Privacy Policy

(pursuant to EU Regulation 2016/679, the “GDPR”) This policy describes the personal data we collect when you use this website or visit “Malo” branded points of sale. It also lists the purposes for which the data is used and the rights to which you are entitled as a data subject. The processing operations described in this policy only apply to the services available on the website or in “Malo” branded points of sale. We would like to inform you that the website may contain links to websites owned by third parties, who are directly responsible for the data processing carried out there; we therefore invite you to consult their privacy and cookie policies. DATA CONTROLLER With regard to the personal data collected for the use of the services available on this website and at the “Malo” branded points of sale, the Data Controller is Malo S.p.A. (hereinafter referred to as “Malo”), which has its registered office at . Malo can be contacted by sending an email to email WHY WE USE YOUR DATA The following is a list of all the purposes for which we may collect your personal data.Website browsing

Purpose: To enable web browsing; to perform aggregate statistical analysis aimed at measuring the proper functioning of this website and, in case of cybercrimes, to ascertain any responsibilities.

Data processed: IP addresses, domain names, URIs. These data are acquired by the computer systems responsible for the operation of this website.

Legal bases:

• provision of services aimed at enabling users to browse this website;
• legitimate interest in ensuring the proper functioning of computer systems and in investigating possible offenses (also based on the existence of a legal obligation).

Storage period: 30 days following the date of collection, unless otherwise provided by law or measures of Public Authorities that impose a different retention period in relation to investigations related to possible cybercrimes.Online product purchases

Purpose: Processing of online purchase orders and carrying out related activities (dispatch of goods, invoicing, payment management, shipment tracking, delivery of goods, possible activation of the return and refund process, return management, etc.).

Data processed: Contact details (name, surname, email address, phone number) and shipping address. In case of returns, we will also ask you to provide us with your IBAN code, necessary to process the refund for the returned merchandise. Malo will not process data related to the payment method you provided (e.g., payment card number and security code), which will instead be collected exclusively by the payment service provider you have chosen.

Legal basis: Performance of the sales contract.

Retention period: Time necessary to fulfill contractual and regulatory obligations regarding the sale of products (e.g., tax regulations).

Customer Care Purpose: we provide a support service (via chat, telephone, email, online form and social media) for any requests relating to the purchase of our products or the use of our services. Telephone calls to the Customer Care service are recorded, allowing us to assess how to improve the quality and efficiency of the service provided to our customers. Data processed: the data required to respond to your requests to our Customer Care service (for example, for the chat support service, we will ask you to provide your name and email address; calls subject to recording will be limited to less than 30% of the total calls received on a daily basis). Legal bases: Performance of a contract for the purchase and sale of products or pre-contractual measures taken in response to your request; With regard to the chat support service, legitimate interest in preventing so-called “chat spam”; With regard to the recording of telephone calls, legitimate interest in improving the quality and effectiveness of the service offered. Retention period: the time strictly necessary to fulfil your request; recordings of telephone calls will be retained for no longer than 93 days.Participation in satisfaction questionnaires

Purpose: In order to improve the customer service, we invite you to fill out a questionnaire where you can indicate your satisfaction with the assistance received or share any additional observations.

Data processed: Ticket number assigned to your assistance request, data provided during the questionnaire completion. If the user wishes to be contacted again, contact data will also be processed.

Legal basis: User’s specific consent expressed by completing each questionnaire.

Retention period: Up to 1 year from their collection.Sending commercial communications (“Direct Marketing”)

Purpose: Sending commercial communications via traditional postal mail, email, SMS, landline and mobile phone, conducting market research, and activities to assess your satisfaction level regarding products related to the Malo brand.

Data processed: Contact information (e.g., name, surname, email address, phone number).

Legal basis: Your consent, which you can revoke at any time by writing to email or accessing your reserved area.

Retention period: Until your consent is revoked.

Profiling Purpose: profiling enables us to send you commercial communications that are tailored to your customer profile and your buying and browsing habits, and to develop products and services according to our customers’ preferences. Data processed: data relating to your purchases, your country of origin, your gender and age, your interactions with us via our website, via apps – which may be developed by us or by third parties – and via our social media channels (e.g. Facebook, Instagram, etc.). We may also examine data relating to the use of services provided by us. Finally, we may enrich your customer profile with information of a statistical nature that we lawfully acquire from other sources: for example, data on your area of residence (including demographic information, georeferencing data, etc.) or on the electronic tools you use to interact with us. Legal basis: your consent, which you may revoke at any time by writing to email or via your customer account. Retention period: data relating to your interactions with us will be retained for 12 months from the date of collection; information relating to your purchases will be retained for 3 years from the date of each purchase.Anti-fraud measures

Purpose: Verify the correspondence between the buyer and the holder of the selected payment instrument.

