Who are we?
et al. is based at Riverside House, 2A Southwark Bridge Road, London SE1 9HA and is part of the International Institute for Active Ageing. At the IIAA, we offer world-class skin consultancy and training to salons across the UK backed up by a range of market-leading skin supplements and products available both to salons and direct-to-end customers.
We operate conscientiously within the requirements of the General Data Protection Regulations 2016 (GDPR) and the Data Protection Act 2018 and other electronic marketing legislation. We work within the principles of fair data processing, namely:
- - Using information in a way that people would reasonably expect.
- - Thinking about the impact of our processing.
- - Being transparent and ensuring that people know how we'll use their information.
This statement (together with our Terms and Conditions), as may be amended from time to time by updates on this page, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us, as data controller and a data processor. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
What this Privacy Statement covers
This statement covers how we treat any personal information that we collect and receive either from our website or as part of our broader operating processes. We do not sell or pass on any personal information about our customers, prospective customers or employees for marketing purposes without their express consent. Some data we collect may be stored on secure third-party platforms and in these cases, we have satisfied ourselves that these are robust. Some data will be shared with third party suppliers to facilitate order fulfilment – for example our finance partner and logistics providers.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy statement.
2. Information we collect
Information is collected when you fill in forms on our site. This includes information provided at the time of registering to use our site, subscribing to our service, posting material or requesting further services. We may also ask you for information when you report a problem with our site.
- - If you contact us, we may keep a record of that correspondence.
- - Details of transactions you carry out through our site and of the fulfilment of your orders.
- - Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
- - Sensitive personal data you provide us with - i.e., data relating to your health and/or racial origin (e.g., before and after photography and face scans, your conditions, treatments received, testimonials)
- - We may collect personal data from other social media accounts belonging to you if you log in to our website via a social media account. You should refer to the privacy notice on your social media account if you wish to know how the social media account provider processes your personal data.
2.1 Sharing Your Data
When you give us consent to use your Data for Marketing Purposes (and specifically give us consent to share it with others) we will share it with:
- - Our UK and Ireland Salon customers
- - Our international distributors - who will then share it with their salon customers
For details on our international distributors, please contact our Customer Services on +44 (0)20 8438 3270 or email them at firstname.lastname@example.org
Please note: the current EU states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
EEA states are Iceland, Norway and Liechtenstein.
The EEA Joint Committee has ruled that data transfers to the above and also to the following non-EU countries are not “restricted”:
Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
The Commission has also made partial findings of adequacy about Canada and the USA:
- - The adequacy finding for Canada only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. For more details please see the Commission's FAQs on the adequacy finding on the Canadian PIPEDA.
- - The adequacy finding for the USA is only for personal data transfers covered by the EU-US Privacy Shield framework.
The Privacy Shield places requirements on US companies certified by the scheme to protect personal data and provides for redress mechanisms for individuals. US Government departments such as the Department of Commerce oversee certification under the scheme.
BY GIVING US YOUR CONSENT TO SHARE YOUR DATA FOR MARKETING PURPOSES YOU ARE ALLOWING YOUR DATA TO BE TRANSFERRED TO SOME COUNTRIES THAT ARE OUTSIDE OF THE ABOVE ARRANGEMENTS - THIS ACTIVITY IS CALLED A “RESTRICTED TRANSFER”. WE ARE ABLE TO MAKE THE RESTRICTED TRANSFER BECAUSE OF AN “EXCEPTION” - IE YOUR EXPLICIT CONSENT / PERMISSION FOR US TO DO SO. FOR YOUR CONSENT TO BE EXPLICIT YOU NEED TO GIVE IT IN AN INFORMED CONTEXT WITH US HAVING TOLD YOU:
- - The identity of the receiver, or the categories of receiver - i.e. our UK and Ireland Salon customers and our international distributors
- - The country or countries to which the data is to be transferred - i.e. please refer point (b) above under Sharing Your Data
- - Why we need to make a restricted transfer - i.e. to share your story with others
- - The type of data - where you have indicated, your before and after photography and face scans, your conditions, treatments received, testimonials and naming convention you have given us (your contact details will not be passed on)
- - Your right to withdraw at any time consent in the future (If you withdraw your consent we will stop processing your personal data. This will not affect the lawfulness of us having processed your personal data based on your consent prior to you withdrawing it)
- - The possible risks involved in making a transfer to those countries outside of the non-restricted areas described where there may not be equivalent or adequate protection for personal data, for example, no local supervisory authority, or no (or only limited) individual data protection or privacy rights.
et al. makes you aware as above and also that in the interests of protecting your right to withdraw consent, we have in place data sharing agreements with distributors, who will remove your data if we request them to.
