1. INTRODUCTION
Rituals Cosmetics Enterprise B.V. (Keizersgracht 683, 1017 DW Amsterdam, The Netherlands) and our affiliated companies (hereinafter: “Rituals”, “we” or “us”) are committed to the proper handling of personal data, in accordance with applicable privacy laws (including where relevant the General Data Protection Regulation).
To ensure your privacy as far as possible, we adhere to the following core values:
In this Privacy Policy (“Privacy Policy”) we describe (i) how we implement these core values to protect your privacy, (ii) how we collect, use, disclose and otherwise process your personal data, and (iii) the rights and choices you have regarding such personal data. We strongly urge you to read this statement carefully, as it applies to our processing of personal data about customers and prospective customers, including purchasers of our products (“Products”), whether online or in one of our stores or via other Rituals’ points of sale, loyalty program members, visitors to our stores, and users who visit and access our websites, apps, or otherwise interact with us or use our services and applications (collectively referred to as: the “Services”).
Our use of the term “personal data” includes “personal information” and other similar terms as defined under applicable privacy laws.
California residents. If you are a California resident, please be sure to review Section 13 “Information for California Residents” below for important information, as required by California privacy laws, about the categories of personal information we collect, use and disclose and your rights under California privacy laws.
2. PERSONAL DATA WE COLLECT AND USE
We collect personal data about you directly (such as when you buy our Products or provide information to us on and offline), automatically (such as when you access our website or use our services), and, in some cases, from third parties (such as social networks when you interact with us or discuss us on social media).
In general, the personal data we collect about you include the following personal data:
3. PURPOSES OF USE OF PERSONAL DATA
The personal data we collect is exclusively used for the following purposes:
For the performance of our agreement with you: In order to carry out our obligations arising from any contracts entered into between you and us, and to provide you with the Products, Services and information that you request, including managing and handling your requests, inquiries or complaints. This also includes enabling you to make a purchase of our Products, to participate in our MyRituals program, responding to your requests to provide customer service, responding to your inquiries, providing you with essential information regarding our Products and Services you request, etc.
For our legitimate commercial interests: We use your personal data as described above (both on aggregated and on individual basis) for the purpose of advertising our Products and Services, to contact you via e-mail, regular mail, social media or otherwise for direct marketing or other commercial purposes. We also use your personal data to validate that the age requirements for creating a MyRituals account are met and to send you a birthday gift. Furthermore, we use your personal data for analyzing and improving the quality of our Products and Services, such as providing you with customer services and aftersales, and to understand you as a customer (customer optimization). This enables us to assess what may interest you, to measure or understand the effectiveness of advertising we serve to you and others and to deliver relevant advertising. In addition, based on your use of our Services and Products you purchased, we may target you with advertisement or other marketing materials that are customized to your personal preferences and experiences.
Improving and analyzing our products and services:
We may also use your personal data for our other legitimate commercial interests, such as to operate and expand our business activities; to develop and improve or modify our Products and Services; to better understand how our services and website are accessed and used, in order to administer, monitor, and improve our services, for our internal purposes, and to generate aggregated statistics about the users of our Products and Services for research and analytical purposes.
In support of our general business operations: Where necessary for the administration of our general business, accounting, record keeping and legal functions, including to analyze operational and business results and risks, and maintain business records; to operate company policies and procedures; to enable us to negotiate or enter into corporate transactions, such as any merger, sale, reorganization, transfer of Rituals’ assets or businesses, acquisition, bankruptcy, or similar event; or for other legitimate business purposes permitted by applicable law.
To secure and Protect our assets and rights: to protect and defend our (and others’) rights, property or safety; to prevent abuse and fraud related to online sale of our products and to monitor the compliance with our House Rules for the use of our website(s) and apps; to protect our business operations, secure our network and information technology, assets and services; unauthorized activities, access and other misconduct; where we believe necessary to investigate, prevent or take action regarding suspected violations of our General Terms and Conditions and other agreements with you, as well as fraud, illegal activities and other situations involving potential threats to the rights or safety of any person or third party.
Complying with Legal Obligations: To comply with the law or legal proceedings. For example, we may use information in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements.
