For the purpose of the Data Protection Act 1998 (the Act) and from the 25 May 2018, the EU General Data Protection Regulation 2016/679 (the GDPR), the data controller is Cult Beauty Limited (company no. 6195011), having its registered office at 37 Chamberlain Street, Wells, Somerset BA5 2PQ United Kingdom.
Date of last update: 24 May 2018
What do we collect and use personal information for?
In order to:
- reply to your enquiries and requests for information;
- receive and process orders submitted by you;
- customise the service we provide to you;
- carry out our obligations in relation to any agreement you have with us;
- verify your identity;
- anticipate and resolve problems with any goods or services supplied to you;
- carry out market research and tracking of sales data;
- send you newsletters, surveys or other information about our products and services by post, e-mail or SMS.
- publish on the Site, at our discretion, your Submission comments.
If you place an order with us, you will need to set up an account before ordering. During this set up we will ask you to provide some personal information such as:
- Full name;
- Postal address and/or billing address;
- Telephone number(s);
- Email address;
- Age and/or Date of Birth;
If you place an order with us, we will also ask for your payment details.
We also ask you for other optional information such as what sort of device you use such as a mobile telephone or PDA or tablet, how you heard about our Site and what sort of subjects interest you. If you choose to give us this information, we will use it to help us to provide you with the best possible service that is personalised to your needs and preferences. Although we do not make it compulsory to give us every item of information we ask for, the more information you volunteer (and the more accurate it is), the better we can tailor our services for you.
Log files/IP addresses
When you visit our Site, we automatically log your IP address (the unique address which identifies your computer on the internet) which is automatically recognised by our web server. We use IP addresses to help us administer the Site and to collect broad demographic information for aggregate use. Your IP address is also logged when you make a purchase as a fraud prevention measure required by the payment gateway.
Credit and debit card information
If you select the option to allow us to store your card details, then we will do so using the Sage Pay Token System. If you select a Repeat Purchase Product, then we will automatically store your card details via the Sage Pay Token System.
The Token System is a safe way of Cult Beauty keeping card details without actually storing them. Sage Pay store and convert a customer's sensitive payment information into a secure token or "alias". This token is then used by Cult Beauty to process future transactions as and when required, without asking for your card details each time.
We may automatically collect non-personal information about you such as the type of internet browsers you use or the site from which you linked to our Site. You cannot be identified from this information and it is only used to assist us in providing an effective service on our Site. We may from time to time supply the owners or operators of third party sites from which it is possible to link to our Site with information relating to the number of users linking to our Site from their sites. You cannot be identified from this information.
Information placed on your computer
We may store some information (commonly known as a “cookie”) on your computer when you look at our Site. This information facilitates your use of our Site and helps us to understand how our Site is used. You can erase or block cookies from your computer if you want to (your help screen or manual should tell you how to do this), but certain Cult Beauty services may not work correctly or at all if you set your browser not to accept cookies.
Improving our service
Staff from Cult Beauty, or from our service providers, may contact you from time to time using the contact means you have supplied to us in order to get your views and comments on the service we provide to you.
Information about products and services.
It is very important to us that we provide you with the highest level of service. In order to help us do this, from time to time we may contact you using one of the contact methods you have provided, with details of our newsletters, surveys, products and services which we think may be of interest to you. If at any time you do not wish to receive these details, then send an e-mail message titled “unsubscribe” to email@example.com. Please note that active customers will continue to receive order and account communications from us.
How do we use your information?
Data Protection says that Cult Beauty is allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:
- Contract - your personal information is processed in order to fulfil a contractual arrangement e.g. in order to send you your Order.
- Consent – where you agree to us using your information in this way e.g. for storing your payment card details.
- Legitimate Interests - this means the interests of Cult Beauty in managing our business to allow us to provide you with the best products and service in the most secure and appropriate way e.g. to transfer your data to certain Third Party’s such as delivery partners.
- Legal Obligation – where there is statutory or other legal requirement to share the information e.g. when we have to share your information for law enforcement purposes.
Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.
Who we share your information with and why
Other than the disclosures referred to in this policy, we will not disclose any personal information without your permission unless we are legally entitled or obliged to do so (for example, if required to do so by Court Order or for the purposes of prevention of fraud or other crime).
We will only disclose and/or transfer your personal information to a third party either as part of a reorganisation or a sale of the assets of a Cult Beauty, or having ensured that steps have first been taken to ensure that your privacy rights continue to be protected.
Cult Beauty works with a number of national and international trusted suppliers, individuals, agencies and businesses in order to provide you the high quality goods and services you expect from us such as delivery companies, fraud prevention agencies, beauty and cosmetic brands and market research companies amongst others. Some examples of the categories of third parties with whom we share your data are:
Cult Beauty works with a number of trusted partners who supply products and services on our behalf. We will only hold the minimum amount of personal information needed in order to fulfil the orders you place or provide a service on our behalf.
Delivery and Logistics Partners
In order for you to receive your goods, Cult Beauty works with a number of delivery and logisitics partners. We only pass limited information to them in order to ensure successful delivery of your order.
