Privacy & Cookies Policy

Last updated: 17 November 2025

1. Introduction

This Policy explains how Vivaly (“we”, “us”, “our”) processes personal data in accordance with the EU General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and Italian law (D.Lgs. 196/2003, D.Lgs. 70/2003, D.Lgs. 206/2005).
By using www.vivaly.it or contacting us, you acknowledge this Policy.

We process data lawfully, fairly, and transparently; for specified purposes; with data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability (GDPR Art. 5).

2. Data Controller

Vivaly di Kübra Onat
Registered office: Padua (PD), Italy
VAT / P.IVA: 05719410283
Email: info@vivaly.it

We currently do not appoint a DPO, as our activities do not require large-scale monitoring or processing of special categories (GDPR Art. 37).

3. Categories of Personal Data Processed

• Identification & Contact Data: name, surname, email, phone, country/region.

• Communication Data: messages sent via forms, email, WhatsApp, Instagram, Video calls.

• Service & Style Data: item/style preferences, shopping history, size preferences, body measurements (height, clothing or shoe size, proportions) shared voluntarily for personal styling purposes.Body measurements are processed only when voluntarily provided by the client for style consultancy purposes, and are stored securely for a limited time (maximum 12 months after the last service). They are not shared with third parties.

• Technical Data: IP address, browser/device info, cookies and similar technologies (see Section 10).

• Payment Metadata (if applicable): transaction or shipment references (no card data stored by us).

We do not intentionally collect special-category or criminal-record data (GDPR Arts. 9–10).

​​

4. Purposes and Legal Bases

|   |                      Purpose                                     | Data                                            |      Legal Basis                                   | Retention             |

| - | ------------------------------------------------------- | ---------------------------------------- | ------------------------------------------      | ---------------------- |

| 1 | Respond to enquiries                                  | Identification, Communication | Legitimate interest (Art. 6(1)(f))        |    24 months         |

| 2 | Provide consultancy & shopping services | Identification, Service                | Contract performance (Art. 6(1)(b)) | 10 years                |

| 3 | Accounting & tax compliance                    | Identification, Transaction         | Legal obligation (Art. 6(1)(c))            |  10 years              |

| 4 | Operational updates                                   | Identification, Communication | Legitimate interest (Art. 6(1)(f))         | 24 months           |

| 5 | Marketing emails                                         | Identification, Contact               | Consent (Art. 6(1)(a))                          | Until withdrawal |

| 6 | Security & analytics                                     | Technical data                             | Legitimate interest (Art. 6(1)(f))         | see Section 10    |

5. Data Sources

We collect data directly from you or automatically through website usage (cookies, analytics). We never purchase or rent data.

6. Recipients and Processors

Data may be shared only with:

• Hosting platform: Wix.com Ltd. (EU-based servers)

• Professional advisors: accountant, IT support

• Operational partners: payment and shipping providers when necessary

• Authorities: where required by law

All are bound by confidentiality and data-protection obligations. No data is sold.

7. International Transfers

If any provider operates outside the EU/EEA, we use appropriate safeguards (Standard Contractual Clauses under Arts. 44–49 GDPR).
For clients outside the EU (e.g., Türkiye), cross-border data flows occur only as needed to respond to requests (Art. 49(1)(b)).

8. Your Rights

You may at any time request: access, rectification, erasure, restriction, portability, objection, or withdraw consent (GDPR Arts. 15–22).

To exercise your rights: email info@vivaly.it.
We respond within one month (Art. 12(3)).
You may also complain to the Garante per la Protezione dei Dati Personali (Italy).

9. Security Measures

We apply technical and organizational protections (GDPR Art. 32): SSL encryption, limited access, data minimization, secure storage, and continuous monitoring.Personal data such as style preferences or body measurements are stored in secure, access-controlled systems and are deleted after the service period unless the client requests continued storage for future consultations.

10. Cookies and Tracking Technologies

10.1 What Cookies Are

Cookies are small files stored on your device to improve site functionality and analytics.

10.2 Types of Cookies Used

| Type                       | Purpose                                                      |      Legal Basis         | Duration            l

| ------------------        | ----------------------------------------------------  | ------------------------ |---------------------   |

| Strictly Necessary | Enable basic navigation and security      | Legitimate interest |   Session              |

| Preferences           | Remember language or region               | Consent                   |  6–12 months      |

| Analytics                | Measure usage (Google/Wix Analytics) | Consent                   | 13 months           |

| Marketing              | Personalized ads (only if accepted)        | Consent                   |Up to 13 months |

10.3 Managing Cookies

When you first visit our site, a banner lets you accept, reject, or customize cookies.
You can later adjust choices via the “Cookie Settings” link or browser preferences.

10.4 Third-Party Cookies

External providers (Google, Meta, Wix) may place cookies. Refer to their own policies:

• Google Analytics: https://policies.google.com/privacy

• Meta (Instagram): https://privacycenter.instagram.com/

• Wix: https://www.wix.com/about/privacy

11. Children’s Data

Our services target adults. If we learn that a minor has submitted data, we delete it immediately.

12. Third-Party Links

We may link to external sites (Instagram, WhatsApp). Their privacy practices are their own; review them before sharing data.

13. Retention Periods

• Enquiries: 24 months

• Contracts & invoices: 10 years

• Marketing consent: until withdrawn

• Cookies/analytics: per Section 10

After expiry, data are deleted or anonymized.

14. Marketing Communication

We send updates only with your explicit consent (GDPR Arts. 6(1)(a), 7). You can unsubscribe any time.

15. Automated Decisions and Profiling

We do not perform automated decision-making that produces legal effects (GDPR Art. 22).

16. Updates

This Policy may change due to legal or technical reasons. The latest version is always on this page.

17. Contact

Vivaly di Kübra Onat
📍 Padua (PD), Italy
🌐 www.vivaly.it
📧 info@vivaly.it

Plain-language note:
We collect only what we need, keep it for the necessary time, and protect it with industry standards. If anything is unclear, write to info@vivaly.it — we will answer honestly.