Use of information based on your consent: Under certain circumstances we will also ask your consent for the processing of your personal data. For example, when you have not purchased our Products but would like to receive (MyRituals) direct marketing communications (such as newsletters, promotions, news on products) via email, other electronic means or telephone. Or when you would like to participate in our raffles, contests or our marketing campaigns.
For children under the age of 16 we require that consent of their parent or legal guardian be provided in order to make a purchase. You can withdraw your consent at any time (see under Section 12A below).
4. SOCIAL MEDIA
You may find or engage with Rituals content on third-party sites, apps or social media services, such as Facebook, Twitter, Pinterest, Instagram, LinkedIn, etc. Please note that the respective third-party privacy policies and terms apply to those sites and services, not Rituals. You should be familiar with and understand the tools provided by those third parties that allow you to make choices about how you share personal data in your social media profile(s).
We encourage you to read the applicable privacy notices, terms of use and related information about how your personal data is used in these third party environments.
Please note that depending on your choices and settings on these third party web and social media sites (and/or in combination with your settings on the Rituals pages), certain personal data may be shared by third parties with Rituals about your online activities and social media profiles (e.g. interests, marital status, gender, username, photo, comments and other content you have posted/shared on your social media profile).
5. SHARING YOUR PERSONAL DATA
We share your Personal Data with the following parties:
- Service providers, suppliers (such as IT service providers) and sub-contractors;
- Customer service and call centers, to assist us with the Consumer Service-department;
- Advertising and media companies that carry out marketing and media activities on our behalf (including affiliate marketing);
- Analytics and search engine providers that assist us in the improvement and optimization of our website and apps, such as Google Analytics.
In providing their services, these third parties may access, receive, maintain or otherwise process personal data on our behalf. Our contracts with these service providers do not permit use of your personal data for their own commercial purposes. Consistent with applicable legal requirements, we take commercially reasonable steps to require such third party suppliers to adequately safeguard your personal data and only process it in accordance with our instructions.
6. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA
Rituals is headquartered in the European Union, where most of the data processing takes place. However, please be informed that Rituals may transfer and process any Personal Data you provide to us to and in countries other than your country of residence. Data protection laws in these countries may not be considered to provide an equivalent level of protection to your Personal Data in your jurisdiction. Rituals will therefore seek to ensure that your personal information is subject to appropriate safeguards. For additional information regarding the mechanism under which your personal data is transferred outside of your country, and to receive a copy of such documentation you may make a request by emailing us at privacy@rituals.com.
7. SECURITY
We will take reasonable steps to implement appropriate technical, physical, and organizational measures designed to protect your personal data against unauthorized or unlawful use, alteration, unauthorized access or disclosure, accidental or wrongful destruction, and loss. Please be aware that despite our efforts, no data security measures can guarantee security.
We take steps to limit access to your Personal Data to those persons who need to have access to it for one of the purposes listed in this Privacy Policy. Furthermore, we contractually ensure that any Third Party supplier processing your Personal Data equally provides for confidentiality and integrity of your data in a secure way.
8. DATA RETENTION
We generally retain your Personal Data for as long as required to satisfy the purpose for which they were collected and used (for example, for the time necessary for us to provide you with customer service, answer queries or resolve technical problems), unless a longer period is necessary to comply with our legal obligations, resolve a dispute, maintain appropriate business records, enforce our agreements, or to defend a legal claim.
9. CHILDREN
Our Services are not targeted to minors under the age of sixteen (16) and we do not knowingly or specifically collect personal data about minors under the age of 16. If you believe we have unintentionally collected such data, please notify us as set out in the Contact Us section below.
10. YOUR RIGHTS
Subject to the conditions set forth in the applicable law, you have the following rights with regard to our processing of your Personal Data:
For further information regarding your rights, or to exercise any of your rights, please complete this Privacy Request Form.
If you are a California resident, please review Section 13, which includes information about your rights under California privacy law and how you can exercise these rights.
