Privacy Policy

Privacy Policy XERJOFF.COM (pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR))

Xerjoff Group S.p.A. places great importance on the security of users' and data subjects' information. Our goal is to ensure that you always feel protected and fully informed about the data processing activities carried out by our Company.

When the user/data subject visits and interacts with the website www.xerjoff.com, with banners, landing pages or services attributable to the same domain (hereinafter only "website" or "platform"), communicates with us, visits our promotional pages and newsletters in addition to other activities further described in the complete Privacy Policy, we may collect, use, share and process personal information ("personal data"). As an Italian company, Xerjoff Group S.p.A. complies with the European Union's General Data Protection Regulation (GDPR). Additionally, we are committed to adhering to the privacy laws of the countries in which we operate, including:

a) United Kingdom: We comply with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), which govern the protection of personal data in the UK;

b) United States: We comply with the main state and sector-specific data protection laws, such as the California Consumer Privacy Act (CCPA) and similar legislation adopted by other States;

c) United Arab Emirates (UAE): We comply with Federal Decree Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations. We are committed to ensuring the rights of individuals and the lawful, fair, and transparent processing of personal information in the UAE, in accordance with applicable law.

This ongoing commitment to privacy protection ensures that our customers' personal data are processed with the utmost care, security, and in full compliance with applicable international regulations. In particular, pursuant to the General Data Protection Regulation (GDPR - EU Regulation 2016/679), Xerjoff Group S.p.A., as the data controller, provides users/data subjects with the following information.

1. DATA CONTROLLER: IDENTITY AND CONTACT DETAILS

The Data Controller is Xerjoff Group S.p.A., in the person of its acting legal representative.

Xerjoff Group S.p.A. (hereinafter referred to as "Xerjoff") is a company with its registered office at Via Tenivelli 29 - 10024 Moncalieri (TO), Italy, REA Number: TO 106649, Tax Code/VAT Number: 09547650011. The company's operational headquarters is located at Via Torino, 15 - 10044 Pianezza (TO), Italy. The Data Controller can be contacted by writing to the following email address: pec@pec.xerjoff.com or certified mail pec@pec.xerjoff.com or by contacting the telephone number (+39) 011 4143616.

2. DATA PROTECTION OFFICER: IDENTITY AND CONTACT DETAILS

In compliance with Article 37 of EU Regulation 2016/679, Xerjoff Group has appointed Mr./Dr. Federico Capello as its Data Protection Officer. The data protection officer can be contacted by writing to the e-mail address dpo@xerjoff.com or by contacting the telephone number (+39) 011 5534737.

3. CATEGORIES OF PERSONAL DATA PROCESSED

The website offers numerous services for which it is not necessary to register or provide personal data. In order to be able to offer users/data subjects a wide range of services (e.g. the creation of a user account and e-commerce), we need to collect some personal information. The personal data processed by Xerjoff are collected directly from users/data subjects and provided by them voluntarily and freely.

a) Personal data collected automatically

(1) Navigation data collected automatically by the website: the computer systems and software procedures used to operate the website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified users/data subjects, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. These data or part of them (IP addresses, device identifiers, location etc.) may be processed by the Data Controller - subject to specific, preventive, free and optional consent of the user/data subject - in order to track your activity on the website (purchasing habits, interest categories), to process market analysis and statistics also to improve Xerjoff products and services and make them more responsive to the needs of the user/data subject, as well as to send more targeted information and offers that may be of greater satisfaction and interest to the user/data subject. Navigation data can also be collected for the purpose of website security and fraud prevention.

(2) The website uses a technology commonly known as "cookies" to make browsing easier and more intuitive. Cookies are small text files sent by the website to the user’s/data subject’s device (typically to the browser), where they are stored and later transmitted back to the website upon the user’s next visit. By tracking how users navigate the site, cookies provide valuable insights that help enhance the browsing experience, making it more seamless and efficient. Xerjoff utilizes different types of cookies. For more details about the cookies used and how to manage consent for their acceptance or rejection, users/data subjects can refer to the website's Cookie Policy.

b) Personal data provided by the user/data subject:

(3) Registration form (“create an account”): Data to register on the website and be able to make purchases. The data collected on the registration form refers to: name, surname, e-mail address, date of birth.

