May 13, 2020
INFORMATION WE COLLECT
We may collect information about you from the following categories. In some cases, the information we collect may fall within more than one category.
Contact information and personal identifiers, such as your name, shipping address, billing address, birthday, email address, telephone number, site or app username, or social media handle.
Device identifiers, such as information about your device like your MAC address, IP address, or other online identifiers.
Demographic information, such as your age, sex, and gender (some of which may be protected by applicable law).
Physical characteristics, such as your hair type and color, skin type, and eye color.
Commercial information, such as the products or services you have purchased, returned or considered, and your product preferences.
Payment information, such as your method of payment and payment card information (including payment card number, expiration date, delivery address and billing address).
Biometric information, such as facial images (for example, if you use product try-on applications or programs).
Identity verification information, such as loyalty member ID, account number, and other authentication information like passwords.
Online or network activity information, such as information regarding your interaction with our website or mobile applications, other digital properties, and advertisements, information about your browsing and search history on our website or mobile applications, and log file information which includes, but may not be limited to, your browser type, webpages you visit, links you click on, and other electronic network activity.
Geolocation information, such as information that can help identify your physical location like your GPS coordinates or the approximate location of your mobile device.
Audio and visual information, such as recordings of your voice when you call our customer service and images we record through CCTV in BUHA-owned retail stores or at BUHA-hosted events.
Professional or employment-related information, such as information from your resume, employment history, Social Security Number, education information and professional licenses or certifications if you apply to work for us, or to become a vendor or distributor of BUHA products, for example.
User Content, such as your communications with us and any other content you provide (including photographs, videos, reviews, articles, survey responses and comments).
Inferences drawn from or created based on any of the information identified above.
HOW WE COLLECT INFORMATION
Directly from you, such as when you make a purchase on our website, from us through our account on a website such as Amazon.com or in one of our BUHA-owned retail stores or events, contact us with a question or complaint, use one of our mobile applications, create an account on our website, register for one of our loyalty or professional programs, respond to a survey, participate in a contest or other promotion, make an appointment, sign up to attend an event, apply for employment, or sign up to receive marketing communications.
From your friends or family members, such as when your friend or family member sends you a gift or makes a referral.
Cookies and automatic collection methods. When you visit our website or use one of our mobile applications, and when you open or click on emails we send you, we, and third parties we work with, may automatically collect information from your browser or device using technologies such as cookies, web beacons, pixel tags, and similar technologies. Cookies are small text files that websites send to your computer or other Internet-connected device to uniquely identify your browser or to store information or settings in your browser. Web beacons or pixel tags are small images which are embedded into our website or emails that provide us with information about your browser or device, or whether you opened or clicked on the emails we send you. These technologies enable us, or the third parties who place such technologies, to collect information such as device identifiers and online or other network activity information.
Through in-store and other offline technologies, such as video surveillance and geolocation technology in and around BUHA-owned retail stores or events, and call recording technology when you speak to our customer service representatives.
From our business partners and service providers, such as demographic companies, analytics providers, advertising companies and networks, and other third parties that we choose to collaborate or work with.
From social media platforms and networks, such as Facebook, Twitter, Pinterest, and Instagram. For example, we may obtain your information from a social media platform or network if you interact with us on social media or choose to log in to our website using your social media credentials.
From other BUHA brands or affiliates with which you interact.
HOW WE USE INFORMATION
We may use the information you provide:
To provide products and services to you, such as fulfilling orders and processing payments, creating, servicing and/or maintaining your account or any loyalty program or membership you may have with us, assisting with product selection and replenishment, and managing current or past purchases.
To communicate with you, including to respond to your inquiries or complaints, or to help you place an order.
To administer your participation in special events, contests, sweepstakes, surveys, promotions and our loyalty or professional programs.
For marketing and advertising, such as to send you marketing and advertising materials via postal mail, text message or email, and to show you advertisements for products and/or services tailored to your interests on social media and other websites.
For analytics purposes, such as to understand how you use our website and mobile applications, understand your preferred method of purchasing with us, determine which browser and devices you use to visit our website or mobile applications, and to evaluate and improve our products, services, advertisements, website and mobile applications.
To operate and improve our business, including to respond to employment applications, provide quality assurance, conduct research and development, to develop new products and services, and perform accounting, auditing and other internal business functions.
