Privacy Policy

 

Welcome to our website www.kamaayurveda.com (hereinafter, the “Website”). Please read this Privacy Policy carefully.

Sections 1-13 serve as our Privacy Policy. Additional notices may be made at the point of collection, in which case those will supplement this Privacy Policy and govern that collection in the event of a conflict with this main Privacy Policy. Capitalized terms used but not defined herein will have the meanings given to them in applicable laws where we are subject to such laws, which may differ from one applicable jurisdiction to another.

Section 14 of this Privacy Policy describes Consumers’ privacy rights under State Privacy Laws that apply to us (“State Privacy Rights”) and how to exercise them and serves as our pre-collection notice.

1. Our commitments

We respect Users' (defined below) right to be informed regarding the processing of their personal information or personal data (referred herein as “Personal Data”), as those terms are defined under the applicable law.

For the purposes of the Data Protection Legislation (as defined below) companies of the PUIG Group that may need to have access to and process the Personal Data collected on the Website for one of the purposes listed below shall be considered as separate and independent controllers of your Personal Data. In this context, the following companies (hereinafter, jointly referred to as the “Companies”) may be classified as controllers of your Personal Data with respect to the following data processing activities:

  • Online Sales & Virtual Appointments (as defined below): Online Store located in United Kingdom (including customer service functions provided in conjunction with online sales): PUIG UK Limited – a United Kingdom company with its registered office at 5th floor, Russell Square House, 10-12, London (UK) WC1BEH, or as applicable, as per the corresponding online store location, another entity within the PUIG Group or duly authorized by Puig, acting as the relevant selling entity (hereinafter, referred to as “Selling Entity”).
  • Marketing purposes (as defined below) (including general Online Customer and Information/Complaint Services regarding the Website): ANTONIO PUIG S.A. - a Spanish company with registered office at Plaça d’Europa 46-48, 08902, L’Hospitalet de Llobregat, Barcelona, Spain, holder of Tax Identification Number nº A08158289 and intra-European number VAT: ESA08158289, recorded with the Commercial Registry of Barcelona (hereinafter, referred to as “ANTONIO PUIG S.A. or APSA”).

This Privacy Policy relates to Personal Data collected when a user accesses our Website including purchasing goods and/or filling out forms. This Privacy Policy is designed to help you understand how the Companies collect and use your Personal Data, the purposes for which it is collected, and to set out the rights you have in relation to your Personal Data. 

To ensure the accuracy of your Personal Data in our files, please communicate any changes to our customer service department, the contact details of which are below. We reserve the right to suspend or interrupt the provision of any requested services should you provide inaccurate Personal Data. This is without prejudice to any other cause of action we may have. 

For any issues or questions relating to this Privacy Policy you can contact our Customer Service via the helpdesk here.

This Privacy Policy also ensures compliance with data protection regulations applicable in all jurisdictions where the Company operates.

2. Applicable Law

Any and all Personal Data sent to the Companies through the Website and/or the course of the purchase of products will be collected and/or processed by the Companies pursuant to the laws applicable to the state/country of residence of the customer including, as it pertains to residents of the European Union, EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR) and the UK GDPR (General Data Protection Regulation) and Data Protection Act 2018, without prejudice however to any applicable local mandatory laws benefitting consumers, in accordance with EU Regulation 593/2008 (“ROME I”) of 17 June 2018, or any other conflict of laws rules applicable in the United Kingdom (together, “Data Protection Legislation”).

In addition to the above, the Companies comply with the data protection laws, as applicable based on the user’s jurisdiction where the Company offers goods or services:

  • European Union: General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”)
  • United Kingdom: UK GDPR and Data Protection Act 2018
  • Singapore: Personal Data Protection Act (PDPA)
  • United States: Applicable state-level privacy laws, including the CCPA/CPRA and other similar laws in force in certain U.S. states. The specific privacy policy is in Section 14.
  • Other jurisdictions as applicable depending on your location

Where country-specific requirements apply (such as additional rights, lawful bases, data transfer conditions), they are addressed in this Privacy Policy or available upon request.

3. Who Collects and Processes Your Personal Data, How and For Which Purposes?

The Company may collect and process your Personal Data for a variety of different purposes. The reasons for collecting Personal Data are expressly listed in the information below. The responsible controller is specified for each particular purpose.

  • Online Sales

Your Personal Data may be processed to provide you with e-commerce services, for example to:

  • Fulfil placed orders for products;
  • Communicate with you in relation to the order (including shipping updates, returns, or payment verification);
  • Provide your Personal Data to our service providers strictly as needed to fulfil your order;
  • Process refunds, issue invoices, and respond to post-sale claims or complaints.

This data processing is based on the fulfilment of our contractual obligations with the client in relation to the order.

Your Personal Data may also be processed to enable us to send users information such as newsletters, commercial information and updates related to previously purchased products, offers, exclusive sales, promotional campaigns, events and similar initiatives organized by the Companies. You can opt out of receiving such communications at any time.

At times we may be the recipient of Personal Data of third parties when disclosed by a user of our website, for example when a customer purchases a product to be delivered to a friend as a gift, or a customer provides a friend’s email address to receive promotional emails.