Data processed: Your first name, last name, details of e-commerce orders, and information about the type of payment instrument used to make the purchase.

Legal basis: Legitimate interest in fraud prevention and detection.

Retention period: Two years following the collection of the data.Registration for a customer account

Purpose: Creation of a reserved area (“account”) that will allow you to save certain contents (e.g., the “wishlist,” which is the list of your favorite products, purchase history, etc.).

Data processed: Personal identification and contact information provided in the online form for registration to the reserved area. Data essential for the use of our services are marked with an asterisk: without providing this information, we will not be able to provide you with the requested service.

Legal basis: Execution of the website registration contract.

Retention period: In case of non-use for more than 3 years, the created accounts and related data will be deleted.Saving login credentials for the customer account after the end of the session (“Stay logged in”)

“Purpose: To facilitate the use of your reserved area (‘account’) by allowing you to save your login credentials and remain logged into your account beyond the end of the browsing session. Data processed: Your login credentials. Legal basis: Your consent expressed through the acceptance of a cookie (also refer to the Cookie Policy). Retention period: The cookie that saves the login credentials will remain active for 12 months. At any time, you can disable cookies by accessing the ‘Cookie Settings’ section available in the Cookie Policy.Statistical analysis

“Purpose: To create statistical reports and behavioral models in order to examine, in aggregate form, the economic effectiveness of commercial initiatives (e.g., launching a new product) by Malo S.p.A. and to direct future commercial and promotional initiatives. Data processed: Information related to your purchases, country of origin, age, gender, information obtained by examining your interaction with us, through email, our website, and through Apps that may be developed by us or by third parties (for more information, please refer to the respective privacy policies). Legal basis: Malo S.p.A.’s legitimate interest in analyzing – in pseudonymized form (thus without directly attributable information to individual customers) – customer data to obtain strategic information regarding customer purchasing behavior, the ways in which customers interact with the company through various communication channels, and the effectiveness of commercial and promotional initiatives, in order to compete with major industry players. Retention period: Data related to your purchases will be retained – in pseudonymized form – for a period of five years. Other personal data will be retained – in pseudonymized form – for a period of two years.”

Gifts Purpose: purchases of Malo items that you can send as gifts to the recipients indicated by you. Data processed: the personal and contact data of the gift purchaser, as well as the personal and contact data of the gift recipient (communicated to us by the purchaser or recipient). Legal bases: performance of the contract for the sale and purchase of products; legitimate interest in ensuring delivery of the gift to the recipient. Retention period: the data will be retained for as long as necessary to fulfil the contractual obligations and obligations imposed by law (e.g. tax obligations).Purchase of products at the point of sale with home delivery or in-store collection

Purpose: In case the product you desire is not available, you can order it at our stores and have it delivered to your home or pick it up at our stores. We will then collect your personal data for processing your purchase order and performing related activities (such as shipping, invoicing, payment management, shipment tracking, product delivery, possible activation of the return and refund process, return management, etc.). Data processed: Personal and contact information (name, surname, shipping address, email address, phone number), information regarding the purchased product (e.g., size). In case you wish to return the purchased products, to proceed with the refund of the paid amount, we will ask you to provide us with your IBAN code. Legal basis: Execution of the sales contract. Retention period: The time necessary to fulfill contractual and regulatory obligations related to the sale of products (e.g., tax regulations). Data controller: Malo S.p.A. To exercise your rights regarding this specific purpose, you can contact us by writing to email.Customised sales

Purpose: Provide a product customization service. Data processed: Information (e.g., size, color, model) related to purchases made by you in the previous 12 months. Legal basis: Legitimate interest in providing the best customer service at our stores, in line with customer needs. Retention period: 12 months from the date of collection.Sending tax receipts in digital format

Purpose: Sending the fiscal receipt via email for a purchase made at a “Malo” retail store. Data processed: Email address. Legal basis: Compliance with tax regulatory obligations. Fulfillment of contractual obligations.Information on product availability

Purpose: Sending a notification to the email address you provided regarding the new availability of a product (so-called back in stock). Data processed: Email address. Legal basis: Execution of pre-contractual measures adopted based on your request. Retention period: Your email address will be deleted immediately after informing you of the new availability of the requested product, and in any case, within one month from the request.

