Privacy Policy

Privacy Policy

Welcome to our policy on how we handle the important subject of privacy. We have described all relevant details below. We had preferred to just keep it real and human and understandable like ‘you and us sitting in a tree’, but legally and technically we need to explain and describe as we have. If it gets too much lawyer-talk or too extensive or complicated please always feel free to reach out to our customer service at hello@commedeux.com any time, and we will do our best to answer any and all questions you may have. If you have questions about your rights as a data subject, you can either go directly to the section 7 “Your rights as a data subject” below or send an email at hello@commedeux.com. This Privacy Policy applies to any personal data processed by Comme Deux Beauty ApS - the company that fully owns and manages Comme Deux brand - with its registered office at Industrivej 21, 2nd floor, 4000 Roskilde, Denmark, and acting as the data controller of all processing activities in connection with our products and services (the “Services”). These Services include any interaction that you may have with us, through our Website, over the phone, via social networks or any other channels. 

 

When we write “we”, “us” or “our” we mean Comme Deux, and when we write “you”, we mean you as a visitor and/or customer. And everything written here relates to everybody that visits our website (the “Website”) or buys our products or services in any shape or form. We will only collect and process your personal data in accordance with this Privacy Policy, and always in compliance with the General Data Protection Regulation 2016/679 (“GDPR”). If we amend this Privacy Policy, changes will be made available on our Website. We therefore encourage you to review it from time to time to stay informed about the way we are processing your personal information.

 

Privacy Policy structure: in order to make this as easy to access as possible we have organized our Privacy Policy as follows, which also gives you the option to jump directly to the section most relevant for you:

• Global overview of our data processing activities (section 1)
• In more details - which data, for what purpose(s) do we process your data and on which legal ground(s)? (section 2)
• Our retention policy (section 3)
• Our Cookie Policy (section 4)
• Where we store your personal information (section 5)
• When we may disclose your personal information (section 6)
• Your data subject’s rights (section 7)
• How to contact us (section 8)

 Section 1 – Global overview on our processing activities 

First of all, the terms “data”, “personal information” and “personal data” are all referring to the definition of “personal data” in Article 4(1) GDPR; which is basically any information that would allow us to directly or indirectly identify you. It can be your name, your phone number, your order numbers and email address. Most of the time the data that we process is submitted by you directly, when you use our Services. For example, when you order something, you may provide your name, email address and transaction and billing information (e.g., credit card / debit card or other bank information, and delivery information). Sometimes, we also collect your data when you visit our Website (e.g. technical devices and access data which are automatically collected when you interact with our Services), and - depending on your cookie preferences and consent - we may use tracking technologies to check which pages you have viewed, or if you have opened our newsletter emails.

 

We always rely on legal ground to collect and process your personal data. The purposes that may require your prior consent are the following:

• participation in surveys, online competitions or ads campaigns,
• transmission of your data to third parties or third countries (i.e., located outside the EEA) if there is no sufficient safeguards in place (if applicable), and
• cookies and tracking technologies (e.g., to know which pages you have viewed on our Website and if you have opened our newsletter emails).

 Children’s privacy protection: please note that our Website is not intended for, and should not be used by, children under the age of 18. We therefore do not intentionally collect personal information about anyone under the age of 18, unless we received the legal guardian’s prior consent.

 

Section 2 - Which data do we process, for what purpose(s), and on which legal ground(s)?

Use of our Website

We use your data to provide you with access to our Website. Depending on your settings, we may collect the following data during each of your visits:

• Usage data: technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, language settings, and system authorizations; details of your visits, including the full Uniform Resource Locators (“URL”) clickstream to, through and from our Services (including date and time);
• Analytics data: your IP address, operating system and browser type; visits to pages, length of visits and page interactions (such as scrolling, finger gestures, clicks, and mouse-overs); 
• Advertising data: Information about the origin of you visiting  us from a social media or search engine can be shared with our partners, together with a random id allocated to your browser session at each visit.

Purposes: to give you access to our Website, improve your user experience, and/or to ensure a proper use of our Services. In any case we never use this data to identify you specifically.

Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) / Consent (Article 6(1)(a) GDPR).

 Place and pay your order

When buying our Products online, you can use common payment methods such as your credit/debit card. We process your payment details in order to execute the payment, and may receive additional information from the external payment service providers we work with. This may include your transaction and billing information; e.g., credit/debit card details and delivery information. Please note, however, that we do not store your credit card information - these are located on a specifically encrypted server of our so-called payment gateway, which is PPC certified. 

Purpose: to capture the payment and place the order.

Legal grounds: Contract performance (Article 6(1)(b) GDPR) / Legitimate interest (Article 6 (1)(f) GDPR).

Abandoned Cart Emails or SMS

When navigating on our Website, you may add Products in your cart. Sometimes, it happens that customers think they finalized their shopping, but a piece of information was missing and, therefore, the order cannot be processed correctly. To avoid such an unpleasant situation, we may process the Products you put in your cart together with your name, email address and/or phone number. 

Purpose: to contact you to remind you that you have an outstanding Product in your cart, and ensure that the non-completion is not due to a bug. We may contact you if you were close to have a fulfilled transaction but did not complete it (e.g. if you selected a Product but did not complete the transaction, or if you entered some information details during the check out that makes us think that you were interested in purchasing such product despite the non-completion of the transaction). 

Legal grounds: Legitimate interest (Article 6(1)(f) GDPR). You may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email (as explained in section 7 below).

 

Information collected on online media platforms

We maintain online media platforms (such as, but not limited to, Facebook, Instagram, Messenger, Tiktok, YouTube, WhatsApp, Snapchat, Pinterest, Google - etc.), and regularly post contents, offers, promotions and organize online competitions (see specific subsection below). When you use these online media, the network operators may process your information, such as your age, gender and geographic location. Please bear in mind that we are not responsible for the way they collect and process your data for their own purposes. We have no influence over these data processing activities, and advise you to read their own privacy policy if you want to know more. We are only responsible for the data you provide during your visit to our online media pages (e.g. the information you provide us directly when you post something on our pages, or when you send us private messages). If you have a public account, we may also be able to see your public information (e.g., the content you published and shared with a public audience).

Purposes: to better understand how customers view our Products and identify beauty trends; to increase our visibility on the market and continuously develop our brand.

Legal ground: Legitimate interest (Article 6(1)(f) GDPR.

Online competitions

We sometimes organize and initiate online competitions through our online media platforms, where the participants are encouraged to, as an example but not limited to, vote, share, like or comment or otherwise interact with a post, or invite a friend to follow us in order to maybe win prizes or awards. We may therefore process personal information such as participants’ usernames, and ask the winner of such online competition for further information such as their name, email address and delivery information in order to send the prize/award. Sometimes we take care of the delivery ourselves, but sometimes the brand partner that cooperates with us on the competition delivers the gift directly. If this is the case, we inform the winner in advance about the fact that their information will be shared with such a brand, only for the purpose of delivering the prize/award. We have data processing agreements in place with all the brands we cooperate with, and the shared personal information is only used for the aforementioned purpose.

Purpose: to increase our mutual customer engagement or make our mutual followers discover our services. The processing of the above data is necessary to perform the online competition and deliver the prize/award to the winner. 

Legal grounds: Legitimate interest (Article 6(1) f GDPR) / Contract performance (Article 6(1)(b)GDPR). 

Subscribing to our newsletter, receiving promotional emails or any other marketing materials

We may use your personal information to send you marketing content by email, phone (calls/SMS) or post. These messages may sometimes be customized, based on your previous browser or purchasing activity, or any other information we may have collected about you. If you no longer wish to receive marketing communications from us or any individual product recommendation, or if on the contrary you would like to subscribe again to it, you can modify your settings at any time by contacting us, or by clicking on the "Unsubscribe" link in an email. If you opted-out of our marketing, please note that we may still contact you from time to time with service messages (e.g., order and delivery confirmations, payment methods and information about your legal rights).

Purpose: to receive direct marketing (products and services). You can modify your marketing settings at any time by using the link at the bottom of each marketing email, or by sending your un- subscription request by email.

