Privacy Policy
Information notice pursuant to and for the purposes of Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)
WHY THIS INFORMATION NOTICE?
Pursuant to Regulation (EU) 2016/679 (hereinafter, the “GDPR”), this page describes the methods of processing of personal data. This information notice is provided pursuant to Article 13 of the GDPR. This information notice shall not be deemed valid for any third-party websites that may be consulted through links available on this website, for which no responsibility is assumed.
Personal data that may be processed:
-Personal data: any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Recitals 26, 27, 30 GDPR).
-Data relating to contracting parties/users.
-Browsing data: the IT systems and software procedures used to operate this website acquire, in the course of their normal operation, certain personal data the transmission of which is implicit in the use of Internet communication protocols. This category of data includes IP addresses or the domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.
-Data voluntarily provided: the optional, explicit and voluntary sending of messages to the contact addresses indicated on this website and/or the completion of data collection forms entails the subsequent acquisition of the sender’s address, necessary in order to reply to requests, as well as any other personal data included therein.
Information regarding the processing of personal data carried out through Social Media platforms
With regard to the processing of personal data carried out by the operators of the Social Media platforms used by the Controller, please refer to the information made available by them through their respective privacy policies. The Controller processes the personal data provided by users through the dedicated pages on Social Media platforms in order to manage interactions with users (comments, public posts, etc.) and in compliance with the applicable laws and regulations.
COOKIES AND OTHER TRACKING SYSTEMS. WHAT ARE THEY? WHAT ARE THEY USED FOR?
For Cookies and other tracking systems, please see the cookie policy available in the footer of the website and at the following link.
1. WHO IS THE DATA CONTROLLER? HOW CAN IT BE CONTACTED?
The Data Controller is Legami S.p.A. Società Benefit, with registered office at Via Stezzano no. 18 - 24052 Azzano San Paolo (BG), in the person of its pro tempore Legal Representative, who may be contacted by e-mail at: privacy@legami.com
HAS A DATA PROTECTION OFFICER BEEN APPOINTED? WHAT ARE THE CONTACT DETAILS?
Legami S.p.A. Società Benefit has appointed its own Data Protection Officer (DPO) pursuant to Articles 37, 38 and 39 of the GDPR. The DPO may be contacted at the registered office of the Controller indicated above and by e-mail at: dpo@legami.com.
2. PURPOSES OF THE PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD, NATURE OF THE PROVISION OF DATA
BROWSING OF THIS WEBSITE:
The data necessary for the use of the web services are also processed for the purpose of obtaining statistical information on the use of the services (most visited pages, number of visitors by time slot or daily basis, geographical areas of origin, etc.) and monitoring the proper functioning of the services offered.
LEGAL BASIS: The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, taking into account the reasonable expectations of the data subject and the activities strictly necessary for the functioning of the website and browsing itself (Article 6(1)(f) and Recital 47 of the GDPR).
DATA RETENTION PERIOD: Browsing data shall be retained for the duration of the browsing session.
NATURE OF THE PROVISION OF DATA: The provision of data is necessary for browsing the website.
USE OF COOKIES AND EQUIVALENT TECHNOLOGIES
Please see the cookie policy in the footer of the website.
LEGAL BASIS: For non-technical cookies and equivalent technologies that are necessary, the processing is based on consent to the processing of personal data (Article 6(1)(a) and Recitals 42, 43 of the GDPR). Consent is given through the banner and the cookie policy of the website. For technical cookies, the processing is based on legitimate interest (Article 6(1)(f) and Recital 47 of the GDPR).
DATA RETENTION PERIOD: Please see the cookie policy in the footer of the website.
NATURE OF THE PROVISION OF DATA: Please see the cookie policy in the footer of the website.
In addition to browsing, personal data shall be processed for the following purposes:
A) CONTACTS, sending contact requests and information requests.
LEGAL BASIS: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Article 6(1)(b) of the GDPR.
DATA RETENTION PERIOD: 12 months
NATURE OF THE PROVISION OF DATA: the provision of data is necessary. Failure to provide the necessary data will make it impossible to contact you and provide information.
B) RESPONSE TO CONTACT REQUESTS FROM END CUSTOMERS OF ANY CHANNEL REGARDING AFTER-SALES MATTERS
(by way of example only: requests concerning returns, non-compliant products, withdrawals).
LEGAL BASIS: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Article 6(1)(b) of the GDPR.
DATA RETENTION PERIOD: 10 years from termination of the contractual relationship.
NATURE OF THE PROVISION OF DATA: the provision of data is necessary. Failure to provide the necessary data will make it impossible to receive a response regarding the existing relationship.
