Last Updated: January 1, 2023
1. Identity and contact of the Controller
Give Back Beauty is a company established in the U.S., therefore Give Back Beauty appointed Give Back Beauty S.r.l., with registered office in Corso Italia 13, 20122, Milano (MI), Italy, VAT 10129060967, as a representative within the EU territory (“Representative”), pursuant to Article 27 GDPR.
2. Identity and contact of DPO
The Controller has not appointed a Data Protection Officer.
3. Information We Collect and personal data categories
- Contact information such as your name, address, phone number, or email address;
- Registration information such as your username and password, date of birth, and gender
- Account login credentials, such as usernames and passwords, password hints and similar security information;
- Other account registration and profile information, such as photo and video;
- Payment information (such as banking information, payment card number, expiration date, delivery address, and billing address)
- Information about the electronic device you use to access our Digital Services
- Details of products and services you have purchased from us or inquiries you have made
- Preference information, such as communications you receive from us
- Any other information relating to you (or other individuals) which you provide to us directly or indirectly through access and use of our Digital Services, by email or by phone, surveys or questionnaires, completing forms or contacting customer service
We may use or disclose the personal data we collect for one or more of the following business purposes:
- To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal information in order for us to prepare a tax return, we will use that data to prepare the return and submit it to the applicable taxing Authorities;
- To provide you with information, products or services that you request;
- To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, with your consent;
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections;
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations;
- As described to you when collecting your personal information or as otherwise set forth in the GDPR or CCPA.
In any case, we don't sell and disclose your personal data; for further information see our “Do not sell My Personal Information”.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
GBB has not disclosed personal information for a business purpose in the preceding 12 (twelve) months.
We collect this information:
- Directly from you when you provide it to us;
- Automatically as you navigate through our Digital Services;
- From third parties, for example, our business partners.
Information You Voluntarily Provide To Us
You do not have to register for a service or program to receive much of the information available through our Digital Services. However, some of our content is available only to registered or identified users and will require you to set up a profile or provide specific information about yourself in order to provide you the service. When you sign up to be a registered user, we may collect information such as your name, email, password, date of birth, gender, and contact preference information.
We also collect information that you provide to us when you purchase a product, sign up or request to receive marketing products and information, contact GBB customer service via email, phone, mail, or otherwise, or respond to GBB questionnaires or surveys. This information may include personal information, such as your name and email address, or other contact information, and your payment information, or other information related to your business or your concerns regarding our products.
Information Collected Automatically
When you use our Digital Services, we also may collect certain usage and device information automatically as described below.
IP Address. We may record the Internet Protocol (“IP”) address of your computer or other electronic device when you access our Digital Services. An IP address identifies the electronic device you use to access the Digital Services, which allows us to maintain communication with your computer as you navigate through our Digital Services and to customize content.
Cookies and Other Tracking Technologies. We also collect information about your use of our website through tracking technologies such as cookies and web beacons. A “cookie” is a unique numeric code that is transferred to your computer to track your interests and preferences and to recognize you as a return visitor. A “web beacon” is a transparent graphic image placed on a website, e-mail or advertisement that enables the monitoring of things such as user activity and site traffic. These technologies help remember your preferences and allow us to bring you the content and features that are likely to be of greatest interest to you on the basis of “clickstream” data that shows your previous activities on our website.
Mobile Tracking. Our Digital Services are available as mobile applications or mobile sites that you can use on your mobile device. If you use a mobile device to access and use our Digital Services, we may collect the following mobile-specific information in addition to the other information described above: device or advertising ID, device type, hardware type, media access control (“MAC”) address, international mobile equipment identity (“IMEI”), the version of your mobile operating system, the platform used to access or download our Digital Services (e.g., Apple, Google, Amazon, Windows), location information and usage information about your device and your use of the Digital Services.
Information We Obtain From Third Parties
To provide you with our products and services, we may also collect information (including personal information) from third parties, including from your organization and representatives, public sources, our related companies, and other parties.
When you submit an application for employment with us, we may also collect from third parties personal information about you, such as your education, employment, and other background information.
4. Purposes and legal basis of the processing, consent and consequences of the lack of consent
Personal data will be processed for the following purposes:
- For contractual purposes and, in particular, to allow the purchase of goods within the E-commerce. For instance, if you choose to purchase a product or receive our services, we use the information that you provide through our Digital Services to manage your orders and invoices, to process payments, to respond to your questions, provide you the service you request and offer an optimal customer experience. In this case, the obligation to fulfill the contractual purposes constitutes the legal basis. The communication of the data constitutes an obligation; in the lack of such data, it will not be possible to proceed to perform the contract.
