PRIVACY POLICY

This Privacy Policy provides users of this Website (the “Website”) with the most complete and clear information on the processing of their personal data through the Website pursuant to the General Data Protection Regulation (GDPR) and the Personal Data Protection Code.

Pursuant to legal requirements, this Privacy Policy also specifies:

  • the nature of the processed personal information;

  • the purposes and means of processing personal information;

  • the identity and contact details of data controllers;

  • contact details of the Data Protection Officer (DPO);

  • any third parties involved in the processing activities;

  • the retention period of personal information;

  • the security measures adopted to protect personal information;

  • the privacy rights of users.

This Privacy Policy applies exclusively to the Website and does not cover any websites or platforms to which the Website may link.

Users under the age of 16 cannot consent to the processing of their personal data without parental authorization.

1. Data Controller

Pursuant to GDPR, the data controller is the entity that, alone or jointly with others, determines the purposes and means of processing personal information.

Joint Controllers for data processing activities related to the Website are:

  • Magicoral S.r.l., Via Leonino da Zara 29, 35020 Albignasego (PD), Italy

  • The Level S.r.l., Piazza Arcole 4, 20143 Milan (MI), Italy

(the “Joint Data Controllers”).

The Data Controller is:

A Data Protection Officer designated by The Level S.r.l. ensures that the Website processes personal information in compliance with GDPR. The Data Protection Officer can be contacted for any requests at the following email addresses: privacy@thelevelgroup.com and dpo@thelevelgroup.com.

Regarding personal information of non-registered users who choose to receive newsletters and marketing communications, The Level S.r.l. and Magicoral S.r.l. act as Joint Controllers.

2. Personal Information. Purpose of Processing.

"Personal Information" refers to any information relating to users that personally identifies them, either alone or combined with other information.

Personal information is collected automatically by the Website or received through multiple sources: forms, chat, email, apps, devices, social media, and other means.

The Website processes personal information in various forms for the following purposes.

3. Navigation Data

The Website automatically collects non-sensitive navigation data to enable and enhance user navigation (e.g., IP address, date/time of visit and duration, referring URLs, pages visited on the Website, device used, and other information).

Processing such information enables users to access the Website and fully enjoy its features and services. Moreover, navigation data may be used to verify that the Website functions correctly.

Occasionally, navigation data is processed anonymously for statistical purposes.

Navigation data is unlikely to identify the data subject directly. However, due to its nature, it might allow identification if associated with other information.

The navigation data described above is stored only temporarily, in compliance with applicable laws.

4. Orders

At checkout, the Website requires users to provide personal information essential to fulfill purchase orders and contractual obligations (e.g., name, email, delivery address, etc.).

This personal information is also essential for Customer Service to assist customers with inquiries and related needs before or after sales (e.g., order status or product returns).

Order-related personal information will be stored for as long as necessary to fulfill contractual obligations and applicable fiscal and financial reporting obligations.

The Website may verify payment instruments used by customers (e.g., credit or debit cards) primarily to prevent fraudulent activities or comply with applicable anti-money laundering laws. Payment verification is fully entrusted to third-party payment processors; Data Controllers do not process or store customers' financial information.

Failure to provide the required personal information at checkout will prevent users from completing orders on the Website.

Based on legitimate interest in improving customer relationships, the Website will send customers email communications with product recommendations, discounts, feedback requests, or other updates. Customers can always unsubscribe from these emails (e.g., by clicking the "unsubscribe" link at the bottom of each email).

5. Website Registration

Users registering a personal Website account are asked to provide personal information (e.g., date of birth, gender). The Website clearly indicates which personal information is mandatory (or optional) for account setup.

Users must provide true and accurate personal information at registration and are encouraged to update their information by accessing their personal account when changes occur.

Users activating or accessing their Website account via social media must be aware that the Website collects certain personal information already provided to the social media (e.g., email address, public Facebook profile).

Data Controllers do not oversee or control these social media services or user profiles on them, nor do they set privacy settings or rules regarding the use of personal information. Users are strongly encouraged to read the applicable social media policies and information regarding personal information processing.

6. Newsletters and Marketing Communications

On the Website, users may choose to receive newsletters and commercial communications.

The Website always collects explicit, free, and unambiguous user consent before sending newsletters and marketing communications or initiating targeted electronic marketing initiatives.

Users can easily withdraw consent to receive newsletters and commercial communications by:

  • Adjusting their account settings;

  • Clicking the "unsubscribe" link in emails;

  • Contacting our Customer Service.

