Privacy & Cookie Policies

This Privacy Notice is designed to give you clear and accessible information about how ELEMIS uses your personal data. You can read the short summary below for a quick overview.

This summary gives you the key points. Full details are in the sections that follow.

Who we are. ELEMIS Limited is the controller responsible for your personal data when you use our UK website.

What data we collect.We collect contact details, account and order information, payment data, browsing and device data, customer support interactions, subscription preferences, skin analysis results where you use our Virtual Skin Analysis tool, marketing preferences, and product reviews.

Why we use it. We use your data to process and deliver your orders, manage your account and subscriptions, provide customer support, send marketing communications where you have consented, personalise your on-site experience, power our Virtual Skin Analysis tool, prevent fraud, keep our site secure, and meet our legal obligations.

Who we share it with.We share your data with trusted service providers including payment processors and fraud prevention providers, E-commerce and order management platforms, customer support and live chat providers, marketing, CRM and customer data platforms, on-site search and personalisation providers, analytics and performance measurement tools, infrastructure and tag management providers, advertising and affiliate partnet, L’Occitane Group companies, legal, regulatory and professional advisers. Adyen (payments). A full list is in Section 6.

Your rights. You have the right to access, correct, delete or restrict the use of your personal data, to receive it in a portable format, to object to certain processing, and to withdraw consent at any time. To exercise any of these rights, contact us at [email protected].

Supervisory authority.If you are not satisfied with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or on 0303 123 1113.

ELEMIS Limited is the data controller responsible for personal data collected via this website. We are registered with the Information Commissioner’s Office under reference Z6739759.

Full legal name ELEMIS, Limited
Registered address Unit G2 Titan Road Patchway, Bristol, BS34 6FD
Company number 02279688
ICO registration Z6739759
Data Protection contact [email protected]

As we do not have an establishment in the European Union (“EU”) for the purposes of article 27 of the GDPR we have appointed a representative based in the Republic of Ireland, who you may contact if you are located in the EU to raise any issues or queries you may have relating to our processing of your Personal Data or this privacy notice.

Our EU representative is: Elemis IRL Limited.
Address: 14 Upper Liffey Street, Dublin 1, Republic of Ireland.

Our EU representative can be contacted by emailing them at [email protected].

Our Data Protection team is your first point of contact for privacy queries, rights requests and complaints. We aim to respond within one calendar month.

The categories of personal data we collect depend on how you interact with our website. We collect data across a range of touchpoints including account registration and login, browsing and shopping activity, customer support interactions, marketing communications, and optional features such as our virtual skin analysis tool and treatment bookings. Full details of how each category is used and the lawful basis we rely on are set out in Section 4.

Data you provide directly

• Identity and contact data: name, email address, postal address, telephone number, date of birth (optional)
• Account and authentication data: email address used for password-less login, or email/password for standard login; login history including date, time and outcome; phone number where provided for SMS authentication or marketing
• Order and payment data: products purchased, delivery address, payment card information (tokenised in-browser by payment provider; we do not store full card numbers); saved payment methods managed via Adyen
• Subscription data: subscribe-and-save preferences, frequency settings, active/cancelled subscription status, recurring order history
• Gift card data: gift card balance, redemption history, sender and recipient details for digital gift cards
• Customer support data: enquiries, complaints and live chat transcripts
• Marketing and preference data: email and SMS opt-in status, communication preferences, birthday (optional, for birthday offer)
• User-generated content: product reviews, ratings, images submitted via review platform
• Virtual Skin Analysis data: selfie image processed in real time by the AI tool; skin analysis scores and recommended product/routine output. See Section 3.4 regarding special category considerations.
• Treatment booking data: name, contact details, preferred date, time and location, selected treatment
• Zero-party data: responses to skin quizzes and guided product finders, where voluntarily submitted.

Data collected automatically

• Technical and usage data: IP address, device type, operating system, browser type, pages visited, session duration, click-stream and navigation data
• Search and browsing behaviour: search queries, search result clicks, product interactions, browse behaviour — collected for on-site search and recommendations (truncated IP, pseudonymised user ID)
• Checkout device signals: device fingerprint (OS, browser, fonts, canvas rendering), mouse/keyboard behaviour and page interactions collected for fraud risk scoring at checkout
• Performance data: page load times, device and connection metrics collected for real-user monitoring
• Cookie and tracking data: information collected via cookies and similar technologies in accordance with our Cookie Policy [INSERT LINK]
• Authentication event data: login and checkout attempt records (timestamp, outcome, reason for failure where applicable) used solely for fraud prevention and account security
• Address validation data: address input submitted for postcode autocomplete and validation at checkout and account pages.