(4) Website contact forms (“WhatsApp / send an email”): the optional, explicit and voluntary sending of e-mails to the addresses indicated on the website entails the subsequent acquisition of the sender's address, needed in order to respond to requests, as well as any other personal data entered in the e-mail. Even the explicit and voluntary sending of the forms that can be filled in on the website containing data of the data subject involves processing to follow up on the pre-contractual obligations or the execution of the services provided for by sending the forms. This information in the forms may contain personal data, contact details, telephone numbers, e-mail addresses of the data subjects and of identified and identifiable third parties having cause with the user of the website.

(5) Newsletter and Mailing List: The e-mail contacts used to send communications from the website come from voluntary subscriptions by the user/data subject to whom a confirmation request is always submitted, as well as from information acquired in a context for the sale of the data controller’s products or services. This includes the sending of information, promotional communications and material. It is emphasized that contacts are not acquired from public directories of subscribers. If you no longer wish to receive our communications, you can unsubscribe by clicking the link provided in each message or by contacting us using the details below.

(6) E-Commerce, Creation of a Personal Account, and Purchase of Products or Services from the Data Controller: this category includes the processing of data necessary for managing shopping carts and abandoned carts, orders, and any registered user profiles. The data processed may include personal details, addresses, tax and billing information, payment details (such as PayPal, Klarna, Credit Cards, Sofort, Apple Pay, Google Pay, and Bank Wire), purchase history, reports, and notes.

Personal data may also be processed through third-party service providers (e.g., CRM platforms, administrative and accounting services, delivery companies, or couriers) for the administrative management of orders and purchases, the handling of participation in loyalty programs, the preparation of anonymous statistics to analyze purchasing behavior, and the sending of promotional materials regarding products and offers, which may be communicated via email or telephone messages.

(7) Processing of Customer Orders and Customer Service: this involves handling data necessary for managing customer orders, including email addresses used to send transactional emails with purchase information. Additional data processed includes shipping addresses, selected shipping methods, and tracking numbers. Furthermore, we process data related to abandoned carts, such as items left in the cart and associated customer information, to send reminders and facilitate order completion.

(8) Work with us: The data collected by Xerjoff through the sending of curriculum vitae, professional profile evaluation interviews such as name, surname, place and date of birth, social security number, telephone number, postal address, educational qualification and other elements of personal identification, sent in relation to any open positions or spontaneous application, fall into the category of "personal data" pursuant to Article 4, paragraph 1 of the GDPR and will be subject to processing exclusively for the purpose of evaluating the aptitudes and professional skills of the candidates themselves, according to the open position and for which a selection procedure is underway or for future needs to expand the company staff (recruitment or internship).

c) Personal data provided by third parties:

(9) Quick check out: In the case of purchases through the quick check out, the personal, shipping, billing and contact data will be imported directly from PayPal, Apple & Google Pay.

(10) During interaction with the website, certain personal data may be collected through third-party services integrated into the system, including:

Shopify, as the e-commerce platform provider, manages information related to orders, shipping, contact details, and browsing activity, in order to ensure the proper functioning of the website and transactions. Zendesk, used for customer support, receives and uses data voluntarily provided by the user (such as name, email address, and message content) to respond to support requests. Mapp Cloud, used for sending promotional communications and newsletters, processes data such as name, email address, and interactions with messages (e.g., opens, clicks). All the above providers act as Data Processors and ensure appropriate levels of data protection, including in the case of data transfers to third countries, in accordance with the provisions of the GDPR.

