Information on EU GDPR 2016/679

November 2021

 

The Data Controller responsible for your personal data guarantees that they scrupulously respect the privacy of the customers and users of this Platform. On this page, you will find a transparent, detailed and exhaustive description of how the Platform manages and processes its users’ personal data.

The Data Controller, in order to provide the best possible service and personalization for each user, needs to gather some information about the users of this Platform. On this page, we will provide all information about our policy regarding the collection, disclosure and use of the personal information shared by our users.

This privacy policy (also referred to as “Policy”) complies with EU Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing* of personal data, as well as the free circulation of such data (General Data Protection Regulation, hereinafter referred to as “GDPR”), with reference to the processing of personal data of users of the website “www.book-à-porter.com” (also referred to as the “Platform”) by the Data Controller.

This Policy does not refer to the services offered by third parties (accessible via links on this platform) and to their processing of personal data.

We recommend that you read carefully, on these third parties’ web pages, how they process and possibly share the personal data of their users.

The Data Controller has no control over these third parties and therefore declines any responsibility regarding the processing of personal data of users that is carried out through such third parties.

This Policy will be subject to additions or changes in order to keep it up to date with the law and appropriate to any technical changes made to the Platform or to any changes in the purposes or methods of data processing.

The Data Controller will inform you with appropriate notifications of any changes, but we recommend that you periodically check this page to stay updated. Any updated versions of this Policy, which will bear the date on which they were updated, will be promptly published on this web page and will become effective immediately after publication.

* By “Processing” we refer to: any operation or set of operations, performed with or without the use of automated processes and applied to personal data, or to sets of personal data, such as collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.

***

 

1. Data controller

The Data Controller is Book-à-Porter by Valentina Morotti, e-mail: bap@book-a-porter.com, also referred to as “Data Controller”. The list of any external data processors may be requested by sending a simple written request to the Data Controller at the addresses indicated above.

2. Purpose of the processing
The personal data of the users of the Platform will be used by the Data Controller to provide the services offered by the Platform and to customize and continuously improve the use of the Platform by the user, as explained below.

If the User is under 18 (eighteen) years of age or does not have the legal capacity to act, this Policy is addressed to the person appointed under Italian law, who is the only person qualified to provide the relevant express consent.

3. Types of data subject to processing

Personal data that will be collected and processed by the Data Controller may belong to one or all of the following categories:

  • personal data and/or contact details (by way of example and without any limitation: name, surname, address, e-mail address, telephone, shipping address, etc.) communicated in the registration phase to the Platform (or later, where required for the execution of specific services);
  • data on how the users use the Platform and data relating to the user’s habits and preferences (for example the number and frequency of orders, consumption preferences, purchase habits, etc.);
  • additional information provided by the user using the forms on the Platform;
  • any information provided during navigation, including the so-called technical and/or profiling cookies, etc.;
  • information relating to user navigation within the Platform;
  • information relating to technical and/or profiling cookies.

Data related to payments made by the User will not be stored. For the privacy policy of the payment system, visit WooCommerce.

3.1 Browsing data and Cookies

3.1.1 Navigation data

The telematics and information systems used to operate the Platform automatically acquire, during their normal operation, some personal data relating to the users and how they navigate the Site. The Platform collects some personal data related to the user’s navigation, by way of example and without any limitation:

  • the IP address;
  • the number of accesses;
  • the duration of the navigation;
  • the browser used;
  • the pages displayed;
  • the date and time when the access occurred;
  • additional parameters relating to the operating system used by the user to connect to the Platform;
  • etc.

Navigation data are collected exclusively for the purpose of obtaining anonymous statistical information about the use of the Platform and to check its correct functioning. However, by their very nature, they could allow the User to be identified through processing and combination with data held by third parties.

Under no circumstances are navigation data used for marketing purposes, nor are they used to define the profiles or the personality of the interested party, to send advertising, to carry out market research or commercial communication. They are only temporarily stored by the Data Controller as foreseen by the law.

The legal basis for these treatments is the pursuit of the legitimate interest of the Data Controller (article 6.1-f of the GDPR).

3.1.2 Cookies

A cookie is a small text file embedded in your hard drive by the server of the site you are visiting. This file is neither a virus nor spyware. Cookies are used to make surfing on the web easier for you. What actually happens when you visit an online shop for the first time is that the site’s server sends a file to your computer, which installs itself automatically on the disk. Thanks to this cookie, you will be recognised the next time you visit the same site and you won’t have to enter all your details again.

