1. INTRODUCTION

1.1 WHAT COUNTS AS PERSONAL DATA AND WHAT IS PROCESSING OF PERSONAL DATA?

Personal data is defined as any type of information that can be attributed, whether directly or indirectly, to a natural, living person. For example, images and sound recordings processed on a computer may be personal data even if no names are mentioned. Encrypted data and various types of electronic identities (e.g., IP addresses) are personal data if they can be linked to natural persons. Every action taken with personal data constitutes an instance of processing, irrespective of whether the action is automated or not. Common types of processing include collection, registration, organisation, structuring, storage, treatment, transfer and deletion.

1.2 WHO IS RESPONSIBLE FOR THE PERSONAL DATA WE COLLECT?

United Kingdom & Republic of Ireland: The Make-up Edit is the data controller for the company’s processing of personal data.

2. WHAT DOES The Make-up Edit USE YOUR PERSONAL DATA FOR?

We strive to provide you with a full range of personalised skin care and cosmetic recommendations designed to meet your needs.

You can read about what TME uses your personal data for and why below.

2.1. FOR YOU TO BE ABLE TO MANAGE AND MONITOR YOUR PURCHASES AND SERVICES

Review the history of your purchases and recommendations.Change your personal data and settings.

2.2 TO BE ABLE TO HANDLE ORDERS

Which includes:

Delivery (including notification and contacts regarding the delivery).Identification and age verification.Payment handling (including analysis of possible payment solutions, which may include running a payment history check and retrieving credit reports from financing companies). Address verification against The Make-up Edit complaints and warranty claims.We process the following data:

NamePersonal identity numberContact details (e.g., address, email address and phone number)Payment history/payment informationBilling informationCredit reports from credit report companiesPurchase information (e.g., item ordered or if the item is to be delivered to another address)User information for My Account (if you have a customer account)Legal basis: Execution of the purchase agreement. Such collection of your personal data is required in order for us to fulfil our obligations under the purchase agreement. If the data is not submitted, it will not be possible to meet our commitments, and we will be forced to refuse your purchase.

Retention period: Until the purchase has been completed (including delivery and payment) and for 36 months thereafter for the purpose of handling any complaints and warranty claims.

2.3 TO MEET THE COMPANY'S LEGAL OBLIGATIONS

Handling required for compliance with the company's legal obligations pursuant to statute, court order or regulatory decision (e.g., with law enforcement or other governmental authorities, including but not limited to;

• The Information Commissioner’s Office (ICO)

• The Financial Conduct Authority

• HMRC

or product liability and product safety provisions, which may require that communication and information be provided to the public and customers concerning product alarms and product recalls in case of e.g., defects or products hazardous to health).

For this purpose, we process the following:

NamePersonal identity numberContact details (e.g., address, email and phone number)Payment history Billing information Your correspondence Details regarding purchase date, place of purchase, any defect/complaintUser information for My Account (if you have a customer account)Legal basis: Legal obligation. This collection of your personal data is required by law. If the data is not submitted, it will not be possible to meet our legal obligation and we will therefore be forced to refuse your purchase.

Storage period: Until the purchase has been completed (including delivery and payment) and for 36 months thereafter.

2.4 TO BE ABLE TO HANDLE CUSTOMER SERVICE CASES

Which includes:

Communication and responding to any questions put to customer service (by phone or through digital channels, including social media).Identification and questions concerning user accounts.Investigating any complaints and support cases (including technical support).Questions and advice about and ahead of purchases, questions about products, return management, order modification and similar issues.We process the following data:

NamePersonal identity numberContact details (e.g., address, email and phone number)Your correspondence Details regarding purchase (date, place of purchase, any defect/complaint) The Make-up Edit health data (e.g., allergic reactions and health conditions that you inform us of)User information for My Account (if you have a customer account)Legal basis: Legitimate interest, and explicit consent in cases where we process sensitive data. Processing is necessary in order to cater to both our own and your legitimate interest in the handling of customer service cases.

Storage period: 12 months after the customer service case has been closed.

2.5 TO BE ABLE TO EVALUATE, DEVELOP AND IMPROVE OUR SERVICES, PRODUCTS AND SYSTEMS FOR OUR CUSTOMER BASE AS A WHOLE, AND TO OFFER YOU A PERSONALISED, RELEVANT EXPERIENCE IN OUR RANGE OF SERVICES AND PRODUCTS.

Customisation of services to make them more user-friendly (for instance, changing the user interface to simplify the flow of information or to highlight features frequently used by customers in our digital channels). Customisation of marketing services such as Google Search, Display and Video and Facebook to become more relevant in our communication (for example, exclude existing customers from Facebook or Google marketing).

Producing data in order to improve product and logistics flows (for instance through the ability to forecast purchases, inventory and deliveries).Producing data in order to develop and improve our product range.Producing data in order to develop and improve our resource efficiency from an environmental and sustainability perspective (e.g. by streamlining purchasing and delivery scheduling). Producing data for the purpose of planning new warehouses and possibly decommissioning other warehouses. Giving our customers the opportunity to influence and review our product range. Producing data in order to improve IT systems for the purpose of generally enhancing security for both the company and for our visitors/customers.Analysis of the data we collect for this purpose. Based on the data that we collect (such as purchase history, age and gender) you will be sorted into a customer group (referred to as a customer segment) on which aggregate-level analyses are then run using anonymised or pseudonymised data, without any connection to you as individual. The insights gleaned from the analysis then form the basis of the products we source and how we develop ‘My Account’ on The Make-up Edit website.

The analysis is also used so that we can provide you with automatically adapted information in the form of e.g., articles, offers and advertisements on our website that are relevant to you based on the result of our analysis of your interests and your user behaviour (so-called profiling).

We therefore process:

Age Gender Place of residence Correspondence and feedback regarding our services and products Purchase and user-generated data (e.g. click and visit history) Information you provided via Quiz Customer satisfaction survey and questionnaires Technical data relating to the devices used and their settings (such as language setting, IP address, browser settings, time zone, operating system, screen resolution and platform)Information about how you interacted with us, i.e. how you used the service, login method, where and for how long different pages were visited, response times, download errors, how and when you leave the service, etc.Information about how you use our websites via “cookies”. You can read more about what cookies are and how we use them here.Legal basis: Legitimate interest. Processing is necessary in order to cater to both our own and our customers' legitimate interest in evaluating, developing and improving our services, products and systems. Agreement in case of data you provided via the skin analysis, and express consent in case of sensitive personal data.

Storage period: From the time of collection and for a period of 36 months thereafter.

2.6 IN ORDER TO PREVENT ABUSE OF A SERVICE OR IN ORDER TO PREVENT, DETER AND INVESTIGATE CRIMES AGAINST THE COMPANY AND CUSTOMERS

Prevention and investigation of potential fraud or other offences. Prevention of junk mailing, phishing, harassment, attempted illegal user account logon or other actions prohibited by law or under our terms of purchase, membership or service. Protecting and improving our IT environment against attack and intrusion.

For this purpose, we process:

Personal identity number Purchase and user-generated data (e.g., click and visit history)Technical data relating to the devices used and their settings (such as language setting, IP address, browser settings, time zone, operating system, screen resolution and platform) Details about how our digital services are used Legal basis: Compliance with legal obligation (if any) or legitimate interest. In the absence of a legal obligation, the processing is necessary in order to cater to our legitimate interest in preventing abuse of a service or in order to prevent, deter and investigate crimes against the company.

Storage period: From the time of collection and for a period of 36 months thereafter.

2.7 TO OFFER CUSTOMERS PERSONALISED SKINCARE CONSULTATION AND ADVICE

Carry out skincare treatment for the customer and possibly follow up on treatment, skin analysis. Product recommendations based on the user's needs and wishes and information about how to use the products for the desired result. Personalised skincare consultation by phone, chat, physical treatment, video or email. Follow-up skincare consultation. Marketing of products based on customer needs and wishes.

