Our Privacy Policy
KIKO S.p.A.,with registered office in Bergamo, via Giorgio e Guido Paglia n. 1/D, 24122, VAT No. 02817030162, Tax Code 12132110151 (hereinafter, the "Company" or "KIKO").
Email address: dpo.kiko@kikocosmetics.com
"Data" refers to the personal information commonly required when you make a purchase and pay for products and/or services from the Company, when you register and create a KIKO account, and/or when you sign up to the loyalty programme. This includes your name, surname, date of birth, email address, delivery address (when you make a purchase with home delivery) and phone number (optional).
During registration, you will be asked to enter a username and password, which will serve as authentication and access credentials for your account. Before completing the registration form to create an account, the system will ask you to enter your email address and an OTP (sent to the email address provided) for verification. Once you have entered the OTP, you will be able to proceed and fill in the form.
The term "Data" also includes browsing information; this category consists of the source IP address, the URL address, the type of "agent" (e.g. Chrome, Firefox, Safari) and the time of access. This information, acquired by the website's computer systems and software procedures during normal operation, is not collected to be associated with identified data subjects but, through processing and association with data held by third parties, could potentially allow the user to be identified.
A) Browsing the website: source IP addresses and the other types of browsing data mentioned above are used to ensure a smooth connection and browsing experience, to offer users full and functional access to all of the website's features, and to assess the security and stability of the system.
Regarding the use of cookies and similar technology (non-essential technical cookies), please refer to the cookie policy available in the website footer.
B) Contractual purposes: booking beauty services, purchasing products and/or services, payment and delivery of the Company's products.
C) Fulfilment of legal obligations: fulfilment of administrative/accounting obligations established by applicable national law.
D) Court proceedings: for raising a case in court, exercising and/or defending the rights of the Company in legal proceedings.
E) Soft spam: sending limited communications to existing customers, with the aim of directly promoting and/or selling products or services similar to those already purchased/used by the customer, using the email addresses provided in such cases, without prejudice to the right to object at any time following the steps indicated at the bottom of the communication and to the addresses indicated below, in order to exercise your rights under Art. 15 et seq. of the GDPR.
F) Joining the KIKO ME Loyalty Programme (for those over 18 years of age): as a member of the Loyalty Programme, you can accumulate points for every purchase you make. There are three loyalty levels to reach and exclusive rewards, which can be requested and received in accordance with the KIKO ME Regulations.
KIKO Milano recommends that you give us your consent for the purposes set out in paragraphs G) and H), so you can take full advantage of the KIKO ME loyalty programme.
G) Profiling: by consenting to data processing for profiling purposes, you agree to receive personalised commercial communications based on your preferences, purchasing habits, related behaviour and/or interests via automated means of contact (email, text message and push notifications) or advertising material, newsletters, promotional and commercial communications relating to the Company's products and/or events, as well as any market research and statistical analysis conducted. Furthermore, by providing your consent for this purpose, you agree that your encrypted email address may be shared with certain third party social and paid media platforms (e.g. Google, Meta, Amazon, Snapchat) in order to offer you, through interactions and information processed on said platforms, more targeted ads based on your interests, behaviour and purchases.
H) Direct marketing purposes: Sending, via automated means of contact (email, text message and push notifications) advertising material, newsletters, promotional and commercial communications relating to the Company's products and/or events, as well as carrying out market research and statistical analysis.
You can consent to direct marketing by providing your email address, ticking the checkbox or clicking "subscribe" in the "Newsletter" form on the website.
I) Collecting and publishing individual user reviews: your data, such as name, email address, browser-generated information, location data, IP addresses, recent purchase information, order numbers, as well as photos and videos of products purchased, may be collected so that KIKO can request (via email) that you write a review of your purchase, which they will publish.
A) Browsing the website: Legitimate interests of the data controller or third parties, provided that the data subject’s interests or fundamental rights and freedoms requiring personal data protection are not impinged upon, taking into account the reasonable expectations of the data subject and the activities strictly necessary for the running and browsing of the website.
Art. 6(1)(f) of the GDPR.
For non-essential technical cookies and similar technology, processing is based on your consent to the processing of personal data pursuant to Article 6(1)(a) of the GDPR. Please consult the cookie policy available in the website footer.
B) Contractual purposes: Execution of a contract (or pre-contractual measures).
Art. 6(1)(b) GDPR.
C) Fulfilment of legal obligations: Fulfilment of a legal obligation.
