This document aims to give you the information you need to understand how the personal data you will share (“Data”) will be processed, and to express explicit and informed consent to the data processing carried out through the App DRESSO (“App”).
This Policy exclusively refers to the App and the website and does not cover other websites, pages or online services accessible through hypertext links that may be posted within it.
This Policy is subject to change or update at any time. If so, you will be informed by the Owner. The current version is the one published on the App.
- CONTROLLER OF DATA PROCESSING
The Data Controller is the company REM s.r.l. based in Italy, with headquarters in Via Bonistallo 50/B Empoli (FI), registered in Florence (VAT 07022910488) (“Data Controller”).
The Data Controller protects the confidentiality of the acquired personal data and grants it the necessary protection from any event that may jeopardize it. To this end, the Data Controller shall put into practice the recommended procedure concerning the collection and use of personal data which will be processed in accordance with internationally recognised principles of lawfulness, fairness, transparency, purpose and retention limitation, minimisation of data, accuracy, integrity and confidentiality, as well as the exercise of the rights granted by the legislation that applies to data subjects.
- PERSONAL DATA SUBJECT TO PROCESSING
When you browse the App, and in order to allow the use of all services, the Owner needs to know and process certain data. Dresso only collects the Data that is strictly necessary for the purposes for which it is acquired, so if such data is not provided, it will not be possible to manage the registration request, provide the requested service and complete the requested sale etc.
Such Data, also depending on your decisions on how to use the Services, may consist of:
- contact details – name, place of birth, tax code, address, telephone number, mobile phone number, e-mail address, information about your payment methods, username and password.
If the User enters their login details to Google, Dresso will receive the following data: profile photo; first and last name; Google account ID; email address; language.
If the User enters their Facebook login data, Dresso will receive the following data from the User’s Facebook account: profile photo; first and last name; gender; email address; date of birth.
Data obtained from Facebook or Google will be used to configure one’s Dresso account. This means that the Facebook or Google account name will be listed as the username for the Dresso Account, so it will be visible to other visitors of the website and other users of the App. Other data obtained from Facebook or Google will not be visible to anyone on the platform.
- location data – you can manually enter a physical address or, with your agreement, your Internet browsing program (“Browser”) may share with the Site an approximation of your geographical location, based on information about wireless access points in your proximity and the IP address of your device. In both cases, this is the processing of entirely optional Personal Data which, however, allows the Owner to ensure the delivery of increasingly useful Services.
- data regarding interests and usage – information that is provided about the interests of the User such as, for example, the type of wardrobe; the date of the last access; number and names of the profiles followed; number and name of the followers.
- data voluntarily provided by the Users – the optional, explicit and voluntary submission of e-mail messages, including through forms, involves the acquisition of the name and surname of the sender, the e-mail address, as well as any other personal data included in the email message; the optional exchange of messages between Users and the navigation involve the acquisition of the username, the shared photos, the date and time of access, the rendering information.
- METHODS OF COLLECTION AND RETENTION OF DATA
The above-mentioned data is collected and processed by the Data Controller when you: create an Account; purchase and/or sell a product; browse and view the products; contact DRESSO directly; use the instant messaging service made available to contact other Users.
- PURPOSE OF DATA PROCESSING AND THE MANDATORY NATURE OF ITS PROVISION
The Owner will use your Personal Data collected through the Site for the following purposes:
- allow registration on the App and the set-up of profile information. The provision of data is mandatory because, if it is not provided, it will not be possible to use the App;
- allow other Users to view information about other Users’ activities on the App. If this data is not provided, it will not be possible to exchange information between Users or to proceed with purchases or sales;
- allow the sale and purchase of the Products and the activities of quality control and delivery of the products, etc. The provision of data is mandatory because, if it is not provided, it will not be possible to buy or sell the Products;
- handling complaints or answering questions relating to sales and purchase services or procedures;
- comply with legal obligations that oblige Data Controllers to collect and/or further process certain types of Data. The processing for this purpose is mandatory;
- prevent or detect any abuse in the use of the App, or any fraudulent activity and therefore allow Owners to protect themselves in court.
