privacy policy - europe

CHARLOTTE TILBURY

PRIVACY POLICY – UK & EEA

LAST UPDATED: JANUARY 2026

1. Introduction

At Charlotte Tilbury, we are committed to protecting your personal data and respecting your privacy.

You must be 18 or older to buy our products and services and/or create an account. This website is not intended for children, and we do not knowingly collect data relating to children. Please also refer to our Terms of Sale.

2. Who We Are

Charlotte Tilbury Beauty Limited (referred to in this Privacy Policy as "us", "we" or "our") is the data controller of your personal data for the processing activities described in this Privacy Policy for users located in the UK and EEA, unless we state otherwise.

Charlotte Tilbury Beauty Limited is a company registered in England and Wales (company number 08037372) with registered address 8 Surrey Street, London WC2R 2ND, United Kingdom.

Where this website is operated by, or where products and services are sold by, another Charlotte Tilbury group entity, that entity will act as the data controller for the personal data collected and processed through the website for commercial purposes, because it determines the purposes and means of that processing. The relevant controller will be identified at the point of collection or purchase, where applicable.

Our Group Companies

We are part of the Charlotte Tilbury group, which includes entities owned or controlled by Charlotte Tilbury Beauty Limited that operate Charlotte Tilbury websites or are responsible for stores, concessions, stands or events in your country.

We are also part of the wider Puig group of companies. Where you provide your consent (where required by law), we may share your personal data with other Puig group companies so that they can send you their own marketing communications. We will provide you with the relevant information about this processing at the time we ask for your consent, and you can withdraw your consent at any time.

Retail Partners

Charlotte Tilbury products and services may also be sold through authorised third-party retailers (“Retail Partners”). A list of our authorised Retail Partners is available here. Where you purchase Charlotte Tilbury products from a Retail Partner, that Retail Partner will typically act as an independent controller in relation to its own processing of your personal data. Please refer to the Retail Partner’s privacy notice for information about how they use your personal data.

3. Contact Us

If you have questions, want to exercise your rights, or have a complaint, you can contact us and our EU representative via:

• Online: Privacy Request Portal

• Email: dpo@charlottetilbury.com

• EU Representative Email: dpocharlottetilburyeurope@dentons.com

• Post: Data Protection Officer, Charlotte Tilbury Beauty Limited, 8 Surrey Street, London WC2R 2ND, United Kingdom

For customer service enquiries (non-privacy), please contact Customer Care via our help page.

4. Updates

We may update this Privacy Policy from time to time. If we make material changes that may affect your rights, we may provide additional notice (for example, by email or via our website).

5. When we will collect your personal data

We may collect personal data about you when you:

• use our website or app (including via cookies and similar technologies);

• create or manage an account, or join our loyalty programme;

• buy products or services (online or in-store from us);

• purchase from an authorised Retail Partner (in which case we may receive limited information about your purchase from the Retail Partner);

• interact with us in-store (including appointments/consultations) and via in-store technologies (such as CCTV, Wi-Fi and footfall/traffic measurement where used);

• contact Customer Care or otherwise communicate with us;

• submit surveys, reviews, or other feedback, or participate in competitions/events/pop-ups/activations;

• interact with our marketing and advertising (including on third-party platforms);

• interact with our social media pages or mention us (subject to your settings).

Cookies and similar technologies: We use cookies and similar technologies on our website and app. You can manage your preferences using our cookie management tool and by adjusting your browser or device settings. For more information, please see our Cookie Policy. Our websites are not designed to respond to “Do Not Track” signals.

Mandatory vs optional information: Some personal data is required to provide products/services (for example, account, payment and delivery details). If you do not provide required information, we may not be able to process your order, provide a service, or respond to certain requests.

Sensitive Personal Data

We may collect and use certain personal data that is treated under data protection laws as “special category” data or sensitive personal data (referred to in this Privacy Policy as Sensitive Personal Data).

This means we will only process Sensitive Personal Data where an appropriate condition under UK/EU data protection law applies (for example, explicit consent and/or another permitted condition for meeting legal and regulatory obligations, such as product safety reporting).

Examples include:

• allergy or skin-sensitivity information you provide (for example, for appointments);

• information about undesirable side-effects, including photos or information you choose to share, which our Customer Care and Regulatory teams may assess for product safety and compliance; and

• dietary or accessibility requirements you provide for events.

Where we process facial imagery for features such as skin analysis or virtual try-on, we use it to provide the requested feature and do not use it to verify your identity or for identity authentication purposes.

Where we rely on your explicit consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Where we must process and retain information to comply with legal obligations (for example, product safety reporting), we may continue to process that information even if consent is withdrawn.

6. How we use your personal data and legal basis

The table below provides some examples of the information we collect about you and how we will use it. We only process personal data where a legal basis applies, such as consent, contract performance, legitimate interests, legal obligation, or vital interests. Where we rely on legitimate interests, we have carried out a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You may request further information about these assessments by contacting us.

 

| Data Category | What Data We May Use | Why We Use It | Legal Basis |
| --- | --- | --- | --- |
| Identity & Contact Details | Name, email address, postal address, telephone number, account credentials | Account creation and management; authentication; order processing; service communications; deduplication | Contract; Legitimate Interest |
| Demographic Information | Age, gender, optional demographic indicators | Segmentation; birthday treats; service optimisation | Legitimate interests; Consent |
| Beauty Profile & Preferences | Skin tone, hair/eye colour, preferences, quiz responses, beauty goals | Personalisation; recommendations; user experience | Legitimate Interest; Consent |
| Skin Information | Limited health info (e.g., allergies/reactions) | Product safety; compliance; customer claims | Explicit consent; Legal obligations |
| Pro Beauty Tech | Facial imagery, skin analysis, virtual try-on scans, optional storage | Feature delivery; personalised recommendations | Consent |
| Transactional | Purchases, payment method, billing details, order history, refunds | Transactions; fraud prevention; accounting/audit | Contract; Legal Obligation; Legitimate Interest |
| Order Delivery | Name, address, order details, recipient message | Delivery via couriers/postal services | Contract |
| Technical and Usage | IP address, device IDs, cookie IDs, browser/OS, logs, session data, language, referrer, usage | Security; performance; analytics; personalisation; fraud detection | Legitimate interests; Consent (where required for cookies) |
| Location | Approximate location (IP); precise location (opt-in) | Location-based content; analytics; fraud prevention | Legitimate interests; Consent (precise location) |
| Customer Care and Communications | Emails, chat, SMS/WhatsApp, call recordings (where applicable), logs and correspondence | Responding to requests; complaint handling; quality assurance; training | Contract; Legitimate Interest |
| Marketing & Communications | Contact details, preferences, purchase/browsing activity, VIP/store/advisor preferences | Marketing communications; tailored offers; events; back-in-stock messages | Consent (electronic direct marketing, subject to applicable “soft opt-in” rules); Legitimate interests (postal marketing and preference/suppression management); Contract (requested service messages such as back-in-stock) |
| Survey and Feedback | Survey responses, reviews, ratings, contest submission | Improve products/services; satisfaction analysis | Consent; Legitimate Interest |
| Social media and Public Profile | Handles, profile info (depending on settings), public posts/interactions (depending on user settings), public posts, interactions with brand accounts | Community engagement; social listening; complaint handling | Legitimate Interest; Consent (platform-dependent) |
| User-Generated Content | Reviews, photos, videos, comments | Publishing content; marketing (where permitted); product improvement | Consent; Legitimate Interest |
| CCTV and In-Store Surveillance | Video recordings in retail locations/counters | Security; safety; loss prevention; incident investigation | Legitimate interests; Legal obligation (where applicable) |
| Behavioural | Behavioural profiles; predicted preferences; wishlists; searches/returns | Personalisation; product development; targeted marketing; analytics | Legitimate Interest |
| Optional Additional Information | Birthday; physical characteristics; optional preferences | Enhanced personalisation; virtual tools | Consent; Legitimate Interest |
| Advertising & Cross-Device Tracking | Email/device IDs, hashed identifiers, browsing history | Personalised advertising; measurement; cross-device targeting | Consent |
| Behavioural and AI-Powered Experiences | Prompts (text/images) submitted to AI tools; outputs | Virtual assistants; recommendations; analytics; safety monitoring | Consent; Legitimate Interest |
| Anti-Counterfeit & IP Enforcement Data | ID data, contact info, purchase history, social handles | Prevent and investigate counterfeit activity, protect IP, manage enforcement actions, and comply with legal obligations | Legitimate interest; Legal Obligation |
| Event/Image Data | Photos/videos at events/in-store or submitted | Marketing and promotional activities | Consent |
| Global Account Recognition | Account info, customer ID, transaction history, preferences | Recognition across channels for consistent service | Legitimate Interest |

