This privacy policy statement describes how Enervit S.p.A. (the Company or Enervit) processes the user’s personal data on the e-commerce area of the Enervit website. It sets out the type of data that Enervit needs to collect in order to enable users to buy its products and thus to enter into a contractual relationship with it. The Company uses that data to operate its business, for legitimate commercial purposes and to meet current and potential customers’ needs effectively.

This privacy policy is provided under and by reason of article 13 of Regulation (EU) 2016/679 (the Privacy Regulation, General Data Protection Regulation or GDPR).

The data controller is the Company, with registered office and address for service at Via Achille Papa 30, 20149 Milan, Italy, in the person of its acting legal representative (the Data Controller).

You can contact the Data Controller via email at privacy@enervit.it or by post at the above address.

The Data Controller may appoint internal or external data supervisors (the Data Supervisors) and appointed people with the authority to process data (the Appointed People). A full up-to-date list of the Data Supervisors and Appointed People is available from the Data Controller at the above addresses.

Under article 37 of the GDPR, the Company has also appointed a Data Protection Officer (DPO), who can be contacted via email at dpo@enervit.it and by post at the above address.

In providing its services, the Company obtains your personal data directly from you. In particular, the Company processes the following kinds of non-sensitive personal data:

• Personal contact details. All the details you provide for us to contact you, e.g. your forename, surname, postal address, email address, social-media details or telephone number.
• Profile information: preferred sports, preferred nutrition products.
• Connection information: coach, training partner, or friends.
• Information for Enervit Nutrition Planner activity: height, weight, sweat rate, actual performance information.
• Events and nutrition plans: planned activities (training and races), nutrition plans as generated by or as modified by you or others on your behalf, planned and actual nutrition, target and actual performance, annotations on plans and performance.
• Account access details. Any information needed for you to access your specific account: e.g. your access ID / email address, user name, password and/or security questions and answers.
• Demographic information. Any information about your demographic or behavioural traits, e.g. your date of birth, age or age group, sex, geographical area (e.g. postcode), favourite products, hobbies and interests, and domestic or lifestyle details.
• Technical information on your computer / mobile device. Information about the IT system or device that you use to access one of our websites or apps, such as the IP address used to connect your computer or device to the internet, the operating system, or the type and version of your web browser. If you access an Enervit website or app via a mobile device, such as a smartphone, then we shall also obtain your device’s unique identifier, advertising ID, geolocation and similar data about it, where permitted.
• Information on website use / communication. When you browse and interact with our websites or newsletter, we use technologies to gather data automatically to obtain certain information about your behaviour. This includes information about the links that you clicked on, the pages or content that you viewed and how long for, and similar information and statistics about your interactions, the time you took to respond to the content, any download errors and how long you spent on certain pages. This information is collected using automated technologies, such as cookies (browser cookies, flash cookies) and web beacons, and via third-party monitoring services. 
• Consumer feedback. Information on your experience with using our products and services that you choose to share with us.
• Consumer-generated content. Any content that you create and share with us on social media or by uploading it to one of our websites or apps, including via network apps such as Facebook. This may include, for example, photos, videos, personal stories or other similar content or media. Where permitted, we collect and publish content generated by users in connection with various activities, including competitions and other promotions, the shared functions of websites, user participation and third-party social events.
• Social-media information. Any information that you share publicly on a social network or information that is part of your profile on a third-party social network (e.g. Facebook) and that you allow the third-party social network to share with us. Examples include basic account information (e.g. name, email address, sex, date of birth, town of residence, profile photo, user ID, list of friends) and all other information or activities that you allow the third-party social network to share. We receive your social-network profile information (or part thereof) whenever you download or interact with an Enervit web app on a social network such as Facebook, whenever you use a function integrated with an Enervit website (e.g. Facebook Connect) and whenever you interact with us via a social network. To find out more about how Enervit obtains your information from third-party social networks or to stop sharing this social-media information, please visit the website of the social network in question.
• Payments and financial information. All the information that we need to fulfil an order or that you use to place one, e.g. your credit or debit card details (cardholder name, card number, expiry date, etc.) or other available payment methods (if any). We handle all payment and financial information in accordance with all applicable laws, regulations and safety standards, e.g. the data protection standards in the payment card sector.
• Telephone calls to Customer Services. Calls to Customer Services may be recorded, in line with the applicable laws, for local operational purposes (e.g. for quality or training purposes) and, in certain cases, to obtain proof of consent for direct marketing or profiling. Payment card details are not recorded. Where the law requires, we shall inform you when calls are recorded at the start of your call, and you will be able to decline.

