Your cart is empty
You may check out all the available products and buy some in the shop
Return to shopPrivacy Policy
Preamble
The Fantino House, operated by the company LakeHouse S.à r.l-S, makes bespoke garments. This activity inherently involves the collection and processing of personal data, including particularly intimate data: the customer's body measurements.
This policy describes, in full transparency, what data is collected, why, for how long, who accesses it, and how the customer can exercise their rights. It complies with Regulation (EU) 2016/679 (GDPR) and the Luxembourg law of 1 August 2018 organizing the National Commission for Data Protection.
1. Data controller
- Controller: LakeHouse S.à r.l-S
- Operating the brand: Fantino® (BOIP no. 1547041)
- Registered office: 25B Boulevard Royal, L-2449 Luxembourg
- RCSL: B300387
- GDPR contact: contact@fantinolux.com
- Phone: +352 661 502 12
Given the size of the company and the nature of the processing, the formal appointment of a Data Protection Officer (DPO) is not mandatory under Article 37 of the GDPR. A data protection contact is nevertheless identified internally and reachable at the address indicated above.
2. Categories of data collected
The House carefully distinguishes three categories of data, processed with different levels of precaution:
- a) Identification and contact data
• Title, surname, first name, date of birth (optional).
• Postal address, delivery address.
• Email address, telephone number.
• Customer account identifiers (email, encrypted password). - b) Order and payment data
• Order history, delivery preferences, saved addresses.
• Payment methods: processed exclusively by approved providers (Visa/Mastercard/American Express, PayPal, SEPA). The House does not keep any banking data on its servers.
• Delivery tracking numbers, history of communication with customer service. - c) Body measurement and style profile data
This category requires particular attention and is the subject of a dedicated chapter below (section 3).
3. Specific processing of body measurements
WHY A SEPARATE CHAPTER?
Body measurements are personal data within the meaning of the GDPR. Depending on the circumstances and their level of precision, they may approach or fall under health data (Article 9 GDPR) when they reveal elements relating to weight, body shape, build or a possible physical particularity.
The House considers as a matter of principle, and out of an abundance of caution, that this data deserves a reinforced level of protection, whether or not it is formally classified as sensitive data.
3.1 Precise nature of the measurements collected
- Chest, waist and hip circumference.
- Shoulder width, back width.
- Back length, front length, total garment length.
- Neck, biceps, wrist circumference, sleeve length.
- Total height, inside and outside leg length, thigh circumference, calf circumference.
- Postural observations: asymmetrical shoulders, curvature, head carriage, pelvic tilt, etc.
- Where applicable, indicative weight and height if communicated by the customer.
This data may be supplemented by fitting photographs taken during fittings, only with the customer's explicit consent.
3.2 Exclusive purposes
- The making of the ordered garment.
- The associated fittings and alterations.
- Archiving the customer's pattern to allow future orders without completely retaking the measurements.
- The production of anonymized internal statistics, where applicable, for the purpose of improving the workshop (standard templates, evolution of standards) — never for a commercial or advertising purpose.
3.3 Legal basis
The processing of measurements is based on the performance of the making contract (Article 6(1)(b) of the GDPR). The collection of the data necessary for the making is an essential condition for the provision of the service: a refusal makes performance impossible.
Fitting photographs, if taken, are subject to explicit consent that is revocable at any time (Article 6(1)(a) and Article 9(2)(a) of the GDPR).
3.4 Reinforced security measures
- Access strictly limited to the tailors, cutters and workshop staff directly involved in the order concerned.
- Storage on a secure internal system, encrypted at rest and in transit, separate from marketing or accounting tools.
- Pseudonymization during external exchanges with any partner workshops: measurements are never communicated with full identification data.
- Possible physical archiving under secure conditions (locked cabinets, access-controlled premises).
- Formal prohibition on staff sharing, photographing, exporting or using this data outside its purpose.
3.5 Retention
The measurement data is kept:
- For the entire duration of the commercial relationship.
