Privacy Policy

With this Privacy Policy, provided pursuant to art. 13 of Regulation (EU) 2016/679 (“GDPR” or “Regulation”), we wish to inform the User about the methods by which their Personal Data (i.e., any information capable of identifying them directly or indirectly) will be processed when they visit and/or make purchases on the website or App www.gymbeam.com (hereinafter, the “Site”). This policy, together with the Cookie Policy and the Terms of Use and General Terms and Conditions of Sale, establishes the basis on which the personal data of Users will be processed.

Data Controller 

The Data Controller of personal data collected through the Site is: GymBeam s.r.o., with registered office in Košice, Slovakia, Rastislavova 93, 040 01, VAT: SK2023380447 (hereinafter “Data Controller”), email address: [email protected].

Data Protection Officer (DPO):

Methods of Processing personal data

We hold the right to privacy and the protection of our Users' personal data, which will be processed lawfully, in the highest regard.

The Personal Data provided or acquired will be subject to Processing based on the principles of correctness, lawfulness, transparency, and protection of confidentiality in accordance with current regulations, through appropriate security measures aimed at preventing unauthorized access, disclosure, modification, or destruction of Personal Data.

Processing is carried out using computer and/or telematic tools, with organizational methods and logic strictly related to the purposes indicated. 

Processed Personal Data

When the User visits the Site, contacts us (via email, telephone, mail, etc.), subscribes to the newsletter, or submits an order, we process some of their Personal Data, independently or through third parties.

We list the categories of personal data processed:

1. Identification, contact, and access data: first and last name, email address, shipping address, telephone number, and account access credentials if one has been created, as well as any other Personal Data voluntarily communicated by the User. 

2. Purchase data: data referring to purchases made;

3. Navigation data: relating to the connection, IP addresses, domain names, and other parameters relating to the browser and operating system used;

4. Usage Data: information generated by visiting the Site or making purchases on it: log data, data relating to registrations made, interaction and transaction processes, performance indicators, data relating to navigation flows and use of features;

5. Billing and payment data: any VAT number, bank account number or IBAN code for payments by bank transfer, tax code, address, and possibly the company name.

Do you wish to delete your account in the app? 

You can delete and cancel your account at any time, in total autonomy. The operation can be carried out directly within the App, in the “Need help?” section, or by contacting our customer service via email at [email protected], or by telephone at + 39 (0871) 485600. The withdrawal of consent does not affect the lawfulness of the processing of personal data carried out prior to the withdrawal itself, based on the consent previously given.

Purpose of Processing and Legal Basis 

The Data Controller will process the Personal Data of Users, as listed above, for the performance of its economic and commercial activities, for the specific purposes indicated below.

1. Purposes related to the Contract and Legal Obligations

  1. Navigation on the Site and in the App; 

  2. Registration and account management (credential recovery, cancellation, etc.) and use of related services;

  3. Activities necessary for the conclusion of the contract for the purchase of products sold by the Site and its execution;

  4. Order processing;

  5. Assistance and customer care activities as well as providing feedback on requests, complaints, reports and disputes from Users via email to the Controller's addresses or through other communication channels;

  6. Management of User requests via distance communication tools, such as email, chat, telephone, SMS, chatbot, banners, notification systems and other distance communication tools present on the Site and in the App;

  7. Fulfillment of obligations deriving from current law, regulations or community legislation (e.g. tax and accounting obligations) or management and response to requests from the competent administrative, tax and judicial authorities;

  8. Activities of an administrative, accounting and fiscal nature such as activities connected to the contract concluded through the Site, such as, by way of example, the issuance of receipts and/or invoices, the keeping of accounting records;

  9. Response to requests for the exercise of rights recognized to Users by the contract stipulated with the Controller, by law in relation to this contract or by the GDPR, and consequent activities.

  10. Fulfilling the legal obligation to communicate to the User whether or not the published reviews come from consumers who have actually purchased or used the product.

For these purposes, the Legal Basis is the necessity to execute pre-contractual and contractual obligations to which the User is a party (art. 6.1.b) of the GDPR) or the fulfillment of legal obligations to which the Controller is subject (art. 6.1.c) of the GDPR). 

Therefore, with the exception of account registration data which is optional, their processing is necessary to allow the conclusion and execution of the contract through the Site or to respond to pre-contractual requests made by the User in relation to the Site. Failure to communicate the data, therefore, will make it impossible for the User to conclude a contract through the Site and/or receive a response to the requests made.