The Company processes your personal data specifically in order to provide services for the following purposes:

1. Selling Enervit products and providing customer service. Our sales and customer services efforts involve using Enervit customers’ general personal and contact details (forename, surname, email address, telephone number, delivery address, billing details and order history).
2. Fulfilling orders. We use your personal data to fulfil and ship your orders, to inform you about the status of your orders and deliveries (which may involve a link to the shipper’s web platform), to enable you to view your order history and amend addresses, and to perform identity checks and other fraud-prevention activities. This involves the use of certain personal and payment method information.
3. Compliance with accounting and tax obligations. We are required by law to comply with specific administrative, accounting, tax and other obligations.
4. Marketing – Company promotional and commercial messages. We use your personal data – with your specific consent – to send you commercial messages about goods or services and to offer you exclusive promotions. This may be done via email, the post, advertising, text messages or telephone calls, as permitted by law. Some of our marketing campaigns may appear on third-party websites and/or social-media sites. This use of your personal data is voluntary; therefore, you may object to having your data processed for these purposes. We use your personal data when you interact with third-party social-media functions, e.g. by clicking on “Like” buttons, in order to send you advertising. To find out more about how these social networks operate, including the profile data that we obtain about you and how you can exercise your rights against them, you can read the privacy policies of the social networks that you use.
5. Marketing – Promotional and commercial messages from third-party companies. With your specific consent, we send your personal data to third-party companies and/or individuals that Enervit works with or has partnership agreements with. Those third parties may process your data in order to send you newsletters or other commercial, promotional, marketing or general information about their products.
6. Profiling (offline and online). With your express consent, we use your personal data (i) to analyse your preferences, habits and consumption choices, (ii) to anticipate your needs based on our analyses of your profile, (iii) to enhance and personalise your experience on our websites and apps, and (iv) to enable you to use interactive functionality, when you wish. For example:
   • We record your access ID / email address or user name so that you can access our website immediately the next time you visit and retrieve the products previously added to your cart.
   • We automatically generate an email to remind you about products that you left in your cart.
   • We send you an email or notification with personalised promotions once you access your personal area.

   Based on this type of information and with your consent, we show you content or specific promotions from Enervit based on your interests. This use of your personal data is voluntary; therefore, you may object to having your data processed for these purposes.

7. Other general purposes (e.g. internal research, analysis and security). We perform internal commercial analyses, including data analyses, research projects and trend analyses for statistical purposes and as surveys, e.g. collecting demographic information about users, information on age, willingness to spend, measuring the effectiveness of advertising campaigns, the amount of time that users spend on web pages, and how they browse the website. That data will be anonymised, and the aggregated information cannot be linked to any specific user.

The lawful bases for processing users’ personal data for the above purposes include:

• to fulfil a contract, including for the purposes in section 3, points a) and b);
• to fulfil one or more of Enervit’s legal obligations, including for the purposes in section 3, point c);
• your consent, such as for the purposes in section 3, points d)–f);
• to pursue Enervit’s legitimate interests, including for the purposes in section 3, point g).

You must provide the personal data that the Company needs to execute its contractual (section 3, letters a)–c)) or legal obligations (section 3, point d)) regarding the services, so no specific consent is needed to that end under GDPR article 7. Nor is consent required about data processed in the Data Controller’s legitimate interest (section 3, point g)). In these scenarios, if you do not provide your personal data or if you do not let us process it, then we shall be unable to enter into a contract with you, and you will be unable to receive our services.

In other scenarios, you will be asked for consent for the Company to use your personal data (section 3, points d)–f)). You do not have to provide your personal data for those purposes, so if you do not do so or if you do not let us process it, then the Company will still be able to enter into a contract with you. The Company and the other companies in Enervit group and any third-party companies will not, however, be able to update you about events, new product/service presentations, promotions, etc., nor will you be able to receive invitations, advertising, information or other publications that might interest you.

Your personal data may also be used, with no need for your prior consent, if it comes from public registers, lists, records or documents accessible to anyone and, in any event, if the data is processed (not including dissemination) to assert or defend the Company’s rights in a court of law.

