Effective Date: 19th June 2023
ESPA is committed to protecting our customer's privacy. Please take the time to review this notice which explains what information we collect about you, how we use it, and your rights. THG Beauty Limited (“ESPA”, “we” or “us”) is the data controller of the personal data collected via or in connection with espaskincare.com and any associated App (the “Site”).
If you are a resident of California, please also refer to Section13.“CaliforniaPrivacy Supplement” for information about the categories of personal information we collect and your rights under California privacy laws.
What personal data we collect and how
Personal data, or personal information, means any information about an individual from which that person can be identified.
Personal data we collect directly.We collect personal data from you when you provide it to us directly and through your use of the Site, including:
Registration and profile information, such as information you provide to us when you use our Sitee.g. your name, contact details, gender, and any information which you add to your account profile. For example, we may allow you to provide additional (voluntary) information, such as your body type, skin type, hair type, hair condition, training regime, performance goals, height and weight.
Transaction and billing information, if you make any purchases from us or using our Site e.g. credit/debit card details and delivery and shipping information.
Records of your communications and interactions with us, such as when you email, call, or otherwise contact us, we collect and maintain a record of your contact details, communications and our responses. We also maintain records of communications and information that you post in chat sessions, forums and in other areas of the Site, and on our social media channels.
Sweep stakes, contest and promotions information, such as information you provide us when you participate in a competition or promotion.
Surveys and product reviews ,e.g. if you participate in one of our surveys or provide information to us as part of product or service reviews.
Events e.g. if you register for or attend an event that we host or sponsor, we may collect information related to your registration for and participation in such event.
Marketing and communications data e.g. records of your preferences about receiving marketing and communications from us.
Foundation Finder tool - if you choose to use this, we’ll ask you to upload a photograph and answer a few questions so that we can recommend a make-up foundation that matches your skin tone and the style you’re after.
If you shop in one of our stores we may combine any information you provide to us in-store (e.g.when you make a purchase or join our mailing list in-store) with the information we otherwise collect about you.
Personal data collected automatically. We automatically collect personal data related to your use of our Site and interactions with us and others, e.g. using cookies and pixel tags, as well as information we derive about you and your use of theSite. This includes:
Activities and usage information related to your use of the Site, such as links clicked, searches, features used, items viewed, time spent within the Site, files uploaded, products and items you view and items you add to your basket.
Location information. We may collect or derive location information about you, such as through your IP address. With your permission, we may also collect geolocation information from your device. You may turn off location data sharing through your device settings.
Personal data we receive from other sources.In some circumstances, we may receive personal data from third parties, including:
Verification data:e.g. data collected from third party service providers used to verify your identity and prevent fraudulent activity.
Social media monitoring: If you visit our pages on social media sites, we collect information such as what you click on and view, your comments, likes and reactions, your location (country/region),details of your device and internet connection, your social media profile details and user ID.
Operators of other websites:We may receive product reviews from operators of other websites and display such reviews on our own Site.
Demographic information:We may receive demographic information from third party advertising partners to help us better personalise ads. See section 4 “Cookies andPersonalisation” for more information.
How we use personal data
Depending on how you use our Site, your interactions with us, and the permissions you give us, the purposes for which we use your personal data include:
Online accounts. To register you as a customer andmaintain your online account.
Fulfil orders.To fulfil your order, including managing payments, charges,refunds and returns.
Respond to your requests.To manage and respond to any queries or complaints to our customer service team.
Provide recommendations.If you use our product finder tools, such as our Foundation Finder, we use the information youprovide to recommendproductsfor you.We’ll also use the image, details of recommended products and any feedback tofurther improve the functioning of the tool and related services, or to develop similar tools and services.
Personalise content and experiences.To personalise theSite and show you content we think you will be mostinterested in, based on your account information, your purchasehistory and your browsing activity.
