
Privacy Policy

This Privacy Policy explains how BEAUTY DEF S.R.L. (ISARO) processes personal data on the ISARO online shop.

Last updated: 10 May 2026 · Version 1.1

1. Data Controller

The data controller is BEAUTY DEF S.R.L., trading as ISARO, with registered office at Viale Montello 7, 20154 Milano (MI), Italy, VAT ID 08968280969.

Email: service@beautydef.it.

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store and share personal data when you visit the ISARO online shop, browse products, use the cart, create or access a customer account, place an order through Shopify checkout, contact us, apply to become a dealer, or interact with our cookie and analytics tools.

This Policy is intended for customers and visitors in the European Union and European Economic Area and should be read together with our Cookie Policy.

3. Personal Data We Process

  • Identity and contact data: name, email address, telephone number, billing and shipping address, company name, VAT number and business details where applicable.
  • Account data: Shopify customer account identifier, login/session data, profile details, addresses and order history made available through Shopify Customer Account.
  • Cart and order data: cart identifier, selected products, quantities, order details, checkout information, returns, refunds, invoices and customer service history.
  • Payment data: payment and transaction information processed by Shopify checkout and payment providers. We do not store full payment card details.
  • Technical and usage data: IP address, device and browser information, operating system, language preference, pages viewed, products viewed, search terms, cart interactions, referrer and consent status.
  • Cookie and local storage data: cookie consent choices, cart cookies, authentication cookies, language preference and the local storage cart state used to keep the cart available in the browser.
  • Dealer application data: contact name, company name, email, phone, country, city, business type, expected order volume, website, social profile, sales channels, message, application date, locale and consent confirmation.
  • Communications data: emails, support requests, complaints, feedback and other messages sent to us.

4. Purposes and Legal Bases

| Purpose | Personal data used | Legal basis |
| --- | --- | --- |
| To operate the website, cart, checkout, account login, security and language routing | Technical, cookie, local storage, cart and account data | Performance of a contract, Article 6(1)(b) GDPR; legitimate interests, Article 6(1)(f) GDPR; legal obligation where applicable |
| To process orders, payments, delivery, returns, refunds and customer support | Identity, contact, order, delivery, transaction and communication data | Performance of a contract, Article 6(1)(b) GDPR; legal obligation, Article 6(1)(c) GDPR |
| To manage customer accounts through Shopify Customer Account | Account, identity, contact, address and order history data | Performance of a contract, Article 6(1)(b) GDPR |
| To respond to enquiries and dealer applications | Contact, communication and dealer application data | Steps prior to a contract, Article 6(1)(b) GDPR; legitimate interests, Article 6(1)(f) GDPR |
| To protect the website against spam, fraud and abuse, including through Cloudflare Turnstile on dealer applications | Technical data, verification data and dealer application metadata | Legitimate interests, Article 6(1)(f) GDPR |
| To comply with tax, accounting, consumer protection and legal obligations | Order, invoice, transaction and communication data | Legal obligation, Article 6(1)(c) GDPR |
| To use analytics, marketing or profiling technologies such as Google Analytics 4, Google Tag Manager and Microsoft Clarity, where enabled | Cookie, usage, device, event and consent data | Consent, Article 6(1)(a) GDPR and applicable ePrivacy rules |

5. Cookies, Consent and Similar Technologies

We use strictly necessary cookies and similar technologies to run the website, maintain the cart, support checkout, provide account login, remember language preferences and store consent choices.

Optional analytics, marketing and profiling technologies are disabled unless you consent to the relevant category. You can accept, reject or manage optional categories in the cookie banner and change your choice at any time through the “Cookie settings” link in the footer.

We also use browser local storage for the persisted cart state under the key “isaro-cart”. This helps keep the cart available in the browser and is treated as a similar technology.

The ISARO storefront and Shopify checkout operate under the same root domain, isaromilano.com. At the date of this Policy, Shopify Customer Privacy API integration is not active in the custom storefront. Our website cookie banner controls the optional scripts loaded by this storefront, including Google Analytics 4, Google Tag Manager and Microsoft Clarity where configured.

6. Analytics and Profiling Technologies

Where you consent, we may use Google Analytics 4 to measure website performance, product views, cart interactions and similar usage events.

Our Google Analytics 4 property is currently configured to retain event data and user data for 14 months. The retention period is reset when there is new user activity, according to the current GA4 property setting.

Where you consent to profiling or personalization cookies, we may use Microsoft Clarity for session insight, heatmaps and website experience analysis. Microsoft Clarity retains playback or recording data for 30 days, and click data, heatmaps, labeled sessions and favorited sessions for up to 13 months.