Data received from third parties

• Social media platforms: where you interact with our social media pages
• Customer Data Platform: customer segmentation and behavioural data used to power personalised marketing campaigns and on-site personalisation
• Payment providers: transaction confirmation, fraud-screening signals and 3DS authentication events
• Shipment partners: shipment event data for order tracking email triggers
• Advertising and attribution partners: campaign click IDs and conversion signals where consent has been given.

Special category and sensitive data

Our Virtual Skin Analysis tool analyses a selfie image to identify general skin characteristics and provide product recommendations. This tool does not perform biometric identification or uniquely identify you.

However, as the tool analyses physical characteristics from an image, we apply enhanced safeguards and require your consent before you use this feature. You are not required to use this functionality.

Where you report an adverse reaction to a product, we may process limited health-related information on the basis of your explicit consent or, where necessary, for the establishment or defence of legal claims (UK GDPR Article 9(2)(a) and (f)).

We do not otherwise collect or process special category data as part of our standard e-commerce operations.

The table below sets out all purposes for which we process personal data on the UK site, the categories of data involved, the lawful basis under UK GDPR Article 6, and applicable retention periods.

Where our use of personal data involves cookies or similar technologies, we rely on your consent in accordance with the Privacy and Electronic Communications Regulations (PECR). Where personalisation or analytics is carried out using data collected directly in the context of your use of our services and does not rely on non-essential cookies, we rely on our legitimate interests to improve and personalise our services.

Account creation and management
Categories of personal data: Identity, contact, account and authentication data.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Passwordless and standard login authentication
Categories of personal data: Email address, one-time code, authentication event log.
Lawful basis: Article 6(1)(b) - Contract and Article 6(1)(f) - Legitimate interests (account security).

Order processing and fulfilment
Categories of personal data: Identity, contact, order, payment and delivery data.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Payment processing
Categories of personal data: Payment and order data, tokenised card data.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Fraud risk scoring at checkout
Categories of personal data: Device fingerprint, IP address, behavioural signals, order data.
Lawful basis: Article 6(1)(f) - Legitimate interests (fraud prevention).

Subscribe-and-save subscriptions
Categories of personal data: Identity, contact, subscription preferences, payment tokens, recurring order data.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Digital gift cards
Categories of personal data: Sender and recipient identity and contact data, gift card balance and redemption history.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Customer support and live chat
Categories of personal data: Identity, contact, order and support interaction data.
Lawful basis: Article 6(1)(b) - Contract and Article 6(1)(f) - Legitimate interests (service improvement and legal claims).

Transactional and service emails
Categories of personal data: Identity, contact, order and account event data.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Shipment tracking
Categories of personal data: Order ID, delivery address, contact email.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Email and SMS marketing
Categories of personal data: Identity, contact, marketing preferences, behavioural and purchase data.
Lawful basis: Article 6(1)(a) - Consent.

On-site personalisation - search and recommendations
Categories of personal data: Pseudonymised user ID, search queries, browse behaviour and purchase events.
Lawful basis: Article 6(1)(f) - Legitimate interests.

On-site personalisation - homepage and content
Categories of personal data: Behavioural, purchase and segmentation data.
Lawful basis: Article 6(1)(f) - Legitimate interests (cookie-free signals) and Article 6(1)(a) - Consent where tracking cookies are required.

A/B and multivariate testing
Categories of personal data: Visitor ID, variant assignment, page views and custom events.
Lawful basis: Article 6(1)(a) - Consent.

Web analytics
Categories of personal data: Pseudonymised device and session data, page views, ecommerce events and anonymised cookieless modelling pings when consent is declined.
Lawful basis: Article 6(1)(a) - Consent for identifiable event streams and Article 6(1)(f) - Legitimate interests for anonymised modelling pings only.

Behavioural analytics and session replay
Categories of personal data: User behaviour, heatmaps, scroll depth and session replays (PII masked at capture).
Lawful basis: Article 6(1)(a) - Consent.

