Effective as of 15 May 2017.
Sephora Digital SEA Pte. Ltd. BRN 201111155N
- Collection of Personal Data
1.1 We may collect Personal Data from you through various means, including but not limited to instances when you: · provide your Personal Data through our Site for the purpose of registering for and creating an account; · download or access the App; · agree for the App to access your location; · apply for a membership or account with our Beauty Pass Loyalty Program (“Beauty Pass”), or access your existing Beauty Pass membership through the Site; · participate in a promotion or other website features;
· request for a product or services information or to receive any marketing, promotional or other types of communications; · provide your ratings and review of products as a customer; · make purchases through our retail store or Site; · make enquiries or comments through our Customer Department through email@example.com; and/or · interact with our sales staff or with us, including in store via sign-up pads.
1.2 In addition to the above, we may use the following technologies (elaborated below) to automatically collect information about your activities on the App or Site, as the case may be (each a “Mobile Technology”):
· Cookies · Flash Cookies · Web beacons, clear pixels, or pixel tags · Analytical tags · Web server logs · Geo-location technologies
1.3 You have no obligation to provide any of the Personal Data requested by us. However, depending on circumstances, it may be the case that if you do not provide the requested Personal Data, we may not be able to provide you with certain products and services, or transact with you, that depend on the collection, use or disclosure of your Personal Data.
- Children’s Privacy
2.1 We do not and do not intend to, transact through the Site directly with anyone we know to be under the age of 18. If you are under the age of 18, you should use the Site only with the involvement of a parent or guardian and should not submit any Personal Data to us. By providing any Personal Data to us, you declare that you are over the age of 18.
- Purposes For Collection, Use, Disclosure And Processing Of Personal Data
3.1 SEPHORA will/may collect, use, disclose and/or process your Personal Data for one or more of the following purposes or any other directly related purposes:
(a) administering, facilitating, processing and/or dealing in any matters relating to your use or access of the Site. Without limiting the generality of the foregoing, if you:
(i) gain access to or sign in to the Site, using your login credentials of a Social Networking Site, or (ii) use any features of a Social Networking Site such as its widgets, plug-ins and browser push notifications, made available to you on our Site,
it may result in information or your Personal Data being collected or shared between us and the third party. For example, if you use Facebook’s “Like” feature, Facebook may register the fact that you “liked” a product and may post that information on Facebook. (“Social Networking Site” refers to an online or digital platform owned or operated by a third party, that is used by people to build social networks or social relations, or to interact, with other people, such as but not limited to Facebook, Instagram, Twitter). By your proceeding pursuant to (i) or (ii) above, you consent to such collection, use or disclosure of your Personal Data;
(b) monitoring, processing and/or tracking your use of the Site in order to provide you with a seamless experience, facilitating or administering your use of the Site, and/or to assist us in improving your experience in using the Site;
(c) assessing and processing your request for the purchase of and/or subscription to our products and/or services;
(d) registering you as a customer of SEPHORA and/or to deal with, process and/or administer the account that you may open with us, including to facilitate your transactions or activities on the Site, or your transactions or activities with us;
(e) administering, facilitating, processing and/or dealing with your relationship with us, any transactions or activities carried out by you on the Site or at our retail stores. This includes processing your application, orders and payment transactions; implementing transactions and the supply of products and/or services to you that you have requested. Without limiting the generality of the foregoing, should you make a purchase to be delivered to a third party recipient, you consent to us disclosing Personal Data that identifies you, to the said third party recipient (such as but not limited to your name). Further, you acknowledge and agree that delivery of your purchase could involve disclosure of certain Personal Data about you to bring about delivery of the same such as your name and contact details, which may be disclosed on the cover of the parcel, on an envelope or a delivery related document, as the case may be, which could be seen by third parties who view such parcel, envelope or said document;
