- Our Commitment
- What Types of Personal Data We Collect
The types of personal data we collect may include but not limited to:
(a) your title, name, gender, telephone number, email address, home, mailing, billing, delivery address or other contact information, your day and month of birth, your payment or credit card information, username and password, and other personal data you voluntarily provide to us; and
(b) IP address, real-time geographic location data, browser settings, browsing records, referring websites, and other internet log on information of your computer, mobile, or other electronic/communication devices.
- How We Collect Personal Data
We may obtain personal information about you in a number of ways, such as:
(a) when you shop at our online or physical stores;
(b) when you participate in our events or promotions;
(c) when you apply for or use our membership card or participate in any of our loyalty or promotion programs;
(d) when you register an account with us;
(e) when you participate in any surveys or marketing campaigns;
(f) when you login to visit our websites, use our mobile applications or view any of our social media pages;
(g) when you use the wifi service at our stores or events;
(h) when you contact us whether in person, by phone, by email or via any social media platforms, to make enquiries or provide information;
(i) when verifying your identity; and
(j) when you subscribe to our marketing or promotional materials.
You are not required to provide the personal information that we request, but we may not be able to provide you with our products, services or benefits or you may not be able to login to our platforms or use certain features without such information.
You have the right to request access to the personal information we have about you, and to request us to make corrections of, update or delete the information. If you live in the EU, you have certain additional rights to your personal information. Please refer to “Your Rights as a Data Subject” in paragraph 11 below.
- Purposes of Collection
Your personal data may be used for one or more of the following purposes (“Purposes”):
(a) communicating with you;
(b) verifying your identity and any accounts you have with us;
(c) administering any loyalty or other marketing, promotional or corporate programs that we are involved in, including providing you with the benefits that you are entitled;
(d) processing your orders for products and services you place with us (such as maintaining your shopping cart, attending to billing, payments, refunds and delivery arrangements);
(e) handling and responding to your inquiries, suggestions or complaints;
(f) conducting customer surveys or organizing events for customers;
(g) providing you with customer service;
(h) conducting analysis to help us better understand our customers and to improve our services and products;
(i) customising the information displayed on our shopping websites/apps and social networking/media platforms to create better customers experience;
(j) designing targeted promotional offers;
(k) conducting advertising activities, including targeted advertising;
(l) conducting direct marketing activities;
(m) fulfilling our obligation to maintain records of processing activities;
(n) meeting legal, regulatory or compliance requirements, dealing with enquires from law enforcement or regulatory bodies or for the purpose of obtaining legal advice; and
(o) any other purposes directly related to any of the above purposes.
We only collect personal data we actually need for or directly related to our specific Purposes. If we intend to use the personal information for purposes other than the above, we will seek your consent prior to using your personal data.
- Direct Marketing
We intend to use your personal information for direct marketing which will include the marketing and promotion of all products and services offered by Gusteau’s. We will not provide your personal information to third parties for use in their direct marketing activities.
You may withdraw your consent for us to use your personal information in our direct marketing activities by indicating your preference where appropriate or request us to change your preference (without any fees), at any time by contacting our representative listed in the “Contact Us” section below. For direct marketing sent by emails, you may also unsubscribe with the link provided at the bottom of our emails.
For customers in Hong Kong and Singapore, we will not use your personal information for the purpose of direct marketing without your consent. We will use your personal information such as name, mobile phone number, email address and/or residential address to inform you of our new beauty products and/or latest promotional and marketing events.
For customers in the EU, we rely on our legitimate interests as the legal basis to send you direct marketing materials unless you object to our use of your personal information in direct marketing. You have the right to opt-out of our direct marketing activities at any time. You can do this by: (a) contacting our representative listed in the “Contact Us” section below; or (b) in the case of emails, by clicking the unsubscribe link at the bottom of the emails. Your withdrawal will be properly documented and withdrawal will not affect the lawfulness of processing before the withdrawal.
- How We Will Use Your Personal Data
We will process (including without limitation collect, store, hold, use, transfer and disclose) the information you provide in a manner compatible with the required laws and regulations. We will endeavour to keep your information secured, accurate and up to date, and not keep it for longer than is necessary.
- Our Legal Basis for Processing Personal Data for Customers in the EU
There are a number of different ways that we are lawfully able to process your personal data. We have set these out below:
Where using your data is in our legitimate interests
We are allowed to use your personal data where it is in our interests to do so, and those interests are not outweighed by any potential prejudice to you.
We believe that our use of your personal data is within a number of our legitimate interests, including but not limited to:
• conducting business by providing services to you, including verifying your identity and any accounts you have with us; administering any loyalty or other marketing activities, processing your orders for products and maintaining your shopping cart, attending to billing, payments, refunds and delivery arrangements; handling and responding to your inquiries, suggestions or complaints; conducting analysis and for other Purposes, providing you with direct marketing communication as you can reasonably expect at the time and in the context of collection of your personal information that processing for direct marketing purpose may take place;
• to help us satisfy our legal obligations (for example, in relation to prevention of money laundering and anti-terrorism);
• to help us understand our customers better and provide better, more relevant services to them;
• to ensure that our service runs smoothly;
• to help us keep our systems secure and prevent unauthorised access or cyber-attacks; and
• to drive commercial value for the benefit of our shareholders.
Where you give us your consent to use your personal data
We are allowed to use your data where you have specifically consented. In order for your consent to be valid:
• It has to be given freely, without us putting you under any type of pressure;
• You have to know what you are consenting to – so we will make sure we give you enough information;
• You should only be asked to consent to one thing at a time – we therefore avoid “bundling” consents together so that you do not know exactly what you are agreeing to; and
• You need to take positive and affirmative action in giving us your consent – we are likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this in the “Contact Us” section below.
Where using your personal data is necessary for us to carry out our obligations under our contract with you
We are allowed to use your personal data when it is necessary to do so for the performance of our contract with you. For example, we need to collect your credit card and bank account details in order to be able to process your payments.
Where processing is necessary for us to carry out our legal obligations
As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations.
- Cookies and Other Automated Means
(a) Strictly Necessary Cookies. These cookies are essential, as they enable you to browse our website and use its features, such as accessing log-in or secured areas. These cookies cannot be switched off or otherwise the website would not work properly. However, these cookies do not store any personal data.
(b) Functionality Cookies. These cookies are used to enhance your shopping experience. For example, they allow us to remember what your preferred country is and what items you have added to your shopping cart when you visit our website again. The information these cookies collect may be anonymous, and they are not used to track your browsing activity on other sites. They are optional to users.
(c) Targeting Cookies. Many of these are provided by third parties. These cookies can remember that your device has visited a site, and may also be able to track your device’s browsing activity on other sites. Examples of what we are using are Google Analytics and Adobe Analytics. Such information may be shared with other advertising networks to deliver the advertising. Again, you can block these cookies.
If you continue without changing your setting, you have consented to use of all our cookies in this website.
How to control and delete cookies
You can set your browser to block some or all cookies. Please refer to the following links for your browser:
Internet Explorer: https://support.microsoft.com/en-gb/help/17442/
Note that if you set your browser to disable cookies, you may not be able to access certain parts of our website and other parts of our service may not work properly.
Apart from cookies, we may also collect information by automated means when you visit any of our mobile or on-line platforms, such as web server logs. Web server logs are records of activity created by the mobile device or computer that delivers the webpages you request to your browser. For example, a web server log may record the search term you entered or the link you clicked to bring you the webpage. The web server log also may record information about your browser, such as your IP address and the cookies set on your browser by the server. Information collected from these automated means may be used for some of the Purposes.
Our stores are equipped with CCTV cameras for security reasons. Information obtained through the CCTV system will only be used in compliance with the requirements of the applicable data protection laws in your jurisdiction and will not be kept for longer than is necessary.
- What Information We Share and How We Share Them
We may disclose or transfer your personal data to companies within Gusteau’s or to any third party service providers or business partners, whether within or outside your jurisdiction, as necessary on a need-to-know basis to fulfil any of the Purposes. For transfer of personal data outside your jurisdiction, we will adopt contractual or other appropriate measures to safeguard your personal data, to provide a standard of protection at least comparable to that standard under the data protection laws in your jurisdiction, and to use them only to fulfil the above Purposes on our behalf or otherwise in accordance with any other cross-border data transfer mechanisms under the data protection laws of your jurisdiction.
We may also disclose or transfer your personal data to any other party when we believe such disclosure or transfer is required for legal or regulatory reasons or where it is necessary to protect our interests (as permitted by law), for example, to our insurers in cases of potential claims.
We also reserve the right to transfer your personal information with us in the event we are involved in any merger, acquisition or corporate reorganization (as permitted by law).
- Your Rights as a Data Subject
You have the right to request a copy of the information that we hold about you and to correct the personal data that we hold about you that is inaccurate or incomplete. We will seek to deal with your request without undue delay, and in any event within the applicable time period under the data protection laws in your jurisdiction (subject to any extensions to which we are lawfully entitled). In the event that we refuse your requests to have access to or correction of your personal information, we will provide you with a reason as to why.
