Privacy Policy

for the use of the Platform

This information on the processing of personal data (the “Privacy Policy”) is prepared pursuant to Articles. 13 and 14 of European Regulation 2016/679 (the “GDPR”) and international, European and Italian laws – including Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 – concerning the processing of personal data, in each case to the extent that they are applicable from time to time, together with their respective modifications and additions (collectively, together with the GDPR, below, also the “Privacy Policy”).

This Privacy Policy applies only to the WeWear APP (hereinafter, the “Platform”), and with reference to the Services accessible from the Platform, as better identified in the General Conditions available here. Therefore, it does not apply to any other website or application that may be consulted by the user through a link from the Platform.
All terms indicated with a capital letter in this Privacy Policy and not defined herein have the meaning attributed to them in the General Conditions.

1. Data Controller
The data controller is We Wear S.r.l., with registered office in 20129 Milan, Corso Plebisciti n. 15, Tax Code and VAT 10337690969 (“We Wear” and also the “Data Controller”). The Data Controller can be contacted at the following email address info@we-wear.biz

2. Type of personal data to be processed (“Personal Data”)
a) Registration on the Platform for the creation of an Account
To process registration on the Platform and create an Account, necessary to access all the Services, We Wear asks the user to provide the following Personal Data:
i. e-mail address.

b) Creation of the Avatar
To process the creation of the Avatar, We Wear asks the User to provide the following personal data:
i. Anthropometric data (acquired by body scanning through a scanning booth and / or the acquisition of two photographs and / or the manual entry of some body data);
ii. Year of birth
iii. Body shape
iv. Height
v. Weight

c) Other Personal Data
As part of the provision of the Services, among the Personal Data collected by We Wear, independently or through third parties, there are also:
i. data on the use of the Platform;
ii. memory permissions;
iii. password;
iv. information on malfunctions of the Platform;
v. information on the device used to connect to the Platform.

3. Purpose of the processing
In general, Personal Data is collected to allow the Data Controller to provide the Services, comply with legal obligations, respond to enforcement requests, protect its rights and interests (or those of other users or third parties), detect any malicious or fraudulent activity, as well as for the following purposes:
i. registration of the user to the Platform and creation of an Account for the purpose of accessing the Services;
ii. creation of the Avatar by transforming the body image acquired by scanning into a point cloud and/or two photographs; and its preservation in the We Wear scanning repository;
iii. allow the User to verify the status of the authorizations granted to Sellers through the Platform;
iv. respond to requests for assistance or information from the User; and
v. fulfillment of legislative or regulatory obligations (e.g. of a fiscal nature).

4. Legal basis of processing
We Wear will process the user’s Personal Data in compliance with the provisions of the Privacy Law by virtue of the following legal bases:
i. as the Personal Data are necessary for the execution of the Services requested by the user through the Platform; and/or
ii. if the User has given his consent for one or more specific purposes; and/or
iii. as the Personal Data are necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the Data Controller; and/or iv. the processing is necessary for the
pursuit of the legitimate interest of the Data Controller or third parties; and/or
v.ai for the purposes of fulfilling legal obligations to which the Data Controller is subject.
In any case, it is always possible to request the Data Controller to clarify the concrete legal basis of each treatment and in particular to specify whether the processing (i) takes place on the basis of the provisions of the Privacy Law and / or other applicable laws and regulations, (ii) is provided for by a contract or necessary to conclude a contract.

5. Consequences of failure to communicate Personal Data

Failure to communicate Personal Data in the manner specified in this Privacy Policy will prevent the Data Controller from identifying and registering the User on the Platform, making it impossible to provide the Services.
Furthermore, please consider that the revocation of one or more permissions and / or consents to third parties and / or Sellers may have consequences on the correct functioning and / or on the ability to provide the Services.

6. Data retention
Personal Data, processed for the purposes indicated above, will be kept for the entire period of use of the Services and for a period not exceeding 14 days from the date of cancellation of the User from the Platform (for the purpose of processing the related request) and, subsequently, for the period of time in which the Data Controller is subject to retention obligations for tax purposes or for other intended purposes by current legislation.
At the end of the retention period, Personal Data will be deleted. Therefore, at the end of this term, the User will no longer be able to exercise the rights of access, cancellation, rectification and the right to the portability of Personal Data.
Personal Data will be stored by means of computer archives, including portable devices, adopting appropriate measures to guarantee security and limit access only to personnel authorized by the Data Controller and within the strict scope of the purposes indicated above.