(f) carrying out your instructions or responding to any enquiry given by (or purported to be given by) you or on your behalf including responding to your customer service enquiries and complaints; or responding to or dealing with your interactions with us;
(g) contacting you or communicating with you via phone/voice call, text message and/or fax message, email and/or postal mail for the purposes of administering and/or managing your use of the Site, your Beauty Pass membership and/or account with us, your relationship with us or any transactions made by you with us. You acknowledge and agree that such communication by us could be by way of the mailing of correspondence, documents or notices to you, which could involve disclosure of certain Personal Data about you to bring about delivery of the same as well as on the external cover of envelopes/mail packages;
(h) providing services to you as our account holder, as our customer, as a member of our loyalty program(s) or when requested by you; dealing with or administering your participation in contests, gamification, social events organized by us;
(i) sharing or disclosing (at our discretion) your suggestions, comments, feedback or content (including audio, video etc.) (collectively “Feedback”) that you provide through Social Networking Sites, to the Site or to us (including at the retail stores), with other users of the Site or with the public, for publicity and/or promotion purposes with a view to marketing or showcasing the business of Sephora, and/or to acquiring customers, and/or for the purpose of providing the public with your Feedback which may be useful for the public’s purchasing decision or for the public’s information or otherwise. This includes us disclosing your name together with your Feedback. Without limiting the generality of the foregoing, in the above regard, your Feedback and name may/will be published or shared by us on public media platforms such as the newspaper, the Internet, in our (including our affiliates’) annual reports (if any) etc., and/or incorporated as part of Sephora’s marketing collaterals/materials or corporate video to be disclosed to the public, and you hereby consent to the same. Do not provide us with Feedback if you do not wish for such Feedback to be disclosed to the public. If you wish to give us your Feedback without it being disclosed to the public, please separately email our Customer Department at firstname.lastname@example.org and head the subject of your email with the word “Confidential”;
(j) where you have provided your consent to us, whether such consent was obtained through the Site, the retail store(s) or otherwise, sharing your Beauty Profile Personal Data with or disclosing your Beauty Profile Personal Data to other users of the Site or with/to the public, through the Site or any other media (whether print, online or otherwise) or communication platform as we so choose, at our discretion, such as but not limited to as part of Sephora’s marketing collaterals/materials or corporate video. “Beauty Profile Personal Data” includes your name, skin type/ concerns, eye colour, hair colour and type and other information which you provide;
(k) carrying out due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations (whether Hong Kong or foreign country) applicable to us or our affiliates/associated companies, the requirements or guidelines of governmental authorities (whether Hong Kong or foreign country) which we determine are applicable to us or our affiliates/associated companies, and/or our risk management procedures that may be required by law (whether Hong Kong or foreign country) or that may have been put in place by us or our affiliates/associated companies;
(l) to prevent or investigate any fraud, unlawful activity or omission or misconduct, whether or not there is any suspicion of the aforementioned; dealing with and/or investigating complaints;
(m) complying with or as required by any applicable law, court order, order of a regulatory body, governmental or regulatory requirements of any jurisdiction applicable to us or our affiliates/associated companies, including meeting the requirements to make disclosure under the requirements of any law binding on us or our affiliates/associated companies, and/or for the purposes of any guidelines issued by regulatory or other authorities (whether of Hong Kong or elsewhere), with which we or our affiliates/associated companies are expected to comply;
(n) complying with or as required by any request or direction of any governmental authority (whether Hong Kong or foreign country) which we are expected to comply with; or responding to requests for information from public agencies, ministries, statutory boards or other similar authorities (including but not limited to Hong Kong Customs and Ministry of Health) (whether Hong Kong or foreign country). For the avoidance of doubt, this means that we may/will disclose your Personal Data to such parties upon their request or direction;
