With this policy, Moss S.p.A. provides information on the processing of the personal data of its Users, which is collected from their navigation on the Website and when using the Website services and, in case of Users/Consumers, from the online purchase of NovoX products available on the Website (hereinafter the “Services”).

The data thus provided to Moss S.p.A. shall be processed in accordance with the applicable national privacy legislation, as well as with EU Regulation no. 679/2016.



“Personal Data”: any information relating to a natural person, identified or identifiable even indirectly by reference to any other information. An identifiable person is any natural person who can be identified, directly or indirectly, by reference in particular to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

“Consent” of the User: it is the expression of the User’s free, specific, informed and unequivocal intent, by which the User declares his/her consent by means of a statement or an unequivocal positive action, so that personal data concerning him/her may be processed.

“Marketing” means the performance of activities of a commercial, advertising and promotional nature, including but not limited to, advertising material, direct sales, market research or commercial communication, or any promotional activities carried out by the Data Controller.

“Products” means the medical devices of the “NovoX” line available for purchase on the Website in the dedicated “Products” section and in the individual product pages by the User/Consumer.

“Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automatic means, such as the collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other forms of data availability, comparison or interconnection, restriction, cancellation or destruction.

“Profiling” is the Processing by computer and automated means consisting of the use of Personal Data to evaluate certain personal aspects and/or relating to the professional performance, economic situation, personal preferences, interests, reliability in payments, behaviour, location or movements of the natural person.

“Data Controller” is the natural or legal person who, individually or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Processor” is the natural or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller.


Data Controller

Personal Data Controller is Moss S.p.A., in the person of its legal representative pro tempore, with registered office in Via all’Erno n. 5, Lesa – 28040 – (NO) Italy, and enrolment in the Register of Companies of Novara with Economic and Administrative Index no. 195160, e-mail, phone +39 0322 772109 fax +39 0322 292664.


Personal Data subject to Processing

Personal Data of Users of legal age.

The Personal Data subject to Processing are:

i) those provided by the User to the Data Controller through registration on the Website, such as name, surname, e-mail address, residence, telephone number, tax code, VAT number, billing address, shipping address, as well as any other Personal Data that the User voluntarily provides;

ii) those provided by the User/Consumer to the Data Controller during the transactions for the purchase of Products on the Website, such as name, surname, e-mail address, residence, telephone number, tax code, VAT number, billing address, shipping address, as well as any other Personal Data that the User voluntarily provides;

iii) name, surname and e-mail address of the User given to the Data Controller in order to receive the “newsletter”;

iv) those provided by the User to the Data Controller by filling out the contact/information request form, such as name, surname, e-mail address, telephone number, as well as any other Personal Data that the User voluntarily provides. Moss does not require the provision of any data belonging to special categories, such as data relating to the health of the User. Considering the nature of the Products, the User, without solicitation from the Data Controller, may voluntarily provide data relating to his/her health by filling out the contact/information request forms on the Website to obtain information on the Products.


Purposes of the Processing of Personal Data and legal basis

The purposes for which the Data listed in article 3 above are processed are as follows:

a) with regard to the Data under article 3 point i) above, for the registration of the User on the Website through the creation of a personal account, which allows the User to enter the data necessary for online purchase with a faster checkout, to review the orders placed and to access the purchase history. In case of a refusal or objection to the data processing, registration on the Website will not be possible;

b) with regard to the Data under article 3 point ii) above, to allow the purchase of Products on the Website. In case of refusal or objection to the data processing, the sale of the Products will not be possible;

c) with regard to the Data under article 3 point iii) above, to offer the User the newsletter service, to which the User subscribes on a voluntary basis and which provides news about the Products and news related to Moss S.p.A. and in general for marketing purposes. In case of refusal or objection to the data processing, it will not be possible to receive the newsletter or promotional communications;

d) with regard to the Data under article 3 point iv) above, to reply to the User in the event of a request for information through the appropriate sections of the Website. In case of refusal or objection to the data processing, it will not be possible to answer questions or carry out the User’s requests.

