Name and address of the person responsible
We are based both in the US and Ireland. The responsible person within the meaning of the GDPR is:
Professional Hair Labs
Scientific Cosmetix LLC
3795 Correia Drive,
Zephyrhills, Florida, 33542 USA
Professional Hair Products Ltd
Saint Martins Road,
Wexford, Y35 C434 Ireland
Each entity acts as the data controller for its respective region (referred to as “Professional Hair Labs”, “we” or “us”).
Scope of the processing of personal data
As a matter of principle, we collect and use personal data of our users only insofar as this is necessary to provide a functional website and our contents and services. The collection and use of our users’ personal data generally takes place only with the user’s consent. An exception applies in those cases in which it is not possible to obtain prior consent for practical reasons and the processing of the data is permitted by legal regulations.
Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) of the GDPR serves as the legal basis for the processing of personal data.
- Performance of a contract or pre-contractual measures
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
- Legal obligation
Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.
- Vital interests
In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6(1)(d) GDPR serves as the legal basis.
- Legitimate interest
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6(1)(f) GDPR serves as the legal basis for the processing.
Rights of the data subject
If personal data is processed by us, you are a data subject within the meaning of the GDPR and you are entitled to the following rights:
Right to information
You may request confirmation from the controller as to whether personal data concerning you is being processed by us. If there is such processing, you may request information from the controller about the following:
- the purposes for which the personal data are processed,
- the categories of personal data which are processed,
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed,
- the envisaged duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period,
- the existence of a right to rectify or erase personal data concerning you, a right to have processing restricted by the controller or a right to object to such processing,
- the existence of a right to lodge a complaint with a supervisory authority,
- any available information on the origin of the data, if the personal data are not collected from the data subject,
- the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information on whether personal data concerning you are transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
Right to rectification
You have a right to rectification and/or completion, insofar as the personal data processed concerning you are inaccurate or incomplete. The controller must make the rectification without undue delay.
Right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data,
- the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data,
- the controller no longer needs the personal data for the purposes of the processing, but you need it for the establishment, exercise, or defence of legal claims; or
- if you have objected to the processing pursuant to Article 21(1) of the GDPR and it has not yet been determined whether the controller’s legitimate grounds override your grounds.
Where the processing of personal data relating to you has been restricted, such data may only be processed – apart from being stored – with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
Right to erasure
You may request the controller to erase the personal data concerning you without undue delay and the controller is obliged to erase such data without undue delay if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR and there is no other legal basis for the processing.
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
- The personal data concerning you have been processed unlawfully.
- The erasure of the personal data concerning you is necessary for compliance with a legal obligation.
- The personal data concerning you has been collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.
The right to erasure does not apply insofar as the processing is necessary:
- for the exercise of the right to freedom of expression and information,
- for compliance with a legal obligation,
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR,
- for the assertion, exercise or defence of legal claims.
Right to notification
If you have asserted the right to rectification, erasure or restriction of processing, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of these recipients by the controller.
Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
Right to revoke your consent
You have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.
Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
Provision of the website and creation of log files
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:
- Information about the type of browser and the version used
- The user’s operating system
- The user’s Internet service provider
- The IP address of the user
- Date and time of access
- Websites from which the user’s system accesses our website
- Websites that are accessed by the user’s system via our website
The log files may contain IP addresses or other data that make it possible to attribute a request to a user. This could be the case, for example, if the link to the website from which the user arrives at our website, or the link to the website to which the user goes, contains personal data. Such data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR. The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the IP address of the user must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case when the respective session has ended. In the case of data stored in log files, this is the case after seven days at the latest. Storage beyond this period is possible; in this case, the IP addresses of the users are deleted or altered so that the requesting client can no longer be identified. The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.
The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f GDPR. The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 (1) lit. a GDPR if the user has consented to this.
How we use your information
The main reason we process your information is to provide and improve our services. In addition, we process your information to ensure your safety and to send you advertisements that may be of interest to you. If you would like a more detailed explanation of the various reasons why we process your data and are interested in some practical examples, please read on.
