Privacy Notice
This notice describes how C. & S. S.r.l. processes the personal data of users and customers who visit and use the website www.haikure.com (the "Website"), purchase Haikure-branded products, create an account, subscribe to the newsletter, contact customer care or interact with the digital services made available through the Website.
This notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and the applicable national legislation on the protection of personal data, including Italian Legislative Decree No. 196/2003, as amended by Italian Legislative Decree No. 101/2018 (the "Italian Privacy Code").
1. Who this notice applies to
This notice applies in particular to:
- users browsing the Website;
- customers purchasing products through the Website;
- registered users or holders of a customer account;
- persons contacting customer care or submitting requests for assistance, returns, withdrawal or warranty;
- users subscribing to the newsletter or receiving commercial communications;
- users interacting with marketing, analytics, advertising tools, pixels or other tracking tools active on the Website.
2. Personal data we collect
Depending on how you interact with the Website, we may process the following categories of personal data:
Identification and contact data — first name, last name, address, e-mail, telephone number, country, city, postal code, shipping and billing address.
Order-related data — products purchased, size, model, quantity, price, order history, returns, exchanges, withdrawal, complaints, warranty and order-related communications.
Payment data — payment method used, transaction outcome, transaction identifiers and data necessary to manage the payment. We do not store complete payment card data; this is handled directly by the payment providers.
Account data — credentials, order history, preferences and information entered in the personal area, where available.
Customer care data — content of requests sent via e-mail, Website, returns portal, social media or other channels, including any photographs or documents submitted in connection with complaints, defects or lack of conformity.
Technical and browsing data — IP address, online identifiers, browser, operating system, device, pages visited, date and time of visit, interactions with the Website, e-commerce events, data collected through cookies, pixels and similar tools.
Marketing and newsletter data — e-mail address, consent preferences, interactions with communications, openings, clicks, product preferences or audience segments.
Anti-fraud and security data — information necessary to prevent abuse, fraud, chargebacks, unauthorised access or improper use of the Website and payment services.
We do not intend to collect special categories of personal data within the meaning of Article 9 GDPR through the Website. You are asked not to transmit sensitive or health-related data, or other data that are not relevant to the purposes described in this notice.
3. Source of the data
Personal data are collected directly from you — for example when you place an order, create an account, subscribe to the newsletter or contact customer care. Certain data are collected automatically through the Website, Shopify, cookies, pixels, analytics, advertising tools and similar technologies. Additional data may be received from providers involved in the management of orders, payments, shipments, returns, security or marketing, to the extent necessary for the relevant purposes.
4. Purposes of processing and legal bases
Technical browsing and functioning of the Website
We process technical data, logs, session data and data necessary for cart, checkout, security and technical preferences in order to provide the service and ensure the proper functioning and security of the Website. Consent is not required for technical cookies under applicable legislation.
Creation and management of a customer account
We process identification data, e-mail, credentials, order history and preferences entered in the personal area on the basis of performance of pre-contractual or contractual measures requested by you.
Management of orders and performance of the sale contract
We process identification data, contact details, shipping and billing address, order data and order-related communications on the basis of performance of the contract or pre-contractual measures.
Payments and transaction management
We process payment and transaction data on the basis of performance of the contract, compliance with legal obligations and legitimate interest in preventing fraud and disputes.
Shipping, delivery, tracking, returns and exchanges
We process identification data, address, contact details, order number, shipping data and tracking information on the basis of performance of the contract, compliance with legal obligations and legitimate interest in proper logistics and document management.
Withdrawal, complaints, defects, legal guarantee and customer care
We process identification data, contact details, order number, descriptions, photographs and communications submitted by the user on the basis of performance of the contract, compliance with legal obligations and legitimate interest in handling requests and defending rights.
Administrative, tax and accounting obligations
We process identification data, order data, invoices, payments and commercial and tax documentation in compliance with the legal obligations to which we are subject.
Product safety, recalls and product-related communications
We process order and contact data to send communications on safety, defects, recalls or corrective measures on the basis of compliance with legal obligations and legitimate interest in product safety and customer protection.
Prevention of fraud, abuse, chargebacks and Website security
We process technical data, order data, payment data, logs and anti-fraud information on the basis of our legitimate interest in preventing fraud and abuse and compliance with legal obligations where applicable.
Newsletter and commercial communications
We process e-mail address, name, consent preferences and interactions with communications on the basis of your consent, or where applicable the soft spam exemption pursuant to Article 130(4) of the Italian Privacy Code for similar products or services, with the right to object at any time.
