Effective Date: Oct 01, 2021
Our Privacy Policy.

Protecting your privacy is extremely important to us at Alpha. 

This Privacy Policy is intended to give you a clear overview of how we handle data in order to earn your trust.

ALPHA is a suite of apps that introduces what is known as "connected clienteling," a new kind of shopping experience tailored to the customer. ALPHA offers an up-to-date client style profile, tailored style requests and suggestions. With its advanced features, ALPHA helps you connect with your favorite Brand and have direct contact with the relevant Sale Associates/Store/Client Advisors/Client Service so you can stay up to date with the latest trends.

SUMMARY

1. CO-OWNERS OF DATA PROCESSING
2. WHAT CATEGORIES OF DATA WE PROCESS
3. LEGAL BASES
4. PURPOSE OF DATA PROCESSING
5. PRIVACY OF MINORS
6. DIRECT CUSTOMER CONTROL OVER DATA
7. SHARING OF CUSTOMER DATA
8. LINKS TO SERVICES OF THIRD-PARTY PROVIDERS
9. TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EU
10. PRIVACY FOR CUSTOMERS RESIDING OUTSIDE THE EU
11. DATA RETENTION
12. DATA PROTECTION RIGHTS
13. THE DATA PROTECTION SUPERVISORY AUTHORITY
14. HOW YOUR DATA IS PROTECTED
15. COMMUNICATIONS 


1. WHO IS THE DATA CONTROLLER OF THE DATA YOU PROVIDE TO US

Our App is a licensed SaaS and White Label product.

For this reason, this policy explains how we process your data. For how the Brand processes your data, we suggest you view its Privacy Policy directly, which you will find on its sites or in the app when creating your personal account.

The DATA CONTROLLERS and CO-OWNERS of the processing of your personal data in Alpha, pursuant to Art. 26 GDPR, are:

  • The Company MEETALPHA SRL, Via del Tiratoio 1, 50124, Firenze (FI) – ITALY, P.IVA: 07205120483, n. REA FI-687032, mail: legal@meetalpha.it
  • The Company MEETALPHA INC., 1643 Powell St, San Francisco, CA 94133, web domain holder (https://www.meetalpha.it/). It does not collect any type of data and does not conduct any profiling. Mail: legal@meetalpha.it

All our servers are physically located in Europe, specifically in Frankfurt (DE).


AS THE CO-OWNERS ARE LEGAL ENTITIES THAT ARE PART OF THE SAME CORPORATE GROUP (INTRA-GROUP DATA TRANSFER), BUT SUBJECT TO ITALIAN AND AMERICAN LAW RESPECTIVELY, THEY HAVE JOINTLY DECIDED TO REGULATE AS FOLLOWS THE DATA PROCESSING THROUGH THE ALPHA APPLICATION, PAYING GREAT ATTENTION TO GDPR COMPLIANCE.

THE CO-OWNERS DECIDED TO APPLY THE EUROPEAN REGULATIONS ALSO TO NON-EU USERS BECAUSE THEIR PROVISIONS ARE MORE PROTECTIVE OF THE RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA.

Article 26(2) of the GDPR Regulations provides that, "The co-ownership agreement shall adequately reflect the roles and relationships of the co-owners with the data subjects. The essential content of the agreement shall be made available to the data subjects."

The parties signed a DPA (Data Protection Agreement) in order to limit the areas of circulation and processing of personal data (e.g., storage, archiving and retention of data on their own servers or in the cloud) to countries that are part of the European Union. Link to the DPA doc.



