Privacy

 

DATA PRIVACY POLICY

This policy (together with our terms of website use, Terms of Use, and any other documents referred to on it) sets out the basis on which we, Beauty Luxe Pro, will process any personal data we collect from you, or which you provide to us, in the course of using our sites www.brookeprice.com, www.beautyluxepro.com and www.beautyluxepro.co.uk (“site”). For the purpose of the Data Protection Act 1998 we are the data controller.

PART A 

1. Definitions

1.1 In this Privacy Policy, the following terms shall have the meanings set out below:

1.1.1 “Applicable Law” means any laws or regulations, regulatory policies, guidelines or industry codes (whether national or international) which apply to Company (or any of its Sub-Processors) and/or the provision of or the subject matter of the Services in each case as in force from time to time;

1.1.2 “Company” means Beauty Luxe Pro;

1.1.3 “Customer Group Member” means a Customer or any entity that owns or controls, is owned or controlled by, or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.4 “Customer Personal Data” means any Personal Data Processed by Company on behalf of a Customer Group Member pursuant to or in connection with the Principal Agreement;

1.1.5 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.6 “EEA” means the European Economic Area;

1.1.7 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.8 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.9 “Personal Data” means any data that relates to an identified or identifiable natural person and where such data is protected under applicable Data Protection Laws;

1.1.10 “Principal Agreement” means the agreement or agreements between Company and the Customer Group Member for the Services Company is providing them;

1.1.11 “Service/s” means the services and other activities to be supplied to or carried out by or on behalf of Company for Customer Group Members pursuant to the Principal Agreement;

1.1.12 “Sub-processor/s” means any person (including any third party and any Company Affiliate) appointed by or on behalf of Company or any Company Affiliate and that Processes Customer Personal Data on behalf of any Customer Group Member; and

1.1.13 “Company Affiliate/s” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.2 The terms “Commission”, “Controller”, “Processor”, “Data Subject/s”, “Member State”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Authority

Company warrants and represents that, before any Company Affiliate Processes any Customer Personal Data on behalf of any Customer Group Member, Company’s entry into this Privacy Policy as agent for and on behalf of that Company Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Company Affiliate. References to ‘Company’ shall be deemed to include a reference to each Company Affiliate as applicable.

3. Processing of Customer Personal Data

3.1 Scope of this Privacy Policy and Role of Parties. This Privacy Policy applies to the Processing of Personal Data by Company in the course of providing the Services. For the purposes of the Services and this Privacy Policy, Customer and each Customer Group Member are the Controller(s) and Company is the Processor and shall be Processing Personal Data on the Customer’s behalf, the Customer receiving the Services as principal and as agent of each Customer Group Member.

3.2 Instructions for Processing Personal Data. Company shall Process Personal Data as reasonably necessary for the provision of the Services arising from the Principal Agreement (inclusive of this Privacy Policy) and in accordance with Customer’s documented instructions which, unless expressly agreed otherwise, shall at all times be consistent and in accordance with the nature of the Principal Agreement. Company may terminate the Principal Agreement if Customer provides instructions to Process Personal Data which are inconsistent with the Principal Agreement, or which Company could not comply with without (i) incurring material additional costs or (ii) undertaking material variations to the manner in which the Services are provided which variations Company does not propose to introduce in respect of the majority of its other customers. Company may Process Personal Data otherwise than in accordance with Customer’s instructions if required to do so by Applicable Law. In such case Company shall inform Customer of that legal requirement, unless prohibited from doing so by Applicable Law.

3.3 Compliance with Laws. Company, in Processing the Customer Personal Data in accordance with Clause 3.2 above, shall comply with all applicable Data Protection Laws. Company shall not be responsible for complying with Data Protection Laws applicable to Customer Group Member or its industry that are not otherwise consistent with the provision of the Services or if, and to the extent that, the relevant provision of Data Protection Law would not also apply to Company’s provision of services equivalent to the Services to other customers. Customer shall comply with all Data Protection Laws applicable to Customer as Controller.

4. Company Personnel

4.1 Personnel Reliability. Company shall take reasonable steps to (i) require background screening and to ensure the reliability of any personnel who may have access to the Customer Personal Data or the Customer environments in which the Personal Data is processed, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement; and (ii) ensuring that any personnel are informed of the confidential nature of Personal Data, have received training, and are subject to confidentiality obligations or professional or statutory obligations of confidentiality.