The legal bases of the Data Processing are:

– with regard to the purposes indicated in points a) and b) above, the performance of the contract of sale of the Products to which the User is a party;

– with regard to the purposes indicated in points c) and d) above, the User’s consent.



The Website uses automatic systems to collect data not directly provided by Users, such as cookies, small text files that the websites visited by Users send to their terminals, where they are stored and then retransmitted to the same websites on the next visit.

The “technical” cookies (first party cookies) are used on the Website for the sole purpose of making it possible for the User to navigate the Website and to use its features. These cookies, being of a technical nature, do not require the prior consent of the User to be installed and used.

Analytics cookies (third party cookies), on the other hand, are used on the Website to collect statistical information, in aggregate form or otherwise, on the number of users accessing the Website and how they visit it. The User’s consent will always be required for the installation of analytics cookies. Furthermore, the User is free to block the installation of analytics cookies at any time, which will not prevent him/her from visiting the Website and enjoying its contents.


Data access

Personal Data will be processed by:

  1. employees, collaborators and/or consultants, associates and partners of the Data Controller, in their capacity as parties in charge and/or internal data processors and/or system administrators;

  2. third party companies or other subjects (by way of example, Website providers, cloud providers, hardware and software support technicians, etc.) who carry out activities on behalf of the Data Controller, in their capacity as Data Processors.

The Data Controller adopts suitable security programs on all its information systems, in order to guarantee the confidentiality of information. Our security programs are periodically updated in line with technological developments.


Methods of data processing

The Processing of Personal Data is carried out by means of the following operations: collection, recording, organization, storage (where necessary), consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of Personal Data carried out with the help of electronic instruments and/or manually, ensuring the use of appropriate measures for the security of the data processed and ensuring data confidentiality.

The User’s Personal Data are collected electronically during the use of the requested Services, also through data cross-referencing, as well as through the use of the e-mail service.

The User’s data, stored on electronic/magnetic/informatics media, are kept and archived on a server located in the EU territory; the Personal Data stored on hard copy will be kept in special registers and/or cards; they will be filed in special containers and kept in appropriately set up rooms.

The User’s data stored on the server and/or in appropriately set up rooms shall be protected against the risk of intrusion and unauthorized access and are subject to security measures to ensure their integrity and availability.


Disclosure of Personal Data

Personal Data may be communicated to specific subjects for the performance of the Services requested and for the fulfilment of regulatory obligations.

In particular, the User’s Personal Data will be communicated to:

  1. subjects designated and/or appointed by the Data Controller to carry out the activities or part of the activities related to the provision of the requested Services, and to any other external collaborator to whom the communication is necessary for the proper performance of the Services;

  2. supervisory bodies, judicial authorities, insurance companies for the provision of insurance services, as well as to all those subjects to whom communication is mandatory by law.

In any case, the data processed will not be disseminated.


Transfer of Personal Data to a Third Country

The User’s Personal Data may not be transferred to non-EU Countries, with the exception of services expressly requested by the User or in specific cases for which the Data Controller will adopt adequate guarantees and will inform the User.


User Rights

Users are entitled to obtain, at any time, confirmation of the existence of their Personal Data and the purposes for which the data are processed.

Users also have the right to request the updating, rectification, deletion or blocking of Personal Data and to object to their Processing in whole or in part; they also have the right to data portability.

The User’s rights regarding privacy are explained below. Specifically:

  1. Users have the right to obtain confirmation as to whether or not their Personal Data are being processed, and to obtain access to said Personal Data and to the following information.

