Privacy Notice

Last updated: 5 June 2024

  1. Introduction

This Privacy Notice provides details about our processing of your personal data, including how and why we use your personal data and how we keep it safe. It also explains the rights you have over your personal data.

 

The controller responsible for processing your personal data is Soho House Limited (‘Soho Skin’, 'we', 'us' and 'our') with which you have dealings as a website visitor, customer or prospective customer, a subscriber to our publications or newsletters or with which you otherwise engage or communicate.

 

Specific information relating to the types of personal data processed and our purposes of processing that data is set out below.

 

This Privacy Notice covers all jurisdictions in which we operate and/or in which, or to which, we offer our goods or services.

 

You should read this Privacy Notice so that you know what we do with your personal data. Please also read any other privacy notice that we may provide to you from time to time that may apply to our use of your personal data in specific circumstances.

 

This Privacy Notice only applies to the use of your personal data processed by us through your use of our website www.sohoskin.com (the “Site”) and/or in connection with the provision of our products or services to you. However, our Site may contain links to third party websites, plug-ins or applications. We do not have control over third party websites or other online services, and this Privacy Notice does not apply to any interactions you may have with these third parties.

 

Please see section 18 ('How to contact us') below for details about how to contact us.

  2. Explanation of terms

In this Privacy Notice:

 

'personal data' (also referred to in this Privacy Notice as 'personal information') means any information that relates to you from which you can be directly or indirectly identified;

'process' means any activity relating to personal data, including collection, use, sharing, storage and transmission; and

 

'controller' is a legal term and refers to the company that makes decisions about how and why your personal data is processed and is therefore responsible for ensuring that the processing is done in accordance with relevant data protection laws.

 

  3. How do we obtain your personal data?

 

Most of the personal data we process is provided to us directly by you when you engage with us, such as when you register to be a customer, complete our web forms in order to make an information request, make an enquiry, purchase our goods or services or when you subscribe to our newsletter or exclusive offers and promotions.

 

We process personal data about you when you use or interact with our Site, create an account or set your preferences on our Site (such as choice of language), including conversations and connections you have with other users and comments you make via our messaging services.

 

When you visit, use or navigate our Site, we may process certain information about you automatically. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our services, and other technical information which may identify you. This information is primarily needed to maintain the security and operation of our Site, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies, which you can read more about in our Cookie Policy.

 

We may also collect personal data from available sources in the public domain.

 

In addition, we may receive personal data about you from third parties.  Such third parties may include analytics providers, data brokers, third party directories and third parties that provide technical services to us so that we can provide our Site and our products and services.

 

In certain circumstances, we will also require certain personal data in order to manage our relationship with you/provide you with our services (e.g., your payment card details to take payment or certain information to enable you to create an account with us).

 

Please note that we may combine the personal data that you provide to us with other information we collect about you when you make a purchase through third party services, such as online marketplaces selling our goods and products on our behalf, so that we may process your requests.

 

Where we don't need your personal data, we will make this clear, for instance we will explain if any data fields in our forms are optional and can be left blank.

 

If you submit any personal data relating to another person, you represent that you are authorised by that person to do so and to permit us to use that data in accordance with this Privacy Notice.

 

  4. What personal data do we collect?

 

We collect personal data about you, including the following:

 

Identity and Contact Data: first name, last name, title, postal address, email address and telephone numbers.

 

Registration Data: Username, password, security questions and answers; and any other personal data that you may provide to register an account with us.

 

Profile Data: age; gender; date of birth; country of residence; nationality and citizenship; information about your interests and preferences (which may be voluntarily provided by you and/or derived from your purchase of our products or services or Usage Data (as defined below)); other information that you supply in connection with your use of our Site or in your communications with us, including through your participation in our promotions or competitions; your provision of feedback and survey responses; or the content of any communications when you contact us.

 

Transaction Data:  Information about our supply of products and services, or the products or services that you or your organisation supplies to us, and details of products purchased from us.

 

Usage Data:  Data observed or collected in relation to browsing activity on our Site or online services that are used in connection with our Site (such as pageviews and events, including information about your views or purchases of our products or services) and interaction with our emails or social media pages, including through the use of cookies, pixel tags or other similar technologies; information about the referring URL (the webpage or other source that you were previously on before you reached our Site); ad-click information in URL parameters; information about when your current or previous sessions started; advertising or other identifiers associated with you or your device (e.g. your device’s IDFA (iOS) or AAID (Android)).