Targeted advertising and retargeting
Categories of personal data: Page views, ecommerce events, hashed PII (email, phone, name where submitted for Enhanced Conversions), click IDs and conversion data.
Lawful basis: Article 6(1)(a) - Consent.

Address autocomplete and validation
Categories of personal data: Address input and session metadata.
Lawful basis: Article 6(1)(b) - Contract.

Virtual Skin Analysis
Categories of personal data: Selfie image, skin analysis scores and product recommendations.
Lawful basis: Article 6(1)(a) - Consent.

Skin quiz and guided product finder
Categories of personal data: Quiz responses (zero-party data), IP address, browser data, timestamps and any PII voluntarily submitted.
Lawful basis: Article 6(1)(a) - Consent and Article 6(1)(f) - Legitimate interests (aggregated analytics only).

Treatment bookings
Categories of personal data: Name, contact details and booking preferences.
Lawful basis: Article 6(1)(b) - Contract.

Product reviews
Categories of personal data: Identity (name or nickname), review text, ratings and images.
Lawful basis: Article 6(1)(f) - Legitimate interests.

Site security, bot protection and CDN
Categories of personal data: IP address, TLS/HTTP metadata and bot-management signals.
Lawful basis: Article 6(1)(f) - Legitimate interests (security and integrity).

Legal and regulatory compliance
Categories of personal data: Data required by applicable law.
Lawful basis: Article 6(1)(c) - Legal obligation.

Legitimate Interests Assessment

Where we rely on legitimate interests (Article 6(1)(f)), we have carried out a balancing assessment to ensure that our interests are not overridden by your rights and freedoms.

These interests include preventing fraud, maintaining the security of our website, improving our services, and providing a more relevant and personalised user experience.

You have the right to object to this processing at any time - see Section 9.

Marketing Consent

We will only send marketing communications by email or SMS where you have given your consent. Consent is collected at account registration, checkout (optional tick-box, not pre-ticked), and via footer newsletter/SMS sign-up. You may withdraw consent at any time by:

• using the unsubscribe link in any marketing email or SMS;
• updating your preferences in My Account (TBC); or
• contacting [email protected].

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Automated Processing and AI-Assisted Technologies

We use automated and AI-assisted technologies across the following features on the UK website:

• AI-powered on-site search and product recommendations based on your browsing and purchase behaviour
• Customer segmentation and predictive modelling to inform personalised marketing journeys and on-site content
• Virtual Skin Analysis: real-time AI analysis of a selfie to generate skin concern scores and product recommendations
• Automated fraud risk scoring at checkout using device, behavioural and order data
• GA4 Advanced Consent Mode: behavioural modelling using anonymised/cookie-less pings to estimate conversion behaviour where consent has not been given
• AI-Powered security tools

We do not rely solely on automated decision-making that produces legal or similarly significant effects on you. Where automated fraud scoring flags an order, a human reviewer is involved before any adverse action is taken. You have the right to request human intervention, to express your view, and to contest any automated outcome - see Section 9.

We use cookies and similar tracking technologies deployed via Google Tag Manager (client-side) and a server-side GTM container (Stape, EU-hosted for UK traffic) to operate the website, analyse performance, and deliver advertising where you have consented. All non-essential cookies are gated by our consent management platform.

Full details of all cookies, tracking technologies, vendors, consent categories and how to manage your preferences are set out in our Cookie Policy.

We share personal data with the following categories of recipients, where necessary to operate our business.

The table below identifies our most relevant partners and service providers in each category. This is not an exhaustive list of every sub-processor or technology vendor we engage; however, it covers all material relationships involving the processing of your personal data.

All processors are engaged under UK GDPR-compliant data processing agreements. Where vendors act as independent controllers (e.g. social media advertising platforms), your relationship with them is governed by their own terms and privacy notices.

We do not sell personal data to third parties.

Group Companies

L'Occitane Group Companies

Purpose: Group-wide operations and shared services.
Data shared/processed: Identity, contact, account and order data.

E-commerce and Order Management

CommerceTools

Purpose: E-commerce platform supporting product catalogue, orders, cart and promotions.
Data shared/processed: All order, product, account and cart data.

Ordergroove

Purpose: Subscribe-and-save subscription management.
Data shared/processed: Subscription preferences, recurring order data and saved payment tokens.

Royal Mail

Purpose: Shipment tracking email triggers for UK deliveries.
Data shared/processed: Order ID, delivery address and contact email.