2. WHAT CATEGORIES OF DATA WE PROCESS

Personal data (hereinafter referred to as "Data") is information that refers to an identified or identifiable physical person. Within the scope of the processing purposes highlighted in the following paragraph, we process the following categories of data:

  1. "Common" type personal data including, but not limited to, first and last name, residence, email address, phone number.
  2. Shopping preferences and interests (likes to Brand's products), photos you voluntarily share with the Brand's Sales Associates, information about your size.
  3. History of interactions between the Customer and the Brand/Sales Associate/Client Advisor/Client Service when they use our internal chat. We save likes or dislikes to Brand products.
  4. Biometric data (user photos), if the Customer voluntarily sends photos of himself or herself in the private chat of the app or creates his or her own personal wardrobe. The content of instant messaging and photos voluntarily sent via the app are stored on our servers in encrypted form "at rest".
  5. Aggregate data that we analyze by merging the collected information with other data for reasons of reporting, planning, development, operation/functionality, maintenance and management, and app improvement. We may share this aggregate data with our Business Partners. 
  6. Technical cookies (website only) to enable you to navigate our website efficiently and safely and allow you to use certain features. This is information that is not collected to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.

 

The information collected could be as follows: 

- internet protocol (IP) address associated with device used to connect.

- browser type and parameters of device used to connect to the site.

- name of internet service provider (ISP).

- date and time of visit.

- visitor's source (referral) and exit web page.

- possibly the number of clicks made within the site and any preference expressed.

Our website uses only technical cookies that are necessary for the basic functionality of the site. Through the site there is no collection of personal data or profiling.



3. LEGAL BASES 

We process data with your CONSENT.

By using our App, you explicitly approve the Privacy Policy of the app, consenting to the processing of your personal data in point 2) in relation to the methods and purposes described below, but explicit consent will only be required through the choice of checking the box in the account creation window, if necessary. Consent, according to the European Regulation (Art. 4 GDPR), is any free, specific, informed, and unambiguous manifestation of will, following our clear and concise request.

If you do not provide consent, we will not be able to allow your account registration and App functionality to continue.


Your provided consent applies to all processing activities performed for the same purpose(s).


We process personal data without your consent only for the following legal bases and purposes:

CONTRACTUAL or PRECONTRACTUAL BASIS.

  • To perform/fulfill specific contractual or pre-contractual obligations undertaken towards you (Art. 6(b) GDPR).
  • For instant messaging content or the creation of your own wardrobe in the app, the legal basis for processing is Articles 6 and 7 GDPR 679/16. The choice to use chat constitutes a free manifestation of consent, by unequivocal positive action, to the processing of personal data in execution of pre-contractual and contractual measures to receive assistance from a Sales Associate.

LEGAL OBLIGATIONS

  • To comply with the provisions of laws and regulations (national and/or EU), or to comply with orders and requirements imposed on the Co-owners by judicial authorities, supervisory bodies, and professional bodies (Art. 6, lett. c, GDPR).
  • To exercise the rights of the Joint Holders, in particular that of defense in court (Art. 6, lett. f, GDPR).


LEGITIMATE INTEREST

Based on the legitimate interest of the Contact Persons to establish and maintain profitable and optimal professional relationships with their customers, actual and potential (Art. 6, lett. f, GDPR), your personal data may be processed by the Contact Persons for the following purposes:

  • To carry out "customer relationship management" activities, consisting mainly of tracking and managing the relationships and interactions held with the "contact persons" of customers, actual and potential in order to better understand their needs and expectations, improve their services, as well as increase their business.
  • Profiling may also be based on the legitimate interest of the Data Controllers, as the level of detail, completeness of profiling, impact of profiling and security measures to ensure fairness, non-discrimination and accuracy in the profiling process are limited and adequate.
  • Retention of login data in server log files. When you visit our website, we may store access data in server log files, such as the name of the requested file, date and time of access, volume of data transferred, and requesting provider. We use this data only to ensure efficient operation of the site. For security purposes (spam filters, firewalls, virus detection), automatically recorded data may possibly also include personal data such as IP address, which could be used, in accordance with relevant laws, in order to block attempts to damage the site itself or to harm other users, or otherwise harmful or criminal activities. This information is processed according to the legitimate interests of the owner.


Our App does not engage in marketing activities, but consent may be requested for the purpose of direct marketing or of marketing by third-party companies that are licensees of the App (indirect). For this, please refer to the Privacy Policies you will find at the consent checkbox from time to time, referring to the company ("Brand") using our Clienteling App. We therefore encourage you to always take a look at any links to the privacy documents in the App.


