Privacy Policy

Palera Milano — paleramilano.com
Last updated: 30/06/2026

This Privacy Policy is issued in compliance with Regulation (EU) 2016/679 (“GDPR”), the Italian Personal Data Protection Code (Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018), and is drafted with regard to the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, Brazil’s LGPD, and Canada’s PIPEDA for the benefit of our international clientele.

1. Who We Are

Palera Milano S.r.l. (“Palera Milano,” “we,” “us,” or “our”) is an Italian limited liability company with its operating office at Via Vallarsa 26, 20139 Milan (MI), Italy, VAT and tax identification number 12427630962. We are the Data Controller responsible for the personal data we collect and process in connection with our website at paleramilano.com (the “Site”), our customer service channels (including email and WhatsApp), and our private showroom and brand events.

We are an Italian fashion house selling and shipping to clients worldwide, and we have written this Policy to be clear and useful regardless of where you are visiting us from. Where local law gives you additional or different rights — for example under the laws of California, the United Kingdom, Brazil, or Canada — we explain those separately in Section 11.

This Privacy Policy should be read together with our Cookie Policy, which contains the full, authoritative list of cookies and tracking technologies we use, their purposes, and how to manage your preferences. Where this Policy refers to cookies or tracking, the Cookie Policy governs the specifics.

2. The Personal Data We Collect, Why, and on What Legal Basis

We only process personal data where we have a clear legal basis to do so under Article 6 of the GDPR. The table below sets out, in plain terms, the categories of data we collect, what we use them for, and the legal basis that applies to each.

| Category of Data | What We Collect | Why We Use It | Legal Basis |
|---|---|---|---|
| Identity & Contact Data | Full name, billing and shipping address, email, phone number | To process your order, arrange shipping, prepare made-to-order items, issue invoices required by Italian tax law, and communicate with you about your order | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (invoicing) |
| Payment & Transaction Data | Payment details (processed by our PCI-compliant payment processor — we do not store full card numbers), order value, transaction history | To process payment, manage refunds and returns, and screen for fraudulent transactions | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest (fraud prevention) |
| Technical & Usage Data | IP address, device and browser type, operating system, pages viewed, referring URLs | To keep the Site secure and functioning, detect fraud, and (only with consent) understand how visitors use the Site | Art. 6(1)(f) — legitimate interest (security); Art. 6(1)(a) — consent (analytics) |
| Marketing Data | Email address, name, engagement with our campaigns (opens, clicks) | To send newsletters, lookbooks, and promotional communications you have signed up for | Art. 6(1)(a) — explicit consent |
| Existing-Client Soft-Opt-In Marketing | Email address, products purchased | To tell existing clients about similar products or services, under the Italian “soft-spam” exception | Art. 6(1)(f) — legitimate interest, applied per Art. 130(4) Italian Privacy Code; free, instant opt-out offered with every email |
| Styling Profile & Preferences | Purchase history, browsing and style preferences, size information you choose to share | To offer personalised styling recommendations and invitations to private collections, where you have opted in | Art. 6(1)(a) — separate, specific consent (not bundled with general marketing consent) |

Where we ask you to provide personal data to enter into a contract with us (for example, to complete an order), providing that data is necessary: if you do not provide it, we will not be able to process your order. Fields marked as optional on our forms are exactly that — optional, and not providing them will not affect your purchase.

2.1 Automated Decision-Making and Fraud Screening

We use automated fraud-screening tools provided by our payment and e-commerce platform to flag transactions that may be fraudulent. These tools may temporarily hold or decline an order based on automated risk scoring. This screening does not produce decisions with legal or similarly significant effects on you without the possibility of human review: if your order is declined or flagged, you can always contact us at the address in Section 12 to request a manual review.

3. How We Collect Your Data

  • Directly from you: when you create an account, place an order, sign up for our newsletter, contact customer service, message us on WhatsApp, or attend one of our private events.
  • Automatically: through cookies and similar technologies when you browse the Site (see our Cookie Policy for full details).
  • From third parties: such as our shipping and logistics partners (delivery confirmations), our payment processor (payment confirmations), and, where you have connected a social account, from that platform.