 

Preference Data: Preferred language, direct marketing and cookie preferences.

 

Financial Data: bank account details, tokenised payment card data (debit card and credit card) and billing information.

 

Technical Data: device identifiers such as internet protocol (IP) address, full web page URL, browser type, device type and operating system, geolocation data, login data, and any other unique identifiers assigned to a device or browser (including cookie preferences).

 

Payment information

 

Any credit/debit card payments and other payments you make through our Site will be processed by our third-party payment providers: Visa, Mastercard, Maestro, American Express, Discover, Diners Club, Union Pay, Shop Pay, Apple Pay, Google Pay, Bancontact & iDEAL. The payment data you submit will be securely stored and encrypted by our payment service providers using up-to-date industry standards. Please note that aside from card information tokenisation, we do not directly process or store the debit/credit card data that you submit; this is handled by our third party payment provider.

Personal data of children

Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16 and therefore do not knowingly sell or share personal data of individuals under 16 years of age. If you are under 16, do not use or provide any information on this service or on or through any of its features, register on the services or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use. If we learn we have collected or received personal data from a child under 16, we will delete that information as soon as possible. If you believe that a child under 16 may have submitted personal data to us, please contact us at dpo@sohoskin.com.

 

  5. What are our lawful bases for processing your personal data?

 

We ensure that we have a lawful basis or bases for processing your personal data. Our lawful bases for processing your personal data (which are based on data protection law requirements in the United Kingdom (UK) and European Economic Area (EEA)) are as follows:

  • It is necessary in our legitimate interests. We have a legitimate business interest in processing your personal data. Our legitimate interests are in:
    • Providing our products and services.
    • Analysing, managing, evaluating and improving our business.
    • Dealing with your queries and feedback.
    • Improving our customers’ experiences.
    • Operating our facilities and events.
    • Ensuring the security of our premises, facilities and property.
    • Detection and prevention of crime.
    • Maintaining the security of our website.
    • Communicating with you regarding your purchases and our products and services.

Where we rely on legitimate interests, we have balanced our rights against your interests, fundamental rights and freedoms and determined that our legitimate interests are not overridden in those circumstances.

 

  • It is necessary to comply with a legal obligation. We collect and process some information about you to comply with our legal obligations (e.g., in relation to accounting and tax requirements) and keep records as required by law.

 

  • It is necessary for the performance of a contract between you and us or to take steps at your request prior to entering into the contract, for example, we will need to process your personal data to fulfil a transaction with you to provide our goods or services.

 

  • In limited circumstances and where required by law, we may request your consent to process your personal data.

 

When we process particularly sensitive personal data (also known as special categories of personal data) – e.g., health/disability data, sexual orientation, ethnicity/race or religious beliefs – we have an additional lawful basis for the processing of such personal data based on data protection law requirements in the UK and EEA. In the limited circumstances where we process such personal data:

 

  • We will request your explicit consent to do so.
  • It is necessary for the establishment, exercise or defence of legal claims.
  • It is necessary for reasons of substantial public interest.
  • The personal data is manifestly made public by you.

 

  6. How and why do we use your personal data?

 

Please see the table below for details of the different purposes for which we use your personal data, as well as the lawful basis or bases relied upon for each purpose of use:

Purpose | Personal Data | Lawful basis or bases

Supply of products and services through our Site: To process transactions and deliver your order, including (a) managing payments, fees and charges, and (b) collecting and recovering any money owed to us.

To enable you to receive any products and services you have ordered.

To maintain our user databases.

To keep a record of how our services are being used.

Identity and Contact Data

Registration Data

Transaction Data

Financial Data

This processing is necessary for the performance of a contract and Soho Skin’s legitimate interests.

Response to enquiries: We may process information contained in or relating to any communication that you send to Soho Skin. This data may include the communication content and metadata associated with the communication.

Identity and Contact Data

Profile Data

This processing is necessary for the purposes of our legitimate interests to respond to your queries.

Refunds and returns: To assist you with the return of any products that you purchase from us

Identity and Contact Data

Transaction Data

Financial Data

 

Necessary to perform our obligations in accordance with any contract that we may have with you.

 

Necessary for our legitimate interest so that we can help you with your return, provide a good standard of service and improve our customer services.

Social media interaction: To gain insight into your interaction with our social media pages such as on Facebook, Instagram, YouTube, TikTok or Pinterest  (including interacting with any ‘like’ or similar embedded features on our Site or social media accounts).