For legal and security purposes, such as to detect, prevent, and prosecute harmful, fraudulent, or illegal activity, loss prevention, identify and repair bugs on our website or mobile applications, and to comply with applicable legal requirements, relevant industry standards and our own policies.
We also may use the information in other ways for which we provide specific notice at the time of collection.
HOW LONG WE KEEP YOUR INFORMATION
HOW TO CONTROL INFORMATION WE GET
OTHER IMPORTANT INFORMATION
Residents of Europe
IF YOU ELECT NOT TO SHARE PERSONAL DATA
You may choose not to provide BUHA with your Personal Data as defined by the General Data Protection Regulation 2016/679 (GDPR). However, if you choose not to provide your Personal Data, you may not be able to enjoy the full range of services offered by BUHA.
HOW TO EXERCISE YOUR RIGHTS
BUHA takes steps to keep your Personal Data accurate and up to date. If you reside in the European Economic Area, you have certain rights to the Personal Data that we have collected about you. To exercise your rights to your Personal Data, please contact us through information in the paragraph entitled CONTACT INFORMATION. Subject to applicable law and in exceptional circumstances only, we may charge for this service and we will respond to reasonable requests as soon as practicable, and in any event, within the time limits prescribed by law. You have the following rights:
Right of access to your Personal Data (Art. 15 GDPR): You have the right to ask us for confirmation on whether we are processing your Personal Data, and access to the Personal Data and related information on that processing (e.g., the purposes of the processing, or the categories of Personal Data involved).
Right to correction (Art. 16 GDPR): You have the right to have your Personal Data corrected, as permitted by law.
Right to erasure (Art. 17 GDPR): You have the right to ask us to delete your Personal Data, as permitted by law. This right may be exercised among other things: (i) when your Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) when you withdraw consent on which processing is based according to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and where there is no other legal ground for processing; (iii) when you object to processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or when you object to the processing pursuant to Art. 21 (2) GDPR; or, (iv) when your Personal Data has been unlawfully processed.
Right to restriction of processing (Art. 18 GDPR): You have the right to request the limiting of our processing under limited circumstances, including: when the accuracy of your Personal Data is contested; when the processing is unlawful and you oppose the erasure of your Personal Data and request the restriction of the use of your Personal Data instead; or when you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of BUHA override your grounds.
Right to data portability (Art. 20 GDPR): You have the right to receive the Personal Data that you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit that information to another controller, including to have it transmitted directly, where technically feasible.
Right to object (Art. 21 GDPR): You have the right to object to our processing of your Personal Data, as permitted by law. This right is limited to processing based on Art. 6 (1) (e) or (f) GDPR, and includes profiling based on those provisions, and processing for direct marketing purposes. After you object, we will no longer process your Personal Data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
HOW WE MAY DISCLOSE YOUR PERSONAL DATA
We do not collect health data or other sensitive data. The information we collect may include data about eye color, skin type, etc. which is collected solely for the purposes of discussing cosmetic products. This data should not be considered health data, and any discussion thereof should not, under any circumstances, be considered professional medical advice and is not intended to be used for diagnostic purposes.
Where we are legally required to do so, we ask you for your prior consent before providing you with promotional materials or information. When required by local law, when marketing consent is obtained, we use the double-opt-in method (confirmation of your email address by email before sending you promotional messages) in order to verify your consent. You may revoke your consent at any time (this will not affect the processing of your Personal Data undertaken until the revocation). If you want to stop receiving promotional materials, etc., you can do so at any time as outlined in the section HOW YOU CAN CONTROL INFORMATION WE COLLECT.
ADDITIONAL USE OF PERSONAL DATA
LEGAL BASE FOR PROCESSING UNDER THE GDPR
In this section we provide information on the legal basis for our processing of your Personal Data as required by Art. 13 and 14 of the GDPR:
When you register for an account or interact with our services, such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR. For non-sensitive Personal Data which we need in order to perform the services, such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR. With regard to other non-sensitive Personal Data, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to enhance our services.
When we collect precise Location Data following your prior consent, we process such data on the basis of your prior consent, Art. 6 (1) (a) GDPR. In other cases where we process your Location Data without consent, for example in order to provide our services, such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR.
