Privacy Policy - UK

At Charlotte Tilbury Beauty Limited, we are committed to protecting your personal information and respecting your privacy. It is your personal data and we respect that.

This Privacy Policy tells you about how and why we collect and use the personal data which you provide to us or which we collect about you when you interact with us, for example, when you use our website or visit our stores.

We want you to be fully informed about how we use your data, how we keep it secure and your rights.

We trust this Privacy Policy will answer any questions you have, but if not, please do get in touch with us directly at [email protected] or using the contact details provided at the end of this Privacy Policy.

It is likely that we will need to update this Privacy Policy from time to time by updating this page. We will notify you of any significant changes, but would encourage you to come back and review it from time to time.

This Privacy Policy is provided by Charlotte Tilbury Beauty Limited (referred to as “we”, “us” or “our” in this Privacy Policy). We are the data controller of any personal data we collect about you in the UK, and we are responsible for the Charlotte Tilbury UK Website (www.charlottetilbury.co.uk) and any orders placed by customers on the Website or in any of our UK Charlotte Tilbury free-standing stores.

When you place an order on the Website, you are contracting with Charlotte Tilbury Beauty Limited, but we are part of a wider group of Charlotte Tilbury companies that run and operate the Charlotte Tilbury business elsewhere across the globe. This includes in the US, Canada, the Netherlands, Germany and Hong Kong. When we refer to the ‘Charlotte Tilbury Group’ we are referring to the wider global group of Charlotte Tilbury companies.

If you want to know more about the Charlotte Tilbury Group, please get in touch with us using the contact details provided at the end of this Privacy Policy.

You can purchase Charlotte Tilbury products and services via our retail partners across the UK. For example in Selfridges & Co., Harrods, The John Lewis Partnership, House of Fraser etc (we refer to these as our ‘Retail Partners’). Please note that when you are purchasing Charlotte Tilbury products and/or services through a Retail Partner, either online or in one of their stores, you are contracting directly with that Retail Partner and not with us or the wider Charlotte Tilbury Group.

Any personal data which you provide to a Retail Partner will be controlled by the Retail Partner and you should visit the Retail Partner’s website or contact them directly if you have any questions about how they process, handle and use your personal data.

We will only use your personal data where we have a lawful basis to use it. We will only use your data where it is necessary for us to perform our contract with you (for example, to fulfil your order), or in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms. For example, we might use your purchase history to send you personalised offers or combine your shopping history to identify trends and ensure we can keep up with demand and develop the right new products for our customers. Please get in touch with us using the contact details provided at the end of this Privacy Policy if you would like further information about this.

We may sometimes need to use data to comply with our legal obligations (for example to pass on details related to fraud). In other instances, we will ask for your consent to use your data, for example, where you sign-up to receive our email newsletters.

Further details of how we use your personal information are provided below.

The information we collect about you and how we will use it, depends on how you interact with us, for example, if you place an order on our Website, contact us with a query by email or phone, make a purchase, or book an appointment in one of our stores. The table below provides some examples of the information we collect about you and how we will use it.

The personal data we collect from you How we use it Lawful Basis
We will collect the personal data needed to identify you, such as your name, username, password and date of birth. We will also collect your contact details, such as your email address, telephone number and billing/delivery address. To fulfil your order, for example, by delivering your products to you or to contact you about your order where necessary. For example, Royal Mail, DPD. To fulfil our contract with you.

To allow you to create an account with us. Legitimate business purposes.

To send you email newsletters to keep you up-to-date about our products and services which we think will interest you and our latest offers. Where you consent.

To allow you to book an appointment with us or to attend an event. Legitimate business purposes

So that you can enter competitions, events or prize draws run by us. Where you consent.