Legal ground: Legitimate interest (Article 6(1)(f) GDPR) / Consent (Article 6(1)(a) GDPR).

Co-creation of products, feedback, products reviews and surveys

You may decide to join us in the process of co-creation of products, or simply wish to provide us with feedback, product reviews or participate in interviews. If it is the case, we may collect, in addition to your feedback, the following personal information: your name and email address, product preferences and any comment you may have added. 

Purposes: to send you relevant information on Comme Deux developments; ensure you have the possibility to participate in customer research (e.g. surveys); continue co-creating products with our customers, or improve existing products and provide the best customer experience possible, and adjust our actions to your needs. 

Legal grounds: Legitimate interest (Article 6(1)(f)GDPR) - under no circumstances will we use the collected data to determine your identity and you may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email / Consent when the other legal grounds do not apply (Article 6(1)(a) GDPR or (Article 9(2)(a) GDPR) in case of processing of special categories of data. 

Use of product reviews for statistical purposes

You may have the possibility to add product reviews and, when assessing them, we may process some personal information; e.g. any personal information you may have included in the content of your review (if applicable), your geographic location (if applicable), and the time and date of the review. We never use the reviews in order to identify you.

Purpose: We may process pseudonymized data to carry out aggregate statistics (such as ratings or preferences of certain Products), and may present such summarized statistics to our third-parties partners, always on an irreversibly anonymized basis.

Legal ground: The processing is necessary for statistical purposes, and we may only provide our third-parties partners with anonymized and summarized statistics from which the identification of a specific natural person is impossible (Article 9(2)(j) GDPR). Our legitimate interest in processing data for these purposes is to provide our third-party partners with an overview of the trends and preferences and thus improve your experience. You may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email (as explained in section 7 below

Monitor usage to improve and maintain our Websites, ensure proper use, and successful reception of our transactional emails

While using our Services or receiving service messages (transactional emails), we may collect and process the following data: device ID, IP address, operating system and browser type, length of visits to certain pages, and your page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date and products checked.

Purposes: to ensure proper reception and assess the service in order to improve it; to ensure proper use and successful reception of transactional emails.

Legal ground: Legitimate interest (Article 6(1)(f) GDPR). Under no circumstances will we use the collected data to determine your identity. You may, for reasons arising from your particular situation, object to such a legitimate process at any time by writing us an email (further details in Section 7 below)

Performance reports

While navigating on our Website(s), we may also collect and process the following data: errors, crash reports, IP address, URL, geographic location, time and date of navigation.

Purpose: to ensure the functionality of our Services; our Websites cannot function properly without this processing. 

Legal ground: Legitimate interest (Article 6(1)(f)GDPR). Under no circumstances will we use the collected data to determine your identity.

Security, fraud prevention and choice of payment methods

Your security is our top priority, and in order to avoid or to detect any data security breaches, our Services are encrypted in transmission with the coding system SSL (“Secure Socket Layer”). This means that the data is encrypted when you leave our Website(s), and that during this process, information or data is converted into a code to prevent unauthorized access. We have technical and organizational measures in place to secure our systems against loss, destruction, unauthorized access. This implies the processing of your data, including your name, device and access data (IP address), your shopping information (delivery and billing address) and payment details. While we do everything we can to ensure that personal information is always protected from our Websites, we cannot guarantee the security and integrity of the information sent to our Websites.

Purpose: to identify fraud patterns and prevent fraud.

Legal ground: Legitimate interest (Article 6 (1)(f)GDPR).

Job application

Candidates may apply to join us, when there are open positions, via our “Career” link, as available from time to time at the bottom page of our Website. When applying for a position, candidates may be requested to provide information such as their name, email address, phone number, geographic location (city), resume, LinkedIn profile (optional), that we may collect together with the time and date of the application.

Purpose: to check the candidate suitability for the position (or any other vacancies within Goodiebox group).

Legal ground: to take steps at the candidate request prior to entering into a contract (Article 6(1)(b) GDPR). 

Section 3 – Storage policy 

We retain your personal information for the period necessary to fulfill the purposes described in above section 2, always in compliance with the data minimization principle. If your personal information is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principles.