- To manage your account and provide you with our services
  - To create and manage your account
  - To serve you as a customer and respond to your inquiries
  - To fulfil your requests
  - To communicate with you about our services, including order management and invoicing
  - To communicate with you by email and phone or via social media or mobile devices about our products and services that we think may be of interest to you
- To improve our services and develop new ones
  - To manage audiences and surveys
  - To research and analyse user behaviour to improve our Services and content (e.g., we may decide to change the look and feel of the Service or even make a material change to a particular feature based on user behaviour)
  - To develop new features and services (for example, we may decide to develop a new interest-based feature based on user requests)
- To prevent, detect and take action against fraud or other illegal or unauthorized activity
  - To respond to actual or alleged misconduct
  - To perform data analysis to better understand and develop countermeasures against such activity
  - To prevent recurrences of fraudulent activity
- To ensure legal compliance
  - To comply with legal requirements
  - To support law enforcement activities
To process your data as described above, we rely on the following legal bases:
Providing our services to you: Generally, we process your data to fulfil the contract you have with us. For example, while you are using our services to meet contacts, we process your data to manage your account and profile, make it visible to other users and recommend other users to you.
Legitimate Interests: We may use your data if we can demonstrate a legitimate interest to do so. For example, we analyse the behaviour of users of our services to continuously improve our services, we suggest offers that we think may interest you, and we process data for administrative, anti-fraud and other legal purposes.
Consent: We may ask you from time to time for your consent to use your data for certain purposes. You may withdraw your consent at any time by contacting us.
When you contact us, personal information is collected. Which information is collected in the case of a contact form can be seen from the respective contact option. This information is stored and used exclusively for the purpose of responding to your request or for contacting you, and for the associated technical administration. Your information will be deleted once your request has been finally processed; this is the case if it can be inferred from the circumstances that the matter concerned has been conclusively clarified, provided that there are no statutory retention obligations to the contrary.
The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR if the user has given his or her consent. The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
The user has the option of revoking their consent to the processing of personal data at any time. If the user contacts us by e-mail, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. The following is a description of how to revoke consent and object to storage. All personal data stored in the course of contacting us will be deleted in this case.
User account / registration
It is also possible for you to create a membership account. For this purpose, you will need to provide us with the following: Full Name, Email, Telephone and Password. Providing these will enable you to log in more easily, without having to enter your data again the next time you use our services. Professional Hair Labs stores the data you enter to set up a customer account. We will hold your data for further orders as long as you maintain your registration. You have the right to access, correct or delete your registration data at any time. The legal basis for the storage is Art. 6 Para. 1 lit. a) GDPR.
When creating an account, we require certain personal or business personal data from you in order to carry out our services. As such we may ask you for your: First Name, Last Name, Telephone, Password and Business Registration Number, VAT Number and address or business address. We will hold your data for further orders as long as you maintain your registration. You have the right to access, correct or delete your registration data at any time. The legal basis for the storage is Art. 6 Para. 1 lit. a) GDPR.
You should never disclose your password for accessing our portal to any third party, and you should change it regularly. When you have finished using your account, you should log out and close your browser to prevent anyone from gaining unauthorized access to it.
Data processing in the context of our shop
The protection of your data is particularly important to us in the performance of our services and when you make a purchase in our shop. When you place an order in our online shop, we store the following information in order to fulfil the contract concluded between you and Professional Hair Labs or to carry out pre-contractual measures in accordance with Article 6 lit. b) GDPR:
When placing an order in the online shop, all data necessary for execution and processing are requested by means of mandatory fields: Your full name, your e-mail address, your address (billing address and, if applicable, different delivery address), phone number. Your data will only be used to process your order.
If you submit data to Professional Hair Labs for an order, your data will be stored for as long as necessary for the processing of the purchase and as required by the statutory retention periods. The extended storage for the fulfilment of these retention obligations is carried out according to Article 6 lit. c) GDPR.
Your personal data will only be passed on to third parties within the scope of the online shop if it is necessary for the purpose of processing the contract, for accounting purposes or for the collection of the payment or for shipping your order.
Any credit card information you provide will not be stored by Professional Hair Labs; it is encrypted and collected directly by the payment service provider via Hypertext Transfer Protocol Secure (“https”).
Commercial and business services
We process data of our contractual and business partners, e.g., customers and interested parties in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g., to answer enquiries.
We process this data to fulfil our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for business organization. We only disclose the data of the contractual partners to third parties within the scope of the applicable law to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of the contractual partners (e.g., to participating telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).
Unless otherwise specified, the purposes of processing are contractual performance and service, contact requests and communication, office and organizational procedures, administration and response to requests, evaluation of visitor actions, and interest-based and behavioural marketing. The legal bases are contractual performance and pre-contractual inquiries, legal obligation, and our legitimate interests.
Blog and comment data
Within the Blog you may be able to display certain personal information, share certain details, engage with others, exchange knowledge and insights, and post and view relevant comments. Comments and their data are publicly viewable. You have choices about the information in your comments. You don’t have to provide additional information in your comments; however, comment information helps you to get more from our Services. It’s your choice whether to include sensitive information in your comments and to make that sensitive information public. Please do not post or add personal data in your comments that you would not want to be publicly available.
