Privacy Policy

Elisa-Rose Company

PRIVACY POLICY - UK & EEA

JANUARY 2024

At Elisa-Rose Company, we are committed to protecting your personal data and respecting your privacy. It is your personal data and we respect that. This Privacy Policy tells you about how and why we collect and use the personal data which you provide to us or which we collect about you when you interact with us, for example, when you use our website or visit our social media.

In this notice, when we refer to "Elisa-Rose Company", "us", "we" or "our", we mean Daylight Vision Limited and, where applicable, any entities owned or controlled by Daylight Vision Limited and which provide you with the Elisa-Rose Company websites or which are responsible for stores, stands or events in your country.

We want you to be fully informed about how we use your personal data, how we keep it secure and your rights in relation to that personal data. We trust this Privacy Policy will answer any questions you have about how we handle your personal data. It is likely that we will need to update this Privacy Policy from time to time by updating this page. We will notify any significant changes but encourage you to come back and review it from time to time.

ABOUT US - WHO IS ELISA-ROSE COMPANY?

This Privacy Policy is provided by the Elisa-Rose Company. When you visit or place an order on one of the websites or interact with us online, you are contracting with the Elisa-Rose Company listed as the 'Data Controller' in the table below:

Territory Data Controller Website United Kingdom Elisa-Rose Company Limited www.elisarosecompany.com / www.elisarosecompany.co.uk

ENSURING THE LAWFUL USE OF YOUR PERSONAL DATA

We will only use your personal data where we have a lawful basis to use it. In particular, we will use your personal data in the following circumstances: • We will use your personal data where it is necessary for us to perform our contract with you (for example, to fulfil your order). • We may also use your personal data to pursue our legitimate interests (or those of a third party) in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms. For example, we might use your purchase history to send you personalised offers or use your shopping history to identify trends and ensure we can keep up with demand and develop the right new products for our customers. • We may sometimes need to use personal data to comply with our legal obligations (for example to pass on details related to fraud). • In some instances, we will ask for your consent to use your personal data, for example, where you sign-up to receive our email newsletters. You can withdraw your consent at any time by letting us know (see "Your Rights" section below). Please get in touch with us using the contact details provided at the end of this Privacy Policy if you would like further information about why we are using your personal data.

WHAT PERSONAL DATA DO WE COLLECT FROM YOU AND HOW DO WE USE IT?

The personal data we collect about you and how we will use it, depends on how you interact with us, for example, if you place an order on our Website, contact us with a query by email or phone, make a purchase, or book an appointment in one of our stores. Certain categories of personal data, such as information relating to racial or ethnic origin, health data, genetic data or biometric data (meaning personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of individuals, such as facial or iris scans or voice recognition systems) are classified as “special categories of data” and benefit from additional protection under data protection legislation. We only collect and use 'special category data' where you have provided us with your consent for us to do so. In some instances, you may have requested services or products that do not directly involve the collection of any special categories of data, but may imply or suggest your religion, health or other special categories of data. Below provides some examples of the information we collect about you and how we will use it. The personal data we collect from you How we use it Lawful Basis We will collect the personal data needed to identify you, such as your name, username, password and date of birth. We will also collect your contact details, such as your email address, mobile phone number, telephone number and billing/delivery address. To fulfil your order, for example, by delivering your products to you or to contact you about your order where necessary. We may also share this information with third party delivery and courier services such as Royal Mail, DPD and Evri to enable us to fulfil your order. Performance of our contract with you. To allow you to create an account with us. Legitimate interest (to operate our business and administer the service we offer to you).

To send you email newsletters to keep you up-to-date about our products and services which we think will interest you and our latest offers, and where you opt to participate in our loyalty programmes. Legitimate interest (to develop our products/services and grow our business).

Where you consent (where consent is required under applicable law).

To send you SMS messages to keep you

up-to-date about our products, services and our latest offers which we think will interest you. Legitimate interest (to develop our products/services and grow our business).

Where you consent (where consent is required under applicable law).

To send you information with your Order to keep you up to date about our products,

services and our latest offers which we think will interest you. Legitimate interest (to develop our products/services and grow our business).

Where you consent (where consent is required under applicable law).

To allow you to book an appointment with us or to attend an event. Performance of our contract with you.

Legitimate interest (to administer our service to you).

So that you can enter competitions, events or prize draws run by us. Legitimate interest (to develop our products/services and grow our business). To communicate with you in relation to your order or booking, or if you raise an enquiry or complaint with us. Performance of our contract with you

Legitimate interest (to administer our service to you).

To allow you to complete any surveys we send you (if you wish to) or to comment on or review our products or service, to help us to improve them. Legitimate interest (to

study how customers use our products/services). Fraud prevention and detection. Legal obligation.

Legitimate interest (to prevent and detect fraud, other crime or incidents).

To email you to inform you when a product you want to order is back in stock. Legitimate interest (to develop our

products/services and grow our business).

Where you consent (where we are required to obtain consent under applicable laws).

Payment details and details of your transactions. To take payment of your order and, if required, to give refunds. We do not store any payment card numbers once the transaction has been completed. We will share this data with credit card companies and other payment providers. Performance of our contract with you. Fraud prevention and detection. Legal obligation.

Legitimate interest (to prevent and detect fraud, other crime or incidents).

Information you provide to us when you contact us by telephone, by email, by post or on social media, via our Website, via LiveChat or via VideoChat including your telephone phone number, mobile phone number, email address, social media profile/handle and image, as applicable. Provide you with the support and customer service you have requested. Performance of our contract with you.

Technical information about your equipment, browsing actions and patterns. Information about how you use the Website and pages on the Website, such as the pages and links you access, the time you access them and the duration, and choices you make when using the Website. We collect this personal data by using cookies, server logs and other similar technologies such as web beacons or pixels on our Website, apps and emails, and full details as to how we process and use cookies can be found in our Cookies Policy To administer and to improve our Website, to ensure it is presented in the most effective manner for you and to give you the best Website experience and to allow you to participate in interactive features of our Website if you choose to do so. Legitimate interest (to improve your experience when you shop and to keep our website updated and relevant).

For data analysis, testing, research and statistical statistics to help us to improve our products and services. Legitimate interest (to improve your experience when you shop and to keep our website updated and relevant). To keep our Website safe and secure. Legal obligation

Legitimate interest (to prevent and detect crime and other incidents).

To make suggestions and recommendations to you and other users of our Website about products or services that may interest you or them. Where you consent (where we are required to obtain consent under applicable laws).

Legitimate interest (to inform you about products and services that may interest you).

To provide you with information about

and remind you about the products and services that you have looked at on our Website. Where you consent (where we are required to obtain consent under applicable laws).

Legitimate interest (to manage and improve your shopping experience).

To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. Where you consent (where we are required to obtain consent under applicable laws).

Legitimate interest (to manage and improve your shopping experience).

To identify behavioural flows from emails we send to you, so that we are able to monitor and analyse the effectiveness of those emails. Where you consent (where we are required to obtain consent under applicable laws).

Legitimate interest (to manage and improve your shopping experience).

To assist us to provide you with a more personalised experience, for example in order to provide you with tailored product recommendations when you use our Rossoe Wellness Custom Fragrance feature. Where you consent (where we are required to obtain consent under applicable laws).

Legitimate interest (to manage and improve your shopping experience).

Photographs, videos and video stills of you, where you choose to provide them to us. For use on the Elisa-Rose Company Websites, social media channels (such as Instagram and TikTok) and other Elisa-Rose Company channels and promotional materials for marketing purposes and for product recommendations. Where you consent (where we are required to obtain consent under applicable laws).

Legitimate interest (to manage and improve your shopping experience).

Personal data provided in audio or video recordings, such as when you call us, customer care calls or online consultation services To improve and monitor our services and for learning and development, training and quality purposes. Legal obligation

Legitimate interest (to manage the way in which we deliver our service to you).

Performance of our contract with you.

Social media handles where you have provided us with your social media handle to participate in a Elisa-Rose Company programme or similar, to enable us to identify and view your social media account(s). Legitimate interest (to manage and improve your shopping experience).

You don’t have to give us any of the personal data set out above but, if you don’t provide us with certain information, we may not be able to provide you with the goods and services you have requested from us. The forms you fill in on our websites and in our stores will make it clear what information we need in order to provide the product or service you are requesting and what information you can choose to provide if you wish.

To help us form a better, overall understanding of you as a customer, we combine your personal data gathered across the Elisa-Rose companies, for example, your shopping history.

AUTOMATED DECISION MAKING AND PROFILING

When we send or display personalised communications or content, we may use a technique known as "profiling". This means any form of automated processing of personal data to evaluate certain aspects about an individual, in particular to analyse or predict aspects concerning their personal preferences, interests, economic situation, reliability, behaviour, location, or movements. This means that we may collect personal data about you in the different scenarios described in the table above, and use that data to analyse, evaluate, or predict your personal preferences, interests, behaviour and/or location. In some cases we might also use personal data, including digitally created profiles, to make decisions by automated means.

