
Comme Deux - Privacy policy

Last update: July 16th, 2021


At Comme Deux, we’re committed to protecting your privacy. We’re entirely open about our information gathering practices. So please take the time to read our Privacy Policy. If you have any questions, just email us at [email protected] and we’ll be happy to help. We also have our very own Data Protection Officer and her job is to make sure that we do everything we can to give you the best possible experience and to keep your data safe and secure. If you’d like to, you can reach out directly to her at [email protected].

Some quick tips. When we write “we”, “us” or “our” we mean Comme Deux, a brand fully operated by Goodiebox ApS. And when we write “you” we mean you as a visitor or customer. We only collect and process your personal data in accordance with this Privacy Policy, and are always in compliance with the General Data Protection Regulation 2016/679 (hereinafter “GDPR”). If we amend this Privacy Policy, changes will be made available on our website (the “Website”) and, where appropriate, notified to you by email, or by any other available means. We therefore encourage you to review it from time to time to stay informed about the way we are processing your personal information. 

About us

This Privacy Policy applies to any personal data processed by Comme Deux, with its registered office at Artillerivej 86, 5th floor, 2300 Copenhagen S., Denmark (CVR 34087288), the so-called data controller (as defined under Article 4(7) GDPR) of all processing activities in connection with our products and services (the “Services”). These Services include any interaction that you may have with us, through our Website, by emails, over the phone, via social networks or any other channels. 

What’s next

In order to make this as easy to access as possible we have organised our Privacy Policy as follows, which also gives you the option to jump directly to the section most relevant for you: 

(1) Global overview of the data processing activities at Comme Deux
(2) In more detail - which data, for what purpose(s) and on which legal ground(s)
(3) Our retention policy
(4) Our Cookie Policy
(5) Where we store your personal information
(6) When we may disclose your personal information
(7) Your data subject’s rights
(8) Contact us


    • Global overview on the processing activities at Comme Deux

      First of all, the terms “data”, “personal information” and “personal data” are all referring to the definition of “personal data” in Article 4(1) GDPR; which is basically any information that would allow us to directly or indirectly identify you. It can be your name, your phone number, your member ID, your order numbers and email address.

      Most of the time the data that we process is submitted by you directly, when you order our products, or when you send us reviews and feedback or contact us for anything else. 

      We will always ask for your prior consent before collecting and processing any special categories of data (i.e., your skin color or skin type), or before you participate in surveys or co-creation programs. Same goes for the transmission of your data to third parties or third countries (i.e., located outside the EEA) if there are no sufficient safeguards in place, and regarding the cookies and tracking technologies (as per our Cookie Policy available here). 

      Regarding our Newsletter, we reserve the right to send you any information about our direct products and services, but if you don’t feel like it or feel spammed or just don’t want to receive emails from us, you can object and unsubscribe at any time by sending us an email at [email protected] or by simply clicking at the bottom of such emails. 

      Children’s privacy protection - Please note that our Website is not intended for, and should not be used by, children under the age of 18. We therefore do not intentionally collect personal information about anyone under the age of 18, unless we received the legal guardian’s prior consent.

    • In details - which data, for what purpose(s), and on which legal ground(s)

      Creation of a customer account
      When you create an account, we may collect the following information about you: your full name, email address, password, and phone number.

      Purpose: to provide you with a customer account and the possibility to subscribe and receive our Services.
      Legal grounds: Contract performance (Article 6(1)(b) GDPR) / Legitimate interest (Article 6(1)(f) GDPR).

      Login with your Goodiebox member account
      You may have the option to log in with your Goodiebox member account, and we, therefore, may access some of your information (contact details, order history, etc.).

      Purpose: to access the exclusive benefits for Goodiebox members, such as but not limited to reduced pricing or early access to new products.
      Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) / Consent (Article 6(1)(a) GDPR) or (Article 9(2)(a) GDPR) for the processing of special categories of data.

      Placing an order and payment details
      For us to be able to process your order, we need to know your name, email address, delivery address, phone number, credit/debit card number, security code and expiry date. This Website employs VeriSign and industry-standard SSL to provide secure credit card transactions. SSL is a communications protocol for transmitting private information over the internet; it works by encrypting data that’s transmitted over the SSL connection so that no one can read or access the data being transmitted. We do not store your credit card information - these are located on a specifically encrypted server of our so-called payment gateway, which is PPC certified.

