KIKO S.p.A., with registered address at 24122 Bergamo, via Giorgio e Guido Paglia n. 1/D, VAT Number 02817030162, Fiscal Code 12132110151 (the “Data Controller”).

"Data" means your common personal information (such as name and surname, date of birth, email address and telephone number), which is mandatory when you make a reservation of beauty services. If you are a registered user, you will be required to enter your username and password, which will serve as your authentication, and your data will be filled in automatically.

Moreover, the term “Data” includes navigation data: this category encompasses the source IP address, URL address, the “agent” type (e.g., Chrome, Firefox, Safari), and access time. These pieces of information, acquired by the computer systems and software procedures in charge of the website's operation during their normal activities, are not collected to be associated with identified individuals but, through processing and associations with data held by third parties, could potentially allow user identification.

A) Website Browsing: The source IP address and other aforementioned data are used to ensure a smooth connection and navigation, to enable you to properly utilize all the website's features, and to assess the security and stability of the system. Regarding the use of cookies and similar technologies (non-essential technical cookies), please refer to the cookie policy available in the website footer.

B) Contractual purposes: reservation of beauty services, purchase of products and/or services, payment, and delivery of the Company's products.

C) Fulfilment of administrative/accounting obligations established by the applicable national law.

D) Legal action or defense in court: to establish, exercise, and/or defend the rights of the Company in legal proceedings.

A/ Legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring personal data protection do not outweigh them, taking into account the data subject's reasonable expectations and the activities strictly necessary for the operation of the website and navigation itself. Article 6, paragraph 1, letter f) of the GDPR.

For non-essential technical cookies and similar technologies, the processing is based on consent to the processing of personal data as per Article 6, paragraph 1, letter a) of the GDPR. Please refer to the cookie policy available in the website footer.

B/ Execution of a contract (or pre-contractual measures). Art. 6, par. 1, letter b) of the GDPR.

C/ Fulfilment of a legal obligation. Art. 6, par. 1, letter c) of the GDPR.

D/ Legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring personal data protection do not outweigh them. Article 6, paragraph 1, letter f) of the GDPR.

A/ Navigation data is stored for a period of 6 months and then automatically deleted for security reasons (e.g., for anti-fraud protection).

Please refer to the cookie policy available in the footer of the website. For the duration of the contract and, after validity, for an ordinary period of 10 years.

B/ & C/ This procedure of double opt-in communications via email and SMS is necessary to confirm, modify or cancel your appointment. KIKO informs you that these are not marketing communications.

D/ In the case of a legal dispute, for the entire duration of it, until the expiration of the terms for the filing of appeals. Upon expiration of the abovementioned data retention periods, personal data will be destroyed, cancelled or anonymised according to the technical cancellation and backup procedures of the Data Controller.

The provision of data for purposes A) and D) is requested by the Data Controller based on its legitimate interest, but you can always object to the processing as indicated in this notice.

For purposes B) and C), providing data is mandatory. Refusal to provide data will therefore not allow you to complete the reservation of beauty services.

The data may be processed by external entities acting as independent data controllers under Articles 4 and 24 of the GDPR, including but not limited to authorities and supervisory and control bodies, as well as, in general, public or private entities authorized to request data, consulting companies and/or professional firms and/or professionals, such as legal, tax, and insurance companies, and social media channels.

The data may also be processed on behalf of the Data Controller by external entities designated as data processors appointed in accordance with Article 28 of the GDPR, to whom appropriate operational instructions are provided regarding the correct processing of your personal data. These entities essentially fall into the following categories, for example: companies offering website maintenance and development services.

Your Data may be processed by employees of the Data Controller's business units responsible for pursuing the aforementioned purposes, who have been expressly authorized to process the Data and have received appropriate operational instructions in accordance with Article 29 of the GDPR.

Considering that the activities of the Data Controller are performed at a global level, personal data could be transferred to countries inside or outside the European Union, therefore to companies (including affiliates of KIKO S.p.A.). Depending on the circumstances, these companies may act as autonomous data controllers or data processors for the performance of the processing activities described in this notice regarding your use of our products and/or services.

It is understood, in any case, that the transfer of personal data to countries located outside the European Union (including the USA) will be carried out in accordance with Articles 44 and following of the GDPR, implementing safeguard measures aimed at ensuring an adequate level of data protection during the transfer of your personal data, including:

  • adequacy decisions adopted by the European Commission concerning third countries that ensure an adequate level of protection;

  • data transfer agreements that incorporate the European Commission's Standard Contractual Clauses;

  • additional measures required by applicable regulations and/or competent authorities' orders.

In addition, if you are a registered user, you are recognised through your email address and password by an “Identity provider” service provided by Google. For the transfer and processing of your IP address and email address by Google, we invite you to review its privacy policy:

Google: https://policies.google.com/privacy?hl=en-US

By contacting the Data Controller at the DPO’s email address dpo.kiko@kikocosmetics.com, you have the right to obtain access to your personal data (article 15 of the GDPR), request their rectification (article 16 of the GDPR), their erasure in the cases provided by law (article 17 of the GDPR) or restriction of their processing (article 18 of the GDPR). Furthermore, pursuant to article 20 of the GDPR, with reference to the purposes of processing based on the contract or consent which are performed via automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller without hindrance from the Company if technically feasible. Pursuant to article 20 GDPR, you have the right to object at any time to the processing of your data based on legitimate interests. Finally, you have the right to lodge a complaint with the competent supervisory authority in the member state where you reside, work, or otherwise habitually stay, or where the alleged infringement has occurred.

The Data Controller reserves the right to amend/update the present information notice at any time.

For this purpose, you will find below the date of the last update.

Last update: March 15, 2024