- For direct marketing communications, newsletters, advertising material, market research, by means of traditional contact systems and automated computer systems, CRM, databases, including commercial or promotional communications by email, messaging systems, SMS, or telephone communications. In this case, your express consent constitutes the legal basis. The communication of data, therefore, is entirely optional and does not constitute a contractual obligation for you. In the absence of such data, it will not be possible to send newsletters. You may opt-out of receiving marketing communications from GBB at any time by using the opt-out options specified in our marketing communications or by contacting us as described in Section 17 below.
- For purposes related to relevant legal obligations where processing is carried out for the purposes referred to in point a). In this case, the legal basis is the legal obligation of the Controller to process such personal data in accordance with applicable national legislation; in the absence of such data, it will not be possible to proceed with the conclusion of the contract.
The consent to the processing of personal data may be expressed by clicking a specific flagbox.
6. Methods of processing data, logics and safeguards
If you consent to the Processing of your personal data to benefit from personalized services through profiling, your personal data may be subject to an automated decision-making process, with a specific algorithm that will decide which communications are best suited to your profile or which may be of most interest to you. The Processing carried out in this way has, as expected consequences, by way of example, the sending of highly profiled commercial communications, the sending of discounts, the sending of invitations to events deemed of interest, etc.
In accordance with Article 22 GDPR, you have the right to:
- obtain human intervention in the decision-making process by the Controller;
- express your opinion;
- obtain an explanation of the decision reached by the Controller.
- challenge the decision itself.
8. Source from which personal data originate
9. Recipients or categories of recipients of your personal data
We only share your personal information with third parties as described below. We do not sell personal information to third parties.
The following may be recipients of the personal data:
- The communication companies that provide commercial communication activities on behalf of the Controller, which are responsible for the processing, if consent has been given for marketing purposes;
- Companies belonging to the information society, such as those providing web hosting services;
- Companies performing statistic and market inquiries, if consent has been given for marketing purposes;
- Companies that perform account services;
- Partner companies of the Controller;
- Companies offering shipping services of the products acquired by means of the Controller’s E-commerce;
- All persons to whom the right of access to such data is recognized under regulatory measures.
Third Party Sites and Social Media Plug-ins
10. Categories of personal data
The Controller will process only personal data from you. There will be no handling of special categories of personal data under Article 9 of the GDPR.
11. Transfer of personal data
The Controller may intend to transfer personal data to a third country or an international organization, such as:
- Communication agencies conducting activities on behalf of the Controller;
- Companies offering information society services, including, in particular, those offering hosting services;
- Service providers of the communication company.
The transfer of personal data to the aforesaid subjects is subject to an adequacy decision made by the European Commission after deciding that the third country or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection of personal data and your rights. However, if the Controller deems it appropriate to proceed with the transfer of personal data despite the lack of any adequacy decisions, the Controller reserves the right to conclude separate agreements with those subjects, requiring them to adopt adequate technical and organizational security measures to safeguard the transferred personal data, with particular regard to the protection of rights and freedoms of the concerned subjects. Your personal data may be transferred to the United States of America.
To obtain a copy of the transferred personal data or to be informed on where personal data have been transferred to, you shall send the Controller a written request to the following addresses: 8 The Green Suite # 4220, Dover, DE 19901, United States of America or email address: email@example.com.
12. Data Security
GBB maintains reasonable technical, administrative and physical controls to secure any personal information collected through our Digital Services. However, there is always some risk that an unauthorized third party could intercept an Internet transmission, or that someone will find a way to thwart our security systems. We urge you to exercise caution when transmitting personal information over the Internet, especially your financial-related information. GBB cannot guarantee that unauthorized third parties will not gain access to your personal information; therefore, when submitting personal information through our Digital Services, you must weigh both the benefits and the risks.
13. Children’s Privacy
GBB does not knowingly collect or use any personal information directly from children through our Digital Services (GBB defines “children” as minors younger than 18). We do not knowingly allow children to order our products, to communicate with us, or to use any of our online services. If you are a parent and become aware that your child has provided us with information, please contact us using one of the methods specified below, and we will work with you to address this issue.
14. Personal data retention period
- Personal data processed and stored for the purposes under Section 4(a) are processed for no longer than 10 years starting from the termination of the contractual effects, in case of conclusion of the contract, unless otherwise required by law;
- Personal data processed and stored for the purposes under Section 4(b) (marketing purposes) are processed and stored until when you request the erasure and/or revoke consent;
- Personal Data processed for the purposes set forth in Section 4(c) (preference determination purposes) are processed and stored by Company for a period not exceeding 12 months from collection.
