Depending on how you interact with us (online, offline, by phone, etc.), we may collect from you various categories of Data, which are described in more details below.

a) Data you provide to us

You may provide the following categories of Data when you interact with us for instance when you visit our Sites, our stores, or when you participate in one of our promotional operations, etc.

• Identification information: this includes information such as your name, surname, age or age range, title, date of birth, general geographic location (e.g., postcode or city and state), etc.

• Contact information : this includes any information that would allow us to personally contact you, such as your home address, billing address, your email address, or your phone number (home, mobile), etc.

• Order and product information: this includes details of the products you have ordered and searched for online or in our shops, the date and time of your orders and searches and the shops you prefer to visit, etc.

• Habits and preferences: this includes any information related to your preferences and interests such as your favourite products, lifestyle information, your concerns in terms of beauty and care, etc.

• Payment and transaction-related information: this includes any information that you use to make a purchase, such as your payment card details. Payments made on the Site are made through our payment gateway providers, ADYEN, PAYPAL, APPLE PAY, or AFTERPAY. Please note that we do not have access to the payment details you provide to these providers which operate autonomously. For more information please refer to the relevant service providers privacy policy.

• User-generated content and posts: this refers to any content (suggestions, testimonials, surveys or other any other feedback) that you voluntarily share with us about your experience in using our products or services. This also includes your posts on our applications, such as our Facebook fan pages (photos, videos, personal stories, or other similar media or content).

• Information on adverse events: this might include information on your allergies, intolerances and other health-related information, which might be related to our products, that you provide to our customer service. Please note that we only use this information in accordance with our legal obligations to follow-up on adverse events reported to us by our customers (in accordance with EU Regulation on cosmetic products no.1223/2009 as transferred under UK law).

• CCTV: your image may be recorded on CCTV when you visit one of our shops. We might have to use it for security reasons. We regularly delete the footage unless an incident or alleged incident requires investigation or action.

b) Automatically collected Data

The following categories of Data may be collected automatically when you navigate though our Sites, thanks to various tracking technologies such as browser cookies:

• Technical information: such as your IP address, the browser you use or other technical data related to your device, etc.

• Connection data: such as your identifiers, date and time of connection to your account, to our Sites, etc.)

• Data relating to your use of our Sites and applications: pages viewed, products you searched for, duration of your visit, etc.

For more information on our use of cookies, please see out Cookie Policy

c) Data we receive and collect from other sources

• Third parties and advertising partners: we may obtain information, including Data, from third parties and sources other than our Site, such as our partners or advertisers. This may be the case when you accept cookies, which help us understand your activities, how you use our services, the purchases you make, the advertisements you watch, etc.

• Social media partners: we might receive information from social media platforms when you use your social network account such as Facebook, to access one of our services (eg to participate in one of our promotional operations or to make a purchase without having to create an account on our site) or when using social media plug-ins (eg “like” and “share” buttons).

We generally use your Data on the basis of the following grounds:

• The performance of the contract we have with you: in certain circumstances, we need your Data to execute our contractual obligations. For example, if you buy products through our Site, we need your name and contact details so we can communicate with you and deliver the products you ordered. If you do not provide your Data, we will not be able to provide you with the requested products and services;
• Your prior consent: in certain cases, we may ask for your consent before using your Data. For instance, we will always ask for your permission to send you promotional communications. In other cases, we may also obtain your explicit consent (e.g., in relation to the profiling activities referred to in Section 5 below);
• Compliance with a legal obligation applicable to us: sometimes we have to collect and use your Data in order to comply with our own legal obligations. For example, tax laws require us to keep trace of invoices related to your purchases;
• Our legitimate interests:this is a legal term which means we have a good and fair reason to use your Data and we do so in ways which do not hurt your rights and interests. For instance, we do analyse how you interact with our Site so we can better understand what elements of the design are working well and which are not working so well. This allows us to improve and develop the quality of the online experience we offer to our users;
• Your vital interests: in certain cases, we may process your personal data to protect your vital interests (e.g., to notify you if we become aware of product safety issues relating to products you have purchased); and/or
• Legal claims: in certain cases, we may process your personal data in the context of establishing, exercising or defending legal claims.

We may collect, use and disclose your Data for the main following purposes:

To have a better overall understanding of you as a customer, we may combine information about you gathered across various channels. For example, Data collected in the course of your online activity (e.g. shopping, account creation, etc.) may be combined with Data we collect when you visit one of our stores (if you have consented).

This Data enrichment may also occur between different brands of the Orveon Group. For example, if you make an online purchase on the bareMinerals website and then create an online account with the same email address on the website of another Orveon Group brand (e.g., Laura Mercier or BUXOM), the Data collected through these two websites may be combined to enrich your customer profile.