2. Analysis and statistical purposes and other purposes not based on consent

  1. Carrying out statistical analysis regarding the use of the Site, navigation, product searches, to improve the site and the offer of products sold through it;

  2. Ensuring compliance with the contractual rights of the Data Controller or demonstrating that it has fulfilled the obligations arising from the contract with the data subject or imposed by law, to prevent and/or suppress fraudulent or harmful actions; 

  3. Reminding the User who has started the purchase process that they have placed a product in their shopping cart. 

The legal basis for this processing is legitimate interest (art. 6.1.f) of the Regulation). Sometimes the Legal Basis consists of legitimate interest (art. 6, paragraph 1, letter f) in conjunction with recital 47 of the Regulation), for sending transactional email communications (e.g. abandoned cart).

3. Direct Marketing and profiling purposes

  1. With the User's consent, we will send commercial communications to show them updates, news, offers and promotions, market research, also through automated processing tools such as emails, newsletters and promotional SMS.

  2. With the User's consent, as established by Article 4 of the GDPR, we will process their Personal Data to attribute particular characteristics, preferences, and send them, also through automated processing tools such as “retargeting” or through inclusion in clusters of subjects with common characteristics, personalized and diversified commercial communications, based on their profile. 

For these purposes, processing, including the final decision regarding the promotional communication to be sent or displayed to the user based on the cluster(s) they belong to, takes place in an automated way, without human intervention, based on algorithms whose parameters have been previously set.

The legal basis is the express consent of the User to the processing of personal data for these purposes (art. 6.1.a) of the Regulation). The provision of data for these purposes is optional. In case of lack of consent, withdrawal of the same or exercise of the right of opposition, the possibility for the User to make purchases on the Site and in the App will not be prejudiced in any way.

4. Soft-spam

To send commercial communications to propose the direct sale of similar products to the User's email address provided in the context of purchasing products through the Site. This activity does not require the acquisition of prior express consent from the data subject as it is exercised on the legal basis referred to in art. 130, paragraph 4, of the Privacy Code (Legislative Decree 30 June 2003, n. 196) which expressly allows it, provided that the user does not refuse such use, initially or on the occasion of subsequent communications.

Changing choices and revoking consent

In case of granting consent, the User may at any time revoke the consent given and/or oppose the processing of personal data for general marketing and profiling purposes through the methods indicated in the ‘Rights of Data Subjects’ section later in this policy. 

In case of withdrawal of consent, processing carried out on the basis of the consent given before its withdrawal will still be considered legitimate. In case of withdrawal of consent and/or opposition to the processing of their data for the purpose of generic marketing, the user's data will no longer be processed for this purpose and will be kept by the Controller only if another legal basis exists that legitimizes the processing (e.g. contractual execution; legal obligation; legitimate interest).

The provision of certain personal data (such as name, address, contact details and payment information) is necessary for the conclusion of a contract and for the provision of services by GymBeam s.r.o. Failure to provide such data may result in the impossibility of concluding a contract, delivering the ordered goods or providing access to personalized services. The provision of data not marked as mandatory is voluntary and failure to provide it does not affect the fulfillment of the contract.

If personal data is required to fulfill a legal or contractual obligation, failure to provide it may result in the impossibility of fulfilling the contract or providing the service.

Retention time

The Controller will process the personal data of Users for the time necessary to achieve the purposes for which such data were collected, as defined in this policy. However, for each of the purposes indicated, the personal data collected will be kept for the time specified below: 

1.  For purposes relating to the Contract, the Controller will process User data for the time strictly necessary to carry out the individual processing activities, provided that, once this term has expired, the Controller may keep the data for the purposes and for the maximum retention periods referred to in the other sections of this policy, if relevant and/or, in any case, in the cases established by the GDPR and/or by law.

2. For fiscal, administrative, accounting and legal purposes, until the expiration of the legal terms provided for carrying out each fulfillment and/or for the retention times provided by law. In case of account closure at the User's initiative, the data reported in it will be kept for administrative purposes for a period equal to 30 days from the closure of the account.

3. For purposes based on the legitimate interest of the Controller, it will process User data for the time strictly necessary to satisfy this interest, unless, in the face of disputes and/or complaints, the Controller needs to keep personal data to carry out defense activities (letter l) for the following 10 years (prescribed period) or, in the presence of litigation, further retention is determined by the duration of the litigation or by specific requests from the authority. The User can obtain more information on the legitimate interest pursued by contacting the Controller.

