via email, WhatsApp, SMS, messaging apps, postal service, social networks, and newsletters, upon consent and by using and processing Customers’ Contact Data.
Personal data will be processed for marketing purposes until the data subject withdraws their consent and, in any event, for a maximum period of 12/24 months from the date consent is provided.
Before the expiry of this period, the Data Controller may request a renewal of consent (so-called consent refresh mechanism) in order to verify the data subject’s continued interest in receiving marketing communications.
Personal data that are also processed for other purposes (e.g., contact details necessary for the performance of a contract) will be retained for the period strictly necessary to fulfil those purposes, in accordance with applicable data protection laws.
Providing data is optional.
Legal basis: the Customer’s prior consent. Consent can be withdrawn at any time, without affecting the lawfulness of the processing carried out before the withdrawal based on the given consent. The data subject may withdraw their consent by clicking the “unsubscribe” link included in the marketing email or by sending an email to privacy@medspa.it.
B) Soft Spam:
The Data Controller may send promotional emails for products or services similar to those previously purchased, if the Customer was informed accordingly in conjunction with the purchase of a product or service and did not object to the receipt of such promotional emails.
Opposition to processing can be communicated via email to privacy@medspa.it or by using the “unsubscribe” button/link at the bottom of our marketing emails.
Legal basis: Legitimate interest under Art. 6 (1) lit f) GDPR (and in conjunction with Article 130(4) of Legislative Decree 196/03 for Italy).
If the Customer opts out of receiving marketing communications, he/she will still receive service-related communications that are essential for administrative or customer service purposes, for example relating to order confirmations, appointment reminders, updates to our terms and conditions, or checking that your contact details are correct.
“Member get Member” Program
Personal data may be processed in connection with the “Member-get-Member” referral program. In particular, registered users may use the referral link available on the Website and share it with their contacts.
The Data Controller will process the personal data of the user who independently and freely shares the referral link with third parties solely for the purpose of verifying their registration and account and, where applicable, granting them the benefits provided under the initiative.
The personal data of the invited individual who registers will be processed as described above in relation to the creation of an account.
The provision of personal data is optional.
Personal data will be retained until the closure of the user’s account.
Legal basis: the processing is based on the Data Controller’s legitimate interest pursuant to Article 6(1)(f) of the GDPR.
Corporate Transactions
Personal data may be processed in connection with, or during, negotiations relating to corporate transactions involving all or part of the Data Controller’s business.
Such processing is necessary for the legitimate interest of the Data Controller in pursuing and executing corporate transactions. Personal data processed for these purposes will be retained for the duration necessary to manage the completion of the transaction.
Legal basis: legitimate interest of the Data Controller (Article 6(1) lit. f) of the GDPR).
Cookies and Tracking Technologies
The Data Controller may use cookies and other tracking technologies on the Website (e.g., web beacons or tracking pixels). Further information on the cookies and tracking technologies used on the Website can be found in our cookie notice, accessible at: https://miamo.com/eu_en/privacy-policy-cookie-restriction-mode.
The Data Controller confirms that no automated decision-making processes, including profiling pursuant to Article 22 of the GDPR and Article 21 of the FADP, are carried out.
Recipients of Customers’ Personal Data
In addition to the cases expressly mentioned in this privacy notice, the Data Controller may share Customer personal data with third parties only with the Customer’s prior consent or if this is permitted and required by law.
The Data Controller may share Customer personal data with the following recipients for the following purposes:
- Technical Data, Contact Data, Payment Data and Transaction Data with persons engaged in the conduct of the Data Controller’s business and operation of the Website to the extent necessary (shipping and delivery companies, auditors, financial institutions, insurance companies, legal advisors, regulators, parties involved in acquisitions or the establishment of joint ventures) based on the Data Controller’s legitimate business interest (Art. 6 (1) lit. f) GDPR) or to fulfill the contract with the Customer (Art. 6 (1) lit. b) GDPR).
- To the extent necessary to investigate unlawful or abusive use of the Website and services, for legal defense or enforcement, and to investigate criminal offenses, Technical Data, Contact Data, Payment Data and/or Transaction Data may be disclosed to law enforcement or other authorities and, if necessary, to harmed third parties and legal counsel. However, the Data Controller will only forward your data if there are indications of illegal or abusive behavior and upon binding request. The Data Controller may also share it, particularly with its legal counsels and advisors, if necessary to enforce our terms and conditions of sale or other legal claims. In addition, the Data Controller may be required by law to provide information about personal data at the request of certain public authorities. This typically includes requests from law enforcement authorities, authorities that prosecute administrative offenses subject to fines, and tax authorities. The Data Controller may also disclose Customer data to authorized third parties if the Data Controller is permitted to do so by law (e.g., in the case of (third-party) information claims for intellectual property rights infringement) or if the Data Controller is required to provide information by an administrative or court order. The legal basis for the disclosure of the Customer’s personal data is either compliance with a legal obligation which applies to the Data Controller (Art. 6 (1) lit. c) GDPR) or the Data Controller’s legitimate interest pursuant to Art. 6 (1) lit. f) GDPR: where there are indications of unlawful or abusive behavior, the Data Controller has a legitimate interest in disclosing the data to enforce the terms and conditions of sale, the Data Controller’s own legal claims or those of third parties, and the Data Controller’s interests outweigh the Customer’s interest in protecting their personal data.