To communicate with you in relation to your order or booking, or if you raise an enquiry or complaint with us. Legitimate business purposes

To allow you to complete any surveys we send you (if you wish to) or to comment on or review our products or service, to help us to improve them. Legitimate business purposes

Fraud prevention and detection. Legal obligation/legitimate business purposes
Payment details and details of your transactions. To take payment of your order and, if required, to give refunds. We do not store any payment card numbers once the transaction has been completed. We will share this data with credit card companies and other payment providers. To fulfil our contract with you.

Fraud prevention and detection. Legal obligation/legitimate business purposes.
Information you provide to us when you contact us by telephone, by email, by post or on social media. Provide you with the support and customer service you have requested. Legitimate business purposes
CCTV footage in our stores. To record images for security purposes. Read our CCTV Policy here. Legitimate business purposes
Technical information about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies and full details as to how we process and use cookies can be found on our Cookies Policy To administer and to improve our Website, to ensure it is presented in the most effective manner for you and to give you the best Website experience and to allow you to participate in interactive features of our Website if you choose to do so. Legitimate business purposes

For data analysis, testing, research and statistical statistics to help us to improve our products and services. Legitimate business purposes

To keep our Website safe and secure. Legitimate business purposes

To make suggestions and recommendations to you and other users of our Website about products or services that may interest you or them. Legitimate business purposes

To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. Legitimate business purposes
Additional information you choose to provide, including your hair colour, eye colour and skin tone. To assist us to provide you with a more personalised beauty experience. Legitimate business purposes

You don’t have to give us any of the personal data set out above but, if you don’t provide us with certain information, we may not be able to provide you with the goods and services you have requested from us. The forms you fill in on our Website and in our stores will make it clear what information we need in order to provide the product or service you are requesting and what information you can choose to provide if you wish.

To help us form a better, overall understanding of you as a customer, we combine your personal data gathered across the Charlotte Tilbury Group, for example, your shopping history.

We don’t currently carry out automated decision-making, using information we hold about you.

SHARING YOUR DATA WITHIN THE CHARLOTTE TILBURY GROUP

We may share your personal data with other companies within the Charlotte Tilbury Group to enable us to run data analysis, develop new products, for other business development purposes and/or to allow another Charlotte Tilbury Group company to perform services on our behalf. Where we do this, we have written contracts in place between the companies within the Charlotte Tilbury Group to ensure your privacy is secure and respected.

SHARING YOUR DATA WITH TRUSTED THIRD PARTIES

We share your personal data with trusted third parties to allow us to provide our services to you. When we do share your data with these third parties we only provide the information they need to perform the service. We have written contracts in place with them to ensure they only use your data for the purpose we specify to them and that your privacy is secure and respected.

These trusted third parties include the following:

DESCRIPTION EXAMPLES
• Companies that help us fulfil your orders and, where required, get your purchases to you, such as delivery couriers and payment providers Examples, Royal Mail, DPD, Borderfree, Stripe, PayPal
• Professional service providers such as website hosting providers, system providers, website analytics providers, advertisers and appointment booking providers, who help us run our business Examples, Booking Bug, Google Analytics, Doubleclick, Magento.
• Direct marketing companies who help us manage our electronic communications with you Examples, Dotmailer, Ometria, Moveable ink.
• Social Media or Web platforms to show you products that might interest you while you’re browsing the internet Examples, Facebook, Instagram, YouTube
• Companies who send segmented, personalised marketing communications on our behalf Examples, Qubit, Revel, Implicit Design
• Credit reference agencies, law enforcement and fraud prevention agencies, so that we can help tackle fraud Examples, Stripe, PayPal

We may also share your personal data in connection with a business transition (such as a merger, acquisition by another company, or a sale of all of or portion of our assets). In these circumstances, we may need to share your personal data with a prospective buyer and external professional advisors such as accountants, insurers, lawyers or financial institutions.

We may be required to share your personal data with the police, administrative authorities (such as HMRC) or other enforcement, regulatory or Government bodies, where we are legally obliged to do so.

We will only share your personal data with third parties (including our group companies) for them to use for their own direct marketing purposes when you have given your consent for us to do so.