Anonymised and aggregated data

We may also anonymise and/or aggregate personal data, so it no longer identifies you, and use it for testing, research, analytics, and product/service improvement.

AI-enabled features and chatbots

We may offer AI-enabled features, including chatbots and virtual assistants, to help you interact with our services more efficiently (for example, to answer questions, provide product information, support customer care queries, and offer personalised recommendations). When you use these features, we may process the information you choose to provide in your prompts (such as text and, where the feature allows, images), together with related interaction data (for example, date/time, device and session identifiers, and the content of our responses) in order to provide the feature, improve user experience, protect the security and integrity of our services, and detect and prevent misuse or fraud.

Please do not include unnecessary personal data in your prompts, and do not share special category data (such as health information) or any sensitive or confidential information. AI outputs may be inaccurate or incomplete and should be reviewed. Additional information about specific AI features (including the data used, retention, and any relevant technology providers) will be provided at the point you use the feature and/or in the relevant feature terms.

Automated decision making

We use automated tools to help operate our services (for example, to prevent fraud, protect security and personalise content). We do not make decisions about you that produce legal effects (or similarly significant effects) based solely on automated processing. If you would like more information, please contact us.

App permissions

When you use our app, we process device and usage information and, if you enable it, location information. We use this to operate app features (including push notifications), maintain performance and improve the app. You can manage app permissions at any time via your device settings.

Email marketing and analytics

If you opt in to receive marketing emails, our email marketing provider may collect engagement information (such as email opens, clicks and approximate location) to help us understand how our emails perform and tailor communications.

We also use analytics tools (including cookies and similar technologies) to:

• measure the effectiveness of our marketing;

• understand how visitors use our website and app;

• improve our products and services;

• tailor recommendations and content; and

• help deliver and measure advertising.

For more information and to manage your choices, please see our Cookie Policy.

Charlotte’s Darlings Loyalty Club

If you join Charlotte’s Darlings Loyalty Club, we may use your interactions with us (for example, purchases and engagement) to build a profile so we can administer the programme, provide benefits and send tailored offers. If you do not want your data used for tailoring within the programme, please contact us.

Basket reminders

If you are a registered customer and have opted in to marketing emails, we may send you reminders about items left in your basket. You can opt out at any time using the unsubscribe link in our emails.

Pro Skin Analysis

If you use Pro Skin Analysis, we process facial scan data and related analysis data to provide personalised insights and recommendations. We do not store your image unless you choose to save it to your account.

If you save your image, we retain the saved image and related analysis data for up to 12 months from capture and then delete it. If you do not use the feature for 6 months, we may notify you that your saved data will be deleted within a further 6 months unless you use the feature again. We provide additional information at the point of collection. For more details, please see the Pro Skin Analysis Terms of Use.

7. Sharing your personal data

We may share your personal data with:

• Charlotte Tilbury group companies: We may transfer your personal data to our subsidiaries and affiliates worldwide for the purposes described in this Privacy Policy, including to provide you with a consistent and personalised level of service across our global operations.

• Our parent company: PUIG BRANDS, S.A.

• Other Puig group companies for their own marketing (with your consent): where you have consented, we may share your personal data so they can send you their marketing communications. You can find a list of Puig brands that form part of the Puig Group here.

