Privacy Policy

Data Controller

Epiphany S.r.l. (“Epiphany”), Via degli Ammirati 6 – 73100 Lecce (LE), P.IVA 04145270759 (here in after “Company”).

1. Data processing purposes

1.1 – We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • where we need to perform the contract we are about to enter into or have entered into with you or to form other legal obligations;
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
  • where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us by post or email at the address set out in this Privacy Policy.

1.2 – Contractual purposes: to register you as a new customer, process and fulfil the delivery of any goods/services ordered by you and to manage our relationship with you including your purchase of goods/services from our website

1.3 – Marketing purposes: subject to receiving your express consent or where we are otherwise permitted by law to do so, sending, with automated methods of contact (such as sms, mms and e-mail) and traditional (such as phone calls with operator and traditional mail), promotional and commercial communications relating to services / products offered by the Company or reporting of corporate events, as well as carrying out market studies and statistical analysis.

1.4 – Profiling purposes: analysis of your preferences, habits, behaviors or interests in order to send you personalized commercial communications.

1.5 – Legal Obligations: fulfill obligations under applicable national and international regulations and legislation and to protect our legal rights.

1.6 – Newsletter: if requested by registration with this service.

1.7 – Data Controller rights: if necessary, to ascertain, exercise or defend the rights of the controller in court.

1.8 – Website operations: the computer systems and software procedures used to operate the Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified, but by their very nature could, through processing and association with data held by the Company or third parties, allow users to be identified on the Website.

2. Legal basis for Data Processing

2.1 Contractual purposes: execution of a contract of which you are a part, or for the booking and purchase of products and services of the Website.

2.2 Marketing and profiling purposes: consent (optional and revocable at any time).

2.3 Legal Obligations: fulfill legal obligations.

2.4 Newsletter: execution of a contract of which you are a part, subscribing newsletter service.

2.5 Data Controller rights and Out-of-court debt recovery: legitimate interest.

3. Data retention period

3.1 – Contractual purposes, Legal Obligations and Newsletter: Contractual duration and, after termination, for the ordinary limitation period of 6 years.

3.2 – Marketing and profiling purposes: until the withdrawal of consent for these purposes. Personal data relating to the details of the purchases will only be kept for 24 months.

3.3 – Data Controller rights and Out-of-court debt recovery: in the case of litigation, for the entire duration of the same, up to the exhaustion of the terms of practicability of the appeals.

3.4. Website operations: for the entire duration of the browsing session on the Site. Once the aforementioned retention period has lapsed data will be destroyed or made anonymous compatibly with technical erasure and backup procedures.

4. Personal Data

4.1. Personal data processed for contractual purposes – legal obligations – controller rights – out of court debt recovery. Title, name, surname, social security number, mobile and landline number, country, address, city, post code, email, password.

4.2. Personal data processed for marketing and profiling purposes. Title, name, surname, tax code, mobile and landline number, country, address, city, postal code, email address, password, purchase data made on the Site, data collected from cookies installed by the Site.

4.3. Personal data processed for newsletter: name, surname and email address.

4.4. Personal data processed for website operations. The IP addresses or domain names of the computers used by users connecting to the Website, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (good order, error, etc.), other parameters related to the operating system and the user's computer environment, information relating to user behaviour on the Website, to the pages that have been visited or searched, in order to select and make specific announcements to the user of the Website and the data relating to the browsing behaviour held on the Website using, for example, using cookies.

5. Requirement to provide personal data

The provision of personal data referred to in point 4.1 for the purposes referred to in paragraph 1.1 is mandatory. The refusal to provide the aforementioned personal data does not allow, therefore, the possibility of using the services of the Website relating to sales of products. 

The provision of personal data referred to in point 4.2 for the purposes referred to in points 1.2 and 1.3 is optional and subject to your consent.