2.2 Opting Out of Marketing Communications
Subject to paragraph 8, you can follow this link to contact us and unsubscribe to Et al marketing emails.
2.3 IP Addresses and Cookies
We may also collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns and does not identify any individual.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
2.4 Uses made of the information
We use this information held about you in the following ways:
- - To ensure that content from our site is presented in the most effective manner to you and to your computer
- - To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
- - To carry out our obligations arising from any contracts entered into between you and us.
- - To allow you to participate in interactive features of our service, when you choose to do so.
- - To notify you about changes to our service.
We may also contact you by email, post or telephone. Please note that where you have provided sensitive data to us, we will only use your sensitive data for the purpose for which the data was provided to us. We may also process sensitive personal data for equal opportunities monitoring, in relation to legal claims or where it is needed to protect your vital interests (or someone else's vital interests).
If you do not want us to use your data in this way, or wish to withdraw your consent for use of the data, you can do so by contacting us via telephone on 0208 438 3270 or email at email@example.com
Please note that at the time you contact us, it may be the case that we no longer process, hold or store your personal information/data as data processor, in which case we would advise you of this and the need to contact the data controller.
2.5 Legal basis for processing your personal data
The legal bases we rely on for processing your personal data are:
- - Your consent - e.g. when you of register to use our site, subscribe to our service or post material on our site
- - Performance of a contract with you - i.e. transactions you carry out through our site and of the fulfilment of your orders
- - Compliance with our legal obligations - e.g. to keep you informed about how we process your personal data and to protect the rights, property, or safety of our customers, prospective customers, stockists or others
- - Vital interests - in limited circumstances, where it is necessary to protect your or someone else's vital interests and you or the other person are not capable of giving consent
- - Our legitimate interests - i.e. to conduct and manage our business and this has been balanced with any potential impact on you (e.g. marketing, keeping our records updated, developing and growing our business, network security, prevention of fraud, or in the context of a business reorganisation)
2.6 Legitimate Interest
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
2.7 Performance of Contract
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
2.8 Your sensitive personal data
We will normally only process your sensitive personal data based on your explicit consent.
We may also process your sensitive personal data where it is needed in the public interest, such as for equal opportunities monitoring. Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent, or where you have already made the information public.
2.9 Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
2.10 If you fail to provide personal data
Where we need to collect personal data by law, or to perform the contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
2.11 Disclosure of this information
We may disclose your personal information to third parties:
- - If et al or substantially all of our assets are acquired by a third party, in which case personal data held by it about our customers, prospective customers, stockists, employees or others will be one of the transferred assets. If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of our customers, prospective customers, stockists or others.
- - Our site may, from time to time, contain links to and from the websites of our partner networks, clients, affiliates or other external websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these privacy policies. Before you submit any personal data to our site, you may want to check the policies of our client, for whom we are collecting the data, and whom for your purposes is the data controller. In the absence of any details being listed on our site, you may contact us at or on the details provided below.
3. Sharing Disclosure, and Retention
(a) Sharing. Et al does not share, sell, rent or trade personal information with any third parties for marketing or promotional purposes unless express consent has been given (see previously).
- - Where consent has been given, our employees and our customers are advised to read the second part of section 2 above thoroughly and to check this policy on a regular basis for updates.
- - Without consent, et al does share small quantities of employee data internally for administrative and legal purposes.
- - It also reserves the right to share data with relevant authorities if compelled to do so to comply with legal obligations. We will use third party payment processors for card transactions to pay for goods and services but these third parties are authorised to use the data only as necessary to provide these services to us and are prohibited from using your personal information for promotional purposes.
(b) Disclosure. Et al may disclose personal information under the following circumstances:
- - In certain situations, we may disclose personal data in response to lawful requests by public authorities, including but not limited to national security or law enforcement requests. We may also disclose your personal information as required by law, such as to respond to court orders, or similar legal processes, to establish or exercise our legal rights or, defend against legal claims, or if in our judgment in such circumstances disclosure is required or appropriate.
