Hello! We are the company Khooa S.r.l., but you can simply call us Khooa. On this page, we provide you with the necessary information to understand how we handle your personal data.
Khooa's Role in Personal Data Processing
At Khooa, we provide you with personalized image consulting services. In particular, we help you choose the right color palette and clothing using color analysis techniques.
To automate this service and make it accessible to a wider audience, we have developed artificial intelligence software that processes information and images related to you and communicates the most suitable colors for you, classifying them into the 4 seasons: spring, summer, autumn, and winter.
As you may have understood, in order to do all these things, we need to process your personal data. However, we want to do so in full compliance with your rights and with maximum transparency.
The data controller is the person or legal entity that decides how personal data is processed and for what purposes.
In this case, it's us at Khooa; our company, Khooa S.r.l., is the data controller for the data processing described in this privacy notice.
Here is some detailed information about us:
- Name: Khooa S.r.l.
- Registered Office: Via Fatebenefratelli 19, 20121 Milan (MI) Italy
- VAT Number: 12044650963
- You can contact us using the following email address: [email protected]
Categories of Processing
To help you effectively navigate this document and find what interests you, we have decided to group the information into the following categories of processing:
- Registration on khooa.com
- Color Analysis Test and Digital Wardrobe
- Personalized Advertising
- Payment Processing and Accounting
- Website Navigation Data
- Statistics and Market Research
For each category, we provide you with a brief description of what we do with your data, indicate the types of data processed, the purposes for which we process them, and the legal bases - among those provided for in Art. 6 of the EU Regulation 2016/679 (the famous "GDPR") - that allow us to do so.
You can use the sidebar menu to navigate directly to the section you are interested in.
After describing the individual categories of processing, we provide you with more general information, and in particular: recipients to whom we disclose your personal data and whether this involves transfers outside the European Economic Area; the duration for which we retain the data; what your rights are and how you can exercise them.
Registration on khooa.com
In order to use our services, you first need to register on the website www.khooa.com by providing us with an email address and creating a login password, which you must keep confidential. By registering, you enter into a contractual relationship with Khooa and accept our terms and conditions.
During the registration process, we ask you to provide the following mandatory personal data:
- name and surname
- email address
- date of birth
We need this data to identify you as a contractual party, communicate with you, and verify that you have reached the minimum age necessary to accept our terms and conditions. The legal basis that allows us to process this data is the need to fulfill a contract to which you are a party. Therefore, this data is mandatory, and without it, we cannot allow you to register and therefore access our services.
After you have purchased and benefited from one of our color analysis and digital wardrobe services, we may use the email address you provided during registration to send you commercial communications related to the services for which you have already expressed an interest due to your purchase (known as "soft spam"). Similarly, we may inform you about events organized by us that will take place in your area of residence or domicile that you have communicated to us and which, considering the interest shown in Khooa, we imagine you might want to participate in.
The legal basis that allows us to carry out this processing is legitimate interest.
If you do not want your email address and/or your residential or domicile address to be processed for these purposes, you can exercise the right to object by writing to [email protected], without having to provide any explanation.
During the registration process, you will also be asked for the following data, which you can choose not to provide:
- your color season (if you already know it); and
- your fashion preferences
We may use this data to create a personal profile of your interests, to be used to show you personalized advertisements on the website that match your color characteristics and fashion preferences, including through a Pinterest board organized by us and viewable directly from our platform. The legal basis that allows us to carry out this processing is legitimate interest, and we do not consider it harmful to your rights and freedoms as a data subject since it is reasonable to assume that you, when accessing a fashion and color analysis portal, would like to see content that aligns with your preferences and characteristics. In any case, not providing this data does not prevent you from using our other services.
You can use your Google account or your Facebook account (Meta) to access the Khooa platform. This way, you don't have to remember the username and password of a new account. In this case, we receive the necessary identification information from Google or Facebook, namely the email address and your UserID. By doing so, you communicate to Google or Facebook (as the case may be) your access to the Khooa platform, and this data will be processed by Google or Facebook as the data controller.
For more information about the service offered by Google, you can visit this page: "Using your Google Account to sign in to other sites and apps". For more information about the service offered by Facebook (Meta), you can view this page: "How are your information shared about Meta Products or with integrated Partners?"
During the registration phase, you will also be asked if you want to subscribe to our Newsletter: you can find all the information about this in the Newsletter section of this notice.
Color Analysis Test and Digital Wardrobe
Once logged in, you can purchase and use our services, as well as access the color analysis tests. The first type of test is based on multiple-choice questions about your image. The personal data collected from the answers are processed automatically, and a result is generated, indicating a reference season among spring, summer, autumn, and winter, along with a suitable color palette for you. Once you receive the result, your answers to the questions are not stored.
For the second type of test, you are asked to upload one or more photos of your face. The images are processed by artificial intelligence software developed by us, and once again, a reference season and a color palette suitable for you are provided as a result.
The third type of test allows you to upload a photo of a clothing item to determine its color season. You can also save the uploaded clothing images and the test results in your personal account, creating your own digital wardrobe.