4. For the purpose of direct marketing and profiling, as long as consent is not withdrawn or registration on the Site is not canceled and in any case for a period equal to 12 months from when consent was given or renewed by the User, on the occasion of a new purchase or from the date of the last contact with the User, meaning, for example, opening the newsletter.

Once these retention times have passed, Personal Data will be deleted and the User will no longer be able to exercise the rights of access, cancellation, rectification and portability of the Data.

Communication and dissemination of data

In addition to the Controller, in some cases, the following may have access to the Data:

1. subjects involved in the organization of the website (for example: administrative, commercial, marketing staff);

2. third parties who perform ancillary and instrumental tasks with respect to the activity of the Controller and who process personal data on behalf of the Controller (for example: payment services, legal, accountants, system administrators, logistics companies, newsletter services);

3. public or private subjects who can access the Data in compliance with law, regulations and measures issued by the competent authorities; 

4. potential buyers of the Controller company and entities resulting from the merger or any other form of transformation.

Such recipients, depending on the case, process User personal data as appointees, data processors or independent controllers. The User can request the updated list of Data Processors referred to in art. 28 GDPR. 

Place of Processing and transfer of Data abroad 

The processing of Data takes place essentially in Italy and in European Union Countries. Some third-party tools may process the data of users of this website in Countries outside the European Economic Area (the “Third Countries”).

The transfer of data to Third Countries can also occur through the use of external tools that allow certain services (e.g. newsletter, remarketing, advertising, use of social buttons, video display). 

Sometimes the use of such tools can imply the transfer of personal data of users who visit this website to a third country for which there is no adequacy decision by the European Commission.

If there is a need to transfer data to Third Countries, the Controller undertakes to ensure that the Country to which the data will be sent guarantees an adequate level of protection, as provided for by article 45 GDPR; such transfer will be regulated on the basis of the standard data protection contractual clauses approved by the European Commission for the transfer of personal information outside the EEA pursuant to article 46.2 GDPR.

Cookies

This website uses cookies. Cookies are small text files that can be installed by websites on users' devices to make the browsing experience more efficient and to personalize content and ads, provide social network functions and analyze traffic. To learn more, read the Cookie Policy.

Third-Party Tools that process Personal Data

REGISTRATION ON THE SITE

Google OAuth (Google Ireland Limited)

Google OAuth is a service provided by Google Ireland Limited and connected to the Google network, which allows the user to register on the Site and in the App and authenticate using their Google credentials.

Personal Data processed: various types of Data as specified by the privacy policy of the service. Place of processing: Ireland – Privacy Policy.

Facebook Login (Meta Platforms Ireland Limited)

Facebook Login is a service provided by Meta Platforms Ireland Limited and connected to the Facebook network, which allows the user to register on the Site and in the App and authenticate using their Facebook credentials. Personal Data processed: Tracking Tools; various types of Data. Place of processing: Ireland – Privacy Policy.

NEWSLETTER

The newsletter service allows the Data Controller to send promotions and commercial communications to users via email. This Site uses the following service:

Brevo formerly Sendinblue (Brevo formerly Sendinblue SAS)

Brevo is an address management and email message sending service provided by Brevo formerly Sendinblue SAS. Place of processing: FRANCE – View the Privacy Policy of the service to know the data processed by it. If the User does not want their personal data to be managed by Brevo, it will be necessary for them to cancel their subscription to the newsletter. To this end, the Controller provides an unsubscribe button (unsubscribe link) in every commercial communication.

SOCIAL NETWORK BUTTONS

The User can use the social buttons to visit the social pages of the Site, through the following social tools which in any case collect users' personal data as traffic data on the pages visited and on which they are installed. The Site makes available the following social buttons:

Instagram (Meta Platforms Ireland Limited)

The Instagram button is a service for interacting with the Instagram social network, provided by Meta Platforms Ireland Limited. Personal Data collected: Cookies, Usage Data and other data as per the relative privacy policy. Place of processing: IRELAND – UNITED STATES – Privacy Policy.

Facebook (Meta Platforms Ireland Limited)

The Facebook button and social widgets are services for interacting with the Facebook social network, provided by Facebook Ireland Ltd. Personal Data collected: Cookies and Usage Data. Place of processing: IRELAND – UNITED STATES – Privacy Policy.