(o) conducting research (including customer research), surveys, market surveys, analysis and/or development activities (including but not limited to data analytics, surveys and/or profiling) to improve our services and facilities, or to improve our understanding of your interests, concerns and preferences, in order to enhance any continued interaction between yourself and us connected or in relation to the Site, or improve any of our products or services. Without limiting the generality of the foregoing, we may/will in this regard send you surveys or request a face to face interview survey, by way of email or postal mail;
(p) storing, hosting, backing up (whether for disaster recovery or otherwise) of your Personal Data, whether within or outside Hong Kong;
(q) facilitating, dealing with and/or administering external audit(s) or internal audit(s) of the business of SEPHORA or that of its affiliates/related corporations;
(r) for marketing purpose and in this regard, we would be providing you with marketing, advertising and promotional information, materials and/or documents relating to products, contests, services and/or events(including those of third party organisations whom SEPHORA may collaborate with as set out in paragraph 4.1 below) hat SEPHORA (including its affiliates/related corporations)or such third party organisations set out in paragraph 4.1 below may be selling, marketing, offering, organizing, involved in or promoting, whether such products, services and/or events exist now or are created in the future:
(i) by way of postal mail, electronic transmission to your email address(es), push notifications, other forms of in-app notifications or harnessing other technologies (such as geo-location technology) for our App on your mobile device(s) or other technologies on your computers, and/or through other modes of communication that is not the 3 DNC Modes, in compliance with the PDPO. You may opt out of this or withdraw from this at any time by sending an email to our Data Protection Officer.; and/or
(ii) if you have separately expressly consented to one or more of the following 3 DNC Modes, by way of the 3 modes of communications of voice calls, text messages or faxes (the “3 DNC Modes”) to your Hong Kong telephone number, in compliance with the requirements of the PDPO.
For the avoidance of doubt, this subparagraph is without prejudice to subparagraph (o) above for which you have hereby consented to us contacting you for a survey, which you may subsequently opt out of by sending our Data Protection Officer notice;
(s) dealing with and/or facilitating a business asset transaction or a potential business asset transaction, where such transaction involves SEPHORA as a participant or involves only a related corporation or affiliated company of SEPHORA as a participant or involves SEPHORA and/or any one or more of SEPHORA’s related corporations or affiliated companies as participant(s), and there may be other third party organisations who are participants in such transaction. “business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation;
(t) to implement and maintain our information technology systems, including to store and process Personal Data in computer databases and servers located within and outside Hong Kong;
(u) anonymization of your Personal Data. In this regard, you acknowledge that Personal Data that has been anonymized to the extent that your identity could not be practicably revealed directly or indirectly is no longer Personal Data and the requirements of the PDPO would no longer apply to such anonymized data.In this connection, we will not attempt to re-identify any individuals from anonymised data or to use the information or any individuals even if re-identification is possible;
(v) record-keeping purposes and producing statistics and research for internal and/or statutory reporting and/or record-keeping requirements, of SEPHORA or of its affiliates/related corporations; and
(w) SEPHORA, SEPHORA Group Companies’ or SEPHORA’s parent corporation’s reporting purposes including but not limited to reporting on SEPHORA’s business performance (“SEPHORA Group Companies” means SEPHORA, its affiliates, related corporations and associated companies globally);
(the purposes set out in this paragraph 3.1 above shall be collectively referred to as the “Purposes”).
3.2 For the avoidance of doubt, you acknowledge and consent to SEPHORA sharing anonymised information such as but not limited to in the following circumstances. For the further avoidance of doubt, the PDPO does not apply to anonymised data that does not identify an individual and the PDPO does not provide you with a right to object to an organisation handling or processing anonymised data:
(a) Aggregate information. We may share anonymised aggregate information about our customers with advertisers and marketing partners;
(b) Behavioural-based advertising. A third party may use technology to collect anonymised information about your use of Site so that they can provide advertising about products and services tailored to your interest. That advertising may appear either when you are using the Site, or using the Internet or your mobile device to visit other websites.