Types of cookies:

A cookie can be classified by its lifespan and the domain to which it belongs. By lifespan, a cookie is either a:

– Session cookie which is erased when the user closes the browser or

– Persistent cookie which remains on the user’s computer/device for a pre-defined period of time.

As for the domain to which it belongs, there are either:

– First-party cookies which are set by the web server of the visited page and share the same domain

– Third-party cookies stored by a different domain to the visited page’s domain. This can happen when the webpage references a file, such as JavaScript, located outside its domain.

Most browsers accept Cookies. However, you can modify your browser settings to decline Cookies, disable existing ones, or simply be notified when a new Cookie is sent to your device. Please note that by declining or disabling Cookies, you may lose some of the features of the Website.

If you use other devices to access the Website such as computers, smartphones, tablets, etc. you should ensure that each browser on each device is adjusted to suit your preferences relating to Cookies.

You can find information on how to do this in the browsers you use (the following links are the most used):

The technical Cookies we use on our site are strictly linked to the performance of the site itself and we have grouped them into these main categories:

1) Essential cookies or those required for browsing:

These are for internal use only, essential for the basic operation of our site, such as those which give the user access to the site as a registered user both when logging in for the first time and on subsequent occasions. If you disable these Cookies we cannot guarantee that you will be able to use all the features and services of our site.

2) Analytics Cookies

These are cookies used by us and by third parties (see third-party Analytics Cookies) to collect anonymous statistics and help us understand how visitors interact with our Website, by providing information on the areas visited, the time spent on a specific Web page and the number of clicks made. This information enables us to improve our performance as well as avoid fraud and improve the security of our Website.

3) Third-party Analytics Cookies

Third-party services used on this Website and Additional Information

Google Analytics (Google Inc.): http://www.google.com/policies/privacy/

4) Performance Cookies

Improve user experience: we use these Cookies to provide services that you have asked for, such as watching a video, commenting on a blog or interacting with third-party services such as social media. Storing your preferences enables our Website to activate specific personalised features.

The above technical Cookies do not require prior consent by the user to be installed and implemented. On the contrary, profiling Cookies require prior consent as they are used to track the user’s browsing activity and to create a profile based on his/her preferences in order to send advertising messages online.

6) Promotional or targeting Cookies: Targeted Advertising managed by third parties

Targeted advertising Cookies managed by third parties can be stored on the user’s device by third-party advertisers, advertising networks, data exchange services, marketing studies, and other service providers. Targeted advertising Cookies managed by third parties collect information about the user’s browsing activity on the various Websites and online services in order to provide the user with relevant advertisements on our Websites and online services as well as those of third parties. Advertising networks may share this information with advertisers using their network. The information collected using these Cookies for targeted advertising managed by third parties does not identify the user personally.

Third-party services used on this Website and Additional Information:

AdWords Remarketing is a Remarketing and Behavioural Targeting service supplied by Google Inc. which links the activities of this Application with the AdWords advertising network and the DoubleClick Cookie. Personal data collected: Cookies and User Data. Place where data is handled: USA – Privacy Policy – Opt Out.

The legal basis for these treatments is the pursuit of the legitimate interest of the Data Controller (article 6.1-f of the GDPR) or, depending on the case, the execution of an explicit consent (Article 6.1-a).

3.1.3 Management of cookies policy

If the user wants to check which cookies are installed on their device, and possibly modify their choices, they can independently modify the privacy settings in the control panel of their browser and/or visit this site.

To check, and possibly modify, your choices regarding ‘Online behavioral advertising’ (that is the mode that allows third parties to send advertising messages on the websites that the user visits, making them more in line with the needs and the interests of the user) it is advisable to visit the following link where there is information and tools to perform these operations: www.youronlinechoices.eu.

Disabling the services that install cookies could compromise the possibility for the user to use the Platform and/or prevent the user from using some or all of the services and features offered.

The duration of cookies depends on their nature:

  • session cookies are deleted when the user closes their browser;
  • persistent cookies may have different expiration dates set by the cookie creator. To check the duration of each cookie you can use tools such as ‘Wappalyzer’ (free download at this link).

