Privacy Policy

AESOP PRIVACY POLICY

Updated version as of 06/01/2026

We place great importance on the principles of honesty and transparency and are committed to building a strong and lasting relationship with our consumers based on trust and mutual interest. Part of this commitment involves protecting and respecting your privacy and your choices. Respecting your privacy is essential to us. This is why you will find below "Our Commitment to Privacy" as well as our full Privacy Policy.

OUR COMMITMENT TO PRIVACY

  1. We respect your privacy and your choices.

  2. We make sure that privacy and security are embedded in everything we do.

  3. We do not send you marketing communications unless you have asked us to. You can change your mind at any time.

  4. We never offer or sell your data.

  5. We are committed to keeping your data safe and secure. This includes only working with trusted partners.

  6. We are committed to being open and transparent about how we use your data.

  7. We do not use your data in ways that we have not told you about.

  8. We respect your rights, and always try to accommodate your requests as far as is possible, in line with our own legal and operational responsibilities.

For more information about our privacy practices, we set out below what types of personal data we may receive from you directly or from your interaction with us, how we may use it, who we may share it with, how we protect it and keep it secure, and your rights around your personal data. Of course, not all situations may apply to you. This Privacy Policy gives you an overview of all possible situations in which we could interact together.

This Privacy Policy applies to all processing of personal data carried out by the AESOP brand concerning customers in Belgium, The Netherlands and Luxembourg. This includes processing within the framework of our business relationships in our boutiques (offline retail) as well as, in particular, on our websites and within external online presences, such as our social media profiles (hereinafter collectively referred to as 'Webservices').

When you share personal data with us or when we collect personal data about you, we use it in line with this Policy. Please read this information carefully. If you have any questions or concerns about your personal data, please contact us at dpo.benelux@loreal.com.

Please note that you must be at least 16 years old to visit our Webservices. For further services, e.g. our boutique services, digital services or registration for our loyalty program or newsletter (online and offline), you must be at least 16 years old.

WHAT WILL YOU FIND IN THIS PRIVACY POLICY?

1. WHO WE ARE

L’Oréal France, a general partnership (société en nom collectif), with its registered office at 30 rue d’Alsace 92300 Levallois-Perret, registered with the Nanterre Trade and Companies Register under number 919 434 894 (hereinafter "L’Oréal France"), operates the websites https://www.aesop.be/ and https://www.aesop.nl and may collect personal data about you when you consult or use their features.

L’OREAL NEDERLAND B.V., hereinafter "L’OREAL NEDERLAND", operates Aesop stores in Belgium, The Netherlands and Luxembourg and may collect personal data about you during your visit to a store.

The terms "we," "us," or "our" used herein refer to L’Oréal France and L’OREAL NEDERLAND jointly (except when processing activities specifically falling under only one of these entities are mentioned, in which case the term "we" refers to the entity concerned). Situations in which L’Oréal France or L’OREAL NEDERLAND operates data processing alone as a sole data controller (hereinafter "L’Oréal France Processing" or "L’OREAL NEDERLAND Processing"), as well as situations in which L’Oréal France and L’OREAL NEDERLAND jointly operate data processing (hereinafter "Joint Processing") as joint controllers, are governed by this Personal Data Protection Policy.

  • The list of L’Oréal France Processing is indicated below in the L’Oréal France Processing overview table available in Section 3 of this Privacy Policy.

  • The list of L’OREAL NEDERLAND Processing is indicated below in the L’OREAL NEDERLAND Processing overview table available in Section 3 of this Privacy Policy.

  • The list of Joint Processing is indicated below in the Joint Processing overview table available in Section 3 of this Privacy Policy.

Furthermore, in accordance with applicable regulations, L’Oréal France and L’OREAL NEDERLAND have, in their capacity as joint controllers for certain processing activities, entered into a joint controllers agreement in which each undertakes to implement the Joint Processing in accordance with applicable regulatory requirements. This joint controllers agreement notably provides that:

  • L’Oréal France is responsible for the compliance of Joint Processing when your data is collected directly online from the websites https://www.aesop.be/ and https://www.aesop.nl.

  • L’OREAL NEDERLAND is responsible for the compliance of Joint Processing when your data is collected from AESOP stores.

  • Information provided to data subjects is issued by both controllers, by L’Oréal France on the website, by L’OREAL NEDERLAND in store.

  • L’ORÉAL NEDERLAND primarily handles the processing of requests regarding your rights under Art. 15-21 GDPR.

  • L'Oréal NEDERLAND and L'Oréal France inform each other immediately about rights asserted by data subjects and provide each other with all information necessary to respond to requests.

  • In any case, L’Oréal France and L’OREAL NEDERLAND are both jointly and severally liable for respecting your rights over your data as provided by applicable regulations.