Your personal data is processed by people with the necessary training in personal data processing. They may be employees, contract staff or external consultants specifically appointed by the Data Controller as Data Supervisors or Appointed People within the context of their respective roles. Your personal data is also processed using electronic, automated, telematic and digital means and, in any event, for reasons strictly related to the above purposes, in order to keep the personal data confidential and secure. The Company processes data lawfully, transparently, meticulously and proportionately, with honesty and integrity, only where the processing is relevant to and necessary for the purposes involved, while safeguarding your privacy and your rights.

We shall keep your personal data for the period of time permitted by law or by regulations, where applicable, and in any event for no longer than is strictly necessary for the purposes involved and in line with Enervit’s Data Retention policy. Your personal data will be processed and kept in electronic storage systems at the Company headquarters and at the offices of the professionals and/or service companies to which your personal data is sent for the above purposes and in line with our supplier/consultancy agreements with them.

To comply with specific legal obligations or for reasons strictly instrumental to the execution of the contract with the Company, your personal data gathered in the process of supplying the service may be shared for the above purposes with the following recipients:

• freelance professionals and advisors providing legal, tax and commercial services;
• banks and financial institutions;
• service suppliers and other third parties, where strictly necessary for the above purposes, or to parties permitted to access the data under secondary or European Union law;
• Enervit group companies;
• the Fondazione Paolo Sorbini food science foundation;
• social media (e.g. Facebook).

The service suppliers are external companies that we use to help run our business (for order fulfilment, payment processing, fraud monitoring, identity verification, credit recovery, developing or operating our website, support services, promotions, data analysis, customer services, etc.). The service suppliers and their appointed personnel may access and use your personal data only on our behalf and in line with our instructions. These recipients are obliged to keep your personal data confidential and secure.

To comply with specific legal obligations or for reasons strictly instrumental to the execution of the contract, your personal data may be shared with other companies in our group. If your data is sent outside the EU, then your rights will be safeguarded and protected to the same extent as under the GDPR.

1. to ask the Data Controller for access to your personal data, to have it corrected or deleted, or to restrict how it is processed;
2. to object to having your personal data processed;
3. to exercise your right to data portability;
4. to withdraw your consent at any time (without affecting the lawfulness of the processing carried out based on your consent before you withdrew it);
5. to complain to a supervisory authority.

You can exercise the above rights by contacting the Data Controller informally via email at privacy@enervit.it or by post at Via Achille Papa 30, 20149 Milan, Italy.

Enervit S.p.A. (Enervit or the Company) wants its relationships with its customers and users to be founded on transparency. Accordingly, it applies this principle when handling personal data.

The website users’ personal data is processed as set out below.

This privacy policy statement is provided under article 13 of Regulation (EU) no. 2017/679, “Protection of natural persons with regard to the processing of personal data and the free movement of such data” (the GDPR), to those who interact with the Enervit web services accessible electronically at www.enervit.com/en.

The policy is also based on Recommendation no. 2/2001, adopted by the European personal-data protection authorities on 17 May 2001 at the meeting of the working group established under article 29 of directive no. 95/46/EC. The Recommendation sets out core requirements for collecting personal data online – in particular, the means used, the timescales involved, and the kind of information that data controllers must give to users when they connect to webpages for whatever reason.

The data controller is Enervit S.p.A., with registered office at Via Achille Papa 30, 20149 Milan, Italy.

Under article 37 of the GDPR, the Company has also appointed a Data Protection Officer (DPO). They can be contacted via email at dpo@enervit.it and by post at the above address.

An internal data supervisor has been appointed along with the external data supervisors with which the data is shared in order to be processed.

For a full list of the data supervisors, email Enervit at privacy@enervit.it.

Data is processed in association with the web services for this website at the Company headquarters and at the offices of the external companies appointed by Enervit as data supervisors under GDPR article 28.

Website-use data

The information systems and software procedures deployed to run this website gather some personal data during their normal operation. These data items are sent to us as an inevitable result of communicating via the internet.

When collecting this information, Enervit does not seek to associate it with identified individuals. By its nature, however, it could potentially be used – by processing it and linking it with data held by third parties – to identify users.

Website-use data includes: the IP addresses or domain names of computers that users use when visiting the website; URI (Uniform Resource Identifier) addresses of the resources requested; the time of the request; the method used to send the request to the server; the size of the file obtained in response; the numeric code for the response status from the server (success, error, etc.); and other parameters about the user’s operating system and computing environment.

This data is used only to obtain anonymous statistical information on use of the website and to ensure that the website is working properly; the data is deleted immediately after being processed. The data could be used to investigate who is responsible for damage to the website in a cybercrime.