For non-registered users receiving newsletters and marketing communications, The Level S.r.l. is the sole data controller.

7. Profiling

With user consent, newsletters and marketing communications may be tailored to user profiles based on collected personal information.

For customers, profiling aims to offer products aligned with their tastes, shopping habits, and interests.

Personal information may also be used for remarketing, retargeting, or profiling through third parties (e.g., social networks).

The Website and Data Controllers never profile children.

8. Cookies

Information about cookies used on the Website is available at: Cookie Policy.

9. Sharing and Transfer of Personal Information

Data Controllers may transfer customers' personal information to primary third-party providers ("Data Processors") to perform essential business operations necessary to fulfill contractual obligations.

Data Controllers ensure Data Processors implement industry best practices to protect personal information and use it only for agreed-upon purposes.

Personal information may be shared with categories of Data Processors such as:

  • Couriers and postal operators;

  • Order fulfillment centers and warehouses;

  • Advertising, digital, marketing, and social media agencies;

  • IT service providers;

  • Customer service providers;

  • Payment service providers.

Personal information sharing with Data Processors is essential to fulfill contractual obligations and improve Website products and services.

Users may request an updated list of Data Processors involved in personal information processing by emailing privacy@thelevelgroup.com.

Data Controllers may disclose personal information as required by law (e.g., law enforcement requests) or to protect the rights of Data Controllers, their affiliates, or third parties.

Personal information may also be disclosed to other companies within the same corporate group or third parties during corporate restructuring, fully compliant with applicable law.

Any other sharing of personal information requires prior explicit user consent unless permitted by an alternative legal basis.

Data Controllers do not transfer personal information outside the European Economic Area (EEA) without explicit user authorization or a legally permissible GDPR basis.

10. Processing Methods and Security Measures

Personal information is processed by Data Controllers using IT, automated, electronic tools, and occasionally, physical documentation. GDPR-compliant security measures prevent data loss, misuse, and unauthorized access.

Only authorized employees of Data Controllers and third-party providers, acting as Data Processors, have access to personal information. Data Processing agreements ensure compliance with GDPR security standards.

Despite implementing primary security measures, online data transmission inherently poses security risks. Users acknowledge these risks and do not hold the Website liable for security breaches, except for those caused by Website negligence or intentional misconduct.

11. Retention of Personal Information

Data Controllers retain personal information for the necessary period to provide requested services or comply with legal or tax obligations.

To determine appropriate retention periods for stored personal information, Data Controllers consider:

  • Purpose for retaining personal information;

  • Legal, fiscal, and regulatory obligations;

  • Nature of the ongoing relationship with users (frequency of account access, marketing communications, purchasing habits);

  • User requests for data deletion;

  • Legitimate commercial interests.

Personal information no longer needed or required by law is promptly deleted or anonymized.

Sales-related personal data is retained for the duration necessary to perform the contract and related services and subsequently as mandated by civil and fiscal regulations. Personal data collected for analysis of consumption habits, upon user consent, is retained for a maximum of 10 years from the user's last interaction.

12. Connections to Third-Party Websites or Platforms

The Website may contain banners, advertisements, or links to third-party websites or platforms. Data Controllers cannot control nor be held responsible for the privacy practices of third-party websites or platforms. Users are encouraged to review their privacy policies for further details on personal information processing.

13. User Rights

Users have the right to confirmation of whether Data Controllers hold their personal information.

Under GDPR, users also have the right to:

  • Be informed about collection and use of their personal information;

  • Access their personal information free of charge;

  • Rectify inaccurate or incomplete personal information;

  • Request deletion of personal information ("right to be forgotten");

  • Restrict or suppress their personal information processing under specific conditions;

  • Obtain and reuse their personal information across different services ("data portability") when processing is contract or consent-based and automated;

  • Object to processing of their personal information under specific conditions;

  • Object anytime to profiling or automated decision-making;

  • File complaints related to personal information collection and processing with competent supervisory authorities;

  • Withdraw consent to personal data processing at any time.

Users may contact the Website to exercise their privacy rights by emailing: privacy@thelevelgroup.com.

14. Amendments to this Privacy Policy

Future amendments to this Privacy Policy will be published on the Website and, where appropriate, notified to users via email. Users are encouraged to frequently review this Privacy Policy to stay updated on any changes.

Last updated: March 2025