Both L’Oréal France and L’ORÉAL NEDERLAND have appointed a Data Protection Officer whom you may consult on all matters relating to the processing of your personal data under the GDPR and local data protection regulations. The Data Protection Officers can be reached at the following contact details:

  • L’Oréal France: Email: donneesperso@loreal.com | By post: 30, rue d’Alsace - 92300 Levallois-Perret, for the attention of the DPO

  • L’ORÉAL NEDERLAND: Email: dpo.benelux@loreal.com | By post: Scorpius 141, 2132 LR Hoofddorp, for the attention of the DPO

For more information on the distribution of responsibilities between L’Oréal France and L’OREAL NEDERLAND within the framework of joint processing and to obtain the main outlines of the contract between these entities, you can contact the Data Protection Officers.

2. WHAT IS PERSONAL DATA?

"Personal data" means any information that can identify you directly (e.g., your name) or indirectly (e.g., through pseudonymized data such as a unique identifier). This means that personal data includes information such as postal/email addresses, mobile phone numbers, usernames, profile pictures, personal preferences and shopping habits, user-generated content, financial data, and beauty/well-being information. Personal data may also include unique digital identifiers such as your computer's IP address or your mobile device's MAC address.

3. WHAT PERSONAL DATA DO WE COLLECT FROM YOU AND HOW DO WE USE IT?

We believe that as a consumer, you are at the heart of everything we do. We love receiving information from you, getting to know you, and creating and providing products and services you enjoy. And we know many of you love communicating with us. For all these reasons, there are many ways you can provide your personal data to us, and how we can collect it.

3.1 HOW DO WE COLLECT OR RECEIVE YOUR PERSONAL DATA?

L’Oréal France and/or L’OREAL NEDERLAND may collect personal data from you, or receive it from you, particularly when you make purchases, when you visit an AESOP store or the websites https://www.aesop.be/ and https://www.aesop.nl, or via questionnaires, applications, devices, product or brand pages on social networks, or by any other means. In some cases, you provide personal data directly to us (e.g., when creating an account, contacting us, or making a purchase on our website/apps or in-store/beauty salon). In other cases, we collect this data (e.g., using cookies to understand how you use our website/apps) or the data is sent to us by third parties.

When we collect data, we indicate mandatory fields with an asterisk. Failure to fill in the fields marked with an asterisk may impact our ability to offer you products and services. In the tables below you will find more detailed information providing explanations on:

  1. In what situations may your personal data be provided or collected?

This column lists the activities you engage in, or the situations you are in, when we use or collect your personal data. For example, if you are making a purchase, signing up for a newsletter, or browsing a website/apps.

2. What personal data can we obtain directly from you or following your interaction with us?

This column specifies which types of data concerning you we are likely to collect, depending on the situation.

3. How and why can we use it?

This column details how we may use your data and the purposes for which it is collected.

4. What is the legal basis for our use of your personal data? (Consent, Legitimate Interest, Contract Performance, Legal Obligation).

This column explains the reason why we may use your data. Depending on the purpose for which the data is used, the legal basis on which the processing of your data relies may be:

  • Your consent;

  • Our legitimate interest, which may consist of:

      • Improving our products and services, and more specifically our commercial interests, to help us better understand your needs and expectations and thus improve our services, websites / applications / devices, products, and brands in the interest of our customers.

      • Fraud prevention, to ensure that payments are completed and have not been subject to any fraud or misappropriation.

      • Securing our tools, to ensure the protection and security of the tools you use (our websites/applications/devices) and to ensure they function properly and are constantly improved.

  • Performance of a contract, and more specifically the provision of the services you request from us.

  • Legal obligations, where applicable legislation requires the processing of data.

3.1.1 Overview of L’OREAL FRANCE processing (operated by L’Oréal France as sole controller)

In which situations may your personal data be provided or collected?

What personal data may L’Oréal France obtain directly from you or following your interaction with L’Oréal France?

How and why may L’Oréal France use your personal data?

On which legal basis is the processing of your personal data carried out?

Account creation and management Data collected when creating an account and/or joining a loyalty program, on L’Oréal France websites/applications.

Depending on the frequency of your interactions with us, such personal data may include:

First and last name;

Title;

Email address;

Postal address;

Phone number;

Photograph;

Date of birth or age range;

Identifier, username and password;

Personal description or preferences;

Information relating to orders;

Professional life;

Social media profile (if you use social networks).

We use such data in order to:

Create your account;

Manage your online orders;

Respond to your questions and otherwise interact with you;

Offer you a loyalty program;

Enable you to manage your preferences;

Performance of a contract To provide you with the service you have requested (e.g. creating an account, participating in a survey or purchasing a product).

Send you commercial communications through advertising displays while you browse third-party websites;

Enrich your profile in order to personalize such communications based on your interests (for further details, please refer to the profiling section following this table);

Consent To send you tailored commercial prospecting messages adapted to your interests.

Offer you personalized services based on your beauty characteristics;

Monitor and improve our websites and applications;

Carry out audience analyses or produce statistics;

Secure our websites/applications and ensure protection against fraud.

Legitimate interest To ensure the security of our websites/applications and protect them against fraud, as well as to help us better understand your needs and expectations and, consequently, improve our services, products and brands.