4. Who We Share Your Data With

We do not sell your personal data. We share it only with carefully selected partners who need it to help us run our business, each acting either as an independent Data Controller for their own purposes or as our Data Processor under a written data processing agreement that binds them to GDPR-standard confidentiality and security obligations.

| Category of Recipient | Examples & Purpose | Role |
|---|---|---|
| E-commerce platform | Shopify Inc. — hosts our online store, processes orders, manages checkout security | Processor |
| Payment processors | Shopify Payments and other PCI-DSS compliant payment gateways — process your payment securely | Processor / independent Controller for fraud and compliance obligations |
| Logistics & couriers | DHL, FedEx, and other carriers — receive your name, address, and phone number solely to deliver your order | Independent Controller (for customs, transit, and delivery purposes) |
| Analytics providers | Google LLC (Google Analytics), Microsoft Corporation (Clarity) — help us understand site performance, only where you have consented | Processor (where configured for analytics) |
| Advertising partners | Meta (Facebook/Instagram), TikTok, Pinterest, Google Ads — show you relevant advertising, only where you have consented | Independent Controller (these platforms generally process pixel data for their own advertising purposes too) |
| Email marketing platform | Klaviyo — stores contact details and sends our newsletters and transactional emails on our behalf | Processor |
| Translation app | Transcy — displays the Site in your preferred language | Processor |
| Professional advisers & authorities | Our accountants, lawyers, insurers, and, where legally required, tax or law-enforcement authorities | Independent Controller / as required by law |

4.1 WhatsApp and Messaging Channels

If you contact us via WhatsApp, your messages and the metadata associated with them (such as your phone number) are processed using WhatsApp’s infrastructure, operated by Meta. This involves a transfer of your data to the United States under Meta’s own privacy terms and applicable transfer safeguards. We use WhatsApp only for direct customer service communications that you initiate or consent to.

5. International Data Transfers

Because we work with global service providers and ship worldwide, your personal data may be transferred to, and processed in, countries outside the European Economic Area (“EEA”), including the United States, Canada, and the United Kingdom. We only make such transfers where one of the following safeguards applies:

  • Adequacy decisions: where the European Commission has formally determined that a country offers an adequate level of data protection. This currently includes the United Kingdom and, for private-sector organisations only, Canada (Canada’s adequacy decision covers commercial activities regulated by PIPEDA and does not extend to all Canadian organisations or government bodies).
  • The EU-U.S. Data Privacy Framework: for transfers to U.S. organisations that are certified under this Framework, which the European Commission has recognised as providing adequate protection.
  • Standard Contractual Clauses (SCCs): approved by the European Commission, used where a recipient is not covered by an adequacy decision or the Data Privacy Framework, together with a case-by-case assessment of additional safeguards where required.

6. How Long We Keep Your Data

We keep personal data only for as long as necessary for the purposes set out in this Policy, and in any event no longer than required by law.

| Category | Retention Period | Why |
|---|---|---|
| Order, invoicing, and fiscal records | 10 years from the date of the transaction | Mandatory under Italian tax and accounting law (Art. 2220 of the Italian Civil Code) |
| Account and order-history data not subject to fiscal retention | For as long as your account remains active, plus 24 months of inactivity | To allow you to manage orders, returns, and warranty claims; deleted or anonymised afterward |
| Marketing and newsletter data | Until you withdraw consent or after 24 months of no engagement | Consent-based; kept current and relevant |
| Styling profile / CRM personalisation data | Up to 7 years from your last interaction | Reflects the typical lifecycle of a long-term client relationship in the luxury sector |
| Customer service correspondence | 3 years from the last exchange | To handle any follow-up queries or disputes |
| Technical/security logs | Up to 12 months | Security monitoring and fraud prevention |

7. How We Protect Your Data

We apply technical and organisational measures appropriate to the risk, including encryption of data in transit (TLS), restricted access to personal data on a need-to-know basis, secure hosting through reputable, audited infrastructure providers, and regular review of our security practices. No method of transmission or storage is completely secure, but we work to protect your data to a standard consistent with industry best practice and our obligations under Art. 32 GDPR.