In this case, please make sure you receive the consent of such individuals before disclosing their Personal Data to us and make sure you inform them about this Privacy Policy; you will be the only person liable in connection with the disclosure of information and data regarding such third parties if they have not provided you with their prior explicit consent for it and for any improper and unlawful use of that information. In any event, we shall fulfil any obligation to inform third parties required by law and, when necessary, shall request their explicit consent upon registering in their archives the Personal Data of the User indicated.

The specific Company, which is acting as a seller, shall be considered as the controller of the Personal Data collected and processed on the Website for Commercial Purposes, as it will determine the purposes and means of processing such data: PUIG UK.

  • Virtual Appointments and Store Services

In addition to online purchases, we may also collect and process your Personal Data when you book virtual or in-store appointments with our consultants via the Website.

This data includes, but is not limited to: Name and surname; Email address; Phone number; and Preferred point of sale or consultation slot.

This Personal Data is processed for the following purposes:

  • To manage your booking and ensure the appointment is scheduled and confirmed correctly.
  • To personalize your in-store or virtual experience by understanding your interests or needs in advance.
  • To send follow-up communications, promotional information, or product recommendations related to the consultation. You may opt out of receiving such communications at any time.

The corresponding Selling Entity will be the controller of the Personal Data collected through appointment forms and may share this data with other Puig Group affiliates or service providers involved in managing such consultations (e.g., IT support, customer service teams, CRM systems), always under appropriate contractual safeguards.

Your Personal Data will be retained only as long as necessary to provide the consultation service or fulfill applicable legal obligations (such as for recordkeeping, invoicing, or warranty purposes).

  • Marketing Purposes (Website and individual Online-Shops)

With your explicit consent, your Personal Data may also be processed to:

  • Send you commercial communications via email, SMS, phone;
  • Send you complimentary product samples, where applicable;
  • Notify you about new collections, exclusive launches, brand events and offers;
  • Offer loyalty program services or birthday rewards;
  • Personalize your experience and display content based on preferences or purchase history.

You may opt out of receiving such communications at any time by contacting our Customer Service Department here. You can always withdraw your consent regarding the data processing for Marketing Purposes by informing us using the contact information provided in clause 8 below.

Your Personal Data will not be disclosed to third parties outside of the PUIG group other than us for purposes which are not permitted by law or without your consent.

ANTONIO PUIG S.A. shall be considered as the controller of your Personal Data collected and processed on the Website for Marketing Purposes, as it determines the purposes and means of processing Personal Data.

 

  • Browsing Data and Analytics

Personal Data in the form of web browsing data (“traffic data”) may also be collected when you use the Website. These data are collected primarily to:

  • Facilitate navigation and improve the technical performance of the Website;
  • Enable personalized product suggestions and advertising;
  • Analyze aggregated statistics regarding website use;
  • Detect fraudulent or suspicious activity.

Such information may include your IP address, browser type, operating system, date and time of access, the website from which you accessed ours, and how you interact with our site.

  • Security Purposes: Based on the Company’s legitimate interest, your Personal Data may be processed to:
  • Detect fraudulent activity on your device and to keep the Website and Online Sales away from attackers who may try to access your account by impersonating you. In particular, the Selling Entity may use IP address, device, profile, usage, payment data and other data to prevent and detect malicious or unsafe activities (e.g. payment fraud, identity fraud, account hacking, phishing, incentive abuses); and monitor all actions that could cause fraud or in the commission of a criminal offence related to the payment method employed by you; if any irregularities are detected, the Company reserves the right to retain the data provided and share it with the competent Authorities to carry out the relevant investigation.

APSA shall be considered as the controller of your Personal Data collected and processed for the abovementioned purposes.

    • CCTV surveillance and Traffic analytics (footpath analysis sensors) systems in place across our Stores/SPAs to safeguard the safety and security of team members, customers, property, and assets; to prevent and detect crime, including theft, fraud, and vandalism; and to monitor the operation of our Stores/SPAs for the purposes of improving customer service and team member training.

The corresponding Selling Entity shall be considered as the controller of your Personal Data collected and processed for the abovementioned purposes.

 

4. Choices: Tracking and Communications Options

A. Tracking Technologies Generally

Our Website uses cookies and similar technologies (such as pixels, tags, or device identifiers) to provide and improve services, analyze traffic, and deliver personalized content or advertising. Most web browsers are configured to accept cookies by default, but you may modify your browser settings to refuse or remove cookies.

Please note that disabling or rejecting cookies may affect your ability to use certain features of the Website or limit the overall user experience.

Where legally required, we will request your prior consent before setting non-essential cookies on your device. You may change or withdraw your cookie preferences at any time by accessing the “Cookie Settings” section available through our Website banner.

If you have activated a Global Privacy Control (GPC) signal in your browser, we will honor that signal as a valid opt-out request in jurisdictions where it is legally recognized.

B. Analytics and Advertising Technology

We may work with third-party providers, including advertising platforms and analytics services (such as Google Ads, Meta, or similar), to collect data about your interactions with the Website. These third parties may use cookies, device identifiers, and other tracking technologies to analyze browsing behavior, measure the effectiveness of marketing campaigns, and serve personalized ads based on your preferences or prior activity.