Loqate

Purpose: Address autocomplete and validation at checkout and account pages.
Data shared/processed: Address input and session metadata.

Payment Processing and Fraud Prevention

Adyen

Purpose: Primary payment gateway, card tokenisation and 3DS authentication.
Data shared/processed: Tokenised card data, 3DS events and SDK error/form data.

Klarna

Purpose: Buy-now-pay-later payment option.
Data shared/processed: Browser fingerprint (user agent, timezone and language) and IP address for fraud scoring.

PayPal

Purpose: Express checkout payment option.
Data shared/processed: Transaction confirmation data.

Signifyd

Purpose: Real-time fraud risk scoring at checkout.
Data shared/processed: Device fingerprint, IP address, behavioural signals and order session data.

Customer Engagement, CRM and Support

Bloomreach CDP

Purpose: Customer data platform supporting transactional emails, marketing emails, CDP tracking and on-site personalisation.
Data shared/processed: Behavioural data, identity data, purchase history and hashed email/phone data.

Zendesk

Purpose: Live chat customer support.
Data shared/processed: Session state, chat messages, page URL and visitor identifier.

Bazaarvoice

Purpose: Product ratings, reviews and post-purchase review solicitation.
Data shared/processed: IP address, click-stream activity within widgets, review submissions and conversion data.

Appointedd

Purpose: In-store treatment and consultation booking.
Data shared/processed: Name, contact details and booking preferences.

Zenoti

Purpose: In-store treatment and consultation booking.
Data shared/processed: Name, contact details and booking preferences.

On-site Personalisation and Search

Constructor

Purpose: On-site search, product listing pages and personalised product recommendations.
Data shared/processed: Pseudonymised user ID, search queries, browse behaviour, purchase behaviour and truncated IP address.

Revieve

Purpose: AI-powered Virtual Skin Analysis tool.
Data shared/processed: Selfie image (processed client-side), skin analysis scores and product recommendations.

Analytics, Testing and Performance

Google Analytics 4 (via sGTM)

Purpose: Web analytics, including consented event streams and anonymised Advanced Consent Mode pings.
Data shared/processed: Page views, device and session data, ecommerce events and Client/User IDs where consent has been provided.

Contentsquare

Purpose: Heatmaps, scroll depth analysis and session replay analytics with PII masked at capture.
Data shared/processed: User behaviour data and customer IDs.

AB Tasty

Purpose: A/B and multivariate testing.
Data shared/processed: Visitor ID, variant assignment, page views and custom events.

IMPACT

Purpose: Real-user monitoring and frontend performance measurement.
Data shared/processed: UUID, user agent string, device and connection data and performance metrics.

Infrastructure, Tag Management and Consent

Google Tag Manager (Client-side and sGTM/Stape)

Purpose: Tag orchestration and consent-gated script deployment.
Data shared/processed: Data layer variables. No personal data is collected directly.

OneTrust

Purpose: Cookie consent management platform.
Data shared/processed: Consent status, country/region geolocation and interaction timestamps.

Cloudflare

Purpose: Web application firewall (WAF), DDoS protection, CDN and edge proxy services.
Data shared/processed: IP address, TLS/HTTP metadata and bot-management signals.

Vercel

Purpose: Frontend hosting and server-side rendering.
Data shared/processed: Page views, country, operating system, browser, device type and a daily-rotated hashed visitor ID. No persistent cookies are used.

Advertising and Affiliate Partners (Consent-Gated)

The following vendors receive data only where you have consented to marketing and advertising cookies via our cookie consent banner.

Meta (Facebook Pixel / CAPI)

Purpose: Ad targeting, retargeting and conversion measurement.
Data shared/processed: Page views, ecommerce events and hashed personal information including email, phone number, name and address.

Google Ads (Conversion, Remarketing and Floodlight)

Purpose: Conversion tracking, smart bidding, remarketing, campaign measurement and Advanced Consent Mode processing.
Data shared/processed: Conversion data, Enhanced Conversions hashed personal information, Dynamic Remarketing product data and click IDs.

Reddit

Purpose: Ad targeting and conversion measurement.
Data shared/processed: Page views, ecommerce events and hashed email and phone data.

TikTok

Purpose: Ad targeting and conversion measurement.
Data shared/processed: Page views, conversion data and hashed email and phone data.

