Privacy Policy
Any translated version of this document is provided for convenience only. The English version of this document shall control in the event of any conflict.
Last updated and effective: 01 January, 2025
This Privacy Policy describes how The Nutricosmetic Company Intl Ltd and/or its affiliates and subsidiaries (collectively, “The Nutricosmetic Company”, “we”, “us”, or “our”) collect, use, disclose, and protect your personal data. It also outlines your rights and choices in relation to your personal information, and how you can contact us for further information.
The COSME Group Ltd (85 Great Portland Street, London, W1W 7LT, United Kingdom), as the parent company of The Nutricosmetic Company, is the data controller responsible for the processing of personal data collected via or in connection with The Nutricosmetic Company website and any associated applications (together, the “Site”).
Our “Services” refer to the Site, mobile applications, digital platforms, customer service channels, and any other features, content, technologies, or functions offered through or in connection with The Nutricosmetic Company, including transactions, subscriptions, and marketplace interactions.
By accessing or using our Site or Services, you confirm that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you should not use the Site or Services.
You can read a particular topic by going to the headings below:
- 1. Information We Collect
- 2. How We Use Information
- 3. How We Disclose Information
- 4. Cookies & Personalization
- 5. Marketing
- 6. How We Protect Information
- 7. How Long We Retain Information
- 8. International Transfers of Information
- 9. Third-Party Websites
- 10. Security
- 11. Your Rights
- 12. Changes To This Privacy Policy
- 13. Children
- 14. Contact Us
- 15. Additional Information for California Residents
1. Information We Collect
“Personal Data” (or “personal information”) refers to any information that identifies, or can reasonably be used to identify, an individual. We collect Personal Data in the following ways:
1.1 Information you provide to us directly
We collect Personal Data when you interact with our Site and Services or provide information directly to us. This may include:
- Account Registration. Profile information you provide when creating or updating your account, including (but not limited to) your name, contact details, gender, and any optional information such as body type, skin type, hair condition, training regime, performance goals, height, and weight.
- Transaction and Billing Information. If you make a purchase via our Site, we may collect payment details (e.g. credit/debit card information), delivery addresses, and order history.
- Customer Communications. Records of communications between you and us, including emails, phone calls, customer service messages, and messages submitted via chat, forums, or social media channels.
- Promotions and Campaigns. Information submitted when you enter competitions, participate in giveaways or engage with other promotional activities.
- Reviews and Surveys. Feedback you provide via product reviews, surveys, or other customer research activities.
- Event Registrations. Information collected when you register for or attend events that we host, sponsor, or collaborate on.
- Marketing Preferences. Details about your preferences for receiving marketing communications and your subscription settings.
- Interactive Shopping Tools. When using personalization or interactive tools (e.g. product match finders), we may collect information such as uploaded photos and your responses to customization questions to offer tailored product recommendations.
- In-store Interactions. If you shop with us at a physical location (e.g. store or pop-up), we may collect purchase or mailing list information and combine it with your online data.
1.2 Information we collect automatically
We automatically collect certain Personal Data relating to your use of the Site and Services and your interactions with us or others. This may involve technologies such as cookies, pixel tags, log files, and similar tracking tools. The data collected may include, but is not limited to:
- Device and Browsing Data. Information about your device and browsing behavior, including IP address, general location, browser type, device type, device ID, domain name, date/time stamps, Internet service provider, referring and exit URLs, operating system, language, clickstream data, and similar technical data.
- Usage Data. Information on how you interact with the Site and Services, such as pages visited, time spent on pages, features accessed, products viewed or added to cart, links clicked, files uploaded or downloaded, and searches performed.
- Location Data. We may derive location information from your IP address, or—where permitted—collect geolocation data directly from your device. You can disable location tracking via your device settings.
For more detail, see Section 4 “Cookies and Personalisation”.
1.3 Information from third-party sources
In certain circumstances, we may receive Personal Data from external sources, such as:
- Identity Verification Services. Data provided by third-party services to confirm your identity and prevent fraudulent activity.