- Sharing and Disclosure of Personal Information
4.1 SEPHORA may/will need to disclose your Personal Data to third parties, whether located within or outside Hong Kong, for one or more of the above Purposes, as such third parties, would be processing your Personal Data for one or more of the above Purposes. In this regard, you hereby acknowledge, agree and consent that we are permitted to disclose your Personal Data to such third parties (whether located within or outside Hong Kong) for one or more of the above Purposes and for the said third parties to subsequently collect, use, disclose and/or process your Personal Data for one or more of the above Purposes. Without limiting the generality of the foregoing or of paragraph 3, such third parties include :
(b) any of our agents, contractors or third party service providers that process or will be processing your Personal Data on our behalf or otherwise, including but not limited to those which provide administrative or other services to us such as mailing houses, call centres, telecommunication companies, logistics companies, information technology companies and data centres;
(c) our business partners including those in skincare, body care, cosmetics, entertainment, leisure and sports, health and wellness, food and beverage, telecommunications, media and public relations, information technology, property, banking, financial, transportation, travel and tourism industries;
(d) any actual or proposed assignee or transferee of the business of SEPHORA, or a merged entity in the event SEPHORA is merged to create the said merged entity for the same or directly related Purposes; or
(e) any other person to whom such disclosure is required by law or regulatory requirement or pursuant to a court order.
4.2 We will provide our preferred service providers with the information they need to perform their services and work with them to respect and protect your Personal Data. We require our service providers to adhere to strict privacy guidelines and not to use your Personal Data for unauthorised purposes.
4.3 Where your Personal Data is to be transferred out of Hong Kong, we will comply with the PDPO in doing so.
- Provision Of Third Party Personal Data By You
5.1 To the extent permitted under the applicable laws, should you provide SEPHORA with Personal Data of individual(s) other than yourself, you represent and warrant to SEPHORA and you hereby confirm that :
(a) prior to disclosing such Personal Data to us, you would have notified all the terms and conditions of this Privacy Notice to, and had obtained consent from the individuals whose Personal Data are being disclosed to us, to:
(i) permit you to disclose the individuals’ Personal Data to SEPHORA for the Purposes; and
(ii) permit SEPHORA to collect, use, disclose and/or process the individuals’ Personal Data for the Purposes, as set out in paragraph 3 above;
(b) any Personal Data of individuals that you disclose to us is accurate; and
(c) you are validly acting on behalf of such individuals and that you have the authority of such individuals to provide their Personal Data to SEPHORA and for SEPHORA to collect, use, disclose and process such Personal Data for the Purposes.
- Request For Access And/ Or Correction Of Personal Data
6.1 You may request to access and/or correct your Personal Data currently in our possession or control by submitting a written request to us. We will need enough information from you in order to ascertain your identity as well as the nature of your request, or to deal with your request. Please submit your written request to email@example.com.
6.2 For a request to access Personal Data, once we have sufficient information from you to deal with the request, we will seek to provide you with the relevant Personal Data within 30 days. Where we are unable to respond to you within the said 30 days, we will notify you of the soonest possible time within which we can provide you with the information requested[, and in any event within 40 days after receiving your data access request (a) inform you in writing that (i) we are unable to comply with your data access request with the reasons, and (ii) comply with your data access request to the extent, if any, that we are able to comply with the same; and (b) as soon as practicable after the expiration of the said 40 day period, fully comply with your data access request]. The PDPO exempts certain types of Personal Data from being subject to your access request.
For a request to correct Personal Data, once we have sufficient information from you to deal with the request, we will deal with your request in compliance with the PDPO, including correct your Personal Data within 30 days. Where we are unable to do so within the said 30 days, we will notify you of the soonest practicable time within which we can make the correction[, and in any event within 40 days after receiving your data correction request (a) inform you in writing that (i) we are unable to comply with your data correction request with the reasons, and (ii) comply with your data correction request to the extent, if any, that we are able to comply with the same; and (b) as soon as practicable after the expiration of the said 40 day period, fully comply with your data correction request]. Note that the PDPO exempts certain types of Personal Data from being subject to your correction request as well as provides for situation(s) when correction need not be made by us despite your request.
