ESPA is committed to protecting our customer's privacy. Please take the time to review this notice which explains what information we collect about you, how we use it, and your rights. THG Beauty Limited (“ESPA”, “we” or “us”) is the data controller of the personal data collected via or in connection with ESPA and any associated App (the “Site”).
If you are a resident of California, please also refer to Section 13. “California Privacy Supplement” for information about the categories of personal information we collect and your rights under California privacy laws.
What personal data we collect and how
Personal data, or personal information, means any information about an individual from which that person can be identified.
Personal data we collect directly. We collect personal data from you when you provide it to us directly and through your use of the Site, including:
- Registration and profile information, such as information you provide to us when you use our Site e.g. your name, contact details, gender, and any information which you add to your account profile. For example, we may allow you to provide additional (voluntary) information, such as your body type, skin type, hair type, hair condition, training regime, performance goals, height and weight.
- Transaction and billing information, if you make any purchases from us or using our Site e.g. credit/debit card details and delivery and shipping information.
- Records of your communications and interactions with us, such as when you email, call, or otherwise contact us, we collect and maintain a record of your contact details, communications and our responses. We also maintain records of communications and information that you post in chat sessions, forums and in other areas of the Site, and on our social media channels.
- Sweepstakes, contest and promotions information, such as information you provide us when you participate in a competition or promotion.
- Surveys and product reviews, e.g. if you participate in one of our surveys or provide information to us as part of product or service reviews.
- Events e.g. if you register for or attend an event that we host or sponsor, we may collect information related to your registration for and participation in such event.
- Marketing and communications data e.g. records of your preferences about receiving marketing and communications from us.
- Foundation Finder tool - if you choose to use this, we’ll ask you to upload a photograph and answer a few questions so that we can recommend a make-up foundation that matches your skin tone and the style you’re after.
- If you shop in one of our stores we may combine any information you provide to us in-store (e.g. when you make a purchase or join our mailing list in-store) with the information we otherwise collect about you.
Personal data collected automatically. We automatically collect personal data related to your use of our Site and interactions with us and others, e.g. using cookies and pixel tags, as well as information we derive about you and your use of the Site. This includes:
- Activities and usage information related to your use of the Site, such as links clicked, searches, features used, items viewed, time spent within the Site, files uploaded, products and items you view and items you add to your basket.
- Location information. We may collect or derive location information about you, such as through your IP address. With your permission, we may also collect geolocation information from your device. You may turn off location data sharing through your device settings.
Personal data we receive from other sources. In some circumstances, we may receive personal data from third parties, including:
- Verification data:e.g. data collected from third party service providers used to verify your identity and prevent fraudulent activity.
- Social media monitoring: If you visit our pages on social media sites, we collect information such as what you click on and view, your comments, likes and reactions, your location (country/region), details of your device and internet connection, your social media profile details and user ID.
- Operators of other websites: We may receive product reviews from operators of other websites and display such reviews on our own Site.
- Demographic information: We may receive demographic information from third party advertising partners to help us better personalise ads. See section 4 “Cookies and Personalisation” for more information.
How we use personal data
Depending on how you use our Site, your interactions with us, and the permissions you give us, the purposes for which we use your personal data include:
- Online accounts. To register you as a customer and maintain your online account.
- Fulfil orders. To fulfil your order, including managing payments, charges, refunds and returns.
- Respond to your requests. To manage and respond to any queries or complaints to our customer service team.
- Provide recommendations. If you use our product finder tools, such as our Foundation Finder, we use the information you provide to recommend products for you.We’ll also use the image, details of recommended products and any feedback to further improve the functioning of the tool and related services, or to develop similar tools and services.
- Personalise content and experiences. To personalise the Site and show you content we think you will be most interested in, based on your account information, your purchase history and your browsing activity.
- Operate and improve the Site and our business. To display the Site and its fonts (which may include Google Fonts), improve and maintain the Site, and monitor its usage, to better understand how users access and use the Site, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our business operations, to develop services and features, and for internal quality control and training purposes.
- Events. If we run or sponsor events we may collect personal data in connection with your attendance.
- Research and customer satisfaction. For market research and surveys, e.g. we may contact you for feedback about our products or for customer satisfaction purposes.
- Marketing and advertising. To send you marketing messages and show you targeted advertising, where we have your consent or are otherwise permitted to do so.
- Security and protection of rights. For security purposes, to prevent, detect, and investigate fraud and other unauthorised activities and access, and where necessary to protect ourselves, our business and third parties.
- Compliance with law and legal process. To comply with the law and our legal and regulatory obligations, to respond to legal process and in relation to legal proceedings.