In some cases, we may use hashed versions of your email address to create custom or lookalike audiences on social media platforms for targeted advertising purposes. These audiences are generated through secure matching processes and are subject to the policies of the relevant platform.

You can manage your preferences regarding interest-based advertising by adjusting the cookie settings on our Website or using tools provided by industry organizations, such as the Digital Advertising Alliance (DAA). Please note that opting out of such advertising does not mean you will no longer see ads—only that they may be less tailored to your interests.

Residents of certain U.S. states have additional, more comprehensive, rights more fully explained in the Do Not Sell/Share/Target Opt-out subsection of the State Privacy Rights section.

 

5. What happens if you Do Not Disclose Your Personal Data to us?

Granting your Personal Data to us (in particular, your personal details, your e-mail address, your address, your Credit/Debit Card numbers and bank code and your telephone number) is necessary for:

  • Processing your order for the purchase of products on the Website;
  • Supplying other services provided on the Website upon your request;
  • Complying with obligations required by law or regulations.

The refusal to provide us with some of your Personal Data necessary for performing the above purposes may consequently prevent us from:

  • Processing your order for the purchase of products sold on the Website;
  • Sending you requested Newsletters;
  • Providing access to certain Website features;
  • Complying with applicable legal obligations (e.g., tax, accounting, fraud prevention).

Therefore, failing to provide Personal Data may constitute, in some cases, a legitimate and justified reason for not processing your order for the purchase of products sold on the Website or not providing the Website’s services.

Disclosure of further Personal Data to us other than that required for fulfilling legal or contractual obligations and to properly browse our services with necessary traffic data is, on the contrary, optional and does not have any effect on the use of the Website and of its services or on the purchase of products on the Website.

We will inform you at every step whether disclosing your Personal Data to us is compulsory or optional by marking with an appropriate symbol (*) the information that is compulsory, or data needed for the purchase of products on the Website.

 

6. To Whom Your Personal Data Will Be Disclosed

Your Personal Data will be disclosed to trusted third party providers that perform a range of business operations (hereinafter, the "Trusted Third Parties"), such as:

  • Customer service: handling support, returns, queries;
  • Payment providers: processing transactions securely;
  • IT and hosting: platform and data infrastructure support;
  • Marketing partners: CRM platforms, newsletter management tools;
  • Analytics platforms: analyzing site usage and behavior;
  • Delivery/logistics: shipping, order tracking, customs clearance;
  • Referral programs: e.g., MentionMe for customer referrals.
  • Security services, for purposes related to payment fraud, identity fraud, account hacking, phishing, incentive abuses, etc. (“Fraud Detectors”). Fraud Detectors collect Personal Data from the Website (e.g., identifiers and contact information, personal records, commercial information, internet activity, geolocation data, and inferences) and elsewhere and use that data to analyze, evaluate, and predict whether a particular transaction is unusual for a particular consumer or otherwise indicative of fraudulent activity, such as if a credit card is suddenly used for multiple transactions in different locations within a short period, or if the proposed transaction does not align with the prior purchase behavior of a particular consumer, including spending patterns, location, transaction amounts, frequency of transactions, and types of merchants. If the Fraud Detectors detect fraud or illegal activity, then you may be prevented from completing a transaction/purchase. This Fraud Detector activity is beneficial to consumers because it is meant to prevent misuse of consumers’ credit card information on our Website and to otherwise protect consumers’ other Personal Data.
  • CCTV vendors, for purposes related to in-Store safety, crime prevention, and training purposes.
  • Moreover, your Personal Data may be disclosed to the police or to judicial authorities, according to applicable laws and upon a formal request by such entities, for example in the event we need to prevent fraud on the Website.

Where Processors are located outside your country or outside the European Economic Area (EEA), appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent legal mechanisms are in place to ensure the protection of your Personal Data.

7. Security Measures and Retention Period

We have adopted security measures to protect Personal Data against:

  • Accidental or unlawful destruction;
  • Accidental loss;
  • Alteration;
  • Unauthorised disclosure or access;
  • And against all other reasons for data processing that do not comply with this Privacy Policy.

For the best possible protection of your Personal Data outside the limits of our control and management of the same, it is advisable that your computer be provided with software devices that protect network data transmission/receipt (such as updated antivirus systems) and that your Internet service provider take appropriate measures for the security of network data transmission (such as, for example, firewalls and anti-spam filtering).

We will only hold your Personal Data for so long as is necessary for us to fulfil the purposes set out in this Privacy Policy (e.g., in case of online sales for as long as required by local tax, corporate and warranty laws; in case of consent, until you revoke your consent). Where we no longer need to process your Personal Data for the purposes set out in this Privacy Policy, then we will delete your Personal Data from our system.

 

8. Transfer of your Personal Data to other countries

The Personal Data we collect from you is currently held within the European Union (‘EU’), except personal data which is collected via Cookies on the Website of the Companies. However, it is possible that in the future such Personal Data may be transferred, stored and/or processed outside the EU.

