Personal data policy
This privacy policy sets out how Aroma-Zone uses and protects your personal data through your interactions with us, including when making purchases with us (online or in store) or when using our website at www.aroma-zone.com. We keep our privacy policy under regular review. This version was last updated on 3 June 2025. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
Data Controller
Aroma-Zone (Group) is made up of different legal entities. This privacy policy is used on behalf of the Group so when we mention ‘Aroma-Zone’, ‘we’, ‘us’ or ‘our’ in this privacy policy, we are specifically referring to one of the following companies:
Hyteck Aroma-Zone SA
Postal address: 25 rue de l'Ecole de Médecine, 75006 Paris, France
Aroma-Zone UK Ltd
Postal address: Becket House, 1 Lambeth Palace Road, London, England, SE1 7EU
We will let you know which entity will be the controller for your data when you purchase a product with us. Hyteck Aroma-Zone SA is the controller and responsible for handling personal data on our website. We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. You can contact our DPO using the information set out below.
Contact details
If you have any questions about this privacy policy or about the use of your personal data, including any requests to exercise your legal rights, please contact our DPO in the following ways:
Email: dpo@aroma-zone.com
Postal address: DPO, Aroma Zone, 1366 Route de Gordes, 84220 Cabrières d’Avignon, FRANCE
Telephone: +44 203 318 1690
If you have any questions about your customer account, your orders or our shops, or if you would like advice on how to use our products, please go to the "Contact Customer Service" section on our website.
How does Aroma-Zone use your data?
The types of personal data we collect about you and how we use it
Personal data means any information about an individual from which that person can be identified.
We may collect, use, store and transfer different types of personal data about you as described below. We also describe the legal basis we rely on to do so and we have identified what our legitimate interests are where appropriate.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. By law we have to keep basic information about our customers for six years after they cease being customers for tax purposes.
In some circumstances you can ask us to delete your data: see paragraph ‘Your rights regarding your data’ for further information.
Your in-store purchases
Types of data collected: contact data such as email address or telephone number.
Purpose: to provide you with a paperless purchase receipt.
Legal basis: legitimate interests of Aroma-Zone as part of its commercial management and compliance with its legal obligations.
Retention period: we keep records of transactions for a period of 6 years.
Your purchases on the aroma-zone.com website
Types of data collected: transaction data such as the contents of your basket; identity data such as first name and surname; contact data including delivery address and billing address as well as financial data such as payment card details.
Purpose: to process and deliver your order, including managing payment.
Legal basis: performance of a contract with you.
Retention period: data related to online orders is kept on your account for 6 years from the delivery of your order or until your account is deleted. Data relating to shopping baskets is kept for 3 months, and data sent to our service providers for delivery of your order is kept for 12 months.
Collecting your feedback
Data collected for feedback: contact details, product ordered, date of purchase, feedback request and feedback given.
Purposes and legal basis: this information is used to collect your opinion on products purchased or your purchasing experience, on the basis of your consent.
Retention period: duration of the review's publication or until consent is withdrawn.
Your Aroma-Zone account
Types of data collected: identity data such as first name, surname, gender and date of birth; contact data such as email address; profile data such as username and password as well as your interests, preferences, loyalty card details and recipe book.
Purpose: to register you as a new customer and to manage our relationship with you.
Legal basis: performance of a contract with you; necessary to comply with a legal obligation; and necessary for our legitimate interests (to keep our records updated and manage our relationship with you).
Retention period: we retain this data for as long as your account is active and for a period of 6 years after you ceased to be a customer.
Our newsletters
Types of data collected: identity data such as first name and surname, contact data including email address, postal address and telephone numbers as well as marketing and communications data which includes your preferences in receiving marketing from us and your communication preferences.
Purpose: to send you relevant marketing communications and make personalised suggestions and recommendations to you about our products that may be of interest to you based on your profile data.
Legal basis: necessary for our legitimate interests (to carry out direct marketing, develop our products and grow our business) or consent, having obtained your prior consent to receiving direct marketing communications.
Retention period: we retain this data for 3 years from the last contact from you unless you object.
Our launch offers and product discoveries
Types of data collected: identity data such as first name, surname and age range; contact data such as email address and delivery address; skin data such as your skin type and your product preferences and profile data including your preferences, feedback and survey responses.
Purpose: to allow you to participate in launch offers which include sending you products for you to try and provide feedback on.
Legal basis: performance of a contract with you; necessary for our legitimate interests (to study how our customers use our products, develop them and grow our business).
Retention period: for the duration of the application phase and, if you are selected, for product testing, then archiving for 5 years.
Your workshop bookings
Types of data collected: identity data such as first name, surname and date of birth; contact data including email address and telephone number; booking data such as additional requests, requests for a reminder by email and health-related questions as well as financial data including payment card details.
Purpose: to process your order and manage your workshop bookings.
Legal basis: performance of a contract with you.
Retention period: 6 years from the completion of the workshop or until your account is deleted.
Your Beauty Appointment bookings with experts
Types of data collected: identity data such as first name, surname and age; contact data including email address and telephone number; booking data such as age range, skin type and hair type as well as financial data including payment card details.
Purpose: to process your order and manage your booking and appointments.
