Privacy policy

MHADLY.COM PRIVACY POLICY

Who is the Data Controller?¹

MHADLY by Blue Series S.r.l. with registered office in via Salaria 14 63077 Monsampolo del Tronto (AP) Italy (VAT number: IT02099810448) (hereinafter, "Controller")

How can I contact them?

The company's contact details are:
Certified email (PEC): blueseries@legalmail.it
Address: info@mhadly.com

1. Introduction

Pursuant to the European Regulation on the protection of personal data (GDPR), legal entities are not considered data subjects and therefore the European regulation does not apply. However, if, in the context of collecting company data, personal data referring to a natural person is entered, that person is to be considered a data subject within the meaning of the aforementioned regulation, with the consequent applicability of the relevant legislation.

2. What processing is carried out through the site?
And what are the legal bases, the purposes and the retention periods?

B2B REGISTRATION

PURPOSE
The purpose of the data processing is to register on the site and to be able to make purchases. After submission, the registration request will be subject to an internal check for approval. The data may be used to protect or exercise a right in the event of litigation.

LEGAL BASIS
Contract performance. Legitimate interest of the Controller in the event of litigation.

RETENTION PERIOD
If the account remains inactive for 3 years, we will send you an email to ask whether you are still interested in keeping it active; otherwise the account will be deleted.
The data will be processed for a longer period in the event of litigation.

OTHER INFORMATION
Providing the data is mandatory and, if you refuse to provide it, it will not be possible to purchase the requested products.

B2C REGISTRATION

PURPOSE
The purpose of the data processing is to register on the site and to be able to make purchases more easily.

LEGAL BASIS
Consent of the Data Subject.

RETENTION PERIOD
If the account remains inactive for 3 years, we will send you an email to ask whether you are still interested in keeping it active; otherwise the account will be deleted.

OTHER INFORMATION
Providing the data is not mandatory, since purchases can also be made in "guest" mode.

PURCHASE

PURPOSE
The main purpose of the data processing is to allow the User to purchase and receive the requested product and, moreover, the data is necessary for the fulfillment of legal obligations (including of an accounting and tax nature). The data may be needed in the event of disputes raised regarding the correct performance of the contract.

LEGAL BASIS
Performance of a contract and consequent fulfillment of the legal obligations incumbent on the data controller. In the event of litigation, the data will be processed to act or defend in court, and this corresponds to the legitimate interest of the data controller.

RETENTION PERIOD
The data will be deleted 10 years after the fulfillment of the contract. It may be kept longer only in the event of disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

OTHER INFORMATION
Providing the data is mandatory and, if you refuse to provide it, it will not be possible to purchase the requested products.

PURCHASE WITH QUICK CHECKOUT

PURPOSE
The main purpose of the data processing is to allow the User to purchase and receive the purchased product. The data is also necessary for the fulfillment of legal obligations (including of an accounting and tax nature). Finally, it may be needed in the event of disputes raised regarding the correct performance of the contract.

LEGAL BASIS
Performance of a contract and consequent fulfillment of the legal obligations incumbent on the data controller. In the event of litigation, the data will be processed to act or defend in court, and this corresponds to the legitimate interest of the data controller.

RETENTION PERIOD
The data will be deleted 10 years after the fulfillment of the contract. It may be kept longer only in the event of disputes and therefore to exercise or defend a right based on the legitimate interest of the data controller.

SOURCE AND CATEGORIES OF DATA PROCESSED
In the case of purchase through quick checkout, the personal, shipping, billing and contact data will be imported from Shop Pay (art. 14 GDPR)

NEWSLETTER / DEM

PURPOSE
The purpose of the data processing is to send the User newsletters and DEM through traditional methods or also through automated methods.

LEGAL BASIS
Consent given by the Data Subject pursuant to articles 6, par. 1, letter a) GDPR and 130 par. 1-2 of Legislative Decree 196/03

RETENTION PERIOD
1 year from the last send or until consent is withdrawn.

OTHER INFORMATION
Consent may be withdrawn at any time. The User is entirely free to provide the requested data, since there is no legal obligation to provide it. However, if the user chooses not to provide the data marked as essential, the Controller will not be able to achieve the indicated purpose.