For this purpose, we process:

Name Contact details (e.g., address, email address and phone number)Gender Approximate age Purchase information Skin tone Image, where the user chooses this. Health data from skin analysis Legal basis: Performance of the skincare consultation agreement and express consent in cases where users provide sensitive information about themselves. Balancing of interests for marketing; it is in the interest of both The Make-up Edit and the user that users purchase products that suit them. Follow-up of treatments over time.

Storage period: 12 months from collection.

2.10 FOR OPT-IN COMMUNICATIONS

If you opt-in during the Make-up Edit site registration process or at other times when you may submit personally identifiable information, the information you provide may be used to create and deliver to you direct marketing.

Direct marketing includes all types of marketing outreach, such as our regular mailing list, SMS and postal send outs, which may consist of promotion alerts, special discounts, new product launches, coming soon updates, skin care advice, product recommendations and other relevant information (“Opt-In Communications”).

3. WHICH SOURCES DO WE RETRIEVE YOUR PERSONAL DATA FROM?

In addition to the data you provide us yourself, or which we collect from you based on your purchases and how you use our services, we may also collect personal data from others (referred to as third parties). The data we collect from third parties are as follows:

Address data from public records in order to be certain that we have the correct address details for you Credit rating data from credit ratings agencies, banks or credit report bureaus

4. WHO HAS ACCESS TO/PROCESS YOUR PERSONAL DATA?

4.1 WHO MAY WE SHARE YOUR PERSONAL DATA WITH?

Personal data assistants.Where required to, and in order for us to be able to offer our services, we share your personal data with companies serving as what are referred to as personal data assistants. A personal data assistant is a company that processes the information on our behalf and according to our instructions. We have personal data assistants that assist us with:

1) Transports (logistics and freight companies)2) Payment solutions (acquiring companies, banks and other payment service providers)3) Marketing (print, social media, media agencies or advertising agencies)4) IT services (companies that handle the necessary operation, technical support and maintenance of our IT solutions)

When your personal data is shared with personal data assistants it is purely done for purposes consistent with the reasons for which we collected the information (for instance in order to fulfil our obligations under the purchase agreement). We run checks on all personal data assistants to ensure that they are able to provide sufficient guarantees as to the security and confidentiality of personal data. We have written agreements in place with all personal data assistants under which they guarantee the security of the personal data processed and it is compulsory for them to comply with our security requirements and with restrictions and requirements concerning the international transfer of personal data.

Companies that are independent data controllers.We also share your data with certain companies that are independent data controllers. The fact that the company is an independent data controller means that we do not control how the information submitted to the company is to be processed. Independent data controllers with whom we share your personal data are as follows:

1) Government authorities (the police, the Swedish Tax Agency, HMRC or other authorities) if we are required to do so by law or in the event of a suspected crime2) Companies that provide general goods transportation (logistics and freight companies)3) Companies that offer payment solutions (acquiring companies, banks and other payment service providers)

When your personal data are shared with a company that is an independent data controller, the data is subject to that company's privacy policy and personal data management.

Other Service Providers We may retain other companies and individuals to perform functions consistent with our Privacy Policy on our behalf. Examples include customer support specialists, webhosting companies, data analysis firms and email service providers. Such third parties may be provided with access to personally identifiable information needed to perform their functions but may not use such information for any other purpose.

Business Transfers As we continue to develop our business, we might sell certain of our assets. In such transactions, user information, including personally identifiable information, generally is one of the transferred business assets, and by submitting your personal information on the Skincity Site you agree that your data may be transferred to such parties in these circumstances.

Financing companies processing of personal data

When buying from us, Klarna's cash register is used as standard, Klarna therefore processes your personal data as the person responsible for personal data. The personal data is processed, among other things, for the fulfilment of the agreement, as well as for carrying out identification and credit checks via external and internal databases. For more detailed information about Klarna's processing of personal data and your rights in connection with the processing, see here.