Purpose: marketing purposes

Storage duration: 3 years after your last activity, e.g., purchases, communication activities or visits to our Website. 

Purpose: order history and obligations to execute orders on our Website

Storage duration: 7 years from your order, or as long as we have to meet the legal requirements.

Purpose: customer service for our Services

Storage duration: 3 years or as long as we have to meet the legal requirements.

Purpose: fraud and risk assessment

Storage duration: 3 years from your last activity, e.g., purchases, communication activities or visits to our Website, or as long as we have to meet the legal requirements.

Purpose: compliance with the legislation relating to our Services

Storage duration: as long as we are obliged to comply with the statutory provisions, according to each country-specificity.

Purposes: performance report and monitoring of usage data to ensure proper use, functioning, maintenance and improvement of the Services and transactional emails

Storage duration: 30 days unless a security-relevant event occurs (for example, a Distributed Denial of Service attack). If a security-relevant event occurs, log files of the servers are stored until the security-relevant event has been completely eliminated and clarified.

Purpose: Optimizing our marketing initiatives

Storage duration: Your data will be stored until it is no longer required for the purpose for which it was collected, or you revoke your consent. The data we process for the purpose of tracking is removed latest within 180 days.

Purpose: commercial and tax laws

Storage duration: as long as we are obliged to comply with the statutory provisions, according to each country-specificities, up to ten years.

Purpose: job application

Storage duration: in the event of a rejection, candidate data will be deleted after 6 months. If you have agreed to further storage of your personal data, we will add your data to our applicant pool. The data will be deleted after two years from that moment. If you are offered a job in the context of the application process, the data from the data system will be transferred to our Human Resources information system.

Section 4 – Cookie Policy

Our Website uses so-called "cookies". Cookies are text files that are stored in the Internet browser or by the Internet browser on your device (computer, tablet, or phone). We use the term "cookies" to refer to all tools that may collect your indirect/pseudonymized personal data on our Website, such as your IP address, place and time of your visit. Those cookies and similar technologies help us provide certain website functions, understand and measure performance, and serve targeted ads. The processing of this data is always carried out on a legal basis and, where required by law, based on your consent. For detailed information on the cookies we use, the purposes for which we use them, and to manage your cookie preferences, see our Cookie Policy.

 Section 5 – Where do we store personal information?

The personal data that we collect from you is stored in the European Union on Google Cloud Services (Google EMEA HQ - 4 Barrow St Ringsend, Dublin 4, D04 V3A0, Ireland). However, we use suppliers all over the world and, therefore, your personal data may be processed by processors and/or sub-processors operating outside of the European Economic Area (“EEA”). Those processing activities are always based on a data processing agreement, and only if the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR, such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments. Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.

 Section 6 – Disclosure of your personal information

 

Technical service providers: we work with technical service providers in order to operate our Website and provide you with our Services. These technical service providers act as our processors based on a data processing agreement and therefore may process your data under special conditions, always according to above section 3. It concerns, for example, our CRM, IT services such as our platform providers, hosting services, maintenance and support on our databases.

Payment service providers: we offer several payment methods and in this context we may transfer some of your data to your chosen payment service provider, only to provide you with our Services. We are not responsible for the payment service providers' way of processing your data, so before you choose one, we encourage you to read their own privacy policy.

Logistics / Shipping companies: we work with external shipping companies (e.g. DAO) to deliver our products. These shipping companies receive the following data to execute the relevant order: your full name, delivery address, post number if applicable, email address if applicable (if the shipping company wishes to inform you of the provisional delivery date by email), phone number if applicable (you may receive SMS notifications of delivery, either to your home address or to a parcel pick up point) or any other necessary information. We also work with warehouses that receive the brand products delivered in your boxes, but they do not receive any of your personal information.

Professional and legal advisors: in case of a conflict or dispute resolution, we may work with external agencies and legal advisors that may receive your personal information. If this becomes the case, we will ensure to have a data protection agreement with such professional and legal advisors beforehand. 

