Privacy policy pursuant to Article 13 of EU Regulation 2016/679
(General Data Protection Regulation, hereafter GDPR)

Dear Client,
This policy describes, pursuant to Article 13 of EU Regulation 679/2016 (General Data Protection Regulation, hereinafter “GDPR”), the manner and purpose for which the Data Controller processes your personal data collected when you purchase our GENETICA23 branded products and/or request information about our products and/or services.

GENETICA23 brand cosmetics are tailor-made product formulations, for which Genetica23 proposes a multi-step process leading to the development of a beauty matrix, unique for each client.
For more information, please see our website at:

1) Data controller

The Data Controller is Genetica23 S.r.l. with registered office at Via Anacarsi Nardi 12, 41121 – Modena (MO), which can be contacted at the e-mail address (hereinafter “Genetica23” or “Controller”).

2) Data Protection Officer

In the event of an alleged breach of data protection legislation, you can contact our Data Protection Officer (DPO) at

3) Type of personal data collected

In order to obtain a beauty matrix for each client, Genetica23 may acquire the following special categories of data: 

a) Genetic data:

We will acquire a saliva sample using the handy self-sampling kit. The sample will be analyzed exclusively in relation to those genotypes that we have identified as being responsible for the main cellular metabolic characteristics and predispositions of the skin (such as sebometry, hyperplasia, dyskeratosis, acne or collagen fragility).
Note: the analysis is NOT intended for medical analysis.

b) Lifestyle information:

Certain external factors such as diet, air pollution, sun exposure, etc. have a significant impact on the skin and its condition. Therefore, Genetica23 asks you to complete a self-assessment questionnaire on your lifestyle, limited to factors relevant to your skin condition.

c) Data on skin health:

We can take photographs of your face to obtain a detailed analysis of your skin condition, using a Facial Imaging machine.

Genetica23 will also acquire the following: 

d) Common Data:

Identification data (first name and surname); personal data; contact and shipping data (telephone number, e-mail address, home/domicile address); payment data (credit card number) and billing data (tax code, billing address); data relating to the products purchased.

(The data listed under (a), (b), (c) and (d) above will, collectively, be referred to as ‘Personal Data‘; the data listed under (a), (b), (c) above will, collectively, be referred to as ‘Special Data‘) 

4) Purpose and legal basis of processing by type of data

The data collected will be processed in accordance with the conditions of lawfulness under Articles 6 and 9 of the GDPR for the following purposes:

(I) Provision of the requested service / supply of GENETICA23® branded products

Genetica23 may use your Personal Data in order to provide you with the GENETICA23 branded services and products that you have requested and/or in order to respond to your requests for information, which may also be received by e-mail and/or telephone.

– Genetic Data
– Lifestyle information
– Data on skin health
– Common Data
(Art. 9(2)(a) GDPR)
(II) Complying with legal obligations

Genetica23 may use your Common Data in order to comply with administrative-accounting obligations.

Common Data Fulfilment of legal obligation (Art. 6(c) GDPR)
(III) Soft spam

Genetica23 may use your e-mail address to offer you products, services and/or services (and related informative material) similar to the product(s) you have purchased. If you do not wish to receive such communications, you may notify Genetica23 at any time by using the contact details given in section 1) above or by using the link in the email communications you receive.

Common Data (in particular, e-mail address) Legitimate interest of the Data Controller (Art. 6(f) GDPR)

The possibility of opposing such processing at any time remains unaffected.

(IV) Direct marketing

Genetica23 may send you updates on its products, services and offers by e-mail, telephone or other digital communication tools.

Common Data CONSENT
(Art. 6(a) GDPR)

5) Providing Personal Data

Genetic Data is essential in order to obtain a dermogenetic analysis of your skin and thus to provide you with customized products. Each Client will be free to choose whether or not to purchase our products, thus being able to adequately weigh up whether or not to consent to the processing of their Genetic Data and Lifestyle Information. It is clearly understood that any refusal to communicate such data will result in the impossibility for the Controller to offer its services/products. Similarly, Common Data are necessary for the performance of the contract in place between the parties; while the provision of Skin Health Data is optional and any refusal to communicate such data will have no impact on the provision of the services/purchase of the products requested.

6) Data processing methods

The processing of Personal Data is mainly carried out electronically and telematically at the Controller’s premises by specially authorized internal staff. We adopt appropriate security measures in order to minimize the risks of destruction or loss – even accidental – of data, unauthorized access or processing that is not permitted or does not comply with the purposes of collection.

7) Data retention period

Personal Data are stored in accordance with the principles of necessity and proportionality, in particular: 

(i) (i) In order to offer you the products/services you have requested and to provide continuity for your future purchases, we will retain your Personal Data for the duration of your relationship with Genetica23 and for as long as there may be an interest in using our products/services again (24 months after your last purchase);

(ii) (ii) in order to fulfil administrative-accounting obligations in accordance with applicable national law, we will retain your Common Data for the entire contractual period and, after termination, for a maximum period of 10 years after their collection;

(iii) (iii) for the purposes of soft spam and marketing – taking into account the peculiarity of GENETICA23® branded products and their relative economic value, which leads these products to be considered high-end products – the retention period is 5 years from the last purchase, unless the consent previously given is expressly revoked or cancellation is requested.

8) Disclosure of personal data

Personal Data will not be disseminated.
The Common Data may be communicated to external parties that provide Genetica23 with certain out-sourcing services such as, by way of example, communication services, e-mail marketing, shipping and transport services. These parties act as autonomous data controllers or duly appointed data processors. The complete and updated list of data processors is available upon request. The Common Data may also be communicated to public or private entities that are entitled to access them by virtue of legal provisions.
Special Data will only be processed within Genetica23 and will not be disclosed outside Genetica23, except for the following in relation to the analysis of DNA samples.

DNA sample analysis laboratory:

Genetic Data analyses are carried out by a third party laboratory anonymously; indeed, the swabs sent to the laboratory are only barcoded, without any reference to your person. It will then associate the results provided by the laboratory with your personal data by means of an identification code held only by Genetica23. Once your DNA sample has been analysed, the laboratory will immediately destroy the DNA test.

This data may only be shared, in aggregate and anonymous form, for statistical purposes, with third parties who will carry out related scientific studies, for further development or analysis, as well as for scientific publications edited by Genetica23 or our research partners. As data of an aggregate nature, such data will not allow, even indirectly, your identification.

9) Transfer of personal data

Personal Data are not transferred outside the EU. However if this is necessary for the provision of the services provided, the transfer will be carried out in accordance with Articles 44 et seq. of the GDPR, with appropriate instruments in place to ensure adequate guarantees for the protection of personal data.

10) Rights of the data subject

At any time, pursuant to Articles 15 et seq. of the GDPR, you may – in your capacity as data subject – exercise the following rights:
(i) access to the type of data processed, to obtain information on certain aspects of the processing; (ii) verification of the correctness of the data and request for updating or rectification; (iii) deletion or removal of personal data; (iv) restriction of processing when certain conditions are met; (v) objection to the processing of data when it is carried out on a legal basis other than consent; (vi) withdraw the consent previously given, without affecting the lawfulness of the processing carried out up to that point.
Rights may be exercised by sending a request to the e-mail address
We also remind you that you may always communicate your wish to no longer receive the communications referred to in Article 4, point (iii) (soft spam), by promptly notifying us when you first contact us or, in any event, by using the contact details available in this privacy policy.
Finally, you may also lodge a complaint with the competent data protection supervisory authority or take legal action.

Date of last update: 8 November 2022.