By submitting your Personal Data, you agree to this transfer, storing and/or processing. Please note that some cookie providers and data recipients may be in the United States or other countries which may have a lower level of data protection. For further information, click on “Cookie Settings” in the Cookie Banner. However, we will take reasonable steps to ensure that your Personal Data is given equivalent protection in accordance with the Data Protection Legislation, by implementing adequate contractual conditions in our agreements with business partners dealing with transfer of Personal Data to ensure that Personal Data are processed according to our instructions, and in such a way to maintain their integrity and security.

 

9. Children and Teens

Our Website is intended for individuals who are of the age of majority in the jurisdiction in which they reside, and are not directed at, marketed to, nor intended for children or other minors. Dr. Sturm does not knowingly collect any data, including Website Personal Data, from children or other minors. If you believe that we have inadvertently collected Personal Data from a child under 13 years of age, please contact us, and we will take immediate steps to delete or otherwise treat the data as required by applicable law. Some State Privacy Laws provide additional consideration for children and teens. More information on the privacy of the Personal Data of / from children and, where regulated by State Privacy Laws, teen (collectively “Child-Aged”) consumers is included in the Child-Aged Consumers of Certain States subsection of the State Privacy Rights section below.

 

10. Your rights in relation to your Personal Data

We set out below a summary of the rights available to you in connection with your Personal Data, in accordance with applicable data protection laws.

For your convenience, and without prejudice to certain formal requirements set out in the Data Protection Legislation, you can exercise any of these rights by contacting us via our helpdesk here.

Right to withdraw your consent:

You may withdraw the consent you give to the Companies for processing your Personal Data at any time. Please note, however, that where you do withdraw your consent or otherwise object to our processing of your Personal Data then this may affect our ability to provide you with goods and services or affect the functionality of our Website.

In addition, if you want to stop receiving future marketing messages, communications, and materials at any time, you can do so alternatively by clicking the 'unsubscribe' link, which is included in all our email marketing messages.

If you would like to close your account with us, please contact customer service by submitting a request here.

Right to access your Personal Data in our possession:

You are entitled to obtain, at any time, confirmation from us as to whether or not we are processing your Personal Data and, where that is the case, access such Personal Data.

Moreover, you are entitled to receive from us information on:

  • The source of your Personal Data;
  • The purposes and methods of processing;
  • The logic applied if the processing is carried out by electronic means;
  • The identity and contact details of the controller and of any data processors;
  • The entities or categories of entities to whom your Personal Data may be disclosed.

Right to rectification:

You have the right to obtain from us without undue delay the rectification of inaccurate Personal Data that we hold and which concerns you. This includes the right to have incomplete data completed, including by providing a supplementary statement.

Right to erasure (“right to be forgotten”):

You have the right to obtain from us the erasure without undue delay of Personal Data concerning you where one of the grounds set out in the Data Protection Legislation applies, such as when:

  • The data are no longer necessary for the purposes for which they were collected;
  • You withdraw consent and there is no other legal basis for the processing;
  • The data have been unlawfully processed.

Right to restriction of processing:

You may request the restriction of processing of your Personal Data where:

  • You contest the accuracy of the data;
  • The processing is unlawful and you oppose the erasure;
  • We no longer need the data but you require them for legal claims;
  • You have objected to processing pending the verification of legitimate grounds.

Right to data portability:

You have the right to receive from us the Personal Data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us. This right shall include the right to require us to transmit the relevant Personal Data to another controller on your behalf, where technically feasible. This right only applies to personal data that: (i) we gain your consent to process; or (ii) we obtain to perform our contractual obligations to you, and in each case to the extent we process your Personal Data by automated means.

Right to object:

You may object at any time to the processing of your Personal Data for direct marketing purposes, including profiling to the extent that it is related to such marketing. You also have the right to object to processing based on legitimate interest, unless we can demonstrate compelling legitimate grounds.

Right to lodge a complaint:

You are entitled to exercise your right to lodge a complaint with a competent supervisory authority, in particular in the Member State or in the UK depending on your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes Data Protection Legislation.

The relevant authority in the UK to make a complaint is the Information Commissioner's Office (ICO), and in the EU, your national data protection authority (e.g., AEPD in Spain, CNIL in France).

 

11. Opt-in/Opt-out

Each time your consent is required for the processing of your Personal Data, the Companies will inform you in advance and will give you the opportunity to explicitly provide or withhold your consent for the use of your Personal Data, including your e-mail address, for the above purposes, by ticking the appropriate boxes or selecting your preferences in our online forms.

Where required by applicable law, consent will be:

  • Freely given, specific, informed and unambiguous;
  • Granular, meaning you can choose which types of processing (e.g., marketing emails, profiling, third-party sharing) you accept;
  • Verifiable, and where necessary, collected through double opt-in;
  • Easily withdrawable at any time through the mechanisms indicated in this Privacy Policy or our communications.

 

12. Contact Us

You may contact the Companies at any time for any concern, request, or question regarding this Privacy Policy or the processing of your Personal Data.

You can reach us by email at: [email protected]

 

13. Amendments and updating of this Privacy Policy

We may amend or simply update all or part of this Privacy Policy, including when amendments are made to legal provisions or regulations, which govern data protection and protect your rights.

