privacy policy - europe

CHARLOTTE TILBURY GROUP

PRIVACY POLICY - UK & EEA

MARCH 2023

At Charlotte Tilbury Group, we are committed to protecting your personal data and respecting your privacy. It is your personal data and we respect that. This Privacy Policy tells you about how and why we collect and use the personal data which you provide to us or which we collect about you when you interact with us, for example, when you use our website or visit our stores.

In this notice, when we refer to "Charlotte Tilbury Group", "us", "we" or "our", we mean Charlotte Tilbury Beauty Limited and, where applicable, any entities owned or controlled by Charlotte Tilbury Beauty Limited and which provide you with the Charlotte Tilbury websites or which are responsible for stores, stands or events in your country.

We want you to be fully informed about how we use your personal data, how we keep it secure and your rights in relation to that personal data. We trust this Privacy Policy will answer any questions you have about how we handle your personal data, but if not, we have appointed a data protection officer ("DPO") who will help you with any queries or concerns you may have. Please do get in touch with our DPO directly at dpo@charlottetilbury.com or using the contact details provided in the "Contacting Us" section at the end of this Privacy Policy. It is likely that we will need to update this Privacy Policy from time to time by updating this page. We will notify you of any significant changes, but would encourage you to come back and review it from time to time.

ABOUT US - WHO IS THE CHARLOTTE TILBURY GROUP?

This Privacy Policy is provided by the Charlotte Tilbury Group. When you visit or place an order on one of the Websites or interact with us online, you are contracting with the Charlotte Tilbury Group company listed as the 'Data Controller' in the table below:

| Territory | Data Controller | Website |
| --- | --- | --- |
| United Kingdom | Charlotte Tilbury Beauty Limited | www.charlottetilbury.co.uk |
| European Economic Area (excluding the Netherlands) | Charlotte Tilbury Beauty Limited | www.charlottetilbury.com/ie |
| The Netherlands | Charlotte Tilbury Beauty Limited | www.charlottetilbury.com/nl |

The Charlotte Tilbury Group also includes companies that run and operate the Charlotte Tilbury business elsewhere across the globe, including in the United States, Canada and Australia. If you want to know more about the Charlotte Tilbury Group, please get in touch with us using the contact details provided at the end of this Privacy Policy.

RETAIL PARTNERS

You can purchase Charlotte Tilbury products and services via our Retail Partners across the UK and European Economic Area ("EEA"), for example in ASOS, Selfridges Group, Harrods, John Lewis Group, House of Fraser Group, CultBeauty.com, Feelunique.com, Fenwick, Harvey Nichols, Jarrold, Net-A-Porter, Ocado, SpaceNK, World Duty Free Limited (Heathrow), Voisins, Farfetch, Sephora, Breuninger Group, KaDeWe Group, de Bijenkorf, Douglas, Brown Thomas, Zalando, DFS La Samaritaine and Le Bon Marché (we refer to these as our "Retail Partners"). Please note that when you are purchasing Charlotte Tilbury products and/or services through a Retail Partner, either online or in one of their stores, you are contracting directly with that Retail Partner and not with us or the wider Charlotte Tilbury Group. Any personal data which you provide to a Retail Partner will be controlled by the Retail Partner and you should visit the Retail Partner’s website or contact them directly if you have any questions about how they process, handle and use your personal data.

ENSURING THE LAWFUL USE OF YOUR PERSONAL DATA

We will only use your personal data where we have a lawful basis to use it. In particular, we will use your personal data in the following circumstances:

• We will use your personal data where it is necessary for us to perform our contract with you (for example, to fulfil your order).

• We may also use your personal data to pursue our legitimate interests (or those of a third party) in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms. For example, we might use your purchase history to send you personalised offers or use your shopping history to identify trends and ensure we can keep up with demand and develop the right new products for our customers.

• We may sometimes need to use personal data to comply with our legal obligations (for example to pass on details related to fraud).

• In some instances, we will ask for your consent to use your personal data, for example, where you sign-up to receive our email newsletters. You can withdraw your consent at any time by letting us know (see "Your Rights" section below).

Please get in touch with us using the contact details provided at the end of this Privacy Policy if you would like further information about why we are using your personal data.

WHAT PERSONAL DATA DO WE COLLECT FROM YOU AND HOW DO WE USE IT?

The personal data we collect about you and how we will use it depends on how you interact with us, for example, if you place an order on our Website, contact us with a query by email or phone, make a purchase, or book an appointment in one of our stores.

Certain categories of personal data, such as information relating to racial or ethnic origin, health data, genetic data or biometric data (meaning personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of individuals, such as facial or iris scans or voice recognition systems) are classified as “special categories of data” and benefit from additional protection under data protection legislation.

We only collect and use 'special category data' where you have provided us with your consent for us to do so. In some instances, you may have requested services or products that do not directly involve the collection of any special categories of data, but may imply or suggest your religion, health or other special categories of data.

When using our "Pro Skin Analysis" tool on the Charlotte Tilbury Website or app, we will collect and process personal data including facial scans in order to send you product recommendations, advertising and relevant promotions and to improve our skin mapping tools, technologies and services. Please see "Charlotte Tilbury "Pro Skin Analysis" Tool", below.

When we send email marketing to you, our email marketing provider, Emarsys, may collect data about the locations from which you access and interact with those emails and the website pages you visit through links embedded in those emails. Emarsys shares that information with us, which can help us to tailor our marketing to you, for example, by telling you about an event or promotion available at a location which is near to where you frequently interact with our emails and linked website pages.

We use analytics tools to measure the effectiveness of our marketing, understand how customers interact with us on our website and online, and to build a clearer picture of our customers and their motivations. One of our analytics suppliers, Sprinklr, provides us with data about how you interact with Charlotte Tilbury Beauty online. Depending on your privacy settings on certain third-party websites, Sprinklr may collect information about your social media profile, including your follower count thresholds.

Zendesk, our third-party customer service and experience platform, underpins our customer care systems, including the system you use to contact our customer care representatives. Zendesk technology analyses the content of those communications including identifying what language is used, the reason for the communication, and providing our customer care representatives with customer context to communications to ensure your enquiry is handled in an efficient and appropriate manner by our customer care teams.

The table below provides some examples of the information we collect about you and how we will use it.

| The personal data we collect from you | How we use it | Lawful Basis |
| --- | --- | --- |
| We will collect the personal data needed to identify you, such as your name, username, password and date of birth. We will also collect your contact details, such as your email address, mobile phone number, telephone number and billing/delivery address. | To fulfil your order, for example, by delivering your products to you or to contact you about your order where necessary. We may also share this information with third party delivery and courier services such as DPD, UPS and DHL to enable us to fulfil your order. | Performance of our contract with you. |
| | To allow you to create an account with us. | Legitimate interest (to operate our business and administer the service we offer to you). |
| | To send you email newsletters to keep you up-to-date about our products and services which we think will interest you and our latest offers, and where you opt to participate in our loyalty and VIP programmes. | Legitimate interest (to develop our products/services and grow our business). Where you consent (where consent is required under applicable law). |
| | To send you SMS messages to keep you up-to-date about our products, services and our latest offers which we think will interest you. | Legitimate interest (to develop our products/services and grow our business). Where you consent (where consent is required under applicable law). |
| | To send you information with your Order to keep you up to date about our products, services and our latest offers which we think will interest you. | Legitimate interest (to develop our products/services and grow our business). Where you consent (where consent is required under applicable law). |
| | To allow you to book an appointment with us or to attend an event. | Performance of our contract with you. Legitimate interest (to administer our service to you). |
| | So that you can enter competitions, events or prize draws run by us. | Legitimate interest (to develop our products/services and grow our business). |
| | To communicate with you in relation to your order or booking, or if you raise an enquiry or complaint with us. | Performance of our contract with you. Legitimate interest (to administer our service to you). |
| | To allow you to complete any surveys we send you (if you wish to) or to comment on or review our products or service, to help us to improve them. | Legitimate interest (to study how customers use our products/services). |
| | Fraud prevention and detection. | Legal obligation. Legitimate interest (to prevent and detect fraud, other crime or incidents). |
| | To email you to inform you when a product you want to order is back in stock. | Legitimate interest (to develop our products/services and grow our business). Where you consent (where we are required to obtain consent under applicable laws). |
| Payment details and details of your transactions. | To take payment of your order and, if required, to give refunds. We do not store any payment card numbers once the transaction has been completed. We will share this data with credit card companies and other payment providers. | Performance of our contract with you. |
| | Fraud prevention and detection. | Legal obligation. Legitimate interest (to prevent and detect fraud, other crime or incidents). |
| Information you provide to us when you contact us by telephone, by email, by post or on social media, via our Website, via LiveChat or via VideoChat including your telephone number, mobile phone number, email address, social media profile/handle and image, as applicable. | Provide you with the support and customer service you have requested. | Performance of our contract with you. Legitimate interest (to meet your needs or requests, manage complaints and resolve any disputes). |
| CCTV footage in our stores. | To record images for security purposes. | Legitimate interest (prevent and detect anti-social behaviour, fraud and other crime or incidents). |
| Technical information about your equipment, browsing actions and patterns. Information about how you use the Website and pages on the Website, such as the pages and links you access, the time you access them and the duration, and choices you make when using the Website. We collect this personal data by using cookies, server logs and other similar technologies such as web beacons or pixels on our Website, apps and emails, and full details as to how we process and use cookies can be found in our Cookies Policy. | To administer and to improve our Website, to ensure it is presented in the most effective manner for you and to give you the best Website experience and to allow you to participate in interactive features of our Website if you choose to do so. | Legitimate interest (to improve your experience when you shop and to keep our website updated and relevant). |
| | For data analysis, testing, research and statistical purposes to help us to improve our products and services. | Legitimate interest (to improve your experience when you shop and to keep our website updated and relevant). |
| | To keep our Website safe and secure. | Legal obligation. Legitimate interest (to prevent and detect crime and other incidents). |
| | To make suggestions and recommendations to you and other users of our Website about products or services that may interest you or them. | Where you consent (where we are required to obtain consent under applicable laws). Legitimate interest (to inform you about products and services that may interest you). |
| | To provide you with information about and remind you about the products and services that you have looked at on our Website. | Where you consent (where we are required to obtain consent under applicable laws). Legitimate interest (to manage and improve your shopping experience). |
| | To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. | Where you consent (where we are required to obtain consent under applicable laws). Legitimate interest (to manage and improve your shopping experience). |
| | To identify behavioural flows from emails we send to you, so that we are able to monitor and analyse the effectiveness of those emails. | Where you consent (where we are required to obtain consent under applicable laws). Legitimate interest (to manage and improve your shopping experience). |
| Additional information you choose to provide us, including your birthday, physical characteristics including hair colour, eye colour, make-up tone and skin tone and beauty preferences. We may collect this information in different ways, including via your Charlotte Tilbury account, via bookings you make, via virtual or in-person consultations or appointments you have with us, via games you play on our Website or via emails we send you or via marketing campaigns to collect additional optional data. | To assist us to provide you with a more personalised beauty experience, for example in order to provide you with tailored product recommendations when you use our Pro Skin Analysis tool. | Where you consent (where we are required to obtain consent under applicable laws). Legitimate interest (to manage and improve your shopping experience). |
| Photographs, videos and video stills of you, where you choose to provide them to us. | For use on the Charlotte Tilbury Websites, social media channels (such as Facebook and TikTok) and other Charlotte Tilbury channels and promotional materials for marketing purposes and for product recommendations. | Where you consent (where we are required to obtain consent under applicable laws). Legitimate interest (to manage and improve your shopping experience). |
| Personal data provided in audio or video recordings, such as when you call us, customer care calls or online consultation services. | To improve and monitor our services and for learning and development, training and quality purposes. | Legal obligation. Legitimate interest (to manage the way in which we deliver our service to you). Performance of our contract with you. |
| Social media handles. | Where you have provided us with your social media handle to participate in a Charlotte Tilbury programme or similar, to enable us to identify and view your social media account(s). | Legitimate interest (to manage and improve your shopping experience). |

You don’t have to give us any of the personal data set out above but, if you don’t provide us with certain information, we may not be able to provide you with the goods and services you have requested from us. The forms you fill in on our Websites and in our stores will make it clear what information we need in order to provide the product or service you are requesting and what information you can choose to provide if you wish.

To help us form a better, overall understanding of you as a customer, we combine your personal data gathered across the Charlotte Tilbury Group, for example, your shopping history.

AUTOMATED DECISION MAKING AND PROFILING

When we send or display personalised communications or content, we may use a technique known as "profiling". This means any form of automated processing of personal data to evaluate certain aspects about an individual, in particular to analyse or predict aspects concerning their personal preferences, interests, economic situation, reliability, behaviour, location, or movements. This means that we may collect personal data about you in the different scenarios described in the table above, and use that data to analyse, evaluate, or predict your personal preferences, interests, behaviour and/or location. In some cases we might also use personal data, including digitally created profiles, to make decisions by automated means.

For example, we may use automated processing to create a list of customers that are eligible for a loyalty programme, based on their purchases and amounts they have spent, or to identify the types of advertising or marketing you might be interested in. We ensure that we have a legal basis to process your personal data when we carry out profiling activities and/or automated decision-making, as set out in the table above.

You may in some circumstances have the right to request that we don’t use your personal data in this way. Please see the "Your Rights" section of this Privacy Policy below.

CHARLOTTE TILBURY "PRO SKIN ANALYSIS" TOOL

Our Pro Skin Analysis Tool uses a combination of machine learning tools and statistical algorithms to perform personalised skin analysis based on the facial scans you provide to us. Our Pro Skin Analysis Tool works by analysing these facial scans to provide you with personalised skincare insights and recommended skincare products designed to target any skin concerns that have been identified in our skin analysis such as visible wrinkles, dehydrated skin or dark circles. We do not automatically save your photograph but if you would like to track your skin analysis, you can choose to save your photographs and skin analysis to your Charlotte Tilbury user account. We will ask for your consent to use your photograph for these purposes when you use the Pro Skin Analysis Tool.

When you use the Pro Skin Analysis Tool, we will not retain your photograph unless you expressly allow us to do so by confirming your consent for the image to be saved to your user account. If you choose not to save your image to your user account, your image, the facial scans and skin analysis data provided to us through this feature are automatically deleted.

If you choose to save your image, facial scan, skin analysis data and any other information relating to your skincare profile to your Charlotte Tilbury account, we will keep this information for a period of 12 months from the date each image is captured for the purposes of quality control and the development and improvement of our Pro Skin Analysis Tool as well as providing personalised product recommendations to you, following which, the information will be deleted.

If you stop using the Pro Skin Analysis Tool for a period of 6 months or more, we will send you a reminder to let you know that your image, facial scan, skin analysis data and any other information relating to your skincare profile that is saved to your user account will be deleted within 6 months of that reminder. If you do not want us to delete this information, you will be required to interact with the Pro Skin Analysis tool and complete the scans.

SHARING YOUR PERSONAL DATA

SHARING YOUR PERSONAL DATA WITHIN THE CHARLOTTE TILBURY GROUP

We may share your personal data with other companies within the Charlotte Tilbury Group to enable us to run data analysis, develop new products, for other business development purposes and/or to allow another Charlotte Tilbury Group company to perform services on our behalf. Where we do this, we have written contracts in place between the companies within the Charlotte Tilbury Group to ensure your privacy is secure and respected.

SHARING YOUR PERSONAL DATA WITH TRUSTED THIRD PARTIES

We share your personal data with trusted third parties to allow us to provide our services to you. When we do share your personal data with these third parties we only provide the information they need to perform the service. We have written contracts in place with them to ensure they only use your personal data for the purpose we specify to them and that your privacy is secure and respected. These trusted third parties include the following:

| DESCRIPTION | EXAMPLES |
| --- | --- |
| Companies that help us fulfil your orders and, where required, get your purchases to you, such as delivery couriers and payment providers | DPD, Royal Mail, Evri, UPS, FedEx, E-Shop World, Skynet, AMS, Farrow, ILG, Kerry, Klarna, Stripe, PayPal, Rebound, Afterpay, Apple Pay, Narvar. |
| Professional service providers such as website hosting providers, system providers, website and social media analytics providers, advertisers and appointment booking providers, who help us run our business | Google Analytics, BazaarVoice, Flowerbx, Sprinklr, Unbabel, Trustpilot, Algolia, Doubleclick, Traackr, Snowplow. |
| Companies that help us to provide our services, such as image analysis software relating to our Pro Skin Analysis Tool and similar tools | MIME, Holition, Perfect Corp. |
| Direct marketing companies who help us manage our electronic communications with you and social media or web platforms to show you products that might interest you while you’re browsing the internet | Emarsys, Attentive, Appointedd, Movable Ink, Zendesk, Partnerize, Narrativ, Twitch, Google Ads, Amazon Ads, Yahoo Ads, TikTok, Pinterest, Snap, Reddit, Facebook, Instagram, YouTube. |
| Companies who send segmented, personalised marketing communications on our behalf | Revel, Implicit Design, Emarsys. |
| Credit reference agencies, law enforcement and fraud prevention agencies, so that we can help tackle fraud | Stripe, PayPal, Klarna, Beacon. |

We may also share your personal data in connection with a business transition (such as a merger, acquisition by another company, or a sale of all of or portion of our assets). In these circumstances, we may need to share your personal data with a prospective buyer and external professional advisors such as accountants, insurers, lawyers or financial institutions.

