GDPR COMPLIANCE

OUR COMMITMENT TO DATA PROTECTION

Lily Venus fully complies with the General Data Protection Regulation (EU) 2016/679. As an Italian company, we are committed to protecting your personal data with the highest standards of privacy and security throughout the European Union and beyond.

LEGAL BASIS FOR PROCESSING

We process your personal data only when we have a valid legal basis:

Contract Performance (Article 6(1)(b))

  • Processing orders and payments
  • Delivering purchases
  • Managing your account
  • Providing customer service

Legitimate Interests (Article 6(1)(f))

  • Fraud prevention and security
  • Business improvement
  • Direct marketing to existing customers
  • Internal administrative purposes

Legal Obligations (Article 6(1)(c))

  • Tax and accounting records
  • Anti-money laundering compliance
  • Consumer protection laws
  • Court orders and legal claims

Consent (Article 6(1)(a))

  • Marketing to new contacts
  • Non-essential cookies
  • Newsletter subscriptions
  • Special category data processing

DATA PROTECTION PRINCIPLES

We adhere to all seven GDPR principles:

1. Lawfulness, Fairness, and Transparency

  • Clear legal basis for all processing
  • Fair collection methods
  • Transparent privacy notices
  • No hidden data practices

2. Purpose Limitation

  • Specific, explicit, legitimate purposes
  • No further incompatible processing
  • Clear communication of purposes
  • New purposes require new legal basis

3. Data Minimization

  • Only collect necessary data
  • Relevance to stated purposes
  • Regular data audits
  • Deletion of excess data

4. Accuracy

  • Keep data accurate and current
  • Prompt correction mechanisms
  • Regular verification processes
  • User update capabilities

5. Storage Limitation

  • Defined retention periods
  • Automatic deletion processes
  • Regular retention reviews
  • Clear retention schedule

6. Integrity and Confidentiality

  • Appropriate security measures
  • Encryption and pseudonymization
  • Access controls
  • Regular security testing

7. Accountability

  • Documented compliance
  • Privacy by design
  • Impact assessments
  • Compliance monitoring

YOUR RIGHTS UNDER GDPR

Right of Access (Article 15)

  • Confirmation of processing
  • Access to your personal data
  • Processing information
  • Copy of data (free of charge)

Right to Rectification (Article 16)

  • Correct inaccurate data
  • Complete incomplete data
  • Timely updates
  • Third-party notification

Right to Erasure/"Right to be Forgotten" (Article 17)

  • Request deletion in specific circumstances, including:
  • When the data is no longer necessary
  • When consent is withdrawn
  • When processing is unlawful

Right to Restrict Processing (Article 18)

  • Limit processing while disputes are resolved, for example:
  • When accuracy is contested
  • When processing is unlawful
  • When legal claims are pending

Right to Data Portability (Article 20)

  • Receive data in structured format
  • Machine-readable format
  • Transfer to another controller
  • Direct transfer where feasible

Right to Object (Article 21)

  • Object to processing based on legitimate interests
  • Object to direct marketing
  • Object to profiling
  • Unless compelling legitimate grounds override your objection

Rights Related to Automated Decision-Making (Article 22)

  • Not to be subject to solely automated decisions
  • Right to human intervention
  • Express your point of view
  • Contest the decision

DATA WE COLLECT

Personal Data Categories:

  • Identity Data: name, title, username
  • Contact Data: addresses, email, phone
  • Financial Data: payment details (tokenized)
  • Transaction Data: purchase history, preferences
  • Technical Data: IP address, browser type
  • Profile Data: preferences, feedback
  • Usage Data: website interaction
  • Marketing Data: preferences, subscriptions

Special Category Data: We do not intentionally collect special category data (racial/ethnic origin, political opinions, religious beliefs, genetic/biometric data, health data, sexual orientation).

HOW WE USE YOUR DATA

Purpose            Legal basis                      Data categories
Process orders     Contract                         Identity, Contact, Financial, Transaction
Customer service   Contract / Legitimate interests  Identity, Contact, Transaction
Marketing          Consent / Legitimate interests   Identity, Contact, Profile, Marketing
Improve services   Legitimate interests             Technical, Usage, Profile
Legal compliance   Legal obligation                 All categories as required
Security           Legitimate interests             Technical, Transaction

DATA SHARING

We share data with:

  • Service providers (processors)
  • Professional advisers
  • Tax authorities
  • Law enforcement (when required)

We do NOT:

  • Sell your personal data
  • Share without legal basis
  • Transfer without safeguards
  • Allow unauthorized access

INTERNATIONAL TRANSFERS

Within EEA: Free movement of data

Transfers outside the EEA take place only with:

  • Adequacy decisions
  • Standard contractual clauses (SCCs)
  • Binding corporate rules
  • Your explicit consent
  • Other Article 49 derogations

Current transfer mechanisms:

  • EU-US transfers: SCCs + supplementary measures
  • EU-UK transfers: Adequacy decision
  • Other countries: Appropriate safeguards

DATA RETENTION

Data type          Retention period    Reason
Order data         7 years             Tax/legal requirements
Account data       Active + 3 years    Service continuity
Marketing          Until opt-out       Consent duration
Cookies            Max 13 months       ePrivacy Directive
CCTV               30 days             Security
Customer service   3 years             Dispute resolution

SECURITY MEASURES

Technical Measures:

  • Encryption (at rest and in transit)
  • Pseudonymization where appropriate
  • Regular testing and assessment
  • Secure development practices

Organizational Measures:

  • Access controls and authentication
  • Staff training and awareness
  • Confidentiality agreements
  • Incident response procedures

Physical Measures:

  • Secure facilities
  • Equipment protection
  • Secure disposal
  • Access logging

DATA BREACH PROCEDURES

Our commitment:

  • 72-hour notification to supervisory authority
  • Notification to affected individuals (where the breach poses a high risk)
  • Documented breach register
  • Mitigation measures
  • Prevention improvements

Breach response includes:

  • Nature of breach
  • Categories of data affected
  • Approximate number affected
  • Consequences and measures taken
  • Contact details for information

PRIVACY BY DESIGN

We implement:

  • Data protection from the outset
  • Default privacy settings
  • Minimal data collection
  • Purpose limitation
  • Transparency measures
  • User control features

DATA PROTECTION OFFICER

DPO Contact:
Email: dpo@lilyvenus.com
Phone: +39 348 8423854

Responsibilities:

  • Monitor GDPR compliance
  • Privacy impact assessments
  • Staff training
  • Supervisory authority cooperation
  • Data subject point of contact

SUPERVISORY AUTHORITY

Lead Authority (Italy): Garante per la protezione dei dati personali
Address: Piazza Venezia 11, 00187 Roma
Tel: (+39) 06.696771
Email: protocollo@gpdp.it
Website: www.garanteprivacy.it

Your local authority: You may also lodge complaints with your local data protection authority.

EXERCISING YOUR RIGHTS

How to submit requests:

  1. Email: privacy@lilyvenus.com
  2. Online privacy portal
  3. Phone: +39 348 8423854
  4. Post: Via Milano 46, 36100 Vicenza, Italy

We require:

  • Proof of identity
  • Specific right(s) exercised
  • Clear description of request
  • Preferred response format

Response timeline:

  • Acknowledgment: 72 hours
  • Full response: 30 days
  • Complex requests: up to 60 additional days, with notice
  • Free of charge (unless requests are excessive)

COOKIES AND TRACKING

Cookie compliance:

  • Clear cookie banner
  • Granular consent options
  • Prior consent for non-essential cookies
  • Easy withdrawal mechanism
  • Cookie policy available

Types of cookies:

  • Strictly necessary: No consent required
  • Performance: Consent required
  • Functional: Consent required
  • Targeting: Consent required

CHILDREN'S DATA

  • No intentional collection of data from children under 16
  • Parental consent required
  • Verification measures
  • Deletion rights for parents
  • Special protections applied

PRIVACY IMPACT ASSESSMENTS

We conduct DPIAs for:

  • Large-scale processing
  • New technologies
  • High-risk processing
  • Systematic monitoring
  • Special category data

THIRD-PARTY PROCESSORS

Requirements:

  • Article 28 agreements
  • Security guarantees
  • Processing instructions
  • Audit rights
  • Sub-processor approval

YOUR PRIVACY MATTERS

We never:

  • Process without legal basis
  • Collect excessive data
  • Keep data longer than necessary
  • Transfer without protection
  • Ignore your rights

We always:

  • Respect your choices
  • Protect your data
  • Respond promptly
  • Maintain transparency
  • Improve our practices

QUESTIONS?

For GDPR compliance questions:

Email: privacy@lilyvenus.com
DPO: dpo@lilyvenus.com
Phone: +39 348 8423854
Hours: Monday-Friday, 9:00-18:00 CET


Your data. Your rights. Our responsibility.