• Service Providers: We share your personal data with trusted third parties who process personal data on our behalf (for example, hosting, IT support, analytics, payment processing, delivery, customer care tools, fraud prevention, advertising/marketing partners, event providers and technology providers supporting features such as skin analysis). Where service providers process personal data on our behalf, we require them to process data only on our instructions, apply appropriate security measures, and maintain confidentiality.

We may also share personal data:

• with fraud prevention and security providers to help detect and prevent criminal activity (for example, suspicious transactions);

• in connection with a business transaction (such as a merger, acquisition, or sale of assets), with appropriate safeguards; and

• with regulators, law enforcement, courts and authorities where required by law or where necessary to protect rights, safety or prevent fraud.

Profiling and personalised advertising

Building up a picture of you

We analyse information about how you use our services (for example, the products you view or buy and how you interact with our website/app) to understand customer preferences, measure marketing effectiveness and provide more relevant content and offers across channels, including online advertising and social media.

Personalised advertising and audiences

We may work with advertising and social media partners to show you adverts that are more likely to be relevant and to measure campaign performance. Depending on your choices (including cookie preferences, where required), this may involve:

• using cookies/trackers on our website/app; and/or

• sharing certain identifiers with partners (including hashed identifiers) to create “custom audiences” or similar audience models (including “lookalike” audiences).

You can manage your preferences using our cookie management tool and, where available, via settings on the relevant third-party platforms. For more information, see our Cookie Policy.

Advertising on third-party platforms

We may run campaigns on third-party platforms (such as Facebook, Instagram, Google, TikTok, Snapchat, Pinterest). In some cases, we may share a hashed version of your contact details (such as email address or phone number) so the platform can match it to its users and help us:

• show our adverts to existing customers; and/or

• reach new audiences with similar characteristics (lookalike audiences).

We do not receive the identity of individuals in a lookalike audience unless they engage with our adverts. We do not share personal data collected directly from you on our site with third parties for their direct marketing purposes unless you have consented.

Information we receive from third parties

We may receive information about you from third parties such as Retail Partners, competition partners, review platforms, and public sources (including social media, subject to your settings). Where you interact with us on social media or mention us publicly, we and third-party analytics providers we engage may process information from publicly available posts to help us understand engagement, improve our services, and manage customer support. These providers may use AI-enabled tools to assist with this analysis. Where we have a lawful basis to do so, we may combine this information with information you provide to us.

Marketing service providers

We may share limited information with selected marketing service providers who support us with audience insights, segmentation, measurement and campaign optimisation. Where appropriate, we use measures such as hashing, encryption and/or pseudonymisation before sharing data. These providers may be able to combine the information we share with other data they hold in order to provide their services to us, subject to contractual restrictions and appropriate safeguards.

8. International transfers of your personal data

We are a global business and some of our group companies and service providers are located in countries outside of the UK or EEA. As a result, it may be necessary for the personal data that we collect from you to be transferred to or accessed from outside the UK or EEA (a "third country") in order for us to provide our services.

Where your personal data are transferred outside of the UK/EEA, we require that one of the following appropriate safeguards is in place, in accordance with data protection laws:

• the destination country is recognised as providing an adequate level of protection under UK and/or EU data protection law (as applicable); or

• in the absence of such a decision, appropriate safeguards are in place, including the EU Standard Contractual Clauses (SCCs) and the UK Addendum to the SCCs and/or the UK International Data Transfer Agreement (IDTA), as applicable.

Some transfers are necessary to provide our services (for example, where our group companies or service providers operate internationally). If you do not want your personal data transferred outside the UK/EEA, you may be unable to use certain services, and you may choose to close your account.

9. Security and Retention

Security

We are committed to ensuring that your personal data is secure and we have put in place suitable physical, electronic, contractual and managerial procedures, including our Information Security Management System and Secure Sockets Layer (SSL) encryption, to protect your personal data. Our employees who have access to and process your personal data are obliged to respect the confidentiality and security of your personal data.