7. Communication of data to third parties
Personal Data may be disclosed to the following third parties:
i. Sellers;
ii. consultants, suppliers, accountants or lawyers who provide functional services or services related to the execution of the Services;
iii. judicial or administrative authorities, for the fulfillment of legal obligations.

8. Methods of processing Personal Data
The Data Controller adopts appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of Personal Data.
The processing is carried out using IT and / or telematic tools, with organizational and technological methods strictly related to the purposes indicated. In addition to the Data Controller, in some cases, other subjects involved in the organization of We Wear (administrative, commercial, marketing, legal, system administrators) or external parties (such as third-party technical service providers, hosting providers, IT companies, communication agencies) appointed, if necessary, data processors by We Wear pursuant to the Privacy Law, may have access to Personal Data. The updated list of Data Processors can always be requested from the Data Controller.

9. Place of processing of Personal Data and non-EU countries
Personal Data will be processed and stored on servers located in the territory of the European Union.
Where required for the provision of the Services, such data may possibly be processed in countries outside the European Union, provided that an adequate level of protection is guaranteed, recognized by a specific adequacy decision of the European Commission. Any transfers of Personal Data to non-EU countries, in the absence of an adequacy decision by the European Commission, will take place exclusively on the basis of the terms and conditions established in ad hoc contractual clauses stipulated between the data exporter and importer of Personal Data (“CCS”), in accordance with European Commission Decision 2010/87/EU of 5 February 2010 (“Decision”). The user may at any time request a copy of the CCS in force from time to time by sending a specific request to the following e-mail address: info@we-wear.biz.
In the absence of adequacy decisions by the European Commission or the appropriate measures described above, the transfer of Personal Data to non-EU countries will take place exclusively with the express consent of the user or in the manner otherwise permitted by the Privacy Law.

10. Rights of the interested party
Among the rights granted to the User by the GDPR are those of:
i. request and obtain from the Data Controller access to Personal Data;
ii. request and obtain from the Data Controller the correction of inaccurate Personal Data or the integration of incomplete Personal Data in the terms and conditions referred to in art. 16 of the GDPR;
iii. request and obtain from the Data Controller the cancellation of Personal Data, upon the occurrence of one of the conditions indicated in art. 17, paragraph 1 of the GDPR and in compliance with the exceptions provided for in paragraph 3 of the same article;
iv. request and obtain from the Data Controller the limitation of the processing of Personal Data under the terms and conditions referred to in art. 18, paragraph 1 of the GDPR;
v. request and obtain from the Data Controller Personal Data in a structured and machine-readable format, also in order to communicate such data to another data controller (so-called right to the portability of personal data) under the terms and conditions referred to in art. 20 of the GDPR;
vi. oppose at any time the processing of Personal Data under the terms and conditions referred to in art. 21 of the GDPR;
vii. lodge a complaint with the Guarantor Authority for the protection of personal data (www.garanteprivacy.it) or other supervisory authority, if competent.

11. How to exercise your rights
In order to exercise the aforementioned rights, the user can direct a request to the contact details of the Data Controller indicated in this Privacy Policy. Requests are submitted free of charge and processed by the Data Controller as soon as possible, in any case within 30 days.

12. Data Processors
The updated list of data processors is kept at the headquarters of the Data Controller and the user can request it at any time by submitting a request to the contact details of the Data Controller indicated in this Privacy Policy.

13. Changes to the Privacy Policy
The Data Controller reserves the right to make changes to this Privacy Policy at any time by sending you a notification through the Platform and, if technically and legally possible, by sending the user a notification through one of the contact details held by We Wear. Therefore, please consult this page with constant frequency, referring to the date of last modification indicated at the end of the same.
If the changes affect the processing of Personal Data whose legal basis is consent, the Data Controller will collect the user’s consent again, if necessary.
Last update 16.03.2023