Pinterest

Purpose: Ad targeting and conversion measurement.
Data shared/processed: Page views, ecommerce data, hashed email, phone number and customer ID.

Amazon Advertising (DSP and Pixel)

Purpose: Programmatic display targeting and conversion attribution.
Data shared/processed: Page views and conversion events.

Bing Ads UET

Purpose: Microsoft Ads conversion tracking and audience building.
Data shared/processed: Page views and conversion data.

Partnerize / Pepperjam

Purpose: Affiliate marketing tracking and commission attribution.
Data shared/processed: Page views, conversion data and affiliate click IDs.

Legal, Regulatory and Corporate

Professional Advisers (Legal, Audit and Insurance)

Purpose: Legal advice, compliance and risk management.
Data shared/processed: Information required for the relevant matter.

Law Enforcement and Regulatory Authorities

Purpose: Compliance with legal, court or regulatory obligations.
Data shared/processed: Information required by applicable law.

Acquirers in a Business Sale or Restructuring

Purpose: Due diligence and transaction completion.
Data shared/processed: Information required for the transaction.

Some of our providers are located in the United States and other countries outside the United Kingdom. Where this occurs, we relyon the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.

Some providers may also be certified under recognised international frameworks where applicable.

We have implemented appropriate technical and organisational measures proportionate to the risks involved in our processing activities. These include:

• TLS encryption in transit; encryption at rest for sensitive data
• Cloudflare WAF and DDoS protection across all site traffic
• Card data tokenised in-browser by Adyen (PAN never transmitted to ELEMIS servers)
• PII masking in Contentsquare session replays
• Server-side tag processing (sGTM/Stape) to reduce client-side data exposure
• Role-based access controls and the principle of least privilege
• Regular security assessments and penetration testing
• Incident response and breach notification procedures in accordance with UK GDPR Articles 33 and 34

Third-party processors are subject to security due diligence and contractual security obligations before onboarding.

You have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions under the Data Protection Act 2018. We will respond within one calendar month (extendable by two months for complex requests, with notice to you).

Right of Access (Article 15)

You have the right to receive a copy of the personal data we hold about you, together with information about how and why we process it. This information will generally be provided free of charge.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data. You may also be able to update certain account details directly through your account settings.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data where there is no longer a lawful basis for retaining it. This right may be limited where we are required to retain information to comply with legal, regulatory or accounting obligations, such as financial record-keeping requirements.

Right to Restriction of Processing (Article 18)

You have the right to request that we temporarily suspend the processing of your personal data while we verify concerns relating to the accuracy of the data, the lawfulness of the processing, or an objection you have raised.

Right to Data Portability (Article 20)

You have the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may also request that this information be transferred directly to another organisation. This right applies where processing is based on consent or contract and is carried out by automated means.

Right to Object (Article 21)

You have the right to object to processing that is based on our legitimate interests, including personalisation and analytics activities. You also have the right to object to the use of your personal data for direct marketing purposes. If you object to direct marketing, we will stop processing your personal data for that purpose immediately.

Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw that consent at any time. This includes consent for marketing communications, advertising and targeting cookies, use of the Virtual Skin Analysis tool, and any other consent-based processing activities. Withdrawing consent does not affect the lawfulness of any processing carried out before consent was withdrawn.

Rights Relating to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing where those decisions produce legal effects or similarly significant effects on you. You may request human review of any such decision, express your point of view, and challenge the outcome.

How to Exercise Your Rights

Contact our Data Protection team:

• Email: [email protected]
• Post: Data Protection Team, ELEMIS, Limited, Unit D Poplar Way East, Cabot Park, Avonmouth, Bristol, BS11 0DD

We may need to verify your identity before processing your request. No fee is charged for legitimate requests unless a request is manifestly unfounded or excessive.

Retention periods are set out in the processing table in Section 4. In determining appropriate periods, we consider:

• whether the original processing purpose has been fulfilled;
• legal, accounting and regulatory requirements (HMRC: 6–7 years; limitation periods for legal claims: 6 years);
• the nature and sensitivity of the data and risk from continued retention; and
• whether the purpose can be achieved with anonymised or aggregated data.

On account closure, we retain order and financial data for 7 years to meet HMRC obligations. Marketing preference records (including suppression lists) are retained indefinitely to prevent re-contacting individuals who have opted out. These retention periods are based on legal requirements, industry standards, and the need to retain data for legitimate business purposes.