- Contact Data, Payment Data and Transaction Data may be shared with and disclosed to ESW by the Data Controller in order to enable and support ESW in fulfilling the contract concluded between the Customer and ESW if the Customer has his or her habitual or place of residence outside of Italy and makes a purchase on the Data Controller’s international Website (Art. 6 (1) lit. b) GDPR). The Data Controller and ESW consider themselves joint controllers within the meaning of Art. 26 GDPR and have concluded a corresponding agreement, which can be requested by using the contact details of the Data Controller in this privacy notice.
- The complete list of recipients is available upon request; please write an email to: privacy@medspa.it
Data Transfers to Third Countries
The Data Controller does not intend to transfer Customer personal data to third countries outside the European Union, the United Kingdom, Switzerland or the United States.
Should the Data Controller transfer personal data to third countries outside the European Union, it/they will do that, where necessary, by:
- ensuring that the country to which the personal data are transferred provides an adequate level of protection, in accordance with Article 45 of the GDPR and Article 16(1) of the FADP; or
- relying on the Standard Contractual Clauses approved by the European Commission for the transfer of personal data outside the EEA, adopted pursuant to Article 46(2) of the GDPR, or, for Customers based in Switzerland, standard data protection clauses that the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) has approved, issued or recognized beforehand pursuant to Article 16(2) of the FADP.
Data Subject Rights
Under Articles 15-22 of the GDPR and Articles 25-28, 32 of the FADP, data subjects have the right to:
- Right of access: the data subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the personal data (Article 15 of the GDPR and Article 25 of the FADP);
- Right to rectification: the data subject has the right to obtain the rectification of inaccurate personal data concerning them and to have incomplete personal data completed (Article 16 of the GDPR and Article 32(1) of the FADP);
- Right to erasure (“right to be forgotten”): the data subject has the right to obtain the erasure of personal data concerning them where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where consent is withdrawn or the data subject objects to the processing, where the personal data have been unlawfully processed, or where erasure is required to comply with a legal obligation, or, for Customers in Switzerland, if the data were obtained or used in a way that is contrary to the processing principles of transparency or good faith (Article 17 of the GDPR and Article 32(2) lit. c) of the FADP);
- Right to restriction of processing: the data subject has the right to obtain restriction of processing where one of the following applies: the data subject contests the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims; the data subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the data subject or, for users in Switzerland, whether the data processing complies with the proportionality principle (Article 18 of the GDPR and Article 32(2) lit. a) of the FADP);
- Right to object: the data subject has the right to object, at any time, to the processing of personal data concerning them which is based on Article 6(1) lit. e) or lit. f) of the GDPR, including profiling, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims (Article 21 of the GDPR and Article 32(2) lit. a) of the FADP);
- Right to data portability: the data subject has the right to receive the personal data concerning them, which they have provided to a Data Controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where the processing is based on consent or on a contract (Article 20 of the GDPR and Article 28 of the FADP);
- Right to withdraw consent: whenever the Data Controller bases the processing of Customer personal data on the Customer’s consent, Customers can withdraw their consent at any time, without affecting the lawfulness of the processing carried out before the withdrawal based on the given consent. Data subjects may withdraw their consent by sending an email to privacy@medspa.it;
- Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR);
- Other rights for data subjects in Switzerland: the data subject may request that no personal data be disclosed to third parties (Article 32(2) lit. b) of the FADP). If neither the accuracy nor the inaccuracy of the relevant personal data can be established, the data subject may request that the data is marked as disputed (Article 32(3) of the FADP). The data subject may also request that any correction, deletion or destruction, prohibition of processing or disclosure to third parties, marking as disputed or judgment is communicated to third parties or is published (Article 32(4) of the FADP).
To exercise these rights, contact: privacy@medspa.it or the DPO dpo@medspa.it.
Where the data subject considers that the processing of personal data relating to them infringes the GDPR or the FADP for data subjects in Switzerland, they have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. In Italy, the competent supervisory authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali), or the data subject may seek a judicial remedy before the competent courts. In the United Kingdom, the data subject has the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). In Switzerland, the data subject has the right to make a complaint to the FDPIC, the independent authority responsible for matters relating to data protection and freedom of information (https://www.edoeb.admin.ch/en/report-form-data-subjects) or the data subject may seek a judicial remedy before the competent courts.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
For data subjects in Switzerland, if providing the information involves a disproportionate cost, we may require you to contribute to the costs in an appropriate manner. The contribution may not exceed CHF 300. We shall notify you of the amount of the contribution before providing the information.
Information we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Deadline
For data subjects in Switzerland, we shall provide you with the information within 30 days of receipt of the request. If it is not possible to provide the information within 30 days, we shall notify you of this and of how long it will take to provide the information. If we decide to refuse, restrict or defer the right of access, we shall notify you of such decision within the same deadline.