4. FOR WHAT PURPOSES WE WILL PROCESS YOUR INFORMATION

We collect Personal Information directly from you when you interact with us to:

  • Create a user account (individual or corporate).
  • Request support.
  • Request product information.
  • Participate in surveys or ratings.
  • Interact with likes and dislikes.
  • Submit questions or comments.
  • Receive giveaway promotions.


We will process data for the following main reasons:

  • To fulfill requirements dictated by national and/or EU regulations: 
  • To fulfill obligations under laws, regulations, EU legislation, civil and tax regulations.
  • We are subject to certain legal obligations in the operation of the website. This includes, among other things, the obligation to ensure data security when using our websites. For this purpose, we may process user data as part of the measures to be taken to ensure data security.


For profiling activities

  • To analyze or predict the preferences or behaviors of those who use our App.
  • The information collected is necessary for the operation of the chat platform and to enable the Brand to provide personalized assistance, respond to Customer requests, and monitor and improve the quality of service.

Our App does not use the information obtained through the chat platform for marketing purposes.
Data will be processed for the sole purpose of aggregate statistics and reports, therefore, anonymously in order to improve the quality of service and will all be encrypted "at rest."


5. PRIVACY OF MINORS.

We recognize the importance of protecting the personal information of minors. That is why our app provides services that cannot be provided to minors as specified by law in your jurisdiction.  

We do not knowingly collect personal information from minors. If we become aware that we have unintentionally collected personal information from a minor, we will take steps to delete such information as soon as possible. In this regard, our app implements "by design and by default" processes and protections to keep their personal information safe.


6. CONTROL OVER YOUR DATA

You can control your data in these ways:

  • Change or delete your personal data from the Account.

You can change or delete your personal data at any time. Always check that the data is correct, true, and up to date. If you have any doubts or questions about how to rectify/delete, you can contact us at the email below: legal@meetalpha.it


  • Control Push Notifications 

You can stop push notifications by changing your preferences in iOS from the notification settings menu on your device.



7. WITH WHOM WE SHARE YOUR DATA

We always take appropriate measures to ensure that your data is processed, protected, and transmitted in accordance with applicable legal requirements.

For the purposes set out in section 3) above, the personal data you provide may be made accessible to:

  1. Employees and contractors of each Data Controller, in their capacity as authorized data processors (or so-called "Data Processors").
  2. Judicial or Supervisory Authorities, administrations, agencies, and public bodies (domestic and foreign).
  3. Professionals and consultants, appointed by each Data Controller to carry out activities related to the administrative management of the corporate structure to which they belong, the management of professional assignments or the possible defense in court.


SUBPROCESSORS/THIRD PARTIES 

  • AWS: Controller of Personal Information. When Amazon Web Services EMEA SARL is the provider of an AWS Offering, Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg, is the data controller of personal information collected or processed through the AWS Offering. Amazon Web Services EMEA SARL is also the authorized representative of Amazon Web Services, Inc. in the EEA.
  • NOVALAB SRLS UNIPERSONALE (single-member-company), Reggio Emilia, Via della Previdenza Sociale n. 11 – 42124 Reggio Emilia (RE), REA al n. RE – 311903, C.F./VAT 02769560356



8. LINKS TO THIRD PARTY PROVIDER SERVICES 

If the app allows interaction between you and the Brand through end-to-end messaging channels of Third-Party Providers, by way of example but not limited to WhatsApp, please refer to the specific privacy policy, because under no circumstances can the Owners be held responsible for compliance with privacy regulations implemented by third parties.


9. TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EU

Your data will not be transferred outside the EU. The management and storage of your personal data takes place in the cloud and on servers located within the European Union (Frankfurt - Germany) owned and/or at the disposal of the Joint Data Controllers and/or third-party companies duly appointed as data controllers.

Any cross-border transfer of data to countries takes place in accordance with the applicable regulatory provisions, as well as in compliance with the provisions assumed by the European Court of Justice and domestic and foreign Authorities on the protection of personal data.

In the absence of consent, your personal data will not be disseminated. 

