LUMENE CONSUMER PRIVACY NOTICE

Last updated 21 August 2023

Lumene Oy

Business I.D. 2377940-8

PL 27

02781, Espoo

lumene.info (at) lumene.com

(“Lumene”, “we”, “us” or “our”)

This Privacy Notice describes the processing of personal data of different consumer data subject groups by Lumene. You are in the right place if you wish to understand how Lumene processes your personal data and you are our customer visiting our website, subscribing to our newsletter, placing orders in or otherwise using our online store, interacting with our consumer service or with us through other means, such as through our social media channels, or registering or having registered as our factory outlet loyalty customer, or if you are a consumer survey or consumer competition participant, or a consumer providing feedback such as making a complaint or claiming skin irritation caused by our products.

If you are a representative of our corporate customer, supplier or other business partner, please take a look at our Privacy Notice for Business Partners for information on the processing of your personal data by Lumene.

If you wish to pursue a career at Lumene and wish to submit an application, kindly take a look at our Privacy Notice for Recruitment.

Lumene acts as a controller for the personal data that our consumer customers, including website visitors, newsletter subscribers, online store users or factory outlet loyalty customers, as well as consumer survey or consumer competition participants, or consumers making a complaint or giving other feedback, share with us or which we collect automatically when using our website or online store, or which is provided to us through other channels, such as through our social media sites, our consumer service or our partners providing services to us.

As a controller, we carry the ultimate responsibility for the processing of personal data we hold of you. Privacy is about trust and protecting your privacy and your personal data is of utmost importance to us. Therefore, we collect your personal data only to the extent we need them to offer you a first-class customer experience throughout our activities.

Please note that our website, including our online store, may include links to contents of third-party service providers, and some of the media through which you can interact with us, such as social media channels, are in fact services provided by third parties, not by us. Any such links to contents of third parties as well as our presence in services of third-party service providers do not constitute our affiliation with or control over such third parties and thus, to the extent permitted by applicable legislation, we are not responsible for such contents or services, their level of data protection nor the actions of such third parties.

WHY WE PROCESS YOUR PERSONAL DATA

We process your personal data only for the purposes described in this Privacy Notice or as otherwise communicated to you when collecting your personal data, and only to the extent it is necessary for each purpose of processing further described herein.

We process your personal data primarily to offer you the opportunity to use our website and its functionalities, including the online store, to process and deliver the order you have placed with us, including the processing of your payments, any returns or complaints, and to fulfil any possible subsequent warranty measures, or to interact with you in relation to your product orders or customer relationship or as requested by you.

Depending on the context in which you interact with us, we also process your personal data for multiple different purposes, as further described below.

By clicking the section headings below, you will find detailed information on the processing of personal data for each different purpose.

The provision of your personal data as described in this Privacy Notice is partially a contractual requirement. For example, when you place an order in our online store, you are required to provide us with certain personal data for purposes of processing and delivering your order, as specified below in this Privacy Notice. Similarly, the creation of a user account in our online store, for example, is not possible without certain personal data we request from you in the context of user account creation. Failure to provide us with the personal data requested in the context of these activities may prevent us from performing our contractual obligations, which may lead to you being unable to place an order through our online store or to create a user account in it.

WEBSITE AND ONLINE STORE VISITORS

When you visit our website, including our online store on the website, we process your personal data to offer you the opportunity to use our website and its functionalities, including the online store. We may also personalise the content of our website and process your personal data for showing you such content on our sites that is most relevant to you, in addition to which we process the personal data for developing our services and products offering, as well as for ensuring the overall security, functionality and stability of the website, including preventing and detecting possible misconduct and attacks towards the security of the website.

The legal basis for the processing described above is Article 6(1)(a) of the GDPR, i.e., your consent, or Article 6(1)(f) of the GDPR, i.e., our legitimate interest, in which case our legitimate interests are the purposes mentioned above.

The collecting and further processing of your personal data on our website is mostly done by using automated technical means, such as cookies and other similar technologies. For more information on the use of cookies on our website, please look at our Cookie Declaration.