Technical Data

Usage Data

Legitimate interest to ensure that we provide the Site in an effective way and to promote our products and services via social media.

 

Marketing and promotions: To communicate news and promotions to you relating to Soho Skin’s products and services via email, text message, phone or post where we have a lawful basis to do so.

 

Identity and Contact Data

Profile Data

Usage Data

This processing is carried out with your consent where this is required by law.

 

Where consent is not required by law, we carry out this processing where necessary for our legitimate interests to decide what marketing content we think may appeal to you and ensure our marketing is most effective.

 

If you do not wish to receive any direct marketing communications from us, you can ask us to stop using your personal data and providing your personal data to any other third parties for direct marketing purposes at any time. You can do this without charge by contacting us using the details set out under “How to contact us” in section 18 below. 

 

Social media advertising: We may share your data with third party providers of social media platforms, such as Facebook, Instagram, Google, YouTube, TikTok, Pinterest and other similar platforms (“Social Media Platforms”) to “match” your data with the data of their registered users on their Social Media Platforms in order to serve relevant advertising to you or people who have similar interests to you.

 

Please note that the Social Media Platforms may also collect information about your interaction with our Site directly through their own tags or tracking technology. Please see our Cookie Policy for more information.

Identity and Contact Data

Technical Data

Usage Data

We will only share your personal data with the third party providers of the Social Media Platforms, so that we can advertise our products and services to you when you use those Social Media Platforms, where you have provided your consent (where this is required) or where it is otherwise in our legitimate interests to do so to promote our products and services.

 

Please review the privacy notices of the relevant Social Media Platforms for more information about how they process your personal data.

Insight and analysis:  To count users of our Site or those who have opened an email from us.

 

To gain general insights about our users and customers, including to understand browsing habits.

 

To measure the effectiveness of our content and our marketing emails so that we can understand what content is most likely to appeal to our users.

 

To learn what parts of our Site are most popular and what kind of features and functionalities our users enjoy.

 

To help us develop and improve our Site and our products and services, including with the selection of future product and service lines and Site design.

 

To measure the effectiveness of our online advertising (for example, by counting how many people click on our advertisements on other sites and platforms to be redirected to our Site), including to help us to understand the type of advertising and marketing content that is most likely to appeal to our users and customers.

 

To provide a personalised experience to our users and customers, as further described in the “Online personalisation” section below.

 

In some of our email messages, we use a “click-through URL” linked to certain websites administered by us or on our behalf. We may track click-through data to assist in determining interest in particular topics and measure the effectiveness of these communications.

 

Where we use Identity and Contact Data for the purposes described above, we usually use your email address which we securely share (usually in an encrypted or “hashed” form) and ask our third party partners to match it with their data.

Technical Data

Usage Data

Profile Data

Necessary for our legitimate interest to understand how our products and services are being used, measure, improve and enhance our Site and the experience that we provide to our users.

 

Where your data is collected through the use of non-essential cookies, we rely on consent to collect your personal data and for the onward processing purpose.

 

Please see our Cookie Policy for further details.

 

 

Online personalisation: To tailor your experience on our Site.

 

To deliver personalised marketing and/or advertising.

 

Where we use Contact Data for the purposes described above, we usually use your email address which we securely share (usually in an encrypted or “hashed” form) and ask our third party partners to match it with their data.

Technical Data

Usage Data

Profile Data

Necessary for our legitimate interest to personalise the experience that we provide to you on our Site, including for our advertising and marketing activities as described in this table.

 

Where your data is collected through the use of non-essential cookies, we rely on consent to collect your personal data and for the onward processing purpose.

 

Please see our Cookie Policy for further details.

 

Use of third party data brokers:  To enrich your existing profile that we have about you.

 

To match your data with our existing datasets.

 

To carry out data cleansing in order to ensure the data we hold is accurate.

 

To carry out audience segmenting using data provided by data brokers in order to send you relevant suggestions and recommendations.

Identity and Contact Data

Profile Data

Necessary for our legitimate interests in order to develop our products and services and grow our business.

 

Detection and prevention of unlawful activity: To obtain legal advice and/or to protect us, our staff, members and customers and the public against injury, theft, legal liability, fraud, abuse and other misconduct. This includes maintaining the security of our Houses through the use of CCTV. Please note that footage is retained for one calendar month from the date of collection.

Identity and Contact Data

Technical Data

Usage Data

This processing is necessary for the purposes of our legitimate interests.

