of users who visit the website of Officina Profumo Farmaceutica di Santa Maria Novella S.p.A.

(pursuant to Article 13 of Regulation 2016/679/EU).

Effective date: 25 May 2018


Pursuant to (EU) Regulation 2016/679 (hereinafter "the Regulation"), this page describes the processing of the personal data of users who visit the website of Officina Profumo Farmaceutica di Santa Maria Novella S.p.A., accessible electronically at the following address:



This privacy policy is provided pursuant to Art. 13 of the Regulation for the sole website of the company Officina Profumo Farmaceutica di Santa Maria Novella S.p.A. and the personal data acquired will be processed in compliance with the principles of the legislation indicated above, i.e. processing will be based on principles of correctness, lawfulness, transparency and protection of your privacy.

This page describes the methods for managing the site in reference to the processing of the personal data of users who consult it.

The privacy policy is provided for the sole website of the company Officina Profumo Farmaceutica di Santa Maria Novella S.p.A. and not for other websites visited by the user via links that are outside the domain of Officina Profumo Farmaceutica di Santa Maria Novella S.p.A. The company Officina Profumo Farmaceutica di Santa Maria Novella S.p.A. does not monitor or control the content of these websites, even if these sites use instruments that collect and process visitors’ personal data. We therefore recommend that you check the privacy policy of each website.



After visiting the site, data relating to identified or identifiable physical persons may be processed.

The Data Controller is Officina Profumo Farmaceutica di Santa Maria Novella S.p.A. (hereinafter the Company) whose registered office is in via della Scala no. 16 - 50123 Florence, VAT No. 00459370482 (email:; Tel.: 055 4368315).



The data collected as a result of browsing and visiting the website will not be disclosed in any way.

They may be the subject of communication to third parties for the purpose of performing operations linked to the order placed by the user-customer on the site and its delivery (for example they may be communicated to our IT consultants for the web platform in order to ensure in particular the sending of email messages that you have chosen to receive or to our partners for shipments, or to banks and credit institutions to manage payments, professionals and consultants for the tax and accounting management of the sales contract).

In addition, personal data will be processed according to the methods and for the purposes set out in this privacy policy by the Controller’s suitably trained employees (e.g. administrative and marketing staff, etc.).

In particular, in relation to the personal data collected and processed via this website, the Data Controller has expressly appointed the company Valori Aziendali S.p.A. as external Data Processor, as supplier of development and maintenance services for the web platform and of development services involving the provision and operational management of the technological platforms used.

The appointment of this Processor is kept at the Controller’s premises and is available to the user concerned upon request to be submitted to the following email address:



The personal data provided by the user when browsing the website are processed by the Controller in accordance with the current regulations on the protection of personal data.

The legal basis for the processing is the provision of its services by the Company, the management and facilitation of the website, as well as the constitution, execution and possible termination of the online sales contract concluded between the parties and the obligations related to the contract and/or directly and/or indirectly arising therefrom.

In particular, the processing of personal data by the Company is aimed at pursuing the following objectives:

1) Subscribing to the Company’s newsletter: in the case where the user decides to subscribe to the newsletter, only as a result of any specific consent, the personal data will be processed by the Data Controller for the sending of commercial or promotional communications, updates relating for example to the latest trends, new arrivals, exclusive offers, special events and promotions.

To unsubscribe from the newsletter, just click on the unsubscribe link shown at the bottom of emails received or write to us at the address

2) Registration on the Company’s website: if the user decides to register on the website, only as a result of any specific consent, their personal data will be processed by the Data Controller for the purposes of registration and to manage the account created by means of registration. In particular, once their first name, last name and email address have been provided for registration and an access password set, they will be processed to create a personal account to expedite the purchase process, to allow the user to view the status of orders and receive updates on purchases, change personal settings and update the account, view their history of returns and goods change requests and save their favourite items in the wish list.