This helps us to propose products and advice that is most relevant to your interests at particular times, by email (where we have your consent) or when you visit one of our stores.

Under no circumstances will this enrichment allow us to send you communications relating to another brand of the Orveon Group if you have not consented to it.

You can object to these “profiling” operations at any time by contacting us. Please refer to the “Your rights and choices” section.

• Other brands of the Orveon Group: Some of your Data may be shared with the other brands of the Orveon Group (e.g., Laura Mercier or BUXOM), for example, to enrich your customer profile and to update your Data as regularly as possible.
• Other members of the Orveon Group:your Data may be shared with the other members of the Orveon Group who are involved in our customer relationship management.
• Third party vendors and providers:your Data may be accessible to selected third parties vendors or providers acting on our behalf and our instructions, for the needs of the purposes described above in section 4. For example, our transporters will need to access your Data to deliver the products you ordered, our marketing campaign providers will need to access your Data to send you the relevant communications, our maintenance providers might need to access your Data in case of technical incident, etc.
  In any case, we require such third parties to:
  • be subject to strict contractual data protection and confidentiality obligations;undertake to comply with all applicable data protection laws and exclusively for the purposes specified in the contract with have with them;
  • implement appropriate technical and organizational security measures designed to protect the integrity and confidentiality of your Data.

• Public and judicial authorities: we might need to share your Data with public authorities when the law requires us to do so. For instance, we might be requested to provide invoices to tax or financial authorities, or to provide information related to adverse events linked to the use of our products to health authorities. We might also need to share your Data with judicial authorities in the event of a litigation.
• Our professional advisers: we also may share your Data when necessary with our professional advisers, such as our accountants, auditors, lawyers, insurers, etc.
• Potential acquirers and other stakeholders involved in our business transfers:we might share your Data in the event of an acquisition, merger, sale, corporate restructuring. In this context, the acquirer will act as the new controller of your Data.

In any case, please rest assured that we only grant access to your Data on a need-to-know basis, and that such access is limited to the Data that is strictly necessary to perform the purpose for which such access is granted. We will never rent, trade or sell your Data to third party companies.

Orveon is a multinational organization with affiliates, vendors and partners located in many countries around the world. For that reason, we may need to share your Data with entities located in jurisdictions which may not be regarded as providing the same level of protection as yours.

In all cases, we ensure that adequate safeguards, as required under the applicable data protection legislation, are in place. Such safeguards may include:

• adequacy decisions issued by the UK Government (that data protection legislation in the recipient jurisdiction provides an ‘adequate’ level of protection for personal data);
• Standard Contractual Clauses approved by the EU Commission (with respect to transfers out of the EEA) and the UK Government (with respect to transfers out of the UK); or
• our providers’ Binding Corporate Rules (often known as ‘BCRs’)

For more information about the transfer of your Data, you can contact our Data Protection Officer (please refer to the “Your rights and choices” section).

We know how much data security matters to all our customers and take all appropriate steps to protect your Data from unauthorized access, alteration, disclosure, or destruction. We pay particular attention to sensitive data, especially payment card data, allergy or intolerance data.

Please note, however, that any information you choose to share in public areas such as our website community features, or other social areas is by definition considered as public and can be seen by anyone accessing the related platform.

We will retain your Data for the period necessary to fulfil the purposes outlined in this Policy (see section 4).

The criteria used to determine such retention periods include:

• the length of time we have an ongoing relationship with you;
• whether there is a legal obligation to which we are subject imposing or authorizing us to keep you Data.

Our Sites are not directed to anyone under 16 years of age. We do not solicit or collect any type of information from a person known to be under the age of 16.

If we become aware that we have accidentally collected information from a child, we will remove that information from our records as soon as feasibly possible.

In accordance with the applicable data protection law, you have the right to request:

• Access to the Data we hold about you;
• The correction of your Data if they are incomplete or inaccurate;
• The erasure of your Data, in the cases provided by law. Please note that in some cases, we may be obliged to retain your Data anyway, for legal or legitimate reasons;
• The interruption of the use of your Data by withdrawing your consent at any time where our “lawful basis” is consent, or by objecting to the use of your Data where our “lawful basis” is our legitimate interests and that we have no legitimate overriding interest;
• The restriction of the use of your Data, in the cases provided by law (e.g., for us to stop carrying out the data enrichment and profiling activities described in Section 5); and/or
• To obtain a copy of the Data you provided us, in a commonly used format, to transmit it to another data controller, in the cases provided by law.

To exercise your rights or for any further questions related to the use of your Data, please contact our Data Protection Officer:

• Via our online contact form
• Via our postal address: The Adelphi, 1-11, John Adam St, Floor 10, London, WC2N 6HT, UK

Please note that to process your request, we may ask you for proof of identity.

If you feel that your Data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your Data, you have the right to lodge a complaint with your local data protection authority.