Legal basis: performance of a contract with you.
Retention period: until the date of the appointment and the data will then be archived on a separate server for a period of 6 years.
Your interactions with our Customer Service department
Types of data collected: identity data such as first name, surname, date of birth and gender; contact data including email address and telephone number; transaction data including details about the products you have purchased from us, order numbers and payments from you as well as profile data including your account details and preferences.
Purpose: to deal with your requests, complaints and queries.
Legal basis: necessary for our legitimate interests (to manage our relationship with you and keep our records updated).
Retention period: 5 years from the date of the complaint. Prospective customers' data regarding requests for information is kept for 3 years from last contact.
Your answers to our beauty questionnaires or personalisation of neutral bases
Types of data collected: identity data such as first name, surname, age and gender; contact data including email address and beauty data including data about your skin type and tone, make-up habits, frequency of exposure to the sun, smoking information, area of the face to be treated, any concerns, product preferences, scent preferences, allergies.
Purpose: to enable us to respond to your requests in a personalised manner (e.g. hair routine, face routine).
Legal basis: performance of a contract with you.
Retention period: for the duration of account activity and until you delete your account. Otherwise, after a period of inactivity on your account of 2 years.
Job applications
Types of data collected: identity data such as first name and surname; contact data such as email address and telephone number and application data such as CV and cover letters.
Purpose: to enable us to search for relevant profiles (unsolicited applications and responses to job offers) and to manage recruitment procedures.
Legal basis: our legitimate interests in the context of our recruitment activities; execution of pre-contractual measures when the candidate is selected and/or consent.
Retention period: as long as is necessary to complete the recruitment process. If the candidate is selected, their data will be included in their administrative file and kept for the period applicable to this file. If the unsuccessful candidate does not consent to their data being kept in our CV database, we will delete their data after 3 months following the decision to refuse. If the unsuccessful candidate consents to their data being kept in our CV database, we will delete their data after 2 years following the last contact.
Direct marketing
During the registration process on our website or in-store when your personal data is collected, you will be asked to indicate your preferences for receiving direct marketing communications from us via [EMAIL, SMS, TELEPHONE, POST].
We may also analyse your identity, contact and profile data to form a view on which products and offers may be of interest to you so that we can then send you relevant marketing communications.
Who has access to your data?
Recipients of your data
We may share your personal data where necessary with the parties set out below for the purposes set out in the preceding section:
Internal third parties: companies of our Group.
External third parties: bankers, auditors and other professionals.
Specific third parties such as IT service providers, sales and marketing canvassing, travel management suppliers, reception and event management companies as well as security management companies.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
How is your data processed on social networks?
Aroma Zone has a presence on social networks (Instagram, Facebook, TikTok, Snapchat, etc.) where you can interact directly with us.
Your use of these social networks may lead to exchanges of personal data about you between Aroma-Zone and these social networks, based on your consent.
The privacy and security practices of these social networks are not covered by this privacy policy.
We therefore recommend that you refer to the privacy policy of these social networks for more information.
International transfers
We share your personal data within the Aroma-Zone Group. This will involve transferring your data outside the UK to our overseas offices in France and Belgium. Those countries provide the same level of data protection as English law and any transfers to such countries are made pursuant to the UK government's adequacy decision in favour of countries in the EEA.
Your data is hosted on the European servers of APTUM, a SASU with capital of 3,000 euros, registered with the Nanterre Trade and Companies Register under number 840 569 156 and whose registered office is located at 12 RUE SOLFERINO 92100 BOULOGNE-BILLANCOURT FRANCE.
Your data may be transferred to and processed in a country outside the European Economic Area (EEA) and the UK, in particular by our Klaviyo and Cheetah Messaging emailing solutions, social networks or Google. In such cases, Aroma-Zone ensures a similar degree of protection is afforded to it by ensuring that the safeguards are in place and using only specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK, namely the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers. To obtain a copy of these contractual safeguards, please contact us. Aroma-Zone takes the necessary steps with its subcontractors and/or partners to guarantee an adequate level of protection for your data, in full compliance with the applicable regulations.
How do we protect your personal data?
Aroma Zone secures your personal data by putting in place appropriate physical, organisational and technical measures to prevent unauthorised access, alteration, use, disclosure, modification or destruction, in accordance with the relevant legislation.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Although Aroma Zone makes every effort to protect your personal data, we cannot ensure the security of information transmitted to our website when it travels over the Internet using an unsecured protocol.
What rights do you have over your data?
Your rights regarding your data
You have a number of rights under data protection laws in relation to your personal data.
You have the right to:
Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
You also have the absolute right to object at any time to the processing of your personal data for direct marketing purposes.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
If you want us to establish the data's accuracy;
Where our use of the data is unlawful but you do not want us to erase it;
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
How can you exercise your rights?
You can exercise your rights at any time via:
our dedicated contact form;
by sending an e-mail to dpo@aroma-zone.com;
by post: To the attention of the Data Protection Officer, Aroma Zone, 1366 Route de Gordes, 84220 Cabrières d’Avignon, FRANCE
You can also modify some of your data directly in your customer account.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Complaints
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Cookies
For more information about the cookies we use on our website and how to change your cookie preferences, please see our Cookie policy.