Privacy Policy - Loyalty Program
This notice describes how Tristate International S.A. (hereafter "Company" or "we" or "us" or "our") as data controller processes the personal data in relation to the registration and participation in "The Brotherhood" programme (hereinafter the "Programme"). For more information on how the Programme works, please refer to the Terms and Conditions of the Programme.
Types of data processed: The registration and participation in the Programme entails the processing of data included in your personal account, namely your identification data (full name, date of birth) and your contact data (phone number, email address and residential address). We also process data related to your purchases, namely date, amount, details of the products purchased and possible return of products, as well as the information related to your status and point balance.
Purposes of processing: We process your data for the following purposes; for each of them we indicate the types of data processed and the legal bases legitimizing our processing activity:
· Programme Registration: we process your identification and contact data included in your personal account, as well as the manifestation of your will to sign up to the Programme for the purpose of allowing your registration to the Programme. Your date of birth is also processed to ensure that the Programme members are of legal age as well as to enable your receipt of the Birthday Gifts, as described in the Programme Terms and Conditions. The above data are processed to comply with the contractual obligations we have with you according to Art. 6 (1) lit. b GDPR.
· Programme Management: your identifying data, together with data relating to the purchases made as well as any returns, or data relating to your status and points balance are processed for the purposes of managing your participation in the Programme and awarding you with the relevant benefits. All details of your status as a Programme Member are also stored and available in your account on the Site. The above data are processed to comply with the contractual obligations we have with you according to Art. 6 (1) lit. b GDPR.
Nature of the provision: The provision of personal data is necessary for the purposes of registering to and managing the Programme, in fact, without such personal data, it would not be possible to proceed with your registration or management of your participation as well as the allocation of the benefits.
Method of processing: The processing of your data may be carried out both manually and electronically, in accordance with the logics and procedures necessary for the protection and security of your data.
Disclosure and access: Your data may be accessed by our personnel authorized to process your data and by our service providers for the above purposes, who will act as data processors, duly appointed and instructed on the basis of an ad hoc agreement, such as providers of hosting services. Your data will also be accessed by other companies of our group of companies, that manage the physical shops where the Programme is active; said companies have been duly appointed as our data processors and act on the basis of our instructions. Your data may also be disclosed to third parties when required by applicable laws or regulations, for instance, in case of requests from competent authorities, as well as in case of extraordinary transactions concerning the Companies (in which case recipients could be for example legal counsel or external consultants). If the recipients of your data are established outside the EU or UK, in countries without an adequate level of personal data protection, the data controller will take all necessary measures to ensure that the transfer of data outside the EU or UK is adequately safeguarded as required by applicable privacy legislation. As of today, no transfer of data outside of the EU, UK or Switzerland is performed.
Storage: Your data will be stored for as long as strictly necessary to pursue the processing purposes mentioned above, including the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements, in compliance with the GDPR and UK GDPR (as applicable). In particular, with respect to the Programme registration and management purposes, your data will be retained for the duration of the Programme and as long as your account remains active, unless you request erasure of data. In Germany, statutory retention periods which can result from, e.g. commercial and tax law (such as the German Commercial Code (Handelsgesetzbuch, "HGB") or the German Fiscal Code (Abgabenordnung, "AO") are generally between 6 and 10 years (e.g. for contracts, notifications and business letters).
Your rights: You may contact Tristate International S.A., using the contact details mentioned below, to exercise your rights as provided for under Article 15 and following of the GDPR or UK GDPR or the Swiss Federal Act on Data Protection (as applicable) at any time, i.e. (depending on the applicable law) access your personal data and verify its origin and accuracy. You may request the integration of incomplete data and the amendment or update of inaccurate data. You may request the deletion of your data and the portability of your data and define the fate of your data after your death. You may also request the restriction of processing and object to the processing of your personal data, as well as withdraw any consent you may have given. You may also lodge a complaint with the competent supervisory authority and contact the authority if the exercise of your rights is delayed, restricted or excluded by the data controller according to the law.
Data controller and contact details: The data controller is Tristate International S.A. with registered office at Via Canova 9 - Lugano, Switzerland, email: privacy@eu.tristateww.com.