1 – Introduction

Browsing the PROZIS website and customer registration on the online store from 3 October 2023 shall represent the acknowledgment and the acceptance of this Privacy and Data Protection Policy.

PROZIS (collectively, including all the companies belonging to PROZIS GROUP), maintains a constant concern for the protection of the privacy of personal data and a preventive action regarding the security of the website and the protection of the data of its customers and visitors.

To reinforce the guarantees of the confidentiality of personal data, new data protection measures were implemented, both in terms of verifying the legitimacy of the use of personal data processed and in terms of ensuring compliance with the rights granted to the data subjects. In this context, and through the specialization of customer support channels, PROZIS aims to promote a clearer and more objective communication of the purposes underlying the processing of personal data and the transparency of data processing operations.

Thus, the information contained in this text is intended to convey, clearly and unambiguously, the content of the privacy policy and protection of personal data that will be processed under the terms of the General Data Protection Regulation in force (hereinafter GDPR) and delimited by the content of the business relationship to be established between the data subject and PROZIS.

2 – Processing of personal data

Customers' personal data is processed in accordance with strict procedures that are frequently reassessed in order to guarantee full compliance with the principles that derive from both the applicable legal provisions and the good practices issued at supranational level with regard to the Security and Privacy of Personal Data.

In general terms, personal data are collected in three situations directly arising from PROZIS' activity:

2.1. Customer registration: creating a PROZIS account and determining the purposes for processing personal data

For the purpose of creating the customer account, a personal area is provided in which the customer must enter the data necessary for their identification as a customer. The first purchase will depend on the provision of additional personal data, indispensable for order processing and delivery.

Required fields on the forms available for those registration stages are marked with an asterisk (*).

Confirming the intention of creating a customer account shall mean that the data indicated to that aim is accurate and up-to-date, as well as the acknowledgment that PROZIS may, at any moment, suspend the account, including any transactions in progress, if there is a founded suspicion that the data provided is not compliant and the Customer fails to rectify it when requested to do so.

At the latest when the first order is placed, the customer must provide the personal details deemed necessary for the order to be processed and delivered correctly.

PROZIS is committed to protecting customer data which will never be made available to third parties without the acknowledgment or consent of the data subject, as legally required.

PROZIS has concluded confidentiality and data protection agreements with the companies in the group of companies to which it belongs, insofar as they provide support services for the management of the sales process and the distribution of the products in the online shop, as well as with all other entities that provide support services for the operation of the functionalities and applications that customers wish to use. All entities, whether they have a direct subcontracting relationship with the data controller, or an indirect one due to the subcontracting relationship with the subcontractor and authorised by the latter, will also be required to comply with the GDPR, under the provisions applicable to the processing of personal data on behalf of third parties. In addition, when making a purchase on the site, customers will also be asked to provide their delivery address and payment details in order to promote maximum efficiency and ensure that delivery times are met. This data will be passed on to the companies in the aforementioned group, as well as to the forwarding agent who will guarantee delivery of the order, all of whom are obliged to process this data in strict compliance with the principles applicable to the protection of personal data.

In the course of processing the customer's order, it is also possible that certain personal data - such as address and postcode - may be communicated to third parties for the sole purpose of preventing and detecting fraud and always following a request to this effect from the competent authorities. For security reasons, the request itself is subject to a procedure to confirm its authenticity.

For the purposes of implementing other functionalities made available by PROZIS, at the customer’s demand, additional personal data may be requested and processed in accordance with the procedures specifically set out in the conditions of use of such data, without prejudice to the customer's right to be informed of the specific procedures for such processing in response to such request.

The data provided will be kept for the strictly necessary period, which generally corresponds to the duration of the customer's account. For this reason, when the customer triggers the deactivation of their account, the personal data will be permanently deleted, with the exception of data to be retained in order to comply with legal obligations, in particular but without limitation, for invoicing and accounting purposes. This data will be stored in a dedicated, pseudonymised database created for this purpose, and only for as long as is absolutely necessary for these purposes. Data relating to transactions carried out during this period using the credit card payment method will also be stored in the same database for a period of twelve months. This record is kept for the purpose of making any refunds due to the customer during these periods, which run from the date of issue of the respective invoices. However, this does not apply to situations where data is kept for reasons of suspected fraud, as described above.

Consequently, once the account has been deactivated, if the customer wishes to place a new order on the site, they must register again, subject to the conditions in force at that time, which will be available in a downloadable version.

Remark: If, after the expiry of the aforementioned twelve months, a refund is required and the account has already been deactivated, the customer must contact Customer Services, providing new bank details and presenting an original, official bank statement. Only bank statements on which the customer is identified as the sole or main holder of the new bank account will be accepted.