Retention

We will only keep your personal data for as long as we have a legal or business reason to do so. In general, this means for as long as you remain a Charlotte Tilbury Group customer, or as required to meet our legal obligations, resolve disputes or enforce our terms and conditions.

We may also keep hold of some of your personal data if we are required to do so for legal purposes. For example, we will retain order and transaction records for as long as necessary for legal, tax and accounting purposes. In many cases this will be for up to six years after the end of the relevant financial year in which the transaction took place.

When we are no longer required to keep your personal data, your data will either be deleted or anonymised, so that you can no longer be identified from it.

Third Party Links

Our Website may contain links to other websites of interest that are not run by us but by third parties. However, we do not have any control over these third-party websites and they will be governed by their own privacy policies and terms and conditions, not this Privacy Policy. You should review the privacy notices and terms and conditions of any other websites that you use.

10. Your Marketing Choices

We love keeping you up to date by email, post and by SMS/WhatsApp about our latest products, services, offers and events, subject to your marketing preferences.

How can I unsubscribe from marketing communications?

• Emails: To unsubscribe from emails, click on the 'unsubscribe' button on any email we send you.

• Text Messages: To unsubscribe from SMS, find instructions on how to do this in any SMS message that we send you.

• Push Notifications: In our App, you can manage your preferences and opt out from push notifications in the ‘Settings’ section.

• Other marketing: We may include marketing inserts in parcels or order communications where permitted by law.

Your online account may offer you the ability to edit your marketing preferences. You can also opt out any time using the methods above or by contacting us.

Mobile Device & Browser Preferences: Depending on your mobile device or web browser, we may request your location or request to send you push notifications. You can edit your preferences using the settings on your device.

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are updated. Opting out of marketing messages will not stop service communications, such as order updates, or messages where you have asked for a specific ‘back in stock’ notification.

11. Your rights in relation to your personal data

You have the following rights (with some exceptions) in relation to the personal data we hold about you:

• Right to be informed: you have the right to obtain clear, transparent and easily understandable information about how we use your personal data, and your rights. This is why we provide you with this Privacy Policy.

• Right of access: you have the right to access the personal data we hold about you.

• Right of rectification: you have the right to have the personal data that we hold about you rectified if it is incorrect, outdated and/or incomplete.

• Right to restriction of processing: you have the right to ask us to restrict the processing of your personal data in certain circumstances (for example, where you contest the accuracy of the data or object to our processing).

• Right to erasure/right to be forgotten: you have the right to have your personal data erased or deleted. Please note this is not an absolute right, as we may have legal or legitimate grounds for retaining your personal data.

• Right to object: you have the right to request that we stop processing your personal data, in specific circumstances. For example, when you have withdrawn consent, or object for reasons related to your individual circumstances. Where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing it and we must do so unless we believe we have an overriding legitimate reason to continue processing your personal data.

• Right to object, direct marketing: you can unsubscribe or opt out of our direct marketing communication via any channel at any time. You are also able to request to receive non-personalised communications about our products and services.

• Right to data portability: you have the right to move, copy or transfer data from our database to another. This only applies to data that you have provided, where processing is based on a contract or your consent, and the processing is carried out by automated means.

• Right to withdraw consent: If we process your personal data on the basis of your consent, then you can withdraw your consent at any time.

• Right to complain: you also have the right to contact the data protection authority of your country in order to lodge a complaint against the data protection and privacy practices of Charlotte Tilbury. We would like the chance to resolve directly any complaints you have concerning the way we have responded to your request, but you have the right at all times to raise a complaint with the Information Commissioner’s Office (ICO). Go to https://ico.org.uk/ for further information. Contact details for other data protection authorities in Europe are available on the website of the European Data Protection Board:

https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

To submit a request, please use the Privacy Request Portal and/or the contact details provided at the top of this Privacy Policy. We may require proof of your identity and full details of your request before we process it.

© CHARLOTTE TILBURY BEAUTY LIMITED 2026. All rights reserved.