11. CHANGES TO THE POLICY
This Privacy Policy may be revised from time to time. If we make changes to this Policy, we will post the updated version of this Policy on our website. If the changes materially affect the way we collect, use, disclose or otherwise process your personal data, we will endeavor to notify you in advance of such change(s), such as by sending a notice to the primary email address associated with your account or by posting a notice on the website. We encourage you to periodically check back and review this Policy for the latest updates.
12. CONTACT US
If you have any queries about this Privacy Policy or our handling of your Personal Data in general, please email us at privacy@rituals.com and be sure to indicate the nature of your query.
13. INFORMATION FOR CALIFORNIA RESIDENTS
In this section, we provide additional information for California residents, as required under California privacy laws including the California Consumer Privacy Act (“CCPA”). This section does not address or apply to our handling of publicly available information lawfully made available by state or federal government records or other personal information that is exempt under the CCPA. While our collection, use and disclosure of personal information varies based upon our relationship and interactions with you, in this section we describe, generally, how we may collect (and in the prior 12 months have collected) personal information about California residents, as well as how we have disclosed such information for a business purpose.
Personal Information Collection
Category: Identifiers
Description: Includes direct identifiers, such as name, alias user ID, username, account number; email address, phone number, address and other contact information; IP address and other online identifiers; SSN, driver’s license number, passport number, tax ID and other government identifiers; and other similar identifiers.
Categories of Third Parties to Whom We May Disclose this Information:
Category: Customer Records
Description: Includes personal information (such as name, account name, user ID, contact information, employment information, account number, and financial or payment information), that individuals provide us in order to purchase or obtain our products and services. For example, this may include account registration information, or information collected when an individual purchases or orders our products and services or enters into an agreement with us related to our products and services.
Categories of Third Parties to Whom We May Disclose this Information:
Category: Commercial Information
Description: Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.
Categories of Third Parties to Whom We May Disclose this Information:
Category: Internet and Other Electronic Network Activity Information
Description: Includes browsing history, clickstream data, search history, access logs and other usage data and information regarding an individual’s interaction with our websites, mobile apps and other Services, and our marketing emails and online ads.
Categories of Third Parties to Whom We May Disclose this Information:
Category: Audio, video and electronic data
Description: Includes audio, electronic, visual, thermal, olfactory, or similar information such as CCTV footage (e.g., collected from visitors to our offices/premises), photographs and images (e.g., that you provide us or post to your profile) and call recordings (e.g., of customer support calls).
Categories of Third Parties to Whom We May Disclose this Information:
Category: Geolocation
Description: Information such as location information about a particular individual or device.
Categories of Third Parties to Whom We May Disclose this Information:
Category: Education information
Description: Information about an individual’s educational history such as the schools attended, degrees you were awarded, and associated dates.
Categories of Third Parties to Whom We May Disclose this Information:
Category: Inferences
Description: Includes inferences drawn from other personal information that we collect to create a profile reflecting an individual’s preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities or aptitudes. For example, we may analyze personal information in order to identify the offers and information that may be most relevant to customers, so that we can better reach them with relevant offers and ads.
Categories of Third Parties to Whom We May Disclose this Information:
Category: Sensitive personal information
Description: In limited circumstances, we may collect:
• [Social security, driver’s license, state identification card, or passport number.]
• [Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.]
• [Precise geolocation.]
• [Racial or ethnic origin, religious or philosophical beliefs, or union membership.]
• [The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.]
• [Genetic data.]
• [Biometric information.]
• [Personal information collected and analyzed concerning a consumer’s health.]
• [Personal information collected and analyzed concerning a California resident’s sex life or sexual orientation.]
Categories of Third Parties to Whom We May Disclose this Information:
• [TBD]
Aggregate and Non-Identifiable Information. As permitted by CCPA, we may collect, use, share, disclose, and otherwise process aggregate, anonymous, and in some cases de-identified information related to our business and the Services for research, marketing, analytics, and other purposes. Where we use, disclose or process de-identified information, we will maintain and use this information in de-identified form and will not attempt to reidentify the information, except in accordance with applicable privacy laws.