The amendments and the updating of the Privacy Policy shall be binding as soon as they are published on the Website in this section.

You are therefore encouraged to regularly check this section to consult the publication of the most recent and updated version.

When we introduce material changes that affect your rights or the way we process your Personal Data, we will notify you directly (e.g., via email or pop-up notice) and request renewed consent where required by law.

If you have any questions or concerns about how we process and use your Personal Data, please contact the Puig Data Protection Officer at [email protected]

 

14. U.S. State Privacy Notice for our Customers in Certain U.S. States

EFFECTIVE DATE: 29/05/2025

This U.S. State Privacy Notice (“Privacy Notice”) supplements the information contained in this Privacy Policy and applies only to Consumers, as defined under the applicable State Privacy Laws (defined below), who do not interact with us in the HR Context (defined below) (“Consumers”). In California, the term “Consumer” is not limited to data subjects acting as individuals in a household goods and services context and includes individuals acting in a business-to-business context.

This Privacy Notice is designed to provide Consumers with notice of our Personal Information or Personal Data (as those terms are defined under the State Privacy Laws and hereinafter collectively referred to as “Personal Data”) practices over the prior 12 months, including our online and offline business activities (the “Business Activities”), and to meet the notice requirements of:

  • California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”),
  • Colorado Privacy Act,
  • Virginia Consumer Data Protection Act,
  • Utah Consumer Privacy Act,
  • Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring,
  • Oregon Consumer Privacy Act,
  • Texas Data Privacy and Security Act,
  • Montana Consumer Data Privacy Act (effective October 1, 2024),
  • Chapter 603A of the Nevada Revised Statutes,
  • and, effective January 2025: Delaware Personal Data Privacy Act, Iowa Consumer Data Protection Act, Nebraska Data Privacy Act, New Hampshire Data Privacy Law, New Jersey Privacy Law, and substantially similar state consumer privacy laws that may hereafter be applicable (collectively “State Privacy Laws”).

If our processing materially changes between updates to this Privacy Notice, we will provide a supplemental notice when or before the changes apply. Otherwise, this Privacy Notice serves as our notice at collection (i.e., pre-collection notice).

 

A. Notice of Collection and Privacy Practices

If you interact with us in the “HR Context” (e.g., as a California employee, former employee, job applicant, independent contractor, etc.) this Privacy Notice does not apply to you. Please contact our HR Department to obtain a copy of the Privacy Notice that applies to Personal Data collected in the HR Context.

This Privacy Notice also does not apply to data that is not treated as Personal Data or that is subject to an exemption under applicable State Privacy Laws.

Generally, we collect, retain, use, disclose and otherwise process your Personal Data in connection with our Business Activities for purposes including:

  • Providing or promoting to you our products and services;
  • Operating our business;
  • Sharing with Third-Party Digital Businesses.

This may include disclosing or making Personal Data available to service providers or “processors” (as defined under State Privacy Laws) acting on our behalf, as well as to third parties. The categories of sources from which we collect your Personal Data include:

  • You, directly;
  • Other Consumers;
  • Your employer (in a B2B context);
  • Our Processors;
  • Third-Party Digital Businesses.

To learn about your privacy rights under State Privacy Laws and how to exercise them, please refer to the Your Rights and Choices section, which includes a notice of how to exercise Do Not Sell/Share/Target Opt-out rights.

 

B. Processing of Personal Data

We collect, retain, use, and disclose your Personal Data to provide you with our products and services, or information about them, and to operate our business, including for one or more of the following “Business Purposes”:

  • Providing Products or Services: Processing transactions and payments, fulfilling orders, delivering products, enabling product reviews, managing accounts, sending order confirmations and other transactional communications, and providing customer service and support.
  • Managing Interactions and Transactions: Administering loyalty programs, promotions, or surveys; managing subscriptions; personalizing user experiences and interactions with our services; managing customer preferences and communications.
  • Security and Debugging: Detecting and responding to security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and maintaining the security and integrity of systems and data.
  • Advertising and Marketing: Sending marketing emails or communications about our products and offers, analyzing engagement, conducting advertising campaigns (excluding targeted advertising where opt-out rights apply), and evaluating the effectiveness of our communications and promotional activities.
  • Quality Assurance: Monitoring and improving customer service interactions, including through call recordings, surveys, and feedback.
  • Research and Development: Conducting internal testing, analytics, and research to develop new products and improve existing offerings and user experience.
  • Operation of Our Business: Engaging third-party service providers and consultants who process data on our behalf for operational support, handling claims, maintaining business records, complying with legal obligations, and supporting merger or acquisition processes. These activities are carried out consistent with applicable State Privacy Laws and are not considered “sales,” “shares,” or “targeted advertising” unless otherwise specified.

In addition to the above, we may also disclose Personal Data for Commercial Purposes, which may be considered a “sale,” “share,” or involve “targeted advertising” under certain State Privacy Laws. These disclosures generally involve providing access to digital activity data (such as IP addresses and browsing behavior) to third-party digital platforms or analytics partners. The objective is to enhance the relevance of our marketing and content to you. These activities are described in detail in Section C, including by category of Personal Data and recipient.