We may be required to share your personal data with the police, administrative authorities (such as national tax authorities) or other enforcement, regulatory or Government bodies, where we are legally obliged to do so.

We will only share your personal data with third parties (including our group companies) for them to use for their own direct marketing purposes when you have given your express opt-in consent for us to do so.

INFORMATION WE RECEIVE FROM THIRD PARTIES

We may receive certain information about you from third parties, such as partners we run competitions and events with, our Retail Partners and trade shows or from other organisations we work with, such as BazaarVoice, or from publicly available sources, such as Pinterest or TikTok, or information which is published in the media or where you have written a review about us.

Information about you may also be shared with us when you use social media or messaging services, such as Facebook, Twitter or WhatsApp. The information that is shared with us will depend on the privacy settings you select when you use those services. You should review the privacy notices of any social media or messaging services that you use to understand how your personal data will be used in that context.

We may combine the information you have given us, with information obtained from other sources, but we will only do this when we have a lawful basis to do so as set out in the table above.

E-SHOP WORLD AND SKYNET

In countries where we do not currently deliver, we work with third parties known as E-Shop World and Skynet, which enable customers in those countries to purchase our products and have such products delivered directly to them. E-Shop World and Skynet share information with us, such as order placement, product preference and purchase history, and, where a customer has consented, E-Shop World and Skynet will also share marketing consents with us.

SEEING ADVERTISEMENTS FOR OUR WEBSITE ONLINE

We may collaborate with third parties to provide us with analytics services and serve Charlotte Tilbury ads and banners when you are browsing on apps and other websites. We do this by way of various ad exchanges and digital marketing networks. We and our advertising partners use various advertising technologies, for instance, ad tag, cookies, pixels, identifiers and web beacons. This information may be used by Charlotte Tilbury Group companies and others to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our Websites and other websites, and better understand your online activity.

The ads and banners you see are based on information that we hold about you, or on your prior use of our Websites, for example, products you have browsed previously, content you have read on our Websites, or on Charlotte Tilbury banners or ads that you have engaged with in the past.

We may also work with and use services offered by other third parties to serve ads to you as part of a customised campaign on third-party sites and platforms (such as Facebook or Instagram). As part of these ad campaigns, we or the third parties may convert information about you, such as your email address and phone number, into a unique value that can be matched with a user account on these platforms to allow us to learn about your interests and to serve you advertising that is customised to your interests. For more information about this advertising, or to opt out of seeing these types of customised ads, please visit these third-party sites and platforms, which may offer you choices about this type of customised advertising.

For more information about interest-based ads, or to opt out of having your web browsing activity used for behavioural advertising purposes, please visit our Cookies Policy and use our cookie management tool to manage your preferences.

INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA

We are a global business and some of our group companies and service providers are located in countries outside of the UK or EEA.

As a result, it may be necessary for the personal data that we collect from you to be transferred to or accessed from outside the UK or EEA (a "third country") in order for us to provide our services.

If we do this, we have procedures in place to ensure your personal data receives the necessary protections:

• If you are located in the UK, we may transfer your personal data to third countries:

o where the UK Government has recognised the relevant third country as providing an adequate level of protection under UK adequacy regulations. For further details, see the ICO website (www.ico.org.uk); or

o in the absence of UK adequacy regulations, in reliance on an appropriate safeguard in accordance with applicable data protection laws, such as the standard contractual clauses (or equivalent) approved for use in the UK. For further details, see the ICO website (www.ico.org.uk).

• If you are located in the EEA, we may transfer your personal data to third countries:

o where the European Commission has recognised the relevant third country as providing an adequate level of protection pursuant to an adequacy decision; or

o in the absence of an adequacy decision of the European Commission, in reliance on an appropriate safeguard in accordance with applicable data protection laws - typically the EU standard contractual clauses.

Any transfer of your personal data will comply with applicable laws and we will treat the information according to the principles set out in this Privacy Policy.

If you would like further information or a copy of the standard contractual clauses we use, please get in touch with us using the contact details provided at the end of this Privacy Policy.