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Garante per la protezione dei dati personali within the timeframe required by law and, where the risk is high, notify you directly.

8. Your Rights

Under Articles 15 to 22 of the GDPR, you have the right to:

  • Access: obtain a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: ask us to delete your data, where it is no longer needed and we are not legally required to keep it (e.g., fiscal records subject to the 10-year retention period cannot be deleted early).
  • Restriction: ask us to limit how we use your data in certain circumstances.
  • Portability: receive your data in a structured, commonly used, machine-readable format.
  • Object: object to processing based on our legitimate interest at any time and free of charge.
  • Withdraw consent: withdraw any consent you have given at any time, without affecting prior lawfulness.

To exercise any of these rights, contact us at the email address in Section 12. We will respond within one month, as required by Art. 12(3) GDPR (extendable by two further months for complex requests, in which case we will explain why).

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Italian supervisory authority, the Garante per la protezione dei dati personali (www.garanteprivacy.it), or with the supervisory authority of your own EU member state of residence.

9. Cookies and Tracking Technologies

Our Site uses cookies and similar technologies for essential functionality, analytics, and marketing. Full details of every cookie we use, its purpose, retention period, and how to manage your preferences are set out in our Cookie Policy, which forms part of this Privacy Policy. You can change your cookie preferences at any time using the “Cookie Settings” link in our website footer.

10. Children's Privacy

Our Site and products are intended for adults. We do not knowingly collect personal data from anyone under the age of 16, which is the general threshold under the GDPR for a child to consent to information society services without parental authorisation (Italy applies this same threshold of 16 under national implementing law). If we become aware that we have collected personal data from a child without appropriate consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us using the details in Section 12.

11. Additional Rights for Visitors Outside the EU/EEA

We ship worldwide and want every client to understand their rights clearly, wherever they are.

11.1 United Kingdom

If you are in the UK, the UK GDPR and the Data Protection Act 2018 apply to our processing of your data in substantially the same way as the EU GDPR. You have the same rights described in Section 8, and you may lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

11.2 California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, to request deletion of your personal information (subject to certain exceptions, such as fiscal record-keeping obligations), to correct inaccurate information, and to opt out of the “sale” or “sharing” of your personal information for cross-context behavioural advertising. We do not sell personal information for monetary consideration. Our use of advertising cookies may constitute “sharing” under the CPRA; you can opt out at any time via our Cookie Settings link, or by sending a recognised Global Privacy Control (GPC) signal. We will not discriminate against you for exercising these rights.

11.3 Brazil (LGPD)

If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) gives you rights of access, correction, deletion, portability, and withdrawal of consent that are equivalent to those described in Section 8. The European Union and Brazil have mutually recognised each other’s data protection frameworks as adequate, which supports the lawful transfer of your data between Brazil and the EU.

11.4 Canada (PIPEDA)

If you are in Canada, our handling of your personal information is consistent with the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA), including accountability, consent, limiting collection, and safeguarding your information. You may contact us to access or correct your information at any time.

11.5 Other Jurisdictions

If your local law provides rights not otherwise described here, we will honour those rights to the extent required by applicable law. Contact us and we will do our best to assist you.

12. Contact Us

We have not appointed a statutory Data Protection Officer, as this is not currently mandatory for our processing activities under Art. 37 GDPR. For any question about this Policy, to exercise your rights, or to raise a concern, please contact our privacy team:

Palera Milano S.r.l.
Via Vallarsa 26, 20139 Milan (MI), Italy
Email: clientservice@paleramilano.com

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or the law. We will post the updated version here with a new “Last updated” date, and where changes are material, we will provide additional notice (for example, by email or a prominent notice on the Site) before the changes take effect.