For example, we may use automated processing to create a list of customers that are eligible for a loyalty programme, based on their purchases and amounts they have spent, or to identify the types of advertising or marketing you might be interested in. We ensure that we have a legal basis to process your personal data when we carry out profiling activities and/or automated decision-making, as set out above.

You may in some circumstances have the right to request that we don’t use your personal data in this way. Please see "Your Rights" section of this privacy policy below.

SHARING YOUR PERSONAL DATA

SHARING YOUR PERSONAL DATA WITHIN THE Elisa-Rose companies

We may share your personal data with other companies within Elisa-Rose Company to enable us to run data analysis, develop new products, for other business development purposes and/or to allow another Elisa-Rose companies to perform services on our behalf.

SHARING YOUR PERSONAL DATA WITH TRUSTED THIRD PARTIES

We share your personal data with trusted third parties to allow us to provide our services to you. When we do share your personal data with these third parties we only provide the information they need to perform the service. These trusted third parties include the following:

DESCRIPTION EXAMPLES

Companies that help us fulfil your orders and, where required, get your purchases to you, such as delivery couriers and payment providers DPD, Royal Mail, Evri, UPS, FedEx, Ecwid, Klarna, Stripe, PayPal, Apple Pay etc.

Professional service providers such as website hosting providers, system providers, website and social media analytics providers, advertisers and appointment booking providers, who help us run our business Google Analytics, IONOS etc.

Direct marketing companies who help us manage our electronic communications with you and social media or web platforms to show you products that might interest you while you’re browsing the internet Emarsys, Attentive, Appointedd, Movable Ink, Zendesk, Partnerize, Narrativ, Twitch, Google Ads, Amazon Ads, Yahoo Ads, Tiktok, Pinterest, Snap, Reddit, Facebook, Instagram, YouTube.

We may also share your personal data in connection with a business transition (such as a merger, acquisition by another company, or a sale of all of or portion of our assets). In these circumstances, we may need to share your personal data with a prospective buyer and external professional advisors such as accountants, insurers, lawyers or financial institutions.

We may be required to share your personal data with the police, administrative authorities (such as national tax authorities) or other enforcement, regulatory or Government bodies, where we are legally obliged to do so.

We will only share your personal data with third parties (including our group companies) for them to use for their own direct marketing purposes when you have given your express opt-in consent for us to do so.

INFORMATION WE RECEIVE FROM THIRD PARTIES

We may receive certain information about you from third parties, such as partners we run competitions and events with, our Retail Partners and trade shows or from other organisations we work with, such as, publicly available sources, Pinterest or TikTok, or information which is published in the media or where you have written a review about us.

Information about you may also be shared with us when you use social media or messaging services, such as Facebook, Twitter or WhatsApp. The information that is shared with us will depend on the privacy settings you select when you use those services. You should review the privacy notices of any social media or messaging services that you use to understand how your personal data will be used in that context.

We may combine the information you have given us, with information obtained from other sources, but we will only do this when we have a lawful basis to do so as set out in the table above.

SEEING ADVERTISEMENTS FOR OUR WEBSITE ONLINE

We may collaborate with third parties to provide us with analytics services and serve Elisa-Rose companies ads and banners when you are browsing on apps and other websites. We do this by way of various ad exchanges and digital marketing networks. We and our advertising partners use various advertising technologies, for instance, ad tag, cookies, pixels, identifiers and web beacons. This information may be used by Elisa-Rose companies and others to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our Websites and other websites, and better understand your online activity.

The ads and banners you see are based on information that we hold about you, or on your prior use of our Websites, for example, products you have browsed previously, content you have read on our Websites, or on Elisa-Rose companies banners or ads that you have engaged with in the past.

We may also work with and use services offered by other third parties to serve ads to you as part of a customised campaign on third-party sites and platforms (such as Facebook or Instagram). As part of these ad campaigns, we or the third parties may convert information about you, such as your email address and phone number, into a unique value that can be matched with a user account on these platforms to allow us to learn about your interests and to serve you advertising that is customised to your interests. For more information about this advertising, or to opt out of seeing these types of customised ads, please visit these third-party sites and platforms, which may offer you choices about this type of customised advertising.