Operate and improvetheSite and our business.Todisplay the Site anditsfonts (which may include Google Fonts),improve and maintain the Site, and monitor its usage, to better understand howusers access and use theSite, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our business operations, to develop services and features, and for internal quality control and training purposes.
Events.If we run or sponsorevents we may collect personal data in connection with your attendance.
Research and customer satisfaction.For market research and surveys,e.g. we may contact you for feedback about our products or forcustomersatisfaction purposes.
Marketing and advertising.To send you marketing messages and show you targeted advertising, where we have your consent or are otherwise permitted to do so.
Security and protection of rights.For security purposes, to prevent, detect, and investigate fraud and other unauthorised activities and access, and where necessary to protect ourselves, our business and third parties.
Compliance with law and legal process. To comply with the law and our legal and regulatory obligations, to respond to legal process and in relation to legal proceedings.
Internal business operations.For general business and operational support,e.g. to consider and implement mergers, acquisitions, reorganisations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions.
Legal bases under EU/UK data protection laws. We rely on the following legalbasesunder data protection law to process your personal data:
Because the processing is necessary toperform a contract with you, or take steps prior toentering into a contract with you (e.g. where you have made a purchase with us, we use your personal data to process the payment and fulfil your order).
Because we have obtained yourconsent(e.g. if you consent to receive marketing from us or agree to the use of non-essential cookies). If you have consented to a processing activity, you can withdraw your consent at any time. We explain how to do this in the Cookiesand Personalisationsection(section 4)and Marketing section (section 5) ofthis policy.
Because it is in ourlegitimate interests as an e-commerce provider tomaintain,promoteand protectour business and services. We are alwaysseeking to understand more about our customersin order to offer the best products and customer experience. We use information about youtotailor your view of theSite, to make it more interesting and relevant in respect of the products and offers on view.
Invery limited cases, because it is necessarytocomply with a legal obligation which we are subject to.
Who do we share personal data with?
We may share your personal data with third parties, for the purposes described above, in the following circumstances:
With other companies in our group of companies.
With our suppliers and service providerswho process the data on our behalf, e.g., payment processors and delivery companies.
With our professional and legal advisors.
With third parties engaged in fraud prevention and detection.
With third party platforms,providers and networks. We maydisclose or make available personaldata to third party platforms and providers that we use toprovideour Site and its features. We may also make personal data available to third parties in support of our marketing, analytics,advertising and campaign management. See Section4 “Cookies andPersonalisation” for more information.
With operators of other websites.We share product reviewssubmitted to our Site with other website operators who display these reviews on their own websites.
With law enforcement or other governmental authorities, e.g., to report a fraud or in response to a lawful request.
Inrelation to mergers, acquisitions, investments and asset transfers,personal data will be transferred to theother party to the transaction.We may also share certain personal data as part of the preparation forthe transaction withlenders, auditors, and third-party advisors, includinglawyers and consultants.
Tocomply with legal obligations. We mayshare personal datawiththird parties tocomply with our legal and compliance obligations and to respond to legal processe.g. in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement and government bodies. This may include responding to national security or law enforcement disclosure requirements and disclosures that wearerequired to make under applicable laws, such as the names of sweepstakes and contest winners.
Otherwise where we have your consent or are legallypermitted to do so.
We use this information toprovide functionalityonthe Site, to understand and measureSite performance, to understand how users access, use and interact with others, and to deliver targeted advertising and content on our Site andthird party sites.
We also use it toidentify and resolve bugs and errors in ourSite and to assess, secure, protect,optimise and improve the performance of ourSite.
Personalisedadvertising.We work with third parties, such as ad networks,social media platforms, analytics and measurement services and others topersonalisecontent and display advertising within ourSite,and to manage our advertising on thirdparty sites, mobileapps and online services.
For example, you may see ads for our Site on third party websites, including on social media. These ads may be tailored to you using cookiesand similar technologieswhich track your web activity on our Site and across other websites and online services,to enable us to serve ads tocustomerswho have visited our Site.