4.2 NO DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION FOR THIRD PARTY MARKETING WITHOUT YOUR CONSENT

We will never share your personal details with any third parties for their use in marketing their products or services to you without your consent.

4.3 WHERE DO WE PROCESS YOUR PERSONAL DATA?

We always strive to ensure that your personal data is processed within the EU/EEA, and all of our own IT systems are located within the EU/EEA. For purposes of system support and maintenance however, we may be forced to transfer the information to a non-EU/EEA country, for instance if we share your personal data with a personal data assistant that is, whether in its own capacity or through a subcontractor, established in or stores information in a non-EU/EEA country. In these cases, the assistant may only examine the information of relevance to the purpose (such as log files).

Regardless of the country in which your personal data is processed, we take all reasonable legal, technical and organisational measures to ensure that the level of protection is the same as that within the EU/EEA. In cases where personal data is processed outside the EU/EEA, the level of protection is guaranteed either by a decision of the EU Commission to the effect that the country in question ensures an adequate level of protection, or through the application of what is referred to as appropriate safeguards. Examples of appropriate safeguards include an approved code of conduct in the recipient country, standard contract clauses, binding internal company rules or Privacy Shield. Feel free to contact us if you wish to receive a copy of the safeguards that have been implemented or information about where they have been posted.

4.4 HOW LONG DO WE SAVE YOUR PERSONAL DATA FOR?

We will never save your personal data for longer than necessary for the respective purpose. See more about the specific storage periods under the respective purpose.

5. YOUR RIGHTS & CONSENT

WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?

Right of access (referred to as a ‘register extract’). We are always open and transparent about how we process your personal data, and if you wish to gain deeper insight into the personal data that we process about you in particular, you may request access to the data. The information is provided in the form of a register extract, specifying the purpose(s), categories of personal data, categories of recipient, storage periods, information about where the information was collected, and the occurrence of automated decision making.Please remember that if we receive a request for access, we may request additional information in order to ensure effective handling of your request, and to ensure that information is disclosed to the right person.

Right to rectification. You may request that your personal data be rectified if the data is incorrect. Within the scope of the stated purpose, you also have the right to supplement any incomplete personal data.Keep in mind that if you have a customer profile on The Make-up Edit website, you can change some data directly via My Account.

You have the right to withdraw a consent you have given us at any time. A consent to send newsletters, for example.

Right to be forgotten. You may request erasure of personal data we process about you if:The data is no longer necessary for the purposes for which they were collected or processed You object to a balancing of interests we performed on the basis of a legitimate interest and your reason for objecting outweighs our legitimate interest You object to processing for purposes of direct marketing The personal data is being processed in an unlawful manner The personal data must be erased in order to comply with a legal obligation to which we are the subject in question Personal data has been collected about a child (under age 13) for whom you have parental responsibility, and the data collection occurred in connection with the offering of information society services (e.g. social media)Keep in mind that we may have the right to deny your request if legal obligations prevent us from immediately erasing certain personal data. This obligation derives from bookkeeping and tax legislation, banking and anti-money laundering legislation, but also from consumer rights legislation. The processing may also be necessary for us to establish, assert or defend legal claims. Should we be unable to accommodate a request for erasure, we will instead block the personal data from use for purposes other than the purpose precluding the requested erasure.

Right to restriction. You are entitled to request that our processing of your personal data be restricted. If you dispute the correctness of the personal data that we process, you may request restricted processing during the period we require in order to verify whether the personal data is correct. If we no longer need the personal data for the defined purposes, but you do need them in order to be able to establish, assert or defend legal claims, you may request that we subject the data to restricted processing. This means that you may request that we refrain from erasing your data. If you have objected to the balancing of a legitimate interest that we have performed as the legal basis of a purpose, you may request restricted processing during the period we require in order to verify whether our legitimate interests outweigh your interests in having the data erased.If data processing has been restricted in accordance with any of the above situations, we may only, beyond the act of storage, process the data in order to establish, assert or defend legal claims, in order to protect someone else's rights, or if you have given your consent.