- Internal business operations. For general business and operational support, e.g. to consider and implement mergers, acquisitions, reorganisations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, record keeping, and legal functions.
Legal bases under EU/UK data protection laws. We rely on the following legal bases under data protection law to process your personal data:
- Because the processing is necessary to perform a contract with you, or take steps prior to entering into a contract with you (e.g. where you have made a purchase with us, we use your personal data to process the payment and fulfil your order).
- Because we have obtained your consent (e.g. if you consent to receive marketing from us or agree to the use of non-essential cookies). If you have consented to a processing activity, you can withdraw your consent at any time. We explain how to do this in the Cookies and Personalisation section (section 4) and Marketing section (section 5) of this policy.
- Because it is in our legitimate interests as an e-commerce provider to maintain, promote and protect our business and services. We are always seeking to understand more about our customers in order to offer the best products and customer experience. We use information about you to tailor your view of the Site, to make it more interesting and relevant in respect of the products and offers on view.
- In very limited cases, because it is necessary to comply with a legal obligation which we are subject to.
Who do we share personal data with?
We may share your personal data with third parties, for the purposes described above, in the following circumstances:
- With other companies in our group of companies.
- With our suppliers and service providers who process the data on our behalf, e.g., payment processors and delivery companies.
- With our professional and legal advisors.
- With third parties engaged in fraud prevention and detection.
- With third party platforms, providers and networks. We may disclose or make available personal data to third party platforms and providers that we use to provide our Site and its features. We may also make personal data available to third parties in support of our marketing, analytics, advertising and campaign management. See Section 4 “Cookies and Personalisation” for more information.
- With operators of other websites. We share product reviews submitted to our Site with other website operators who display these reviews on their own websites.
- With law enforcement or other governmental authorities, e.g., to report a fraud or in response to a lawful request.
- In relation to mergers, acquisitions, investments and asset transfers, personal data will be transferred to the other party to the transaction. We may also share certain personal data as part of the preparation for the transaction with lenders, auditors, and third-party advisors, including lawyers and consultants.
- To comply with legal obligations. We may share personal data with third parties to comply with our legal and compliance obligations and to respond to legal process e.g. in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement and government bodies. This may include responding to national security or law enforcement disclosure requirements and disclosures that we are required to make under applicable laws, such as the names of sweepstakes and contest winners.
- Otherwise where we have your consent or are legally permitted to do so.
Cookies and Personalisation
We use this information to provide functionality on the Site, to understand and measure Site performance, to understand how users access, use and interact with others, and to deliver targeted advertising and content on our Site and third party sites.
We also use it to identify and resolve bugs and errors in our Site and to assess, secure, protect, optimise and improve the performance of our Site.
Personalised advertising. We work with third parties, such as ad networks, social media platforms, analytics and measurement services and others to personalise content and display advertising within our Site, and to manage our advertising on third party sites, mobile apps and online services.
For example, you may see ads for our Site on third party websites, including on social media. These ads may be tailored to you using cookies and similar technologies which track your web activity on our Site and across other websites and online services, to enable us to serve ads to customers who have visited our Site.
We may also engage third parties, including social networks to show ads to our customers, or users who match the demographic profile of our customers. This may involve sharing information, such as your name, email address, and other contact and purchase information with these third parties so that we can better target ads and content to you across third party sites, platforms and services. These third parties may also help us to enhance our customer lists with additional demographic or other information, so we can better target our advertising and marketing campaigns.
If you do not want to see personalised ads you can change your cookie preferences using the tool available on our Site, as explained below, and by adjusting your privacy settings on third party websites and platforms.
Manage your preferences. You can manage your preferences for cookies and personalisation used by us as explained below.
- Cookie preference tool. You can review and update your cookie preferences for our Site and opt out of most cookies and trackers on our Site (other than those that are strictly necessary) within our Cookie Preference Tool accessible via the cookie icon at the bottom left hand corner of the webpage. Your preferences are browser and device specific so you need to set the preference for each browser and device you use to access our Site. If you delete or block cookies, you may need to reapply these preferences.
- Industry ad choice programs. You can get more information about personalised advertising and opt out of personalised advertising by participating third party ad companies through industry ad choices programs, including:
Please note that opting out of cookies and trackers on our Site does not mean that you will no longer see ads from us. You may continue to see generic or “contextual” ads.
We love to communicate with our customers. Depending on your marketing preferences, we may use your personal data to send you marketing messages by email, SMS, phone and post. Some of these messages may be tailored to you, based on your previous browsing or purchase activity, and other information we hold about you.
If you no longer want to receive marketing communications from us (or would like to opt back in!), you can change your preferences at any time by contacting us (details below), clicking on the ‘unsubscribe’ link in any email, or updating your settings in your account. If you unsubscribe from marketing, please note we may still contact you with service messages from time to time (e.g. order and delivery confirmations, and information about your legal rights).