The Business Purposes and Commercial Purposes described above may apply to all categories of Personal Data collected, unless otherwise stated. Processing of Sensitive Personal Data, when applicable, is addressed separately in the detailed tables in Section C.

 

C. Collection, Disclosure and Retention of Personal Data

| Category of Personal Data | Examples of Personal Data Collected and Retained | Categories of Recipients | Sale/Share |
| --- | --- | --- | --- |
| Identifiers | Name, postal address, email address, unique personal identifier, IP address, online identifier, account name, and other similar identifiers. | Disclosures for Business Purposes: Operational Service Providers (e.g., e-commerce platform, IT providers, marketing partners); Corporate Recipients; Government; Other Business Recipients | None |
| Personal Records | Name, contact information, payment card details. | Operational Service Providers; Corporate Recipients; Government; Other Business Recipients | None |
| Commercial Information | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories. | Operational Service Providers; Corporate Recipients; Government; Other Business Recipients | None |
| Internet or Other Electronic Network Activity Information | Browsing history, search history, interactions with websites or advertisements. | Operational Service Providers; Corporate Recipients; Government; Other Business Recipients | Third-Party Digital Businesses |
| Geolocation Data | Approximate geolocation from your device when interacting with our website. | Operational Service Providers; Corporate Recipients; Government; Other Business Recipients | Third-Party Digital Businesses |
| Inferences | Preferences, behavior inferred from other personal data. | Operational Service Providers; Corporate Recipients; Government; Other Business Recipients | None |

 

Sensitive Personal Data

We also collect and process Sensitive Personal Data, as defined under certain State Privacy Laws. The table below sets out the details:

 

| Category of Sensitive Personal Data | Examples of Sensitive Personal Data | Processing Purpose(s) | Categories of Recipients | Sale/Share |
| --- | --- | --- | --- | --- |
| Account Log-in Credentials | Email and password combination or other credentials used for accessing accounts | Provide and manage online accounts; Customer support; Order processing; Security and fraud prevention | Operational Service Providers; Corporate Recipients; Government; Other Business Recipients | None |
| Precise Geolocation Data | GPS coordinates of a user device (if permitted) | Enhance user experience; Location-based services or offers; Order fulfillment and fraud prevention | Operational Service Providers; Corporate Recipients; Government; Other Business Recipients | None |

 

Sources of Personal Data

We obtain the categories of Personal Data and Sensitive Personal Data listed above from the following sources:

  • Directly from consumers, such as during purchases or account registration.
  • Indirectly from consumer interactions with our website or advertisements.
  • Through Third-Party Digital Businesses when you interact with our ads or submit content on social media platforms.

 

D. Disclosures of Personal Data

As described in the Collection, Disclosure and Retention of Personal Data section and Processing of Personal Data section above, we may disclose your Personal Data to a third party for a Business Purpose.

Certain disclosures of Personal Data to Third-Party Digital Businesses (e.g., for advertising or analytics purposes) may be considered a “sale” or “share” under applicable State Privacy Laws due to the broad definitions of these terms. However, the Company does not “sell” or “share” Personal Data in the ordinary sense of selling data for money. Where our activities fall within the definitions of “sale,” “share,” or “targeted advertising,” we honor the consumer’s right to opt-out, as detailed in Section E below.

We disclose Personal Data to the following categories of recipients:

  • Operational Service Providers: These include vendors who provide cloud hosting, website support, payment processing, order fulfillment, analytics, marketing support, and customer service.
  • Corporate Recipients: Other entities within our corporate group or in the context of a merger, acquisition, or other corporate transaction.
  • Government: Government authorities or regulators when required to comply with legal obligations or lawful requests.
  • Other Business Recipients: Professional advisors (e.g., legal or accounting firms), or other third parties at your direction or with your consent.

We disclose Personal Data only to the extent necessary to carry out legitimate Business Purposes, Commercial Purposes, or legal obligations, in compliance with applicable State Privacy Laws.

 

E. Your Rights and Choices

Subject to meeting the requirements for a Verifiable Consumer Request and any limitations under applicable State Privacy Laws, the Company provides Consumers in states with relevant privacy laws the rights described in this section.

If you reside in a state where we are not subject to that state's privacy law (e.g., due to not meeting applicability thresholds), we may still consider your request at our discretion.

To exercise any of your rights, or to designate an authorized agent to make a request on your behalf, please refer to Section F below. We do not process Consumer rights requests through other channels (e.g., social media, chatbots, etc.). Please reply to any follow-up requests to help us complete your submission.

  1. Right to Limit Sensitive Personal Data Processing

We only process Sensitive Personal Data for purposes that are exempt from consumer choice under State Privacy Laws. For example, we process your Personal Data to perform the services/provide the goods that you requested. In addition, we may process Consumers’ Personal Data with their consent where required by State Privacy Laws. If a Consumer provides us with their sensitive Personal Data for a particular purpose, they will have consented to processing for that purpose.