NEWSLETTER / DEM "Soft spam"

PURPOSE
The purpose of the data processing is to send you newsletters and DEM. In the event of purchase of our product, your data will be exported to a CRM for sending commercial information on products similar to those purchased.

LEGAL BASIS
In the event of purchase, your consent is not necessary under art. 130 par. 4 of Legislative Decree no. 196/03.

RETENTION PERIOD
1 year from the last send or until consent is withdrawn.

OTHER INFORMATION
You can opt out at any time.

PROFILING

PURPOSE
The purpose of the data processing is to send you newsletters and DEM in line with your preferences.

LEGAL BASIS
Consent of the Data Subject.

RETENTION PERIOD
1 year from the last send or until consent is withdrawn.

OTHER INFORMATION
You can opt out at any time.

TRANSACTIONAL EMAILS

PURPOSE
The purpose of the data processing is to send the User information relating to the purchase made or to complete the registration.

LEGAL BASIS
Contract performance.

RETENTION PERIOD
Until the delivery of the order or the completion of the registration.

OTHER INFORMATION
Transactional emails are sent to allow better order management and to provide the Customer with confirmation relating to the purchase, shipping and registration.

MARKETING AND PROFILING THROUGH DIGITAL PLATFORMS

PURPOSE
The purpose of the data processing is to show marketing content based on your interests, as identified by your interactions on our site or social media. This includes the use of retargeting tools from digital platforms to deliver targeted advertising messages.

LEGAL BASIS
Consent, which may be acquired through various methods:
1. Through the Cookies on our Site: Your consent to marketing and profiling cookies is collected through the cookie settings on our site.
2. For CRM Custom Audience Campaigns (Prospecting and Retargeting): For these campaigns, we obtain your explicit consent to use your contact data (e.g. email address) for marketing purposes.
3. Interaction with Social Pages: If you have given consent to the use of profiling cookies on our Site, we may process your contact data and the information communicated during the interaction with the Social Pages. We use this information, in accordance with your privacy settings on social media, to show personalized marketing ads.

RETENTION PERIOD
The data will be kept until consent is withdrawn through the cookie settings.

OTHER INFORMATION
1. Consent acquired through the Cookies on our Site: The User can manage or withdraw this consent at any time, as described in our Cookie Policy. We also inform you that cookies may be both first and third party and therefore installed, through us, directly by Meta.
2. Consent acquired for CRM Custom Audience Campaigns (Prospecting and Retargeting): This consent allows us to process your data to identify similar audiences (lookalike) and to show targeted advertising on social media and other digital platforms.
In the case of simple User segmentation, your consent is not required.

ABANDONED CART

PURPOSE
The purpose of the data processing is to be able to send 1 email to invite the user to finalize the purchase interrupted on the site.

LEGAL BASIS
Legitimate interest of the Controller in the completion of the purchase.

RETENTION PERIOD
72 hours.

OTHER INFORMATION
The provision of data is automatic and follows the partial completion of the shopping cart.

CONTACT

PURPOSE
The purpose is to contact the company to ask for information.

LEGAL BASIS
Performance of pre-contractual measures carried out at the request of the Data Subject / Contract performance.

RETENTION PERIOD
We will process the data for the time necessary to respond to the requests and will subsequently delete the data.

OTHER INFORMATION
The check on the obsolescence of the data is carried out every 12 months. The User is entirely free to provide the requested data, since there is no legal obligation to provide it. However, if the user chooses not to provide the data marked as essential, the Controller will not be able to achieve the indicated purpose.

FEEDATY REVIEWS

PURPOSE
The purpose is to share your experience and promote the company

LEGAL BASIS
Legitimate interest of the Controller in requesting the review and the consent given by the Data Subject to the tool. This review may be imported onto the site.

RETENTION PERIOD
The reviews will be published on the site until they become obsolete and/or until consent is withdrawn.

OTHER INFORMATION
The provision of data for the request is automatic and follows the purchase of the product. The consent given to the tool to which the review was provided can be withdrawn at any time.