The processing of images and other personal data in your responses is necessary to provide you with the test results. Without this data, we cannot provide the service. The legal basis for this processing is the necessity to provide a requested service. The same applies to the storage of clothing images in your digital wardrobe.
The images of your face and the uploaded clothing are also stored in our database and periodically used to 'train' the artificial intelligence software. This additional processing of your personal data is based on our legitimate interest in improving the artificial intelligence software and, consequently, our services. This interest does not override your rights and freedoms as the data subject, as it is reasonable to assume that you also want our digital services to continuously improve for more effective use. In any case, to ensure the utmost protection of your personal data, clothing images are permanently and irreversibly dissociated from the person who uploaded them, rendering them anonymous data. Instead, facial images are pseudonymized and associated with a reference code rather than directly with your name. This allows us to trace them in case you wish to exercise your privacy rights. In particular, we remind you that you can object to this processing by contacting us at [email protected] and explaining your reasons.
Newsletter
Khooa manages a newsletter service, through which it periodically sends emails to all subscribers containing news, updates, and information related to image consulting and color analysis, as well as promotions and commercial offers from either Khooa or third parties in this sector. If you request to subscribe to the newsletter to stay informed about image consulting and color analysis topics, we will add your email address to a mailing list so that you can receive our periodic communications. The legal basis for processing this data is its necessity to provide you with the newsletter service you have requested. To stop this processing, you can unsubscribe from the newsletter at any time by following the instructions provided at the bottom of each email.
Personalized Advertising
The data collected about you during registration (e.g., name, surname, email, reference season, fashion preferences, etc.) and the results of the color analysis tests can be used by Khooa to create a profile of your persona. Your profile, in conjunction with contact information, may be shared with third-party companies, which in turn may use it to send you personalized advertising based on your interests. For instance, to suggest the purchase of clothing items or accessories in colors compatible with the results of your color analysis tests.
This processing can be beneficial for both us and you, as it allows you to receive commercial offers based on your interests and aligned with the color analysis test results you've undertaken. However, if not understood or desired, it might lead to a perceived violation of your privacy. For this reason, we are committed to carrying out this data processing in a fully transparent manner and only after obtaining your consent. You can revoke consent at any time, and in such cases, we will work to communicate this revocation to all third parties with whom we have shared your data.
Payment Management and Accounting
To manage payments, Khooa employs third-party intermediaries like PayPal and Stripe. Please note that these entities process your data not on our instruction, but as independent data controllers. Therefore, you should refer to their privacy policies to understand how they process your personal data. When you use these services, we at Khooa receive data related to the payment made and some partial data related to the chosen payment method. We only use this data to receive payments and manage any refund requests. Our legal basis for processing this data is its necessity to fulfill a contract to which you are a party.
Payment-related data is recorded in our accounting system and used for issuing invoices and tax receipts. The legal basis allowing us to process this data is the need to fulfill legal obligations in tax and accounting matters.
Website Navigation Data
However, when you log in to our site, we can record the actions you take (logins and logouts, purchases, test completions, etc.) and associate them with your account. We process this data based on our legitimate interest in monitoring user activities on the website to improve services, ensure platform security, combat fraud, and check for long periods of inactivity to proceed with account deletion. This is an interest compatible with yours, as it improves the web service you have access to. Nonetheless, you can always object to this processing by writing to us at [email protected] and explaining your reasons.
Statistics and Market Research
We process data related to our users, including age, fashion preferences, test results, etc., for statistical purposes and market research. Once collected from your personal profile, the data continues to be processed for this purpose in an aggregated form without the possibility of linking it back to you. The processing is based on our legitimate interest in conducting anonymous statistics and market research, including for sale to third parties. This is an interest not incompatible with yours and does not harm your rights and freedoms as the data subject, as the data is processed and provided anonymously and third parties receiving it cannot trace it back to you. On the other hand, they can improve their services thanks to this data. In any case, if you don't want your data to be used for this purpose, you can object to the processing by writing to us at [email protected] and explaining your reasons. Once the data is completely anonymized, you will no longer be able to exercise privacy rights, as it is no longer subject to personal data protection regulations.
Data Recipients and Transfers
Khooa uses the following service providers for services that involve personal data processing:
- Amazon Web Services (AWS) for hosting images used to power the artificial intelligence software.
- MongoDB as the Database for saved data on the www.khooa.com web platform (e.g., user accounts and profiles, sales, color analysis test results, etc.); hosting is provided by Vercel.
- Heroku as the data transfer management platform.
- Klaviyo for newsletter management.
To ensure these entities protect your personal data and do not use it for purposes other than those indicated in this policy, we have appointed them as data processors and have entered into Data Processing Agreements with them.