  2. Right to Access Categories / Confirm Processing

California residents have a right to submit a request for any of the following for the period that is 12 months prior to the request date:

  • The categories of Personal Data we have collected about you.
  • The categories of sources from which we collected your Personal Data.
  • The Business Purposes or Commercial Purposes for our collecting, selling, or sharing your Personal Data.
  • The categories of third parties to whom we have disclosed your Personal Data.
  • A list of the categories of Personal Data disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.
  • A list of the categories of Personal Data sold or shared about you and, for each, the categories of recipients, or that no sale or share occurred.

Residents of other applicable states are entitled to confirm our processing of their Personal Data. They can do so by making a Categories request.

For Delaware residents, you may request a list of the categories of third parties to whom we have disclosed your Personal Data. For Oregon residents, you may request a list of the specific third parties to whom we have disclosed your Personal Data, if we are able to, or Personal Data generally.

  3. Right to Access Specific Pieces of Data

Consumers have a right to obtain a transportable copy, subject to applicable request limits, of your Personal Data that we have collected and are maintaining. California residents may also request specific pieces of their Personal Data. For a copy of your specific pieces of Personal Data, as required by applicable State Privacy Laws, we will apply heightened verification standards. We have no obligation to re-identify data or to keep Personal Data longer than we need it or are required to by applicable law to comply with access requests.

  4. Do Not Sell/Share/Target Opt-out

Consumers of certain states have a right to opt-out of Personal Data “sales”; provided, however, that Nevada residents are only entitled to the non-cookie opt-out explained below. California also has an opt-out for “sharing” for cross-context behavioral advertising. Non-California states have an opt-out of “targeted advertising.”

Third-Party Digital Businesses may associate cookies and other Tracking Technologies that collect Personal Data about you on our Website, or otherwise collect and process Personal Data that we make available about you. We will treat such Personal Data collected by Third-Party Digital Businesses, where not limited to acting as our Processor, as a sale/sharing that is subject to a Do Not Sell/Share/Target opt-out request.

Opt-out for Non-Cookie Personal Data: To opt-out of the sale/sharing/targeted advertising of non-cookie Personal Data (e.g., your email address), submit an opt-out request via Section 15.F., below.

Opt-out for Cookie Personal Data: To opt-out of cookie-related Personal Data processing, use our consent management tool, accessible via the “Do Not Sell or Share My Personal Information” link in the Website footer. Preferences must be set on each website, browser, and device. Blocking or clearing cookies resets your preferences.

Opt-out Preference Signals (Global Privacy Control, “GPC”): We recognize GPC signals in accordance with State Privacy Laws and apply them to browser-specific cookie Personal Data. We do not process GPC signals for non-cookie Personal Data due to lack of matching capability.

We may disclose your Personal Data for the following purposes, which are not a sale or sharing: (i) if you direct us to disclose Personal Data; (ii) to comply with a privacy rights request you submit to us; (iii) disclosures within the Company or in the context of a Corporate Transaction; and (iv) as otherwise required or permitted by law.

  5. Child-Aged Consumers of Certain States

We do not knowingly sell/share/use for targeted advertising the Personal Data of Child-Aged Consumers, as defined under applicable State Privacy Law, unless we obtain proper opt-in consent. If you believe we have done so without consent, please report it to us.

  6. Deletion Requests Rights

You have the right to request that we delete any of your Personal Data that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your Verifiable Consumer Request, we will delete your Personal Data from our records and direct our Service Providers and third parties to delete it from their records, unless an exception applies. If an exception applies, we will limit processing to such permitted purposes and to the duration of those purposes.

We may deny your deletion request if retaining the Personal Data is necessary for us or our Service Providers to:

  1. Complete the transaction for which we collected the Personal Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  6. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  7. Comply with a legal obligation.
  8. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  9. Other purposes permitted by State Privacy Laws.

Please be aware that making a deletion request does not ensure complete or comprehensive removal or deletion of your Personal Data or content that you may have posted. Note also that depending on where you reside (e.g., California), we may not be required to delete your Personal Data that we did not collect directly from you.

  7. Correction Request Rights

You have a right to request correction of inaccurate Personal Data we maintain about you. We will act upon such requests as required by law.

  8. Automated Decisionmaking / Profiling

We use Fraud Detectors that may involve profiling and automated decision-making. This includes processing Identifiers, Personal Records, Commercial Information, Geolocation Data, Internet Activity, and Inferences. We cannot offer opt-out of this processing due to its importance in fraud prevention and compliance.

 

F. Exercising Your Consumer Privacy Rights

To submit a request to exercise your consumer privacy rights, or to submit a request as an authorized agent, please submit a Verifiable Consumer Request to us by email at [email protected]. Please respond to any follow-up inquiries we make to help us complete your request. We do not accept or process consumer privacy rights requests through other means (e.g., via fax, chats, or social media, etc.), except that notices of Child-Aged Personal Data issues and general privacy inquiries may be directed to us by contacting us.

  1. Authorized Agent Requests

Only you or a person that you authorize to act on your behalf may make a Verifiable Consumer Request related to your Personal Data, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you, in accordance with the Verification of Your Request section below. You may also make a Verifiable Consumer Request on behalf of your minor child. We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable laws.