Online purchasing and order management Data collected during the purchase process on L’Oréal France’s website, mobile applications, and social media pages

Depending on the frequency of your interactions with L’Oréal France, such personal data may include:

First and last name;

Email address;

Postal address (delivery and billing);

Phone number;

Personal presentation or preferences ;

Social media profile (if you use social networks to log in or if you communicate such personal data to us);

Information relating to any transaction, including purchased products;

Payment-related information or purchase history.

L’Oréal France uses such data in order to:

Contact you to finalise your order if you have saved your shopping cart or added products to your cart without completing the payment;

Inform you of the availability of a product you wish to purchase;

Process and monitor your order, including delivery of the product to the address you have provided;

Manage payment for your order. It is specified that payment-related information (credit card number / PayPal details / bank details) is not collected by L’Oréal France, but directly by payment service providers;

Manage any contact you may have with L’Oréal France regarding your order;

Performance of a contract To provide you with the service you have requested (purchase).

Protect transactions against fraud (including through profiling techniques). L’Oréal France uses a solution provided by a third-party service provider to detect fraud and ensure that payment is carried out by you or by any person duly authorised by you;

Enrich your profile if you make a purchase using your account details;

Send you satisfaction surveys following interactions with us (e.g. after a purchase or contact with customer service);

Assess consumer satisfaction;

Manage any dispute relating to an online purchase;

Produce statistics;

Legitimate interest To ensure your protection and our protection against fraudulent transactions, to ensure that payments are duly carried out and not subject to fraud or misappropriation, and to help us better understand your needs and expectations in order to improve our services, products and brands.

Send you commercial advertising communications while you browse third-party websites;

Enrich your profile in order to personalise such communications based on your interests – for further details, please refer to the profiling section following this table.

Consent To send you commercial prospecting messages tailored to your interests.

Use of applications and devices Data collected in connection with your use of L’Oréal France applications and/or devices within our Webservices.

Depending on the frequency of your interactions with L’Oréal France, such personal data may include:

First and last name ;

Email address ;

Phone number ;

Location ;

Date of birth ;

Personal presentation or preferences ;

Geolocation data.

L’Oréal France uses such data in order to:

Provide you with the requested service (e.g. virtual try-on of our products, purchase of products via the application or on associated e-commerce websites, advice and notifications relating to your sun exposure or your hair-care routine) ;

Analyse your beauty/well-being characteristics and recommend appropriate routines and products (including customised care) ;

Provide you with recommendations relating to products and routines;

Performance of a contract To provide you with the requested service (including, where necessary, the performance of an analysis by the research and innovation team of the algorithm required to deliver the service).

Promote research and innovation carried out by L’Oréal Group researchers;

Monitor and improve our applications and devices;

Produce statistics;

Legitimate interest To continuously improve L’Oréal France products and services in order to meet your needs and expectations and to advance research and innovation.

Send you commercial communications through advertising displays while you browse third-party websites;

Enrich your profile in order to personalise such communications based on your interests – for further details, please refer to the profiling section following this table;

Consent To send you commercial prospecting messages tailored to your interests.

3.1.2 Overview of L’OREAL NEDERLAND processing (operated by L’OREAL NEDERLAND as sole controller)

In which situations may your personal data be provided or collected?

What personal data may L’OREAL COUNTRY obtain directly from you or following your interaction with L’OREAL COUNTRY?

How and why does L’OREAL COUNTRY use such data?

On which legal basis is the processing of your personal data carried out?

Purchases in AESOP stores Data collected during the purchase process carried out in an AESOP store.

Depending on the frequency of your interactions with L’OREAL NEDERLAND, such personal data may include:

Identification data / Civil status;

Title;

First and last name;

Phone number;

Email address;

Date of birth;

Postal address.

Other categories of data relating to the transaction:

Products purchased;

Purchase history;

Payment data.

L’OREAL COUNTRY uses such data in order to: 

Provision of contractual services and customer services;

Security measures;

Management and response to inquiries;

Fulfillment of legal documentation and retention obligations.

Performance of a contract To provide you with the products and services you have requested (purchase).

Legal Obligation To store transactional information.

CCTV  Data collected during your visit to one of the AESOP stores.

Video recordings

Ensuring the safety and security of people and property

Intrusion detection and prevention

Processing of data resulting from alert and/or alarm triggers (photo, video)

Legitimate interest  To ensure the security of property and individuals.

3.1.3 Overview of Joint Processing Activities (carried out by L’Oréal France and L’OREAL NEDERLAND acting as joint data controllers)

In which situations may your personal data be provided or collected?

What personal data may we obtain directly from you or following your interaction with us?

How and why may we use your personal data?

On which legal basis is the processing of your personal data carried out?

Creation and management of an account Personal data collected when creating an account on L’Oréal France websites/applications, through a connection via social networks or in-store.

Depending on the frequency of your interactions with us, such personal data may include:

First and last name;

Title;

Email address;

Postal address;

Telephone number;

Photograph;

Date of birth or age range;

Identifier, username and password;

Personal presentation or preferences;

Information relating to orders;

We use such data in order to:

Offer you personalised services based on your beauty characteristics;

Carry out audience analyses;

Ensure the accuracy and consistency of the information collected in stores by L’OREAL NEDERLAND with the information collected online by L’Oréal France;

Assess customer satisfaction;

Manage any dispute;

Legitimate interest  To help us better understand your needs and expectations and, as a result, improve our services, products and brands, and ensure an omnichannel view of the customer relationship.