C) FULFILMENT OF CONTRACTUAL OBLIGATIONS AND ADMINISTRATIVE-ACCOUNTING PURPOSES relating to the purchase, whether made through the “guest checkout” section or through a registered account. For the purpose of the proper management of the purchase, the Controller may contact you by e-mail or by means of instant messaging services solely in order to communicate information connected with the order placed. It is further specified that the Controller may request your e-mail address in order to send you the digital receipt.
LEGAL BASIS: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Article 6(1)(b) of the GDPR.
DATA RETENTION PERIOD: the data shall be retained for 10 years from completion of the commercial transaction.
NATURE OF THE PROVISION OF DATA: the provision of data is necessary in order to allow the user to complete the purchase order and subsequently proceed with payment.
D) CUSTOMER AREA – Registration and access to the reserved area.
LEGAL BASIS: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Article 6(1)(b) of the GDPR.
DATA RETENTION PERIOD: until termination of the contract and for the technical time necessary to disable the credentials.
NATURE OF THE PROVISION OF DATA: the provision of data is necessary. Failure to provide the necessary data will make it impossible to access the reserved area and to complete any purchases as a registered user.
E) DIRECT MARKETING for the sending of advertising material or direct selling material, or for the carrying out of market research, commercial and promotional communications, statistical analyses and newsletters, by automated means (electronic mail).
DATA RETENTION PERIOD: until withdrawal of consent (or opt-out).
NATURE OF THE PROVISION OF DATA: the provision of data is optional. Failure to provide the necessary data will make it impossible to receive direct marketing communications.
F) PROFILING: analysis of the user’s preferences, such as the products viewed and placed in the shopping cart, purchasing habits, where available, and interests (wishlist), in order to send targeted promotional communications, as well as disclosure of data to third-party social media platforms in order to offer targeted advertising based on the user’s interests, behaviour and purchases.
LEGAL BASIS: the processing is based on consent to the processing of personal data (Recitals 42 and 43). Article 6(1)(a) of the GDPR.
DATA RETENTION PERIOD: profiling activities are carried out on purchase data and products viewed during the previous 12 months, without prejudice to prior withdrawal of consent.
NATURE OF THE PROVISION OF DATA: the provision of data is optional. Failure to provide the necessary data will make it impossible to carry out analyses and send targeted communications.
G) RE-CONTACT BY E-MAIL following the availability of the product in which the user has expressed an interest.
LEGAL BASIS: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Article 6(1)(b) of the GDPR.
DATA RETENTION PERIOD: until the product in which the user has expressed an interest becomes available / is made available again.
NATURE OF THE PROVISION OF DATA: the provision of data is necessary. Failure to provide the necessary data will make it impossible to contact you and provide information.
H) PUBLICATION OF REVIEWS: to allow the user to submit a review regarding his/her purchasing experience, as well as to contact the user in order to interview him/her regarding his/her purchasing experience with the Controller. It is specified that the review will be published anonymously and that consent will only allow Legami to send you communications asking you to evaluate the experience and the product as described above.
LEGAL BASIS: the processing is based on consent to the processing of personal data (Recitals 42 and 43). Article 6(1)(a) of the GDPR.
DATA RETENTION PERIOD: for the time necessary to send the review request e-mail.
NATURE OF THE PROVISION OF DATA: the provision of data is optional. Failure to provide the necessary data will make it impossible to contact the user in order to request a product review.
I) MANAGEMENT OF YOUR REQUESTS AND REQUESTS OF OTHER DATA SUBJECTS PURSUANT TO ARTICLES 15 ET SEQ. OF THE GDPR
(data subject rights).
LEGAL BASIS: the processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Recital 45). Article 6(1)(c) of the GDPR.
DATA RETENTION PERIOD: 5 years from closure of the request, unless litigation is pending.
NATURE OF THE PROVISION OF DATA: the provision of personal data is mandatory, as it is indispensable in order to comply with legal obligations.
J) VERIFICATION OF PURCHASES MADE BY THE USER in order to ascertain any abusive conduct to the detriment of the Controller.
LEGAL BASIS: the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Recitals 47–50). Article 6(1)(f) of the GDPR.
DATA RETENTION PERIOD: the data shall be retained for the time necessary to verify the purchases made and, in any case, for no longer than 48 hours.
NATURE OF THE PROVISION OF DATA: the provision of data is necessary in order to allow the Controller to carry out the appropriate checks aimed at preventing improper conduct.
K) GIFT CARD – issuance of the gift card and use thereof by the beneficiary. It is specified that this processing purpose applies solely to purchases of gift cards made in Italy.
LEGAL BASIS: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Recital 44). Article 6(1)(b) of the GDPR.
DATA RETENTION PERIOD: the data shall be retained for the entire period of validity of the gift card and, upon its expiry, for the time necessary to delete it. Any personal data of the purchaser shall instead be retained in accordance with purpose C) of this information notice.