(c) Retention. We will retain engagement and transactional information relating to customers and employees for as long as their customer account or employment remains active or as needed to provide our services and where required to comply with our legal obligations, resolve disputes, and enforce our agreements. We will retain data that facilitates the issuing of marketing materials to customers, prospective customers and past customers ongoingly until any such time that we receive a request from them to opt-out.
4. Confidentiality and Security
- - We use physical, electronic, and procedural safeguards to protect personal information - Our IT arrangements aspire to “Data Protection by Design” and should be able to detect a significant data breach. Where such a breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage we will notify the ICO. Where a breach is likely to result in a high risk to the rights and freedoms of individual data subjects, we will also notify those concerned directly and at the earliest practical opportunity. We shall then fully investigate a data breach and implement corrective action to prevent recurrence.
- - By using our services or providing personal information to us, you are consenting to Et al communicating with you electronically regarding security, privacy, and administrative issues related to your use of our services. We may post a notice on our Website if a security breach occurs. In these circumstances, we may also send an email to you at the email address you have provided to us.
- - Data transmissions over the Internet are not 100% secure. Consequently, we cannot guarantee or warrant the security of any information you transmit to us and you do so at your own risk. Once we receive your transmission, we use reasonable efforts to ensure security on our systems.
5. Right to Be Informed
We strive to ensure that all those engaging with us are informed of our arrangements for processing personal data through this Privacy Statement which is linked to from our email signatures and Website home page.
6. Right of Access
We will respond to data requests within 1 month and will only charge for requests that are manifestly unfounded or excessive. If we have grounds to refuse a request we will inform the data subject and make them aware of their right to complain to the ICO or to seek civil action - again within 1 month of receiving the request.
7. Right to Rectification
For personal data obtained directly from a data subject under the legal basis of consent - and obtained indirectly from a data subject under the legal basis of legitimate interest - we will correct any inaccuracies in a data subject's personal data upon receipt of a request. For personal data held under the legal basis of “Contract” or “Vital Interests” or “Legal Obligations” we will endeavour to correct the data upon request but may not be able to do so if changing the data may conflict with our legal obligations or disadvantage us in a future legal action. In cases where we cannot rectify the data for these reasons we shall inform the data subject and make them aware of their right to complain to the ICO or to seek civil action.
8. Right to Erasure
For personal data obtained directly from a data subject under the legal basis of consent - and obtained indirectly from a data subject under the legal basis of legitimate interest - we will erase a data subject's personal data upon receipt of a request / opt-out notification. For personal data held under the legal basis of “Contract” or “Vital Interests” or “Legal Obligations” we will endeavour to erase data upon request but will not be able to do so if holding the data is necessary to fulfil our legal obligations or may be necessary as evidence in a future legal action involving us. In cases where we cannot erase the data for these reasons we shall inform the data subject and make them aware of their right to complain to the ICO or to seek civil action.
9. Right to Restrict Processing
For personal data obtained directly from a data subject under the legal basis of consent - and obtained indirectly from a data subject under the legal basis of legitimate interest - we will restrict the processing of a data subject's personal data upon receipt of a request / opt-out notification. For personal data held under the legal basis of “Contract” or “Vital Interests” or “Legal Obligations” we will endeavour to facilitate the requested restriction upon request but will not be able to do so if restricting the processing of the data prevents us from fulfilling our legal obligations or the current processing of the data may be necessary as evidence in a future legal action involving us. In cases where we cannot restrict the processing of the data for these reasons, we shall inform the data subject and make them aware of their right to complain to the ICO or to seek civil action.
10. Right to Data Portability
For personal data obtained directly from a data subject under the legal basis of consent - we shall provide, upon receiving a request, the data that we hold in a standard, widely accessible format.
11. Right to Object
For personal data obtained directly from a data subject under the legal basis of consent - and obtained indirectly from a data subject under the legal basis of legitimate interest - we will cease to process a data subject's personal data upon receipt of a request / opt-out notification.
12. Changes to this Privacy Statement
Et al reserves the right to revise, modify, or update this statement at any time. We will notify you via email about material changes in the way we treat personal data or by placing a prominent notice on this Website.
13. Contacting Et al
If you have a privacy concern regarding Et al, or this statement, you may contact us via firstname.lastname@example.org.