When do we disclose your Personal Data?
We may share your information with organizations that help us provide the services described in this policy and who may process such data on our behalf and in accordance with this policy, to support our online offer and our services.
Typically, and unless otherwise stated in this policy, data may be shared on the basis of our contractual and pre-contractual obligations, in accordance with Art. 6 para. 1 lit. b) GDPR. Equally, data may be shared if you have consented to it, where we have a legal obligation to do so, or on the basis of our legitimate interests (e.g., when using agents, hosting providers, tax, business and legal advisors, customer care, accounting, billing and similar services that allow us to perform our contractual obligations, administrative tasks and duties efficiently and effectively).
If we commission third parties to process data on the basis of a so-called “processing agreement”, this is done on the basis of Art. 28 GDPR.
In relation to metadata obtained about you, we may share a cookie identifier and IP data with analytics service providers to assist us in the improvement and optimization of our website; this is subject to our Cookies Policy.
We may also disclose information in other circumstances, such as when you agree to it or if the law, a court order, a legal obligation or a regulatory authority requires us to. We may also do so where the purpose is the prevention of fraud or crime, or where it is necessary to protect and defend our rights or property or the personal safety of our staff, the website and its users.
If we are involved, in whole or in part, in a merger, sale, acquisition, takeover, restructuring, reorganization, dissolution, bankruptcy or other change of ownership or control, we may also disclose your information as necessary.
We may disclose your information to third parties if required to do so: (i) in the course of legal proceedings, such as pursuant to a court order, subpoena or search warrant, a regulatory/criminal investigation, or to comply with other legal process; (ii) to assist in crime prevention or investigation (in each case, as required by applicable law); or (iii) to protect the safety of another person.
We may also disclose information: (i) if disclosure would reduce our liability in any legal action actually brought or threatened; (ii) if necessary to protect our legal rights and the legal rights of our users, business partners or other interested parties; (iii) to enforce our agreements with you; and (iv) to investigate, prevent, or otherwise take action regarding illegal activities, suspected fraud, or other misconduct.
We may ask for your consent to share your information with third parties. In such a case, we will make clear why we want to share the data.
We may use and share non-personal information (i.e., information that alone is not sufficient to identify you as an individual, such as device information, general demographic information, general behavioural information, geolocation in anonymized form), as well as personal information in hashed, human-unreadable form, in the circumstances described above.
Cross-border data transfer
Sharing of data sometimes involves cross-border data transfers, for example to the U.S. and other countries. For example, where users of a service are located in the European Economic Area (“EEA”), their personal data will be transferred to countries outside the EEA. We use standard contractual clauses approved by the European Commission or other appropriate safeguards to enable the transfer of data from the EEA to other countries. Standard contractual clauses are binding commitments between companies that transfer personal data to protect the privacy and security of your data.
How we protect your data
We work hard to protect you from unauthorized access to or alteration, disclosure, or destruction of your personal information. However, as with all technology companies, although we take steps to protect your information, there can be no 100% security.
We regularly review our systems for potential vulnerabilities and attacks, and periodically revise our information collection, storage, and processing practices to update our physical, technical and organizational security measures.
We may suspend all or part of your use of the Services without notice if we suspect or discover a security breach. If you believe that your account or data is no longer secure, please notify us immediately here.
How long do we store your data
We will only store your personal data for as long as we need it for legitimate purposes and as permitted by applicable law. To ensure the security of our users inside and outside our Services, we retain your data for one year after deleting your account. During this time, the account data will remain stored, although your profile will of course no longer be visible to anyone.
In practice, this means that we will delete or anonymize all your data either one year after deleting your account or after two years have passed since the last activity on the platform, unless:
- we need to keep it to comply with legal requirements (e.g., some “traffic data” is kept to comply with legal retention requirements),
- an outstanding question, claim or dispute causes us to retain the relevant information until the issue is resolved; or
- the information must be retained for our legitimate business interests, such as combating fraud and improving user safety. For example, we need to retain data to prevent users who have been suspended for their behaviour or security incidents from opening a new account.
Please note that due to technical limitations, we cannot promise that all data will be deleted within a certain period of time, even if our systems are designed to perform data deletion procedures in accordance with the above guidelines.