3) Online shopping activities: the personal data supplied by you will be used for the purposes of the establishment, management, implementation and/or conclusion of the online sales contract. The data provided will be processed by the Data Controller only for the purposes of managing the purchase order, completing operations linked to payments made by the customer, the shipment of goods ordered on the site, taking care of any returns, for customer service, the execution of the administrative/accounting/tax purpose related to managing the purchase order, and finally, to fulfil the obligations provided for by the legislation in force. If payment is made by credit card, the information necessary to perform the transaction (credit/debit card number, date and expiry date, security code) will be processed by Intesa Sanpaolo S.p.A. and Mercury Payment Services S.p.A., or possibly by fraud control companies via an encrypted protocol and without third parties being able to access it in any way. This information will, however, never be viewed or saved by the Data Controller.

4) Proposal of promotional offers responding to browsing: only as a result of any explicit consent, can personal data be processed by the Data Controller for preference analysis activities aiming at creating personalised content and offers (see the Privacy Policy below in this regard concerning the Company’s cookies policy). The aim of the processing being carried out by the Data Controller will be to improve and personalise the website and the products, services and activities related to it, precisely by tracking preferences for products purchased from the site, purchase history and interactions with the site itself.



The protection of minors online represents a fundamental element of the Data Controller’s corporate policy. Therefore, the Data Controller does not accept subscriptions, registrations or orders sent by minors under 18 years of age and will not knowingly collect or process the personal data of such persons. By purchasing on the site or by registering, the customer declares that they have reached the age of majority according to the legislation in their country of residence.



The management and storage of personal data acquired will take place in archives or on servers located in Canada owned by the Data Controller and/or third-party companies appointed as External Data Processors. The European Commission, with Decision 2002/2/EC, stated the adequacy of the protection provided by Canadian law on the safeguarding and protection of personal data.



Customer information

For example personal information provided by customers when subscribing to our newsletter (contact details, email address, telephone number, home address if expected to be issued in the newsletter) or during registration to the site to create their personal account (authentication and identification information such as name, address and password); data of any transactions carried out on the site when making online purchases; data provided voluntarily by the user (the optional, explicit and voluntary sending of email to the address indicated on this site involves the subsequent acquisition of the user’s address, necessary to respond to requests, as well as other personal data voluntarily included in the message).

The customer-user is not obliged to provide the afore-mentioned personal data. The provision of personal data by the customer (in particular personal details, email address, postal address, credit/debit card numbers and telephone number) is necessary for us to process the order for the purchase of products on the website for the provision of other services on our website at the request of the customer or to fulfil the obligations provided for by laws or regulations. The refusal by the customer to provide the data necessary to achieve the afore-mentioned aims can make it impossible for us to process the order for the purchase of products for sale on our website or fulfil the obligations provided for by laws or regulations. The provision of personal data may therefore constitute, in some cases, a legitimate reason and justification for failure to process the order for the purchase of the products on sale on the website or failure to provide services on the Website.

Browsing data

In normal operation, the computer systems and software procedures involved in the operation of this website acquire some personal data which are implicitly transmitted when using Internet communication protocols.

This category of data includes the IP addresses or domain names of the computers and terminals used by users, addresses in URI/URL (Uniform Resource Identifier/Locator) notation of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (completed, error, etc.) and other parameters related to the user’s operating system and computer environment.

These data are necessary for the use of the web services; they are also processed to:

  • obtain statistical information on the use of the services (most visited pages, number of visitors per time band or daily, geographical areas of origin, etc.);

  • check the correct operation of the services offered.

Browsing data are not kept for more than 365 days and are immediately deleted after aggregation (subject to any requirement to investigate offences by the judicial authority).



Like virtually all websites, the site also uses some cookies. They now represent fundamental tools as they enable modern sites to operate optimally, allowing maximum personalisation, interaction and fluidity when browsing. Precisely because of these possibilities they can also be used to track customer/user browsing of the site and to send messages that respond to the browsing performed.

