Privacy Policy — Bronzata Beauty

Last updated: 1 May 2026

This Privacy Policy describes how we collect, use, store and protect your personal data when you interact with the website bronzata.com, place an order, activate a subscription, or contact us via email. This document is drafted in accordance with EU Regulation 2016/679 (GDPR), Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Italian Privacy Code), and Directive 2002/58/EC (ePrivacy Directive).


1. Data Controller

Privacy contact email: support@bronzata.com · Website: bronzata.com

1.1 EU Representative (Article 27 GDPR). Bronzata Beauty commits to designating an EU Representative in accordance with Article 27 GDPR where required (Article 27 applies to controllers not established in the EU unless their processing is occasional, does not include large-scale processing of special categories of data and is unlikely to result in a risk to data subjects). Pending formal designation, requests from data subjects residing in the EU may be directed to support@bronzata.com, with response guaranteed within the legal timeframes.


2. Categories of Data Collected

2.1 Data provided by the user. When you create an account, place an order, or contact us, we collect: first and last name, email address, delivery and billing address, telephone number, payment method details (truncated card number, expiry date, cardholder name — the full number is managed by PCI-DSS certified gateways; Bronzata does not access it), tax identification number or VAT number (only if an invoice is requested), preferred product shade, subscription renewal frequency.

2.2 Data collected automatically. During browsing: IP address, browser type, operating system, device, device fingerprint, pages visited, visit duration, referrer, UTM parameters, cookie identifiers (see Cookie Policy), approximate geolocation data (based on IP), access logs and activity.

2.3 Data from third parties. When you interact with our advertisements or social media pages, we may receive from Meta (Facebook, Instagram), TikTok, Google, Pinterest, Klaviyo: advertising identifiers, conversion data, aggregated profiling data (in anonymised or pseudonymised form).

2.4 Data NOT collected. Bronzata does not collect: sensitive health data (except where voluntarily disclosed by the Customer in a support ticket), biometric data, data relating to political, religious or philosophical opinions, data relating to sexual orientation, data of minors under 18 years old.


3. Processing Purposes and Legal Basis

3.1 Contract performance (Article 6(1)(b) GDPR). We process your data to: process orders and payments; manage shipments and tracking; manage subscriptions (renewals, changes, cancellations); provide customer support; handle returns, refunds, warranties; issue invoices when requested.

3.2 Legal obligation (Article 6(1)(c) GDPR). We retain billing and transaction data to comply with tax, accounting, anti-money laundering, and document retention obligations (minimum 10 years in accordance with Italian and US tax legislation).

3.3 Legitimate interest (Article 6(1)(f) GDPR). We process data for: fraud prevention, subscription abuse prevention, fraudulent chargeback prevention (including identity flagging, payment method fingerprinting, ban lists); service and user experience improvement; aggregated traffic analysis (in anonymised or pseudonymised form); Site security and protection against cyber attacks.

3.4 Consent (Article 6(1)(a) GDPR). Only with your explicit consent do we process data for: sending newsletters and email/SMS marketing communications; advertising profiling on Meta, TikTok, Google, Pinterest; analytics and marketing cookies (see Cookie Policy); behavioural profiling for offer personalisation.

3.5 Consent withdrawal. Consent may be withdrawn at any time, without affecting the lawfulness of processing undertaken before withdrawal. Withdrawal is exercised: for newsletters, by clicking "unsubscribe" at the bottom of each email; for SMS, by replying "STOP"; for marketing cookies, by modifying preferences from the "Manage Cookies" banner; or by writing to support@bronzata.com.


4. Categories of Recipients (Data Processors)

For the purposes described above, your data may be shared with the following parties, acting as Data Processors (Data Processing Agreement concluded in accordance with Article 28 GDPR):

4.1 E-commerce platform. Shopify Inc. (Canada/USA) — website hosting, order processing, subscription management, basic analytics.

4.2 Payment processors. Shopify Payments / Stripe Inc. (USA), PayPal (Luxembourg), Klarna (Sweden, if activated) — transaction management, fraud verification.

4.3 Shipping. Courier partners (BRT, GLS, DHL, UPS, FedEx depending on destination) — receive name, address, telephone for delivery execution.