- Social Media Platforms. If you interact with us on social media, we may collect data such as your username, profile details, likes, comments, and engagement activity (subject to your privacy settings on the platform).
- Partner Websites. Content shared with us from affiliated or partner websites, such as product reviews, which we may display on our Site.
- Advertising and Analytics Partners. Demographic and analytical data received from third-party marketing or analytics providers to help us personalize content and optimize advertising. See Section 4 “Cookies and Personalization” for further details.
2. How We Use Information
Depending on how you use our Site and Services, your interactions with us, and the permissions you provide, we may use your Personal Data for the following purposes:
- Account Management. To register as a customer and manage your account, including providing access to personalized features.
- Order Fulfilment. To process and fulfill orders, including payment processing, managing deliveries, handling returns, and issuing refunds.
- Customer Support. To respond to your inquiries, resolve complaints, and provide general customer service.
- Product Recommendations. To provide personalized recommendations through our interactive shopping tools (e.g. foundation matches). This may include the use of images, preferences, and feedback to improve these tools or develop similar features.
- Service Notifications. To communicate service-related updates, including changes to our Terms, Privacy Policy, or other policies.
- Personalization. To tailor content, recommendations, and on-site experiences based on your preferences, browsing behavior, purchase history, and other account activity.
- Site and Business Optimisation. To operate, monitor, and improve our Site, its design and performance (including font rendering services), and our broader business processes. This includes analytics, user experience testing, product development, internal training, and quality control.
- Events. If you register for or attend events we host, sponsor, or participate in, we may use your information to manage event logistics and communications.
- Surveys and Feedback. To conduct market research and customer satisfaction surveys, and to collect feedback to enhance our offerings.
- Marketing and Advertising. To send marketing communications and display targeted advertising, subject to your preferences and applicable legal grounds. We may also share certain data with advertising partners to support campaign delivery. You may opt out of such processing at any time—see Section 4 “Cookies and Personalization” and Section 5 “Marketing” for more information.
- Security and Fraud Prevention. To protect our business, systems, and users by detecting and preventing fraud, unauthorized access, misuse, or other security risks.
- Legal and Regulatory Compliance. To comply with applicable laws and regulations, respond to legal requests, and manage legal claims or proceedings.
- Corporate Operations. To support internal business functions, including audits, compliance, record-keeping, financing, mergers, acquisitions, reorganizations, or similar corporate transactions.
2.1 Legal Bases for Processing (UK/EU GDPR)
We rely on the following lawful bases under data protection law to process your Personal Data:
- Contractual necessity – Where the processing is required to perform a contract with you or to take steps at your request before entering into a contract (e.g. processing orders and delivering products).
- Consent – Where you have given explicit consent (e.g. for marketing communications or the use of non-essential cookies). You may withdraw your consent at any time. See Sections 4 and 5 for more details.
- Legitimate interests – Where it is in our legitimate business interests to process your data, provided those interests are not overridden by your rights. This includes understanding user behavior, improving services, and securing our platform.
- Legal obligation – Where processing is necessary to comply with our legal or regulatory obligations.
3. How We Disclose Information
In addition to the specific circumstances described elsewhere in this Privacy Policy, we may disclose your Personal Data to the following categories of recipients, where necessary and in accordance with applicable data protection laws:
- The COSME Group and Affiliates. We may share your information with other entities within The COSME Group Ltd and its affiliated companies, where required for the operation, support, and enhancement of our Services, including for marketing, analytics, fulfillment, legal, and compliance purposes.
- Business Transfers. In the event of a potential or actual business transaction, such as a merger, acquisition, reorganization, asset sale, or insolvency, we may disclose or transfer your personal data as part of that transaction. This may include sharing data during due diligence or transferring data to a successor entity. If our business or assets are acquired, your personal data may be one of the transferred assets. During such processes, we may also share certain personal data with transaction advisors, including auditors, consultants, and legal representatives.