When you communicate with us or sign up for promotional materials, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to provide you with our promotional messages. Where we are required under applicable local law to obtain your consent for sending you marketing information, the legal basis is your consent, Art. 6 (1) (a) GDPR.
When you participate in special activities, offers, or programs: For non-sensitive Personal Data, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to provide you with our promotional messages or to allow you to participate in our special activities, offers or programs.
When you engage with our online communities or advertising and we actively collect your Personal Data in this context, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to provide you with our promotional messages.
When you access third party products and services and we obtain Personal Data about you from such third party sources: For Personal Data that we need in order to perform the services (e.g. if you pay for third party products through our services), such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR. With regard to other Personal Data, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to enhance your experience and to improve our services.
When you connect with us through social media: Where we collect your consent in such case, for instance for marketing purposes, we process such data on the basis of your prior consent, Art. 6 (1) (a) GDPR. Where we do not collect your consent in such case, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is providing you with better services and to enable you to use the full range of our services (Art. 6 (1) (f) GDPR).
When we collect data from third parties or publicly-available sources: For Personal Data which we need in order to perform the services (e.g. for email verification purposes), such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR. With regard to other Personal Data, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is providing you with better services and to enable you to use our services more efficiently.
When we leverage and/or collect cookies, device IDs, Location Data, data from the environment, and other tracking technologies, we process such data on the basis of your consent, Art. 6 (1) (a) GDPR, and based on our legitimate interest, Art. 6 (1) (f) GDPR, where we do not obtain your consent and our legitimate interest is to provide you with better services or marketing.
When we track you in a store, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest in enhancing your shopping experience as well as loss or crime prevention.
When we use coarse location and data from sensors, we process such data for strictly necessary purposes in order to perform our services, Art. 6 (1) (b) GDPR, and for our legitimate interest in marketing and improving our services, Art. 6 (1) (f) GDPR.
When we aggregate or centralize data, such processing is either necessary for the performance of our services, Art. 6 (1) (b) GDPR, or we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to provide you with better or customized services and marketing.
When you sign up for our services that consist of social sharing and communication with others (including linking you to friends across platforms): Where we collect your consent in such case, we process such data on the basis of your prior consent, Art. 6 (1) (a) GDPR. Where we do not collect your consent in such case, such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR.
When we provide you geographically relevant services, offers, or advertising: Where we collect your consent in such case, we process such data on the basis of your prior consent, Art. 6 (1) (a) GDPR. Where we do not collect your consent in such case, for such data that we need in order to perform the services, such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR. Where we do not collect your consent in such case and where we do not need such data in order to perform the services, we process such data for our legitimate interest in offering you marketing and improving our services, Art. 6 (1) (f) GDPR.
When we disclose Personal Data to our affiliates and partners, and to our service providers and vendors: Where we collect your consent in such case, we process such data on the basis of your prior consent, Art. 6 (1) (a) GDPR. Where we do not collect your consent in such case, such processing is necessary for the performance of our services, Art. 6 (1) (b) GDPR, or we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to provide you with better services and marketing.
When we process or share Personal Data in the event of an actual or contemplated sale, we process such data for our legitimate interest in offering, maintaining, providing, and improving our services, Art. 6 (1) (f) GDPR.
When we conduct analytics, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to enhance your experience and to develop and improve our services.
When we investigate suspected illegal or wrongful activity, we process such data on the basis of our legitimate interest, Art. 6 (1) (f) GDPR, and our legitimate interest is to ensure compliance with legal requirements and law enforcement requests and for public safety purposes.
RIGHT TO LODGE A COMPLAINT BEFORE THE DATA PROTECTION AUTHORITY
We encourage you to contact us directly and allow us to work with you to address your concerns. Nevertheless, you have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the EU Member State where you reside, work or the place of the alleged infringement. You have the right to do so if you consider that the processing of Personal Data relating to you infringes applicable data protection laws.
CHANGES TO THESE PRIVACY POLICIES
HOW TO CONTACT US OR OUR PRIVACY OFFICE
In case of questions about the processing of your Personal Data please contact us through information in the paragraph entitled CONTACT INFORMATION. If we are required under applicable law to appoint a data protection officer (DPO), you can contact the DPO that is responsible for your country/region through information in the paragraph entitled CONTACT INFORMATION. BUHA International, LLC. is the data controller for BUHA.