- RECIPIENTS OF THE DATA
We share the personal data collected with the following categories of subjects:
- Persons authorized by us to carry out any of the data-related activities described in this document: these are our employees and collaborators who have signed an agreement about confidentiality and specific rules for the processing of your Data.
- Our Data Processors: these are the external subjects we entrust certain processing operations to. For example, this category includes the security providers of our systems, technology platforms for hosting data and subjects delegated to perform technical maintenance activities (including maintenance of network equipment and electronic communications networks); accounting, administrative, legal, tax, financial and credit recovery consultants. With each of these subjects we have signed a contract to ensure that the processing of your Data occurs according to appropriate measures and only on our command;
- System administrators: these are our employees or our data processors who are entrusted with the management of our IT systems and who therefore have the power to access, modify, suspend and limit the processing of your Data. Such subjects have been previously selected and adequately trained, and their activities are traced by systems that they cannot modify, in accordance with the arrangements of the Italian Control Authority;
- Third parties authorized by law such as law enforcement or any other authority whose provisions are mandatory for us: this happens for example when we must comply with a judicial order, a law or when it is necessary to defend ourselves in court. Insofar as a government, a supranational, federal, state or governing, prefecture or local authority, a statutory, administrative or regulatory institution, a court, an agency, or any other authority anywhere in the world (even outside of your jurisdiction) whose regulations, directives, notices, resolutions, orders, decrees, injunctions, mandates, subpoenas or judgments are binding on us, require us to communicate your Data, we will not share your Data without your consent, unless we have a legal obligation to comply with such regulations, etc.
- RETENTION OF DATA
The Data will be retained by the Data Controller for the time strictly necessary to fulfil the purposes it was collected for, namely:
- the Data collected to allow registration on the App will be stored until the Account is deleted;
- the Data collected and processed to ensure the correct use of the service and of the Products will be kept until the fulfillment of the corresponding verification action;
- the Data collected for the sending of commercial communications on the services will be stored until the User unsubscribes as a registered User or rejects the processing;
- the Data collected to comply with the legal obligations and any contingent protection in court will be kept for the time necessary for the related activity.
- RIGHTS OF THE DATA SUBJECT
We inform you that, at any time, you have the right to ask the Owner for:
- access to your Personal Data as well as any information about its retention;
- rectification or integration of Personal Data that is incomplete;
- the cancellation and/or limitation of the processing of your Personal Data;
- your Personal Data in a structured and readable format.
You have the right at any time to:
- object to the processing of your Personal Data by the Owner;
- withdraw your consent;
- file a complaint to a supervisory authority, without prejudice, however, to any other administrative or judicial action.
- DATA BREACH POLICY
To deal with a personal data breach, the Data Controller has set up a crisis team and has provided for specific intervention procedures, in order to resolve the problem promptly and give the User appropriate communication, so that they can take adequate precautions aimed at minimising the potential damage resulting from the breach.
In the communication of the violation, the User will be given details about:
- the name and contact details of the Data Protection Officer or of another contact point where more information can be found;
- the potential consequences of the personal data breach;
- the measures taken or proposed to be taken by the Legal Representative to tackle the personal data breach and also, if applicable, to mitigate its possible negative effects.
The Data Controller will carry out a public communication, or similar action, and will not be bound to inform the User: where appropriate technical and organizational protection measures have been put in place on the data subject to the breach; where further measures are subsequently taken to prevent new high risks to the Users’ rights; where the communication requires disproportionate efforts. However, it will assess the opportunity, although not strictly mandatory, to keep the User updated.
The Data Controller will also proceed to communicate, within 72 hours and where necessary, the violation to the Data Protection Authority.
For this reason, if a Data Processor or a Sub Processor becomes aware of the breach, they are required to report it within 24 and 12 hours respectively of the breakthrough.
Any personal data breaches may be communicated by writing to: firstname.lastname@example.org