6.3 We may also charge you a reasonable fee for the handling and processing of your requests to access your Personal Data. If so, we will provide you with a written estimate of the fee. Please note that we are not required to respond to or deal with your access request unless you have agreed to pay the fee.
- Request To Withdraw Consent
7.1 You may withdraw your consent for the collection, use and/or disclosure of your Personal Data in our possession or under our control by submitting your request to firstname.lastname@example.org.
7.2 We will process your request within a reasonable time from such a request for withdrawal of consent being made, and will subsequently not collect, use and/or disclose your Personal Data in the manner stated in your request, unless the law or the PDPO allows us to.
7.3 However, your withdrawal of consent could result in certain legal consequences arising from such withdrawal. In this regard, depending on the extent of your withdrawal of consent for us to process your Personal Data, it may mean that we may not be able to fulfill the transaction you have entered into with us or continue with your relationship with us, or send you information that you have requested, as examples depending on the circumstances.
- Protecting and Managing Your Personal Data
8.1 We will endeavour to take all reasonable steps to ensure your Personal Data is kept confidential and secure, and to take appropriate technical and organizational measures to prevent unlawful or accidental destruction, accidental loss, unauthorized disclosure or access or other unlawful forms of processing. We will not rent, trade, distribute or sell any Personal Data that you give us to any third party unless we receive your prior consent or applicable law permits the same.
8.2 We will put in place reasonable security arrangements to ensure that your Personal Data is adequately protected and secured. Appropriate security arrangements will be taken to prevent any unauthorized access, collection, use, disclosure, copying, modification, leakage, loss, damage and/or alteration of your Personal Data. However, we cannot assume responsibility for any unauthorized use of your Personal Data by third parties which are wholly attributable to factors beyond our control.
8.3 We will take reasonable efforts to ensure that your Personal Data is accurate and complete, if your Personal Data is likely to be used by us to make a decision that affects you, or disclosed to another organisation. However, this means that you must also update us of any changes in your Personal Data that you had initially provided us with. We will not be responsible for relying on inaccurate or incomplete Personal Data arising from you not updating us of any changes in your Personal Data that you had initially provided us with.
8.4 We will also put in place measures such that your Personal Data in our possession or under our control is destroyed and/or anonymized as soon as it is reasonable to assume that (i) the purpose for which that Personal Data was collected is no longer being served by the retention of such Personal Data; and (ii) retention is no longer necessary for any other legal or business purposes directly related to the Purposes.
8.5 For your convenience, the App includes functionality allowing you to remain logged in to the App so that you do not have to re-enter your password each time you access the App. IF YOU CHOOSE TO REMAIN LOGGED IN, YOU SHOULD BE AWARE THAT ANYONE WITH ACCESS TO YOUR MOBILE DEVICE WILL BE ABLE TO ACCESS AND MAKE CHANGES TO YOUR ACCOUNT AND MAY BE ABLE TO MAKE PURCHASES THROUGH YOUR ACCOUNT. For that reason, if you choose to remain logged in to your device using the App, we strongly recommend that you enable the “Passcode Lock” security feature on your mobile device to protect against unauthorized access to and use of your mobile device and your App account. Please also notify us as soon as possible if you suspect any unauthorized use of your account or password. You agree that we will not be responsible for any unauthorized transactions or activities with us using your App account as we logically are only in a position to assume that any user of your App account is you.
- Cookies and Mobile Technology
9.2 Flash Cookies. "Flash Cookies" (also called Local Shared Objects or "LSOs") are data files similar to cookies, except that they can store more complex data. Flash Cookies are used to remember settings, preferences, and usage, particularly for video, interactive gaming, and other similar services.
9.3 Web Beacons. Web beacons are small graphic images on a web page or in an e-mail that can be used for such things as recording the pages and advertisements clicked on by users, or tracking the performance of e-mail marketing campaigns.