- Then for an additional period of ten (10) years after the last order, in order to allow new making or alterations without completely retaking the measurements, in accordance with the practices of the trade and the heritage value of a bespoke pattern.
- At the end of this period, the data is deleted, unless an extended retention request is expressly made by the customer, or if the law requires it for other reasons (accounting, ongoing dispute).
The customer may at any time request the early deletion of their measurements, without prejudice to the consequences for the performance of an ongoing order or for the possibility of ordering again without retaking measurements.
3.6 Recipients
Measurement data is only communicated to the persons and entities strictly necessary for the performance of the order:
- Authorized staff of the House (tailors, cutters, workshop, customer relations).
- Partner workshops and makers under a subcontracting contract compliant with Article 28 of the GDPR, in pseudonymized form as far as possible.
- No transfer for commercial, advertising or public statistical purposes. No sale, no rental, no sharing with non-provider third parties.
4. Other processing purposes and legal bases
- Management of customer accounts, cart, wishlist (legal basis: performance of the contract).
- Invoicing, accounting and tax obligations (legal basis: legal obligation).
- Fraud prevention and site security (legal basis: legitimate interest).
- Sending the newsletter and commercial communications (legal basis: consent, revocable at any time).
- Management of reviews, testimonials and editorial photographs (legal basis: explicit consent of the customer).
- Service improvement and site usage statistics (legal basis: legitimate interest; the data is aggregated or anonymized as far as possible).
5. Retention periods — overview
| DATA CATEGORY | RETENTION PERIOD |
|---|---|
| Customer account (identifiers, contact details) | Duration of the relationship + 3 years after the last contact |
| Measurements and patterns | Duration of the relationship + 10 years after the last order |
| Fitting photographs (if consented) | 5 years, or until consent is withdrawn |
| Order history | 10 years (accounting obligation) |
| Invoices and accounting documents | 10 years (legal obligation) |
| Newsletter | Until consent is withdrawn |
| Browsing data and cookies | 13 months maximum (CNPD recommendation) |
| Customer service correspondence | 3 years after the closure of the exchange |
6. Recipients and processors
The data is processed by the authorized staff of the House and by strictly selected processors. The main ones are:
- Hostinger International Ltd. (Cyprus, EU) — site hosting.
- Approved payment providers — secure processing of bank transactions.
- Carriers — delivery of orders.
- Emailing platform — sending the newsletter (subject to consent).
- Partner workshops and makers — making, under a subcontracting contract compliant with Article 28 of the GDPR.
No data is transferred outside the European Union without appropriate contractual safeguards (standard contractual clauses or adequacy decision).
7. Your rights
In accordance with Articles 15 to 22 of the GDPR, each data subject has the following rights:
- Right of access to the processed data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction of processing.
- Right to portability, for processing based on the contract or consent.
- Right to object, in particular to commercial solicitation.
- Right to withdraw consent at any time, for processing based on it.
- Right to define guidelines regarding the fate of their data after their death.
To exercise these rights, simply write to contact@fantinolux.com or by post to the registered office address. A response will be sent within one month (extendable by two months for complex requests, with reasoned information).
8. Cookies
The use of cookies on fantinolux.com is governed by a separate Cookie Policy, accessible from the footer of the site. The customer can manage their preferences at any time via the dedicated module.
9. Security
The House implements appropriate technical and organizational measures to protect the data: SSL encryption in transit, encryption at rest for sensitive data, restricted access to databases, encrypted backups, two-factor authentication for critical tools, regular internal awareness. In the event of a data breach presenting a risk to the data subjects, the CNPD is notified within 72 hours in accordance with Article 33 of the GDPR, and the data subjects are informed if the risk is high (Article 34).
10. Changes
This policy may be updated to reflect changes in our practices, the tools used or the regulations. The version in force is the one published on fantinolux.com. Substantial changes are brought to the attention of customers by email or by a visible notification on the site.