3.2 Data provided voluntarily

The data that the User provides voluntarily by sending an e-mail to the addresses indicated on the Platform (or by completing and sending the forms on the same) will be acquired by the Data Controller.

In particular, in addition to the User’s e-mail address, which is necessary to reply, any other personal data contained in the electronic communication will be acquired.

These data will not be disclosed or communicated to third parties, nor will they be used to define the profile or the personal identity of the User. Besides, they will not be used for direct or indirect commercial or advertising purposes and, in any case, they will be kept exclusively for the purposes of storage.

The legal basis for these treatments is the pursuit of the legitimate interest of the data controller (article 6.1-f of the GDPR).

3.3 Data processed in relation to the use of services accessible through the use of credentials

The data provided to access services that require the use of credentials, together with the User’s physical address, may be processed:

  a) to invoice the purchase of services and/or of products requested by the registered user;
  b) to send to the registered user updates (also personalized) on the activities of the Data Controller, in particular on new services, special offers, new products, surveys, opinions and other types of communication relating to the services of the Data Controller;
  c) for marketing activities carried out by the Data Controller, such as, by way of non-exhaustive example: updates (also personalized) by email on the activities/products/initiatives/promotions of the Data Controller, statistical or commercial research, etc.;
  d) for any purpose connected to the execution of the services offered by the Platform.

Failure to provide personal data will not entail any consequences for the registered User. The only consequence will be the impossibility to fulfil the order in case the User does not provide the data required to fulfill the latter.

The legal basis for these treatments is the fulfillment of the contract (Article 6.1-b of the GDPR) or, depending on the case, the fulfillment of a legal obligation to which the Data Controller is subject (Article 6.1-c of the GDPR).

We will also use your data:

  • if you provide us with appropriate consent by clicking the checkbox “I expressly consent to the collection of personal data for profiling purposes”, to study your interests and define your individual and/or group profile. This activity allows us to send you (where you have consented to receive our communications for advertising and commercial purposes) updates on our activities (even customized), in particular on our new services/products, on our special offers, on surveys and/or opinions and other types of communication related to our services and for the preparation of statistical and commercial research studies, that are in line with your interests. It is, therefore, our legitimate interest (article 6.1-f of the GDPR) or, depending on the case, the execution of your express consent (article 6.1-a), to verify your preferences and define your own profile (also specific) so as to be able to customize our offer;
  • if you provide us with specific consent by clicking the checkbox “I consent to the processing of my personal data for commercial and promotional purposes”, to send you updates (even personalized) on our activities, in particular on our new services/products, on our special offers, on surveys and/or opinions and on other types of communication related to our services and for the preparation of statistical and commercial research studies, that are in line with your interests. It is, therefore, our legitimate interest (article 6.1-f of the GDPR) or, depending on the case, the execution of your express consent (article 6.1-a), to be able to use your personal data to send you commercial communications in line with your preferences so that we can personalize our communications.

Your consent to this processing of your data is optional (and freely modifiable even if you have consented, by request to the email address privacy@book-a-porter.com or via all the different methods indicated by the Data Controller, without any further formalities) and your refusal will not result in the inability to use the services of the Platform.

 

3.4 Newsletter

The newsletter service is reserved for certain categories of registered users. To provide and manage this service, the Data Controller uses the services and tools provided by MailChimp. For more information on the processing of personal data by MailChimp, the Data Controller advises you to carefully consult the following link: Privacy Policy – MailChimp. Failure to provide personal data will not entail any consequences for the registered User. The only consequence will be the impossibility to access the service in case the User does not provide the data required to access the latter.

The legal basis for these treatments is the fulfillment of the contract (Article 6.1-b of the GDPR).

 

4. Methods of processing and scope of data dissemination

The processing of personal data for the aforementioned purposes will be carried out by the Data Controller, with or without the aid of electronic tools, according to the principles of correctness, lawfulness and transparency, in order to protect the privacy and rights of the user at all times in compliance with the provisions of current legislation.

These data will not be disclosed or communicated in any way to external subjects, without prejudice to the obligations provided for by law.

Unless otherwise specified in relation to the individual purposes of the processing as specified above, the personal data collected may be communicated to, or in any case become known to, persons in charge of and/or responsible for the processing (including external ones), in relation to the skills and functions of each, in order to meet the aforementioned purposes or to implement specific regulatory and/or contractual obligations.