Transfers of personal data to other countries
We use service providers, and have group companies, in countries around the world. Your personal data may therefore be processed in countries outside of Europe, including in countries where you may have fewer legal rights in respect of your data than you do under local law. If we transfer personal data outside the UK/European Economic Area we will ensure that your privacy rights are adequately protected by appropriate safeguards, which may include the European Union’s standard contractual clauses and UK equivalent. Please contact us if you would like more information about these safeguards.
We will keep your personal data in line with our data retention policy, for as long as we need it for the purposes set out above, so this period will vary depending on your interactions with us. For example, where you have made a purchase with us, we will keep a record of your purchase for the period necessary for invoicing, tax and warranty purposes. We may also keep a record of correspondence with you (for example if you have made a complaint about a product) for as long as is necessary in connection with any legal claim.
We implement appropriate technical and organisational security safeguards to protect your data from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We also maintain ISO 27001 and PCI DSS (Payment Card Industry - Data Security Standard) security certifications.However, please be aware that it is impossible for any company to guarantee the absolute security and integrity of the information that has been transmitted to its website.
Our Site is not intended for, and should not be used by, children under the age of 18. We do not knowingly collect personal data from children under 18.
You have choices regarding our processing of your personal data as described in this section. Your rights under data protection laws: You have the right to:
- Ask for a copy of your personal data, make corrections to your personal data, and in some cases e.g. where our purposes for processing have come to an end, ask us to delete it.
- Object to our use of your personal data in certain situations, including where we use your personal data for direct marketing. See section 5 “Marketing” for details of how to opt out of direct marketing.
- Transfer your personal data, in certain circumstances, to another provider, in a commonly used format.
- Complain to the data protection regulator in your country. In the UK this is the Information Commissioner’s Office (www.ico.org.uk).
We will comply with any requests to exercise your rights in accordance with applicable law. Please be aware, however, that there are several limitations to these rights, and there may be circumstances where we are not able to comply with your request.
You can exercise your rights by contacting firstname.lastname@example.org.
US residents. If you are a California resident, please review our California Privacy Supplement (section 13) below, for specific information about your rights under California privacy laws and how to exercise them. Residents of certain other US states including Virginia have additional rights under applicable privacy laws, subject to certain limitations, which may include:
- The right to correct inaccuracies in your personal information, taking into account the nature and purposes of the processing of the personal information.
- The right to delete your personal information provided to or obtained by us.
- The right to confirm whether we are processing your personal information and to obtain a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
- The right to opt out of (as applicable) the “sale” of your personal data, targeted advertising, and any processing of personal information for the purposes of making decisions that produce legal or similarly significant effects.
- The right to submit an appeal if we deny your request.
You can opt out of targeted advertising on our Site as set out in Section 4 “Cookies and Personalisation”, and opt out of direct marketing as set out in Section 5 “Marketing”. To exercise your other rights please contact email@example.com.
Changes to this Notice
This Notice is current as of the Effective Date stated above. We may change this Notice from time to time, so please be sure to check back periodically. If we make material changes we will alert you e.g. by posting a prominent notice on the Site or via email.
If you have any queries on any aspect of our Privacy Notice, please contact us on the details below:
California Privacy Supplement
Consumers residing in California have additional rights in relation to their personal information under California privacy law, including the California Consumer Privacy Act (“CCPA”). If you are a California resident, this section applies to you. This section does not address or apply to our handling of publicly available information or other personal information that is exempt under the CCPA.