4.2 Data Protection Officer. Company has appointed a data protection officer. The appointed person may be reached at brooke@brookeprice.co.uk.

5. Sub-processors

5.1 Appointment of Sub-processors. Subject always to section 3.2 above, each Customer authorizes Company to appoint Sub-processors in accordance with this section 5 to Process Customer Personal Data. Company shall be responsible for ensuring that each Sub-processor has entered into a written agreement requiring the Sub-processor to comply with terms no less protective than those provided in this Privacy Policy (a summary of such terms will be made available to Customer on request). Company shall be liable for the acts and omissions of any Sub-processor to the same extent as if the acts and omissions were performed by Company. Sub-processors may process such data within the EU or outside the EU.

5.2 Notification of New Sub-processors. Company may continue to use those Sub-processors already engaged by Company or any Company Affiliate as at the date of this Privacy Policy. Company shall make available to Customer through Company’s customer website a list of Sub-processors authorized to Process Customer Personal Data (“Sub-processor List”) and provide Customer with a mechanism to obtain notice of any updates to the Sub-processor List (“Sub-processor Notice”). At least thirty (30) days prior to authorising any new Sub-processor to Process Personal Data, Company shall provide notice by updating the Sub-processor List.

5.3 Sub-processor Objection Right. This section 5.3 shall apply only where and to the extent that Customer is established within the EEA or where otherwise required by Data Protection Laws applicable to the Customer. In such an event, if Customer notifies Company in writing of any objections (on reasonable grounds) to a Sub-processor added to the Sub-processor List within fourteen (14) days after the date of the applicable Sub-processor Notice:

5.3.1 Company shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that Proposed Sub-processor; and

5.3.2 where such a change cannot be made and Company chooses to retain the Sub-processor, Company shall notify Customer at least fourteen (14) days prior to the authorisation of the Sub-processor to Process Personal Data and the Customer may discontinue using the relevant services and terminate the relevant portion of the Services which require the use of the Proposed Sub-processor immediately upon written notice to Company, such notice to be given by Customer within thirty (30) days of having been so notified by Company.

6. Support in Complying with Data Subject Rights

6.1 Requests from Data Subjects. Customer acknowledges, as part of the Services, it is responsible for responding to any Data Subjects’ request under any Data Protection Law to exercise the Data Subject’s right of access, right of rectification, restriction of Processing, right to be forgotten, data portability, object to processing, or its right not to be subjected to an automated decision-making process (“Data Subject Request”). Company shall:

6.1.1 to the extent permitted by Applicable Law, promptly notify Customer if it receives a Data Subject Request from a Data Subject; and

6.1.2 taking into account the nature of the Processing, reasonably assist Customer to access Customer Personal Data to the extent that Customer Personal Data is not accessible to Customer (as part of the Services) to fulfil the Customer’s obligations, as reasonably understood by Customer, to respond to Data Subject Requests and to comply with Data Protection Laws.

6.2 Government and Law Enforcement Authority Requests. Unless prohibited by Applicable Law or a legally-binding request of law enforcement, Company shall promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Personal Data.

7. Breach Incident Notification.

7.1 Breach notice. Company shall notify Customer within 24 hours upon Company becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. To the extent able within the scope of the Services, Company will provide Customer with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Investigatory Cooperation. Company shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Security

8.1 Technical and organisational measures. Company shall implement and maintain appropriate technical and organisational measures designed to protect the security, confidentiality and integrity of Customer Personal Data, including to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, such Personal Data as set forth in Schedule A. Company regularly monitors compliance with these measures. Company reserves the right to update its technical and organisational measures and will not materially decrease the overall security of the Services pursuant to the Principal Agreement.

8.2 Audit. Customer agrees that Company’s then-current attestation of compliance (“AOC”) as applicable to the Services, will be used to satisfy any audit or inspection requests by or on behalf of the Customer, including any Customer Group Member arising from this Privacy Policy, and at the Customer’s written request, a copy of such AOC shall be provided to the Customer by Company. In the event that Customer, any Customer Group Member, a regulator, or Supervisory Authority requires additional information, including information necessary to demonstrate compliance with this Privacy Policy, Company will provide commercially reasonable cooperation to make such information available.

8.3 Customer Applications. Customer acknowledges that if at any time it installs, uses or enables products or applications that operate using the Services, but are not part of the Service itself, then by such action Customer is instructing Company to cause the Service to allow such products or applications to operate and potentially access Personal Data. Accordingly, this Privacy Policy does not apply to the processing of Personal Data by such products or applications.

