This Privacy Notice explains how ELEMIS collects, uses and protects your personal data in connection with personalised skincare recommendations, skincare treatments and spa treatments (collectively “Therapies”). It has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR), EU GDPR and the Data Protection Act 2018.

Before receiving a Therapy, you will be asked to complete a Health Questionnaire and provide Explicit Consent for us to process sensitive health data. Please read this Notice carefully before completing those forms.

This summary gives you the key points. Full details are in the sections that follow.

Who we are
ELEMIS Limited is the controller responsible for your personal data in connection with Therapies.

What data we collect
Identity and contact details, health and skin condition data collected via the Health Questionnaire, skin images captured via our Reveal machine, and treatment records.

Why we use it
To deliver your Therapy, recommend appropriate products and treatments, retain treatment records accessible across our concessions and spas, and handle any adverse reaction or legal claims.

Who we share it with
L'Occitane Group companies, Reveal technology providers, IT and hosting providers, insurers, legal advisers, and any acquirer in a business sale or restructuring.

Your rights
Access, rectification, erasure, restriction, portability, objection and withdrawal of consent. Contact us at [email protected].

Supervisory authority
UK: Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
EU: Your local data protection authority.

ELEMIS, Limited is the data controller responsible for personal data collected in connection with Therapies. We are registered with the Information Commissioner’s Office under reference Z6739759.

Full legal name ELEMIS Limited
Registered address Unit G2 Titan Road, Patchway, Bristol, BS34 6FD
Company number 02279688
ICO registration Z6739759
Data Protection contact [email protected]

EU Representative (Article 27 GDPR)

As ELEMIS does not have an establishment in the European Union, we have appointed an EU representative for the purposes of Article 27 GDPR. EU-based individuals may contact our representative to raise any queries relating to the processing of their personal data.

EU Representative Elemis IRL Limited
Address 14 Upper Liffey Street, Dublin 1, Republic of Ireland
Contact [email protected]

Our Data Protection team is your first point of contact for privacy queries, rights requests and complaints. We aim to respond within one calendar month.

We collect two categories of personal data in connection with Therapies: data you provide directly, and special category health data which requires your explicit consent.

Data You Provide Directly

Identity and Contact Data
Name, postal address, email address, telephone number, date of birth, occupation, gender, nationality and country of residence.

Therapy and Booking Data
Type of service requested, treatment history and product preferences.

Skin Analysis Data
Images of your skin captured via the Reveal skincare analysis machine for the purpose of recommending appropriate products or treatments.

Customer Support Data
Enquiries, complaints and communications relating to your Therapy.

Payment and Transaction Data
Products purchased and payment information processed securely by our payment providers.

Special Category Data (Health Data)

The Health Questionnaire collects sensitive health data including information about skin conditions, pregnancy status, health history and contraindications relevant to your Therapy. This constitutes special category data under UK/EU GDPR Article 9.

We collect this data only on the basis of your explicit consent (Article 9(2)(a)). You will be asked to sign a separate Consent Form before your Therapy. You may withdraw that consent at any time by contacting [email protected], though this may affect our ability to provide or continue the Therapy.

We may also process health data without consent where necessary for the establishment, exercise or defence of legal claims (Article 9(2)(f)) - for example, where you report an adverse reaction to a product or treatment.

We do not use automated decision-making or profiling when processing your health data.

The information below sets out all purposes for which we process personal data in connection with Therapies, the categories of data involved, and the lawful basis under UK GDPR Article 6 (and Article 9 where applicable).

Register You as a Client and Manage Your Therapy Booking

Categories of data: Identity and contact data.
Lawful basis: Article 6(1)(b) - Performance of a contract.

Deliver the Therapy and Tailor It to Your Skin and Health Needs

Categories of data: Identity, contact, health data (special category data) and skin analysis data.
Lawful basis: Article 6(1)(b) - Contract and Article 9(2)(a) - Explicit consent for health data.

Recommend Appropriate ELEMIS Products and Treatments Using Reveal Technology

Categories of data: Identity, skin analysis data and health data.
Lawful basis: Article 6(1)(b) - Contract, Article 6(1)(f) - Legitimate interests (product suitability), and Article 9(2)(a) - Explicit consent for health data.

Retain Treatment Records Accessible Across ELEMIS Concessions and Spas

Categories of data: Identity, contact, health data, treatment history and skin analysis data.
Lawful basis: Article 6(1)(f) - Legitimate interests (continuity of care) and Article 9(2)(a) - Explicit consent.

Process Payments and Manage Associated Transactions

Categories of data: Identity, contact, financial and transaction data.
Lawful basis: Article 6(1)(b) - Contract.

Handle Adverse Reactions and Assess Associated Claims

Categories of data: Identity, contact and health data.
Lawful basis: Article 6(1)(f) - Legitimate interests and Article 9(2)(f) - Legal claims.

Manage Our Relationship With You
This includes notifying you of changes to terms or this Privacy Notice.

Categories of data: Identity, contact, profile, marketing and communications data.
Lawful basis: Article 6(1)(b) - Contract, Article 6(1)(c) - Legal obligation and Article 6(1)(f) - Legitimate interests.