Send you commercial communications by direct means (email, SMS);

Enrich your profile in order to personalise such communications based on your interests.

For further details, please refer to the profiling section following this table

Consent To send you commercial prospecting messages tailored to your interests.

Online browsing Data collected through cookies or similar technologies like tags, … (“Cookies”) when you browse L’Oréal France websites/applications or third-party websites/applications. For any information relating to specific Cookies placed through a given website/application, please refer to the Cookies table available on the relevant website/application.

Depending on the frequency of your interactions with us, such personal data may include:

Data relating to your use of our websites/applications;

Last website visited ;

Connection data ;

Pages viewed ;

Videos viewed ;

Advertisements you clicked on ;

Products searched for ;

Your location ;

Duration of your visit ;

Products selected to build your shopping cart.

Technical information :

IP Address ;

Browser-related data ;

Device-related data (unique identifier assigned to each visitor and expiry date of such identifier)

We use Cookies, where applicable, in combination with other personal data you have already provided to us (e.g. previous purchases or subscription to online newsletters), for the following purposes:

Ensure the proper functioning of L’Oréal France websites/applications, including:

Appropriate display of content ;

Creation and storage of a shopping cart;

Creation and storage of login data ;

Interface personalisation (such as language) ;

Device settings (including screen resolution, etc.);

Improve L’Oréal France websites/applications, for example by testing new ideas.

Ensure the protection and security of websites/applications and protect you against fraud or fraudulent use, including by performing login operations.

Carry out statistical analyses in order to:

Avoid double-counting visitors ;

Understand users’ reactions to advertising campaigns;

Improve L’Oréal France offers ;

Understand how you discovered L’Oréal France websites/applications.

Deliver online behavioural advertising :

To identify you when you browse one of our websites and display advertising on third-party websites for products and services of L’Oréal Group brands;

To enrich your profile and personalise advertising based on your interests inferred from your browsing activity (pages viewed, abandoned shopping carts, etc.)

(For further details, please refer to the profiling section following this table).

Adapt services to you, including:

Sending you recommendations, commercial communications or content tailored to your profile and centres of interest;

Offering personalised websites/applications (e.g. remembering your shopping cart, login details, language preferences, interface customization Cookies, device settings, font preferences, etc.).

Enable the sharing of L’Oréal France content on social networks (sharing buttons increasing website visibility).

Legitimate interest To ensure that websites/applications, advertising and communications function properly, and to continuously improve cookies that are: (i) essential for the operation of L’Oréal France’s website; and (ii) used to ensure the protection and security of our website.

Consent For all other Cookies.

User-generated content Data collected when you post content on one of our social media platforms or when you agree that we reuse content that you have published on social networks.

Depending on the frequency of your interactions with us, such personal data may include:

First and last name or alias;

Email address ;

Photograph ;

Personal presentation or preferences

Social media profile (if you use social networks to log in or if you communicate such personal data to us) ;

Any other information you have provided to us concerning you (for example, via your “My Account” page, by contacting us, or by providing your own content such as photographs or comments, including through the “conversation/chat” feature available on certain websites/applications).

In accordance with the specific terms and conditions you have accepted:

Publish your comments or content online;

Ensure the promotion of our products.

Consent To reuse content that you have published online.

Produce statistics

Legitimate interest   To help us better understand and anticipate your needs and expectations and, as a result, improve and promote our services, products and brands.

Promotional activities Data collected when you take part in a game, a competition, a promotional offer, request a sample, or participate in a survey.

Depending on the type of interaction with us, such personal data may include:

First and last name;

Email address;

Phone number;

Date of birth;

Gender ;

Title;

Postal address;

Personal presentation or preferences;

Any other information that you have communicated to us concerning you (for example, via your “My Account” page, by contacting us, by providing your own content such as photographs or comments, or by participating in a competition, a game or a survey).

We use such data in order to:

Carry out the tasks you have requested us to perform, for example managing your participation in competitions, games and surveys, including taking into account your feedback and suggestions;

Consent To provide you with the service you have requested if combined with the subscription to commercial communication.

Performance of a contract To provide you with the service you have requested.

Carry out audience analyses.

Legitimate interest To help us better understand and anticipate your needs and expectations and, as a result, improve our services, products and brands.

Requests for information Data collected when you submit questions (e.g. via customer service) regarding our brands or products and their use.

Depending on the type of your interaction with us, such personal data may include: Identification data / Civil status

First and last name ;

Title;

Phone number ;

Email address;

Date of birth;

Postal address.

Other categories of data relating to the transaction:

Other information that you have provided to us about yourself in connection with your request (which may include, for example, information relating to your well-being and health),

We use such data in order to:

Respond to your requests;

Refer you to the appropriate service where necessary.

For statistical purposes

For cosmetovigilance* purposes in order to:

Monitor and prevent any undesirable effects linked to the use of our products;

Collect reports of undesirable effects;

Implement and ensure the follow-up of corrective actions, where necessary;

* Cosmetovigilance is the ongoing and systematic monitoring of the safety of cosmetic products with regard to human health.