Art. 6(1)(c) GDPR.
D) Court proceedings: Legitimate interests of the data controller or third parties, provided that the data subject’s interests or fundamental rights and freedoms requiring personal data protection are not impinged upon.
Art. 6(1)(f) of the GDPR.
E) Soft spam: Legitimate interests of the data controller or third parties, provided that the data subject’s interests or fundamental rights and freedoms requiring personal data protection are not impinged upon. (Recitals 47-50).
Art. 6(1)(f) of the GDPR.
F) Joining the KIKO ME Loyalty Programme (for those over 18 years of age): Consent (optional and revocable at any time) of the data subject.
Art. 6(1)(a) of the GDPR.
G) Profiling: Consent (optional and revocable at any time), given by persons aged 18 and over.
Art. 6(1)(a) of the GDPR.
H) Direct marketing purposes: Consent (optional and revocable at any time), given by persons aged 18 and over.
Art. 6(1)(a) of the GDPR.
I) Collecting and publishing individual user reviews: Legitimate interests of the data controller or third parties, provided that the data subject’s interests or fundamental rights and freedoms requiring personal data protection are not impinged upon.
Art. 6(1)(f) of the GDPR.
A) Browsing the website: Browsing data is stored for a period of 6 months and then automatically deleted for security reasons (e.g. fraud prevention).
Please consult the cookie policy available in the website footer.
B) Contractual purposes + C) Fulfilment of legal obligations: For the entire duration of the contract and, upon expiry, for the customary period of 10 years.
You can request to have your account deleted at any time, according to the procedure outlined in Section 8 of this policy.
D) Court proceedings: In the event of a legal dispute, for the duration of the dispute and in any case until the expiration of the time limit for lodging appeals.
E) Soft spam: 36 months from your last purchase or until you object to data processing, whichever comes first. You can object at any time using the direct link found in each communication.
F) Joining the KIKO ME Loyalty Programme (for those over 18 years of age): Data is retained for 36 months from the last purchase made and, in any case, until consent is withdrawn. To unsubscribe from the KIKO ME loyalty programme, you can contact Customer Services using the Customer Help Centre contact form on the website. You can also contact the Company at the email address dpo.kiko@kikocosmetics.com as indicated in Section 8 of this Privacy Policy.
G) Profiling: Your purchases will be examined to analyse your preferences, habits and related behaviours in order to offer you special services and exclusive gifts linked to the KIKO ME loyalty programme, and to send you personalised communications – including through interactions on social and paid media platforms – based on information from the past 36 months.
H) Direct marketing purposes: 36 months from the data subject's last qualifying interaction with the Company and in any event until consent is revoked. A "qualifying interaction" solely refers to the purchase of a KIKO product or service by the data subject.
I) Collecting and publishing individual user reviews: 36 months from the collection and publication of your review. You can object to data processing at any time using the direct link found in each communication or by writing an email to dpo.kiko@kikocosmetics.com
Upon expiry of the aforementioned data retention periods, personal data will be destroyed, deleted or anonymised in accordance with the Company's technical deletion and backup procedures.
The provision of data for purposes A), D), E) and I) is required by the controller on the basis of your legitimate interest, but you can always object to the processing as set out in this policy. In particular, for purpose E) relating to soft spam, you can object to the sending of such communications at any time via the means provided in each communication.
It is mandatory to provide data for purposes B) and C). Any refusal to provide data will therefore prevent you from purchasing products and/or using the Company's services.
The provision of data for purposes F), G), H) and I) is optional. Refusal to provide data will not affect your ability to browse the website or purchase the Company's products and/or services. It will mean, however, that you cannot subscribe to the KIKO ME loyalty programme, accumulate points with every purchase or enjoy the rewards through each level of the scheme. You will not receive automated communications, newsletters on the Company's events and promotions, or personalised communications, including through interactions on social and paid media platforms, based on your purchasing habits, preferences and related behaviour.
Data may be processed by external parties acting as autonomous data controllers pursuant to Art.4 and 24 of the GDPR, including but not limited to authorities and supervisory/regulatory bodies, public or private parties authorised to request the data, consultancy firms and/or professional studies and/or professionals such as legal, tax and insurance consultancies, social media channels or social and paid media platforms.