Data provided by the user

When a user voluntarily and expressly chooses to send email to the addresses stated on this website, the Company will obtain the sender’s email address, which is necessary in order to reply, and any other personal data included in the message.

Technical information about your computer / mobile device

We obtain information about the IT system or other device that you use to access our websites or apps, such as the IP address used to connect your computer or device to the internet, the operating system, or the type and version of web browser. If you access an Enervit website or app via a mobile device, e.g. a smartphone, the information gathered will also include, where permitted, your device’s unique identifier, advertising ID, geolocation and similar data about it.

Browsing / communication data

When you browse and interact with our websites or newsletter, we use technologies to gather data automatically to obtain certain information about your behaviour. This includes details about the links that you have clicked on, the pages or content that you have viewed and how long for, and similar information and statistics about your interactions, the time you take to respond to the content, any download errors, and how long you spent on certain pages. This information is collected using automated technologies, such as cookies (browser cookies, flash cookies) and web beacons, and via third-party monitoring services.

Further to the remarks about website-use data in section 4, the personal data that users provide via the website is processed for the following purposes:

1. to manage the Company’s essential dealings with users, such as – purely by way of example – answering questions received via email, enabling access to private sections of the website, managing newsletter subscriptions, and handling CVs for staff recruitment purposes and other relevant information sent by the user;
2. to enable the Company to fulfil its contractual obligations to its customers and users, and vice versa, along with the resulting accounting and tax obligations;
3. to enable the Company to comply with its legal and regulatory obligations, with EU law and with measures laid down by legally authorised authorities and by supervisory and regulatory bodies;
4. where necessary to establish, exercise or defend a right in a court of law and whenever the judicial authorities exercise their judicial functions;
5. to provide information about other products and/or services provided by the Company and/or third-party companies and to send commercial, marketing and advertising content in newsletter form, with your consent;
6. to profile users, with their consent, into groups so as to avoid sending general commercial and advertising information to all users indiscriminately. This enables us to segment the user base, by creating groups with different interests, based on their country of origin, language, gender and purchase history, for example. Thus we can send commercial messages that are as relevant and unintrusive as possible, to reduce the likelihood (as far as is possible) of users receiving unwanted messages. Note that consent given for advertising messages includes not only messages sent via automated systems without operator intervention (e.g. email) but also traditional contact methods such as the post. You can always withdraw consent for having your data processed for this purpose or give consent for certain methods only: e.g. to receive advertising by post but not via automated systems;
7. for research/statistical purposes based on aggregated or anonymised data, in which users cannot be identified, in order to monitor how the website and its functions operate and to resolve any technical issues.

Some specific services cannot be provided without your personal data; detailed privacy notices are available in the website pages for particular on-demand services.

The lawful basis for processing personal data for the purposes in point a) is to provide a service or respond to a request; by law, the user’s consent is not required.

For purposes b)–d), the data must be processed to pursue the Company’s legitimate interests.

For purposes e) and f), the user’s data is processed only with their express consent, given by signing the relevant summary information notices, which will be provided or displayed on the webpages provided for particular on-demand services. No personal data is processed for purpose g).

Except as stated for the website-use data, users are free to provide their personal data and to consent to the types of processing stated in the specific privacy notices.

The Company website may include third-party advertising messages and links to other websites and apps selling products and services. Our third-party advertising partners may gather information about you when you interact with their content, adverts or services.

Your personal data is processed with automated tools for as long as is strictly necessary for the purposes for which it was collected and in line with Enervit’s Data Retention policy.

We apply dedicated security measures to prevent data loss, unlawful or improper use, and unauthorised access attempts.

You have the right at any time to be told whether or not we hold data about you, to know what it contains and where it came from, to check if it is correct, and to ask for it to be added to, updated or corrected under GDPR articles 15 et seq.

Under those articles, you are also entitled to have data deleted, anonymised or frozen if it has been processed unlawfully. In any event, you can also object for legitimate reasons to your data being processed.

To exercise your rights, email us at privacy@enervit.it.

To comply with specific legal obligations or for reasons strictly instrumental to the execution of the contract, your personal data may be shared with other companies in our group. If your data is sent outside the EU, then your rights will be safeguarded and protected to the same extent as under the GDPR.

The Company may amend this Privacy Policy at any time, if the applicable law changes or for other reasons, by updating this page. You should check the Privacy Policy from time to time in order to stay up to date.