REGISTERING TO AND PLACING ORDERS IN OUR ONLINE STORE

Please note that our online store is on our website and therefore, what is stated above on the processing of personal data of our website and online store visitors applies to you too. When you decide to register as our online store customer or place an order with us through our online store, we process your personal data primarily to enable your user account registration or to process and deliver the order you have placed with us, including the processing of your payments, any returns or complaints, and to fulfil any possible subsequent warranty measures. We also process your personal data to send you updates about your order and its delivery.

In addition to the foregoing, we process your personal data for the purposes of management, analysis and development of the customer relationship between you and us, for example, to provide you customer service, to carry out customer communications and to send you questionnaires to measure your satisfaction for example with our website and online store, products and delivery process. We may also process your personal data to alert you on new and interesting products, special offers, and updates on our website or online store within the limits of applicable legislation and to the extent you have not opted-out from receiving such communications.

In this context, the legal basis for processing your personal data is either compliance with the agreement entered into between you and us, compliance with legal obligations to which we are subject, or our legitimate interest.

Contractual and statutory obligations: Processing of your personal data to certain extent is necessary to enable us to fulfil the agreement we have concluded with you, and so the legal basis of processing is Article 6(1)(b) of the GDPR. For example, when you register as a customer or place an order in our online store, it is necessary for us to process your personal data so that we can carry out our contractual obligations and register your user profile or deliver your order in accordance with your request and the agreement between you and us. Your placing of order also creates certain statutory obligations to us related to for example product safety, quality of our products and product returns, in which case the legal basis of processing is Article 6(1)(c) of the GDPR.

Our legitimate interest: We process your personal data based on our legitimate interest (Article 6(1)(f) of the GDPR) to offer you a first-class customer experience in our online store and other media and to provide you with the most relevant online and newsletter content, as well as for administrative purposes including the management, analysis and development of the customer relationship between you and us.

ONLINE STORE PRODUCT REVIEWS OR QUESTIONS

Everyone can publish reviews on our products or ask questions on them in our online store. After making a purchase through our online store you may be sent an invitation through email to review the purchased product, but no online store purchase is required for reviewing our products or asking questions on them on our online store. In the context of publishing product reviews or questions, you are requested to provide certain data which may, either alone or in combination with other data, be personal data.

The legal basis for this processing is our legitimate interest (Article 6(1)(f) of the GDPR), and the legitimate interests include the promotion of our products through reviews, and the improvement and further development of our products through the feedback received. The legal basis for processing of sensitive data you may provide to us in this context (e.g., information on your skin concern) is either your explicit consent (Article 9(2)(a) of the GDPR) or Article 9(2)(e) of the GDPR (processing relates to personal data which you have made public).

CONSUMER SURVEYS

We utilise consumer surveys for purposes such as adjusting the development of new products and the deliverables of our marketing to better fit the perceived needs of our customers. In the conduct of consumer surveys, we normally use third-party service providers to recruit the respondents based on the attributes we have defined for a specific survey, as well as to collect the responses from the respondents. After having collected the data, our service providers compile the results of the survey and deliver them to us in non-identified form. Although we normally do not process the data in identified form, we nevertheless act as a controller for the personal data of the respondents collected by our service providers.

Sometimes, however, we perform the survey and analyse the results ourselves.

The legal basis for this processing is your consent (Article 6(1)(a) of the GDPR) or our legitimate interest (Article 6(1)(f) of the GDPR), namely the improvement and development of our products and services as well as the promotion of our business. The legal basis for processing of sensitive data you may provide to us in this context is your explicit consent (Article 9(2)(a) of the GDPR).  

COMPLAINTS AND OTHER FEEDBACK

When you make a complaint or provide us with other feedback on our products, we will generally also receive personal data regarding you. As a manufacturer of cosmetic products, we are obliged to collect data on skin irritation caused by our products, and in case the undesirable effect caused by the product is serious, to report the effect to the competent authorities. After we have responded to the consumer and otherwise handled the matter so that we have been able to make sure that the consumer is satisfied with the result, we will close the case and anonymise the data. Any reporting of serious undesirable effects to the competent authorities will not identify the data subject. In addition to addressing the consumer’s claim and to reporting the serious undesirable effect to the competent authorities, we may further process the data reported by the consumer for R&D purposes, but only in non-identified form.