Performance of a Contract To process your request related to your purchase.

Legitimate Interest To work on your request and answer your questions and help us better understand the needs and expectations of our customers and, consequently, to improve our services, products, and brands.

Legal obligation To comply with the legal obligation to monitor undesirable effects of its products.

Subscription to newsletters and commercial communications

Depending on the frequency of your interactions with us, such personal data may include:

First and last name;

Email address;

Postal address (delivery and billing);

Phone number;

Personal presentation or preferences;

Social media profile (if you use social networks to log in or if you communicate such personal data to us).

Information relating to any transaction, including purchased products;

Payment-related information or purchase history.

We use such data in order to:

Send you commercial communications tailored to your profiles by direct means (email, SMS);

Enrich your profile in order to personalise such communications based on your interests;

Online Marketing;

For further details, please refer to the profiling section following this table.

Consent To send you commercial prospecting messages tailored to your interests.

We use such data in order to:

Send you satisfaction surveys following interactions with us (e.g. after a purchase or contact with customer service);

Produce statistics.

Legitimate interest To help us better understand the needs and expectations of our customers and, as a result, improve our services, products and brands.

For cosmetovigilance purposes:

Monitor and prevent any undesirable effects linked to the use of L’Oréal France products;

Carry out studies relating to the safety of use of L’Oréal France products;

Implement and ensure the follow-up of corrective actions, where necessary.

Legal obligation To comply with the legal obligation to monitor undesirable effects of its products.

Carry out audience analyses;

Legitimate interest To adapt our commercial communications and assess their effectiveness, ensure that you benefit from the most appropriate experience, and help us better understand and anticipate your needs and expectations and, as a result, improve our services, products and brands.

“Rewards” Program

Depending on the type of interaction with us, such personal data may include:

First and last name;

Title

Gender

Email address;

Postal address;

Phone number;

Photograph;

Date of birth or age range;

Identifier, username and password;

Presentation or personal preferences;

Name of the Aesop store at the origin of the data onboarding;

Total cumulative amount of purchases;

Average basket.

Manage the Rewards Program

Send personalised offers and rewards relating to our products by email, based on your purchase history;

For other commercial communications, please refer to the Subscription to newsletters and commercial communications section above. For further details, please refer to the profiling section following this table.

Contract To manage your program membership.

Organization and Implementation of Events

First and last name;

Title;

Phone number;

Email address;

Date of birth;

Postal address ;

Personal presentation or preferences;

Information relating to any transaction, including purchased products.

To manage registrations

To communicate event details and updates.

To design and deliver targeted event experiences

Legitimate Interest For targeted event design and participation management.

Studies and statistics

Depending on the type of interaction with us, such personal data may include: 

First and last name;

Title;

Email address;

Postal address;

Phone number;

Photograph;

Date of birth or age range;

Identifier, username and password;

Personal presentation or preferences;

Information relating to orders;

Name of the Aesop store at the origin of the data onboarding.

Other categories of data: 

Length of time since recruitment;

Annual spend;

Purchase frequency;

Purchase behaviour data;

Total cumulative amount of purchases;

Average basket;

Products purchased.

Organise your data in a pseudonymised form for purely statistical and analytical purposes.

Legitimate interest We analyze business data and market trends based on our legitimate interest to continuously improve our products and services. To protect your privacy, we primarily use pseudonymized or anonymized data for this purpose.

3.2. AUTOMATED INDIVIDUAL DECISION-MAKING FOR SECURING TRANSACTIONS

To secure transactions on L’Oréal France websites/apps/devices and protect them against fraud and misappropriation, L’Oréal France uses a solution developed by third-party providers.

In particular, one of our trusted partners, Forter Solutions UK Ltd (30 Old Bailey London EC4M 7AU, England), may process your identification data as well as your online browsing data to help us prevent online fraud, specifically to combat the resale of our products through unauthorized distribution networks. You can learn more about how they may use and process your personal information in their privacy policy: https://www.forter.com/privacy-policy/.

The fraud detection solution is based, in particular, on profiling and the following methods: simple comparisons, association rules, clustering, prediction, and outlier detection using intelligent agents, data fusion techniques, and various data mining techniques.

This fraud detection process may be completely automated or may involve human intervention where the final decision is made by a person. In all cases, L’Oréal France takes all reasonable precautions and safeguards to limit access to your personal data.

Due to automatic fraud detection, (i) the processing of your order/request may be delayed while L’Oréal France reviews your transaction; and (ii) you may be excluded from receiving a service or access to the service may be limited if a fraud risk is detected. You have the right to access the information upon which L’Oréal France's decision is based. Refer to the "Your Rights and Choices" section below.

3.3. PROFILING AND ADVERTISING TARGETING

When L’Oréal France sends or displays personalized communications or content, certain techniques qualified as "profiling" may be used (defined as any form of automated processing of personal data consisting of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict elements concerning personal preferences, interests, financial situation, behavior, location, health, reliability, or movements of that natural person).

To perform such profiling, L’Oréal France (with L’OREAL NEDERLAND if applicable) uses personal data about you collected in the various scenarios mentioned in the tables above (see the L’Oréal France Processing table and the Joint Processing table - e.g., when you create an account online, buy one of our products, subscribe to our newsletter, browse the website, etc.). L’Oréal France also uses, as indicated in the first table above, personal data about you transmitted by its business partners if you have given them your consent for such transmission. L’Oréal France (with L’OREAL NEDERLAND if applicable) then centralizes this data, after pseudonymizing it if necessary (i.e., replacing your nominative data with a unique identifier), and then analyzes it to evaluate and predict your personal preferences and/or interests and thus identify products and services likely to please you.

Based on this analysis, L’Oréal France and/or L’OREAL COUNTRY sends you communications and/or displays on third-party sites (i.e., the sites and other communication services of our business partners and/or social networks and/or search engines with which it contracts) content adapted to your preferences/interests relating to one of the brands operated by L’Oréal France (including brands of which you are not yet a customer). L’Oréal France may also use your data to try to identify, within its database or the database of its partners and/or social networks and/or search engines with which it contracts, people with the same socio-demographic characteristics and/or preferences as you and who are therefore likely to be interested in the same advertising content as you.

As indicated in the tables above, L’Oréal France acts as the sole data controller regarding profiling implemented for the purpose of displaying targeted advertisements during your browsing on third-party sites. Conversely, L’Oréal France and L’OREAL NEDERLAND act as joint data controllers regarding profiling implemented for the purpose of sending personalized communications by email/SMS.

Please note that, in order to display adapted advertisements on third-party sites, L’Oréal France must transmit to the publishers of these sites your identification data - namely your last name, first name, and contact data (notably email address, phone number, postal address) - to allow said publishers (see the section below regarding the recipients of your data for more information on the publishers concerned) to find you among their customers/users and display to you (and to people with a profile/interests similar to yours) advertisements about our products and services. These organizations also communicate reports to L’Oréal France on the results of advertising campaigns (number of clicks, conversion rate, audience profile, etc.) to allow L’Oréal France to improve its future campaigns. L’Oréal France acts, within the framework of these activities, as a joint data controller with each organization concerned. Such profiling and data sharing for advertising purposes will only be carried out with your prior consent.

3.4. WHO CAN ACCESS YOUR PERSONAL DATA?

We may share your personal data within the L’Oréal Group, to comply with our legal obligations, prevent fraud and/or secure our tools, improve our products and services, or after obtaining your consent. Depending on the purposes for which your data was collected, and only if necessary, some of your personal data may be accessible to L’Oréal Group entities worldwide, if it is pseudonymized (not allowing direct identification) and if necessary to provide you with the requested services. L’Oréal France may also share your personal data in pseudonymized form (not allowing direct identification) with scientists in the L’Oréal France Research & Innovation division, including those located outside your country, for research and innovation purposes. If permitted, we may also share some of your personal data, including that collected through Cookies, between our brands to harmonize and update the information you provide us, enrich our customer knowledge, perform statistics based on your characteristics, and tailor our communications and the targeted advertising we may display on third-party sites. For more information, we invite you to consult the websites of the L’Oréal Group.

We may communicate your personal data for advertising targeting purposes to third parties. We may communicate your personal data for commercial prospecting purposes (including advertising targeting) to third parties. We only communicate your personal data to third parties for commercial prospecting purposes (including advertising targeting) with your consent. We only provide them with the information they need to perform the service and request that they do not use your personal data for other purposes. We always make every effort to ensure that all these third parties we work with maintain the confidentiality and security of your data.

If you have agreed to receive direct communications (email, SMS) from a partner of L’Oréal France through a dedicated registration/opt-in procedure, in this case your data is transmitted to the concerned partner and processed by the latter acting as a separate data controller under its own terms and in accordance with its personal data protection policy. We recommend that you carefully check their information before consenting to the communication of your data to this third party.

We may also communicate your personal data to our partners and/or search engines and/or social networks of which you are a member and with which we contract for advertising targeting purposes. Indeed, as indicated above in the profiling section, we are likely to share the personal data you have provided (your last name, first name, contact data (notably email address, phone number, postal address)) with the following organizations so they can find you among their customers/users and display on their site(s) (including any other communication service), for your attention and those of people with a profile similar to yours, targeted advertising on our products and services. These are:

Note that some of these partners (namely Facebook – see the section below for more information on data collected by Facebook – and Google) may also collect data directly from you during your navigation on our site, if you consent (notably via Cookies). The aforementioned organizations and L’Oréal France act in this context as joint data controllers. We can provide you with the main outlines of the data processing contracts concluded with these organizations upon request to the contact address indicated at the bottom of this Policy.

Your personal data may also be processed on our behalf (L’Oréal France and L’OREAL NEDERLAND) by trusted service providers. We use trusted third parties to perform a range of business operations and tasks on our behalf. We only provide them with the information they need to perform the service and request that they do not use your personal data for other purposes. We always make every effort to ensure that all these third parties we work with maintain the confidentiality and security of your data.