The personal data processed by the Data Controller are generally not communicated to other subjects, except for the hypothesis in which this may prove necessary in compliance with regulatory or contractual provisions or to fulfill specific obligations.

In this case, the aforementioned data may, in particular, be brought to the attention of the following subjects or of the following categories of subjects, to the extent that this is necessary for the fulfilment of regulatory and/or contractual obligations:

  • consultants or collaborators, internal and/or external, for compliance with current legislation and/or for performance of contractual services in relations with the individuals concerned (for example, labour consultants, legal advisors, accountants, tax consultants, auditors of accounts, etc.);
  • judicial authorities or other public authorities, in compliance with the aforementioned purposes or for legal obligations.

The Data Controller also reserves the right to transfer the user’s personal data to a third country on the basis of the adequacy decisions of the European Commission or on the basis of the adequate guarantees required by current legislation.

The legal basis is provided by art. 6.1-c, as the processing is necessary to fulfill a legal obligation to which the Data Controller is subject.

5. Rights of the interested parties

The EU Privacy Regulation (GDPR) grants the user specific rights, including the right to ask the Data Controller for:

  • confirmation that the processing of your personal data is underway and, in this case, obtaining access (access right);
  • the correction of inaccurate personal data, or the integration of incomplete personal data (right of rectification);
  • cancellation of data, if there is one of the reasons provided for by the Regulation (right to be forgotten);
  • the limitation of processing when one of the hypotheses provided for by the Regulation (limitation right) occurs;
  • receipt of the personal data you have provided to the holder in a structured, commonly used and machine-readable form, and transmission of this data to another data controller (right to portability).

The user also has the right to withdraw consent to the processing of their data at any time, without prejudice to the lawfulness of the processing based on consent given before the revocation and to oppose the processing at any time for marketing or for other purposes (right of opposition).

Finally, the user has the right to oppose, in whole or in part:

  • for legitimate reasons, the processing of personal data concerning them, even if pertinent to the purpose of the collection;
  • the processing of personal data concerning them for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.

 

6. Duration of storage of the user’s personal data

The Data Controller will keep the personal information of users registered for the services that are accessible through platform credentials and/or newsletters for as long as such registration remains active. The Data Controller will also retain the additional personal information of the user for as long as necessary to comply with the relevant obligations under the law.

The user’s data will be stored, in accordance with the provisions of current legislation, for a period of time not exceeding that necessary to achieve the purposes for which they are processed.

In relation to the management of the existing contractual relationship, the data will be kept for the times defined by the relevant legislation as well as, at the termination of the relationship, for the ten-year term for the conservation of data of civil nature only.

In relation to the processing of data for marketing purposes and analysis of habits and consumption choices, in case of manifestation of the required optional consent, the data collected will be kept for the time strictly necessary for the management of the above purposes according to criteria based on compliance with the current regulations and the fairness and balance between the legitimate interest of the Data Controller and the rights and freedom of the user.

Consequently, in the absence of specific rules that provide for different storage times, the Data Controller will take care to use the data for the aforementioned marketing purposes for a time congruous with the interest shown in the Data Controller’s initiatives by the person to whom the data refer.

In any case, the Data Controller will take every care to avoid the use of the data for an indefinite period, proceeding periodically to verify the effective interest of the user in marketing initiatives, as specified above.

Marketing activities can be carried out through automated contact methods, such as e-mail.

 

 

7. Information

The rights mentioned above can be exercised by the user at any time, by sending a simple request to the Data Controller by registered letter, fax or e-mail to the addresses indicated in the epigraph. The Data Controller will contact or inform the user as soon as possible and, in any case, within 15 (fifteen) days from the date of the request.

8. Location and possible transfer of personal data

Your personal data are stored in the European Economic Area (also referred to as ‘EEA’), and specifically are stored on servers by Site Ground (Amsterdam, Holland).

We also reserve the right to transfer your personal data to countries that guarantee an adequate level of security, based on the adequacy decisions of the European Commission or on the basis of the adequate guarantees required by current legislation.

9. Complaints
If you believe the personal data protection legislation has been violated regarding your data, you also have the right to file a complaint before the Local Data Protection Authority in the European Economic Area (‘EEA’). You can find the different Authorities, depending on the country in which you are based, by clicking on this link: http://www.garanteprivacy.it/web/guest/home/footer/link.