To the extent you provide us sensitive data, such as information on allergic reactions you have suffered, or other health-related data, the legal basis of processing is your explicit consent (Article 9(2)(a) of the GDPR). Otherwise, the legal basis for this processing is either a legal obligation to which we are subject (Article 6(1)(c) of the GDPR), or our legitimate interest (Article 6(1)(f) of the GDPR), namely the improvement and development of our products.

OTHER PROCESSING OF CONSUMER’S PERSONAL DATA

Processing context or purpose: Newsletter subscriptions

Description: You can sign up to our newsletter and get updates about the latest products and offers from us.

Legal basis: Your consent (Article 6(1)(a) of the GDPR) or our legitimate interest (Article 6(1)(f) of the GDPR).

Processing context or purpose: SMS marketing subscriptions

Description: You can subscribe to receive updates about the latest products and offers from us by SMS.

Legal basis: Your consent (Article 6(1)(a) of the GDPR).

Processing context or purpose: Factory Outlet Loyalty Customer Program

Description: You can register as our factory outlet loyalty customer and thereby receive updates from our factory outlet as well as campaigns and offers we provide to our loyalty customers.

Legal basis: Your consent (Article 6(1)(a) of the GDPR).

Processing context or purpose: Consumer service

Description: You can contact our consumer service through multiple channels, such as the online form available on our website. We will process your personal data to respond to you. Unless necessary for us to be able to do so, we will not process your personal data when we take steps to address the content of your communications internally.

Legal basis: Our legitimate interest (Article 6(1)(f) of the GDPR), namely carrying out activities in the ordinary course of our business to respond to requests or enquiries from potential or existing customers and to further address the issue internally.

Processing context or purpose: Consumer competitions

Description: You can participate in a consumer competition organised by us through different channels to win e.g., our products. We process your personal data to organise the competition, contact the winners and reward the people who participated in the competition.

Legal basis: Your consent (Article 6(1)(a) of the GDPR).

Processing context or purpose: Social media channels

Description: We are present in social media platforms such as Facebook and Instagram, through which you can interact with us. We consider these platforms as extended customer service.

Please note that also the relevant social media platform provider processes your personal data when you use those platforms, and Lumene cannot control the way these service providers process your personal data. You should therefore familiarise yourself with the privacy and data protection related notices of these parties.

To learn more about our usage of social media channels and your personal data processing in context of these channels, please visit our separate Guidance on social media platforms and advertising.

Legal basis: Our legitimate interest (Article 6(1)(f) of the GDPR), namely carrying out activities in the ordinary course of our business to respond to requests or enquiries from potential or existing customers and to further address the issue internally. The legal basis for processing of sensitive data you may provide to us in this context is your explicit consent (Article 9(2)(a) of the GDPR).

For forwarding the data to our social media partners for advertising purposes, our legal basis for processing is consent according to Article 6(1)(a) of the GDPR. If you do not want us to use your data to present you with personalised advertising on social networks, you can refuse to consent to the forwarding of your data. You are also free to withdraw your consent anytime.

ALL PROCESSING CONTEXTS: LIMITED PROCESSING FOR OTHER LEGITIMATE INTERESTS

In addition to the primary purposes of processing elaborated above, we may process the personal data collected in each identified processing context for a limited number of other legitimate interests, such as protecting our property; preventing and investigating suspected malpractices; defending against or prosecuting a legal claim; analysing and compiling statistics for business purposes, developing our products and business, reorganisation of our business and for scientific research purposes, but only to the extent the processing is proportionate to the interests of the data subjects and the processing can be considered to be in line with the reasonable expectations of them. To the extent identification of a data subject for these processing purposes is not necessary, we will use the data for these purposes in non-identified form.

THE CATEGORIES OF DATA WE PROCESS

When you provide us with product feedback or return a product to us, or in other similar contexts, you may voluntarily share with us sensitive personal data, such as information on allergic reactions you have suffered after using our products, or other health-related data.

You may also provide your personal data to us in other contexts, such as when you communicate with us through our consumer service channels or through social media, which leads us to process the contents of the communications between you and us, as well as other personal data you provide to us in these contexts.