We may, for example, ask to provide services that require processing your personal data to:

• Third parties who assist and help us provide digital and e-commerce services, such as social listening, store location, loyalty programs, identity management, rating and review management, customer relationship management (CRM), web analytics, and search engines, user-generated content creation tools;

• Advertising agencies, marketing agencies, social and digital agencies to help us carry out advertising, marketing, and commercial campaigns, analyze their effectiveness, and manage your contacts and questions;

• Third parties we need to provide and deliver a product to you and invoice you, for example, for postal/delivery or billing services;

• Third parties who assist and help us provide IT services, such as platform providers, hosting services, maintenance, and technical support services for our databases as well as for our software and applications that may contain data about you (these services may sometimes require access to your data to perform the requested tasks);

• Payment service providers and credit reporting agencies for the purpose of assessing your creditworthiness and verifying your information when required to enter into a contract with you;

• Third parties who help us with customer service and cosmetovigilance.

We may also communicate your personal data to third parties:

• If we sell a business or assets, in which case we may communicate your personal data to the potential buyer of that business or those assets. If L’Oréal France or L’OREAL NEDERLAND in the context of joint processing, or any part of their assets are acquired by a third party, personal data held about their customers and related to those assets may be one of the transferred assets. If applicable, in the latter case, the buyer acting as the new data controller processes your data and its personal data protection policy governs the processing of your personal data.

• If we are forced to disclose or share your personal data to comply with a legal obligation, or to enforce or apply our terms of use/sale or any other conditions you have accepted; or to protect the rights, property, or safety of L’Oréal France or L’OREAL NEDERLAND, their customers or employees.

• If we have your consent.

• Or if the law allows us to.

L’Oréal France may communicate your personal data to its partners (applicable only for L’Oréal France Processing):

• If the service you join was created by L’Oréal France in collaboration with a partner (e.g., a co-branded application). In this case, L’Oréal France and the concerned partner each process your personal data to fulfill their own purposes. Thus, your data is processed:

  • by L’Oréal France in accordance with this Personal Data Protection Policy;

  • by the partner also acting as a data controller according to its own terms and conditions and in accordance with its own personal data protection policy.

• L’Oréal France may publish content from social networks on its media. If you consult content from social networks on the L’Oréal France website/apps, a Cookie from the concerned social network may be placed on your device. For any additional information, L’Oréal France invites you to read the cookie policy of these social networks.

We do not offer or sell your personal data.

3.5. WHERE DO WE STORE YOUR PERSONAL DATA?

The data we collect from you may be transferred to, accessed from, and stored in a country located outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our service providers. We transfer personal data outside the EEA only in a secure manner and in compliance with applicable legislation. Since some countries may not have laws governing the use and transfer of personal data, we undertake to take all necessary measures to ensure that the third parties concerned comply with the conditions set out in this Policy. These measures may include checking the standards applied by these third parties in terms of personal data protection and security and/or signing appropriate contracts (based on the model adopted by the European Commission, available here). For any further information, please contact us according to the instructions in the "Contact" section below.

3.6. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We keep your personal data only as long as necessary to achieve the purpose for which we hold this data, to meet your needs, or to fulfill our legal obligations.

To determine the retention period of your data, we apply the following criteria:

• If you buy products and services, we keep your personal data for the duration of our contractual relationship;

• If you join a rewards program, we keep your personal data for the duration of your participation in the program;

• If you participate in a competition, we keep your personal data for 12 months from the end of the competition concerned;

• If you wish to be informed of the availability of a product, we keep your personal data for 3 months from the notification sent to you for this purpose;

• If you create a beauty profile (for example, to receive information on a suitable skincare routine), we keep your personal data for 3 months from the sending of this information;

• If you participate in a promotional offer, we keep your personal data for the duration of the promotional offer concerned;

• If you contact us regarding a question or complaint, we keep your personal data for the duration necessary to process your request;

• If you create an account, we keep your personal data until you ask us to delete it or after a period of inactivity (no active interaction with brands) defined in accordance with local regulations and currently up to 3 years of inactivity;

• If you have consented to receive commercial prospecting messages and to benefit from advertisements adapted to your interests during your browsing on third-party sites, we keep your personal data until you unsubscribe and/or withdraw your consent or until you ask us to delete it or after a period of inactivity (no active interaction with brands) of 3 years;

• If Cookies are placed on your computer, we keep your data only as long as necessary to achieve their purpose (e.g., for the duration of a session for cookies linked to the shopping cart or session identification cookies) and for any period defined in accordance with local regulations and instructions.

• If you visit one of our AESOP shops, we keep CCTV recordings for a period of 30 days from your visit.

We may keep certain personal data to fulfill our legal or regulatory obligations, and to allow us to exercise our rights (e.g., file a claim before any court) or for statistical or historical purposes.

• If you purchase products or services, we retain your personal data (in particular invoices, contracts, and payment data) for a period of up to 10 years after completion of the purchase in order to fulfill our statutory retention obligations under the LOCAL LAW.

Maximum Period: If there are multiple different retention or erasure periods for the same data, the longest period shall always prevail.