We may also engagethird parties, includingsocial networks to show ads to our customers, or users who match the demographic profile of our customers.This may involve sharinginformation, such asyour name, email address, and other contactand purchaseinformation withthesethird partiesso that we can better target ads and content to you across third party sites,platforms and services.These third parties mayalsohelp us to enhance our customer lists withadditional demographic or other information, so we can better target our advertising and marketing campaigns.
If youdo not want to seepersonalised ads you can change your cookie preferences using the tool available on our Site, as explained below, and by adjusting your privacy settings on third party websites and platforms.
Manageyourpreferences. You can manage your preferences for cookies andpersonalisation used by us asexplained below.
Cookie preference tool.You can review and update yourcookiepreferences for our Site and opt out of most cookies and trackers on our Site (other than those that arestrictlynecessary)within our CookiePreference Toolaccessible via the cookie icon at the bottomleft hand corner of the webpage. Your preferences arebrowserand devicespecific soyou need to set the preference for eachbrowserand device you use to access our Site. If youdelete or block cookies, you may need to reapply these preferences.
Industryad choice programs. You canget more information aboutpersonalisedadvertising and opt out ofpersonalisedadvertising byparticipating thirdparty ad companies through industry ad choices programs, including:
Please note that opting out of cookies and trackers on our Site does not mean that you will no longer see ads from us. You may continue to see generic or “contextual” ads.
We love to communicate with our customers. Depending on your marketing preferences, we may use your personal data to send you marketing messages by email, SMS,phoneand post. Some of these messages may be tailored to you, based on yourprevious browsing or purchase activity, and other information we hold about you.
If you no longer want to receive marketing communications from us (or would like to opt back in!), you can change your preferences at any time by contacting us (details below), clicking on the ‘unsubscribe’ link in any email, or updating your settings in your account. If you unsubscribe from marketing, please note we may still contact you with service messages from time to time (e.g. order and delivery confirmations, and information about your legal rights).
Transfers ofpersonaldata to other countries
We use service providers, and have group companies, in countries around the world. Your personal data may therefore be processed in countries outside of Europe, including in countries where you may have fewer legal rights in respect of your data than you do under local law. If we transfer personal data outside the UK/European Economic Area we will ensure that your privacy rights are adequately protected byappropriate safeguards, which may include the European Union’s standard contractual clausesand UKequivalent. Please contact us if you would like more information about these safeguards.
We will keep your personal data in line with our data retention policy, for as long as we need it for the purposes set out above,so this period will vary depending on your interactions with us. For example, where you have made a purchase with us, we will keep a record of your purchase for the period necessary for invoicing,tax and warranty purposes. We may also keep a record of correspondence with you (for example if you have made a complaint about a product) for as long as is necessaryin connection with any legal claim.
We implementappropriate technical and organisational security safeguards to protect your data from loss, misuse, and unauthorised access, disclosure,alteration and destruction. We alsomaintain ISO 27001 and PCI DSS (Payment Card Industry - Data Security Standard) security certifications.
However, please be aware that it is impossible for any company to guarantee the absolute security and integrity of the information that has been transmitted to its website.
Our Site is not intended for, and should not be used by, children under the age of 18. We do not knowingly collect personal data from children under 18.
You have choicesregarding our processing of your personal data as described in this section.
Your rights under data protection laws:Youhave the right to:
Ask for a copy of your personal data,make corrections to your personal data, and in some casese.g. where our purposes for processing havecome to an end, ask us todeleteit.
Object to our use of your personal data in certain situations, including where we use your personal data fordirect marketing. See section5 “Marketing” for details of how to opt out of direct marketing.
Transfer your personal data, in certain circumstances, to another provider, in a commonly used format.
Complain tothe data protection regulator in your country. In the UK this is the Information Commissioner’s Office (www.ico.org.uk).
We willcomply with any requests to exercise your rightsin accordance with applicable law. Please be aware, however, that there areseveral limitations to these rights, and there may be circumstances where we are not able tocomply with your request.