Categories of personal information collected and disclosed. Whilst our processing of personal information varies based upon our relationship and interactions with you, the table below identifies, generally, the categories of personal information (as defined by the CCPA) that we may collect, and have in the past twelve months collected, about California residents, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose
|Categories of Personal Information||Categories of Third Party Disclosures||Categories of Third Parties|
|Identifiers||Includes direct identifiers, such as name, alias, user ID, username, account number or unique personal identifier; email address, phone number, address and other contact information; IP address and other online identifiers.||
|Customer Records||Includes e.g. name, account name, user ID, contact information, account number, and financial or payment information, that individuals provide us in order to purchase or obtain our products and services. For example, this may include information collected when an individual register for an account, purchases or orders our products and services, or enters into an agreement with us related to our products and services.||
|Commercial information||Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies. For example, this may include demographic information that we receive from third parties in order to better understand and reach our customers.||
|Internet and electronic network activity information||Including, but not limited to, browsing history, clickstream data, search history, and information regarding interactions with an internet website, application, or advertisement, including other usage data related to your use of any of our Site or other online services.||
|Geolocation data||Location information about a particular individual or device e.g., derived from your IP address.||
|Audio, visual and other electronic data||Includes audio, electronic, visual, thermal or similar information, such as thermal screenings and CCTV footage (e.g., collected from visitors to our stores, offices and premises; photographs and images (e.g., that you provide us or post to your profile) and call recordings (e.g., of customer support calls).||
|Professional information||Includes professional and employment-related information such as current and former employer(s) and position(s), job application information, business contact information and professional membership(s).||
|Profiles and inferences||Including inferences drawn from any of the information identified above to create a profile reflecting a consumer’s preferences, characteristics, behavior or attitudes.||
|Protected classifications||We collect some information that is considered a protected classification under California/federal law, such as your gender, date of birth, citizenship, and marital status.||
|Sensitive personal information||In limited circumstances, we may collect:
Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
Sales and sharing. California privacy laws define a "sale" as disclosing or making available to a third-party personal information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising. While we do not disclose personal information to third parties in exchange for monetary compensation, we may “sell” or “share” (as defined by the CCPA): identifiers and internet and electronic network activity information to/with third-party advertising networks, analytics providers, and social networks. We do so in order to improve and evaluate our advertising campaigns and better reach customers and prospective customers with more relevant ads and content. We do not sell or share sensitive personal information, nor do we sell or share any personal information about individuals who we know are under sixteen (16) years old.
Sources of personal information. In general, we may collect personal information from the following categories of sources:
- Directly from the individual
- Advertising networks
- Data analytics providers
- Social networks
- Internet service providers
- Operating systems and platforms
- Fraud prevention service providers
- Data brokers
- Business customers/clients
Purposes of collection, use and disclosure. As described in more detail in Section 2 “How we use personal data” and Section 3 “Who do we share personal data with”, we collect, use, disclose and otherwise process the above personal information for the following business or commercial purposes and as otherwise directed or consented to by you:
- Fulfil orders
- Maintain online accounts
- Respond to your requests
- Provide recommendations
- Manage our relationship with you
- Personalize content, ads and experiences
- Operate and improve the Site and our business
- Research and customer satisfaction
- Marketing and advertising
- Security and protection of rights
- Compliance with law and legal process
- Internal business operations
Sensitive personal information. Notwithstanding the above, we only use and disclose sensitive personal information as reasonably necessary (i) to perform our services requested by you, (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents, (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct, (iv) to verify or maintain the quality and safety of our services, (v) for compliance with our legal obligations, (vi) to our service providers who perform services on our behalf, and (vii) for purposes other than inferring characteristics about you. We do not use or disclose your sensitive personal information other than as authorized pursuant to section 7027 of the CCPA regulations (Cal. Code. Regs., tit. 11, § 7027 (2022)).
Retention. We retain personal information only as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection.
CCPA rights. Under the CCPA, California residents have the following rights (subject to certain limitations):
- The right to opt-out of our sale and sharing of your personal information.
- The right to limit our use or disclosure of sensitive personal information to those authorized by the CCPA.
- The right to the deletion of your personal information that we have collected, subject to certain exceptions.
- The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you.
- The right to correct inaccurate personal information that we maintain about you.
- The right not to be subject to discriminatory treatment for exercising their rights under the CCPA.
Submitting CCPA requests. California residents may make requests to access/know, correct and delete their personal information maintained by us online by emailing firstname.lastname@example.org or by visiting this page. Once we receive your request, we will take steps to verify it by asking you to provide information related to your account or your recent interactions with us, such as information regarding a recent purchase. We will process your request based upon the personal information in our records that is linked or reasonably linkable to the information provided in your request. In some cases, we may request additional information in order to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify the requestor. If you would like to use an authorized agent to exercise your rights, we may request evidence that you have provided such agent with power of attorney or that the agent otherwise has valid authorization to submit requests on your behalf and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
Opt-out requests. Our Site responds to global privacy control—or “GPC”—signals, which means that if we detect that your browser is communicating a GPC signal, we will process that as a request to opt that particular browser and device out of sales and sharing (i.e., via cookies and tracking tools) on our Site. Note that if you come back to our Site from a different device or use a different browser on the same device, you will need to opt out (or set GPC for) that browser and device as well. More information about GPC is available at: https://globalprivacycontrol.org/. You can also opt out of online tracking on our Site via the cookie preference tool (see Section 5 for details).
California residents may exercise their right to opt out online by submitting an opt out request to email@example.com or by visiting this page. We will apply your opt out based upon the personal information in our records that is linked or reasonably linkable to the information provided in your request.
For more information about our privacy practices, you may contact us as set out in the “Contact Us” section above.
Last Revised: 30 June 2023