By clicking the section headings below, you will find detailed information on the personal data we process in each different context.

WEBSITE AND ONLINE STORE VISITORS

When you visit our website or the online store on the website, we automatically collect certain data on your terminal device as well as details on your visit, such as your IP address, information on your operating system and interface, your web browser type, version and language, the time of your visit, referral page and the amount of data transferred. The collecting and further processing of your personal data on our website is mostly done by using automated technical means, such as cookies and other similar technologies. For more information on the use of cookies on our website, please take a look at our Cookie Declaration.

REGISTERING TO AND PLACING ORDERS IN OUR ONLINE STORE

When you create a user account in our online store, you will be asked to provide certain personal data, including the following: name, contact information, date of birth, phone number, password, as well as billing and delivery details, such as billing and delivery address. You can also voluntarily provide us with information about your interests, as well as your consent to receive direct marketing. Your user account information is constantly updated (for example by your purchase history).

When you place orders in our online store, we process certain personal data and information relating to you and the order you have placed, such as: user account details (or your name, delivery and billing address(es) and phone number), type and amount of products you ordered, purchase price, date of placing the order, status of your order, method of payment and specifics related to your payment, product returns and related customer service requests.

ONLINE STORE PRODUCT REVIEWS OR QUESTIONS

In the context of product reviews or questions you may publish on our online store, you are requested to provide certain data, including your name or a pseudonym and email address which may, either alone or in combination with other data, be personal data. In addition, your review or question itself may be or contain personal data, also sensitive data, such as information on your skin concern you decide to share in your review or question.

CONSUMER SURVEYS

The data collected varies by survey, but generally contains at least personal data for filtering those respondents that meet the attributes we have defined for the survey in question (for example, for testing an anti-ageing concept, we will seek respondents from a specific age group). This filtering data may include for example information on gender, age group, skin type or skin concern. Other personal data may also be collected depending on the survey.

COMPLAINTS AND OTHER FEEDBACK

Consumers who make complaints or give us other feedback, for example due to having suffered skin irritation, can report various information to us. We normally receive the consumer’s complaint, feedback, or report on skin irritation through email sent by the consumer and accordingly cannot control the contents of the email. The data received generally contains identifying information, such as name, contact information, and the actual feedback, which may also contain personal data, such as symptoms caused, and information on possible treatment required, such as a visit to a dermatologist. Sometimes in cases of skin irritation claims, we will have to request more information to be able to assess whether the skin irritation was caused by our product or its ingredients, or whether the cause of the irritation was something else.

OTHER PROCESSING OF CONSUMER’S PERSONAL DATA

Processing context or purpose: Newsletter subscriptions

Personal data: Email address and, in case you wish us to personalise the contents of the newsletters, other data such as your date of birth/age and preferences.

Sensitive data: N/A

Processing context or purpose: SMS marketing subscriptions

Personal data: Phone number and, in case you wish us to personalise the contents of the communications, other data such as your date of birth/age and preferences.

Sensitive data: N/A

Processing context or purpose: Factory Outlet Loyalty Customer Program

Personal data: Email address and in some cases name of the loyalty customer.

Sensitive data: N/A

Processing context or purpose: Consumer service

Personal data: Personal data that you choose to provide, generally containing at least identifying information such as name; and contact details, such as email address, street address and phone number, as well as the contents of communication between you and us.

Sensitive data: N/A

Processing context or purpose: Consumer competitions

Personal data: Identifying information, such as name; contact details, such as email address, street address and phone number. On a case-by-case basis, to the extent necessary for arranging of the competition in question, also other personal data may be collected.

Sensitive data: N/A

Processing context or purpose: Social media channels

Personal data: Personal data you choose to provide, generally containing at least identifying information such as name; and contents of the communications between you and us.

Sensitive data: Data subjects choosing to interact with us through social media may voluntarily provide to us sensitive data of their own choosing, e.g., information on a skin concern.

TRANSFERS AND DISCLOSURES OF YOUR PERSONAL DATA

Why we transfer or disclose your personal data

We may transfer or disclose your personal data to other companies within the worldwide Lumene group or to external service providers as follows.

