Privacy policy pursuant to Regulation (EU) 2016/679
on the protection of personal data
1. Subject
This policy (“Privacy Policy”) is provided pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter the “GDPR”) in order to inform you about the processing of your personal data (hereinafter “Personal Data”) carried out when you interact with the website www.phimostop.com (hereinafter the “Site”).
2. Data Controller and Data Protection Officer
Your Personal Data is processed by Phimomed S.r.l. Tax Code and VAT No. 12625111005, with registered office in Rome, Via Cicerone, 60, certified email address [email protected] (hereinafter the “Company” or the “Data Controller”).
For any information on the processing of Personal Data and to exercise your rights, you may contact the Data Protection Officer appointed by the Data Controller pursuant to Article 37 of the GDPR (hereinafter the “Data Protection Officer” or “DPO”). You may contact the Data Protection Officer at any time at the following email address: [email protected].
3. Categories of data subject to processing
The personal data processed by the Data Controller includes:
- Usage data relating to interaction with the Website, such as, for example, information on the device used, session statistics and number of users, keypress events, clicks made, events related to motion sensors, mouse movements, page scrolling position and mode, and language settings.
- Payment data necessary for the management of purchases and transactions, such as email address, first name, last name, username, telephone number, payment information, purchase history, and billing address.
- Health data: the Data Controller does not collect or process health data directly. However, some information relating to your health or that of third parties could potentially be inferred indirectly from the category of product purchased.
4. Cookies and other tracking systems
Cookies are small pieces of code that the websites visited by the user send to the browser, where they are stored before being retransmitted to the same websites during navigation or on the user’s next visit. While browsing, the user may also receive cookies on their device that are sent from different websites or web servers (so-called “third parties”), on which certain elements (such as images, maps, sounds, specific links to pages of other domains) present on the website that the user is visiting may reside. In this way, for example, cookies allow and/or facilitate access to certain web pages to improve the user’s browsing experience (i.e., they allow the storage of visited pages and other specific information, such as frequently visited pages, connection errors, etc.), or they allow profiling activities.
For more information about the use of cookies on the Site, please refer to the Cookie Policy.
5. Purpose and legal basis of processing
Personal Data is processed:
- in order to allow the purchase of products offered through the Website, as well as to ensure the proper provision of related services and payment management, pursuant to Article 6, paragraph 1, letter b) of the GDPR;
- on the basis of your explicit consent, pursuant to Article 9, paragraph 2, letter a) of the GDPR, if the purchase of certain products may indirectly reveal sensitive information falling within the special categories of personal data (health data). Failure to consent does not affect your ability to browse the Website, but may prevent you from purchasing specific categories of products;
- to comply with legal obligations to which the Data Controller is subject, for example in the accounting and tax fields, in accordance with Article 6(1)(c) of the GDPR;
- in order to satisfy the legitimate interest of the Data Controller in ensuring the security and proper functioning of the Website, in accordance with Article 6(1)(f) of the GDPR.
6. Nature of the provision of Personal Data and consequences of refusal to respond
The provision of Personal Data is optional. However, some Personal Data is necessary in order to allow us to provide the services you have requested and to comply with the legal obligations to which we are subject. Failure to provide such information will prevent you from using the services offered through the Website.
7. Methods of processing
Personal Data will be processed – in accordance with the principles of fairness, lawfulness, and transparency – using computerized, manual, and/or telematic means and tools, with logic strictly related to the purposes of the processing and, in any case, ensuring the confidentiality and security of the data and compliance with the specific obligations established by law. The availability, management, access, storage, and usability of data relating to you is guaranteed by the adoption of technical and organizational measures to ensure appropriate levels of security in accordance with Articles 25 and 32 of the GDPR, as well as, in relation to the specific purposes of processing identified by the legislation on the protection of personal data, to ensure compliance with the measures guaranteed by the Data Protection Authority and the relevant sectoral provisions under European Union law and national law (e.g., specific provisions on commercial communications). The processing is carried out by persons inside and outside the Data Controller’s organisation who are specifically authorised and trained in full compliance with Articles 28 and 29 of the GDPR. In any case, the logical and physical security and confidentiality of the information processed will be guaranteed.
8. Retention of Personal Data
Personal Data will be retained only for the time strictly necessary for the purposes for which it is collected, in accordance with the principle of minimization referred to in Article 5(1)(c) of the GDPR.
Your data will be processed for a period of time equal to the minimum necessary for the fulfillment of legal obligations, unless it is necessary to store it further to defend or enforce a right or to fulfill further legal obligations or orders from the Authorities. In particular, data relating to payments and invoicing will be stored for 10 years, in accordance with current civil and tax legislation.
9. Recipients of Personal Data
Your data may be shared with:
- employees and collaborators of the Data Controller, appointed as authorized processors, in accordance with Article 29 of the GDPR;
- third parties used by the Data Controller for the provision of services, acting as data processors pursuant to Article 28 of the GDPR;
- subjects, entities, or authorities, acting as independent data controllers, to whom it is mandatory to communicate your personal data pursuant to legal provisions or orders from the authorities.
10. Transfer of Personal Data outside the EU
Personal Data may be transferred to countries outside the European Union. Such transfer will only take place to countries that guarantee an adequate level of protection according to the European Commission (e.g., Switzerland, Canada, Japan, or Argentina) or, in any case, subject to the adoption of adequate safeguards, such as the signing of Standard Contractual Clauses approved by the European Commission or the selection of entities participating in international programs for the free movement of data.
11. Rights of the Data Subject
You may, at any time, exercise your rights under Articles 15 to 22 of the GDPR and, in particular, obtain:
- confirmation as to whether or not personal data concerning you are being processed and access to the data and the following information: purposes of processing, categories of personal data, recipients and/or categories of recipients, storage period;
- the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data, including by providing a supplementary statement;
- the erasure of personal data, in the cases provided for by the GDPR;
- restriction of processing in the cases provided for by current privacy legislation;
- the portability of data concerning you and, in particular, the ability to request the personal data provided to the Data Controller and/or the direct transmission of your data to another Data Controller.
Furthermore, you have the right to withdraw any consent you may have given at any time, without prejudice to the lawfulness of the processing based on consent prior to withdrawal, as well as the right to object, at any time, to the processing of Personal Data, pursuant to Article 21 of the GDPR.
If you believe that the processing of Personal Data is in violation of the provisions of the Regulation, you have the right to lodge a complaint with the Data Protection Authority as provided for in Article 77 of the GDPR itself, or to take appropriate legal action.
Requests to exercise the above rights should be addressed to the Data Controller or the DPO, at the contact details provided in paragraph 2 of the Privacy Policy.
Last update: 24/02/2026
