Privacy Policy for Registration in the Reserved Area of the Site
With this Privacy Policy, pursuant to Article 13 of Regulation (EU) 2016/679 ("GDPR" or "Regulation"), we wish to inform you of how your Personal Data (i.e., any information that can directly or indirectly identify you) will be processed when you visit and/or make purchases on the website www.esserrepharma.com (hereinafter, the "Site"). This policy, together with the Cookie Policy and the General Terms and Conditions of the Reserved Area for Nutritionists, establishes the basis on which your personal data will be processed.
Data Controller
The Data Controller of the personal data collected through the Site is: ESSERRE PHARMA SRL, with registered office in Italy, Via Salaria, 292 – 00199 Rome (RM), VAT no. 12540841009 (hereinafter 'Data Controller'), email address: privacy@esserrepharma.it
Methods of Processing Personal Data
We take the right to privacy and the protection of our Users' personal data very seriously, and we will process it lawfully.
The Personal Data provided or acquired will be processed in accordance with the principles of fairness, lawfulness, transparency, and confidentiality in accordance with applicable legislation, using appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of the Personal Data.
Processing is carried out using IT and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated.
Personal Data Processed
We list the categories of personal data processed:
1. Identification, Contact and Access Data
Name and surname, email address, office address, telephone number, specialization, membership in professional registers, and account login credentials, as well as any other Personal Data voluntarily communicated by the User.
2. Browsing Data
Connection-related cookies, IP addresses, domain names, and other parameters related to the browser and operating system used.
3. Usage Data
Information generated by visiting the Site: log data, data relating to registrations made, interaction and transaction processes, performance indicators, data relating to navigation flows and use of features.
Purpose of the Processing and Legal Basis
The Data Controller will process the Users' Personal Data, as listed above, for the performance of its commercial activities and sending newsletters, for the specific purposes indicated below.
1. Purposes Related to the Contract and Legal Obligations
- Browsing the Site;
- Account registration and management (recovering credentials, deleting them, etc.) and use of related services;
- Management of User requests via remote communication tools, such as emails, banners, notification systems and other remote communication tools present on the Site;
- Fulfillment of obligations arising from applicable laws, regulations, or EU legislation (e.g., tax and accounting obligations) or management and response to requests from the competent administrative, tax, and judicial authorities;
- Response to requests to exercise the rights granted to Users by the contract stipulated with the Data Controller, by the law relating to that contract or by the GDPR, and consequent activities.
For these purposes, the legal basis is the need to fulfill pre-contractual and contractual obligations to which the User is a party (Article 6.1.b) of the GDPR) or the fulfillment of legal obligations to which the Data Controller is subject (Article 6.1.c) of the GDPR).
Therefore, with the exception of account registration data, which is optional, their processing is necessary once the user has registered to allow the provision of services and full use of the Site.
2. Analysis and Statistical Purposes and Other Purposes NOT Based on Consent
- Perform statistical analyses regarding the use of the Site, navigation, and product searches, to improve the site and the offering of products sold through it;
- Ensure compliance with the Data Controller's contractual rights or demonstrate that the Data Controller has fulfilled its obligations arising from the contract with the data subject or imposed by law, to prevent and/or suppress fraudulent or harmful actions;
- Remind the User who has started the purchase process that he has added a product to his shopping cart.
The legal basis for this processing is legitimate interest (Article 6(1)(f) of the Regulation). Sometimes, the legal basis is legitimate interest (Article 6(1)(f) in conjunction with Recital 47 of the Regulation) for sending transactional emails (e.g., abandoned cart).
3. Direct Marketing Purposes, Sending Newsletters, and Subscription to the "Find Your Nutritionist" Service
With your consent, we will send you marketing emails to show you updates, news, offers and promotions, and market research, including through automated processing tools such as emails and newsletters.
With their consent, Users may sign up for the "Find Your Nutritionist" service, which allows any Site user to find and locate local nutritionists, via the Site, using the Google Maps feature. In this case, the data will be collected via an online form linked to a store locator application integrated into the Shopify platform; this application geolocates the data entered by the User via the Google Maps API.
The legal basis is the User's express consent to the processing of personal data for these purposes (Article 6.1.a) of the Regulation). Providing data for these purposes is optional. Failure to provide consent, revocation of consent, or exercise of the right to object will in no way affect the User's ability to use the Site's services.
Changing Choices and Revoking Consent
If consent is given, the User may at any time revoke the consent given and/or object to the processing of personal data for general marketing purposes using the methods indicated in the "Rights of the Data Subject" section later in this policy.
If you withdraw your consent, any processing performed based on your consent before its withdrawal will still be considered legitimate. If you withdraw your consent and/or object to the processing of your data for general marketing purposes, your data will no longer be processed for that purpose and will be retained by the Data Controller only if there is another legal basis that justifies the processing (e.g., contractual performance; legal obligation; legitimate interest).
Data Retention Period
The Data Controller will process Users' personal data for the time necessary to achieve the purposes for which they were collected, as defined in this policy. However, for each of the purposes indicated, the personal data collected will be retained for the period specified below:
1. For the Purposes Related to the Contract
The Data Controller will process the User's data for the time strictly necessary to carry out the individual processing activities. It is understood that, after this period, the Data Controller may retain the data for the purposes and for the maximum retention periods set out in the other sections of this policy, if relevant and/or, in any case, in the cases established by the GDPR and/or by law.