For data retention by AWS, Heroku, and MongoDB, we have chosen data centers located within the European Economic Area or in countries that have received an adequacy decision from the European Commission. However, since these providers are based in the United States or are part of international corporate groups based in the United States, they might be subject to requests for the disclosure of personal data hosted in their data centers by U.S. public authorities. Therefore, the use of providers like AWS, MongoDB, Heroku (and Klaviyo) may involve the transfer of your personal data to the United States. To ensure this transfer respects your rights, we have ensured that the contracts signed with these entities include the Standard Contractual Clauses approved by the European Commission in decision 2021/914 to allow cross-border transfers of data between a data controller and a data processor. For more information or to request a copy of the SCCs used, you can write to us at [email protected].
Data obtained from color analysis test results, your fashion preferences, and your contact information (name, surname, and email address) may be shared by Khooa with third-party companies to enable the sending of personalized advertising based on test results. This transfer only occurs if you have provided consent.
Personal data contained in our accounting records may be shared with external professionals and consultants, such as accountants, as well as the Tax Authority.
Retention Periods and Duration of Processing
The data collected during registration or subsequently, which are necessary for the execution of the contract (name, surname, email address, date of birth, purchased services, payments, etc.), are retained for as long as you keep your account active and for the following 10 years.
On the other hand, optional data contained in your account (fashion preferences, color analysis results, images in your digital wardrobe, etc.) and your residence or domicile address will be deleted upon account removal. You can request the removal of your account at any time by writing to [email protected]. If you have provided consent to process this data for marketing purposes and to share it with third-party companies, the deletion of the account does not automatically lead to the erasure of this data, which may continue to be processed for its respective duration or until the consent is revoked.
If your account remains inactive for 24 months (no login activity), we will send you an email asking you to confirm your interest in maintaining your account, giving you a reasonable time to respond. In the event of no response, we will proceed with account deletion.
Data processing for marketing purposes based on our legitimate interest (soft spam) lasts as long as your account remains active. With the deletion of your account (voluntary or due to inactivity), it is assumed that you are no longer interested in receiving our communications.
Data processing for marketing purposes for which you have given consent has a duration of 24 months from the consent collection. However, you can revoke consent at any time to stop this processing earlier. Third-party companies that have received data from us are obligated to inform you of how long they will retain the data in their respective policies.
Processing related to sending newsletters continues until you unsubscribe from the newsletter.
Facial images used to train our artificial intelligence software are retained for 5 years from collection. However, images of clothing are anonymized and subsequently stored indefinitely.
Personal data contained in accounting records (e.g., provided services and related payments) are retained for 10 years from their registration.
Your Privacy Rights
The GDPR (Articles 15-22) recognizes important rights concerning the protection of personal data, which you can exercise by contacting the data controller.
Right of Access
You have the right to know whether personal data concerning you are being processed and to know: the origin of the data; the categories of data processed; the recipients; the purposes of processing; the existence of automated decision-making, including profiling; the storage period of the data.
Right to Rectification
If your data is incorrect, outdated, or incomplete, you have the right to request correction and/or supplementation, and you can demand that the data controller communicate this to recipients to whom the data has been transferred, unless it is impossible or requires disproportionate effort.
Right of Cancellation
You have the right to have your data erased in cases provided by Art. 17 of the GDPR and in any case when: they are no longer necessary for the purpose for which they were collected; you have revoked your consent to processing, and there is no other valid legal basis; you object to processing, and there are no overriding legitimate grounds for processing; the data has been processed unlawfully; erasure is necessary to fulfill a legal obligation. You have the right to have the data controller communicate this to potential recipients of the data, unless it is impossible or requires disproportionate effort.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your data when: you contest their accuracy, for the period necessary for verification; if processing is unlawful but you do not want the data to be deleted; when the controller no longer needs it but you want to retain it for exercising a legal claim; when you have objected to processing, pending verification of the controller's legitimate grounds. You have the right to have the data controller communicate this to potential recipients of the data, unless it is impossible or requires disproportionate effort.
Right to Data Portability
When data processing is based on your consent or necessary for the performance of a contract and is carried out by automated means, you have the right to receive your data in a commonly used structured format or request that it be transmitted to another controller, if technically feasible.
Right to Object
You can object to the processing of your personal data based on the data controller's legitimate interest or public interest for reasons related to your specific situation. You can object to the processing of your personal data for marketing purposes without the need to justify the objection.
Right to Withdraw Consent
You can withdraw your consent for data processing at any time.
Right to Lodge a Complaint
If you believe your rights have been violated, you can file a complaint with the Data Protection Authority.
Exercising Your Rights
You can exercise your rights by submitting a written request to [email protected]. We are required to respond within 1 month to your request or to communicate and justify any delay in response, which, however, cannot exceed 2 months.
If the response is not received within the indicated timeframe or you find it unsatisfactory, you can contact the Data Protection Authority through a complaint in accordance with Article 77 of the Regulation or the judicial authority.
To exercise your rights, you can use the template provided on the website of the Data Protection Authority www.garanteprivacy.it.
© 2023 Khooa
Khooa Srl, Via Fatebenefratelli 19, 20121 Milano, P.IVA 12044650963, REA MI - 2637254