Completion of the customer's registration will trigger a registration confirmation for the email address that the customer has associated with the customer account, which will include a hyperlink to this text.

Every feature or platform that PROZIS may possess and which the customer intends to use will be subject to acceptance of the respective conditions of use and, where applicable, the respective privacy and data protection policy. All matters not covered by the aforementioned texts will be governed, with the necessary adaptations, by the conditions set out in this document.

With regard to the accuracy of the customer's data and the respective register, whenever the customer wishes to check the data provided to PROZIS, they can do so in the Account details tab. Customers must keep their account access codes securely, as any action or request made via the account is their responsibility.

Remark: For security and protection of personal data reasons, we recommend that customers do not save their password in their browser, as someone else who has access to their devices may be able to access their personal information.

What is the purpose of the data collected?

Customer data is processed for purposes such as processing orders, notifying customers of any changes to the functionalities of the website, conducting surveys and evaluating interactions for statistical purposes.

Other information concerning the customer's experience on the website may also be collected for the sole purpose of improving the service provided to the customer. However, this will only be done once it has been confirmed that the respective owner has been informed or, where applicable, express consent has been obtained, particularly with regard to the services and functionalities made available by PROZIS via the website or any other app it owns. For the purposes of assessing and certifying the quality of the service and the effectiveness of the response offered by PROZIS, the relevant information may be shared with entities specialised in this field, namely Trustpilot A/S, on the basis of the legitimate interest of PROZIS. For this reason, the customer will be guaranteed the right to object to the processing of the data transmitted in this context (e-mail address and order number). To this end, an opt-out option will be provided in the request for evaluation of the purchasing experience, without prejudice to the customer's right to make a request directly to PROZIS’ customer service or to the Data Protection Officer (via email sent to [email protected]).

Customers may periodically receive information on products and services, campaigns, promotions and special offers by email. If customers do not wish to be contacted for these purposes, they may unsubscribe from the newsletter by clicking on the "Manage permissions" tab in the "Account details" area or by clicking on the link available for this purpose in the text of the newsletter.

2.2. Customer contact with PROZIS

Whenever the customer, on their own initiative, contacts PROZIS in order to obtain information, regarding the products, purchase procedures, the status of the order or to report any situation related to the site or to any services provided, PROZIS may need to collect additional personal data for various purposes, which will be specifically communicated in this case, but which may generally fall under the circumstances of confirming the customer's identity and the purpose of the contact.

In order to ensure that the contact is actually being established by the data subject, PROZIS has implemented measures to reinforce the identity of the caller, especially in cases where the contact is established by telephone.

The operator will only continue the call once the purpose and conditions for validating the customer's identity have been clearly and objectively communicated, and once the customer has expressly confirmed their intention to continue the conversation under these conditions.

In this respect, the customer may be asked, for example, to indicate one or more products purchased during previous orders, which the operator will confirm after requesting authorisation to access the purchase history for the last 6 (six) months. Alternatively, and after describing the identity validation mechanism, the operator may send an alphanumeric validation code to the telephone contact or e-mail address registered in the customer's account, which will then be required by the operator to continue the conversation.

Once the customer's identity has been validated, the operator will ask key questions based on the description of the purpose of the contact to frame the situation and possibly pass it on to the appropriate Customer Service operator.

Any recording of the call to assess the quality of the service will depend on the customer's prior and express consent for this purpose.

For each communication established between the customer and the customer service and as soon as the situation that led to the customer's contact with PROZIS is considered resolved, the customer will be sent a message confirming the update of the complaint or the status of their request. Personal data associated with the initial contact will be retained for a maximum period of 36 months, after which it will be permanently deleted. In certain cases, upon completion of the process, a request for assessment of the service provided, with an optional reply, will be sent. Accordingly, and if the customer expressly consents, the customer's opinion on the level of satisfaction with the service provided will be stored. This specific registry will not imply the storage of any personal data, but only the level of satisfaction, recorded using a proper pseudonymisation procedure.

2.3. PROZIS contact with the customer

When processing a specific order, there may be a need for PROZIS Customer Service to contact the customer in order to:

i) promote the confirmation or rectification of any of the personal data required to complete the delivery process (e.g. the delivery address). In such cases, contact will be made to the mobile phone number on the customer file. Once the connection has been established, the operator will confirm the caller's identity by following, if necessary, the procedure described in clause 2.2. above.

ii) inform the customer that a message has been sent to his or her mailbox in the customer account as a result of the stockout of one or more items in the order concerned and that, as an alternative to unavailable products, the amount paid back or similar products may be returned, as provided for in the clause 1.4. of the General Conditions of Sale.

iii) request for clarification on the content of any message sent by the customer or regarding conversations already in progress.

In either case, such contact will be followed by a written message confirming the content addressed and / or any fact eventually agreed upon.