Our website is not directed at children. We do not knowingly collect or process personal data from individuals under the age of 18 without verifiable parental or guardian consent.

If you believe that an individual under 18 has provided us with personal data, please contact us at [email protected] and we will take steps to delete such information.

Our website may contain links to third-party websites (including social media platforms) and embedded third-party experiences. Once you leave our site or interact with an embedded third-party widget, that party’s own privacy notice governs your data. We are not responsible for their privacy practices and encourage you to review their notices.

We may update this Privacy Notice to reflect changes to our processing activities, vendor stack, or applicable law. The current version, with the “Last updated” date, is always published at [INSERT URL].

Where changes are material, we will notify you by email (where we hold your contact details) or by prominent notice on the website prior to the change taking effect. Fresh consent will be sought where required.

If you have a concern about how we have handled your personal data, please contact our Data Protection team at [email protected] in the first instance. We will investigate and respond promptly.

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner’s Office (ICO)

Website: https://ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

This section gives you a plain-language summary of how we use cookies. The full details are in the sections below.

What are Cookies?
Small text files stored on your device when you visit a website. They help the site work properly, remember your preferences, and improve your browsing experience.

Why we use Cookies?

• To make our website work
• Remember your choices
• Understand how the site is used
• Show relevant content and advertising (where you agree)

Your choices
You are always in control of your cookie preferences. You can accept or reject optional cookies at any time using our cookie banner or by visiting the cookie preference centre.

Category Strictly Necessary
Purpose Essential for the site to function
Default (UK) Always ON
Can you opt out? No - cannot be disabled

Category Functional
Purpose Remembers your preferences
Default (UK) ON (opt-out available)
Can you opt out? Yes - via Cookie Settings

Category Analytics & Performance
Purpose Helps us understand site usage
Default (UK) OFF until consent
Can you opt out? Yes - via Cookie Settings

Category Marketing & Advertising
Purpose Delivers relevant advertising
Default (UK) OFF until consent
Can you opt out? Yes - via Cookie Settings

ELEMIS, Limited is responsible for the use of cookies on this website.

Legal entity ELEMIS, Limited

Registered address Unit G2 Titan Road Patchway, Bristol, BS34 6FD

Company number 02279688

ICO registration Z6739759

Data Protection contact [email protected]

Cookies are small text files placed on your computer or mobile device when you visit a website. Similar technologies - such as pixels, tags, and scripts - work in a comparable way; all are covered by this policy. When we refer to “cookies” we mean both cookies and these similar technologies.

Cookies are either:

• Session cookies - deleted automatically when you close your browser.
• Persistent cookies - stored on your device for a defined period or until you delete them.

Cookies may be set by us (first-party cookies) or by third-party vendors acting on our behalf or for their own purposes (third-party cookies).

For further information on how cookies work, please visit www.allaboutcookies.org

Cookies help us to:

• ensure the website functions correctly;
• remember items in your shopping basket and your login status;
• understand how visitors use our website;
• improve website performance and user experience; and
• deliver content and advertising that is relevant to you, where permitted by law.

Our website uses four categories of cookies, aligned with the options in our cookie banner and preference centre.

Strictly Necessary Cookies

These cookies are essential for the website to function and cannot be switched off. They are set automatically in response to actions you take, such as logging in, completing a purchase, or setting your privacy preferences. They do not store information that identifies you beyond what is operationally required.

Legal basis: Exempt from consent under PECR Regulation 6(4). Disclosure is required under UK GDPR Article 13. These cookies cannot be disabled.

Default state: Always ON. These cookies cannot be switched off as they are essential for the website to operate.

Functional Cookies

These cookies enable enhanced features and personalisation beyond what is strictly necessary to operate the website. They remember choices you make to provide a more tailored experience. Disabling them will not prevent you from using the website, but certain features may not work as intended.

Legal basis: The Digital Update Act 2025 (DUAA 2025) introduces a functionality/appearance exemption (amending PECR Regulation 6) where use is strictly limited to adapting the site’s appearance or functionality for your device or preferences. Transparency and opt-out are required. Where any Functional cookie extends beyond this exemption, consent applies.

Default state: ON by default where the DUAA 2025 exemption applies. You can turn these off at any time via the Cookie Settings link below.