- Service Providers. We may disclose your data to trusted third parties who perform services on our behalf. This includes, but is not limited to, payment processors and financial service providers, fulfillment and delivery companies, IT and hosting providers, customer support and CRM platforms, survey and research tools, and analytics and marketing technology providers. These service providers are contractually bound to handle your data securely and only for the purposes outlined in this Privacy Policy.
- Professional and Legal Advisors. We may share your personal data with our legal advisors, accountants, or other professional consultants where necessary to obtain legal advice, conduct audits, manage legal claims, ensure compliance, or support risk and financial oversight.
- Advertising and Marketing Partners. We may disclose non-identifiable, aggregated, or pseudonymized data to advertising networks, media platforms, or campaign partners to help deliver relevant advertising to you. This may include data used to define advertising audiences such as demographics and interests, encrypted identifiers (such as a hashed email) shared with platforms like Meta or Google to create custom audience segments or run lookalike campaigns, and performance data from ad interactions such as clicks and conversions. You can manage your advertising and cookie preferences as described in Section 4 “Cookies and Personalisation”.
- Third-Party Advertising. We work with third-party advertising partners to help deliver content that is relevant and tailored to your interests. These companies may collect data about your interactions with our Site and Services in order to build a profile of your preferences and serve personalized advertisements across other websites, apps, or platforms. To support these efforts, we may share limited data with advertising platforms in hashed or pseudonymized form (e.g. email addresses or device identifiers). For example, we may use audience matching services such as Meta Custom Audiences or Google Customer Match, which allow us to show tailored ads to our customers or users with similar characteristics. You can control how these third parties use your data through the settings provided on their respective platforms and manage your advertising and cookie preferences via our Cookies and Personalisation section (see Section 4).
- Third-Party Platforms and Tools. We may disclose personal data to third-party platforms, technology providers, and networks that support or enable features on our Site or Services. This includes tools that provide functionality such as review sections, personalized recommendations, interactive content, account login integration, analytics, and campaign management. See Section 4 “Cookies and Personalisation” for more details.
- User Profiles and Submissions. Certain profile information you choose to provide, such as your name, location, or any content (including photos or videos) uploaded to the Site or Services, may be visible to other users, particularly when used to enable interaction or respond to service requests. Depending on the features you use, your profile settings may allow you to control what personal data is visible to others. Please note that any content or information you voluntarily post in public areas of the Site such as discussion boards, comment sections, forums, or other interactive features may become publicly accessible and could be viewed, collected, or used by others. Your username may also be visible to other users if you engage in public interactions such as comments or messages.
- Product Reviews Shared to External Sites. Reviews you submit to our Site may be shared with external retailers, marketplaces, or partner websites that display product information. This helps broaden the reach of product feedback and may appear on websites other than our own.
- Collaboration Partners. Where we have a legitimate interest, we may share anonymized insights, consumer trends, and campaign reporting data with brands or manufacturers we collaborate with. This data will not include information that directly identifies you.
- Legal and Regulatory. We may process and disclose your personal data where necessary to comply with applicable legal and regulatory obligations. This includes responding to lawful requests from public authorities, regulatory bodies, law enforcement agencies, or courts. Such disclosures may be required for purposes including, but not limited to, tax reporting, consumer protection, anti-fraud efforts, national security, or enforcement of intellectual property rights. We may also disclose your personal data to comply with legal obligations arising under UK or international law, or in response to legal proceedings such as subpoenas, court orders, or official investigations. Where appropriate, we will take reasonable steps to ensure that any disclosure is lawful, limited to what is necessary, and handled with appropriate safeguards.
- Fraud Prevention and Detection. We may use and share your personal data where necessary to detect, prevent, or investigate fraud, suspicious activity, security breaches, and other unlawful or harmful conduct. This includes verifying your identity, monitoring transactions, assessing risk, and enforcing our Terms of Use or other applicable agreements. We may also disclose information to third parties, such as payment processors, fraud prevention agencies, law enforcement, or regulatory authorities, where such sharing is required or justified in connection with safeguarding our customers, our business, or the integrity of our Services.