2.4. Collection of data via Cookies and/or other Marketing Tools

Cookies are small files stored on a device, such as a computer, a mobile device or any other device that can store information that can be used for one or multiple purposes – e.g. to remember users and their previous interactions with PROZIS and to keep track of items of the shopping cart. Information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address.

2.4.1. Classification and description of the cookies used by PROZIS

Regarding the type:

Essentials – allow you to navigate the site and use its features. Without these cookies, orders cannot be processed.

Non-Essentials, Functionality or Performance - Collect information on how the user uses the site to improve its functionality. They allow you to check which areas are of greatest interest to the customer by measuring the effectiveness of promotional campaigns. In this way, PROZIS can understand which products and promotions are best suited to the client's interests and needs, which will be done through: the elaboration of statistics based on the non-individualized behavior of the client and the consequent use of the site; measuring the effectiveness of advertising campaigns; consequent improvements in navigation, etc., for the sole purpose of improving the site's performance and responsiveness. For this reason, performance cookies provided by authorized third parties are also used for the purposes stated herein.

Analyticals - used anonymously for statistical purposes and for the purpose of improving the functioning of the site without any collection of personal information. They allow you to highlight articles that may be of interest to customers or visitors, monitor site performance, determine the most effective method of linking pages, or even why some pages are receiving error messages.

Regarding validity:

Persistent - stored on the client's computer or equipment between browser sessions to maintain settings or preferences and to improve site usage on the next visit. Some of these cookies are provided by authorized third parties, however, with the following purposes: presentation of campaigns and products - considered to be in the customer's interest; retargeting - advertising of PROZIS products on partner or social network websites without storing personal data or user profiles, thus not assuming the transmission of any personal data to third parties because advertising is entirely anonymous.

Session – limited to each user-initiated session, so they expire each time a browser session is ended. They may be aimed at indicating products previously placed in the shopping cart, identifying problems and ensuring a better browsing experience. Some session cookies may also be a guarantee of enhanced security.

· Cookies used by PROZIS

The cookies remain on the chosen browser only during the session and may also be deactivated if a period of user inactivity is detected.

Regardless of the session length, the user may, at any time, deactivate these cookies by managing the browser settings. In order to verify which cookies are active during each navigation session, the Cookie Declaration made available on the side tab shall be consulted.

2.4.2. Enabling and disabling cookies and similar technologies

Newsletters and other communications may, for statistical purposes, contain information that enables them to know if they are open and to verify clicks through hyperlinks within them. However, the customer is always allowed to refuse to receive the newsletter or email communication through an option specifically provided for this purpose and mentioned therein.

In addition, in the "Help" menu of the browser used, the customer can manage the use of cookies and other similar technologies. As indicated in the message at the top of this page, access to the PROZIS online store presupposes the use of cookies and their deactivation may affect site navigation.

If they so wish and where applicable, the customer may ask for additional information regarding the storage period of the data collected by the cookies provided by PROZIS.

For more information, it is suggested to consult the information provided in each of the browsers or to consult articles with specific information on the subject (e.g.

2.4.3. Individualized communications of product and services promotions

Depending on the customer's choice between standard experience or custom experience, PROZIS may or may not send emails, in the form of notifications or newsletters, within which general or customer-oriented promotional campaigns are conducted. In both cases, such communications shall be received only upon confirmation that the customer has expressly and unambiguously given his consent and that he has been informed of his right to terminate, at any time, the permissions previously granted to such effect. The customer may at any time check which permissions are granted in connection with the processing of personal data in the "Manage Permissions" tab of the Account Data tab.

The processing of personal data carried out within the scope of individualized communications is made in strict compliance with GDPR, whether carried out by PROZIS' employees or by any other company belonging to PROZIS Group, to whom data may be transmitted for the purpose of performing the services necessary to perform the said promotional campaigns.

2.4.4. Redirecting

Some hyperlinks on this site redirect the customer to external websites, partners of PROZIS. By clicking on those hyperlinks, the customer will be leaving the PROZIS website. As no control over these sites is possible, PROZIS cannot be held responsible for any content made available on them. Navigation and use of any platform owned by PROZIS or by any of its partners will mean the acceptance of the conditions of use of the same, according to the specific terms laid down for that purpose.

3 - Secure data processing, lawfulness, fairness and transparency

PROZIS uses one of the most secure online ordering systems and is constantly improving its software in order to offer the safest possible data processing to its customers and ensure their trust. A server certificate, also known as a digital certificate, guarantees our identity, as well as the Secure Sockets Layer (SSL) encryption of transmitted data.

All data of PROZIS’s customers are processed lawfully, fairly and transparently. For this reason, the data subject may always contact PROZIS for any clarification regarding the processing of his/her data, as indicated in point 2.5.1. below.