4.4 Email and SMS marketing. Klaviyo Inc. (USA) — sending transactional and marketing emails (with consent).

4.5 Analytics. Google Analytics 4 (USA), Microsoft Clarity (USA, if active) — aggregated traffic analysis (with cookie consent).

4.6 Advertising and profiling. Meta Platforms Inc. (USA), TikTok (Ireland/Singapore), Google Ads, Pinterest — conversion and remarketing pixels (only with explicit consent).

4.7 Anti-fraud. Shopify Fraud Protect, Signifyd, Riskified, NoFraud (USA, according to active configuration) — fraud and chargeback prevention.

4.8 Customer support. Gorgias (USA), Help Scout (USA) or other CRM/helpdesk in use — management of support@bronzata.com tickets.

4.9 Authorities. In the event of legal obligation, data may be communicated to: judicial authorities, law enforcement, Italian tax authorities (Agenzia delle Entrate), US IRS, Data Protection Authority, upon legitimate request and within the limits of the law.

4.10 Data is not communicated or transferred to third parties for marketing purposes outside the network of processors listed above.


5. Data Transfers Outside the EU

5.1 Because Bronzata Beauty is based in the United States, and many sub-processors are based in the USA, some personal data is transferred outside the European Economic Area (EEA).

5.2 Safeguards applied. Extra-EU transfers are safeguarded by the following protections, in accordance with Articles 44-49 GDPR:

(a) Participation of the processor in the EU-US Data Privacy Framework (EU Commission Adequacy Decision of 10 July 2023), which currently applies to Shopify, Meta, Google, Klaviyo, Microsoft and Stripe; each organisation's current participation can be checked on the public Data Privacy Framework list maintained by the US Department of Commerce.

(b) Standard Contractual Clauses (SCC) approved by EU Commission Decision 2021/914, supplemented by Transfer Impact Assessment (TIA) where applicable.

(c) Binding Corporate Rules (BCR) approved by a supervisory authority under Article 47 GDPR, for multinational groups that have them.

5.3 The data subject may request from support@bronzata.com a copy of the safeguards applied or further information on transfers.


6. Retention Period

6.1 Account and order data. Retained for the duration of the relationship with the Customer, and for 10 years following the last transaction, in accordance with tax, accounting and anti-money laundering obligations (Legislative Decree 231/2007, US legislation).

6.2 Marketing data (newsletters, profiling). Retained until consent is withdrawn by the data subject, or for a maximum of 24 months of inactivity, after which data is anonymised or deleted.

6.3 Technical navigation and log data. Retained for maximum 12 months, unless security incident investigation or documented fraud requires longer retention.

6.4 Anti-fraud and ban list data. Retained for 36 months from flagging, unless ongoing legal proceedings require longer retention.

6.5 Support data (email tickets). Retained for 5 years from last interaction, for legal protection purposes and evidence in case of disputes.


7. Rights of the Data Subject (Articles 15-22 GDPR)

At any time you may exercise the following rights:

7.1 Right of access (Article 15). Obtain confirmation of whether processing concerning you is occurring and receive a copy of the data processed, purposes, categories, recipients, retention period, origin, existence of automated decision-making processes.

7.2 Right to rectification (Article 16). Correct inaccurate or incomplete data.

7.3 Right to erasure / "right to be forgotten" (Article 17). Request deletion of data in cases provided by law (consent withdrawal, objection, unlawful processing, etc.). Right limited by tax/legal retention requirements set out in §6.

7.4 Right to restrict processing (Article 18). Restrict processing where data accuracy is contested, processing is unlawful, or whilst objection is being verified.

7.5 Right to data portability (Article 20). Receive data in a structured, commonly used and machine-readable format (CSV, JSON), and transmit it to another controller.

7.6 Right to object (Article 21). Object to processing based on legitimate interest or for marketing purposes.

7.7 Right not to be subject to automated decision-making (Article 22), including profiling, where the decision produces legal effects concerning you or similarly significantly affects you. Exception: anti-fraud flagging and Welcome identity checks (Subscription Policy §5-6) are automated decisions that Bronzata considers necessary for the performance of the contract (Article 22(2)(a)) and in its legitimate interest in fraud prevention; in such cases the Customer has the right to obtain human intervention, to express their point of view and to contest the decision by writing to support@bronzata.com.