Account set-up and access: We will process your information to enable you to create an account and log in to it via the Site.

 

Identity and Contact Data

Registration Data

Technical Data

Usage Data

This processing is necessary for the purposes of our legitimate interests.

To identify usage trends and understand our customer journeys: We will process information about how you use our website.

 

Technical Data

Usage Data

This processing is carried out where you consent to non-essential cookies via our website.

Website security monitoring: We utilise various tools in order to ensure the security of our website.

 

Technical Data

Usage Data

This processing is necessary for the purposes of our legitimate interests.

Internal business purposes: For our internal business purposes, such as data analysis, audits, market research, developing new products, improving our services, obtaining statistical information, identifying usage trends and visiting patterns, determining the effectiveness of our promotions and meeting contractual obligations.

Technical Data

Usage Data

This processing is necessary for the purposes of our legitimate interests in improving our products and services and for performing a contract.

 

Our Site: To improve, promote and develop our Site and promote popular conversations, programs and campaigns on the Site.

Technical Data

Usage Data

This processing is necessary for the purposes of our legitimate interests.

Administrative and other communications: To send you important information regarding our Site, changes to our terms, conditions, and policies, or other administrative information (e.g., information about your orders), to enforce our terms and conditions and policies, to provide you with customer/user support and to contact you for public health reasons and to comply with government guidelines, regulations and mandates.

Identity and Contact Data

Transaction Data

Profile Data

 

This processing is necessary for the purposes of our legitimate interests, and/or is necessary to comply with a legal obligation.

 

For any special categories of personal data processed: explicit consent, legal claims, public information, vital interests and substantial public interest.

Our legal duties: To comply with legal and regulatory requirements or demands in accordance with applicable law, a court order, subpoena, or other legal process.

All information mentioned in section 4 (“What personal data do we collect?”)

This processing is necessary to comply with a legal obligation.

 

Corporate arrangements: To facilitate the sale or potential sale of our business or part of our business.

All information mentioned in section 4 (“What personal data do we collect?”)

This processing is necessary for the purposes of our legitimate interests.

 

  7. Do we share the personal data we receive?

 

  • Sharing within our group

 

As Soho Skin is part of the Soho House & Co Inc. group, we may share your personal data with our group and affiliated companies in order to provide our services and benefits to you, such as to enable you to avail of membership services outside your home country or for our general business management and corporate reporting purposes. With your consent, other group or affiliated companies may send information about their products or services to you. We also share personal data where support or functions are provided by other group and affiliated companies, such as in relation to customer services, website hosting and IT support and maintenance.

 

  • Sharing outside our group

 

We may also share your personal data with third party service providers outside our group to provide us with services, such as

  • e-commerce platform providers including Matrix who currently manages our e-commerce and marketing operations on our behalf;
  • card processing or payment service providers;
  • credit reference agencies;
  • IT suppliers and contractors (e.g. data hosting providers);
  • analytics providers/web analytics providers;
  • providers of digital advertising services;
  • event organisers; and
  • providers of CRM, marketing and sales software solutions.

We carry out due diligence to check that these service providers have appropriate security in place to protect your personal data and we enter into written contracts with them to impose appropriate security obligations on them.

We may also share your personal data with third parties who act as controllers of that data. We may share your personal data with:

  • consultants and professional advisors, including our lawyers and accountants;
  • prospective sellers, buyers or other third parties if we transfer, purchase, reorganise, merge or sell any part of our business;
  • business partners;
  • courts and court-appointed persons/entities;
  • trade associations;
  • our insurers; and
  • government departments and statutory and regulatory bodies, including data protection regulators, law enforcement and tax/revenue offices.

 

 

  8. Is your personal data sent outside your home country?

 

Soho House, which the Soho Skin brand is part of, is a global organisation that operates in many countries. We may share your personal data  with other group or affiliated companies, our service providers, and other third parties that may be located in other countries. Although the data protection laws of these various countries may differ from those in your own country, we will take appropriate measures to ensure that your personal data is handled as described in this Privacy Notice and in accordance with the applicable law.

If we transfer your personal data outside the UK or EEA (including within our group or to our affiliated companies), we will implement appropriate safeguards for that transfer in accordance with the applicable law, such as implementing standard contractual clauses for data transfers approved by the relevant data protection authorities or by transferring your data to countries which have been deemed by the relevant data authorities to provide adequate levels of data protection. If you would like to receive more information on the safeguards that we implement, including copies of relevant clauses of data transfer contracts, please contact us as indicated below.