8.4 Return and Deletion of Personal Data. Upon termination of the Services, Company shall at Customer’s option, return and/or delete any Personal Data retained on the Services in accordance with the terms of the Principal Agreement and not retain any copies unless Company is required to do so by Applicable Law.

9. Location and Storage of Personal Data

Personal Data may be stored at various data centre premises as part of the Services (the “Designated Data Centre Location”).

10. General Terms

10.1 Without prejudice to any Mediation and Jurisdiction and Governing Law of any other agreement between the parties, or the applicability of any Data Protection Laws:

10.1.1 the parties to this Privacy Policy hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Privacy Policy, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

10.1.2 the obligations of Company and Company Affiliates arising hereunder are subject to and governed by the laws of the country or territory expressly set forth in the Principal Agreement.

10.2 With regard to the subject matter of this Privacy Policy, in the event of inconsistencies between the provisions of this Privacy Policy and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Privacy Policy, the provisions of this Privacy Policy shall prevail.

10.3 Customer is responsible for coordinating all communication with Company on behalf of its Customer Group Members with regard to this Privacy Policy. Customer represents that, in relation to this Privacy Policy, it, as agent for its Customer Group Members (where applicable), is authorized to issue instructions; make and receive any communications or notifications; and enter into any agreement expressly contemplated herein for and on behalf of any of its Customer Group Members.

10.4 Customer and/or its Customer Group Members may only disclose the terms of this Privacy Policy to a Supervisory Authority to the extent required by law or such Supervisory Authority. Customer shall reasonably ensure that the Supervisory Authority does not disclose the terms of this Privacy Policy to the public or any third party, including: (i) marking copies of this Privacy Policy as “Confidential and Commercially Sensitive”; (ii) requesting return of copies of this Privacy Policy once the governmental regulatory notification has been completed or approval granted; and (iii) requesting prior notice and consultation before any disclosure of this Privacy Policy by the Supervisory Authority.

10.5 The Company and/or Company Affiliates’ aggregate liability to the Customer and/or any Customer Group Member arising from a breach of this Privacy Policy (including the Standard Contractual Clauses) shall be subject to the terms of the Principal Agreement.

PART B 

In addition to the terms set out in Part A above, the terms set out in this Part B shall apply to the Processing of Personal Data by Company on behalf of a Customer established in the European Union or otherwise subject to the requirements of the GDPR.

11. Additional European Terms.

11.1 General Data Protection Regulation. With effect from 25 May 2018, Company will Process any Personal Data in accordance with the requirements of GDPR as directly applicable to Company’s provision of the Services.

11.2 Subject Matter, Nature, Purpose and Duration of Data Processing. Company will Process Customer Personal Data to provide the Services. The duration of the Processing of Personal Data shall be for the term of the Principal Agreement.

11.3 Types of Personal Data and Categories of Data Subjects. The types of Personal Data and categories of Personal Data shall be those determined by the Customer being the Customer Personal Data which, along with the categories of Data Subjects, may be more particularly described in the Principal Agreement.

11.4 Data Protection Impact Assessment and Prior Consultation. The Customer for itself and on behalf of each Customer Group Member (where applicable) agrees that Company’s then-current standard policies & documented information about the Services, will be used to carry out Customer’s data protection impact assessments and prior consultations, and Company shall make such information available to the Customer where requested. Company and each Company Affiliate shall provide reasonable assistance to each Customer Group Member with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Customer Personal Data by, and taking into account the nature of the Processing and information available to, Company. The Customer shall ensure, to the extent that such data protection impact assessments and, where necessary, prior consultations with Supervisory Authorities, are required by Data Protection Laws, that Customer and relevant Customer Group Members take such steps as are required to implement such assessments and consultations. If, following the implementation of a data protection impact assessment or a consultation, the Customer reasonably determines that it would be a breach of Data Protection Laws to continue with the Services, Customer shall notify Company and the parties shall attempt to reach a solution. If the parties fail to agree a solution within thirty (30) days of commencing discussions, the Customer shall be entitled to terminate the Services, subject to the payment of an early termination fee determined in accordance with the Principal Agreement.