Invoicing Purpose: to issue invoices for purchases made at “Malo” points of sale. Data processed: first name, last name, contact details, billing address, tax code, VAT number, residential address, recipient code (SDI code). Legal bases: fulfilment of regulatory obligations in tax matters; fulfilment of contractual obligations. Retention period: the time required to fulfil the contractual and regulatory obligations relating to the purchase and sale of products (e.g. tax regulations). Data controller: Malo S.p.A.Point-of-sale video surveillance

Purpose: In our stores, there is a video surveillance system to protect the security of our stores, staff, and customers who access them. The purpose of the processing is therefore to protect against concrete situations of danger such as fires, thefts, robberies, acts of vandalism, and unauthorized access. The collected images may also be used for defense purposes, verification, and exercise of our own claims and rights. Data processed: Your image. Legal basis: Legitimate interest of the data controller in protecting its corporate assets and the safety of its employees and customers. Retention period: The images will be retained for a period of 72 hours. In case of a request from the judicial authority or law enforcement or, in any case, in the event of the use of the images in a judicial proceeding, the retention period may be extended until the definition of the proceeding itself.

COOKIES

We use cookies in some areas of the website. We ask that you read our Cookie Policy in conjunction with this policy.DATA PROCESSING METHODS

The Data Controller will process the personal data of users/customers using both manual and computerized tools, with logic strictly related to the purposes themselves and, in any case, in a way that ensures the security and confidentiality of the data. The data provided voluntarily is collected electronically directly by the Data Controller or through subjects appointed as “Authorized to Process” or through third parties expressly appointed as Data Processors, also through Customer Relationship Management (CRM) computer systems. The CRM is used by the Data Controller both to improve the management of customer data from an administrative and computer perspective and to offer higher-quality services, and, if you give your consent, for direct and profiled marketing purposes.SOCIAL NETWORKS

On our website, you may also find social buttons/widgets, which are specific “buttons” featuring icons of social networks (such as Facebook and Instagram) and interactive social walls (displaying content from social networks). These “buttons” allow users browsing our website to interact with a single click directly with the social network, which collects data related to your visit. In some areas of the site, there is also the so-called social login, which allows you to access your reserved area through the social network account. When you perform the social login, you agree to the terms, conditions of use, and privacy policy of the social network itself.TRANSFER OF COLLECTED PERSONAL DATA TO COUNTRIES OUTSIDE THE EU

The personal data collected may be transferred outside the European Union. In such a case, the transfer will comply with the provisions of Regulation (EU) 2016/679 (“GDPR”) (in particular, the data will be transferred only upon the signature of Standard Contractual Clauses approved by the EU Commission with Decision No. 2021/914/EU or to countries capable of ensuring an adequate level of protection of personal data and therefore recipients of an Adequacy Decision adopted by the EU Commission).

RIGHTS THAT CAN BE EXERCISED BY THE DATA SUBJECT

You can exercise your personal data rights under the GDPR by writing to email. We undertake to reply to your request as soon as possible, and no later than thirty days after receipt of your request. In certain cases, we may ask you for further information if it is necessary to verify your identity in connection with your request. Specifically, you may exercise the following rights:

• The right of access , i.e. the right to know whether personal data relating to you is being processed and, if so, to obtain a copy of such data and information concerning: the source of the data, the categories of personal data being processed, the recipients of the data, the purposes of the processing, the use of automated decision-making (including profiling), the data retention period, and your rights under the GDPR.
• The right to have your data rectified or completed.
• The right to have your personal data deleted if such data is no longer necessary for the purposes for which it was collected, or if we are no longer authorised to process it.
• The right to obtain the restriction of processing of personal data in the following cases: i) you have contested the accuracy of the personal data. You may request restriction of the processing for the period necessary to verify the accuracy of the data; ii) we are no longer authorised to process the data and, instead of deleting it, you may ask us to restrict its use; iii) the personal data, which is in our possession but no longer necessary for the purposes for which it was collected, is necessary for you to establish, exercise or defend a legal claim. The right to data portability, i.e. the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, as well as the right to request that such data be transferred to another Data Controller.
• The right to withdraw your consent for processing based on said consent. You have the right to object to the processing of your personal data based on our legitimate interests at any time.You also have the right to lodge a complaint with the competent data protection supervisory authority if you believe that the processing of your data contravenes the provisions of the GDPR.We reserve the right to update the content of this page periodically. We encourage you to consult this information regularly in order to stay up to date with any changes that may have occurred since your last consultation.Last updated: February 2024