NATURE OF THE PROVISION OF DATA: the provision of data is necessary. Failure to provide the necessary data will make it impossible to use the gift card.
L) MANAGEMENT OF UNSOLICITED COMMUNICATIONS FROM INDIVIDUALS including minors (e.g. letters, drawings, messages), and related response by the company, as well as any related administrative and documentary organisation.
LEGAL BASIS: the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Recitals 47–50). Article 6(1)(f) of the GDPR.
DATA RETENTION PERIOD: the data shall be retained for the technical time necessary to process the request in compliance with the company procedures in force and, in any event, no longer than 12 months from receipt of the request, unless the data subject objects.
NATURE OF THE PROVISION OF DATA: the provision of data is necessary. Failure to provide the data will make it impossible for the Controller to receive the communication and, where applicable, respond to the data subject.
3. SOURCE AND CATEGORY OF DATA FROM WHICH THE PERSONAL DATA PROCESSED ORIGINATE
Where the personal data (e-mail address) have not been provided directly by you, they originate from a third party (customer) who purchased a LEGAMI gift card in Italy.
4. TO WHOM WILL THE PERSONAL DATA BE DISCLOSED? RECIPIENTS OF THE DATA
the purposes and methods of the processing. The data shall be disclosed to recipients belonging to the following categories: subjects providing services for the website and communication networks, including electronic mail, hosting and website management; subjects with whom the Controller has entered into agreements and, where required, subject to consent; payment platform providers; shipping and transport companies; for direct marketing and/or profiling, subject to consent, subjects entrusted with the management of the relevant activity; companies for the publication of reviews; subjects providing customer care services; social networking platforms; competent authorities for compliance with legal obligations and/or provisions issued by public bodies, upon request.
The list of data processors pursuant to Article 28 is available by writing to privacy@legami.com or to the other contact details indicated above.
5. WILL THE DATA BE TRANSFERRED TO NON-EEA COUNTRIES?
The data may be transferred to countries outside the EEA and in particular to the United States at the request of Salesforce, a provider offering adequate safeguards, specifically through adherence to the Data Privacy Framework, an adequacy decision that allows data to flow securely from the European Economic Area to participating U.S. undertakings, without the need for additional safeguards for data protection (Article 45 GDPR). In any case, it is specified that any further transfers of personal data to countries located outside the European Economic Area shall be carried out in compliance with the measures laid down by the applicable legislation, ensuring an adequate level of protection for data subjects. In order to obtain information regarding the safeguards relating to the transfer of data outside the EEA, data subjects may write to privacy@legami.com.
6. IS THERE AN AUTOMATED PROCESS?
The personal data shall be subject to traditional manual, electronic and automated processing. It is specified that no fully automated decision-making processes are carried out.
7. WHAT ARE YOUR RIGHTS? HOW CAN YOU EXERCISE THEM?
Data subjects may exercise their rights as set out in Articles 15 et seq. of the GDPR by contacting the Controller at privacy@legami.com or the DPO/RPD at the following e-mail address: dpo@legami.com.
Legami guarantees data subjects the possibility to request, at any time, access to their personal data (Article 15), rectification (Article 16), erasure thereof (Article 17), and restriction of processing (Article 18). Legami shall communicate (Article 19) to each of the recipients to whom the personal data have been disclosed any rectifications or erasures or restrictions of processing carried out. The Controller shall communicate such recipients to data subjects who so request. The Controller guarantees the right to data portability (Article 20) and, in the event of requests pursuant to Article 20, shall provide data subjects with the data in a structured, commonly used and machine-readable format. Data subjects are entitled to object (Article 21), at any time, to processing based on legitimate interest, by writing to the contacts indicated above with the subject line “objection”. Data subjects are entitled to withdraw the consent given, without affecting the lawfulness of processing based on consent before its withdrawal. For the purpose of no longer receiving automated direct marketing communications (electronic mail), data subjects may use the automatic unsubscribe systems (opt-out) provided in the e-mails or by accessing their personal profile. Data subjects are entitled to withdraw consent to profiling (non-automated) through the relevant section in their personal profile or through the systems provided in the e-mails. This is without prejudice to the possibility of writing to the contacts indicated above.
Should data subjects consider that the processing of personal data carried out by the Controller infringes Regulation (EU) 2016/679, they are free to lodge a complaint with the national supervisory authority, in particular in the Member State in which they habitually reside or work, or in the place where the alleged infringement of the Regulation occurred (Italian Data Protection Authority – https://www.garanteprivacy.it/), or to bring proceedings before the competent judicial authorities.
8. AMENDMENTS TO THE INFORMATION NOTICE
The Controller may change, amend, add to or remove any part of this Privacy Policy. In order to facilitate the verification of any changes, the information notice shall indicate the date on which the information notice was updated.
Date of update: 14 April 2026