4. PURPOSE AND LAWFULNESS OF DATA PROCESSING

The personal data acquired through the website will be processed by the Data Controller for the following purposes:

(1) Enhancing website navigation and usability, ensuring platform security, and collecting aggregated and anonymous statistical information on website usage by users (e.g., number of visitors, pages visited, time spent, keywords, etc.);

(2) Purposes related to website security and fraud prevention;

(3) Purposes strictly related and instrumental to managing relationships with users/data subjects, such as responding to contact requests and/or information inquiries from the user/data subject;

(4) Purposes directly related to the fulfillment and implementation of services requested by the user/data subject, including the execution of a contract to which the data subject is a party or the adoption of pre-contractual measures at their request;

(5) Purposes connected with obligations established by law, as well as by provisions issued by authorities legitimated by the law;

(6) For the assessment, exercise or defense of a right in and out of court (legitimate interest) of the undersigned organization;

(7) Purposes related to the selection of personnel and evaluation of applications in order to establish an employment relationship;

Furthermore, only and exclusively in the presence of specific and free consent of the user/data subject, the Data Controller may process personal data for the following additional purposes functional to the activity in which the data subject has the right to express or deny his consent:

(8) Sending commercial and promotional communications, direct marketing purposes, invitations to events, detecting the degree of customer satisfaction, both through traditional contact methods (i.e. paper mail and telephone calls with an operator) and through automated contact methods (i.e. automated telephone calls and similar methods such as fax, e-mail, SMS, MMS, etc.);

(9) Profiling purposes of user/data subject, data which involve, in addition to the processing of common data referred to in paragraph 3.b.3. above, also the processing of the user's/data subject’s date of birth.

(10) Tracking users’/data subjects’ browsing behavior and purchase choices to enhance marketing offerings, commercial promotions, and customer satisfaction analysis. This activity is also carried out through the use of technologies such as cookies (for more details, please refer to the website's "Cookie Policy" section).

The legal bases that legitimize the processing are:
- the legitimate interest of the data controller (par.4.1, 4.5, 4.6);
- the fulfilment of legal obligations to which the data controller is subject (par. 4.4);
- the execution of a contract to which the user/data subject is a party or the execution of pre-contractual measures adopted at the request of the same (par. 4.2 and 4.3);
- the consent of the data subject (par. 4.7, 4.8, 4.9, 4.10).

The data subject may modify or withdraw, at any time, the consents previously given to the Data Controller by accessing the reserved area of the website www.xerjoff.com, by clicking on the appropriate cookie banner available on the website, by using the dedicated link found at the bottom of each email communication, or by directly contacting the Data Controller or the Data Protection Officer (DPO) using the contact details provided in this notice. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Should the Data Controller intend to process personal data for a purpose other than that for which it was originally collected, the user/data subject will be informed in advance about the new purpose and any other relevant information, in accordance with Article 13(3) of the GDPR.

5. NATURE OF DATA PROCESSING

The provision of personal data is mandatory only for the processing necessary for the provision of services (execution of pre-contractual or contractual measures or processing based on the fulfilment of legal obligations to which the Data Controller is subject). Any refusal for the purpose of providing the service makes it impossible to finalize the purchase of online services in addition to registering and accessing some reserved areas of the website, compromising the completion of contractual agreements or pre-contractual measures requested by the data subject. For all other types of personal data, providing information is optional, and any refusal by the data subject will not have any negative consequences on the provision of services offered through the website.

6. CATEGORIES OF RECIPIENTS

The personal data of users/data subjects will not be disclosed but may be communicated and processed:

a) Within the company, among staff, specifically employees and collaborators involved in activities related to data processing and who have been duly authorized to process such data.

b) By third parties that provide services essential to fulfilling the requests of the user/data subject or to enhance our service delivery. These third parties include, but are not limited to:
1. Hosting platforms: Providers that host our website and manage its functionality, such as Shopify, ensuring accessibility, performance, and security;
2. Financial institutions or credit card issuers: Entities that manage payments for our services;
3. Companies providing tools for order accounting management and electronic invoicing: Service providers that support the recording, accounting processing, and issuance of invoices in compliance with applicable tax regulations;
4. Customer relationship management (CRM) services: Platforms like HubSpot that help us manage interactions with users/data subjects;
5. Marketing service providers: Companies that assist in delivering marketing campaigns and activities;
6. Email and SMS platform providers: Services such as Mapp marketing cloud that facilitate the delivery of marketing communications and interaction with the user;
7. Social media messaging tools: Platforms that enable communication through social media channels;
8. Shipping companies, couriers, logistics firms, and local distributors: Entities responsible for the delivery, distribution, and logistics of products purchased by users/data subjects;
9. Internet service providers and cloud computing companies: Organizations that offer infrastructure and cloud services to support our operations;
10. Zendesk, Inc.: Provider of customer support and service management solutions, used exclusively for handling customer inquiries, assistance requests, and communication management through the website;
11. WhatsApp (Meta Platforms, Inc.): A messaging platform used to enable users to contact customer service and receive assistance quickly and directly;
12. Professional advisors and parties responsible for legal or fiscal audits: These may include, by way of example, accountants, legal advisors, auditing firms, or other external consultants who operate on our behalf in compliance with applicable regulations;
13. Customs agencies, border authorities, and international and local regulatory authorities;
14. Any other recipient whose involvement is necessary for the fulfillment of the requested service or for compliance with legal obligations.

