Privacy Policy
This Privacy Policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 (the "GDPR") and the Swiss Federal Act on Data Protection of 25 September 2020 (the "revFADP / nLPD"). It explains how Reina Olga SA processes the personal data (any information that directly or indirectly identifies a natural person) of users who visit, register on, or purchase through the website www.reinaolga.com and the wholesale platform wholesale.reinaolga.com (together, the "Site"), as well as the personal data of the representatives of our business clients. Together with the Cookie Policy and the applicable Terms of Use / General Conditions of Sale, it sets out the basis on which users' personal data is processed.
------------------------------------------------------------------------
1. DATA CONTROLLER
The controller of the personal data collected through the Site is:
Reina Olga SA, registered office at Via Arona 30, 7500 St. Moritz, Switzerland — UID CHE-271.649.623 (the "Controller").
Contact for any data protection matter and for exercising your rights: help@reinaolga.com.
------------------------------------------------------------------------
2. APPLICABLE LAW
Reina Olga SA is established in Switzerland and offers goods to customers located in Switzerland, the EU/EEA and the United Kingdom. The Controller therefore processes personal data in compliance with both the Swiss revFADP/nLPD and, where applicable under Article 3 GDPR (offering goods or services to data subjects in the Union), the GDPR. The two frameworks are applied in parallel; where they differ, the stricter standard is observed.
------------------------------------------------------------------------
3. WHO THIS POLICY COVERS
This Policy applies to:
(a) consumers who visit or purchase on the Site (B2C);
(b) representatives, buyers and contacts of our wholesale and business clients (B2B), whose business contact data (name, role, business email and telephone) we process to manage the commercial relationship, including the designated payment contact;
(c) any other individual who contacts us or whose data we lawfully receive.
For B2B relationships, the business client and Reina Olga SA each act as independent data controllers in respect of the contact data they exchange, each responsible for its own processing.
------------------------------------------------------------------------
4. CATEGORIES OF PERSONAL DATA PROCESSED
- Identification, contact and access data: name and surname, email address, shipping and billing address, telephone number, account access credentials and any other data voluntarily provided. For B2B: company name and the name, role, email and telephone of the buyer and of the designated payment contact.
- Purchase and order data: products ordered, order history, wholesale orders and related commercial information.
- Billing and payment data: IBAN/bank details for wire transfers, tax code and billing address. Card data is handled directly by the payment provider and is not stored by the Controller.
- Browsing and usage data: IP address, device and browser parameters, log data, registration data, interaction and transaction events, performance indicators, navigation flows and use of Site features.
------------------------------------------------------------------------
5. PURPOSES OF PROCESSING AND LEGAL BASIS
5.1 Contract and legal obligations
Browsing the Site; registration and management of the account (including credential recovery and closure) and connected services; activities necessary to conclude and perform purchase contracts (B2C and B2B wholesale orders); order processing and fulfilment; customer care and handling of requests, reports and complaints received by email or other channels; administrative, accounting and tax activities, including issuing of receipts/invoices and keeping of accounting records; responding to requests from competent administrative, tax and judicial authorities; handling requests to exercise data subject rights.
Legal basis: performance of (pre-)contractual obligations to which the user is a party (Art. 6.1.b GDPR / Art. 31 revFADP) and compliance with legal obligations to which the Controller is subject (Art. 6.1.c GDPR). Except for account registration data, which is optional, provision of this data is necessary to conclude and perform the contract or to respond to pre-contractual requests; failure to provide it makes it impossible to conclude the contract or obtain a response.
5.2 Analytics, legitimate interest and security
Statistical analysis of Site use, navigation and product searches to improve the Site and the product offer; ensuring and demonstrating compliance with the Controller's contractual rights and legal obligations; preventing and detecting fraud or harmful activity; reminding a user who has started a purchase that a product remains in the shopping cart.
Legal basis: the legitimate interest of the Controller (Art. 6.1.f GDPR), including, for transactional emails such as abandoned-cart reminders, the legitimate interest read together with Recital 47 GDPR.
5.3 Marketing and profiling (consent)
With the user's consent, the Controller sends commercial communications, newsletters, updates, offers, promotions and market-research invitations, including by automated tools such as email and newsletters; and, again with consent, processes data to attribute preferences and characteristics to the user — including through retargeting or grouping users into clusters with common features — in order to send personalised and differentiated commercial communications based on the user's profile. Where this profiling occurs, it is carried out by automated means on the basis of pre-set parameters, for the sole purpose of tailoring marketing content; it does not produce legal effects on the user nor similarly significantly affect the user, and the user is never subject to a decision based solely on automated processing within the meaning of Art. 22 GDPR. Profiling does not include any special categories of data.
Legal basis: the user's express consent (Art. 6.1.a GDPR). Provision of data for these purposes is optional. The absence or withdrawal of consent, or an objection to processing, does not affect in any way the user's ability to purchase on the Site.
5.4 Communications to existing customers (soft opt-in)
The Controller may send the user, at the email address provided in the context of a purchase, communications relating to its own similar products, unless the user objects. This does not require prior express consent, as it is based on the Controller's legitimate interest in direct marketing to existing customers, in line with applicable e-privacy rules; the user may object at any time, free of charge, both at the time of collection and in each subsequent communication.