7.8 Right to withdraw consent (Article 7(3)). Without affecting the lawfulness of processing undertaken before withdrawal.

7.9 Right to lodge a complaint with a supervisory authority (Article 77). In Italy: the Garante per la protezione dei dati personali. In the UK: the Information Commissioner's Office (ICO). Elsewhere in the EEA: the data protection authority of your Member State of habitual residence, place of work or place of the alleged infringement.


8. How to Exercise Your Rights

8.1 Requests to exercise your rights must be sent by email to support@bronzata.com, specifying the right you are exercising and providing sufficient information to identify you (name, account email, any order number).

8.2 Identity verification. Bronzata may request additional documents to verify the identity of the requestor, to prevent identity fraud.

8.3 Response times. Response without undue delay and in any event within one month of receipt of the request, extendable by two further months where requests are complex or numerous; the requestor is informed of any extension, and of the reasons for it, within the first month (Article 12(3) GDPR).

8.4 No fee. Exercise of your rights is free of charge. Exception: manifestly unfounded, excessive or repetitive requests may incur a reasonable fee or be refused, with reasoned justification.


9. Automated Processing and Profiling

9.1 Anti-fraud and Welcome eligibility. Bronzata uses automated systems to: detect fraud attempts or abuse (Shopify Fraud Protect, potentially Signifyd/Riskified); verify Welcome Discount eligibility via identity matching (email, payment method fingerprint, address, IP, telephone); flag early cancellations (sub-cancel-within-48h) for future promotion exclusion. The legal bases are contract performance (Article 6(1)(b), Subscription Policy) and Bronzata's legitimate interest in fraud prevention (Article 6(1)(f), see §3.3).

9.2 Right to human intervention. In case of an unfavourable automated decision (e.g. order cancelled for suspected duplicate, promotion exclusion), the Customer has the right to request human intervention and review by writing to support@bronzata.com within 30 days of notification.

9.3 Marketing profiling. With your express consent, Bronzata may perform behavioural profiling (interests, products viewed, purchase frequency) to personalise email/SMS communications and advertising. Marketing profiling does not produce significant legal effects and may be withdrawn at any time.


10. Data Security

10.1 Bronzata adopts appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure, destruction, in accordance with Article 32 GDPR.

10.2 Technical measures: TLS/HTTPS encryption on all Site-server communications, PCI-DSS certified payment gateways, password hashing, two-factor authentication for admin accounts, encrypted backups with rotation, firewalls, antimalware, access monitoring.

10.3 Organisational measures: data access restricted to authorised personnel on a need-to-know basis, periodic privacy and security training, contractual confidentiality obligations (NDAs) with processors, periodic internal audits.


11. Data Breach Notification

11.1 In case of a personal data breach, Bronzata commits to:

(a) notify the supervisory authority (Data Protection Authority) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects (Article 33 GDPR);

(b) where the breach is likely to result in a high risk to the rights and freedoms of data subjects, communicate it to the data subjects without undue delay (Article 34 GDPR), describing the nature of the breach, its likely consequences and the measures adopted.


12. Cookies

For details on cookies used, purposes, duration and how to manage consent, please refer fully to our Cookie Policy, which is an integral part of this Privacy Policy.


13. Processing of Minors' Data

Bronzata does not target minors under 18 years old and does not knowingly collect personal data of minors. If we become aware of having collected minors' data without valid parental consent, we will proceed to immediate deletion. To report this: support@bronzata.com.


14. Changes to this Privacy Policy

Bronzata reserves the right to update this Privacy Policy at any time to reflect regulatory, organisational or technological changes. Substantial changes will be communicated via email to active data subjects at least 15 days in advance. The updated version will always be available at bronzata.com/policies/privacy-policy with the date of last update.


15. Contact Us

Privacy contact email and exercise of rights: support@bronzata.com

Website: bronzata.com


Bronzata Beauty commits to processing your personal data in a transparent and lawful manner, in compliance with EU Regulation 2016/679 (GDPR) and Italian legislation. The original of this Privacy Policy is drafted in Italian; for customers residing in Italy, the Italian version prevails in case of any discrepancy with this or any other translation.