For more information about interest-based ads, or to opt out of having your web browsing activity used for behavioural advertising purposes, please visit our Cookies Policy and use our cookie management tool to manage your preferences.

MARKETING SERVICE PROVIDERS

Your personal data, which includes but is not limited to demographic information, transaction history, and online behaviour, may be shared with selected marketing service providers for the purposes of the following and is typically known as data profiling:

• helping us better understand the likely characteristics of our customers;

• creating predictive models that can offer suggestions and recommendations to you and other users about products or services that may interest you or them;

• improving the relevancy and appropriateness of our marketing to customers (e.g. offers, its products and services); and

• helping us to communicate with our customers more effectively offline and online. This may mean that you receive tailored advertising via direct mail or when you visit a website.

To ensure the security and protection of your data, all information shared with any marketing service providers will be transformed into a non-readable format. This means that your identifiable information will be removed and replaced with pseudonymous identifiers or encrypted tokens. The marketing service providers may have the capability to match the data we share with them with data from their or other third party sources. For example, combining the non-readable data received from us with data collected from various reputable sources to gain more comprehensive insights into consumer behaviour and preferences.

INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA

We aim to eventually operate our business globally and some of our service providers are located in countries outside of the UK or EEA.

As a result, it may be necessary for the personal data that we collect from you to be transferred to or accessed from outside the UK or EEA (a "third country") in order for us to provide our services.

If we do this, we have procedures in place to ensure your personal data receives the necessary protections: • If you are located in the UK, we may transfer your personal data to third countries:

o where the UK Government has recognised the relevant third country as providing an adequate level of protection under UK adequacy regulations. For further details, see the ICO website (www.ico.org.uk); or

in the absence of UK adequacy regulations, in reliance on an appropriate safeguard in accordance with applicable data protection laws, such as the standard contractual clauses (or equivalent) approved for use in the UK. For further details, see the ICO website (www.ico.org.uk).

• If you are located in the EEA, we may transfer your personal data to third countries:

o where the European Commission has recognised the relevant third country as providing an adequate level of protection pursuant to an adequacy decision; or

o in the absence of an adequacy decision of the European Commission, in reliance on an appropriate safeguard in accordance with applicable data protection laws - typically the EU standard contractual clauses.

Any transfer of your personal data will comply with applicable laws and we will treat the information according to the principles set out in this Privacy Policy.

If you would like further information or a copy of the standard contractual clauses we use, please get in touch with us using the contact details provided at the end of this Privacy Policy.

HOW LONG WILL WE KEEP YOUR PERSONAL DATA?

We will only keep your personal data for as long as we need to for the reason we collected it, as set out in this Privacy Policy. For example, for as long as needed to allow us to fulfil your order or to provide any customer services support you have requested, to provide you with the Rossoe Wellness Custom Fragrance or for as long as you hold an account with us.

We may also keep hold of some of your personal data if we are required to do so for legal purposes, for example, to meet our legal or regulatory requirements or to prevent fraud and abuse, or for tax and accounting purposes. For example, we will keep your order data for five years after you place an order with us to allow us to comply with our legal obligations.

When we are no longer required to keep your personal data, your data will either be deleted or completely anonymised. For example, by aggregation with other data so that it can be used in a non-identifiable way for business planning and analysis purposes.

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us using the details at the end of this Privacy Policy.

ENSURING YOUR PERSONAL DATA IS UP TO DATE AND CORRECT

It is important that the personal data we hold about you is accurate and current. If you have an account with us, please keep your details up-to-date but if you do not have an account with us, please contact hello@elisarosecompany.co.uk with any new information.

SECURITY

We are committed to ensuring that your personal data is secure and we have put in place suitable physical, electronic, contractual and managerial procedures, including our Information Security Management System and Secure Sockets Layer (SSL) encryption, to protect your personal data. Our employees who have access to and process your personal data are obliged to respect the confidentiality and security of your personal data.

THIRD PARTY LINKS

Our Website may contain links to other websites of interest that are not run by us but by third parties. However, we do not have any control over these third party websites and they will be governed by their own privacy policies and terms and conditions, not this Privacy Policy. You should review the privacy notices and terms and conditions of any other websites that you use.

HOW CAN I UNSUBSCRIBE FROM MARKETING COMMUNICATIONS?

We love keeping you up-to-date by email (and or) SMS about our latest products, services, offers and events, subject to your marketing preferences. However, if you decide that you don’t want to receive these communications at any point, you can unsubscribe at any time as follows:

To unsubscribe from emails, click on the 'unsubscribe' button on the bottom of any email we send you. If you have an account with us, you can also unsubscribe by going to the Account Information page on the relevant Elisa-Rose Company website, clicking on Newsletters, and unsubscribing to general subscription.