You can exercise your rights by firstname.lastname@example.org.
US residents.If you are a California resident, please review our California Privacy Supplement(section 13)below, for specific information about your rights under California privacy laws and how to exercise them. Residents of certainother USstatesincluding Virginia haveadditional rights under applicable privacy laws, subject to certain limitations, which may include:
The right tocorrect inaccuracies inyour personal information,taking into account the nature and purposes of the processing of the personal information.
The right todeleteyour personal information provided to or obtained by us.
The right toconfirm whether we are processingyourpersonal information and toobtain a copyofyourpersonal information in a portable and, to the extent technicallyfeasible, readily usable format.
The right toopt outof (as applicable) the “sale” ofyourpersonal data, targeted advertising, and anyprocessing of personal information forthepurposes of making decisions that produce legal or similarly significant effects.
The right tosubmit an appeal if we deny your request.
You can opt out of targeted advertising on our Site asset outinSection4 “Cookies andPersonalisation”, and opt out of direct marketing as set out in Section 5 “Marketing”.To exercise your other rightspleasecontact email@example.com.
Changes to thisNotice
ThisNotice is current as of the Effective Datestated above. We may change thisNotice from time to time, so please be sure to check back periodically. If we make materialchangeswewill alert youe.g. bypostingaprominent noticeon theSite or via email.
If you have any queries on any aspect ofour PrivacyNotice, please contact us on the details below:
Telephone: 0161 8131481
Address: Customer Services, Meridian House,Gadbrook Park, Cheshire, CW9 7RA
Our EU representative isThe Hut.com (Poland) sp. z o. o.
The Hut.com (Poland) sp. z o. o.can be contacted atEURep@thehutgroup.com.
California Privacy Supplement
Consumersresiding in Californiahaveadditional rightsin relation to their personal information under California privacy law, including the California Consumer Privacy Act (“CCPA”). If you are a California resident, this section applies to you.This section does not address or apply to our handling of publicly available information or other personal information that is exempt under the CCPA.
Categories ofpersonalinformationcollected anddisclosed.Whilst our processing of personal information varies based upon our relationship and interactions with you, the table below identifies, generally,the categories of personal information (as defined by the CCPA) that wemay collect, andhavein the past twelve monthscollected, about California residents, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose.
Categories of Personal Information
Categories ofThird Party Disclosures
Includes direct identifiers, such as name, alias, user ID, username, account number or unique personal identifier; email address, phone number,address and other contact information; IP address and other online identifiers.
Includese.g. name, account name, user ID, contact information, account number, and financial or payment information), that individualsprovide usin order topurchase or obtain our products and services. For example, this may include information collected when an individual register for an account, purchases or orders our products and services, or enters into an agreement with us related to our products and services.
Includes records ofpersonal property, products or servicespurchased, obtained, or considered, or other purchasing or use histories or tendencies. For example, this may include demographic information that we receive from third partiesin order to better understand and reach our customers.
Internet and electronic network activity information
Including, but not limited to, browsing history, clickstream data, search history, and informationregarding interactions with an internet website, application, or advertisement, including other usage data related to your use of any of ourSite or other online services.
Location information about a particular individual or device e.g., derived from your IP address.
Audio, visual and other electronic data
Includes audio, electronic, visual,thermalor similar information, such as thermal screenings and CCTV footage (e.g., collected from visitors to our stores,offices andpremises; photographs and images (e.g., that youprovide us or post to your profile) and call recordings (e.g., of customer support calls).
Includes professional and employment-related information such as current and former employer(s) and position(s), job application information, business contact information and professional memberships).
Profiles and inferences
Including inferences drawn from any of the informationidentified above to create a profile reflecting aconsumer’s preferences, characteristics,behavior or attitudes.
We collect some information that is considered a protected classification under California/federal law, such as your gender, date of birth, citizenship,andmarital status.