We may receive information about you from third parties, such as partners we run competitions and events with, for example, our Retail Partners and trade shows or from other organisations we work with, or from publicly available sources, such as Companies House, or information which is published in the media.

Depending on your settings or the privacy policies of social media or messaging services, such as Facebook, Twitter or WhatsApp, we may collect information about you from these sources, with your permission.

We may combine the information you have given us, with information obtained from other sources, but we will only do this when we have a lawful basis to do so.

In countries where we do not currently deliver, we work with a third party known as Borderfree, which enables customers in those countries to purchase our products and have such products delivered directly to them. Borderfree shares information with us, such as order placement, product preference, purchase history and where a customer has consented, Borderfree will also share marketing consents with us.

We, like many other companies, target Charlotte Tilbury ads and banners when you are browsing on apps and other websites. We do this by way of various ad exchanges and digital marketing networks. We use various advertising technologies, for instance, ad tag, cookies, pixels, identifiers and web beacons. We also use services offered by some sites and social networks, for example, Facebook's Custom Audiences. The ads and banners you see are based on information that we hold about you, or on your prior use of our Website, for example, products you have browsed previously, content you have read on our Website, or on Charlotte Tilbury banners or ads that you have engaged with in the past.

We are a global business and some of our group companies and service providers are located in countries outside of the EU.

As a result, it may be necessary for the personal data that we collect from you to be transferred to or accessed from outside the EU in order for us to provide our services.

If we do this, we have procedures in place to ensure your data receives the necessary protections. Any transfer of your personal data will follow applicable laws and we will treat the information according to the principles set out in this Privacy Policy.

If you would like further information, please get in touch with us using the contact details provided at the end of this Privacy Policy.

If you are based outside the UK and place an order on the Website, your personal data will be accessed in the UK by Charlotte Tilbury Beauty Limited and the third parties detailed above.

We will only keep your personal data for as long as we need to for the reason we collected it, as set out in this Privacy Policy. For example, for as long as needed to allow us to fulfil your order or to provide any customer services support you have requested, or for as long as you hold an account with us.

We may also keep hold of some of your personal data if we are required to do so for legal purposes, for example, to meet our legal or regulatory requirements or to prevent fraud and abuse. For example, we will keep your order data for five years after you place an order with us to allow us to comply with our legal obligations.

When we are no longer required to keep your personal data, your data will either be deleted or completely anonymised. For example, by aggregation with other data so that it can be used in a non-identifiable way for business planning and analysis purposes.

It is important that the personal data we hold about you is accurate and current. If you have an account with us, please keep your details up-to-date.

We are committed to ensuring that your personal data is secure and we have put in place suitable physical, electronic, contractual and managerial procedures, including our Information Security Management System and Secure Sockets Layer (SSL) encryption, to protect your personal data. Our employees who have access to and process your personal data are obliged to respect the confidentiality and security of your personal data.

Our Website may contain links to other websites of interest. However, we do not have any control over third party websites and they will be governed by their own privacy policies, not this Privacy Policy.

We love keeping you up-to-date by email about our latest products, services, offers and events, but if you decide that you don’t want to receive these communications at any point, you can unsubscribe as follows:

Email us at: [email protected] or click on the unsubscribe button on the bottom of any email we send you. If you have an account with us, you can also unsubscribe by going to the Account Information page on the Charlotte Tilbury website, clicking on Newsletters, and unsubscribing to general subscription.

You have the following rights in relation to the personal information we hold about you, to request:

• access to the personal data we hold about you (commonly known as a "data subject access request") including a copy of it.

• the correction of the personal information that we hold about you if it is incomplete or inaccurate (although if you hold an account with us, you may be able to do this in certain cases yourself by visiting the Account Information page on the Charlotte Tilbury website);

• the deletion or removal of personal data we hold about you where there is no good reason for us continuing to process it or where you have exercised your right to object to processing (see below);

• for our processing of your personal information to be restricted in certain circumstances, for example if you want to establish its accuracy or the reason for processing it; and

• to obtain a copy of the personal information you’ve provided us with and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.