BROWSING DATA

PURPOSE
Security of the site

LEGAL BASIS
We will process the data based on the legitimate interest of the company in IT security and in the fulfillment of legal obligations. The legal basis for the processing of cookies other than the necessary ones is consent

RETENTION PERIOD
24 months

OTHER INFORMATION
For the rules on cookies, please refer to the dedicated policy.

3. What else do I need to know?

The data will be processed lawfully, fairly and with the utmost confidentiality, in compliance with adequate security measures as provided by the Code and the Regulation. The processing will be carried out by digital means. The data will not be subject to public disclosure except for the reviews. Furthermore, the user will not be subject to automated decision-making processing such as profiling unless they consent to it through the installation of cookies or other tracking tools, for the regulation of which please refer to the dedicated policy.

4. To whom will my data be communicated?

The Controller may communicate the data to all those to whom the communication is mandatory by law for the fulfillment of the purposes provided by law. The Controller also makes use of certain companies or IT tools that carry out processing activities on the personal data of the data subjects in the exclusive interest of the Controller, all duly appointed as data processors pursuant to art. 28 GDPR. The data will also be communicated to the payment gateways as autonomous controllers. The list of data processors is available on site. The Company makes use of subjects designated as System Administrators, responsible for the management and maintenance of the IT systems. The updated list of System Administrators is available at the Office of the Controller and can be consulted upon request by the data subject.

5. What is the place of storage and transfer of the data?

The management and storage of personal data will take place on servers located within and outside the EU. The Controller guarantees that the extra-EU transfer takes place in compliance with articles 44-47 Chapter V of the GDPR through the signing of standard contractual clauses and/or through the Adequacy Decisions of the EU Commission.

6. What are my rights and how can I exercise them?

a) Rights of the data subject
The user, in their capacity as data subject, has the rights referred to in art. 15 et seq. of the Regulation and precisely:

1. RIGHT OF ACCESS (art. 15 GDPR)
The data subject has the right to obtain confirmation of the existence or otherwise of personal data concerning them, even if not yet recorded, and their communication in an intelligible form.

2. RIGHT OF RECTIFICATION (art. 16 GDPR)
The data subject has the right to obtain the rectification of inaccurate personal data concerning them and also the integration of incomplete data.

3. RIGHT OF ERASURE (art. 17 GDPR)
The data subject has the right to obtain the erasure of personal data in the presence of particular reasons such as the withdrawal of consent, opposition to processing, or if the data is no longer necessary in relation to the purposes for which it was collected and processed, or in the event of unlawful processing. It will not always be possible to proceed with erasure, but it will certainly be the responsibility of the data controller to provide adequate justification.

4. RIGHT TO RESTRICTION OF PROCESSING (art. 18 GDPR)
The data subject has the right to obtain the restriction of processing in the presence of particular cases such as, for example, in the case of a request for rectification or opposition during the time of evaluation of the requests.

5. RIGHT TO PORTABILITY (art. 20 GDPR)
If the processing is based on consent or on the contract and is carried out by automated means, the data subject can receive it in a structured, commonly used and machine-readable format, or ask to transmit it to another controller.

6. RIGHT TO OBJECT (art. 21 GDPR)
The data subject has the right to object, in whole or in part:
a) for legitimate reasons, to the processing of personal data concerning them, even if relevant to the purpose of the collection;
b) to the processing of personal data concerning them for the pursuit of purposes not contemplated by art. 2.
The user can submit a request to object to the processing of their personal data pursuant to article 21 of the GDPR, giving evidence of the reasons that justify the objection: the Controller reserves the right to evaluate the request, which would not be accepted in the event of compelling legitimate grounds to proceed with the processing that override the interests, rights and freedoms of the user.

7. RIGHT TO LODGE A COMPLAINT
The data subject has the right to lodge a complaint with the competent supervisory authority pursuant to article 77 of the GDPR if they believe that the processing of their data is contrary to the legislation in force.

 

b) Methods of exercise:
The data subject can at any time exercise the rights referred to in the previous article by contacting the data controller at the addresses indicated above.

Last version: 18 June 2026
This policy was drafted by Polimeni.Legal

 

¹ Pursuant to art. 4 no. 7 GDPR: the data controller is the one who determines the purposes and means of the processing of personal data, and their responsibilities are identified by art. 24 GDPR.