Some personal data referred to in point 4.4 are strictly necessary for the operation of the Website, others are used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check its correct functioning and are deleted immediately after processing. In the processing of personal data that can directly or indirectly identify your person, we try to respect a principle of strict necessity. For this reason, we have configured the Website in such a way that the use of personal data is kept to a minimum and in order to limit the processing of personal data that allow identifying it only in case of need or at the request of the authorities and police (as, for example, for data relating to traffic and your stay on the Website or to your IP address) or for ascertaining responsibility in the event of hypothetical computer crimes against the Website.

6. Data recipients

The data can be processed, as well as by the Company, also by

  1. designated employees and collaborators in charge of processing who manage the Company’s physical stores or e-commerce and who can view, modify and update the data entered in the CRM system and in the event of any third party collaborators, we will enter into a suitable data processing agreement with them in order to safeguard the safety of your personal data;
  2. external bodies such as, for example, authorities and supervisory and control bodies and in general subjects, public or private, entitled to request data;
  3. external subjects designated as processor who will be subject to a suitable data processing agreement with us ensuring that any processing carried out is in accordance with UK and EU data protection rules and laws, who are given appropriate operating instructions, included in the following categories:
    • companies that offer e-mail sending services;
    • companies that offer site maintenance and development services;
    • companies that offer support in carrying out market studies.
    • third parties established in the European Union and also outside the European Union, data processor, which the Company relies on in particular for data acquisition and data entry services, shipping, mailing of promotional material, after-sales assistance, research market, management and maintenance of the CRM system and other company information systems.

 7. Parties authorised to process data

Your data may be processed by employees of the Company’s corporate functions appointed for the pursuit of the aforementioned purposes, who have been expressly authorised to process and who have received adequate operating instructions.

 The data referred to in point 4.4 collected during navigation of the Website will be processed by employees, collaborators of the Company or external subjects, as persons in charge of data processing, who perform technical and organizational tasks on the Website.

8. International Transfers

We do not share your personal data with any third party unless you have expressly consented to this. Currently, all personal data is held on servers located in the European Union. Some personal data may be held on servers in the US. This may involve transferring your data outside the European Economic Area (EEA).

Whenever we transfer and/or process your personal data outside of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

- where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe;

- where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to that afforded in the EEA to personal data shared between Europe and the US.

9. Security of data

Your personal data will be processed with automated tools for the time strictly necessary to achieve the purposes for which they were collected and in compliance with the principle of necessity and proportionality, avoiding the processing of personal data when operations can be performed through the use of anonymised data or by other means.

We have adopted specific security measures to prevent the loss of personal data, illicit or incorrect use and unauthorised access, but please do not forget that it is essential for the security of your data that your device is equipped with tools such as antivirus constantly updated and that the provider providing the connection to the Internet guarantees the secure transmission of data through firewalls, anti-spam filters and similar safeguards.

10. Data subjects’ rights – complaint to the supervisory authority

By contacting the Company by e-mail at the e-mail address , you can ask the Company for access to data concerning you, their deletion, correction of inaccurate data, the integration of incomplete data, the limitation of treatment in the cases provided for by art. 18 of the GDPR, as well as the opposition to the treatment in the case of legitimate interest of the Company.

Furthermore, in the case where processing is based on consent or a contract and carried out with automated tools, you have the right to receive the personal data in a structured, commonly used and machine-readable format, and to transmit the data to another data controller without obstruction.

You have the right to revoke the consent given at any time for marketing and / or profiling purposes, as well as to object to the processing of data for marketing purposes, including profiling related to direct marketing. It remains the possibility that he prefers to be contacted for the aforementioned purpose exclusively through traditional methods, to express his opposition only to the receipt of communications through automated methods.

You have the right to lodge a complaint with the competent Supervisory Authority in the Member State where you normally reside or work or of the State in which the alleged violation has occurred.

Cookies: You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Epiphany website may become inaccessible or not function properly.

You have additional legal rights to: 

- request access to your personal data (commonly known as the data subject access request);

- request correction of the personal data that we hold about you;

- request erasure of your personal data in certain circumstances;

- request the restriction of processing of your personal data;

- request the transfer of your personal data to you or to a third party;

- withdraw consent at any time where we are relying on consent to process your personal data.