We may ask you for proof of your identity before dealing with your request, as a security measure to protect your data.

Right to Object

Where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing it and we must do so unless we believe we have an overriding legitimate reason to continue processing your personal data.

If you are dissatisfied with how we have handled your personal data, you have the right to make a complaint to your data protection regulator. In the UK, this is the Information Commissioner's Office (ICO). You can make a complaint to the ICO by calling their helpline on 0303 123 1113 or on their website at www.ico.org.uk/concerns.

We would, however, appreciate the chance to deal with your concerns before you approach the ICO or, (if you’re based outside of the UK, your data protection regulator), so please do contact us in the first instance.

Customers need to be over 18 to create an account with us or to sign up for our newsletter. We will not knowingly collect data about under 18s and if you are under 18, please do not provide us with your personal information. We would ask parents to please ensure that their children that are under 18 do not provide us with any personal information without their permission. If you believe that a child who is under 18 has provided personal data to us, please contact us, using the details below and we will seek to delete that data from our systems.

SCOPE

Charlotte Tilbury Beauty Limited (“Charlotte Tilbury”) has in place a CCTV surveillance system (the “CCTV System”) across its UK shop locations. This policy details the purpose, use and management of the CCTV System at Charlotte Tilbury, and details the procedures to be followed in order to ensure that the organisation complies with relevant legislation and the current Information Commissioner’s Office CCTV Code of Practice (“ICO Guidance”).

The use of the CCTV System will comply with the General Data Protection Regulation (“GDPR”), and other applicable legislation. Although not a relevant authority, Charlotte Tilbury will also have due regard to the Surveillance Camera Code of Practice, issued under the Protection of Freedoms Act 2012 and in particular the 12 guiding principles contained therein.

This policy is based on the ICO Guidance.

This policy and procedures apply to all of Charlotte Tilbury’s CCTV Systems that capture images of identifiable individuals for the purpose of viewing and or recording the activities of such individuals. CCTV images are monitored and recorded in strict accordance with this policy.

RESPONSIBILITY

The Head of Workplace Technology and Infrastructure is responsible for the overall management and operation of the CCTV System, including activities relating to installations, recording, reviewing, monitoring and ensuring compliance with this policy.

Additionally, the Head of Workplace Technology and Infrastructure is responsible for ensuring that adequate signage is displayed in compliance with the ICO Guidance.

Charlotte Tilbury’s usage of CCTV and the contents of this policy will be reviewed annually by the Head of Workplace Technology and Infrastructure with reference to the relevant legislation or guidance in effect at the time. Further reviews will take place as required.

All staff involved in the operation of Charlotte Tilbury’s CCTV System will be made aware of this policy and will only be authorised to use the CCTV System in a way that is consistent with these purposes and procedures.

All Charlotte Tilbury staff with responsibility for accessing, recording, disclosing or otherwise processing CCTV images will be required to undertake training in data protection and the correct operation of the CCTV System.

It is the responsibility of all Charlotte Tilbury employees to comply with this policy. Failure to comply with this policy could result in potential enforcement action from regulators, claims from data subjects and reputational damage, in addition to increased costs of storage and the increased workload from handling data subject individual rights requests. Non-compliance with this policy may lead to disciplinary action.

POLICY

1. Charlotte Tilbury is the data controller for the images produced by the CCTV System. Charlotte Tilbury is registered with the Information Commissioner’s Office and the registration number is ZA222382. The CCTV System operates in a manner that meets the requirements of the GDPR and the ICO’s Guidance, and in a manner that is consistent with respect for the individual’s privacy.