      Purpose: to execute the purchased agreement and deliver our products.
      Legal grounds: Contract performance (Article 6(1)(b) GDPR) / Legitimate interest (Article 6 (1)(f) GDPR).

      Abandoned Cart Emails
      When navigating on our Website, you may add products in your cart. Sometimes, it happens that customers think they finalized their shopping, but a piece of information was missing and, therefore, we will not process the sale and deliver the product(s). The same is true in case you are in a hurry and simply close the webpage without finalizing your order. To avoid such an unpleasant situation, we may process the products you put in your cart when you are logged in to your customer account, together with your name and your email address.

      Purpose: to contact you to remind you that you have an outstanding product(s) in your cart and ensure that the non-completion is not due to a bug. We may contact you if you were close to have a fulfilled transaction but did not complete it (e.g., if you selected a product but did not complete the transaction, or if you entered some information details during the check out that makes us think that you were interested in purchasing such product despite the non-completion of the transaction).

      Legal grounds: Legitimate interest (Article 6(1)(f) GDPR). You may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email.

      Activating your Full Satisfaction Money Back Guarantee
      If you are not satisfied with a product and request a refund, as per our “Full Satisfaction Money Back Guarantee” (the “FSMBG”), we will process the following information: your order number, contact details and the feedback you will provide us to help us improve the product that was not suitable to you.

      Purpose: to ensure the best customer experience possible by refunding you the products that do not fit your skin (as per the FSMBG requirements) and improving the product according to your feedback.

      Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) / Contract performance (Article 6(1)(b) GDPR) to improve our products. You may object to such a processing, at any time, but you will not be able to get a refund, as per the FSMBG requirements.

      Co-creation of products, feedback, products reviews and surveys
      You may decide to join us in the process of co-creation of products, or simply wish to provide us with feedback, product reviews or participate in interviews. If it is the case, we may collect, in addition to your feedback, the following personal information: your name and email address, product preferences and any comment you may have added. As we love to be challenged, we have a specific section about it called “Ask Us Anything” where we aim to create the dialogue around products, diversity, sustainability, charity, career, etc. We may, therefore, collect and process anything you may write in here.

      Purposes: to continue co-creating products with our customers, Goodiebox members and our own community, or to improve existing products and provide the best customer experience possible, and adjust our actions to your needs.

      Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) - under no circumstances will we use the collected data to determine your identity and you may, for reasons arising from your particular situation, object to such a processing, at any time, by writing us an email. Consent when the other legal grounds do not apply (Article 6(1)(a) GDPR) or (Article 9(2)(a) GDPR) for the processing of special categories of data.

      Interactions, messages, conversations
      We love interacting with our customers and, when chatting by any available means, we may collect information about you, such as some of the conversation content, your name, email address, address, phone number and/or profile name on the social media platforms. Please note that we do not record the telephone conversations and, if it becomes the case in the future, it will only be based on your prior consent, and you will be informed about your right to withdraw such a consent at any time with effect for the future. Please also note that we are not responsible for the terms of use for social media platforms that you may use to contact us.

      Purpose: to ensure a proper follow up, and improve our Services. We may also use your contact information to send you a new box in case of a product issue (when applicable).

      Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) / Contract performance (Article 6(1)(b) GDPR).

      Information collected on online media platforms
      We maintain online media platforms (such as, but not limited to, Facebook, Instagram, Messenger, Tiktok, YouTube, WhatsApp, Snapchat, Pinterest, Google - etc.), and regularly post contents, offers, promotions and organise online competitions. If you participate and win a prize through our online competitions, we may process personal information such as participants’ usernames, and ask the winner of each online competition for further information such as their name, email address and delivery information in order to send the prize/award. Sometimes we take care of the delivery ourselves, but sometimes the brand that cooperates with us on the competition delivers the gift directly. If this is the case, we inform the winner in advance about the fact that their information will be shared with such a brand, only for the purpose of delivering a prize/award. We have data processing agreements in place with all the brands we cooperate with, and the shared personal information is only used for the aforementioned purpose. When you use these online media, we are only responsible for the data you provide during your visit to our online media pages (e.g., the information you provide us directly when you post something on our pages, or when you send us private messages). If you have a public account, we may also be able to see your public information (e.g., your username and the content you published and shared with a public audience). The network operators may also process your information; please bear in mind that we are not responsible for the way they collect and process your data for their own purposes. We have no influence over these data processing activities, and advise you to read their own privacy policy if you want to know more.