All data transmitted by you personally will be transferred using the generally accepted and secure standard SSL (Secure Sockets Layer, today implemented as its successor TLS). SSL/TLS is a secure and proven standard that is also used, for example, for online banking. You can recognise a secure SSL/TLS connection, among other things, by the appended s after http (i.e., https://…) in the address bar of your browser or by the lock symbol displayed by your browser.
Economic analyses and market research
For business reasons and in order to be able to recognise market trends, wishes of contractual partners and users, we analyse the data we have on business transactions, contracts, inquiries, etc., whereby the group of persons concerned may include contractual partners, interested parties, customers, visitors, and users of our online offer.
The analyses are carried out for the purpose of business evaluations, marketing, and market research (e.g., to determine customer groups with different characteristics). In doing so, we may, if available, take into account the profiles of registered users together with their details, e.g., regarding services used. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarised, i.e., anonymised values. Furthermore, we take the privacy of users into consideration and process the data for analysis purposes as pseudonymously as possible and, if feasible, anonymously (e.g., as summarised data).
It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal data.
Data subject access request
For clarification, you have the right to request confirmation from us at any time as to what information we hold about you and to request that we amend, update, or delete that information. We may comply with your request in response. In addition, we have the following options: to ask you to confirm your identity, to ask you for more information about your request, or, where permitted by law, to refuse your request (in this case we will explain the reasons for the refusal).
We integrate Google’s reCAPTCHA function to be able to recognise whether entries (e.g., in online forms) are made by humans and not by automatically acting machines (so-called “bots”). The data processed may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keyboard strokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other websites, possibly cookies, as well as results of manual recognition processes (e.g., answering questions asked or selecting objects in images). The legal basis is Art. 6 (1) (f) GDPR.
We only use Google Analytics with IP anonymization activated. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user’s browser is not merged with other data from Google.
You can also prevent the storage of cookies by Google Analytics by selecting the appropriate settings in your browser software. You can also prevent the collection of information generated by the cookie by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout. If you are visiting our website via a mobile device, you can deactivate Google Analytics by clicking on this link.
Within our website, so-called “Facebook pixels” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are a resident of the EU, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), are used. With the help of the Facebook pixel, it is possible for Facebook to determine the visitors to our offer as a target group for the display of advertisements, so-called “Facebook ads”. Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our website. This means that with the help of the Facebook pixel we want to ensure that our Facebook ads correspond to the potential interest of the users and do not have a harassing effect. With the help of the Facebook pixel, we can also track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad.
The Facebook pixel is directly integrated by Facebook when our web sites are accessed and can save a so-called cookie, i.e. a small file, on your device. If you subsequently log in to Facebook or visit Facebook while logged in, your visit to our website will be noted in your profile. The data collected about you is anonymous for us, so it does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible. The processing of the data by Facebook takes place within the framework of Facebook’s data usage policy. Accordingly, you can find more information on how the remarketing pixel works and generally on the display of Facebook ads, in Facebook’s data usage policy: https://www.facebook.com/policy.php.
You can object to the collection of your data by the Facebook pixel and its use for the display of Facebook ads. To do so, you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads, or declare the objection via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
Affiliate registration requires some personal information; the following information is collected: First Name, Last Name, Email, Password, Phone Number. Full registration is necessary to use our Affiliate services. Your e-mail address is required in particular for the following purposes: delivery of temporary passwords (forgotten password), delivery of forgotten username, notifications, notification of changes to terms and conditions and prices, notification of important new features, newsletter distribution (if consent has been given), contact by us to resolve problems, and answering support queries.
Name, title and address(es) are required for the following purposes: Creation of invoices, partly for the execution of payments by means of payment service provider, partly for salutation in notifications from us.
The processing of the entered data is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time. To do so, simply send a message to one of the contact addresses listed in the imprint. The legality of the data processing already carried out remains unaffected by the revocation.
The data collected in this way will be deleted upon termination or revocation of consent. Data subject to statutory retention periods (e.g., invoices) remain unaffected by this.
In addition, we may retain personal data of deleted accounts to protect our legitimate interests pursuant to Art. 6(1)(f) GDPR if required by applicable law, for fraud prevention, to enforce fee claims, to support investigations, and to take other actions permitted or required by applicable national law. If it is no longer necessary for us to retain your personal data, we will destroy it, but no later than 10 years.
We do not use automated decision-making or profiling.
Our Services are restricted to users who are at least 18 years of age. We do not allow users under the age of 18 to use our Platform and we do not knowingly collect any data from minors.
Because we are always looking for new and innovative ways to help you, this policy may change over time. We will notify you in a timely manner before any material changes take effect so that you have time to review the changes.