9.4 Analytics Tags. We use analytical tags to analyse what our clients like to do and the effectiveness of our features and advertising. They can also help us customize your browsing and shopping experience. We may use information collected through analytical tags or tracked links in combination with your Personal Data. We may also combine Personal Data you provide to us with other Personal Data (such as purchase history and demographic information). We often work with other companies such as, for example, AppsFlyer Ltd., to help us track, collect and analyse this information but they are prohibited from using this information for any other purpose.
9.5 Web Server Logs. Web server logs are records of activity created by the mobile device or computer that delivers the webpages you request to your browser. For example, a web server log may record the search term you entered or the link you clicked to bring you the webpage. The Web server log also may record information about your browser, such as your IP address and the cookies set on your browser by the server.
9.6 Geo-Location Technologies. Geo-location technology refers to technologies that permit us to determine your location. We may ask you to manually provide location information (like your postal code), or to enable your mobile device to send us precise location information. For example, the first time you download the App you will/may be asked to choose between allowing or not allowing the App to access your location and/or to send you mobile notifications. If you choose “Do Not Allow,” you will have opted-out of having the App accessing your location to send you location-specific offer notifications. If you choose “OK” the App will communicate with your mobile device and collect certain data as provided in this Policy in order to send you targeted offers based on your location. You can always opt-out of sharing location data with the App by changing your device settings.
9.7 We utilise software manufactured by Sailthru Inc (or any other third party) and as the case may be, other software developers which works with your mobile device running the App to create a more personalised experience to make you aware of in-store offers, events and products. If you have enabled access to your location, depending on the features included in the App, Sephora may collect the following information:
· Information about your mobile device including make, model, operating systems and similar information;
· The state of your mobile device (e.g. location services on/off, Bluetooth on/off, WiFi on/off, cellular data on/off, and other similar information);
· Information about your version and your use of the App such as your use of various features, functions or clicks on notifications or content as well as application permissions (e.g., deliver notifications, use location services, use Bluetooth, and other similar information);
· Information about your Beauty Pass membership status (if applicable) and products you have expressed an interest in (including those in your basket, in wishlist or that you have purchased); · Information you may provide to us by participating in a survey, labelling a location you visit, providing feedback, sending us questions or otherwise responding to requests for information; · Periodic collection of your location (e.g., latitude and longitude coordinates) and time of day or your location when/if your device is near any stores or other locations; and · Attributes of WiFi networks visible to your device.
- Registration Information
Our Site contains areas where you can submit information to us (such as our registration service), and we also have features (such as cookies and performance tracking technology) that automatically collect information from the visitors to our Site. During the registration process, you must provide us with a password, your name, address and a valid email address, etc. It is your responsibility to keep your password strictly confidential.
- Problems, queries or complaints
12.2 You may also contact us at the details above if you have a complaint about how we have handled your Personal Data. We will investigate your complaint and will use reasonable endeavours to respond to you in writing as soon as possible.
13.2 For the avoidance of doubt, in the event that Hong Kong Personal Data protection law or any other applicable laws permits an organisation such as us to collect, use or disclose your Personal Data without your consent, such permission granted by the law shall continue to apply. APPENDIX A
COUNTRIES IN WHICH OVERSEAS RECIPIENTS ARE LIKELY TO BE LOCATED
Aruba; Australia; Austria; Bahrain; Barbados; Belgium; Bermuda; Brazil; Canada; Chile; China; Colombia; Czech Republic; Denmark; Dominican Republic; Finland; France; Germany; Greece; Guam; Hong Kong; Hungary; India; Indonesia; Ireland; Israel; Italy; Japan; Kazakhstan; Kuwait; Lebanon; Luxembourg; Macau; Malaysia; Mexico; Mongolia; Morocco; Netherlands; New Zealand; Norway; Panama; Philippines; Poland; Portugal; Qatar; Romania; Russian Federation; Saipan; Saudi Arabia; Singapore; South Africa; South Korea; Spain; Sweden; Switzerland; Taiwan; Thailand; Turkey; Ukraine; United Arab Emirates; United Kingdom; Uruguay; United States of America; Vietnam.