      Purposes: to better understand how customers view our products and identify beauty trends, increase our visibility on the market and continuously develop our brand, and increase our customers’ engagement or make our followers discover our products. The processing of the above data is necessary to perform the online competition and deliver the prize/award to the winner.
      Legal ground: Legitimate interest (Article 6(1)(f) GDPR) / Contract performance (Article 6(1)(b) GDPR).

      Subscribing to our newsletter, receiving promotional emails or any other marketing materials
      Depending on your marketing preferences, we may use your personal information to send you marketing content by email, phone (calls/SMS) or post. Some of these messages can be customized for you based on your previous browser or purchasing activity, or any other information we may have collected about you. If you no longer wish to receive marketing communications from us or any individual product recommendation, or if on the contrary you would like to subscribe again to it, you can modify your settings at any time by contacting us, or by clicking on the "Unsubscribe" link in an email. If you opted-out of our marketing, please note that we may still contact you from time to time with service messages (e.g., order and delivery confirmations, payment methods and information about your legal rights).

      Purpose: to receive direct marketing (products and services). If you don’t want to receive promotional emails from us anymore, just click the ‘unsubscribe’ link at the bottom of one of the emails, or send us your un-subscription request by email, and we’ll take your name off our mailing list.
      Legal ground: Legitimate interest (Article 6(1)(f) GDPR) / Consent (Article 6(1)(a) GDPR).

      Monitor usage to improve and maintain our Websites, ensure proper use, and successful reception of our transactional emails
      While using our Services or receiving service messages (transactional emails), we may collect and process the following data: device ID, IP address, operating system and browser type, length of visits to certain pages, and your page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date, products checked, previous boxes looked, and member account creation started.

      Purposes: to ensure proper reception and assess the service in order to improve it; to ensure proper use and successful reception of transactional emails.
      Legal ground: Legitimate interest (Article 6(1)(f) GDPR). Under no circumstances will we use the collected data to determine your identity. You may, for reasons arising from your particular situation, object to such a legitimate processing at any time by writing us an email.

      Receiving the best online beauty experience possible
      We keep track of the products you buy from us as well as the way you interact with our Website (and therefore may collect your IP address, operating system and browser type, length of visits to certain pages, and page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date). By knowing this, we can send you information about the products and services you’ll most likely be interested in, rather than offering you things you might find irrelevant.

      Purpose: to tailor how you see our Website and which products could be of interest to you, to make the whole online experience (the products and offers you see) more interesting and relevant to you.
      Legal ground: Consent (Article 6(1)(a) GDPR) – you can customize your tracking settings at any time.

      Use of our Website
      We use your data to provide you with the access to our Website. Depending on your settings, we may collect the following data during each of your visits:

      (1) Usage data: technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, language settings, and system authorizations; details of your visits, including the full Uniform Resource Locators (“URL”) clickstream to, through and from our Services (including date and time);

      (2) Analytics data: your IP address, operating system and browser type; visits to pages, length of visits and page interactions (such as scrolling, finger gestures, clicks, and mouse-overs).

      (3) Advertising data: Information about the origin of you visiting us from a social media or search engine can be shared with our partners, together with a random id allocated to your browser session at each visit.

      Purposes: to give you access to our Website(s), improve your user experience, and/or to ensure a proper use of our Services. In any case we never use this data to identify you specifically.
      Legal grounds: Legitimate interest (Article 6(1)(f) GDPR) / Consent (Article 6(1)(a) GDPR).

      Performance reports
      While navigating on our Website(s), we may also collect and process the following data: errors, crash reports, IP address, URL, geographic location, time and date of navigation.

      Purpose: to ensure the functionality of our Services; our Websites cannot function properly without this processing.
      Legal ground: Legitimate interest (Article 6(1)(f) GDPR). Under no circumstances will we use the collected data to determine your identity.

      Security, fraud prevention and choice of payment methods
      Your security is our top priority, and in order to avoid or to detect any data security breaches, our Services are encrypted in transmission with the coding system SSL (“Secure Socket Layer”). This means that the data is encrypted when you leave our Website(s), and that during this process, information or data is converted into a code to prevent unauthorized access. We have technical and organizational measures in place to secure our systems against loss, destruction, unauthorized access. This implies the processing of your data, including your name, device and access data (IP address and member ID), your shopping information (delivery and billing address) and payment details. While we do everything we can to ensure that personal information is always protected from our Websites, we cannot guarantee the security and integrity of the information sent to our Websites.