Right to object to a certain type of processing. You are always entitled to avoid direct marketing and to object to any processing of personal data based on a balancing of interests.Legitimate interest: In cases where we rely on a balancing of interests as the legal basis for a purpose, you have the opportunity to object to the processing. In order to continue processing your personal data after such an objection, we must be able to refer to a compelling legitimate interest in the processing in question that outweighs your interests, rights or freedoms. Otherwise, we may only process the data in order to establish, exercise or defend legal claims.

Direct marketing (including analyses performed for direct marketing purposes): You have the option to object to your personal data being processed for direct marketing. Such an objection also includes the analysis of personal data (referred to as profiling) performed for direct marketing purposes. Direct marketing refers to all types of marketing outreach (e.g., via mail, email and SMS). Marketing actions are where you as the customer have actively chosen to use one of our services or have otherwise sought us out to learn more about services do not count as direct marketing (such as product recommendations or other features and offers in My Account).If you object to direct marketing, we will discontinue the processing of your personal data for that purpose and will cease every type of direct marketing action as well. You may change this by changing the settings in My Account, by using the unsubscribe link in marketing mailings, or by contacting customer service.

Right to data portability. If our right to process your personal data is based either on your consent or on the performance of an agreement with you, you are entitled to request that the data concerning you and which you have submitted to us be transferred to another data controller (referred to as data portability). A prerequisite for data portability is that the transfer must be technically possible and can take place in automated form.

6.SECURITY - HOW IS YOUR PERSONAL DATA PROTECTED?

We use IT systems in order to shield confidentiality, privacy and access to personal data. We have implemented special security measures in order to protect your personal data against unlawful or unauthorised processing (such as unlawful access, loss, destruction or damage). Only those persons who actually need to process your personal data in order for us to be able to fulfil our specified purposes have access to them.

7. COOKIES & TRACKING

7.1 WHAT ARE COOKIES AND HOW DO WE USE THEM?

Cookies are small alphanumeric text files that are served by our web server and stored on your browser or device. We use cookies on this Site so we can recognise you as a return user and personalise your experience and your use of The Make-up Edit Site.

At TME, we use the following cookies:

1) Session cookies (a temporary cookie that expires when you close your browser or device)2) Permanent cookies (cookies that remain on your computer until you remove them, or they expire)3) First-party cookies (cookies placed by the website you visit)4) Third-party cookies (cookies placed by a third-party website. We primarily use them for analytics, such as Google Analytics)5) Similar techniques (techniques that save information to your browser or device in a manner similar to cookies)

The cookies we use generally improve the services we offer. Some of our services require cookies in order to work properly, whereas others improve the services for you. We use cookies for higher-level analytical information about the way you use our services and in order to save functional settings like language and other information. We also use cookies in order to help us target you with relevant marketing.

7.2 CAN YOU CONTROL THE USE OF COOKIES YOURSELF?

Yes! Your browser or device allows you to change the settings regarding the usage and scope cookies. Go to your browser settings or device settings to learn more about how to adjust the settings for cookies. Examples of parameters you can adjust include blocking all cookies, only accepting first-party cookies, or deleting cookies when you close your browser. Keep in mind that some of our services may not work if you block or delete cookies. 

7.3 ADDITIONAL TRACKING MEASURES

We may also use IP addresses to analyse trends, administer the Site, track traffic patterns, and gather demographic information for aggregate use, as well as in combination with your personally identifiable information for credit fraud protection and risk reduction.

When you visit this Site or view one of our emails, we may use pixel tags (also called "clear" gifs), tracking links and/or similar technology to note some of the pages you visit on our Site and personalise your experience. We may also use pixel tags to determine what types of email your browser supports. We may use the information collected through pixel tags, tracking links and similar technology in combination with your personally identifiable information.