  9. How do we protect your personal data?

 

We take the security of the personal data we collect seriously. We have implemented and maintain technical and organisational security measures (as required by applicable data protection laws) to protect your personal data  from accidental or unlawful destruction, damage, loss, alteration or unauthorised disclosure or access. 

Unfortunately, the transmission of information over the internet or public communications networks can never be completely secure and we therefore cannot 100 per cent guarantee the security of personal data that you provide to us online.

  10. For how long will we keep your personal data?

 

We will keep your personal data only for as long as is necessary for the purposes outlined in this Privacy Notice, or for the duration required by any legal, regulatory, accounting or reporting requirements, whichever is longer. We will only ever retain your personal data for a limited period of time.

To determine the appropriate retention period for your personal data, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process it, applicable legal requirements or operational retention needs and whether we can achieve those purposes through other means.

Upon expiry of the applicable retention period, we will securely destroy your personal data in accordance with applicable laws and regulations. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer personal data.

 

 

  11. Automated decision making

 

Automated decisions are where a computer makes decisions about you without a person being involved. Profiling is the recording and analysis of a person's psychological and behavioural characteristics, to assess or predict their capabilities or to assist in identifying or classifying categories of people.

 

We may engage in profiling and automated decision-making in some circumstances, for example by using automated tools to understand your interests, preferences and behaviour and send personalised offers or content to you where we have a lawful basis to do so, as set out in section 6 (“How do we use your personal data?”).  

 

You have the right to object to this processing in certain circumstances, as set out in section 13 below (“Your personal data protection rights”).

 

 

  12. Cookies

 

We and our third-party partners use cookies, web beacons, pixel tags and other similar technologies (“Cookies”) for some of the purposes described in this Privacy Notice, including for the purposes of insight, analysis and personalisation as described in section 6 above (“How and why do we use your personal data?”). To find out further information about the Cookies that we use on our Site and how you can manage your consent to our use of non-essential Cookies, please see our Cookie Policy.

“Do Not Track” requests (US customers only)

“Do Not Track” (DNT) signals are options available on your internet browser to tell operators of websites that you do not wish to have your online activity tracked. Our Site currently does not respond to “do not track” or similar signals.

 

  13. Your personal data protection rights

 

You have certain rights in relation to the personal data we hold about you.  These rights include:

Right of access: If you ask us, we will confirm whether we are processing your personal data and, subject to certain conditions, we will provide you with a copy of that personal data along with certain other details such as the purpose(s) of the data processing.

Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it.   Please help us to keep your personal data up to date by letting us know of any changes to your personal data (including changes to your contact details) as soon as possible.

Right to erasure: Subject to certain conditions, you may ask us to delete or remove your personal data, such as where we no longer need the personal data for the purposes for which it was collected or our legal basis for the processing is your consent and you withdraw consent. 

Right to restrict processing: You may ask us to restrict or 'block' the processing of your personal data in certain circumstances, such as where you contest the accuracy of the personal data or object to us processing it. We will tell you before we lift any restriction on processing.

Right to data portability: You have the right to obtain from us (or to have transferred to another controller) your personal data that we process by automated means on the basis of your consent or necessity for a contract with you. We will provide the personal data in a structured, commonly used and machine-readable format.

Right to object: You may object to our processing your personal data, and we will stop processing your personal data if (i) we are relying on a legitimate interest to process your personal data, unless we demonstrate compelling legitimate grounds for the processing or (ii) we are processing your personal data for direct marketing purposes.

Right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing of your personal data carried out before we received notice that you wished to withdraw your consent.

If you would like to exercise any of these rights or have any questions about how we use your personal data, please contact us using the details set out in section 18 below (“How to contact us”).

Depending on the country you are located in, the rights you have in relation to your personal data may be different. Please see section 19 (“International Provisions”) below, which explains the rights you may have under local law in certain countries.

  14. Joint controller activities (UK and EEA)

 

This section explains the circumstances where we may be joint controllers (for the purpose of data protection law requirements in the United Kingdom (UK) and European Economic Area (EEA)) with third parties in respect of certain advertising and marketing activities.

Meta

We are joint controllers with Meta in respect of advertising and marketing activities involving advertising to you on platforms owned and operated by Meta. When we refer to Meta, we mean Meta Platforms, Inc. if you are a UK data subject and Meta Platforms Ireland Limited if you are an EU data subject. 