Data may also be processed on behalf of the Company by external parties designated as data processors pursuant to Art. 28 of the GDPR, who are provided with adequate operational instructions for the correct processing of your personal data. These parties essentially fall into the following categories, by way of example: companies providing emailing services, companies providing website maintenance and development services, social media channels, companies providing support for market research studies, companies providing after-sales customer support and assistance, shipping and transportation companies, companies providing postal services and other marketing activities, KIKO Group companies providing intra-group services and managing purchases made at the stores of each KIKO Group company.
Your data may be processed by employees of the Company's business units assigned to pursue the aforementioned purposes, who are expressly authorised to process the data and have received adequate operational instructions pursuant to Art. 29 of the GDPR.
Your Data may be processed by employees of the Data Controller's business units responsible for pursuing the aforementioned purposes, who have been expressly authorized to process the Data and have received appropriate operational instructions in accordance with Article 29 of the GDPR.
Given that the Company's activities are carried out globally, personal data may be transferred to countries within or outside the European Union, that is to companies (including affiliates of KIKO S.p.A.) and social networks such as Instagram, Facebook, Twitter, YouTube and TikTok. Depending on the circumstances, these social channels may act as autonomous data controllers or processors for the execution of the processing activities described in this policy regarding your use of our products and/or services.
In any case, it is understood that the transfer of personal data to countries outside the European Union (including the USA) will take place in accordance with Articles 44 et seq. of the GDPR, implementing safeguarding measures to ensure an adequate level of data protection during the transfer of your personal data, including:
adequacy decisions adopted by the European Commission concerning third countries that guarantee an adequate level of protection;
data transfer agreements incorporating the European Commission's Standard Contractual Clauses;
additional measures required by applicable regulations and/or orders of the competent authorities
For more information on the purposes and methods of data processing by social networks, please consult their privacy policies:
Instagram: https://about.instagram.com/blog/announcements/instagram-community-data-policy;
Twitter: https://twitter.com/en/privacy;
YouTube: https://www.youtube.com/intl/en_us/howyoutubeworks/our-commitments/protecting-user-data/;
TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en.
With regard to data processing relating to profiling, including when conducted by means of customer audience and social advertising, please consult the privacy policies of the following third parties:
Amazon ads: https://advertising.amazon.com/it-it/legal/privacy-notice
Google ads: https://safety.google/intl/it_it/privacy/ads-and-data/
Snapchat ads https://values.snap.com/privacy/ads-privacy
Meta: the Company and Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4 Ireland (“Meta Ireland”), act as joint controllers according to a specific data sharing agreement. For further information on how Meta Ireland processes personal data, please consult the privacy policy available at this link https://www.facebook.com/legal/terms/businesstools and the data processing appendix available here https://www.facebook.com/legal/controller_addendum.
TikTok: the Company and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, act as joint data controllers according to a specific data sharing agreement. For more information on how TikTok Technology Limited processes personal data, please consult the privacy policy available at this link https://www.tiktok.com/legal/page/global/partner-privacy-policy/en and TikTok Business Products' (Data) Terms & Conditions here https://ads.tiktok.com/i18n/official/policy/business-products-terms
During registration, your email address and password will also be verified by an "identity provider" service offered by Google. Regarding the transfer and processing of your IP and email address by Google, please see the relevant privacy policy:
By contacting the Company at the email address dpo.kiko@kikocosmetics.com, the data subject has the right to access their personal data (Art. 15 of the GDPR), request amendments (Art. 16 of the GDPR), have it erased in cases provided for by law (Art. 17 of the GDPR) and restrict its processing (Art. 18 of the GDPR).
Furthermore, pursuant to Art. 20 of the GDPR, with respect to contract-based or consent-based processing purposes performed by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit such data to another data controller without hindrance from the Company, if technically feasible.
Pursuant to Art. 21 of the GDPR, you also have the right to object at any time to the processing of your data based on legitimate interests.
You have the right to withdraw your consent for marketing and/or profiling purposes at any time by logging into your account on the Website (and going to "Privacy Settings") or by writing an email to dpo.kiko@kikocosmetics.com
In addition, you have the right to withdraw your consent and unsubscribe from the KIKO ME loyalty programme at any time by contacting Customer Services via the Customer Help Centre contact form on the website or by writing to the email address dpo.kiko@kikocosmetics.com. Withdrawing your consent in no way affects the lawfulness of the processing based on your consent prior to withdrawal.
Finally, you have the right to lodge a complaint with the competent supervisory authority in the Member State where you live, work or habitually reside, or where the alleged infringement occurred.
The data controller reserves the right to amend/update this policy at any time. To this end, the date of the most recent update is provided below.
Last updated: 17 June 2025