Users are entitled to obtain:

  1. name and contact details of the Data Controller and, where applicable, of its representative;

  2. contact details of the Data Protection Officer, where applicable;

  3. categories of Personal Data, their origin, the purposes of the Processing for which such data are intended and the legal basis of the Processing;

  4. legitimate interests, if any, pursued by the Data Controller or by third parties;

  5. any recipients or categories of recipients of Personal Data;

  6. where applicable, the Data Controller’s intention to transfer Personal Data to a third Country or to an international organisation and the existence or absence of a Commission adequacy resolution or reference to appropriate or adequate safeguards, as well as the means of obtaining a copy of such data or the place where such data have been made available.

In addition to the above-mentioned information, the Data Controller informs the User of the following rights:

  1. to know the period of retention of Personal Data or, if this is not possible, the criteria used to determine such period;

  2. to request from the Data Controller access to and rectification or deletion of Personal Data or restriction of their Processing, or to object altogether to their Processing, as well as the right to data portability;

  3. if the Processing is based on the User’s Consent, about the existence of the right to revoke it at any time without prejudice to the lawfulness of the Processing based on the Consent given before the revocation;

  4. to lodge a complaint with a supervisory authority (Privacy Authority or similar EU bodies);

  5. to know whether the disclosure of Personal Data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract and whether the User has an obligation to provide Personal Data, as well as the possible consequences of not providing such data;

  6. to know about the existence of an automated decision-making process, including profiling, and, if this process produces legal effects concerning the User or significantly affects his/her person, meaningful information on the logic used, as well as the importance and the expected consequences in relation to such processing for the User.

Users also have the right:

  1. to obtain from the Data Controller the rectification of any inaccurate Personal Data concerning them, without undue delay. Taking into account the purposes of the Processing, the User has the right to obtain the supplement of incomplete Personal Data, also by providing an additional declaration;

  2. to receive, in a commonly used and easily readable format, their Personal Data and to transmit such data to another Data Controller without hindrance;

  3. to obtain from the Data Controller the deletion of their Personal Data, in connection with the obligation of the Data Controller to delete the Personal Data without undue delay, if one of the following reasons exists:

    • Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    • the User revokes the consent on which the Processing is based and if there is no other legal basis for the Processing;

    • the User objects to the Processing and there is no overriding legitimate reason to proceed with the Processing;

    • Personal Data have been unlawfully processed;

    • Personal Data must be deleted in order to comply with a legal obligation imposed by the European Union or by the Member State law to which the Data Controller is subject;

  4. to obtain from the Data Controller a limitation of the processing operations.

In order to exercise the above-mentioned rights, as well as to receive information regarding the subjects to whom the data are disclosed, or the subjects who, in their capacity as managers or appointees, may become aware of the data, the User may contact the Data Controller by sending a request to the latter using the contact details provided in this policy and available on the website.

The Data Controller shall provide the User with information regarding the action taken with respect to a request made by him/her without undue delay and, in any event, no later than 1 (one) month after receipt of the request. This period may be extended by 2 (two) months if necessary, taking into account the complexity and the number of requests. The Data Controller shall inform the User of such extension and the reasons for the delay, within 1 (one) month of receipt of the request. If the User submits a request by electronic means, the information shall be provided, where possible, by electronic means, unless otherwise specified by the User.

If the answers and the assistance provided by the Data Controller are not satisfactory, the User has the right to contact the Data Protection Authority.


Processing duration

The processing of Personal Data shall have a duration equal to that necessary for the performance of the Services requested, to which shall be added the further period provided for by law in compliance with all the applicable civil, fiscal and tax obligations.

At the end of the period of Personal Data Processing, the Personal Data shall be deleted or permanently anonymised.


Privacy Policy Updates

This policy is subject to occasional revisions.

If changes are introduced to the Processing, the Data Controller shall give appropriate notice to the User, by publishing said changes on the Website. Where required by the applicable legislation, the User shall be entitled to give his/her consent to any new processing. In case of refusal, the User’s data shall not be processed based on the changes contemplated in the privacy policy.


Data Processors

The updated list of the Data Processors is kept at the headquarters of the Data Controller. The User may request this list at any time.