      Purpose: to identify fraud patterns and prevent fraud.
      Legal ground: Legitimate interest (Article 6(1)(f) GDPR).

      Job application
      We’re always on the lookout for great people to join our team. Check out our open positions on the site of Goodiebox here. If you don’t see something that is interesting to you, feel free to also send us an email at [email protected] with your CV and a brief introduction. When applying for a position, candidates may be asked for additional information such as their name, email address, phone number, geographic location (city), resume, LinkedIn profile (optional), that we may collect together with the time and date of the application.

      Purpose: to check the candidate suitability for the position (or any other vacancies within Goodiebox / Comme Deux).
      Legal ground: to take steps at the candidate request prior to entering into a contract (Article 6(1)(b) GDPR).

    • How long do we store and process your personal information

      We retain your personal information for the period necessary to fulfil the purposes described in this Privacy Policy, always in compliance with the data minimization principle. If your personal information is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons (employees) who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principles.

      If your customer account stays inactive for more than 30 months, we will contact you to check whether you wish to continue using our Services. If you then leave your member account unused for another 6 months, we will restrict access and/or delete it.

      When the processing of your personal information is no longer necessary for any purpose, we may either irreversibly anonymize it, or securely erase it.

      As an exception, we will retain your personal information for a longer retention period if it is required or permitted by law for legal, tax or statutory reasons (e.g., for the purposes of establishing, exercising or defending against legal claims), or for other legitimate business reasons. This may go up to ten years according to local specificities and business needs. You can see below our retention period for specific purposes:

      Marketing purposes - 3 years after your last activity, e.g., purchases, communication activities or visits to our Websites.

      Order history and obligations to execute orders on our Website - 7 years from your order, or as long as we have to meet the legal requirements.

      Customer service for our Services - 3 years or as long as we have to meet the legal requirements.

      Fraud and risk assessment - 3 years from your last activity, e.g., purchases, communication activities or visits to our Website(s), or as long as we have to meet the legal requirements.

      Compliance with the legislation relating to our Services - as long as we are obliged to comply with the statutory provisions, according to each country-specificities.

      Performance report and monitoring of usage data to ensure proper use, functioning, maintenance and improvement of the Services and transactional emails - 30 days unless a security-relevant event occurs (for example, a Distributed Denial of Service attack). If a security-relevant event occurs, log files of the servers are stored until the security-relevant event has been completely eliminated and clarified.

      Optimizing our marketing initiatives - your data will be stored until it is no longer required for the purpose for which it was collected, or you revoke your consent. The data we process for the purpose of tracking is removed within 180 days at the latest.

      Commercial and tax laws - as long as we are obliged to comply with the statutory provisions, according to each country-specificities, up to ten years.

      Job application - in the event of a rejection, candidate data will be deleted after 6 months. If you have agreed to further storage of your personal data, we will add your data to our applicant pool. The data will be deleted after two years from that moment. If you are offered a job in the context of the application process, the data from the data system will be transferred to our Human Resources information system.

    • Cookies

      Our Websites use so-called "cookies". Cookies are text files that are stored in the Internet browser or by the Internet browser on your device (computer, tablet, or phone). We use the term "cookies" to refer to all tools that may collect your indirect/pseudonymized personal data on our Website(s), such as your IP address, place and time of your visit. Those cookies and similar technologies help us provide certain website functions, understand and measure performance, and serve targeted ads. The processing of this data is always carried out on a legal basis and, where required by law, based on your consent. For detailed information on the cookies we use, the purposes for which we use them, and to manage your cookie preferences, see our Cookie Policy.

    • Where do we store your personal information

      The personal data that we collect from you is stored in the European Union on Google Cloud Services (Google EMEA HQ - 4 Barrow St Ringsend, Dublin 4, D04 V3A0, Ireland). However, we use suppliers all over the world and, therefore, your personal data may be processed by processors and/or sub-processors operating outside of the European Economic Area (“EEA”). Those processing activities are always based on a data processing agreement, and only if the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR, such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments. Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.

    • Who we may share your data with

      We may share your personal data with Goodiebox, our sister company, as long as this is necessary for the operation of our Website and direct products, and/or to provide our Services. Access is always controlled on a need-to-know basis, and it is intended that our subsidiaries are not considered as “third parties”, and are all compliant with GDPR.