In any case, transfers of personal data to countries outside the European Economic Area (EEA) or to an international organization are permitted provided that the adequacy of the third country or organization is recognized by a decision of the European Commission (Article 45 of EU Regulation 2016/679).

In the absence of such a decision, the transfer is permitted where the data controller or processor provides adequate safeguards that provide for enforceable rights and effective remedies for data subjects (Art. 46 of EU Regulation 2016/679).


AS THE CO-OWNERS ARE LEGAL ENTITIES THAT ARE PART OF THE SAME CORPORATE GROUP (INTRA-GROUP DATA TRANSFER), BUT SUBJECT TO ITALIAN AND AMERICAN LAW RESPECTIVELY, THEY HAVE JOINTLY DECIDED TO REGULATE AS FOLLOWS THE PROCESSING OF DATA THROUGH THE ALPHA APPLICATION, PAYING GREAT ATTENTION TO COMPLIANCE WITH THE GDPR.

THE CO-OWNERS DECIDED TO APPLY THE EUROPEAN REGULATIONS ALSO TO NON-EU USERS AS PROVISIONS MORE PROTECTIVE OF THE RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA.

Article 26(2) of the GDPR Regulations provides that, "The co-ownership agreement shall adequately reflect the roles and relationships of the co-owners with the data subjects. The essential content of the agreement shall be made available to the data subjects."

The parties have signed a DPA (Data Protection Agreement) in order to limit the areas of circulation and processing of personal data (e.g., storage, archiving and retention of data on their own servers or in the cloud) to countries that are part of the European Union.

Link to the DPA doc



10. FOR NON-EU RESIDENTS

For non-EU residents, current privacy regulations will apply, subject to all standards of security and respect for all rights accorded to citizens of the European Union.


COUNTRY-SPECIFIC INFORMATION

  • NEVADA: For residents of the State of Nevada, the new chapter of Nevada Revised Statutes, Chapter 603A, entitled Security and Privacy of Personal Information, governs how a business must respond to breaches of a security system and requires data collection operators to provide customers with notification regarding any security breach involving an individual's personally identifiable information. The law requires companies to take reasonable steps to delete or destroy records or data containing personally identifiable information. To submit a request in this regard, please contact: legal@meetalpha.it


  • CALIFORNIA: For residents of the State of California, the California Privacy Rights Act (CPRA), which recently went into effect on January 1, 2023, amended and expanded the CCPA by granting additional rights to consumers that limit the use of personal information, correction of personal information, opt-out rights related to personal information, and established the California Privacy Protection Agency (CCPA) to enforce violations of the CCPA and CPRA. 

     Under the CPRA amendment, users can choose not to share their personal information (including sensitive personal information) with third parties. For the purposes of the above, please contact legal@meetalpha.it and provide the information to be added to our "opt-out list."


  • UNITED KINGDOM: As of 01.01.2022, GDPR ceased to have direct effect in the UK. 

     However, given the trade agreement, the UK is committed to maintaining an equivalent data protection regime. The EU and UK have a trade agreement (the EU-UK Trade & Co-operation Agreement) that sets legislative standards for data protection.


  • SWITZERLAND: As an independent authority, the Federal Data Protection and Information Commissioner (FDPIC) oversees data protection. The Guarantor, noting the adequate level of protection guaranteed by Switzerland, authorized the transfer of personal data from Italy to the Swiss Confederation by Order No. 275 of November 26, 2001.



11. HOW LONG YOUR DATA WILL BE STORED FOR

In accordance with Article 17 of the GDPR, your data will be stored for as long as we are legally required to or as long as we need your data for the stated purposes. 

Your data will then be deleted in accordance with the principle of data minimization:

  • FOR ACCOUNT MANAGEMENT PURPOSES: Your data is retained only for as long as it is necessary for the purposes of managing the account you have created to access our services offered and, in any case, will be retained until you request deletion of your account.


  • FOR PROFILING PURPOSES: Your data will be retained in accordance with the principle of proportionality and in any case until the purposes of the processing have been pursued or, if earlier, until the revocation of specific consent by the data subject.

     Chat content will be archived for only the 12 months preceding the last interaction, after which it will be permanently deleted from our servers.