7. Dealer Applications and Lark

If you apply to become a dealer or wholesale partner, we process the information submitted through the dealer application form, including contact name, company name, email address, phone number, country, city, business type, expected order volume, website, social profile, sales channels, application message, locale, submission date and consent confirmation.

We use Cloudflare Turnstile to help protect the dealer application form against spam and abuse.

Dealer application data may be stored and managed in Lark / Larksuite, which we use as an internal business record and workflow tool for reviewing dealer and wholesale applications.

The legal basis for processing dealer application data is taking steps prior to entering into a contract, Article 6(1)(b) GDPR, and our legitimate interests in reviewing business partnership applications and protecting the form from abuse, Article 6(1)(f) GDPR.

8. Service Providers and Recipients

  • Shopify, including Shopify Storefront, checkout and Customer Account services.
  • Payment providers available through Shopify checkout.
  • Hosting, infrastructure, security and deployment providers, including Cloudflare where used.
  • Cloudflare Turnstile for spam and abuse prevention on dealer applications.
  • Lark / Larksuite for storing and managing dealer and wholesale applications.
  • Google Ireland Limited for Google Analytics 4 and Google Tag Manager, where consent is given and the relevant services are configured.
  • Microsoft Ireland Operations Limited / Microsoft Corporation for Microsoft Clarity, where consent is given and the relevant service is configured.
  • Logistics, fulfilment, tax, accounting, legal and professional advisers where necessary.
  • Public authorities, courts or regulators where required by law.

9. International Transfers

Some providers may process personal data outside the European Economic Area. This may apply to Shopify, Google, Microsoft, Cloudflare, Lark and other infrastructure or support providers.

Where required, we rely on appropriate safeguards such as European Commission adequacy decisions, Standard Contractual Clauses, transfer impact assessments or other lawful transfer mechanisms under Chapter V GDPR.

10. Retention

We keep personal data only for as long as necessary for the purposes described in this Policy.

  • When data is no longer needed, we delete, anonymise or restrict access to it.

| Data category | Retention period or criterion |
| --- | --- |
| Order, invoice, tax and accounting records | For the period required by Italian and EU tax and accounting law. |
| Customer account data | While the account remains active or until deletion is requested, unless retention is required by law. |
| Cart cookie | Currently 14 days. |
| Customer account authentication cookies | Currently up to 30 days for access and expiry cookies and up to 60 days for refresh and ID token cookies. |
| Temporary OAuth cookies | Approximately 10 minutes. |
| Cookie consent record | Currently 180 days. |
| Google Analytics 4 event data and user data | Currently 14 months, with retention reset on new user activity. |
| Microsoft Clarity playback or recording data | 30 days. |
| Microsoft Clarity click data, heatmaps, labeled sessions and favorited sessions | Up to 13 months. |
| Dealer application data | For the review period and a limited period afterwards for business records, follow-up and legal protection. |
| Customer service communications | For as long as needed to handle the request and protect legal rights. |

11. Your GDPR Rights

Subject to legal conditions, you may request access, rectification, erasure, restriction of processing, portability and objection to processing based on legitimate interests or direct marketing.

Where processing is based on consent, you may withdraw consent at any time without affecting processing carried out before withdrawal.

To exercise your rights, contact: service@beautydef.it.

You also have the right to lodge a complaint with the Garante per la protezione dei dati personali in Italy or with the supervisory authority in the EU Member State where you live, work or believe an infringement occurred.

12. Automated Decision-Making and Profiling

We do not use personal data for decisions based solely on automated processing that produce legal or similarly significant effects.

Where optional analytics, heatmap, session insight or marketing tools are enabled, they may involve limited profiling for website improvement or marketing measurement. These tools are subject to consent where required.

13. Security

We apply appropriate technical and organisational measures to protect personal data, including HTTPS, secure checkout, access controls, authentication cookies marked as HTTP-only where applicable, service provider controls and limited access to business records.

No online transmission or storage system is completely secure.

14. Children

The website and products are not intended for children. We do not knowingly collect personal data from children under the age required by applicable EU Member State law.

If you believe a child has provided personal data, contact us at service@beautydef.it.

16. Changes

We may update this Privacy Policy when our website, providers, technologies or legal requirements change. The latest version will be published on this page. Where required by law, we will provide additional notice before material changes take effect.

17. Contact

BEAUTY DEF S.R.L.

Viale Montello 7, 20154 Milano (MI), Italy

Email: service@beautydef.it

VAT ID: 08968280969