Cult Beauty works with businesses and individuals who support our website and our other business systems.
Cult Beauty works with marketing companies who help us manage our electronic communications with you or carry out surveys and product reviews on our behalf.
Payment Processing Companies
Cult Beauty works with trusted third party payment processing providers in order to securely take and manage payments.
Keeping our records accurate
We aim to keep our information about you as accurate as possible. If you would like to review or change the details you have supplied us with, or you would like to remove your published Submission from the Site you may do so at any time by using the Contact Us page on this Site.
You should be aware that the internet is an insecure environment. We have implemented technology and employee policies to help safeguard your privacy from unauthorised access and improper use. We will continue to update these measures, as appropriate, when new technology becomes available.
Third party sites
We cannot be responsible for the privacy policies and practices of other third party sites, or for advertisers on our site, even if you access them using links from our Site and we recommend that you check the policy of each site you visit. In addition, if you linked to our Site from a third party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third party site and we recommend that you check the policy of that third party site and contact its owner or operator if you have any concerns or questions.
Unless expressly stated, we are not agents for these third party sites or for any third party advertisers on our Site, nor are we authorised to make representations on their behalf.
Transferring your personal information outside the European Economic Area
We may need, as part of the services offered to you though our Site, to communicate your details outside the European Economic Area (“EEA”). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EEA or one of our service providers is located in a country outside of the EEA.
We are obliged to satisfy ourselves before transferring your information to a country outside the EEA that it provides adequate protection for your data protection rights. The EEA comprises of the EU countries and Norway, Iceland and Liechtenstein. Countries outside the EEA may not have similar data protection laws to the EEA.
If we do transfer your information outside of the EEA in this way, we will take reasonable steps to ensure that your privacy rights continue to be protected.
Our Site is hosted on servers located in the United Kingdom.
How long we keep your information
If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws.
We will not keep Your personal data for longer than is necessary for the purpose or purposes for which they are collected, unless there is another legal reason for us to retain the data. We will take all reasonable steps to destroy or erase from our systems all data which is no longer required. We will keep your personal data for the duration of Your account being active and for 7 years after our contract with you has terminated.
What are your rights
We endeavour to process all personal data in line with Your rights under the GDPR. In particular, You have the rights to:-
- Withdraw Your consent to Our processing Your personal data at any time. You can do this at any time by changing Your “Preferences” when you log in to Your account or by contacting Us at firstname.lastname@example.org. In certain circumstances, We can process Your personal data without Your consent in line with the lawful processing requirements in GDPR. These include (amongst other reasons) where processing is necessary to comply with a legal obligation, or to protect your vital interests.
- Ask Us to rectify inaccurate or incomplete personal data. We would seek to rectify the data as soon as possible and usually within one month unless the request is complex
- Ask Us to erase Your personal data. This is commonly referred to as the right to be forgotten. This right is only applicable where there is no compelling reason for the continued processing of Your personal data. There are some circumstances where this right to erasure does not apply and in such cases We would notify You of the reason(s) why We need to retain Your personal data (unless prevented to do so by law).
- Restrict processing of Your personal data where, for example, the data is inaccurate, being processed unlawfully or where the data is no longer relevant to the specific purpose for processing. In such cases, We would retain the data but We would not process it further without Your consent, or if processing your data is for establishing, exercising or defending a legal claim, or for the protection of rights of other individuals, or for public interest reasons. In such circumstances, We would let You know that We intend to lift the restriction on processing Your personal data.
- Request access to Your personal data via a subject access request. Your request should be made to Us in writing and We may ask you for proof of your identity before providing You with the data. There is usually no fee for making such a request however, in limited circumstances, We can charge an administrative fee (which will be based on the administrative cost of providing the information).
- You have the right to ask Us not to process Your personal data for marketing purposes (including profiling). We will usually inform You (before collecting your data) if We intend to use your data for such purposes or if We intend to disclose your information to any third party for such purposes. You can exercise Your right to prevent such processing by checking certain boxes on the forms We use to collect your data. You can also exercise the right at any time by contacting us at email@example.com
- Obtain and reuse Your personal data for Your own purposes across different services (right to data portability). This right is only applicable to data that You have provided to Us, where We are processing the data based on Your consent or for the performance of a contract and when the processing is carried out by automated means. Where this right applies, the data will be provided to You in a structured, commonly used and machine-readable format.
If at any time you would like to contact us with your views about our privacy practices, or with any enquiry relating to your personal information, you can do so by sending an e-mail to us at firstname.lastname@example.org, or via post at Data Protection Officer, Cult Beauty Limited, 46 Colebrooke Row, London N1 8AF United Kingdom. You are entitled to ask for a copy of the information we store about you (for which we may charge a small fee) and can ask for that information to be corrected or erased where appropriate.
If you have any complaints regarding our handling of Your personal data, we would appreciate the chance to deal with your concerns in the first instance. However, if you wish, you may make a complaint directly to the Information Commissioner’s Office, the UK supervisory authority for data protection issues (www.ico.org.uk or 0303 123 1113)