- Other Disclosures Without Your Consent. We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request. This includes responding to subpoenas, court orders, or other lawful requests from authorities. We may also share your information to establish or exercise our legal rights, defend against legal claims, investigate suspected illegal activity or fraud, enforce our Terms of Use or other agreements, or protect the rights, property, or safety of The Nutricosmetic Company, The COSME Group, our users, or others. Additionally, we may disclose data as necessary to fulfill your request for services involving third-party intermediaries (such as delivery or logistics partners).
- Other Disclosures With Your Consent. We may disclose your personal data to third parties when you have given us your express consent to do so, or where you have directed us to share your information for a specific purpose.
4. Cookies & Personalization
We and our third-party service providers use cookies, pixels, local storage objects, APIs, and other similar technologies to automatically collect certain information about your device, browser, interactions with our Site, and browsing behavior. These technologies help us understand how the Site is accessed and used, provide essential functionality, deliver personalized content and advertising, and improve overall performance.
4.1 Use of Cookies and Tracking Technologies
These technologies are used for various purposes including:
- Operating and securing the Site
- Measuring and analyzing Site traffic and performance
- Delivering tailored content and advertisements
- Identifying and fixing bugs or errors
- Enhancing user experience and functionality
- Conducting analytics and customer behavior research
Some cookies are strictly necessary for the Site to function, while others are optional and used for analytics, advertising, and personalization purposes.
4.2 Personalised Advertising and Marketing
We work with third-party partners, including advertising networks, social media platforms, and analytics providers, to deliver personalized advertising on our Site and across other digital platforms. These third parties may use cookies or similar technologies to track your online activity and show ads that are more relevant to your interests.
In some cases, we may share limited data with these partners such as your email address in hashed form to create custom audiences or lookalike audiences for campaigns on platforms like Meta (Facebook and Instagram), Google, or similar services. These platforms may also assist us by supplementing our customer records with demographic or behavioral insights to help refine our targeting strategies.
4.3 Managing Your Preferences
You can manage your preferences regarding cookies and personalization in the following ways:
- Cookie Preference Tool. A cookie settings icon is available on our Site (typically in the bottom left corner). Through this tool, you can opt out of non-essential cookies at any time. Your preferences are browser- and device-specific, so you’ll need to configure them on each browser and device you use. If you delete or clear your cookies, you may need to reset your preferences.
- Browser Settings. Most browsers allow you to manage cookies directly through their settings. You can block or delete cookies, though doing so may affect how our Site functions.
- Industry Programmes. You may opt out of interest-based advertising from participating third parties through the following links:
Please note that opting out does not mean you will no longer see any advertisements; you may still see contextual or non-targeted ads.
4.4 Do Not Track Signals
At this time, we do not respond to “Do Not Track” browser settings or similar signals. You can still manage your cookie preferences through the tools listed above.
4.5 Further Information
For more detailed information about the specific cookies used on our Site and how to manage them, please refer to our Cookie Policy.
5. Marketing
We enjoy keeping our customers informed about new products, exclusive offers, and tailored content. Depending on your marketing preferences, we may use your personal data to send you promotional communications via email, SMS, telephone, or post. These messages may be personalized based on your purchase history, browsing behavior, and other information we hold about you to ensure they are relevant and of interest.
If you no longer wish to receive marketing communications from us or if you’d like to opt back in, you can manage your preferences at any time by:
- Clicking the ‘unsubscribe’ link in any of our marketing emails;
- Updating your settings in your account (where available); or
- Contacting us directly at privacy@thenutricosmeticcompany.com.
Please note that even if you opt out of marketing, we may still contact you with service-related communications when necessary, for example, to confirm your orders, provide delivery updates, or inform you of changes to our Terms or Privacy Policy.
6. How We Protect Information
We take the security of your personal data seriously and implement appropriate technical and organizational measures to safeguard it against unauthorized access, loss, misuse, alteration, or disclosure. These measures include secure server connections, access controls, encryption where appropriate, and regular system monitoring.
However, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use reasonable and commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event that we are legally required to notify you of a data breach involving your personal information, we will do so in accordance with applicable laws. This may include providing notice electronically, in writing, or by telephone, where legally permitted.
When you create an account on our Site, you will be required to set a password. You are responsible for maintaining the confidentiality of your login credentials and for any activities or actions taken under your account, whether authorized by you or not. You must notify us immediately if you become aware of any unauthorized access or use of your account or password.
7. How Long We Retain Information
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, regulatory, tax, accounting, or reporting requirements. In some circumstances, we may retain your data for a longer period if required or permitted by law, such as to establish, exercise, or defend legal claims.
To determine the appropriate retention period, we consider several factors including the nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and whether those purposes can be achieved through other means, as well as applicable legal, regulatory, and contractual requirements. Once your personal data is no longer needed for the purposes for which it was collected, we will securely delete or anonymize it, unless we are required to retain it for a longer period under applicable law.
8. International Transfers of Information
As a multi-national organization, we may transfer your personal data across borders to our affiliates, service providers, and partners located in other countries. This means your information may be processed in jurisdictions that may not offer the same level of data protection as your home country. However, we take appropriate steps to ensure that your personal data continues to be protected in accordance with applicable legal requirements and the privacy principles under which the data was originally collected. Where applicable, this includes implementing safeguards such as Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner’s Office or relying on other valid legal mechanisms for data transfers.
By submitting your personal data to us, you acknowledge and agree that it may be transferred, stored, and processed in a country outside your country of residence, including but not limited to the United States, where our global operations are based. If you would like further details about the measures we take to protect your data when transferred internationally, or to request a copy of any applicable Standard Contractual Clauses, please contact us using the details provided in the “Contact Us” section below.
9. Third-Party Websites
For your convenience, our Site may contain links to third-party websites, services, or content that are not owned or operated by The Nutricosmetic Company. Please be aware that we are not responsible for the privacy practices of these third parties. These third-party websites and services may have their own privacy policies or notices, which we strongly encourage you to review before providing any personal data. Your use of any linked site, service, or feature is subject to that third party’s terms and policies, and we do not accept any responsibility or liability for their content, actions, or data handling practices.
10. Security
We implement appropriate technical and organizational safeguards to protect your personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures include maintaining industry-recognized security certifications such as ISO 27001 and PCI DSS (Payment Card Industry Data Security Standard). Despite our efforts, no method of transmission over the Internet or electronic storage method is completely secure. As such, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
11. Your Rights
You have certain rights under data protection and privacy laws, which give you control over your personal data and how it is used. These rights include:
- Access. You have the right to request a copy of the personal data we hold about you.
- Correction. You may ask us to correct inaccurate or incomplete personal data.
- Deletion. In certain circumstances, such as where we no longer need your personal data for the purposes for which it was collected, you can request that we delete it.
- Objection. You can object to the processing of your personal data in certain cases, including where we use it for direct marketing purposes. See Section 5 “Marketing” for information on how to opt out of marketing communications.
- Portability. You may request that we transfer your personal data to another provider, where technically feasible and where applicable.
- Complaint. You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (www.ico.org.uk).
We will respond to all valid requests in accordance with applicable data protection laws. Please note that these rights are not absolute and may be subject to limitations, for example, where we are legally required to retain your data or where we need it to establish or defend legal claims.
To exercise your rights, please contact us at: privacy@thenutricosmeticcompany.com
11.1 Additional Rights for U.S. Residents
If you are a resident of California or another U.S. state with applicable privacy legislation (such as Virginia or Colorado), you may have additional rights, including:
- The right to correct inaccuracies in your personal information.
- The right to request deletion of your personal data.
- The right to confirm whether we process your personal data, and to receive a copy in a portable and readily usable format.
- The right to opt out of:
  - The “sale” of personal data.
  - Targeted advertising.
  - Automated profiling or decision-making with legal or similarly significant effects.
- The right to appeal any decision we make in relation to a privacy rights request.