11.5 Access to Personal Data. Unless otherwise agreed and notwithstanding Section 9 above, in order to provide the Services Company and its Sub-processors will only access Personal Data from (i) countries in the EEA, (ii) countries or territories formally recognized by the European Commission as providing an adequate level of data protection (“Adequate Countries”) and (iii) the United States provided, in this case, that Company makes available to the Customer a Valid Transfer Mechanism in accordance with Section 11.6 below. When Company or its Sub-processors access Personal Data from outside the Designated Data Center Location for the purposes of providing the Services, the Customer agrees that such Personal Data may be transferred accordingly.

11.6 Transfers Required by Applicable Law. Notwithstanding the foregoing, Company shall be entitled to access Personal Data from, or transfer Personal Data to, territories outside the EEA other than in the circumstances specified in clause 11.6 if required to do so by Applicable Law. Unless prohibited by Applicable Law, Company shall not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:

  • the Customer or the Provider has provided appropriate safeguards in relation to the transfer;

  • the data subject has enforceable rights and effective legal remedies;

  • the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

  • the Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;

  • assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

  • notify the Customer without undue delay on becoming aware of a Personal Data breach;

  • at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and

  • maintain complete and accurate records and information to demonstrate its compliance with this clause.

ACCEPTABLE USE POLICY

This is the acceptable use policy, which, together with our terms of website use, Terms of Use, sets out the terms under which we, I Heart My Life, allow you to use our site www.iheartmylife.com (“site”) whether you are a visitor or a registered user. All enquiries should be directed to brooke@brookeprice.co.uk. Please read the terms of this policy carefully, as by using our site you indicate that you agree to comply with and be bound by them.

PROHIBITED USES OF OUR SITE

Whether you are a visitor or registered user, you must comply with our terms of website use, Terms of Use, and use our site for lawful purposes only. In particular, you must not use our site for the uses listed (without limitation) below:

  • any fraudulent activity;

  • any activity which breaches any applicable law or regulation, whether national or international;

  • any activity which may cause or result in harm to a child under 18 years of age;

  • sending unsolicited advertising or other content (spam), or entering into any arrangement for such material to be sent;

  • reproducing, selling or otherwise handling our site or its contents in breach of our terms of website use;

  • knowingly introducing to our site, or transmitting or attempting to transmit to any other site, computer or network, viruses, trojans, worms, logic bombs or other material, code or program which is malicious or technologically harmful;

  • attempting to gain unauthorized access to our site, our software, our server, or any server, computer or database connected to our site; or

  • attacking our site via a denial-of-service attack or a distributed denial-of-service attack.

CONTRIBUTING AND INTERACTING

Our site may offer users the facilities to upload or contribute content or other material, or to interact with other users. When making use of these facilities, it is your responsibility to ensure that any contribution or interaction is, as far as you are aware, factually correct, represents your honest opinion, and does not breach any applicable law or regulation.

In addition, any contribution or interaction must not include any material which (without limitation):-

  • is defamatory, obscene, offensive, hateful or inflammatory;

  • is, or refers to material which is, sexually explicit;

  • promotes violence, illegal activity or any form of discrimination;

  • infringes any other person’s copyright, database right or trade mark;

  • threatens, harasses, upsets, embarrasses, alarms or annoys any other person, or is likely to do so;

  • advocates, promotes or assists any illegal activity;

  • is likely to deceive any person or is made in breach of a legal duty owed to a third party (such as a duty of confidence);

  • invades another’s privacy or causes inconvenience or anxiety to any person;

  • is used to impersonate any person, or to misrepresent your identity or affiliation with any person; or

  • gives the impression that the material emanates from us, if this is not the case.

MODERATION

If we at any time use our site to provide users with any interactive service, the following moderation provisions will apply:-

  • we will notify users if moderation is in place, and, if so, whether the moderation is provided by a person or is automated;

  • if moderation is in place, we will give you a means to contact the moderator;

  • although we will do our best to assess any risks which such interactive service may pose, we will be under no obligation to moderate it, and we expressly exclude any liability for any loss or damage to any person caused by use of it; and

  • children should at all times be supervised when using the interactive services on our site, whether such services are moderated or not.

BREACHES OF THIS POLICY

Any breach of this acceptable use policy will be dealt with in the same way as breach of our terms of website use, Terms of Use, and we reserve the right to take any other action we reasonably deem appropriate, including restricting your use of our site and/or taking legal action against you. We are not liable for any loss or damage caused by any breach of this acceptable use policy.

AMENDMENTS

Please check this page regularly, as we may revise this acceptable use policy at any time. We may also change or update our acceptable use policy at any time by means of notices published anywhere on our site.