HOW LONG WILL WE KEEP YOUR PERSONAL DATA?

We will only keep your personal data for as long as we need to for the reason we collected it, as set out in this Privacy Policy. For example, for as long as needed to allow us to fulfil your order or to provide any customer services support you have requested, to provide you with the Pro Skin Analysis Tool (see above) or for as long as you hold an account with us.

We may also keep hold of some of your personal data if we are required to do so for legal purposes, for example, to meet our legal or regulatory requirements or to prevent fraud and abuse, or for tax and accounting purposes. For example, we will keep your order data for five years after you place an order with us to allow us to comply with our legal obligations.

When we are no longer required to keep your personal data, your data will either be deleted or completely anonymised, for example, by aggregation with other data so that it can be used in a non-identifiable way for business planning and analysis purposes.

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us using the details at the end of this Privacy Policy.

ENSURING YOUR PERSONAL DATA IS UP TO DATE AND CORRECT

It is important that the personal data we hold about you is accurate and current. If you have an account with us, please keep your details up-to-date but if you do not have an account with us, please contact customercare@charlottetilbury.com with any new information.

SECURITY

We are committed to ensuring that your personal data is secure and we have put in place suitable physical, electronic, contractual and managerial procedures, including our Information Security Management System and Secure Sockets Layer (SSL) encryption, to protect your personal data. Our employees who have access to and process your personal data are obliged to respect the confidentiality and security of your personal data.

THIRD PARTY LINKS

Our Website may contain links to other websites of interest that are not run by us but by third parties. However, we do not have any control over these third party websites and they will be governed by their own privacy policies and terms and conditions, not this Privacy Policy. You should review the privacy notices and terms and conditions of any other websites that you use.

HOW CAN I UNSUBSCRIBE FROM MARKETING COMMUNICATIONS?

We love keeping you up-to-date by email and by SMS about our latest products, services, offers and events, subject to your marketing preferences. However, if you decide that you don’t want to receive these communications at any point, you can unsubscribe at any time as follows:

To unsubscribe from emails, click on the 'unsubscribe' button on the bottom of any email we send you. If you have an account with us, you can also unsubscribe by going to the Account Information page on the relevant Charlotte Tilbury website, clicking on Newsletters, and unsubscribing to general subscription.

To unsubscribe from SMS, follow the link at the end of any SMS we send to you. You can also email us at customercare@charlottetilbury.com. You can also find instructions on how to do this in any SMS message that we send you.

We may also send you details of products, services, offers and events we think you may be interested in when we send you your Order. If you do not want to receive these communications, please let us know by contacting customer care using our contact form at https://help.charlottetilbury.com/hc/en-gb, emailing customercare@charlottetilbury.com or by logging on to your account and updating your marketing preferences or on the following telephone numbers:

• UK - +44 (0) 1202 629527 - Standard rates apply

• EU - +44 (0) 808 196 4760 - Toll free (variable rates apply, depending on phone provider)

YOUR RIGHTS

You have the following rights in relation to the personal data we hold about you:

• The right to insist that companies who hold your personal data are fair and transparent about how and the manner in which they process and use your personal data. This is why we provide you with this Privacy Policy.

• The right to access the personal data we hold about you (commonly known as a "data subject access request"), including to obtain a copy of it. There are some exemptions, which means you may not always receive all the information we process, for example if the records contain personal data of other individuals.

• The correction of the personal data that we hold about you if it is incomplete or inaccurate (although if you hold an account with us, you may be able to do this in certain cases yourself by visiting the Account Information page on the Charlotte Tilbury website).

• The deletion or removal of personal data we hold about you where there is no good reason for us continuing to process it. If you have successfully exercised your right to object to us processing your personal data or if we have processed your personal data unlawfully or we are required to stop processing your personal data as a matter of local law, then you can ask us to delete your personal data.

• For our processing of your personal data to be restricted if: (i) you want to make sure the personal data is accurate; (ii) where our use of the personal data is unlawful but you don't want us to erase it; (iii) where you need us to hold the personal data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.

• You can ask us to transfer your personal data to a third party but this right only applies to automated information you initially allowed us to process.

• The right to withdraw consent. If we process your personal data on the basis of your consent, then you can withdraw your consent and we must cease processing it in future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

We may need to ask you for specific information to help us confirm your identity before dealing with your request. This is a security measure to ensure your personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Right to Object

Where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing it and we must do so unless we believe we have an overriding legitimate reason to continue processing your personal data.