      We also have business and technical partners who we share data with to handle orders, process credit/debit card payments and provide a range of services, including those linked with fraud protection. These third parties are bound by Data Protection covenants and must process the personal information in accordance with this Privacy Policy. But you should be aware that, if the police or any other regulatory authority who are investigating suspected illegal activities ask us to provide your personal information, we are obligated and entitled to do so.

      If we sell or buy any business or assets, we might disclose your personal data to the prospective seller or buyer of that business or those assets. If we are required to disclose or share your personal information with the police, any public authority or any other competent authority in order to comply with our legal obligations such as ensuring information security at all times, or to defend ourselves against any fraudulent attempt.

      If we are required to disclose or share your personal information with law enforcement or other government agencies, or on the basis of EU law or the law of a Member State, we would rely on our legal obligation to do so (Article 6(1)(c) GDPR).

      We might also use your data (or permit our group companies to use your data) to provide you with information about goods and services you might be interested in. If this is the case, we or they may contact you about these.

      Service providers who process personal data on our behalf outside the EEA (or “third countries”) will only be used if such recipients have received a European Commission decision on appropriateness, or if there are suitable or appropriate guarantees for the third country, or if we have received your prior consent. Goodiebox commits to ensure that your data will not be transmitted to a country with a lower data protection standard than the European Union.

    • Your data subject’s rights

      Under GDPR and as a “data subject”, you have various rights in relation to your personal information, e.g., the right to be informed, to deletion, to correction, to restriction of the processing, to data portability, to lodge a complaint with a supervisory authority, to withdraw your consent, and to object to particular data processing activities. If you have any questions about it, or if you want to exercise one/several of them, please send us an email at [email protected].

      We may ask for some additional information to verify your request (such as confirming the email address associated with your member account, a proof of ID, or any other information) to ensure that you are the owner of the customer account, and to avoid disclosing any data to third parties in the course, for example, of a request for information.

      Right to withdraw your consent at any time - where the processing of your personal information relies on your prior consent, you have the right to withdraw such a consent at any time, but please note that this will not affect the lawfulness of the processing based on consent up until the point of withdrawal.
      Right to object to the processing - you can object to the processing of your personal data
      (1) for advertising purposes, including direct marketing, at any time and without any reasons
      (2) for any purposes based on our legitimate interest, on grounds relating to your particular situation, at any time. In this case, we will no longer process your information, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. Same applies if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of statistical purposes and the continuation of processing is necessary for the fulfilment of statistical purposes.

      Right to be informed - you have the right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to such personal data (including the purposes of the processing, the categories of personal data that are being processed, and the recipients or categories of recipients to whom the personal data have been or will be disclosed). Please note that you can find most of your information yourself, directly in your customer account.

      Right to erasure - as a data subject, you have a right to erasure (“right to be forgotten”) without undue delay except in some cases. For example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. Thus, the relevant data will not be deleted, but will be blocked for further processing (i.e., the data will be securely stored with different access rights and technical and organisational measures to ensure that only a few employees can access such relevant data when needed). Before deleting your information, we may anonymize it for statistical purposes.

      Right to restriction of processing - you have the right to obtain from us the restriction of processing if one of the conditions applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts until we are able to verify its accuracy. Restriction means that stored personal data are marked with the goal of restricting their future processing.

      Right to data portability - you may receive from us the personal data which you have provided us in a structured, commonly used and machine-readable format, and transmit those data to another controller without hindrance from us where the processing is based on consent or on a contract, and where the processing is carried out by automated means.

      Right to rectification - you may request for rectification and receive from us, without undue delay, the rectification of inaccuracies in your personal data and completion of incomplete personal data.

      Right to complain - The supervisory authority responsible for us is the Danish Data Protection Agency (Datatilsynet). You can contact any data protection authority, in any Member State (in particular at your place of residence); your complaint will then be forwarded to the competent authority.

    • Can’t find the answer you’re looking for?

      If you’ve got any other questions, email us at [email protected]. We’re here to help (and we love doing just that). For specific requests, you can also write to our Data Protection Officer directly at [email protected], or by post at the following address: Comme Deux ApS (to the attention of the Data Protection Officer), Artillerivej 86, 5th floor, 2300 Copenhagen S, Denmark.