We and Meta have entered into Meta’s Controller Addendums (available here (EU) and here (UK)) to determine our and Meta’s respective responsibilities for compliance with data protection obligations in respect of these activities. In particular, we are each responsible for providing information about how your data might be processed in connection with these activities in our respective privacy notices. Where we or Meta have a direct relationship with the data subject, we or Meta (as applicable) will be responsible for complying with any rights requests from the relevant data subject. However, if you are not a user of our Services, Meta will take primary responsibility for giving effect to your data subject rights (see section 13, “Your data protection rights” above) in respect of these activities.

For further information about how we and Meta use your personal data in connection with these activities, including the legal basis Meta relies on and the ways to exercise your data subject rights against Meta, please see Meta’s Data Policy at https://www.facebook.com/about/privacy.

Google

In relation to Google Advertising products

Google has published information about how it uses personal data in connection with its services here. In addition, Google provides further information about how it uses personal data in connection with online advertising in its Privacy Policy and here. You can also use Google’s Ad Settings to manage your online advertising preferences.

Twitter

Twitter has published information about how it uses your personal data in connection with its advertising services, including how you can opt-out of Twitter’s interest-based advertising, here: https://help.twitter.com/en/safety-and-security/privacy-controls-for-tailored-ads.

TikTok

We are joint controllers with TikTok in respect of advertising and marketing activities involving advertising to you on TikTok. When we refer to TikTok, we mean TikTok Information Technologies UK Limited if you are a UK data subject and TikTok Technology Limited if you are an EU data subject.

We and TikTok have entered into TikTok’s Jurisdiction Specific Terms (which includes the Joint Controller Terms) (available at https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms) to determine our and TikTok’s respective responsibilities for compliance with data protection obligations in respect of these activities.  In particular, we are each responsible for providing information about how your data might be processed in connection with these activities in our respective privacy notices. Where we or TikTok have a direct relationship with the data subject, we or TikTok (as applicable) will be responsible for complying with any rights requests from the relevant data subject. However, TikTok will be responsible for giving effect to your data subject rights with regard to any personal data stored or otherwise processed by TikTok after the joint processing.

For further information about how TikTok uses your personal data in connection with these activities, including the legal basis TikTok relies on and the ways to exercise your data subject rights against TikTok, please see TikTok’s Privacy Notice at https://www.tiktok.com/legal/page/us/privacy-policy/en.

 

  1. Right of complaint to your data protection authority

 

If you have a concern about our privacy practices, including the way we handled your personal data, we would appreciate the opportunity to put it right. However, you may be able to make a complaint to your data protection regulator.

 

If you are located in the UK, you have the right to complain to the Information Commissioner's Office (ICO) (https://ico.org.uk/).

 

If you are located in the EEA, you have the right to complain to the competent data protection authority for your jurisdiction, a list of which can be found at https://edpb.europa.eu/about-edpb/board/members_en.

 

  1. Third party notices

This Privacy Notice may contain links to other third party websites. We are not responsible for the content of these other websites and you should read the privacy notices provided by such websites.

 

  1. Changes to this Privacy Notice

 

We keep our Privacy Notice under regular review. Any changes we may make to our Privacy Notice in the future will be posted to this Site. Please check back frequently to see any updates or changes to this Privacy Notice.

 

  1. How to contact us

If you have any questions about this notice or how we handle your personal data, please contact our Data Protection Officer at dpo@sohoskin.com. Alternatively, you can contact us at Soho Skin, 70 New Oxford St, London WC1A 1EU.

If you would like to exercise any of your rights in relation to your personal data as set out in this Privacy Notice, please contact our third party e-commerce platform Matrix, who currently manages our e-commerce and marketing operations on our behalf, at support@sohoskin.com.

  1. International Provisions

Depending on the country you are located in, the following additional provisions may apply to our processing of your data.

California

This section of this Privacy Notice applies solely to website visitors and members who are residents of the State of California. This section uses certain terms that have the meaning given to them in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively the 'CCPA').

 

What information do we collect?

The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include:

  1. Information that is lawfully made available from federal, state, or local government records;
  2. De-identified or aggregated information; and
  3. Information excluded from the CCPA such as health or medical information covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and financial information covered under the Fair Credit Reporting Act (“FCRA”) or Gramm-Leach Bliley Act (“GLBA”).