Personal data may also be communicated to entities when necessary to comply with legal obligations or regulations. Where required by law, these parties will be designated as independent Data Controllers (if essential for contract performance) or as Data Processors. Users/data subjects may request a complete list of Data Processors by writing to gdpr@xerjoff.com.

7. DATA TRANSFER

The website is hosted on Shopify (hosting provider); all personal data from customers in the European Economic Area (EEA) is initially processed by Shopify International Limited (Ireland). Personal data will also be stored in electronic format on adequately protected magnetic media stored at the offices of Xerjoff. If for technical and/or operational reasons it is necessary to make use of subjects or companies (e.g. cloud provider or cloud services) located outside the European Union, we hereby inform you that these subjects will be appointed as Data Processors pursuant to and for the purposes of Art. 28 of the Regulation, and the transfer of Personal Data to these subjects, limited to the performance of specific Processing activities, will be regulated in accordance with the provisions of Chapter V of the Regulation. All necessary precautions will therefore be taken in order to ensure the most complete protection of the personal data of the user/data subject. The Company also uses cloud services provided by third-country companies recognized as adequate in terms of confidentiality, integrity and availability of data.

8. DATA PROFILING

Through the website, the Data Controller carries out activities such as analyzing the purchasing habits and consumption choices of users/data subjects, mainly through the processing of the data provided when creating specific user profiles on the website. The information thus obtained allows the Data Controller to create - with the consent of the user/data subject - profiles (individual and/or aggregated), to process market analyses and statistics to also improve their products and services and make them more responsive to the needs of their own customers, as well as to carry out targeted promotional campaigns of greater satisfaction and interest to users/data subjects who have given specific consent. With reference to the newsletters and landing pages sent, the system records the navigation data relating to the opening, reading, views, passages, clicks, areas of interest as well as any further actions relating to each communication sent by preparing historicized profiles of interest and preferences aimed at a greater understanding of the needs of the user/data subject to propose targeted commercial offers and to prepare single and/or aggregate purchase statistical analysis reports. The user/data subject has the possibility to modify or revoke their consent to the processing for profiling purposes by accessing, at any time, their reserved area of the "permission" section of the website, or by sending an email to gdpr@xerjoff.com.

9. DATA RETENTION

The processing of personal data is carried out mainly using electronic procedures and supports (DB, CRM platforms, etc.) for the time strictly necessary to achieve the purposes for which the data were collected and, in any case, in compliance with the principles of lawfulness, fairness, non-excess and pertinence provided for by current privacy legislation and in particular:
- Personal data provided by sending emails to the website’s email address or using the website’s communication systems will be retained for the time necessary to provide a response and for an additional 24 months for customer support purposes;
- The personal data necessary to manage and fulfill orders will be retained for the entire duration of the contractual relationship. Once the relationship has ended, the data will be stored for the period required by tax and civil law. Specifically, fiscal and accounting documents will be kept for 10 years from the date of the last entry, as required by law;
- The data acquired for analysis and profiling purposes will be kept for a maximum of 12 months. The user/data subject has the possibility to revoke his/her consent to the processing for profiling purposes by accessing, at any time, his/her reserved area of the website in the appropriate "permission" section of the website, or by sending an email to gdpr@xerjoff.com.
- Data collected through Zendesk and the WhatsApp module for customer support will be retained for a maximum period of 24 months from the closure of the support request, unless legal protection needs of the Data Controller arise from the management of the ticket or conversation;
- The personal data collected for recruitment purposes, including CVs, unsolicited applications, and cover letters, will be processed for the time necessary to achieve the stated purposes and, in any case, for no longer than 2 years from the date of collection.

