Our Privacy Policy
KIKO S.p.A., with registered address at 24122 Bergamo, via Giorgio e Guido Paglia n. 1/D, VAT Number 02817030162, Fiscal Code 12132110151 (the “Data Controller”).
Email address: dpo.kiko@kikocosmetics.com
By "Data" we mean your common personal information (such as name and surname, date of birth, email address and telephone number), which is mandatory when you make a reservation of beauty services. If you are a registered user, you will be required to enter your username and password, which will serve as your authentication, and your data will be filled in automatically.
Moreover, the term “Data” includes navigation data: this category encompasses the source IP address, URL address, the “agent” type (e.g., Chrome, Firefox, Safari), and access time. These pieces of information, acquired by the computer systems and software procedures in charge of the website's operation during their normal activities, are not collected to be associated with identified individuals but, through processing and associations with data held by third parties, could potentially allow user identification.
A) Website Browsing: The source IP address and other aforementioned data are used to ensure a smooth connection and navigation, to enable you to properly utilize all the website's features, and to assess the security and stability of the system. Regarding the use of cookies and similar technologies (non-essential technical cookies), please refer to the cookie policy available in the website footer. B) Contractual purposes: reservation of beauty services, purchase of products and/or services, payment, and delivery of the Company's products. C) Fulfilment of administrative/accounting obligations established by the applicable national law. D) Legal action or defense in court: to establish, exercise, and/or defend the rights of the Company in legal proceedings. E) Soft Spam Purposes: Sending communications limited to those who are already customers, with the aim of promoting and/or directly selling products or services similar to those already purchased/used by the user, using the e-mail addresses provided in such cases, without prejudice to the right to object at any time in the manner indicated at the bottom of the communication and at the contact details indicated below, for the exercise of the rights under articles 15 et seq. of the GDPR. F) KIKO Me loyalty program membership (for individuals over 18 years of age): membership in the loyalty program entails the ability to accumulate points for each purchase made until the minimum point threshold is reached for each of the three loyalty levels, with the option to request and receive the rewards as outlined in the KIKO Me Regulations. Additionally, as a result of joining the KIKO Me Program and in accordance with the program's regulations, the Company may conduct verifications and internal audit activities regarding members aimed at preventing any fraudulent, abusive, or otherwise illicit conduct in violation of the program's regulations. 
G) Direct marketing purposes: dispatch, via automated contact means (email, SMS, and push notifications) of advertising material, newsletters, promotional and commercial communications concerning products and/or events of the Company, as well as conducting market research and statistical analysis. Consent for direct marketing can be given by providing your email and by taking action with the "Send" button on the website in the "Newsletter" form or by selecting the checkbox to consent to direct marketing processing. H) Profiling: by consenting to data processing for profiling purposes, you agree to receive personalised commercial communications based on your preferences, purchasing habits, related behaviour and/or interests via automated means of contact (email, text message and push notifications) or advertising material, newsletters, promotional and commercial communications relating to the Company's products and/or events, as well as any market research and statistical analysis conducted. Furthermore, by providing your consent for this purpose, you agree that your encrypted email address may be shared with certain third party social and paid media platforms (e.g. Google, Meta, Amazon, Snapchat) in order to offer you, through interactions and information processed on said platforms, more targeted ads based on your interests, behaviour and purchases.
I) Collection and public presentation of individual users' reviews: your data, as well as name, email address, browser-generated information, location data, IP addresses, information about recent purchases and order number, in addition to photos and videos of the products purchased, may be collected in order to ask you by e-mail to leave a review of your purchase and to publish it.
A/ Legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring personal data protection do not outweigh them, taking into account the data subject's reasonable expectations and the activities strictly necessary for the operation of the website and navigation itself. Article 6, paragraph 1, letter f) of the GDPR.
For non-essential technical cookies and similar technologies, the processing is based on consent to the processing of personal data as per Article 6, paragraph 1, letter a) of the GDPR. Please refer to the cookie policy available in the website footer. B/ Execution of a contract (or pre-contractual measures). Art. 6, par. 1, letter b) of the GDPR. C/ Fulfilment of a legal obligation Art. 6, par. 1, letter c) of the GDPR. D/ Legitimate interest of the Data Controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject requiring personal data protection do not outweigh them. Article 6, paragraph 1, letter f) of the GDPR.
A/ Navigation data is stored for a period of 6 months and then automatically deleted for security reasons (e.g., for anti-fraud protection).
Please refer to the cookie policy available in the footer of the website. For the duration of the contract and, after validity, for an ordinary period of 10 years.
B/ & C/ This procedure of double opt-in communications via email and SMS is necessary to confirm, modify or cancel your appointment. KIKO informs you that these are not marketing communications.
D/ In the case of a legal dispute, for the entire duration of it, until the expiration of the terms for the filing of appeals. Upon expiration of the abovementioned data retention periods, personal data will be destroyed, cancelled or anonymised according to the technical cancellation and backup procedures of the Data Controller.