Within the past 12 months, we may have collected and we may continue to collect the following categories of personal information set forth below from the categories of sources described above in Section 3 (“How do we obtain your personal data?”):

| Personal Information Category | Source | Sold or Shared |
| --- | --- | --- |
| Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, or other similar identifiers. | Directly from you. For example, from forms you complete. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Categories of personal information described in Cal. Civ. Code § 1798.80(e), such as name, signature, physical characteristics or description, address, telephone number, bank account number, credit card number, debit card number, or any other financial information. | Directly from you. For example, from forms you complete. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Characteristics of protected classifications under state or federal law, such as age, citizenship, and sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions). | Directly from you. For example, from forms you complete. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Commercial information, such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Directly from you. For example, from forms you complete. Indirectly from you. For example, from observing your actions on our Site. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Biometric information | No | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement. | Indirectly from you. For example, from observing your actions on our Site. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Geolocation data | Directly from you. For example, from forms you complete. Indirectly from you. For example, from observing your actions on our Site. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Audio, electronic, visual, thermal, olfactory, or similar information. | Directly from you. For example, from video you upload to our Site. Indirectly from you. For example, from observing your actions on our Site (from CCTV footage). | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Inferences drawn from other personal information to create a profile about a consumer reflecting a consumer’s preferences, characteristics, and trends. | Indirectly from you. For example, we may combine various pieces of personal information to develop inferences. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |
| Sensitive Personal Information (sexual orientation data, data related to race and ethnic origin, disability data, account login information, financial account information, debit and credit card numbers with any required security code, password, or credentials allowing access to an account, and geolocation data). | Directly from you. For example, from forms you complete. | We do not sell or share this information and we have not sold or shared this information in the preceding 12 months. |

 

As we do not knowingly collect the personal information of individuals under the age of 16, we do not knowingly sell or share the personal information of consumers under 16 years of age.

 

How do we use your personal information?

We may use or disclose your personal information for the purposes described in this Privacy Notice.  For more information on why we collect such personal information and how we may use it, please see section 6 of this Privacy Notice (“How and why do we use your personal data?”). 

We will not collect additional categories of personal information or use the personal information we collect for materially different, unrelated, or incompatible purposes without providing you with notice.

What are your personal data protection rights?

Residents of California have certain rights. Please note that the below rights are not absolute, and we may be entitled to refuse requests, wholly or in part, where exceptions apply.

Right to Access

You have the right to access personal information that we may collect or retain about you. If requested, we shall provide you with a copy of your personal information which we collected as permitted by the CCPA.

You also have the right to receive your personal information in a structured and commonly used format so that it can be transferred to another entity ('data portability').

Right to Know

You have the right to request that we disclose the following about your personal information, as defined by the CCPA:

  • The specific personal information we may collect;
  • The categories of personal information we may collect;
  • The categories of sources from which we may collect your personal information;
  • The business purpose(s) for collecting, selling, or sharing your personal information;
  • The categories of personal information we may disclose for business purposes; and
  • The categories of third parties to whom we may sell or share your personal information.

 

Do Not Share or Disclose My Sensitive Personal Information

We may collect sexual orientation data, data related to race and ethnic origin, disability data, account login information, financial account information, debit and credit card numbers with any required security code, password, or credentials allowing access to an account, and geolocation data. You may have the right to request that we limit our use of such information.  You can make such a request by clicking on the “Limit the Use of My Sensitive Personal Information” link at the bottom of our homepage and submitting a request via the authorized methods.

Right to Deletion

In certain circumstances, you have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (instructions and description below), we will delete, and, if applicable, direct our service providers to delete, your personal information, unless an exception applies.

Right to Correct/Right to Rectification

In certain circumstances, you have the right to request correction of any inaccurate personal information. Upon verifying the validity of a consumer correction request, we will use commercially reasonable efforts to correct your personal information as directed, taking into account the nature of the personal information and the purposes of maintaining your personal information.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your rights under the CCPA. Unless permitted by the CCPA, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you with a different level or quality of goods or services; or
  • Suggest that you receive a different price or rate for goods or services or a different level or quality of goods or services.

 

California Shine the Light Law

California Civil Code Section 1798.83 permits our visitors who are California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please contact dpo@sohoskin.com.

Exercising Your Rights

If you are a resident of California, you may be able to exercise any of your rights as described in this Notice and under the CCPA by emailing us at dpo@sohoskin.com or by calling us at +4420 8673 0000. Except as provided for under applicable privacy laws, there is no charge to exercise any of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may (as permitted under the CCPA):

  • Charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or
  • Refuse to act on the request and notify you of the reason for refusing the request. 