Abandoned cart recovery and automated commercial communications
We process e-mail address, cart data, products viewed or added to the cart, online identifiers and interactions on the basis of your consent or, where the conditions are met, the soft spam exemption under Article 130(4) of the Italian Privacy Code for communications relating to products or services similar to those already purchased, with the right to object and unsubscribe at any time.
Analytics and measurement of Website performance
We process technical data, browsing events, pages visited, interactions, IP address and online identifiers, including data collected through Clicky.com, on the basis of user consent for analytics tools that are not strictly technical, or on the basis of legitimate interest or a consent exemption if configured in aggregated and anonymised form within the limits allowed by applicable legislation.
Advertising, retargeting and campaign measurement
We process technical data, cookies, pixels, online identifiers, e-commerce events and interactions with ads, including data collected through Meta Pixel and Google Ads Pixel / Google & YouTube, on the basis of user consent for non-technical cookies, pixels and tracking tools, and where applicable legitimate interest for internal campaign management within the limits permitted.
Establishment, exercise or defence of legal claims
We process data necessary to manage complaints, disputes, chargebacks, litigation and requests from authorities on the basis of our legitimate interest in protecting our rights and compliance with legal obligations where applicable.
5. Nature of the provision of data
The provision of data necessary for technical browsing, account creation, management of orders, payments, shipments, returns, withdrawal and warranty is necessary to use the Website and purchase products. Failure to provide such data may prevent us from providing the requested services or performing the contract.
The provision of data for marketing, newsletter, advertising, retargeting, non-technical analytics and non-necessary cookies is optional. Failure to provide such data or consent does not affect your ability to browse the Website or purchase products, but may prevent the receipt of commercial communications or the personalisation of the user experience and ads.
6. Consent, withdrawal and objection to marketing
Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of the processing carried out before withdrawal. Withdrawal may be exercised through the unsubscribe links included in our communications, through the cookie management panel or by writing to office@haikure.it.
You may object at any time to the processing of your data for direct marketing purposes, including any profiling related to such marketing, by writing to us or using the available opt-out tools.
7. Processing methods and security measures
Personal data are processed by electronic, telematic and, where necessary, manual means, using methods strictly related to the purposes indicated in this notice. We adopt reasonable technical and organisational measures appropriate to the risk in order to protect personal data against loss, unauthorised access, disclosure, alteration or unauthorised destruction.
The Website is hosted and managed through Shopify and connected tools. Certain processing activities may be carried out by external providers, Shopify apps, payment providers, carriers, consultants and technical providers acting, depending on the case, as processors, independent controllers or persons authorised to process personal data.
8. Recipients and categories of recipients
Personal data may be disclosed or made accessible, within the limits necessary for the purposes described above, to the following categories of recipients:
- personnel and collaborators authorised to process personal data, including customer care, administration, sales, marketing, logistics, IT and legal functions;
- e-commerce platform and technological infrastructure, including Shopify and the related account, checkout, cart, newsletter, customer privacy and automation functionalities;
- apps and services installed or connected to the Shopify backend, including Track123, AfterShip Tracking, Sale Discount Wizard, Messaging, Flow and DHL Express Commerce, within the limits of their respective functionalities;
- payment providers and payment intermediaries, including Shopify Payments / Shop Pay, payment card processors, Apple Pay, Google Pay, PayPal, Klarna and any other methods available on the Website;
- carriers, freight forwarders and logistics operators, including DHL, UPS, FedEx, GLS, Mail Boxes Etc. and entities responsible for delivery, tracking, customs management and returns;
- providers of marketing, newsletter, abandoned cart, advertising and retargeting services, including Shopify Email / Shopify newsletter, Meta Platforms, Google and other tools that may be activated;
- providers of analytics and measurement services, including Clicky.com, within the limits of the active configuration;
- IT, hosting, maintenance, security, technical support and Website management providers;
- professional advisers, accountants, auditors, tax, legal and administrative advisers;
- public authorities, administrations, judicial or supervisory authorities, in the cases provided by law or upon lawful request;
- entities connected to the Haikure trademark or corporate structure, only where necessary for administrative, contractual, rights-protection or trademark management purposes and within the limits permitted by applicable legislation.
The updated list of any processors appointed by us may be requested by writing to office@haikure.it.