     Therefore, if the chat is used for much longer periods, only the last 12 months of instant messaging will always be stored on our servers.


  • FOR LEGAL OBLIGATIONS: Data of a civil, accounting, or tax nature will be kept for a term of ten years, as provided by law.

They will be processed and stored in the following terms:

  • with respect to the execution/fulfilment of contractual or pre-contractual obligations undertaken towards you by the Controller, for a period of 10 years increased by 12 months.
  • with regard to compliance with the provisions of laws and regulations, to processing aimed at complying with orders and prescriptions imposed by judicial authorities, Supervisory Bodies, as well as to enable the Data Controller to exercise its/their rights, in particular, that of defense in court: for the period of prescription/expiration established by the specific reference legislation increased by 12 months.
  • with regard to the transmission of publications, studies, reports, and other types of informative material of a professional nature: for no longer than 2 years from the date of the last transmission.
  • with regard to "customer relationship management" activities: for a period of 6 months following the last interaction (e.g., exchange of e-mails, telephone calls, organization of meetings or similar activities) attesting that there is an active relationship with the Interested Party.


| Type of Data | Short Description | Legal Bases for Processing |
| --- | --- | --- |
| PERSONAL DATA OF "COMMON" TYPE | INFORMATION RELATING TO THE PHYSICAL PERSON, e.g., full name, residence, email address, telephone number. | 10 YEARS |
| PURCHASING PREFERENCES AND INTERESTS | INFORMATION INTENDED TO EVALUATE DETERMINED PERSONAL ASPECTS RELATED TO A PHYSICAL PERSON, particularly to analyze or predict aspects regarding personal preferences, interests, e.g., likes to Brand products, information about your size, etc. This is data that is shared voluntarily with the Brand's Sales Associates. | 12 MONTHS (for profiling purposes, to which an additional period of 3 months may be added); 24 MONTHS (for direct marketing purposes by the brand) |
| HISTORY OF INTERACTIONS | LIKE OR DISLIKE TO BRAND PRODUCTS during interactions with the Sales Associate and the Brand. | 12 MONTHS (for profiling purposes, to which an additional period of 3 months may be added); 24 MONTHS (for direct marketing purposes by the brand) |
| BIOMETRIC DATA (PHOTOS OF USERS) | SENDING PHOTOS ON A VOLUNTARY BASIS in the app's private chat: Customers send photos of themselves or create their own personal wardrobe. | 12 MONTHS (for profiling purposes, to which an additional period of 3 months may be added); 24 MONTHS (for direct marketing purposes by the brand) |
| AGGREGATE DATA | Aggregated data may be derived from PERSONAL DATA PROVIDED BY THE USER, BY JOINING THE COLLECTED INFORMATION WITH OTHER DATA, but they are not considered personal data because they do not allow either directly or indirectly the identification of the person concerned. | 12 MONTHS (for profiling purposes, to which an additional period of 3 months may be added); 24 MONTHS (for direct marketing purposes by the brand) |
| TECHNICAL COOKIES (WEBSITE ONLY) | These are the cookies THAT ARE USED TO CARRY OUT NAVIGATION OR PROVIDE A SERVICE REQUIRED BY THE USER. They are not used for any other purpose and are normally installed directly by the website owner. | 6 MONTHS |

12. WHAT DATA PROTECTION RIGHTS YOU CAN CLAIM AS A DATA SUBJECT

You can exercise multiple rights to which you are entitled as a data subject. 

To do so, please see the contact details in Section 15 of this privacy policy.


Right of access

You can request information about your stored personal data (Art. 15 of the GDPR). This information includes the categories of data processed by us, the purposes of the processing, the origin of the data if we have not collected it directly from you, and if applicable the recipients to whom we have transmitted your data.  You may receive from us a free copy of your data, which is the subject of the agreement. If you are interested in additional copies, we reserve the right to bill you for any additional copies.


Right to rectification and erasure

You can request rectification of inaccurate personal data and completion of incomplete personal data about you. (Art. 16 of the GDPR). In addition, you can request the deletion of your data under the terms and conditions of Art. 17 of the GDPR. 