We use external service providers to provide us services, for example, services related to the technical maintenance or hosting of our online store, in the context of which these service providers process personal data as processors on our behalf, and we require that these parties agree to process personal data based on our instructions and in compliance with this Privacy Notice. We may also disclose personal data to our partners within the limits permitted by law, e.g. for purposes of carrying out deliveries, billing or marketing. For example, to execute your orders, we use services of our partners (such as payment services offered by banks or credit card companies or shipping and delivery services offered by dispatching companies). We will only provide these partners the information they need to deliver the services agreed, such as, to process your payment and to deliver your order. If we advertise through social networks (e.g., Facebook, Instagram), we may provide information about the data subjects (e.g., device and usage information, ad and cookie IDs, email addresses) in encrypted form to the respective social network service provider.

In addition, we may disclose your personal information if we are required to do so by law (e.g., serious undesirable effects or skin irritation reports to the competent authorities) or if we in good faith believe that such action is necessary to conform to the provisions of the law or comply with legal process served on Lumene or to protect and defend the rights or property of Lumene.

We may share limited amounts of personal data within Lumene group of companies for legitimate business purposes, such as to develop and improve our business or products and analyse and enhance customer experience. In case we sell our business or part of it or otherwise reorganize our business we may disclose and transfer personal data to buyers and their advisors in accordance with the limits of applicable legislation.

International transfers of personal data

We use partners in business activities requiring the processing of personal data, and in this context, we or our partners may, in accordance with applicable legislation, process personal data anywhere in the world and thus transfer the personal data also outside the EU or EEA. Regarding transfers of personal data to countries where the local data protection legislation does not provide an adequate level of data protection, the transfers are based on appropriate safeguards, such as standard contractual clauses approved by the European Commission or a competent supervisory authority.

To learn more about the appropriate safeguards we use, please send us an email at lumene.info (at) lumene.com.

HOW DO WE SECURE YOUR PERSONAL DATA?

We have taken appropriate technical and organizational measures to protect the security of your personal data and to ensure that your choices for its intended use are honoured. We protect your data from loss, misuse, unauthorized access or disclosure, alteration, or destruction by appropriate technical measures such as firewalls.

We do not share your personal data outside Lumene, its subsidiaries, affiliates or other partners, except under conditions and for purposes explained in this Privacy Notice, or unless otherwise required under mandatory applicable law. Within Lumene, its subsidiaries, affiliates and other partners, personal data is stored in password-controlled environments with limited access granted only to such persons whose work requires the processing of personal data.

HOW LONG WILL WE KEEP YOUR PERSONAL DATA?

The retention time of the collected personal data is subject to the legal basis and processing purpose for which the data were collected. We will retain your personal data for as long as they are necessary for carrying out the processing purposes for which it was collected, as specified in this Privacy Notice, in particular for the fulfilment of our contractual and statutory obligations (e.g., return and limited warranty periods). Where the processing is based on our legitimate interest, we will retain your personal data for as long as our legitimate interest can be deemed valid, or until you request the deletion of your personal data.

For more information on the retention periods, please click the section heading below.

RETENTION PERIODS

Your personal data is not necessarily stored for the same length of time for all processing purposes. The maximum storage periods are set out below.

Data subject group: Website and online store visitors

Retention period: According to our Cookie Declaration.

Data subject group: Registered online store users

Retention period: If you decide to delete your user account, we will delete all related personal data, unless the data falls also to another category which is subject to longer statutory or other compelling retention periods (such as information on your purchase orders).

We reserve the right to delete your user account and most of the personal data connected with it after two years of inactivity by you.

Data subject group: Consumers placing orders in our online store

Retention period: We will retain the information on product orders and the related payment details as per the requirements of the Finnish accounting legislation, i.e., current year and six years.

Data subject group: Consumers publishing product reviews or related questions in our online store

Retention period: Until the product delisting or until deletion request or withdrawal of consent by the data subject.

Data subject group: Consumer survey respondents

Retention period: We will retain the collected data as long as necessary for the purposes of the particular survey, however, in general, the data is retained without personal identifiers.

Data subject group: Consumers making complaints, giving other feedback or claiming skin irritation

Retention period: We will retain the collected data in identified form only as long as we have responded to the consumer and otherwise handled the matter so that we have been able to make sure that the consumer is satisfied with the result, after which we will close the case.