Withdrawal of consent and objection
Where processing is based on consent, the user may withdraw it at any time, and may object to processing for marketing and profiling purposes, using the methods set out in Section 9. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Following withdrawal or objection, the data is no longer processed for that purpose and is retained only where another legal basis applies (e.g. contract performance, legal obligation, legitimate interest).
------------------------------------------------------------------------
6. METHOD OF PROCESSING AND SECURITY
Personal data is processed lawfully, fairly and transparently, and in a manner that ensures appropriate confidentiality and security, using IT and/or electronic tools with organisational methods and logic strictly related to the stated purposes. The Controller adopts appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration or destruction of personal data, and limits access to authorised staff and processors bound by confidentiality. Data is transmitted over the Site via encrypted (HTTPS) connections, and the principle of data minimisation is applied — only data necessary for the stated purposes is collected.
------------------------------------------------------------------------
7. RETENTION
Personal data is kept only for as long as necessary for the purposes for which it was collected, and in any event:
- Invoices and accounting records: 10 years (Art. 958f Swiss Code of Obligations).
- Order and contract data: for the duration of the relationship and up to 10 years thereafter for legal-defence purposes (statutory limitation); in case of litigation, for the duration of the proceedings or as required by the competent authority.
- Account data (on closure at the user's request): 3 months for administrative purposes, then deleted.
- Marketing and profiling data (consent): until consent is withdrawn and in any event no more than 12 months from the last contact or renewal of consent (e.g. a new purchase or opening of a newsletter).
- Customer-care tickets: 24 months from closure.
After these periods, personal data is deleted or anonymised, and the user can no longer exercise the rights of access, erasure, rectification and portability over it.
------------------------------------------------------------------------
8. RECIPIENTS OF DATA
In addition to the Controller's authorised staff (administrative, commercial, marketing and IT personnel), personal data may be accessed by third parties that perform services on the Controller's behalf as data processors (Art. 28 GDPR / Art. 9 revFADP), bound by data-processing agreements, and by public or private bodies entitled to access it under the law. The Controller's current processors include:
- E-commerce and payments: Shopify / Shopify Payments (Shop Pay) for the online store; Stripe for card payments; Klarna for instalment/deferred payments where offered.
- Logistics and fulfilment: Monta (Netherlands, EU) for EU orders; ShiptQuick, Inc. (USA) for US orders.
- Email marketing: Klaviyo, Inc. (USA).
- Customer care and messaging: Google Workspace (Gmail) and TextYess (automated WhatsApp assistance).
- Analytics and advertising: Google (Analytics / Ads), Meta (Facebook / Instagram Pixel), TikTok.
- Wholesale order management: the Controller's B2B ordering platform and, where used, the dedicated wholesale management system.
- Accounting: bexio AG (Switzerland) and the Controller's external fiduciary.
Recipients act, as the case may be, as processors, controllers or independent controllers. An updated list of processors under Art. 28 GDPR is available on request at help@reinaolga.com.
------------------------------------------------------------------------
9. INTERNATIONAL DATA TRANSFERS
Personal data is processed primarily in Switzerland and the EU/EEA. Some providers process data in the United States or other third countries. Where data is transferred outside Switzerland or the EEA to a country without an adequacy decision, the Controller ensures an adequate level of protection through: (i) the EU-US Data Privacy Framework and its Swiss-US extension, where the recipient is certified; or (ii) the European Commission's Standard Contractual Clauses 2021/914, supplemented for Switzerland by the FDPIC addendum and, where necessary, by a transfer impact assessment. Users may obtain a copy of the relevant safeguards by writing to help@reinaolga.com.
------------------------------------------------------------------------
10. RIGHTS OF DATA SUBJECTS
Users may exercise the rights granted by Articles 15-22 GDPR and the corresponding provisions of the revFADP, namely: access to their data and information on its origin, purposes, processing logic and recipients; rectification, updating and integration; erasure ("right to be forgotten"); restriction of processing; data portability (to receive the data in a structured, commonly used, machine-readable format); objection to processing, including for direct marketing, direct sales and market research; and withdrawal of consent at any time. Where data is processed by automated means, the user has the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
Requests may be sent to the Controller at help@reinaolga.com. The Controller will respond within the time limits set by applicable law.
------------------------------------------------------------------------
11. CHILDREN
The Site and its products are directed at adults. The Controller does not knowingly collect personal data of minors under the age applicable in the user's jurisdiction without the consent of a parent or legal guardian. If a parent or guardian becomes aware that a minor has provided personal data, they may contact help@reinaolga.com to have it deleted.
------------------------------------------------------------------------
12. COOKIES
The Site uses cookies and similar technologies. For details on the cookies used, their purposes and how to manage consent, please refer to the Cookie Policy published on the Site.
------------------------------------------------------------------------
13. SUPERVISORY AUTHORITY
The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC / PFPDT), Feldeggweg 1, 3003 Bern — www.edoeb.admin.ch. Users resident in the EU/EEA may alternatively lodge a complaint with the supervisory authority of their Member State of residence.
------------------------------------------------------------------------
14. CHANGES TO THIS POLICY
The Controller may update this Policy at any time, publishing changes on this page with the revision date indicated below. Users are invited to consult this page periodically. Unless otherwise stated, the previous version continues to apply to data collected up to the date of the change.
------------------------------------------------------------------------
Privacy Policy updated June 2026 · Reina Olga SA · Via Arona 30, 7500 St. Moritz, Switzerland · help@reinaolga.com