YouTube (Google Ireland Limited)

The YouTube button and social widgets are services for interacting with the YouTube platform, provided by Google Ireland Ltd. Personal Data collected: Cookies and Usage Data. Place of processing: IRELAND – UNITED STATES – Privacy Policy.

TikTok (TikTok Technology Limited)

The TikTok button and social widgets are services for interacting with the TikTok social network, provided by TikTok Technology Limited. Personal Data collected: Cookies and Usage Data. Place of processing: UNITED STATES – MALAYSIA – SINGAPORE – Privacy Policy.

REVIEWS

Trustpilot (Trustpilot Group plc)

Trustpilot is an online review platform provided by Trustpilot Group plc, which allows the User to leave an evaluation of a specific service or product.

Personal Data processed: various types of Data as specified by the privacy policy of the service. Place of processing: EUROPE - Privacy policy.

PAYMENT MANAGEMENT

ADYEN (Adyen N.V.)

Adyen is a financial technology platform integrated on the Site and in the App provided by Adyen N.V., which manages all online payments and guarantees maximum security of transactions. Personal data collected: Cookies and various types of Data as specified by the privacy policy of the service. Place of processing: NETHERLANDS - Privacy Policy.

PayPal (Paypal Europe S.à.r.l. et Cie, S.C.A Inc.)

PayPal is a payment service provided by PayPal Europe S.à.r.l. et Cie, S.C.A Inc., which allows the User to make online payments using their PayPal credentials. Personal data collected: Cookies and various types of Data as specified by the privacy policy of the service. Place of processing: LUXEMBOURG - Privacy Policy.

GOOGLE PAY (Google Ireland Limited)

Google Pay is a payment service provided by Google Ireland Limited that allows the User to make online payments using their credentials. For more information on the data collected by the application, please view the relative Privacy Policy.

KLARNA (Klarna Bank AB)

Klarna is a payment service provided by Klarna Bank AB that allows the User to make installment payments without interest or additional costs. For more information on the data collected by the application, please view the relative Privacy Policy.

STATISTICS 

Statistical services allow the Data Controller to monitor and analyze traffic data and are used to keep track of User behavior. This Site uses the following third-party services:

Google Analytics (Google Ireland Limited)

Google Analytics is an analysis service provided by Google Ireland Limited. Google uses the Personal Data collected for the purpose of tracking and examining the use of this Site, compiling reports and sharing them with other services developed by Google. Google could use Personal Data to contextualize and personalize the ads of its own advertising network. Google can also transfer this information to third parties where required by law or where such third parties process the aforementioned information on behalf of Google. On this site, the IP address anonymization function is active. The IP address transmitted by the browser for purposes connected to Google Analytics will not be incorporated with other data already in Google's possession.

The use of Google Analytics may in some cases involve the transfer of personal data of users who visit this website to a third country, such as the United States, for which there is no adequacy decision by the European Commission.

At the following link https://tools.google.com/dlpage/gaoptout?hl=it Google makes available the browser add-on for deactivating Google Analytics. Personal Data collected: Cookies, IP Address, Usage Data and other personal data defined in the Google privacy policy. Place of processing: IRELAND and in certain cases UNITED STATES – Privacy Policy.

Facebook Pixel (Meta Platforms Ireland Limited)

This site uses the Facebook Pixel, a Facebook conversion monitoring tool provided by Meta Platforms, Inc. This analyzes conversions attributable to sponsorships on the Facebook social network through the use and analysis of some Personal Data of the user. Personal Data collected: Cookies; Usage Data. Place of processing: Ireland and in certain cases UNITED STATES - Privacy Policy.

REMARKETING

These services allow this Site to communicate, optimize and offer advertisements based on past use of this website by the User. This activity is carried out through tracking Usage Data and the use of Cookies. This website uses the following services:

Facebook Remarketing (Meta Platforms Ireland Limited)

Facebook Remarketing is a Remarketing and Behavioral Advertising service provided by Meta Platforms Ireland Limited (‘Meta’), which links the activity of this Site with the Meta advertising network. This Site makes use of the Facebook Pixel tool in order to measure conversions. Thanks to the Facebook Pixel, it is possible to understand the actions people perform on the Site and in the App. The Data collected can be used to ensure that advertisements are shown to the right people; create audience groups to target advertisements; take advantage of further advertising tools of the platform on which you advertise.