2. For Fiscal, Administrative, Accounting and Legal Purposes
Until the expiration of the legal deadlines required for fulfilling each obligation and/or the retention periods required by law. If the User closes the account, the data contained therein will be retained for administrative purposes for a period of 3 months from the date of the account closure request.
3. For Purposes Based on the Data Controller's Legitimate Interest
The Data Controller will process the User's data for the time strictly necessary to fulfill this interest, unless, in the event of disputes and/or complaints, the Data Controller needs to retain the personal data for defense purposes (letter k) for the following 10 years (the statute of limitations) or, in the event of litigation, further retention is required by the duration of the dispute or specific requests from the authorities. The User can obtain further information on the legitimate interest pursued by contacting the Data Controller.
4. For Direct Marketing Purposes and Registration for the "Find Your Nutritionist" Service
Until consent is revoked and in any case for a period of 12 months from when consent was given or renewed by the User, or from the date of the last contact with the User, meaning, for example, opening the newsletter.
After such retention periods, the Personal Data will be deleted and the User will no longer be able to exercise the rights of access, deletion, rectification, and portability of the Data.
Communication and Dissemination of Data
In addition to the Data Controller, the following may in some cases have access to the Data:
- Persons involved in the organisation of the Website (for example: administrative, commercial, marketing personnel);
- Third parties who perform tasks that are ancillary and instrumental to the Data Controller's activity and who process personal data on behalf of the Data Controller (for example: payment services, event, trade fair and conference organization agencies, lawyers, accountants, system administrators, logistics companies, newsletter services);
- Public or private entities that can access the Data in compliance with the law, regulations and provisions issued by the competent authorities;
- Potential purchasers of the Data Controller's company and entities resulting from the merger or any other form of transformation.
These recipients, depending on the case, process Users' personal data as data processors or independent controllers. Users may request an updated list of Data Processors pursuant to Art. 28 of the GDPR.
Place of Processing and Transfer of Data Abroad
Data processing takes place primarily in Italy and other European Union countries. Some third-party tools may process the data of this website's users in countries outside the European Economic Area (the "Third Countries").
Data transfer to third countries may also occur through the use of external tools that enable certain services (e.g., newsletters, remarketing, advertising, use of social media buttons, video viewing).
Sometimes, the use of these tools may involve the transfer of personal data of users who visit this website to a third country, such as the United States, for which there is no adequacy decision from the European Commission.
If there is a need to transfer data to third countries, the Data Controller undertakes to ensure that the country to which the data will be sent guarantees an adequate level of protection, as required by Article 45 of the GDPR; such transfer will be governed by the standard data protection contractual clauses approved by the European Commission for the transfer of personal data outside the EEA pursuant to Article 46.2 of the GDPR.
Personal Data Processing Tools
Contact Form
By completing the contact form, the User consents to the processing of the personal data entered therein and its use to respond to requests for information. The personal data processed are those requested by the form (name, surname, company, email address, telephone number) and any other personal data entered by the user in the body of the message.
Statistics
Usage Data and Cookies. This website uses the following services:
Rights of the Data Subject
Data subjects have the right to exercise the rights provided for in Articles 7, 15-22 of the Regulation.
Specifically, Users have the right to obtain: access, updating, rectification, or, where applicable, integration of their data; the deletion, anonymization, or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed; and certification that the aforementioned operations, including their content, have been notified to those to whom the data was communicated or disseminated, unless this proves impossible or involves a manifestly disproportionate effort compared to the right being protected.
Furthermore, Users have the right to withdraw their consent at any time, if the processing is based on their consent, to request data portability (i.e., to receive all personal data concerning them in a structured, commonly used, and machine-readable format), to request restriction of processing of personal data and/or erasure (the "right to be forgotten"), as well as the right to object to the processing of personal data concerning them and to processing for the purposes of sending advertising materials, direct selling, and market research.
Pursuant to the Applicable Law, the Data Controllers inform Users that they have the right to obtain information on (i) the source of their personal data; (ii) the purposes and methods of processing; (iii) the logic applied in the event of processing carried out with the aid of electronic instruments; (iv) the identification details of the Data Controllers and data processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as data processors or persons in charge of processing.
Data subjects may exercise their rights by sending the Data Controller a specific communication or by using the data subject rights exercise form, available at this link, to be sent, duly completed and signed, with attachments, to the Data Controller by email to: privacy@esserrepharma.it
If data subjects believe that the processing of their personal data violates the Regulation, they also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, with headquarters in Piazza Venezia n. 11 - 00187 – Rome, Italy) (http://www.garanteprivacy.it/).
Changes to this Privacy Policy
The Data Controller reserves the right to make changes to this Privacy Policy at any time by giving notice to Users on this page. Therefore, please check this page often, referring to the date of the last modification indicated at the bottom. If you do not accept the changes made to this Privacy Policy, you must cease using this Website and may request that the Data Controller remove your Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to Personal Data collected up to that point. The Data Controller is not responsible for updating all links displayed in this Privacy Policy. Therefore, if a link is not functioning and/or up-to-date, Users acknowledge and agree that they must always refer to the document and/or section of the websites linked to that link.