For customers in Singapore, you have the right to withdraw your consent for the collection, use or disclosure of your personal data at any time by writing to us using one of the channels set out in the “Contact Us” section below. Upon the receipt of such withdrawal of consent, we will cease to collect, use and disclose your personal data unless otherwise permitted by law. However, such withdrawal of consent is likely to affect our ability to continue to provide products and services to you. You also have certain personal data rights, including to access what personal information we have about you, make corrections, update or require that we cease to use and disclose, or under certain circumstances and subject to restrictions and exemptions, delete the personal information that we have collected about you.
For customers in Malaysia, you may exercise your statutory rights including to: (i) opt-out of direct marketing; or (ii) withdraw your consent to our processing of your personal data, by contacting us via the contact details listed in the “Contact Us” Section below.
If you are residents in the EU, at any point while we are in possession of or processing your personal data, you also have the following rights under the General Data Protection Regulation (GDPR):
(i) Right to object
• You have the right to object to us processing your personal data for one of the following reasons: (i) where it is within our legitimate interest; (ii) to enable us to perform a task in the public interest or exercise official authority; (iii) to send you direct marketing materials; and/or (iv) for scientific, historical, research, or statistical purposes.
• The “legitimate interests” category above is the one most likely to apply in relation to our relationship, and if your objection relates to us processing your personal data because we deem it necessary for our legitimate interests, we will act on your objection by ceasing the activity in question unless we:
• have compelling legitimate grounds for processing which overrides your interests; or
• are processing your data for the establishment, exercise or defence of a legal claim.
(ii) Right to withdraw consent
• Where we have obtained your consent to process your personal data for certain activities (for example, for automatic profiling), you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to, unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of the same.
(iii) Right to submit a data subject access request (DSAR)
• You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you for more information about your request. We may refuse your request where we are legally permitted to do so, and we will inform you of the reasons for our refusal. If we provide you with access to the information we hold about you, we will charge you if your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible.
(iv) Right to erasure
• You have the right to request that we “erase” your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
• the data is no longer necessary for the purpose for which we originally collected and/or processed them;
• where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
• the data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
• it is necessary for the data to be erased in order for us to comply with our obligations as a data controller under EU or Member State law; or
• if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
• We would only be entitled to refuse to comply with your request for erasure for one of the following reasons:
• to exercise the right of freedom of expression and information;
• to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
• for public health reasons in the public interest;
• for archival, research or statistical purposes; or
• to exercise or defend a legal claim.
• When complying with a valid request for the erasure of data, we will take all reasonably practicable steps to delete the relevant data.
(v) Right to restrict processing
• You have the right to request that we restrict our processing of your personal data in certain circumstances*1. Upon acceptance of your request, we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances (as listed in *1) is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
• The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
• where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
• where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
• where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
• where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
• If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will notify you before lifting any restriction on processing your personal data.
*1:The circumstances in which you are entitled to request that we restrict the processing of your personal data are: (a) where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified; (b) where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data; (c) where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and (d) where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
(vi) Right to rectification
• You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you, including by means of providing a supplementary statement. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
(vii) Right of data portability
• The right of data portability applies to: (i) personal data that we process automatically (i.e. without any human intervention); (ii) personal data provided by you; and (iii) personal data that we process based on your consent or in order to fulfil a contract.
• You have the right to transfer your personal data between data controllers which means that you are able to transfer the details we hold on you to another employer or a third party. We will provide you with your data in a commonly used machine-readable format to allow you to effect such transfer. Alternatively, we may directly transfer the data for you.
(viii) Right to lodge a complaint with a supervisory authority
• You also have the right to lodge a complaint with your local supervisory authority.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection in your habitual residence or to our representative whose contact details may be found at the “Contact Us” section below.
- Retention of Personal Data
We will periodically review the personal data we hold. We will retain your personal data for as long as it is necessary to fulfil the Purposes for which the personal data is to be used, and delete any of your personal data that we have stored as soon as reasonably practicable, subject to, or where otherwise required or permitted by law.
While we will endeavour to permanently erase your personal data once it reaches the end of its retention period, some of your personal data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in the electronic ether, our employees will not have any access to it or use it again.
- Protection of Information
In order to protect your personal data against accidental, unlawful or unauthorized access, we will implement appropriate measures to protect the confidentiality and security of the personal data that we collect and process.
- Websites of Third Parties
- Children’s Privacy
We do not intend to transact through our website or mobile application directly with anyone we know to be under the age of 16. If you are under the age of 16, you should use our website or mobile application only with the involvement of a parent or guardian and should not submit any personal data to us.
- Contact Us
• by telephone: +852 2363 4611;
• by e-mail: email@example.com; or
• by mail: Gusteau’s Lifestyle Limited, 21/F On Hong Commercial Building, 145 Hennessy Road, Wanchai, Hong Kong