Sales and Sharing of Personal Information. Categories of Personal Information Sold. The CCPA defines ‘sale’ as disclosing or making available personal information to a third party in exchange for monetary or other valuable consideration, and ‘share’ broadly as disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising. We do not disclose personal information to third parties in exchange for monetary compensation. We may sell or share (as broadly defined by the CCPA): identifiers and internet and other electronic activity information to third-party ad companies, data analytics providers, and social media companies (e.g., through third-party tags and social buttons on our websites), in order to improve and measure our ad campaigns and reach our customers and potential customers with more relevant ads and tailored content. Where relevant, users can opt out of third-party tags and cookies, other than those that are “necessary”, by adjusting their cookie settings here. We do not knowingly sell or share sensitive personal information about California residents, nor do we sell or share any personal information about California residents we know to be younger than sixteen (16) years old.
Sources of personal information. As further described in the Section ‘Personal Data We Collect and Use’ above, we may collect personal information from the following sources:
Purposes of Collection, Use and Disclosure. As described in more detail in the Section “Purposes of Use of Personal Data” and the Section “Sharing Your Personal Data” above, we collect, use, disclose and otherwise process the above personal information for the following business or commercial purposes and as otherwise directed or consented to by you:
Sensitive Personal Information. Notwithstanding the above, should there be any sensitive personal information, we only use and disclose this as authorized pursuant to the CCPA. Accordingly, we will only use and disclose sensitive personal information as reasonably necessary (i) to perform our services requested by you, (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents, (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct, (iv) to verify or maintain the quality and safety of our services, (v) for compliance with our legal obligations, (vi) to our service providers who perform services on our behalf, and (vii) for purposes other than inferring characteristics about you.
Retention. We generally retain your personal information for as long as required to satisfy the purpose for which they were collected and used (for example, for the time necessary for us to provide you with customer service, answer queries or resolve technical problems), unless a longer period is necessary to comply with our legal obligations, resolve a dispute, maintain appropriate business records, enforce our agreements, or to defend a legal claim.
California residents’ rights. Subject to the exceptions set forth under the CCPA, in general, California residents have the following rights with respect to their personal information:
Submitting CCPA requests. California residents (or their authorized agents) may submit verifiable CCPA requests to know (access), correct, and delete their personal information by submitting a request online via our privacy request form. You may also submit a request to us by phone at 1-855-635-8537 (US Toll Free). We will respond to California residents’ requests as required by the CCPA. You must complete all required fields on our online privacy request webform (or otherwise provide us with this information via phone). We will take steps to verify your request by matching the information provided by you with the information we have in our records. If we are unable to adequately verify a request, we will notify the requestor. In some cases, we may request additional information in order to verify your request or where necessary to process your request. Authorized agents may initiate a request on behalf of another individual by contacting us through the above listed method; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
Submitting an Opt-Out Request. You (or your authorized agent) may also submit a request to opt out of “sales” and “sharing” as defined by the CCPA by turning on “global privacy control”—or GPC—signals for your browser. If we recognize that your browser is transmitting a GPC signal, we will opt that browser out of “sales” and “sharing” (i.e., via third party tags and cookies for our website). You may also click the [“Do Not Sell or Share My Personal Information”] link (as well as the “Cookie Settings” link) in the footer of our website and turn off all cookies (other than those that are strictly necessary to the operation of our website), to opt out of sales and sharing (i.e., via cookies and tags on our website).
Please note that your opt out is browser and device specific. If you come to the website from a different device or a different browser on the same device, you will need to apply your preferences or turn on GPC for that browser or device as well.
Financial Incentives. We may make available certain programs or offerings that are considered “financial incentives” under the CCPA (each a “Program”). Your participation in a Program is entirely voluntary, and you are free to withdraw from the Program any time. If you choose to register for and participate in a Program, we may make available to you certain incentives, such as special offers, programs, discounts and other benefits, as described here in the Terms and Conditions of our My Rituals Membership program. The value of these incentives is reasonably related to the value of the personal information we collect and process in relation to the Program. In our analysis, when estimating the value of the personal information, we take into account, without limitation, the expenses that are incurred with the collection of your personal information, the offering and administration of the incentives (including third-party costs), any improvements made to our products and services based on the information obtained through the Program and the revenue generated by the use of the financial incentive by our customers.
For more information about our privacy practices, you may contact us as set forth in the Contact Us section above.