Sensitive personal information
In limited circumstances, we may collect:
Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
Sales andsharing. California privacy laws define a "sale" asdisclosing or making available to a third-party personal information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising. While we do notdisclose personal information to third parties in exchange for monetary compensation, we may “sell” or “share” (as defined by theCCPA):identifiers andinternet and electronic network activity information to/withthird-party advertising networks, analytics providers, and social networks. We do soin order to improve and evaluate our advertising campaigns and better reach customers and prospective customers with more relevant ads and content. We do not sell or share sensitive personal information, nor do we sell orshare any personal information about individuals who we know are under sixteen (16) years old.
Sources ofpersonalinformation.In general, we may collectpersonal information from the following categories of sources:
Directly from the individual
Data analytics providers
Internet service providers
Operating systems and platforms
Fraud prevention service providers
Purposes of collection, use and disclosure. As described in more detail in Section2 “How we use personal data” andSection3 “Who do we share personal data with”, we collect, use,disclose and otherwise process the above personal informationfor thefollowing business or commercial purposes and as otherwise directed or consented to by you:
Respond to yourrequests
Manage our relationship withyou
Personalize content,ads andexperiences
Operate and improve the Site and ourbusiness
Research andcustomer satisfaction
Marketing and advertising
Security and protection of rights
Compliance with law and legal process
Internal business operations
Sensitive personal information. Notwithstanding the above, we only use and disclose sensitive personal information as reasonably necessary (i) to perform our services requested by you, (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents, (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct, (iv) to verify or maintain the quality and safety of our services, (v) for compliance with our legal obligations, (vi) to our service providers who perform services on our behalf, and (vii) for purposes other than inferring characteristics about you. We do not use ordisclose your sensitive personal information other than as authorizedpursuant to section 7027 of the CCPA regulations (Cal. Code. Regs., tit. 11, § 7027 (2022)).
Retention. Weretain personal information only as reasonably necessary for the purposes described above or otherwisedisclosed to you at the time of collection.
CCPArights. Under the CCPA, California residents have the following rights (subject to certain limitations):
The righttoopt-out of our sale and sharing ofyour personal information.
The right tolimit our use or disclosure of sensitive personal information to those authorized by the CCPA.
The rightto thedeletion ofyour personal information that we have collected, subject to certain exceptions.
The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you.
The right to correct inaccurate personal information that we maintain about you.
The right not to be subject to discriminatory treatment for exercising their rights under the CCPA.
Submitting CCPA requests. California residents may make requests to access/know, correct and delete their personal information maintained by us online by emailing firstname.lastname@example.org or by visiting this page. Once we receive your request, we will take steps to verify it by asking you to provide information related to your account or your recent interactions with us, such as information regarding a recent purchase.We will process your request based upon the personal information in our records that is linked or reasonably linkable to the information provided in your request. In some cases, we may request additional informationin order to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify the requestor.If you would like to use an authorized agent to exercise your rights, we may request evidence that you have provided such agent with power of attorney or that the agent otherwise has valid authorization to submit requests on your behalf and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
Opt-out requests.OurSite responds to global privacy control—or “GPC”—signals, which means that if we detect that your browser is communicating a GPC signal, we will process that as a request to opt that particular browser and device out of sales and sharing (i.e., via cookies and tracking tools) on ourSite. Note that if you come back to ourSite from a different device or use a different browser on the same device, you will need to opt out (or set GPC for) that browser and device as well. More information about GPC is available at:https://globalprivacycontrol.org/. You can also opt out of online tracking on our Site via the cookie preference tool (see Section 5for details).
California residents may exercise their right to opt out online by submitting an opt out request to email@example.com by visiting this page https://www.espaskincare.com/help-centre.list. We will apply your opt out based upon the personal information in our records that is linked or reasonably linkable to the information provided in your request.
For more information about our privacy practices, you may contact us as set out in the “Contact Us” section above.