9. #YESTHEMAKEUPEDIT

We at The Makeup Edit love to see your beauty journeys – and we really enjoy seeing our products in your home environments! In fact, we enjoy it so much that we may request to share pictures posted by you on Instagram in our different channels, such as Instagram, newsletters, our blog and website

If you receive a request from us to share your picture (and you feel like that is something you would like to do), you can respond with the hashtag #YESTHEMAKEUPEDIT on the picture and thereby agree to the following:

United Kingdom & Republic of Ireland: You provide  The Makeup Edit Ltd Company No. 14451292 , registered in Cardiff with its registered office in England and Wales, 41 Eastwood Road, London - a non-exclusive, royalty-free, worldwide license to use, in any manner to be determined in The Make-up Edit sole discretion and without any obligations to you, to use your pictures in their marketing and / or advertising, including inter alia the right to reproduce, distribute, alter and edit your photos. Furthermore, you give Skincity your consent to use photos where you can be identified for marketing and / or advertising purposes.

You represent and warrant that you own or control the rights to the material you have submitted and that you have permission from any person(s) appearing in the photos. Moreover, you certify that you are an individual (i.e., not a corporation), you are at least 18 years old or have parental consent, and that The Make-up Edit's use of your pictures will not violate any rights of a third party or any law.Hereby, you release The Make-up Edit from all obligations to pay you for the use of your pictures and freeing and agreeing to keep The Make-up Edit and all persons acting for The Make-up Edit from all claims (including claims from third party), liabilities, irrespective of nature, in connection with the use of the pictures as described above.

Rest of World: You provide The Make-up Edit, a English company, a non-exclusive, royalty-free, worldwide license to use, in any manner to be determined inThe Make-up Edit's sole discretion and without any obligations to you, to use your pictures in their marketing and / or advertising, including inter alia the right to reproduce, distribute, alter and edit your photos. Furthermore, you give The Make-up Edit your consent to use photos where you can be identified for marketing and / or advertising purposes.You represent and warrant that you own or control the rights to the material you have submitted and that you have permission from any person(s) appearing in the photos. Moreover, you certify that you are an individual (i.e., not a corporation), you are at least 18 years old or have parental consent, and that The Make-up Edit's use of your pictures will not violate any rights of a third party or any law.Hereby, you release The Make-up Edit from all obligations to pay you for the use of your pictures and freeing and agreeing to keep The Make-up Edit and all persons acting for The Make-up Edit from all claims (including claims from third party), liabilities, irrespective of nature, in connection with the use of the pictures as described above.

If you want to withdraw consent to share your pictures with The Make-up Edit, you have to contact us by email.

10. LINKS

This Site may contain links to or from other websites. Please be aware that we are not responsible for the privacy practices of other websites. This Privacy Policy applies only to the information we collect on this Site. We encourage you to read the privacy policies of other websites you link to from our Site or otherwise visit.

11. ACCURACY OF AND UPDATING YOUR INFORMATION

We will take reasonable steps to create an accurate record of any personal information you have submitted through this Site. However, we do not assume responsibility for confirming the ongoing accuracy of your personal information.

You are responsible for keeping your information on file with us up to date. You may review and change the personally identifiable information you provide to us at any time by logging into your account and amending the details.

12. THE LOCAL DATA PROTECTION AUTHORITY

What does it mean that the Data Protection Authority is the supervisory authority?

The Data Protection Authority is responsible for monitoring implementation of the law, and anyone who believes that a company is handling personal data improperly may file a complaint with the local Data Protection Authority.

13. QUESTIONS & NOTIFICATION OF CHANGES

If you have any questions regarding data protection, you can always pose your questions to customer relations at info@themakeupedit.com. 

We may make changes to our privacy policy. The latest version of the privacy policy is always available here on the website. For updates that are of critical importance to our processing of personal data (such as changes to specified purposes or categories of personal data) or updates that are not of critical importance to processing, but which may be of critical importance to you, you will receive information on The Make-up Edit website and by email (if you have provided your email address) in due time before the updates take effect. When we make information about updates accessible, we will also explain the meaning of the updates and how they may affect you.

The Make-up Edit Ltd

14451292, Registered at Companies House, Cardiff

London