Analytics and Performance Cookies

These cookies collect information about how visitors interact with our website, including pages visited, session duration, navigation flows, and errors encountered. This data is used in aggregated or pseudonymised form to improve website performance and inform our digital strategy. Although these cookies do not directly identify you, the underlying data may constitute personal data under UK GDPR.

Legal basis (UK): Consent under UK GDPR Article 6(1)(a) and PECR Regulation 6(1). Legitimate interests is not a valid basis where device access is involved (ICO guidance).

Default state: OFF until consent is given. You can enable these via the Cookie Settings link below.

Marketing and Advertising Cookies

Marketing cookies are set by us and our advertising partners to build a profile of your interests based on your browsing behaviour on our website and across other platforms. They are used to deliver relevant advertising, measure campaign performance, and limit ad repetition. These cookies uniquely identify your browser or device and may involve disclosure of your data to third-party platforms.

This category covers all advertising-related cookies, including retargeting, programmatic advertising, and social media platform pixels.

Legal basis (UK): Consent under UK GDPR Article 6(1)(a) and PECR Regulation 6(1). Legitimate interests is not available as a basis under PECR for device-based marketing cookies.

Default state: OFF until consent is given. You can enable these via the Cookie Settings link below.

A detailed list of all cookies in use on this website - including cookie name, provider, purpose, type, and maximum duration - is available in our cookie preference centre:

The cookie list is updated automatically following each scheduled scan. A full scan is conducted at least every six months, or following any material change to our vendor stack or website functionality.

You are always in control of your cookie preferences. You can accept or reject optional cookies at any time using the following methods:

Cookie banner

When you first visit our website, a consent banner is displayed before any non-essential cookies are activated. The banner provides equal-prominence options to Accept All, Reject All, or Manage Preferences (category-by-category).

Cookie preference centre

You can review and update your choices at any time by clicking the “Cookie Settings” link below. This gives you granular control over each non-essential cookie category.

Browser settings

Most browsers allow you to block or delete cookies via the settings or ‘Help’ menu. Please note that disabling strictly necessary cookies may impair site functionality, including the ability to log in or complete a purchase. Instructions are available via your browser’s Help function.

Consent records

Your consent choices are recorded and stored for up to five years, in line with ICO guidance. The date, time, and policy version in force at the time of consent are logged. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Some cookies on our website are set by third-party vendors. These vendors may use cookies in accordance with their own privacy and cookie policies. The table below lists our key third-party providers; the full list is available in the cookie preference centre.

Vendor Google Analytics 4
Category Analytics
Further information / opt-out https://tools.google.com/dlpage/gaoptout

Vendor Contentsquare
Category Analytics
Further information / opt-out https://contentsquare.com/privacy-center/

Vendor AB Tasty
Category Analytics
Further information / opt-out https://www.abtasty.com/privacy-policy/

Vendor Meta (Facebook Pixel)
Category Marketing & Advertising
Further information / opt-out https://www.facebook.com/about/privacy

Vendor TikTok Pixel
Category Marketing & Advertising
Further information / opt-out https://www.tiktok.com/legal/privacy-policy

Vendor Pinterest Tag
Category Marketing & Advertising
Further information / opt-out https://policy.pinterest.com/en/privacy-policy

Vendor Snap Pixel
Category Marketing & Advertising
Further information / opt-out https://snap.com/en-US/privacy/privacy-policy

Vendor Bazaarvoice
Category Functional / Analytics
Further information / opt-out https://www.bazaarvoice.com/legal/privacy-policy/

Vendor OneTrust
Category Strictly Necessary
Further information / opt-out https://www.onetrust.com/privacy-notice/

ELEMIS enters into data processing agreements with all vendors that process personal data on our behalf as data processors. Where vendors act as independent controllers (e.g. social media platforms), your relationship with them is governed by their own terms.

We review this Cookie Policy at least every six months, and following any material change to our cookie practices, vendor stack, or applicable law. The current version, with the “Last updated” date, is always available on this page.

Where changes are material, we will re-present the consent banner to obtain fresh consent where required by law.

If you have any questions about our use of cookies, or wish to exercise your data protection rights, please contact our Data Protection team:

• Email: [email protected]
• Address: Data Protection Team, ELEMIS Limited, Unit G2 Titan Road Patchway, Bristol, BS34 6FD

If you are unhappy with how we have handled a complaint, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

• Website: https://ico.org.uk
• Telephone: 0303 123 1113