After the case has been closed, we will remove direct identifiers from the data. The non-identified feedback data will be retained for a minimum of 10 years.

Data subject group: Newsletter subscribers

Retention period: Until the recipient unsubscribes.

Data subject group: SMS marketing subscribers

Retention period: Until the recipient unsubscribes.

Data subject group: Factory Outlet Loyalty Customers

Retention period: Until the recipient unsubscribes.

Data subject group: Data subjects contacting our consumer service

Retention period: We will retain the collected data in identified form only as long as we have responded to the consumer and otherwise handled the matter so that we have been able to make sure that the consumer is satisfied with the result, after which we will close the case. After the case has been closed, we will either delete direct identifiers from the data or delete the communications in their entirety, depending on whether we need to address the matter further internally.

Unless necessary for us to be able to do so, we will not process your personal data when we take steps to address the content of your communications internally.

Data subject group: Consumer competition participants

Retention period: We will retain the collected data as long as necessary for the purposes of the particular competition, however, in general, maximum of three months.

Data subject group: Customers contacting us through social media platforms

Retention period: In accordance with the terms of use of the social media platform in question.

When we no longer need the collected personal data, the data will be safely destroyed or irrevocably anonymized. If you delete your user account, we will delete all data stored about you, unless contractual or statutory retention periods apply. If the complete deletion of your data immediately after you have deleted your user account is not possible or necessary for legal reasons, access to your data for further processing will be prevented.

We may also retain certain personal data after the termination of the initial processing purpose, should such retention of personal data be necessary to comply with other applicable laws or should we need the personal data to establish, exercise or defend a legal claim, on a need-to-know basis only.

WHAT RIGHTS DO YOU HAVE?

Below we have summarized the rights that you as a data subject have under the European data protection legislation. The “data subject” refers to natural persons whose personal data is processed by us, i.e., our customers and other groups of consumers the personal data of whom we process as specified in this Privacy Notice. Some of the rights are complex and are subject to certain exceptions, and to keep this Privacy Notice concise, not all of the details have been included in the below summaries. If you want to know about your rights in different situations in detail, please consult the page of the Finnish Data Protection Ombudsman here: https://tietosuoja.fi/en/what-rights-do-data-subjects-have-in-different-situations.

The data subjects have the right to access the data processed by us as a controller and to get incorrect personal data related to them rectified. If you wish to use your right of access or rectification, please proceed as follows.

Your request on the right of access or rectification must be in writing or in electronic form and be signed and sent using the contact details mentioned in this Privacy Notice. The request shall contain the basic information needed for finding the requested data. After receiving and processing the request, we will send you a copy of the personal data by mail or electronically. We reserve the right not to complete your request if the request is manifestly unfounded. Should you request multiple copies, or should you wish to submit more than one request per year, we may charge you a reasonable fee based on administrative costs for the execution of your request.

You also have the right at any time to request us to erase the personal data concerning you and processed by us and we are obliged to erase the data if there is no longer a legal ground for processing the data. Please note that certain data processed by us are subject to statutory retention requirements, and regardless of a request of erasure, we cannot erase such data until the end of the statutory retention period. You also have the right to object to the processing of your personal data if the data has been processed on the basis of our legitimate interest, and we are obliged to stop processing such personal data unless we can demonstrate compelling legitimate grounds for further processing of such personal data. You also may have the right to obtain from us restriction of our processing of your personal data.

If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.

To exercise the above rights, reach out to us using the contact details mentioned in the beginning of this Privacy Notice.

If you consider that our processing of your personal data infringes the data protection laws, you have the right to lodge a complaint with a data protection supervisory authority. You may do this in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

IN CONCLUSION

We reserve the right to update and modify this Privacy Notice. Unless otherwise provided by mandatory applicable legislation, we may not post changes to this Privacy Notice to the data subjects in person, and therefore we prompt you to check this Privacy Notice from time to time for possible changes.

If for some reason you believe that we have not adhered to the foregoing, please notify us by email at lumene.info (at) lumene.com, and we will do our best to determine and correct the problem promptly.