For more information on the Data Controller’s policy on the use of cookies please consult the Cookies Policy.



From the site you can use the login functions for connecting to Twitter, Facebook, LinkedIn, YouTube, Instagram and Google+. When you use the connection functions of the social network site you can agree to Officina Profumo Farmaceutica di Santa Maria Novella S.p.A. accessing those aspects and information of your social profile that you have made available to share (based on the settings you have selected in your profile) and their use in accordance with the privacy policy of the social network and this privacy policy. You can withdraw your consent at any time.



The personal data collected on this site are processed with computer storage media and are protected by adequate security measures suitable to ensure their confidentiality and integrity.

The Data Controller attaches great importance to the security of all personal data relating to users of the site and the adoption of safety measures to prevent accidental or illegal destruction, accidental loss, alteration, unauthorised disclosure or access to data represents a fundamental element of the Data Controller’s corporate policy.

However, the Data Controller cannot guarantee users that the security measures adopted for the protection of the site and the transmission of the data and information on the site are able to limit or exclude any risk of unauthorised access or leakage of data by devices belonging to the user. For this reason, it is suggested that users of the site make sure that devices are protected. For example, the user must make sure that their computer has appropriate software to protect them from the network transmission of data (such as an updated antivirus) and that their Internet Provider has adopted appropriate measures for the security of the transmission of data over a network (such as a firewall and anti-spam filters). The Data Controller also undertakes to process the data according to the principles of correctness, lawfulness and transparency, to collect them in so far as is necessary and correct for processing and to only permit their use by personnel for the purpose authorised.

As regards the storage of the customer’s personal data, the Data Controller’s general approach is to retain these data only for as long as necessary to achieve the purposes for which the data were collected. In particular, we store personal data for 36 months from the conclusion date of the relationship with the customer-user or from the last contact with them. In some cases, personal data can be stored for longer periods where necessary to allow the Data Controller to fulfil statutory obligations (e.g. to fulfil mandatory storage for accounting-tax purposes or to prevent tax fraud). Finally, the Data Controller may also keep the personal data of customers-users for longer periods so as to have accurate documentation of negotiations which have taken place, in the case of complaints and/or disputes.

In any case, the Data Controller will take care to avoid the use of data for an indefinite time, regularly and suitably checking whether there is still an interest in the subject they relate to.



Data subjects have the right to obtain the following from the Data Controller, in the cases provided for by Articles 15-22 of the Regulation:

  • access to their personal data

  • the correction of their personal data

  • the deletion of their personal data

  • the limitation of the processing of their personal data

  • objection to the processing of their personal data

  • data portability

To exercise these rights provided for in Articles 15-22 of the Regulation, in the cases provided for in it, you can send an email to this address: You will receive a response within a maximum period of 1 month from the date of receipt of the request. If the issue is extremely complex, you will receive an email indicating the response time when it is more than one month.

Right to complain

Data subjects who consider that the processing of the personal data related to them carried out via this website takes place in breach of the requirements of the Regulation have the right to submit a complaint to the Data Protection Authority, as laid down in Art. 77 of the same Regulation, or to complain to the appropriate courts (Art. 79 of the Regulation).

Right to withdraw consent

The customer has the right to withdraw their consent at any time. For example, if the customer wishes to cancel their subscription for the electronic receipt of marketing/promotional communications, they will be able to edit the settings of their account on the Website or use the “unsubscribe to the newsletter” link provided in our emails or otherwise contact us directly so we can stop sending communications at the following address: You can also edit consent in relation to profiling cookies (see Cookies Policy below).



We may change this Privacy Policy to comply with new requirements imposed by the applicable legislation or technical requirements. The updated information will be published on the Website. As a result of the changes, we will inform the customer of the changes to certain conditions via email to the address specified for registration or for subscription to the newsletter. In addition, we will ask the customer for permission for the afore-mentioned changes, where required by applicable law. We therefore invite the customer to periodically review this page.