- Personal data processed and stored for the purposes under Section 4(d) (fulfilment of legal obligations) are processed and stored for a period no longer than 10 years following the termination of the contractual effects, in case of conclusion of the contract, as well as for a period no longer than 10 years following the termination of the negotiations, unless otherwise required by law.
The Controller reserves the right, in any case, to request you to renew your consent to the processing and/or to verify the consents already expressed.
15. Data subjects’ rights (EU Residents)
15.1 Right to object
- You have the right to object to the processing of personal data concerning you pursuant to Article 6, sub-section 1, letter (e) or (f) of the GDPR, at any time and on grounds relating to your particular situation. The Controller shall refrain from any further processing of your personal data unless the Controller proves that there are compelling legitimate grounds for the processing which take precedence over your interests, rights and freedoms or for the establishment, exercise or defence of a right in court.
- If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data carried out for such purposes, including profiling to the extent that it is related to such direct marketing.
- If you object to the processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. It is specified that your right to object to the processing of your personal data for the aforesaid purposes may be exercised even partially, i.e. by opposing, for example, only the sending of promotional communications by automated and/or digital means, or the sending of paper communications and/or the receipt of telephone communications.
- Where personal data are processed for scientific or historical research or statistical purposes in accordance with Article 89, paragraph 1 of the GDPR, you have the right to object to the processing of your personal data for reasons related to your particular situation, unless such processing is necessary for the performance of a task in the public interest.
15.2 Other rights
The Controller also wishes to inform You of the existence of the following rights:
- Right to access: You have the right to obtain from the Controller confirmation as to whether or not Your personal data are being processed and, if so, to obtain access to the personal data and specific information, in accordance with article 15 of the GDPR;
- Right to rectification: You have the right to obtain from the Controller the rectification of inaccurate personal data without undue delay. Taking into account the processing purposes, you have the right to obtain supplementing of incomplete personal data, including by providing a supplementary statement, in accordance with art. 16 of the GDPR;
- Right to erasure of data, including the right to revoke consent: You have the right to obtain from the Controller the erasure of the personal data without undue delay or to revoke consent. The Controller has the obligation to erase Your personal data without undue delay, if the reasons set out in art. 17 of the GDPR exist. With regard to the right to revocation, You also have the right to revoke consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to revocation;
- Right to restriction of processing: You have the right to obtain from the Controller the restriction of processing when the conditions set out in art. 18 of the GDPR exist;
- Right to data portability: You have the right to receive Your personal data provided to the Controller in a structured format, commonly used and readable by automatic devices. You have the right to send such data to another controller without any impediment by the Controller in the cases and at the conditions specified in art. 20 of the GDPR;
- Contractor’s right to object to commercial communications: You, as a contractor, have the right to object at any time, free of charge, to the receipt of commercial communications.
- Right to lodge a complaint with the Supervisory Authority: you have the right to lodge a complaint with the Supervisory Authority for the Protection of personal data, if you consider that the processing of your personal data infringes the GDPR or data protection dispositions, in accordance with art. 77 GDPR.
The same rights are guaranteed by us to citizens not resident in the European Union territory, where technically possible.
16. Data subjects’ rights (Non-EU Residents)
If you are not an EU resident, with respect to personal information that we may have collected about you, you may:
- Ask us to erase or delete all or some of your personal data;
- Ask us for a copy of your personal data, including in machine readable form;
- Ask us to change, update, or fix your data if it is inaccurate; and
- Ask us to stop using all or some of your personal data (where we have no legal right to keep using it) or to limit our use of it.
In any case, you have the right to request that we disclose certain personal data to you. Once we receive and confirm your verifiable request, we will disclose to you:
- The categories of personal data we collected about you;
- The categories of sources for the personal information we collected;
- Our business or commercial purpose for collecting or selling that personal information;
- The categories of third parties with whom we share that personal information;
- Disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
- A copy of the specific pieces of personal information we collected about you, for data portability purposes;
- If we sold or disclosed your personal information for a business purpose;
- Sales, identifying the personal information categories that each category of recipient purchased.
You may contact us using the contact information in Section 17 below, and we will consider your request in accordance with applicable laws.
17. How to Contact Us with Privacy Concerns
Alternatively, You can exercise said rights by sending a registered letter with recorded delivery to 8 The Green Suite # 4220, Dover, DE 19901, United States of America.
You may lodge a complaint with the Local Supervisory Authority for the Protection of personal data according to the provided instructions in the official website.
We will not discriminate against you for exercising any of your GDPR and CCPA rights. Unless permitted by the GDPR and CCPA, we will not:
- Deny you goods or services or provide you a different level or quality;
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services;
- Charge you different prices for goods or services, including through granting discounts or other benefits.