To unsubscribe from SMS, follow the link at the end of any SMS we send to you. You can also email us at hello@elisarosecompany.co.uk. You can also find instructions on how to do this in any SMS message that we send you.

We may also send you details of products, services, offers and events we think you may be interested in when we send you your Order. If you do not want to receive these communications, please let us know by contacting customer service using our contact form at https://elisarosecompany.com/contact, emailing hello@elisarosecompany.co.uk or by logging on to your account and updating your marketing preferences.

YOUR RIGHTS

You have the following rights in relation to the personal data we hold about you: • The right to insist that companies who hold your personal data are fair and transparent about how and the manner in which they process and use your personal data. This is why we provide you with this Privacy Policy.

• The right to access the personal data we hold about you (commonly known as a "data subject access request") including obtain a copy of it. There are some exemptions, which means you may not always receive all the information we process, for example if the records contain personal data of other individuals.

• The correction of the personal data that we hold about you if it is incomplete or inaccurate (although if you hold an account with us, you may be able to do this in certain cases yourself by visiting the Account Information page on the Elisa-Rose Company website).

• The deletion or removal of personal data we hold about you where there is no good reason for us continuing to process it. If you have successfully exercised your right to object to us processing your personal data or if we have processed your personal data unlawfully or we are required to stop processing your personal data as a matter of local law, then you can ask us to delete your personal data.

• For our processing of your personal data to be restricted if: (i) you want to make sure the personal data is accurate; (ii) where our use of the personal data is unlawful but you don't want us to erase it; (iii) where you need us to hold the personal data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.

• The right to withdraw consent. If we process your personal data on the basis of your consent, then you can withdraw your consent and we must cease processing it in future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

We may need to ask you for specific information to help us confirm your identity before dealing with your request. This is a security measure to ensure your personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Right to Object

Where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing it and we must do so unless we believe we have an overriding legitimate reason to continue processing your personal data.

If you are dissatisfied with how we have handled your personal data, you have the right to make a complaint to your data protection regulator.

In the UK, this is the Information Commissioner's Office (ICO). You can make a complaint to the ICO by calling their helpline on 0303 123 1113 or on their website at www.ico.org.uk/concerns.

CHILDREN

Customers need to be over the age of 18 to shop with us, create an account with us or to sign up for our newsletter or to contact us or to liaise with us via LiveChat or VideoChat. We will not knowingly collect personal data about under 18s and if you are under 18, please do not provide us with your personal data. We would ask parents to please ensure that their children that are under 18 do not provide us with any personal data without their permission. If you believe that a child who is under 18 has provided personal data to us, please contact us, using the details below and we will seek to delete that data from our systems.

LOOKALIKE AUDIENCES

For advertising purposes, we occasionally use information about our customers to generate a "lookalike audience" or similar audience of prospective customers through the Facebook, Google, Snapchat, Pinterest or TikTok, or any other advertising platforms. This allows us to target advertisements on their networks to potential customers who appear to have shared interests or similar demographics to our existing customers, based on the platforms' own data. We typically do this by uploading a list of email addresses. These third parties’ policy is to irreversibly hash (encrypt) such lists prior to uploading, match the hashed data against their own customers, generate the lookalike audience, then delete the uploaded list and use it for no other purpose. We do not have access to the identity of anybody in the lookalike audience, unless they choose to click on the ads. Based on this, we believe that generating lookalike audiences poses little or no threat to the privacy of our customers. If you wish to opt out of "similar audiences" in Google, you can do so through your Ads Settings. Many of the companies that display interest-based advertising are members of the Network Advertising Initiative ("NAI") and/or Digital Advertising Alliance ("DAA"). To learn more about interest-based advertising and how you may be able to opt-out of interest-based advertising, tracking, and/or sharing of tracking data by their members, visit their online resources at www.networkadvertising.org/choices and www.aboutads.info/choices, respectively. Other resources (not affiliated with NAI or DAA) include http://preferences-mgr.truste.com/, or for EU residents, www.youronlinechoices.eu.

CONTACTING US

If you have any queries, comments or requests regarding this Privacy Policy, you have a complaint or you would like to exercise any of your rights set out above, you can contact us in the following ways:

• By email at hello@elisarosecompany.co.uk