The purpose of this document (hereinafter “Privacy Policy“) is to provide information to Users regarding their personal data, defined as any information that may allow the identification of a physical person (hereinafter “Personal Data”), collected by the website and the application (hereinafter “Application“).  The Data Controller, as identified below, may modify or update this policy wholly or partially, and inform the User of this. Modifications and updates will be binding once published on the Application. The User is therefore invited to read the Privacy Policy each time they access the Application. If the User does not accept modifications to this Privacy Policy, they should stop using the Application and ask the Data Controller to delete their Personal Data.
  1. Personal Data collected by this Application
The Data Controller collects the following types of Personal Data:
    1. Content and information provided voluntarily by the User 
      • Contact information and content: this is Personal Data that the User provides voluntarily to the Application during its use, such as personal details, contact details, login details to access services and/or products, interests, personal preferences and other personal information. 
Failure by the User to provide Personal Data which is legally required, contractual or necessary for the use of a service or the fulfilment of a contract will make it impossible for the Data Controller to deliver such services wholly or partially. A User who discloses the Personal Data of third parties is directly and exclusively responsible for its provenance, collection, processing, disclosure or circulation.
    1. Data and content acquired automatically during use of the Application
      • Technical data: digital systems and software procedures responsible for the functioning of this Application acquire, during their normal operation, certain Personal Data, whose transmission is inherent in the use of internet communication protocols. This information is not collected in order to associate it with identifiable Users, but it may, by its very nature, allow the identification of Users through processing and association with Data held by third parties. This category includes IP addresses or domain names used by the User to connect to the Application, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to convey the request to the server, the size of the file obtained in response etc. 
      • User data: Personal Data regarding the User’s use of the Application may also be collected, such as pages visited, actions taken, functions and services used. 
      • Localisation data: the Application may collect Personal Data regarding the User’s location, which may be GNSS data (Global Navigation Satellite System, for example GPS) in addition to data which identifies the nearest repeater, wifi and bluetooth hotspots, which are communicated when accessing products or functions based on location. 
    1. Personal Data collected using cookies or similar technology 
This Application uses cookies, web beacons, univocal identifiers and similar technologies to collect Personal Data regarding pages and links visited and other actions carried out when using our services. These are memorised and then retrieved on subsequent visits by the same User. Users can consult the entire Cookie Policy at the following address: www.onirisjewels/privacypolicy.
  1. Purposes
 Personal Data collected may be used to fulfil contractual and pre-contractual obligations and for legal purposes, in addition to the following: 
    1. External handling of payments by credit card, bank transfer or other means: to handle Users’ payments via external platforms which acquire payment information without the Controller of the Application having access to the same. 
    2. The sending of emails or newsletters and the management of mailing lists: to contact Users via emails containing sales and promotional information associated with the Application. 
  1. Methods of data processing
Personal Data is processed by computerised and/or telematic methods, in accordance with organisational models and logistics closely related to the aforementioned purposes. In certain cases Personal Data may also be accessed by individuals involved in the Data Controller’s organisation (for example HR staff, sales staff, system administrators etc) or external bodies (such as IT companies, service providers, carriers, hosting providers etc). When necessary, such bodies may be appointed Data Supervisors by the Data Controller, and may also access Users’ Personal Data whenever deemed necessary; these will be contractually obliged to ensure the confidentiality of Personal Data.  The updated list of Data Supervisors can be requested by email at 
  1. Legal basis of data processing
 The processing of Users’ Personal Data is founded on the following legal principles: 
    1. the User’s consent for one or more specific purposes;
    2. processing is necessary for the fulfilment of a contract with the User and/or the fulfilment of pre-contractual procedures;
    3. processing is necessary for compliance with a legal obligation on the Data Controller;
    4. processing is necessary for the fulfilment of a task in the public interest or for the exercise of public powers held by the Data Controller;
    5. processing is necessary for the pursuit of the legitimate interests of the Data Controller or of third parties;
    6. processing is necessary for the pursuit of the vital interests of the Data Controller or of third parties.
However, Users can always ask the Data Controller to clarify the legal basis for each instance of processing, by emailing
  1. Location
Personal Data is processed at the operational headquarters of the Data Controller and in any other place where parties involved in data processing are located. For further information, contact the Data Controller at the following email address:, or by post at Via Andrea Solari 11, 20144 Milan, Italy. Personal Data may be transferred to extra-EU countries: USA, Switzerland. For these countries the European Commission has adopted decisions regarding suitability or, in the absence of such decisions, further information can be requested from the Data Controller regarding the appropriate measures adopted, and the procedure for obtaining a copy of the Data or the specific place where it was made available.
  1. Security measures
Data processing is carried out using methods and instruments which guarantee the security and confidentiality of Personal Data, since the Data Controller has implemented appropriate technical and organisational measures which guarantee, and allow it to demonstrate, that processing is carried out in compliance with relevant legislation.
  1. Period of data storage
Personal Data is stored for the time period necessary to complete the purposes for which it was collected. Specifically, Personal Data is stored for the entirety of the contractual relationship, for the fulfilment of obligations inherent in and consequent to said relationship, in compliance with applicable legal and regulatory obligations and for the purposes of defence of the Controller or third parties. Where the processing of Personal Data is based on the User’s consent, the Data Controller may retain the Personal Data until consent is withdrawn. Personal Data may be stored for a longer period if necessary to fulfil a legal obligation or on the order of an authority. All Personal Data will be deleted or stored in a form which does not permit identification of the User within 30 days of the end of the storage period. Upon the expiry of this period, the rights of access, deletion, rectification and portability relating to Personal Data may no longer be exercised.
  1. Automatic decision-making processes
Personal Data collected will not be subject to automated decision-making processes, including profiling, which may result in legal effects to the individual or may impact significantly on them.
  1. Rights of the User
Users may exercise certain rights regarding Personal Data pertaining to them and processed by the Data Controller. Specifically, the User has the right to:
    1. withdraw consent at any time;
    2. object to the processing of their Personal Data;
    3. access their Personal Data;
    4. verify and request correction;
    5. obtain a limitation on processing;
    6. obtain the deletion of their Personal Data;
    7. receive their Personal Data or transfer it to another Data Controller;
    8. make a compliant to the Data Protection authority and/or take legal action.
To exercise their rights, Users should address their request to the contact addresses of the Data Controller as indicated in this document. Requests are made free of charge and handled by the Data Controller as quickly as possible and in any case within a period not exceeding 30 days.
  1. Data Controller
 The Data Controller is UTOPIA SRL, with registered offices at Via Andrea Solari 11, 20144 Milan, Tax ID/VAT no. 12454670964, email address, PEC address, telephone +39 0258303592.  Latest update: 28/06/2020