10. COOKIES AND SIMILAR TECHNOLOGIES

The IT systems and software procedures used to operate this website collect, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified individuals, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. In addition, this website uses cookies and similar technologies for marketing and profiling purposes, including the analysis of browsing behavior, tracking user activity, and displaying personalized content or advertisements. These technologies are activated only with the user’s explicit consent, which can be managed at any time through the cookie settings panel. The data may also be used to ascertain responsibility in the event of potential cybercrimes against the site. For more details, please refer to the Cookie Policy available on this website.

11. LINKS TO OTHER WEBSITES AND SOCIAL MEDIA

Our website includes links to official company pages on social media platforms such as Facebook, YouTube, Spotify, Instagram, LinkedIn, and TikTok. By clicking on these icons or links, users are redirected to our company profiles on the respective platforms, which operate as independent data controllers. We encourage users to review the privacy policies of each platform to understand how their personal data may be processed:

Facebook – Meta Platforms, Inc.
YouTube – Google LLC
Spotify AB
Instagram – Meta Platforms, Inc.
LinkedIn – Microsoft Corp.
TikTok Technology Limited

Please note that interaction with these platforms occurs outside of our website, and no personal data is shared with these third parties merely by clicking the access links. For details regarding the purposes, types, and methods of personal data collection, processing, use, and storage by the social network platforms, as well as information on how to exercise your rights, please refer to the privacy policy of each respective social network or external platform. The website also integrates the services of Zendesk, provided by Zendesk, Inc., and WhatsApp Web, used exclusively for managing support requests received through the "Contact Us" button available on the site. The WhatsApp module allows users to initiate direct conversations with the Data Controller’s customer service. Through these tools, we may collect data such as name, surname, email address, phone number, and the content of communications sent. Such data is processed solely for pre-sales and post-sales support purposes. For more information on the data processing carried out by Zendesk, you can consult their privacy policy at the following link: Zendesk Privacy Policy. For more details on WhatsApp's data processing practices, please refer to their privacy policy here: WhatsApp Privacy Policy.

12. USER/DATA SUBJECT RIGHTS ON DATA PROCESSING

The user/data subject may exercise at any time the rights established by the applicable Personal Data protection laws, including the right to:
- receive confirmation of the existence of their Personal Data and access their content (access rights);
- update, modify and/or correct their Personal Data (right of rectification);
- request the cancellation or limitation of the processing of data processed in violation of the law, including those that do not need to be kept for the purposes for which the data were collected or otherwise processed (right to be forgotten and right to limitation);
- oppose the processing based on legitimate interest (right of opposition);
- withdraw consent at any time, without affecting the lawfulness of processing carried out based on consent before its withdrawal;
- lodge a complaint with the Supervisory Authority in the event of a violation of the Personal Data Protection Regulations;
- receive a copy of the data in electronic format concerning the user/data subject and request that such data be transmitted to another data controller (right to data portability).

To exercise these rights, you may at any time make a specific request to the Data Controller, by writing to Xerjoff Group S.p.A., Via Torino, 15 - 10044 Pianezza (TO), Italy. The Data Controller can also be contacted by email at gdpr@xerjoff.com, via certified email at pec@pec.xerjoff.com, or by phone at (+39) 011 4143616 (Italy). The user/data subject is encouraged to complete the appropriate application form to exercise their rights before submitting it to the Data Controller and the Data Protection Officer.

13. CHANGES TO THIS PRIVACY POLICY

As our services continually evolve, the nature and scope of personal data processing may change accordingly. Therefore, this Privacy Policy may be updated or modified from time to time to reflect new regulatory requirements or changes to our services. We encourage you to periodically review this Privacy Policy. Whenever possible, we will promptly inform you of any changes made and their implications.

Last update: 12 March 2025