  2. Verification of Your Request

We do not verify opt-outs of sale/sharing or requests to limit sensitive Personal Data processing unless we suspect fraud. As permitted or required by State Privacy Laws, any other request you submit to us must be a “Verifiable Consumer Request,” meaning when you make a request, we may ask you to provide verifying information, such as your name, email, phone number, account, and/or transaction information. We will review the information you provided and may request additional information (e.g., customer history) via email or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Access Categories / Confirm Processing, Right to Access Specific Pieces of Information, Deletion, or Correction request(s) unless you have provided sufficient information for us to reasonably verify you are the consumer about whom we collected Personal Data. Only you, or someone legally authorized to act on your behalf (your authorized agent), may make a Verifiable Consumer Request related to your Personal Data or the Personal Data of your child.

We verify each request as follows:

  • Right to Access Categories / Confirm Processing (California residents only): We verify your request to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for verifying you. If we cannot do so, we will refer you to this Privacy Notice for a general description of our data practices.
  • Right to Access Specific Pieces of Information: We verify your request to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable, together with a signed declaration under penalty of perjury that you are the consumer whose Personal Data is the subject of the request. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will treat your request as a Right to Access Categories / Confirm Processing request.
  • Do Not Sell/Share/Target Opt-out: No specific verification required unless we suspect fraud.
  • Deletion Request: We verify your request to a reasonable degree of certainty (two data points) or to a reasonably high degree of certainty (three data points), depending on the sensitivity of the Personal Data and the risk of harm posed by unauthorized deletion.
  • Correction Request: We verify your request to a reasonable or reasonably high degree of certainty (two or three data points), depending on the sensitivity of the Personal Data and the risk of harm posed by unauthorized correction.

To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use Personal Data provided in a Verifiable Consumer Request only to verify your identity and authority to make the request and to track and document request responses unless you also gave it to us for another purpose.

  3. Response Timing and Format

We endeavor to respond to a Verifiable Consumer Request within the time permitted under State Privacy Laws. To the extent permitted, if we require more time, we will inform you of the reason and extension period in writing. We will deliver our response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily usable and should allow you to transmit the information from one entity to another without hindrance. We endeavor to respond to requests to opt-out of sale/sharing within 15 days of receipt.

We do not charge a fee to process or respond to your Verifiable Consumer Request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Consistent with State Privacy Laws and our interest in the security of your Personal Data, we will not deliver information regarding your Social Security number, driver’s license number, or other government-issued ID number, financial account number, an account password, or answers to security questions in response to a privacy rights request; however, you may be able to access some of this information yourself through your account if you have one with us.

  4. Appeals

You may appeal the Company’s decision regarding a privacy rights request you submitted (or that was submitted on your behalf by your authorized agent) by following the instructions provided in our response. California and Utah residents are not entitled to request an appeal.

 

G. Non-Discrimination

We will not discriminate against you for exercising any of your rights under State Privacy Laws. Unless permitted by such laws, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate or different level or quality of goods or services.

 

H. Notice of Financial Incentive

We may offer discounts or other rewards (“Incentive(s)”) from time to time to Consumers who provide us with Personal Data, such as name, phone number, email address, IP address, or location. You may opt in to Incentives by entering a competition, promotion, or survey or other loyalty programs (“Program(s)”) we may offer. Each Program may have additional terms, available on the Program page or at Program sign-up. The Incentives will be described in the Program page or at Program sign-up.

 

We measure the value of your Personal Data collected from Programs by the cost of operating the applicable Program (excluding Incentive costs) and/or the cost of providing the Incentive. We deem the value of the Personal Data to be reasonably related to the value of the Incentive, and by subscribing to these Programs, you agree. If you do not agree, please do not subscribe. If you wish to withdraw from the Programs, the method for doing so will be explained in the applicable terms. A deletion request will not delete Program Personal Data necessary to maintain participation. If you wish to delete such data, terminate participation before submitting a deletion request.

 

I. Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use, and disclose your Personal Data as required or permitted by applicable law and this may override your rights under State Privacy Laws. We are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

 

J. Additional Notice for California Residents

This Privacy Notice provides information about our online practices and your California rights specific to our Website. Californians who visit our Website and seek to acquire goods, services, money, or credit for personal, family, or household purposes are entitled to the following:

California’s “Shine the Light” law (Civil Code section 1798.83) permits users who are California residents to request certain information about our disclosure of Personal Information to third parties (including our affiliates) for those third parties’ direct marketing purposes. We do not currently disclose Personal Information to third parties other than our affiliates for such purposes. To make such a request, email [email protected] or write to us at PUIG UK Limited – a United Kingdom company with its registered office at 5th floor, Russell Square House, 10-12, London (UK) WC1BEH. Include “Shine the Light Request” in the body of your message. In your request, please attest that you are a California resident and provide a current California address. This right is separate from consumer privacy rights and must be requested separately. We will not accept Shine the Light requests by telephone or fax and are not responsible for improperly labeled or incomplete requests.

 

Last update: May 2025

© ANTONIO PUIG S.A. 2025. All rights reserved.