2. Charlotte Tilbury makes use of a CCTV System, as follows:

‘General purpose’ CCTV

i. For the prevention, reduction, detection and investigation of crime and other incidents

ii. To ensure the safety of staff, visitors and customers

iii. To assist in the investigation of suspected breaches of Charlotte Tilbury regulations by staff, visitors or customers

3. The CCTV System is operational and is capable of being monitored for 24 hours a day, every day of the year.

4. All CCTV installations are subject to a Data Protection Impact Assessment.

5. For ‘general purpose’ CCTV usage, the cameras are monitored in a restricted area in shop locations, which are accessible only to staff. Images are recorded on systems stored in this location, and access to historical images is only granted to shop managers and Retail Operations staff.

6. The cameras installed provide images that are of suitable quality for the specified purposes for which they are installed, and all cameras are checked daily to ensure that the images remain fit for purpose and that the date and time stamp recorded on the images is accurate. All images recorded by the CCTV System remain the property and copyright of Charlotte Tilbury.

7. All cameras are sited in a way that they will only capture images of individuals entering into Charlotte Tilbury retail locations, strictly for the purposes as specified in Point ii.

8. Appropriate signage will be in place in all locations where CCTV Systems are deployed, to inform individuals of their presence. Signage will be clearly visible and readable, state the purpose for using the system and provide contact details for the party responsible for operating the system.

9. The CCTV System does not compare images against a reference database for matching purposes.

10. Appropriate security measures are applied to ensure that the CCTV Systems and images produced by it are protected against unauthorised access and use.

11. Requests by individuals for images relating to themselves should be submitted to [email protected], or by post to General Counsel, Charlotte Tilbury Beauty Limited, Unit 5, 50 Brook Green, London W6 7BJ, together with proof of identification. Further details of this process are detailed in the Charlotte Tilbury Individual Rights (Subject Access Request) Policy. In order to locate the images on the CCTV System, sufficient detail must be provided by the individual in order to allow the relevant images to be located and the data subject to be identified. For example, date and approximate time of day when images may have been captured, and location, would allow us to more easily identify all images.

12. Where Charlotte Tilbury is unable to comply with a Subject Access Request without disclosing the personal data of another individual who is identified or identifiable from that information, it is not obliged to comply with the request unless satisfied that the other individual has provided their express consent to the disclosure, or if it is reasonable, having regard to the circumstances, to comply without the consent of the individual.

13. A request for images made by a third party should be made in writing to [email protected] or by post to General Counsel, Charlotte Tilbury Beauty Limited, Unit 5, 50 Brook Green, London W6 7BJ. In limited circumstances it may be appropriate to disclose images to a third party, such as when a disclosure is required by law, in relation to the prevention or detection of crime or in other circumstances where an exemption applies under relevant legislation.

14. Where a suspicion of misconduct arises and at the formal request of the People Team, the Head of Workplace Technology and Infrastructure may provide access to CCTV images for use in staff disciplinary cases.

15. A record of any disclosure made under this policy will be maintained by Charlotte Tilbury, itemising the date, time, camera, requesting party, authorising party and reason for the disclosure.

16. Unless required for evidential purposes, the investigation of an offence or as required by law, CCTV images will be retained for no longer than the period stated in the Charlotte Tilbury Data Retention Policy. Images will be automatically overwritten after this point. Where an image is required to be held in excess of this retention period, the Head of Workplace Technology and Infrastructure will be responsible for authorising such a request. Images held in excess of their retention period will be reviewed on a three monthly basis and any not required for evidential purposes will be deleted.

17. Complaints concerning Charlotte Tilbury’s use of its CCTV System or the disclosure of CCTV images should be made in writing to [email protected] or by post to General Counsel, Charlotte Tilbury Beauty Limited, Unit 5, 50 Brook Green, London W6 7BJ.

If you have any queries, comments or requests regarding this Privacy Policy, you have a complaint or you would like to exercise any of your rights set out above, you can contact us in the following ways:

• by email at [email protected]; or

• by post at General Counsel, Charlotte Tilbury Beauty Limited, Unit 5, 50 Brook Green, London W6 7BJ.