The provision of data for purposes A) and D) is requested by the Data Controller based on its legitimate interest, but you can always object to the processing as indicated in this notice.
For purposes B) and C), providing data is mandatory. Refusal to provide data will therefore not allow you to complete the reservation of beauty services.
Data may be processed by external parties acting as autonomous data controllers pursuant to Arts. 4 and 24 of the GDPR, including but not limited to authorities and supervisory/regulatory bodies, public or private parties authorised to request the data, consultancy firms and/or professional firms and/or professionals such as legal, tax and insurance consultancies, social media channels or social and paid media platforms.
The data may also be processed on behalf of the Data Controller by external entities designated as data processors appointed in accordance with Article 28 of the GDPR, to whom appropriate operational instructions are provided regarding the correct processing of your personal data. These entities essentially fall into the following categories, for example: companies offering website maintenance and development services.
Your Data may be processed by employees of the Data Controller's business units responsible for pursuing the aforementioned purposes, who have been expressly authorized to process the Data and have received appropriate operational instructions in accordance with Article 29 of the GDPR.
Considering that the activities of the Company are performed at a global level, personal data could be transferred to countries inside or outside the European Union, therefore to companies (including affiliates of KIKO S.p.A.), as well as to social networks such as Instagram, Facebook, Twitter, YouTube, and TikTok, (social channels). Depending on the circumstances, these social channels may act as autonomous data controllers or data processors for the performance of the processing activities described in this notice regarding your use of our products and/or services. It is understood, in any case, that the transfer of personal data to countries located outside the European Union (including the USA) will be carried out in accordance with Articles 44 and following of the GDPR, implementing safeguard measures aimed at ensuring an adequate level of data protection during the transfer of your personal data, including:
Adequacy decisions adopted by the European Commission concerning third countries that ensure an adequate level of protection.
Data transfer agreements that incorporate the European Commission's Standard Contractual Clauses, which our service providers operating in the United States adhere to.
Additional measures required by applicable regulations and/or competent authorities' orders.
For more information about the purposes and methods of data processing by social networks, we invite you to review their privacy policies:
Instagram: https://about.instagram.com/blog/announcements/instagram-community-data-policy;
Twitter: https://twitter.com/en/privacy;
YouTube: https://www.youtube.com/intl/en_us/howyoutubeworks/our-commitments/protecting-user-data/;
TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en.
With regard to data processing relating to profiling, including when conducted by means of customer audience and social advertising, please consult the privacy policies of the following third parties:
Amazon ads: https://advertising.amazon.com/it-it/legal/privacy-notice
Google ads: https://safety.google/intl/it_it/privacy/ads-and-data/
Snapchat ads: https://values.snap.com/privacy/ads-privacy
Meta: the Company and Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4 Ireland (“Meta Ireland”), act as joint controllers according to a specific data sharing agreement. For further information on how Meta Ireland processes personal data, please consult the privacy policy available at this link https://www.facebook.com/legal/terms/businesstools and the data processing appendix available here https://www.facebook.com/legal/controller_addendum.
TikTok: the Company and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, act as joint data controllers according to a specific data sharing agreement. For more information on how TikTok Technology Limited processes personal data, please consult the privacy policy available at this link https://www.tiktok.com/legal/page/global/partner-privacy-policy/en and TikTok Business Products' (Data) Terms & Conditions here https://ads.tiktok.com/i18n/official/policy/business-products-terms
In addition, if you are registered, you are recognised through your email address and password by means of an “Identity provider” service provided by Google. For the transfer and processing of your IP address and email address by Google, we invite you to review its privacy policy:
By contacting the company and the DPO at the address dpo.kiko@kikocosmetics.com, you have the right to obtain access to your personal data (article 15), request their rectification (article 16), their erasure in the cases provided by the law (article 17) or restriction of their processing (article 18). Furthermore, pursuant to article 20 GDPR, with reference to the purposes of processing based on the contract or consent which are performed via automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller without hindrance from the Company if technically feasible. Pursuant to article 20 GDPR, you have the right to object at any time to the processing of your data based on legitimate interests. You have the right to withdraw your consent for marketing and/or profiling purposes at any time by logging into your account on the Website (and going to "Privacy Settings") or by writing an email to dpo.kiko@kikocosmetics.com. Moreover, you have the right to withdraw your consent for your enrollment in the KIKO Me loyalty program at any time by contacting Customer Service at the following email addresses: customercare-ar@kikocosmetics.com (ME) or customercare-enme@kikocosmetics.com (English), or by writing to the email address dpo.kiko@kikocosmetics.com. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal in any way. Finally, you have the right to lodge a complaint with the competent supervisory authority in the member state where you reside, work, or otherwise habitually stay, or where the alleged infringement has occurred.
The Data Controller reserves the right to amend/update the present information notice at any time.
For this purpose, you will find below the date of the last update.
Last update: March 15, 2024