Commencement of Period: Unless a period of at least one year expressly begins on a specific date, it shall start automatically at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships, this is the point in time at which the termination becomes effective or the legal relationship otherwise ends.

Purpose Limitation during Retention: Data that we no longer keep for the originally intended purpose, but rather due to legal requirements (e.g., tax law), will be processed exclusively for those legally justified reasons and blocked for other processing.

When we no longer need to use your personal data, we delete it from our systems and files or anonymize it so that it no longer identifies you.

3.7. IS THE SECURITY OF YOUR PERSONAL DATA ENSURED?

We place great importance on the protection of your personal data and take all reasonable precautions for this purpose. We require trusted third parties who manage your personal data on our behalf to do the same via contract. We constantly do our best to protect your personal data. Upon receipt of your data, we apply strict procedures and security measures to try to prevent unauthorized access. As data transmission over the Internet is not completely secure, we cannot guarantee the security of your data transmitted to our site. Therefore, any transmission is at your own risk.

3.8. LINKS TO THIRD-PARTY SITES AND SOCIAL MEDIA LOGIN

L’Oréal France websites and applications may occasionally contain links to websites belonging to our networks, advertisers, and partner affiliates. If you follow a link to any of these websites, please note that these sites have their own personal data protection policies and that L’Oréal France is not responsible for these policies. L’Oréal France invites you to review these policies before sending any personal data to these websites.

L’Oréal France may also offer you the possibility of logging in using your social media accounts. If you decide to do so, L’Oréal France draws your attention to the fact that you provide us with your profile information based on the settings of the social networks you use. L’Oréal France invites you to visit the concerned social network and consult its personal data protection policy to understand how your data is shared and used in this context.

Information Facebook collects and shares with L’Oréal France: All Facebook features and services available on L’Oréal France websites/applications are governed by Facebook's Privacy Policy, where you can find more information about your rights and setting options. By using one of L’Oréal France's websites/applications, you can:

  1. Register with your Facebook account. In this case, you consent to share certain information from your public profile with L’Oréal France;

  2. Use Facebook social plug-ins, such as "like" or "share" our content on the Facebook platform;

  3. Accept cookies from this website/application (also known as "Facebook pixel"), which help us understand your activities, including information from your device, how you use L’Oréal France services, purchases you make, and advertisements you watch, whether or not you have a Facebook account or are logged in to Facebook.

When you use these Facebook features, L’Oréal France collects data that helps us:

• Display advertisements that might interest you on Facebook (or Instagram, Messenger, or any other Facebook service);

• Measure and analyze the effectiveness of L’Oréal France websites/applications and its advertisements.

3.9. SOCIAL NETWORKS AND USER-GENERATED CONTENT

Some of L’Oréal France's websites and applications allow users to upload their own content. We remind you that any content transmitted to one of the social networks it uses may be accessible to the public. Thus, we invite you to be cautious regarding the communication of certain personal data such as financial data or an address. We decline all responsibility regarding any measures taken by third parties in the event that you post personal data on one of these social networks, and we recommend that you do not share this information.

4. YOUR RIGHTS AND CHOICES

We respect your right to privacy

It is important that you have control over your personal data. You have the following rights:

| Your rights | What it means |
| --- | --- |
| Right to be informed | You have the right to obtain clear, transparent, and understandable information about how we use your data. |
| Right of access | You have the right to access the personal data we hold about you. |
| Right to rectification | You have the right to have your data corrected if it is inaccurate or obsolete. |
| Right to erasure / Right to be forgotten | In certain cases, you have the right to have your data deleted. This is not an absolute right as we may have legal grounds to keep it. |
| Right to object to direct marketing / profiling | You can unsubscribe from our marketing at any time via the link in our emails. |
| Right to withdraw consent | You can withdraw consent at any time for processing based on consent. |
| Right to object to processing based on legitimate interest | You can object to processing at any time when it is based on legitimate interests. |
| Right to lodge a complaint with a supervisory authority | You have the right to contact the data protection authority (e.g. CNIL for L’Oréal France) to challenge our practices. |
| Right to data portability | You have the right to move, copy, or transfer data from our database to another. |
| Right to restriction of processing | You have the right to request that we limit the processing of your data (keeping it without using it). |
| Right to deactivate Cookies | You can change your browser settings to restrict or block cookies. |

You can exercise your rights by sending a notification to the entities mentioned in the 'CONTACT' section or to our Data Protection Officer. Please note that we may need to request proof of your identity (e.g., a copy of your ID with non-required information redacted) and, if necessary, further details to verify your identity beyond doubt and to process your request in a legally secure manner.

5. CONTACT

If you have questions or remarks about how we process and use your personal data, or if you wish to exercise any of your rights mentioned above, you can contact the single point of contact established for this purpose:

L’Oréal NEDERLAND B.V.

Scorpius 141, Hoofddorp, 2132 LR, The Netherlands

aesop@nl.oaccare.com

For Belgium: aesop@be.oaccare.com

For other questions related to data protection, you may contact our Data Protection Officers directly (see section 1. above).