The information detected is anonymous to the operators of this Site and cannot be used to identify the identity of an individual user. However, the information is saved and analyzed by Facebook, which could link the action back to an individual profile and use this information for internal Facebook advertising purposes, as outlined by Facebook's privacy policy. This will allow Facebook to show advertisements both on Facebook and on third-party sites. For more information on how Facebook treats personal data of users, we refer to the relative privacy policy. Place of processing: IRELAND and in some cases United States - Privacy Policy.

Google ADS (Google Ireland Limited) 

Google ADS is a service provided by Google Ireland Limited that links this website with the Google advertising network. This website makes use of the Google Analytics Remarketing features combined with the possibility of adaptation to different Google ADS devices. This feature makes it possible to link the target groups for promotional campaigns created by the Google Analytics Marketing function with the adaptability to different Google ADS devices. This allows showing advertisements based on the user's personal interests, identified through an analysis of the user's behavior on the web, whether it be on a mobile device or on other devices. It is possible to permanently disable targeting and remarketing functions by disabling the “personalized advertising” function in your Google account. To do so, simply follow the opt out link. Personal Data collected: Cookies and Usage Data. Place of processing: Ireland and in some cases United States - Privacy Policy - Opt out.  

VIRTUAL TRIAL ("VIRTUAL MIRROR") 

When using the "Virtual Trial" function on our pages dedicated to clothing products, users can upload a personal photo to generate a virtual representation of how a selected garment might look worn. The uploaded image is processed through the Google Vertex AI artificial intelligence system, which automatically analyzes the photo to position the garment appropriately. Pursuant to Article 9 of the GDPR, this constitutes processing of biometric data. Processing is carried out exclusively on the basis of the user's explicit consent pursuant to Articles 6(1)(a) and 9(2)(a) of the GDPR, provided through the voluntary upload of the image. We inform you that Google Vertex AI is the third-party tool used for this function. The photo is processed only temporarily for the duration of the virtual trial and is automatically and permanently deleted immediately after the generated image is displayed to the end user. Neither GymBeam nor Google stores or keeps the data voluntarily provided by the user (in this case, the images).

Rights of Data Subjects

Data subjects have the right to exercise the options provided for in articles 7, 15-22 of the Regulation. 

In particular, Users have the right to obtain: access, updating, rectification or, when they have an interest, integration of data; cancellation, transformation into anonymous form or blocking of data processed in violation of law, including those whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed; certification that the above operations have been brought to the knowledge, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment proves impossible or involves a use of means manifestly disproportionate to the protected right.

Furthermore, Users have the right to withdraw consent at any time, if the processing is based on their consent, to request data portability (i.e. to receive all personal data concerning them in a structured format, commonly used and readable by an automatic device), to request the limitation of the processing of personal data and/or cancellation (“right to be forgotten”), as well as the right to object to the processing of personal data concerning them and to the processing for purposes of sending advertising material, direct sales and for carrying out market research.

Pursuant to the Applicable Regulations, the Controllers inform Users that they have the right to obtain indication of (i) the origin of the personal data; (ii) the purposes and methods of processing; (iii) the logic applied in case of processing carried out with the aid of electronic tools; (iv) the identification details of the Controllers and data processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as data processors or appointees.

Data subjects can exercise their rights, by sending a specific communication to the Controller or by using the data subject rights exercise form, obtainable at this link, to be sent, duly completed and signed with attachments, to the Controller via email to: [email protected].

Data subjects, if they believe that the processing concerning them violates the Regulation, also have the right to lodge a complaint with the Privacy Guarantor as the supervisory authority for the protection of personal data (Guarantor for the protection of personal data, with office in Piazza Venezia n. 11 - 00187 – Rome, http://www.garanteprivacy.it/).

Changes to this Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time by giving notice of them to Users on this page. Therefore, please consult this page often, referring to the date of the last modification indicated at the bottom. In case of non-acceptance of the changes made to this Privacy Policy, the User is required to cease using this website and can request the Data Controller to remove their Personal Data. Unless otherwise specified, the previous Privacy Policy will continue to apply to Personal Data collected up to that moment. The Controller is not responsible for updating all the links viewable in this Privacy Policy; therefore, whenever a link is not working and/or updated, Users recognize and accept that they must always refer to the document and/or section of the websites referred to by such link.

Privacy Policy updated as of October 2023