Jump to content
Create an account or log in to unlock 15% off + FREE delivery on your first order* with code DARLING15

magic hub, intranet – privacy notice

1. Overview

This privacy notice applies to Charlotte Tilbury Beauty Limited and its subsidiary entities (together, “Charlotte Tilbury”, “we”, “us”). It explains how we process your personal data when you access and use the Magic Hub intranet via the mobile or desktop app.

Magic Hub is provided by LumApps, an AI-enabled intranet platform that integrates with Google Workspace and Microsoft 365 to support corporate news, collaboration and knowledge sharing. This notice supplements the Employee Privacy Policy.

2. Who is the data controller and who processes your data

Charlotte Tilbury is the data controller for personal data processed through Magic Hub for employees and other authorised users.

LumApps provides the Magic Hub platform and acts as our data processor, processing personal data on our instructions. LumApps may engage approved sub-processors for hosting, support and related services. Details of LumApps’ current sub-processors are available here.

We may also share personal data with other entities within the Charlotte Tilbury Group and, where relevant, Puig Group entities that provide group services (for example, IT, security, corporate communications, compliance or administrative support), as described in this notice.

3. What personal data we process

We process personal data that is necessary to provide, secure and improve Magic Hub and to support corporate communications and collaboration. This may include:

• Identity and work contact details: name, corporate email address, work telephone number, job title, department/team, business location/address, employee ID (where applicable).

• Account and authentication data: usernames, access roles/permissions, single sign-on identifiers, access timestamps.

• Device and technical data: IP address, device identifiers, browser/app version, operating system, technical logs and security events.

• Usage and engagement data: activity and engagement metrics such as pages viewed, features used, time spent, access times, and (where enabled) participation in activities including scores, results, progress, points and start dates.

• Profile content and contributions (voluntary): profile photo/avatar, biography, interests, skills, and information you choose to add to your profile; and content you create or share within Magic Hub (for example posts, comments, reactions, uploads and files), subject to the visibility settings of the relevant space/community.

Mandatory vs optional data: Core identity data (such as name, corporate email and employee ID) is required to create and maintain your account and provide access. Profile fields such as avatar, biography, interests and other optional information are voluntary; choosing not to provide them will not affect access to core Magic Hub functions.

Special category data: Magic Hub is not intended for special category data (for example, data about health, religion, or trade union membership) or criminal offence data. Please do not upload such information to Magic Hub.

Sources of data: We collect personal data:

• directly from you when you use Magic Hub and add content or profile information; and

• from relevant Charlotte Tilbury/Puig source systems that integrate with the platform, such as SuccessFactors, corporate directories, and identity and access management systems.

4. Processing purposes & lawful basis

We use your personal data to provide you with secure access to Magic Hub, deliver corporate communications and community features, enable collaboration and knowledge sharing, personalise your experience and surface relevant content, measure adoption and engagement, monitor and protect the security and integrity of the service, support helpdesk and troubleshooting, and comply with legal or regulatory obligations.

Lawful basis: We process your personal data primarily on the basis of:

• performance of your employment contract (to provide corporate communication and collaboration tools and related support);

• legitimate interests (to operate, administer, secure and improve corporate systems, and to measure adoption/engagement in a proportionate manner); and

• legal obligations (where processing is necessary to meet applicable legal or regulatory requirements).

Optional profile information (such as your avatar or biography) is not required. You can update or remove optional profile information at any time in your profile settings

AI powered features and automated decision making. Magic Hub includes AI-enabled features (for example, content recommendations, search relevance and summaries). These features may use usage/engagement data and available content to improve your experience. Magic Hub does not use AI to make decisions about you that produce legal effects or similarly significant effects, and it is not used for performance management.

5. Data Sharing

Within Charlotte Tilbury / Puig Group support functions: Your data may be accessed by authorised personnel (including Magic Hub administrators) on a need-to-know basis for purposes such as IT support, security, corporate communications administration, and compliance.

Service providers: Outside Charlotte Tilbury, your data is processed by LumApps and its approved sub-processors for hosting, support, analytics and security, under our instructions and subject to contractual safeguards.

Visibility of content: Where you post to communities or collaboration spaces, your content will be visible to other employees and authorised users according to the space’s visibility settings and your organisation’s configuration.

International data transfers

Your data may be transferred to, stored in, or accessed from countries outside the UK/EEA where necessary to provide Magic Hub (for example, cloud hosting locations or support services). Where this happens, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses (as applicable), together with supplementary measures where required.

6. Data Retention

We retain personal data for as long as necessary to provide Magic Hub, to support security and audit requirements, and in accordance with our data retention policy. In general:

• account and profile information is retained while you remain an authorised user of Magic Hub (and for a limited period afterwards to support account closure, audit and security);

• technical/security logs are retained for limited periods to support security monitoring and incident investigation; and

• content you post may remain available according to the relevant space’s settings and our retention schedule.

Aggregated or anonymised analytics may be retained for longer.

7. Security

Charlotte Tilbury and LumApps implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest (where applicable), logging and monitoring, vulnerability management and regular security assessments. Access to administrative functions is limited to authorised personnel.

8. Your Rights

Subject to applicable law, you may have rights to:

• request access to your personal data;

• request rectification of inaccurate data;

• request erasure of your personal data (note: this is not an absolute right);

• restrict processing in certain circumstances;

• data portability (where applicable); and

• object to processing based on legitimate interests.

You also have the right to complain to the Information Commissioner’s Office if you are unhappy with how we process your data, and EEA based employees may complain to their local supervisory authority.

9. Contact

For questions, to exercise your rights or to obtain more information about international transfer safeguards, please contact the Charlotte Tilbury Data Protection Officer via dpo@charlottetilbury.com .

10. Changes to this notice

We may update this notice to reflect changes to Magic Hub or our processing. Material changes will be communicated through Magic Hub or usual internal channels, and the latest version will be available to employees.