You can manage preferences for targeted advertising as explained in Section 4: Cookies and Personalization, and opt out of marketing communications as detailed in Section 5: Marketing.
To exercise your rights under applicable U.S. privacy laws, please contact us at: privacy@thenutricosmeticcompany.com
12. Changes To This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal obligations, or other factors. Any updates will take effect immediately upon posting unless otherwise specified. You can refer to the “Last Updated” date at the top of this page to see when this Policy was last revised.
Where appropriate, we will take reasonable steps to notify you of significant or material changes. This may include posting a prominent notice on our Site, sending you an email, or using other appropriate means of communication.
13. Children
As outlined in our Terms of Use, our Services are not intended for individuals under the age of 18. We do not knowingly collect or solicit personal information from anyone under 18 years of age. If you are under 18, please do not register for the Services, make purchases, or provide any personal information to us.
If we become aware that we have inadvertently collected personal information from a child under the age of 18, we will promptly delete such data. If you believe that a child under 18 may have provided us with personal information, please contact us using the details provided in the “Contact Us” section below.
14. Contact Us
If you have any questions, comments, or complaints concerning our privacy practices, or if you need to access this Privacy Policy in an alternative format due to having a disability, please contact us at privacy@thenutricosmeticcompany.com or by regular mail via:
The Nutricosmetic Company Intl Ltd
85 Great Portland Street,
London,
W1W 7LT,
United Kingdom
You may also reach out to our data protection officer at dpo@thecosmegroup.com.
If you are not satisfied with our response and are in the European Union or United Kingdom, you may have a right to lodge a complaint with your local supervisory authority.
15. Additional Information for California Residents
If you are a California resident, you have specific rights under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). This section provides additional details about our practices and your rights under California law.
15.1 Categories of Personal Information Collected, Used and Disclosed
In the preceding 12 months, we may have collected and disclosed the following categories of personal information for business or commercial purposes:
- Identifiers – such as your name, email address, phone number, or other similar identifiers.
- Commercial information – including purchase history and consumer preferences.
- Internet or network activity – such as browsing history, search history, and interactions with our website or ads.
- Geolocation data – general location information, such as city or region.
- Inferences – drawn from other data to create a profile reflecting preferences or interests.
- Sensitive personal information – such as login credentials or limited demographic information provided voluntarily (e.g., race, ethnicity), collected only for specific features like community tags or personalized content.
We may disclose this information to:
- Our service providers and contractors (e.g. hosting, delivery, analytics, and marketing platforms)
- Legal and regulatory authorities, when required
- Affiliates within The COSME Group
- Advertising partners and technology providers
- Third-party platforms that support our campaigns and audience management
We do not sell personal information for monetary compensation. However, we may “share” personal information (as defined under California law) for the purposes of cross-context behavioral advertising.
15.2 Shine the Light
California residents may request information regarding our disclosure of personal data to third parties for their direct marketing purposes (where applicable). To make such a request, please contact us using the details provided in the “Contact Us” section.
15.3 Notice of Financial Incentive
From time to time, we may offer programs that provide benefits (e.g., promotional discounts, referral bonuses, or exclusive offers) in exchange for signing up, referring others, or providing certain personal data. Participation is entirely voluntary and subject to the terms of each program. You may withdraw at any time by contacting us. We do not assign a specific monetary value to your personal data, but incentives are reasonably related to the value of the data provided and used.
15.4 Your California Privacy Rights
California residents have the right to:
- Access the categories and specific pieces of personal data we have collected about you.
- Request deletion of your personal information, subject to exceptions.
- Correct inaccurate personal data we hold about you.
- Opt out of the sale or sharing of your personal information.
- Limit the use of sensitive personal information (where applicable).
Non-discrimination means we will not treat you differently for exercising your privacy rights.
You may exercise these rights by submitting a request via the “Contact Us” section below. To protect your information, we may verify your identity before processing any request.
If you are an authorized agent making a request on behalf of a California resident, we may require additional documentation.