The Data Controller is:

The Website collects the following categories of personal data, either independently or through third-party services:

Data Provided by the User

• Personal identity and contact details: first name, last name, email, phone number
• Shipping and billing data: address, city, postal/ZIP code, province/state, country, tax code, VAT ID
• Payment data: securely processed directly by certified payment gateways (PayPal, Stripe, etc.) — the Data Controller does not store credit card details
• Content of communications: text of messages sent via contact forms or email

Data Collected Automatically

• Usage data: IP address, browser type, operating system, pages visited, access times, referring URLs
• Cookies and similar technologies: please refer to the dedicated Cookie Policy

In compliance with the principle of data minimization (Art. 5.1.c GDPR), the Data Controller only collects data strictly necessary for the stated purposes. Refusal to provide mandatory data may make it impossible to provide the requested service.

Personal data is processed for the following purposes:

• a)Performance of the purchase contract (account registration, order fulfillment, shipping, returns management). Legal basis: Art. 6.1.b GDPR — performance of a contract.
• b)Tax and accounting obligations (invoice issuance, documentation retention). Legal basis: Art. 6.1.c GDPR — legal obligation (Presidential Decree 633/1972, Italian Civil Code).
• c)Responding to contact requests via forms, email, or customer support. Legal basis: Art. 6.1.b GDPR — pre-contractual measures.
• d)Direct marketing and newsletters (sending promotional and commercial communications). Legal basis: Art. 6.1.a GDPR — consent (withdrawable at any time).
• e)Statistical analysis and remarketing through profiling cookies and tracking pixels. Legal basis: Art. 6.1.a GDPR — specific consent collected via the cookie banner.
• f)Website security and fraud prevention (anti-spam protection, system logs, antivirus). Legal basis: Art. 6.1.f GDPR — legitimate interest of the Data Controller.
• g)Legal defense for the protection of the Data Controller's rights. Legal basis: Art. 6.1.f GDPR — legitimate interest.

Data is stored for the time strictly necessary to fulfill the purposes for which it was collected:

• Contractual and purchase data: for the entire duration of the contractual relationship and subsequently for 10 years for tax and civil law obligations
• User account: until erasure is requested by the User or after 24 months of inactivity
• Contact requests: maximum 24 months from the resolution of the request
• Marketing and newsletters: until consent is withdrawn, and in any case no later than 24 months from the last interaction (Data Protection Authority guidelines)
• Profiling cookies: according to the expiration dates specified in the Cookie Policy (max 12 months)
• System logs: max 12 months for security purposes

At the end of the retention period, the data will be deleted or irreversibly anonymized.

The Data Controller adopts appropriate technical and organizational measures (Art. 32 GDPR) to ensure data security, including: SSL/TLS encryption protocols, authentication systems, periodic backups, and data access restricted to authorized and trained personnel. Processing is carried out predominantly using IT and electronic tools.

Data may be disclosed to the following categories of recipients, appointed as Data Processors pursuant to Art. 28 GDPR:

Hosting and Infrastructure

Payments

Shipping

Communications and Support

Analysis and Marketing

Protection and Security

Embedded Content

Data may also be disclosed to legal, tax, and accounting consultants of the Data Controller, as well as to public authorities upon their legitimate request.

• Adequacy decisions of the European Commission, specifically the EU-US Data Privacy Framework (Decision 2023/1795)
• Standard Contractual Clauses (SCC) approved by the Commission (Decision 2021/914)
• Additional technical and organizational safeguards (encryption, pseudonymization)

At any time, the User has the right to:

• Right of access (Art. 15) — obtain confirmation of whether processing exists and a copy of the data
• Right to rectification (Art. 16) — correct inaccurate or incomplete data
• Right to erasure / to be forgotten (Art. 17) — request the erasure of their data
• Right to restriction (Art. 18) — restrict processing in certain specific cases
• Right to data portability (Art. 20) — receive data in a structured format and transmit it to another controller
• Right to object (Art. 21) — object to the processing, particularly for direct marketing purposes
• Right to withdraw consent (Art. 7.3) — at any time, without affecting the lawfulness of the processing prior to withdrawal
• Right not to be subject to automated decision-making (Art. 22), including profiling

To exercise their rights, the User can write to privacy@suybhair.com. Requests are free of charge and will be handled within 30 days (extendable by an additional 60 days in complex cases, with prior notice).

If the User believes that the processing of their personal data violates the GDPR, they have the right to lodge a complaint with the competent Supervisory Authority:

The Website uses technical cookies (necessary for operation) and, subject to the User's consent, analytical and profiling cookies. Settings can be changed at any time. For further details, please refer to the Website's Cookie Policy.

The Website is not intended for individuals under 14 years of age. The Data Controller does not knowingly collect personal data from minors. If it becomes known that data from a minor has been processed without parental consent, it will be deleted immediately.

The Data Controller reserves the right to modify this Privacy Policy at any time, informing Users on this page and, where necessary, via email. The User is invited to consult this document regularly, referring to the "last updated" date indicated at the top.