 In addition, we will not transfer your personal data to any third party,  except, when applicable, for the following purposes:

• If we are required to disclose or share your personal information with the police, any public authority or any other competent authority in order to comply with our legal obligations such as ensuring information security at all times, or to defend ourselves against any fraudulent attempt;
• If we are required to disclose or share your personal information with law enforcement or other government agencies, or on the basis of EU law of the law of a Member State. We would rely on our legal obligation to do so (Article 6(1)(c) GDPR)).

Service providers who process personal data on our behalf outside the EEA (or “third countries”) will only be used if such recipients have received a European Commission decision on appropriateness, or if there are suitable or appropriate guarantees for the third country, or if we have received your prior consent. We commit to ensure that your data will not be transmitted to a country with a lower data protection standard than the European Union.

Section 7 – Your data subject’s rights

Under GDPR and as a “data subject”, you have various rights in relation to your personal information, e.g., the right to be informed, to deletion, to correction, to restriction of the processing, to data portability, to lodge a complaint with a supervisory authority, to withdraw your consent, and to object to particular data processing activities. If you have any questions about it, or if you want to exercise one/several of them, please send an email at hello@commedeux.com. 

Right to withdraw your consent at any time: where the processing of your personal information relies on your prior consent, you have the right to withdraw such a consent at any time, under the condition of Article 7 (3) GDPR. Please note that this will not affect the lawfulness of the processing based on consent up until the point of withdrawal.

Right to object to the processing: you may object to the processing of your personal information under the conditions of Article 21 GDPR as follows:

• when you want to object to the processing of your data for advertising purposes, including direct marketing, at any time and without any reasons;

-    when we are processing your information under our legitimate interest, or when we make anonymous statistics based on your pseudonymised information - as a data subject, you have the right to object on grounds relating to your particular situation, at any time, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. In the event of an objection relating to your particular situation, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. Same applies if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of statistical purposes and the continuation of processing is necessary for the fulfillment of statistical purposes;

-    when we are processing your information under our legitimate interest to optimize our marketing initiatives, at any time and without any reasons.

 Right to be informed: you have a right to obtain access and information under the conditions provided in Article 15 GDPR. This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to the personal data and the information listed in Article 15(1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. 

Right to erasure: you have a right to erasure (“right to be forgotten”) under the conditions provided in Article 17 GDPR. This means that you generally have the right to obtain from us the erasure of your personal data, and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17(1) GDPR applies. The right to erasure does not by exception apply if the processing is necessary for one of the reasons listed in Article 17(3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims (Article 17(3)(b) and (e) GDPR). Thus, the relevant data will not be deleted, but will be blocked for further processing (i.e., the data will be securely stored with different access rights and technical and organizational measures to ensure that only a few employees can access such relevant data when needed). Before deleting your information, we may anonymize it for statistical purposes.

Right to restriction of processing: you have a right to restriction of processing under the conditions provided in Article 18 GDPR. This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18(1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts until we are able to verify the accuracy of the personal data (Article 18(1)(a) GDPR). Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4(3) GDPR).

Right to data portability: you have a right to data portability under the conditions provided in Article 20 GDPR. This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from us where the processing is based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR or on a contract (pursuant to Article 6(1)(b) GDPR), and where the processing is carried out by automated means (Article 20(1) GDPR). In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller where technically feasible (Article 20(2) GDPR).

Right to rectification: you have the right to rectification under the conditions provided in Article 16 GDPR. This means in particular that you have the right to receive from us, without undue delay, the rectification of inaccuracies in your personal data and completion of incomplete personal data.

Right to complain: you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 GDPR. The supervisory authority responsible for us is the Danish Data Protection Agency (Datatilsynet). You can contact any data protection authority, in any Member State (in particular at your place of residence); your complaint will then be forwarded to the competent authority.

Section 8 – Contact

Again, we want what’s best for you. Please always feel free to reach out to our customer service team at any time and we will do our best to answer any and all questions you may have. You can email us at hello@commedeux.com or by post at  the following address:

Comme Deux Beauty ApS
Industrivej 21, 2nd floor,
4000 Roskilde, Denmark