9. Transfers of data outside the EEA
Certain providers we use, including e-commerce platforms, payment, analytics, marketing, advertising and cloud services, may process personal data in countries located outside the European Economic Area ("EEA"). Depending on the tools and configurations actually in use, this may include Shopify, Meta Platforms, Google, Clicky.com / Roxr Software Ltd., payment providers, cloud providers and other technical or marketing service providers.
Such transfers take place, where applicable, on the basis of an adequacy decision of the European Commission, the EU-U.S. Data Privacy Framework where the provider adheres to it, the standard contractual clauses approved by the European Commission or other safeguards provided under Articles 44 et seq. GDPR.
We verify, as far as reasonably possible, that the providers we use offer adequate safeguards for the protection of personal data. Further information on the applicable safeguards may be requested by writing to office@haikure.it.
10. Retention periods
Personal data are retained for the time necessary to pursue the purposes for which they are collected and, thereafter, for the periods required by law or necessary to protect our rights.
Technical browsing data and security logs
Retained for the time strictly necessary for the functioning and security of the Website, without prejudice to further retention where necessary to ascertain abuse, fraud or security incidents.
Customer account data
Retained for the duration of the account and until its deletion. Data relating to orders, invoices and legal obligations may be retained for the periods indicated below.
Orders, payments, deliveries, returns and withdrawal
Retained for the time necessary to manage the order and thereafter up to 10 years for administrative, accounting, tax and rights-protection purposes.
Tax data, invoices and accounting documentation
Retained for 10 years or for such other period as is required by applicable tax and accounting legislation.
Customer care, complaints, defects and warranty
Retained for the time necessary to handle the request and thereafter for the period necessary to protect rights, generally up to 10 years from closure of the case, except in the event of litigation or specific obligations.
Newsletter and e-mail marketing data
Retained until withdrawal of consent or objection. Evidence of consent or objection may be retained for the period necessary to demonstrate compliance with applicable legislation.
Abandoned carts and automated marketing communications
Retained for the period strictly necessary for the configured campaign or automation and in any case until consent is withdrawn or an objection is made, unless a different technical configuration applies.
Analytics, advertising, retargeting and pixel data
Retained according to the durations indicated in the Cookie Policy and / or in the consent management panel.
Anti-fraud and security data
Retained for the time necessary for checks and for the prevention of fraud, abuse or chargebacks; in the event of disputes, for the time necessary to defend rights.
Product safety and recalls
Retained for the time necessary to manage product safety obligations, recalls, notices and corrective measures, within the limits permitted by applicable legislation.
11. Your rights
Within the limits and under the conditions provided by the GDPR, you may exercise the following rights:
- right of access to your personal data;
- right to rectification of inaccurate data or completion of incomplete data;
- right to erasure of data in the cases provided by law;
- right to restriction of processing;
- right to data portability, where applicable;
- right to object to processing based on legitimate interest and to direct marketing;
- right to withdraw consent at any time, where processing is based on consent;
- right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, in the cases provided by Article 22 GDPR.
Requests may be sent to office@haikure.it. We will respond within the time limits set by applicable legislation. Before responding, we may ask for information necessary to verify your identity.
12. Complaint to the supervisory authority
If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) or with the supervisory authority competent in the Member State where you habitually reside, work or where the alleged infringement occurred.
13. Profiling and automated decisions
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.
The Website may use advertising, retargeting, audience, conversion tracking and analytics tools, such as Meta Pixel, Google Ads Pixel / Google & YouTube and Clicky.com, which may involve segmentation, measurement and ad personalisation activities based on your interactions with the Website. Such processing is carried out within the limits of the technical configuration adopted and, where required under applicable law, is managed through Shopify Customer Privacy — the automated Shopify-managed consent framework used by the Website — and through the preferences expressed by you via the cookie banner or preferences panel.
14. Minors
The Website and online sales services are not specifically intended for minors. Minor users should use the Website and purchase products only with the involvement of a parent or guardian. We do not knowingly collect personal data of minors for marketing purposes without the legal prerequisites required by applicable legislation.
15. Updates to this notice
We may update this notice to reflect regulatory, technical, organisational or commercial changes. The updated version will be published on the Website. In the event of significant changes, we may adopt further reasonable information measures.
16. Data controller details
The data controller is C. & S. S.r.l.
Registered office: Voc. Banchetti 21, Loc. Verna, 06019 Umbertide (PG), Italy
Tax code and VAT No.: 00715380549
REA: PG-133326
Share capital: Euro 780,000.00 fully paid-up
Certified e-mail (PEC): csjeans@pec.it
Privacy contact and customer care: office@haikure.it