What Personal Information Do I Provide to Verify My Identity?

In order to process your deletion and/or access request, we are required by law to collect certain information about you to verify your identity.  If we cannot verify your identity from the information already maintained by us, we may request additional information from you in order to do so, such as your:

  • First name*
  • Last name*
  • Middle initial
  • Email address
  • Phone number
  • Order number

* required field

We will only use this information for the purposes of verifying your identity under the CCPA, and for security or fraud prevention purposes.

What If You Cannot Verify My Identity?

If we cannot verify your identity, we will not be able to process your request to know what personal information we have about you or to delete the personal information we have about you. If we are unable to verify your identity, it may impact our ability to process your request and we may only be able to provide a report with category-level information and we may not be able to delete some of your information.

How to Submit a Request Using an Authorized Agent

An authorized agent is a person or business who has authorization to request to know what personal information we have about you, to delete the personal information we have about you, or to opt out of the sale of personal information on behalf of a California resident. Authorized agents use the same links described above to submit requests.

If you are submitting a request on behalf of another person, we require a valid power of attorney or other documentation demonstrating your authority to submit this request. This can be a letter or other documentation signed by the California resident authorizing you to submit this request. You can download a sample letter from the request form.

How Do I Send You My Documentation?

You can send us your information by emailing us at dpo@sohoskin.com or by calling us at +4420 8673 0000.

Response Timing and Format

We will confirm receipt of a request within 10 days and provide information about how we will process the request. We will make every effort to respond to your request within 45 days from when you contacted us.  If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosure we provide will only cover the 12-month period preceding receipt of your request. The response we provide will also explain any reasons why we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

If you submit a request to opt out of us sharing or selling your personal information, such request will be processed by applying the signal to not share or sell your personal information to your device, browser, consumer account, and/or offline sales, and in what circumstances.

We will not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

If you wish to appeal our decision, please submit your appeal to the above contact information by emailing us at dpo@sohoskin.com or by calling us at +4420 8673 0000. Please clearly state that it is an appeal.

Notice of Financial Incentive

We offer our customers an opportunity to receive certain discounts, exclusive offers, and event invitations if they sign up to receive our newsletters. When you sign up to receive our newsletters, we typically ask you to provide your name and contact information (such as email address). We do not assign a specific, independent monetary value to personal information collected in connection with this offer. To the extent that we estimate the value of personal information that we collect through these offers, we do so in good faith based on the expenses related to the collection and retention of that personal information and such estimate is reasonably related to, and generally less than, the value of the discounted products or services, or other benefits that you obtain or that are provided as part of you signing up for this offer.

You may withdraw from receiving our newsletters at any time by emailing us at dpo@sohoskin.com or by calling us at +4420 8673 0000. We reserve the right to modify any financial incentive program or this notice, in whole or in part, at any time, at our sole discretion.

Hong Kong

This supplementary notice applies to website visitors, members or membership applicants, customers or prospective customers, attendees at our events, subscribers to our publications or newsletters or individuals otherwise engaging or communicating with us who are living in Hong Kong.

For the purposes of this supplementary notice for Hong Kong, “personal data” means any data relating directly or indirectly to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained and in a form in which access to or processing of the data is practicable.

Where there is a conflict between our general Privacy Notice and this supplementary notice for Hong Kong, the provisions set in this supplementary notice prevail insofar as they relate to personal data collected, held, processed or used within or from Hong Kong.

Personal Data (Privacy) Ordinance

We comply with the Personal Data (Privacy) Ordinance ('Ordinance'). You may wish to visit the official website of the Office of the Privacy Commission for more information about this Ordinance.

Data processing

If you are located in Hong Kong, the processing of your personal data as set out in section 6 above (“How and why do we use your personal data?”) is based on your consent or in compliance with applicable laws and regulations, and not on the basis of necessity to carry out a contract with you, a legal obligation or our overriding legitimate interest.

Where we carry out direct marketing, we will obtain your explicit consent.  We will not share your personal data with third parties for direct marketing purposes without your consent.

You may opt out from receiving marketing communications from us at any time, free of charge, by contacting our Data Protection Officer at dpo@sohoskin.com.

Personal data protection rights

Under Hong Kong law, you have the right to request access to and correction of information held by us about you. If you wish to access or correct your personal data, please contact our Data Protection Officer at dpo@sohoskin.com.

In accordance with the Ordinance, we are entitled to charge a reasonable fee for processing any data access or correction requests.