If you are dissatisfied with how we have handled your personal data, you have the right to make a complaint to your data protection regulator.

In the UK, this is the Information Commissioner's Office (ICO). You can make a complaint to the ICO by calling their helpline on 0303 123 1113 or on their website at www.ico.org.uk/concerns.

In the Netherlands, this is Autoriteit Persoonsgegevens who can be contacted on +31 (0)70 888 85 00 or on their website https://autoriteitpersoonsgegevens.nl/.

In France, this is Commission Nationale de l'Informatique et des Libertés (CNIL) who can be contacted on +33 1 53 73 22 22 or on their website https://www.cnil.fr/en/contact-us.

In Germany, this is Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit who can be contacted on +49 228 9977990 or by email to poststelle@bfdi.bund.de.

In Spain, this is Agencia Española de Protección de Datos (AEPD) who can be contacted on +34 91 266 3517 or by email to internacional@aepd.es.

We would, however, appreciate the chance to deal with your concerns before you approach your data protection regulator, so please do contact us in the first instance.

CHILDREN

Customers need to be over the age of 18 to create an account with us or to sign up for our newsletter or to contact us or to liaise with us via LiveChat or VideoChat. We will not knowingly collect personal data about under 18s and if you are under 18, please do not provide us with your personal data. We would ask parents to please ensure that their children that are under 18 do not provide us with any personal data without their permission. If you believe that a child who is under 18 has provided personal data to us, please contact us, using the details below and we will seek to delete that data from our systems.

LOOKALIKE AUDIENCES

For advertising purposes, we occasionally use information about our customers to generate a "lookalike audience" or similar audience of prospective customers through the Facebook, Google, Snapchat, Pinterest or TikTok advertising platforms. This allows us to target advertisements on their networks to potential customers who appear to have shared interests or similar demographics to our existing customers, based on the platforms' own data. We typically do this by uploading a list of email addresses. These third parties’ policy is to irreversibly hash (encrypt) such lists prior to uploading, match the hashed data against their own customers, generate the lookalike audience, then delete the uploaded list and use it for no other purpose. We do not have access to the identity of anybody in the lookalike audience, unless they choose to click on the ads. Based on this, we believe that generating lookalike audiences poses little or no threat to the privacy of our customers. If you wish to opt out of "similar audiences" in Google, you can do so through your Ads Settings. Many of the companies that display interest-based advertising are members of the Network Advertising Initiative ("NAI") and/or Digital Advertising Alliance ("DAA"). To learn more about interest-based advertising and how you may be able to opt-out of interest-based advertising, tracking, and/or sharing of tracking data by their members, visit their online resources at www.networkadvertising.org/choices and www.aboutads.info/choices, respectively. Other resources (not affiliated with NAI or DAA) include http://preferences-mgr.truste.com/, or for EU residents, www.youronlinechoices.eu.

MARKETING SERVICE PROVIDERS

Your personal data, which includes but is not limited to demographic information, transaction history, and online behaviour, may be shared with selected marketing service providers for the following purposes, which is typically known as data profiling:

• helping us better understand the likely characteristics of our customers;

• creating predictive models that can offer suggestions and recommendations to you and other users about products or services that may interest you or them;

• improving the relevancy and appropriateness of our marketing to customers (e.g. offers, its products and services); and

• helping us to communicate with our customers more effectively offline and online. This may mean that you receive tailored advertising via direct mail or when you visit a website.

To ensure the security and protection of your data, all information shared with any marketing service providers will be transformed into a non-readable format. This means that your identifiable information will be removed and replaced with pseudonymous identifiers or encrypted tokens. The marketing service providers may have the capability to match the data we share with them with data from their or other third party sources. For example, combining the non-readable data received from us with data collected from various reputable sources to gain more comprehensive insights into consumer behaviour and preferences.

CONTACTING US

If you have any queries, comments or requests regarding this Privacy Policy, you have a complaint or you would like to exercise any of your rights set out above, you can contact us in the following ways:

• By email at dpo@charlottetilbury.com; or

• By telephone on the following numbers:

o UK - +44 (0) 1202 629527 - Standard rates apply

o EU - +44 (0) 808 196 4760 - Toll free (variable rates apply, depending on phone provider)

• By post at Data Protection Officer, Charlotte Tilbury Beauty Limited, 8 Surrey Street, London, United Kingdom WC2R 2ND.