This could happen, for example:

  • if your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • if you withdraw the consent on which the processing is based and if there is no other legal basis for the processing.
  • if you express opposition to the processing of your data and there is no overriding legitimate ground for processing.
  • if personal data have been processed unlawfully except where the processing is necessary to comply with a legal obligation requiring us to process your data:
  • in particular, with regard to legitimate retention periods.
  • to establish, exercise or defend a right.


Right to restrict processing

You have the right to limit the processing of your personal data, e.g., by marking your stored data for the purpose of limiting its future processing. For this purpose, you must meet one of the conditions specified in Art. 18 of the GDPR, e.g.

  • you dispute the accuracy of your personal data, so during the period of verifying the accuracy of such personal data we restrict processing.
  • the processing is unlawful but instead you request that its use be restricted.
  • we no longer need your personal data, but you need it for the establishment, exercise, or defense of a legal claim.
  • you have objected to the processing pending verification as to whether our legitimate grounds for processing outweigh yours.

Right to data portability

You have the right to receive in a structured, commonly used, machine-readable format the personal but non-particular content data you have provided to us. You can transfer said data to another data controller without hindrance. You have the right to obtain direct transmission of personal data to another data controller, if technically feasible (Art. 20 GDPR).


Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, provided that the processing of the data is based on your consent or on our legitimate interests or those of a third party. In such a case, we will refrain from further processing your personal data unless you demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of a legal claim. You can object to the processing at any time if your personal data is processed by us for direct marketing purposes (Art. 21 GDPR). The right to withdraw your consent to processing remains freely revocable at any time, regardless of your right to object.


Right to lodge a complaint with a supervisory authority

We work together with you to achieve a fair resolution of any complaints regarding data protection. You have the right to file a complaint with the Data Protection Authority if you believe that our processing of your personal data violates applicable data protection law.

Please note that you will be able to exercise your rights by simply sending a request via e-mail to the Data Controller's Internal Data Protection Contact, indicated in point 1 of this Privacy Policy, as well as being able to use the additional IT systems, adopted by the Data Controllers, which will allow you to independently modify or revoke the consents previously expressed and, where possible, to re-evaluate your preferences regarding the processing carried out (e.g. mail-in and preference center managed on IT platforms).



13. THE PERSONAL DATA PROTECTION SUPERVISORY AUTHORITY

The personal data protection provisions, contained within the GDPR, are available and accessible by clicking this link.

The Supervisory Authorities relevant to the processing of personal data covered by this privacy policy are:

- Garante italiano per la protezione dei dati personali (Italian Personal Data Protection Guarantor)
- Garante europeo per la protezione dei dati personali (European Data Protection Supervisor)
- European Data Protection Board (EDPB)



14. HOW YOUR DATA IS PROTECTED

The processing of your personal data is carried out by means of the operations indicated in Article 4, No. 2), GDPR - carried out with or without the aid of computer systems - namely: collection, recording, organization, structuring, updating, storage, adaptation or modification, extraction and analysis, consultation, use, communication by transmission, comparison, interconnection, limitation, deletion, or destruction.

In any case, the logical and physical security of the databases and, in general, the confidentiality of the personal data processed will be guaranteed, putting in place all the necessary technical and organizational measures adequate to ensure their security.

It should be noted that:

  • the connection to the server is encrypted.
  • the saved data are encrypted "at rest" and visible only upon authentication.
  • images voluntarily shared by the User in chat or personal wardrobe are not saved in chat but only the URL to the (encrypted) image is saved.
  • the chat is not encrypted end to end.
  • All our servers are physically located in Europe in Frankfurt.


It should be noted that data "at rest", that is, "not yet (or no longer) in use or in motion," means all data stored on any local or remote storage drive, as well as backups made on our local storage drives or cloud network servers, which are encrypted by us for the purpose of protecting data security.



15. COMMUNICATIONS

If you have any questions, concerns or requests regarding this Privacy Policy or the processing of your personal data, you may contact us as a data subject at the following e-mail address: legal@meetalpha.it