In that sense, PROZIS also ensures that its employees only have access to this data to the extent deemed absolutely necessary for the performance of their duties. These employees are identified and monitored according to the functions and tasks entrusted to them and within the framework of the contractual relationship established with them.

All data processed by PROZIS, whether directly indicated by the data subject or collected by PROZIS for the sole purpose of executing the contract established between them or for the execution of any functionality requested or to which the customer has access, will be deleted as soon as the purpose that determined the processing ceases to exist. For this reason, the storage of personal data must comply with the principles of data minimisation, purpose limitation and storage limitation, since only the data strictly necessary to comply with the legal and contractual obligation will be collected, which will be stored in an appropriate specific database for the period strictly necessary for these purposes, when the determination of its duration is provided for by special legislation.

4 - Access and Purpose Limitation

PROZIS undertakes to use the personal data of its customers and visitors for the purposes strictly necessary for the pursuit of its activity, with the limitations arising from the scope of the same or the extent of the consent expressly granted by its holder. This also means that the data will not be transmitted to any third party without their knowledge and / or authorization where PROZIS is legally bound to obtain it.

In this sense, PROZIS also ensures the access to such data by its employees to the extent deemed absolutely necessary to carry out the action in question. Those employees are identified and tracked according to the functions and tasks assigned to them and within the framework of the contractual relationship set between them.

All data processed by PROZIS, whether directly indicated by the data subject or collected by PROZIS for the sole purpose of executing the contract set between them or for the execution of any functionality requested or accessed by the customer, will be definitively erased as soon as the purpose which has determined the processing ceases to exist. For this reason, the storage of personal data must comply with the principles of data minimisation, purpose limitation and storage limitation, since only the data strictly necessary to comply with the legal and contractual obligation will be collected, which will be stored in an appropriate specific database for the period strictly necessary for these purposes, where the determination of its duration is provided for by special legislation.

5 - Rights of the data subject

5.1. Right to Information and Access to Personal Data (including the Right to Portability)

At any time, the customer may request information on the personal data stored, both as regards the category of personal data concerned, the origin and recipient(s) of such data, the length of the retention period and the underlying purposes, and as regards the identification of the data controller, the data protection officer and their contacts.

In the event of a manifestly unfounded or excessive exercise of the right to be informed, PROZIS may charge a fee of 100,00 Eur. / hour (one hundred Euros per hour). This amount should be settled within five business days of receipt of payment instructions. The instructions shall be sent in writing to the email address provided by the data subject and / or via SMS to the mobile contact registered in their account or indicated as response to such request.

5.2. Right to Rectification, Erasure and Deletion of Personal Data

If the customer wishes to exercise his right to rectification of his data, he must send his request, identifying the data to be amended and the new wording, by e-mail to [email protected]. The same procedure must be followed if the customer wishes to exercise the right to partial deletion of personal data, which can only be accepted if the data in question are not legally excluded from the scope of that right. In both cases, the customer will receive confirmation, through the same channel used, that his request has been fulfilled as requested.

The right to ('full') deletion of personal data is realised by deactivation of the customer's account, which should preferably be activated by the account holder using the functionality made available for this purpose.

Requests for clarification of the scope and effects of the exercise of these rights must be submitted via the same channel.

5.3. Right to Restriction of processing, to Object and to Withdraw prior consent

In reinforcement of the principle of transparency in the processing of personal data and customer communications, PROZIS allows the customer to, at any time, modify the data processing permissions granted for each of the stated purposes. Through the opt-in and opt-out features made available for the activation and deactivation of the granted permissions, in the tab "Manage Permissions" of the customer's personal account, the customer can modify or revoke the previous consents, namely those given for the purpose of receiving advertising campaigns, newsletters and other individualized communications including profiling, designed for the PROZIS-customer relationship or for the optimization of the custom navigation experience as well as for the data processing by the remaining Group companies or by third parties which are PROZIS' partners for the execution of any of the functionalities that may be made available at the customer's request.

6. Subsidiary application

This text shall govern all the matters regarding the privacy and the data processing done within the framework of the use of the apps and further functionalities, whether accessible through a hyperlink made available by PROZIS on the website, or on any other platform owned by PROZIS. For that reason, it shall be applicable on a subsidiary basis to all the situations which may not be specifically regulated.

7. Privacy Policy changes and contacts

7.1. Any changes to this Privacy and Data Protection Policy will be posted on the PROZIS website.

7.2. Irregularities, non-compliance and any security restrictions on the processing of personal data should be immediately reported to the Data Protection Officer of PROZIS by email sent to [email protected], who will, at the data subject’s request, provide the necessary clarification of the complaint to the Control Authority, if the irregularities are not corrected within 30 days of the date of the complaint.