Administer and Protect the Reveal Skincare Analysis Technology
This includes troubleshooting, testing, system maintenance and hosting.

Categories of data: Identity, contact and technical data.
Lawful basis: Article 6(1)(f) - Legitimate interests including IT administration, fraud prevention and network security.

Comply With Legal and Regulatory Obligations

Categories of data: Information required by applicable law.
Lawful basis: Article 6(1)(c) - Legal obligation.

Legitimate Interests Assessment

Where we rely on legitimate interests (Article 6(1)(f)), we have carried out a balancing assessment to confirm that our interests are not overridden by your rights and freedoms. These interests include maintaining accurate treatment records, preventing adverse reactions, protecting against legal claims, and operating our Reveal technology securely. You have the right to object to this processing at any time — see Section 9.

We share your personal data only where necessary to deliver the Therapy and operate our business. All processors are engaged under UK GDPR-compliant data processing agreements. We do not sell your personal data.

L'Occitane Group Companies

Purpose: Group-wide operations and shared services.
Data shared: Identity, contact, account and order data.

Reveal Technology Provider

Purpose: Skin analysis platform powering personalised product and treatment recommendations.
Data shared: Skin images, skin analysis scores and product recommendations.

IT and Hosting Service Providers

Purpose: Infrastructure, data hosting and system maintenance.
Data shared: Operational data as required.

Insurers

Purpose: Risk management and claims handling.
Data shared: Identity, contact and health data where required for a claim.

Legal and Risk Management Advisers

Purpose: Legal advice, compliance and defence of claims.
Data shared: Information required for the relevant matter.

Law Enforcement and Regulatory Authorities

Purpose: Compliance with legal, court or regulatory obligations.
Data shared: Information required by applicable law.

Acquirers in a Business Sale or Restructuring

Purpose: Due diligence and transaction completion.
Data shared: Information required for the transaction.

Where your personal data is transferred outside the UK or the European Economic Area (EEA), we ensure that appropriate safeguards are in place. For UK transfers, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. For EU transfers, we rely on the Standard Contractual Clauses approved under EU GDPR Article 46.

If you require further information about these safeguards, please contact our Data Protection team at [email protected].

We have implemented appropriate technical and organisational security measures designed to protect your personal data from loss, unauthorised access, alteration or disclosure. These include:

• access controls limiting data access to employees, agents and contractors who require it to deliver your Therapy;
• confidentiality obligations binding all persons who handle your data;
• contractual security obligations imposed on all third-party processors before onboarding; and
• incident response and breach notification procedures in accordance with UK GDPR Articles 33 and 34.

Given the sensitive nature of health data collected in connection with Therapies, we apply enhanced safeguards to this category of data.

We retain your personal data only for as long as is necessary to fulfil the purposes described in this Notice, taking into account our legal, accounting and regulatory obligations.

In determining the appropriate retention period, we consider: the amount, nature and sensitivity of the data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process it; whether those purposes can be achieved by other means; and the period during which you should be able to access your treatment records at any of our concessions or spas.

Health data collected via the Health Questionnaire and Consent Form is retained in accordance with our Data Retention Policy. For further information on specific retention periods, contact us at [email protected].

You have the following rights in relation to your personal data under UK GDPR (and, where applicable, EU GDPR). These rights are not absolute and may be subject to exemptions under the Data Protection Act 2018. We will respond to rights requests within one calendar month (extendable by two months for complex or multiple requests, with notice to you).

Right of Access (Article 15)

You have the right to receive a copy of the personal data we hold about you. This will normally be provided free of charge, although a reasonable fee may apply for requests that are manifestly unfounded or excessive.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data where there is no longer a lawful basis for retaining it, subject to overriding legal obligations.

Right to Restriction of Processing (Article 18)

You have the right to request that we suspend active processing while we verify concerns relating to accuracy, lawfulness or an objection you have raised.

Right to Data Portability (Article 20)

You have the right to receive personal data you have provided in a structured, machine-readable format where processing is consent-based or contract-based and carried out by automated means.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. We will cease direct marketing immediately on request.

Right to Withdraw Consent

You may withdraw consent at any time for health data processing and any other consent-based activity. Withdrawal does not affect prior lawful processing but may affect our ability to provide the Therapy.

Rights Regarding Automated Decisions (Article 22)

You have the right not to be subject to solely automated decisions with legal or similarly significant effects. We do not rely on automated decision-making in connection with Therapies.

How to Exercise Your Rights

Contact our Data Protection team:

• Email: [email protected]
• Post: Data Protection Team, ELEMIS, Limited, Unit D Poplar Way East, Cabot Park, Avonmouth, Bristol, BS11 0DD

We may need to verify your identity before processing your request. No fee is charged for legitimate requests unless they are manifestly unfounded or excessive.

We may update this Privacy Notice to reflect changes to our processing activities or applicable law. The current version, with the “Last updated” date, is always available at https://elemis.com/uk/treatments-privacy-policy.

Where changes are material, we will notify you before the change takes effect. Fresh consent will be sought where required.

If you have a concern about how we have handled your personal data, please contact our Data Protection team at [email protected] in the first instance. We will investigate and respond promptly.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

Jurisdiction United Kingdom

Supervisory Authority Information Commissioner’s Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF