OUR PRIVACY COMMITMENT.
What information do we collect about you?
Personal data, or personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The personal data which we collect of you will very much depend on the reason why we need your personal data and who you are (i.e. any visitor to our website; a Job Applicant; a Guest Customer; a Registered Customer; a Former Guest/Registered Customer; and Business Partner and/or Supplier) as is set out below.
- Any visitor to our website: Technical Data automatically collected by our website. See our Cookies Policy.
- Job Applicant: Basic Job Applicant Information; Job Applicant Due Diligence Information.
- Guest Customer: Basic Contact Details; Payment Details; Transaction Details; Your Feedback; Allergy and Intolerance Information.
- Registered Customer: Basic Contact Details; Payment Details; Transaction Details; Your Feedback; Allergy and Intolerance Information.
- Former Guest/Registered Customer: We do not specifically collect information from former customers other than what is necessary to comply with our legal and regulatory obligations of records keeping and keeping data up to date.
- Business Partner and/or Supplier: Basic Contact Details; Supplier/Partner Due Diligence Information.
Basic Contact Details.
These include the following personal data: name, email and/or phone number.
Basic Job Applicant Information.
These many include the following personal data if you send us your CV and/or motivation letter in application for an advertised position or as a spontaneous application:
- Your basic contact details (i.e. name, email, phone number) and/or that of your referee
- Your residential address
- Identification documents information (e.g. place and date of birth, visa and immigration status, your picture, your gender)
- Your education and employment details
- Any other personal data that you volunteered in your communication with us and was not requested from you.
Job Applicant Due Diligence Information.
If we decide to move forward with your job application, we may collect additional personal data to establish and verify your identity, qualifications and fitness for the position. In such a case, we will send you a specific privacy notice. If you sign a contract with us and become an employee, contractor or worker, we will request additional personal data and provide you with an additional privacy notice.
In order to fulfil your order and perform our contract with you, we will need you to provide details pertaining to payment and delivery. This may include the following:
- Your payment card details (we accept most major credit and debit payment cards on our website)
- Your bank account details
- Your billing address
- Your delivery address.
These include details about payments to and from you and details regarding the products and services which you have purchased from us. If you decide to register as a user on our website, your payment information may be stored under your customer account.
Registered Customer Details.
If you decide to register as a user on our website, we may process the following personal data:
- Your basic contact details
- Your username and password
- Your security question(s) and answer(s)
- Your date of birth
- Your gender
- Purchases or orders made by you.
This includes any information that you voluntarily provide to us regarding your experience in using our products, attending our events, browsing our website and otherwise.
Allergy and Intolerance Information.
This includes information related to your allergies and intolerances which you provide to us through our customer service in order to continually develop and improve our products. As a special category of data, we will only process this information with your explicit consent.
Supplier and/or Partner Due Diligence Information.
This may include limited personal data on registered addresses, financial details, family details, lifestyle and social circumstances, and/or political affiliations of the owners, leaders or employees of our suppliers and/or partenrs which might be collected to establish that they are running a sound and reliable business, and in order to prevent any reputational and other risk for our company in dealing with such suppliers/partners which might be involved in bribery and corruption.
Special Category Data.
(E.g. allergy information) will be processed only under certain conditions: if you have given us your explicit consent; and/or the processing is necessary in the context of employment law; and/or where you have manifestly made it public and we collect it as part of our work for you. If you do not allow us to process your special category data, and such processing was based solely on your consent, this may mean that we are unable to enter and/or continue our contractual relationship with you. You must inform us in writing if you remove consent for us to process such personal data.
A special note about children.
Our website is not intended for children and we do not knowingly collect data relating to children.
Refusal to provide personal data by you.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract (e.g. to send you one of our products) we have or are about to enter into with you. If we already have a contract in place, we may have to cancel a service or product you have with us.
When and how do we collect your personal data?
Your personal data is collected using different methods as follows:
Through your direct interactions with us.
You may give us your personal data in person, by filling in forms or by corresponding with us by post, phone, email or using any other channels of communication such as social media (e.g. Instagram, LinkedIn, Facebook).
This includes personal data you provide when you:
- Purchase our products or services;
- Subscribe to our services or publications;
- Request marketing to be sent to you;
- Sign up for a loyalty or artistry programme;
- When you sign up for a competition or participate in a survey;
- Provide us with allergy information due to a reaction to any of our products;
- Book a ticket for any of our events;
- Request to be employed by us;
- Request to provide service to us or otherwise do business with us;
- Give us feedback on our products, website, and brand experience;
- File a complaint.
Automatically through your visit to our website.
As you interact with our website on your computer or other device, we may automatically collect technical data about your equipment and browsing actions.
Information collected from third parties or publicly available sources.
We may receive personal data about you from various third parties and public sources, as set out below.
- Affiliates and affiliated individuals of our customers and/or prospective customers, where relevant;
- Third party introducers (referees) should you choose to interact with them;
- Social media platforms including but not limited to when you interact with us on those platforms or access our social media content;
- Search information providers;
- Subscription services;
- Employment recruiters should you, as an applicant for a position with us, choose to interact with them;
- Credit reference agencies, where relevant.
How and why we use your personal data | Purpose & Legal Grounds
We will only use your personal data when the law allows us to, namely on legal grounds (sometimes also referred to as lawful grounds or legal basis). Most commonly, we will use your personal data for the purposes set out in further detail below:
Based on the legal ground which is the performance of the contract or to take steps at your request prior to entering into a contract, we shall use your personal data for the following purposes:
- To respond to your request to purchase products or services from us;
- To respond to your offer of services/products if you are a supplier and/or a partner, or acting on their behalf;
- To respond to your application if you are a job applicant;
- To manage and perform the contract we have with you or your organisation, as relevant;
- To update your records;
- To manage and collect payments, fees and charges, where relevant;
- To manage our relationship with you, including notifying you about changes of our terms of engagement if you are an existing customer;
- To establish, exercise or defend legal claims.
Based on the legal ground which is to comply with a legal obligation, we shall use your personal data for the following purposes:
- To comply with our data protection legal obligations to verify your identity before we respond to your data subject requests;
- To comply with our employment law obligations if you are a job applicant;
- For prevention of crime and fraud, where relevant;
- To respond to requests for information from the police and government bodies in case of a criminal investigation;
- To resolve any dispute in relation to our provision of products and services, or your services to us as a supplier/partner.
Based on the legal ground which is the legitimate interest, where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override our legitimate interests, we shall use your personal data for the following purposes:
- To respond to queries and complaints of our customers, prospective customers, suppliers and partners (which are not categorised as a dispute or a legal claim);
- For management information purposes to assist us improve our offering to our customers;
- To collect and recover money owed to us;
- To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
- Subject to your marketing preferences, to make recommendations to you about the services and products that may be of interest to you.
Based on the legal ground which is your consent, we shall use your personal data for the following purposes:
- To email you marketing information in line with your marketing preferences about products and services that might interest you; or
- To process a special category of data where our processing does not, or is likely not to, benefit from one of the legal exemptions; or
- For any other purpose which we will communicate to you when we request your consent.
When processing of your personal data is based on your consent only, you have the right to withdraw consent at any time by contacting us at [email protected].
Please contact us if you need details about the specific legal ground we are relying on to process your personal data, or the specific purpose for which that data is used.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you.
You may receive marketing communications from us if you have requested information from us or purchased services or products from us, or if you provided us with your details when you registered for a promotion and, in each case, you have not opted out of receiving that marketing.
Third Party Services.
We will never sell, rent or provide your personal data to third parties for marketing purposes.
Updating Marketing Preferences.
You can ask us to stop sending you marketing messages at any time by updating your marketing preference following the opt-out links on any marketing message sent to you or by contacting us at any time.
Change of Purpose.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about you using solely automated means. However, we will notify you in writing if this position changes and will inform you of your rights as required by the applicable law.
Disclosure of your personal data to third parties.
In line with our professional and ethical obligations, we will not disclose your personal data unless we are permitted, required or authorised under applicable law, or where we need to do so in order to conduct our business (for example where we outsource services or other people process data for us) or when disclosure of your information is in your interest.
Only in the above-mentioned cases of disclosure, will we share with and/or allow access to information to the following categories of third-parties as relevant:
- Companies that help us fulfil your orders and get your online purchases to you, such as delivery couriers and payment providers (e.g. Royal Mail, DPD, Stripe, etc.);
- Suppliers and service providers (such as information technology providers, system administration services, web-hosting companies, analytics providers, event hosting services, but also professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services);
- Direct marketing companies that help us manage our marketing communications to you (e.g., Klaviyo);
- Government bodies and agencies in the UK and overseas (e.g. the National Crime Agency, Her Majesty’s Revenue and Customs, the Information Commissioner’s Office);
- Courts and tribunals, to comply with legal requirements and the administration of justice;
- Complainants, enquirers;
- Financial organisations;
- Fraud prevention agencies, debt collection and tracing agencies, and credit reference agencies;
- Private investigators;
- Family, associates or representatives of the person whose personal data we are processing, where relevant;
- Current, past or prospective employers, employment and recruitment agencies, educators and examining bodies;
- Healthcare professionals, social and welfare organisations;
- Trade associations and professional bodies;
- Anyone else where we have your consent, or we are required by law.
We require all third parties with whom we share your personal data to respect your personal data and to treat it in accordance with the privacy and security obligations consistent with this policy and the applicable law. Where we share your personal data for the purpose of conducting our business, we take all reasonable steps to ensure that such third party enjoys a sound business reputation and provides at least the same level of privacy protection that we offer to our customers. We do not permit our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes identified by us and in accordance with our instructions.
Fiils Beauty Ltd is based in the United kingdom (UK). However, we may have to share your personal data with third parties located outside of the UK, or process your data ourselves, directly or through our affiliates, outside of the UK. Any transfers made will be in compliance with all aspects of the UK Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).
When we do transfer your personal data out of the UK, we will ensure that your personal data is transferred in accordance with the legal requirements, and in particular the GDPR. This means that, where your personal data is sent outside the UK, we shall be:
- Transferring your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK. For further details, see the List of countries which were provided adequate level of protection; or
- Entering into specific contracts approved by the United Kingdom which give personal data the same protection it has in Europe.
- Where we use providers based in other countries, we shall check if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between UK and other countries.
As permitted under the GDPR, please note however that it might be the case where neither of the above applies, but the international transfer to a particular country of personal data can benefit from a legal derogation/exception such as in one of the following situations:
The international transfer:
- Is necessary to establish, exercise or defend legal claims;
- Is necessary for the performance of the contract concluded between us and a third party in your interest;
- Is necessary for the performance of the contract between you and us, or pre-contractual steps taken at your request;
- Is necessary for important reasons of public interest, or is in your vital interest; or
- You have given us your explicit and informed consent for such an international transfer.
Please contact us at [email protected] if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
Unfortunately, no data transfer over the Internet or any other network can be guaranteed as entirely secure, but we take appropriate steps to try to protect your personal data. We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions and they are subject to a strict duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and competent regulators of a breach where we are legally required to do so.
How long do we keep your personal data for (referred to as ‘data retention’)?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for as set out in this policy, or for as long as we reasonably consider necessary to establish, exercise or defend our legal rights. In any event, we shall retain your personal data in accordance with the applicable statutory and regulatory requirements.
The specific statutory and regulatory criteria used to determine these retention periods include but are not limited to:
- Our obligation of compliance with the statutory retention periods for accounting records, as set out by the Companies Act and the HM Revenues and Customs.
Other commercially justifiable criteria may include, among others, our need to comply with the requirements of our professional indemnity insurer, our need to keep your personal data as long as necessary to resolve any query, complaint or dispute, our need to keep your personal data for as long as you might legally bring claims against us, and our need to enable us to provide you with our products and services. If you are an unsuccessful job applicant, we will keep your personal data for 6 months unless you ask us in writing to delete it sooner than that.
Please contact us if you want further information on the specific retention mechanism used in relation to a specific type of your personal data.
Warning regarding third-party links.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of the website which you visit.
Your Rights and Duties.
Your duties to inform us of changes.
It is important that the personal data that we hold is accurate and current. If you have a business relationship with us and you have provided us with personal data, or you have provided us with personal data on behalf of someone else, you are required to inform us as soon as possible if that personal data changes.
You have the following rights in relation to the data we collect about you:
- Right of access to your personal data (commonly known as a “data subject access request”). This enables you, among others, to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Right to rectification of inaccurate and completion of incomplete personal data. This enables you to have any inaccurate or incomplete information we hold about you rectified or completed respectively.
- Right to object to processing of your personal data under specific conditions.
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.
- Right to erasure of your personal data (the “right to be forgotten”). This enables you to ask us to erase your personal data without undue delay under specific conditions.
- Right to the restriction of processing of your personal data under specific conditions.
- Right to the transfer of your personal data to another party who is a data controller (“data portability”). Please note that exceptions might apply.
If you wish to exercise any of the rights set out above, please contact us at [email protected]
No fee usually required.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We will respond to all legitimate requests without undue delays and within one month of receipt of your request.
Furthermore, you also have the right to make a complaint at any time. If you would like to make a complaint, please contact us at [email protected]. You also have a right to file a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
How to contact us.
If you wish further information about your rights, you can email us at [email protected] or write to us at:
Fiils Beauty Ltd.
20-22 Wenlock Road