Our Role in Data Processing

1. Information We Collect

We collect personal information that you provide directly, information generated automatically when you use our Services, and information obtained from third-party tools that support our operations. The specific personal information we collect depends on how you interact with our Services, the features you use, and the choices you make.

Personal information we receive directly from you or collect automatically includes:

Some features of our Services require specific personal information to function.

All personal information you provide must be accurate, complete, and up to date. You are responsible for notifying us if any of your information changes so we can maintain accurate records.

2. How We Collect Information

We collect personal information through a combination of information you provide directly, information gathered automatically when you use our Services, and information supplied by third-party providers that support our operations.

Information You Provide Directly

We collect personal information that you choose to provide when you interact with our Services. This includes information submitted when you:

• create an account or update profile details
• complete forms, make purchases, or engage with customer support
• respond to surveys, request information, or communicate with us

This information typically includes identifiers (such as name, email, phone number), account details, and any other information you voluntarily provide as part of your use of the Services.

Information Collected Automatically

When you visit our website or use the Services, we automatically collect certain technical and usage information. This data does not usually reveal your identity but may include:

• IP address and device identifiers
• browser type, operating system, and device characteristics
• language settings and time zone
• pages viewed, links clicked, and navigation patterns
• error logs, performance data, and diagnostic information
• cookie data, analytics events, and usage logs

This information helps us operate, secure, and optimize the Services, and supports internal analytics, reporting, and service improvement.

Information From Your Interactions With the Services

We collect information related to your actions within the Services, including:

• features you use
• content you view
• settings or preferences you configure
• interactions with user interfaces or in-app tools

This data helps us personalize the experience and understand how users engage with our platform.

3. How We Use Your Information

We only process personal information when we have a valid legal basis under applicable data protection laws. This means we process data when it is necessary to provide our Services, fulfill our contractual obligations, comply with legal requirements, protect important interests, or pursue legitimate business purposes that do not override your rights.

Legal Bases We Rely On

We may rely on the following legal bases to process personal information:

• Contract - when processing is necessary to provide the Services or take steps at your request.
• Consent - when you voluntarily provide information for a specific purpose; you may withdraw consent at any time.
• Legitimate interests - when processing is necessary for our business operations and does not override your rights.
• Legal obligation - when we must process data to comply with applicable laws.
• Vital interests - when necessary to protect the safety or vital interests of an individual.

Purposes for Which We Process Personal Information

• We use personal information to create, maintain, and manage user accounts or profiles.

  Legal basis: with your consent

• We use personal information to provide customer support, answer inquiries, and resolve issues.

  Legal basis: with your consent

• We use personal information to process transactions, manage billing, and fulfill orders or service requests.

  Legal basis: with your consent

• We may send newsletters, updates, or promotional content. Users can opt out at any time.

  Legal basis: with your consent

• We analyze usage data to understand how our Services are used and to improve functionality, performance, and user experience.

  Legal basis: with your consent

• We may process personal information to detect, prevent, or investigate fraud, abuse, or security incidents.

  Legal basis: with your consent

• We may process personal information as required by applicable laws, regulations, or legal processes.

  Legal basis: with your consent

4. How We Process Your Information

We process personal information in ways that are appropriate to the nature of the data and the purposes for which it is collected. This includes storing, organizing, using, transmitting, and deleting information when it is no longer required. We apply principles of data minimization, purpose limitation, and accuracy to ensure that personal information is processed only when necessary and for clearly defined purposes.

Access to personal information is limited to authorized personnel who require it to perform their job duties and who are bound by confidentiality obligations. We implement technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, or misuse. These measures may include access controls, authentication procedures, logging, encryption in transit and at rest (where appropriate), monitoring, and routine security assessments.

We may combine information collected from different sources when this is necessary to operate the Services or when required to meet a lawful purpose, such as preventing fraud or maintaining the security of our platform.

We retain personal information only for as long as needed for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. For more details, see the “How Long We Retain Information” section.

Where required by applicable laws, we provide users with the ability to access, update, delete, restrict, or withdraw consent to the processing of their personal information. Additional rights may apply depending on your location; see the “Your Rights” section for more information.

5. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling in a way that produces legal or similarly significant effects. If this changes in the future, we will update this Policy and provide any required notices or options.

6. Cookies & Tracking Technologies

We use cookies and similar tracking technologies (such as web beacons, tags, and pixels) to operate our website, understand how it is used, improve performance, and enhance your experience. These technologies help us maintain platform security, remember your preferences, prevent errors, and support essential site features.

We may use the following categories of cookies:

• Necessary / Essential Cookies: Required for the website to function properly and to provide services explicitly requested by the user.
• Functional / Preference Cookies: Enable a website to remember user preferences or settings.
• Analytics / Performance Cookies: Collect aggregated or behavioral data to help website owners understand usage and improve performance.

Some cookies are set directly by us (“first-party cookies”), while others may be placed by third-party providers that support our operations (“third-party cookies”), such as analytics, advertising, or customer support tools.

Where required by law, we display a cookie banner or notice to obtain consent and to give users control over cookie settings.

Necessary/Essential cookies are always active, while Analytics/Performance, Advertising/Marketing, and Functional/Preference cookies are used only with consent where required by law. You can manage your preferences at any time through the Cookie Banner or settings page.

7. How We Share Your Information

We may share personal information with trusted third-party service providers that help us operate our Services, perform functions on our behalf, or support our business operations. These third parties may access personal information only as necessary to perform their tasks, must protect it through appropriate contractual safeguards, and are not permitted to use it for their own purposes. They must also retain the data only for the period we instruct.

We may share personal information with the following categories of third parties:

• Hosting and infrastructure providers: Support the operation, storage, and hosting of our website or Services.
• Analytics providers: Help us understand how our Services are used and improve performance.
• Payment processors: Manage and process payments securely.

We may also share information in the following situations:

• Business transfers: We may disclose or transfer information in connection with (or during negotiations of) any merger, sale of assets, financing, or acquisition of all or part of our business.
• Affiliates: We may share information with our affiliates, in which case they must honor this Privacy Policy. Affiliates include subsidiaries, parent companies, or other entities under common ownership or control.
• Business partners: We may share information with partners to offer joint products, services, or promotions when applicable.

We only share personal information when necessary to provide our Services, comply with legal obligations, or protect our rights and the rights of others.

8. International Transfers

We do not share personal information with third parties, except when required by law or to protect our legal rights.

9. How Long We Retain Information

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal and regulatory requirements, resolve disputes, and enforce our agreements. We do not keep personal information longer than needed, and retention periods may vary depending on the type of data and the reason it was collected.

When we no longer have a legitimate business need to process personal information, we will delete or anonymize it. If deletion is not immediately possible (for example, due to technical constraints or backup systems), we will securely store the information and isolate it from further processing until deletion is feasible.

We retain personal information for the following periods:

• Account information: Until users delete their account.
• Profile and preferences: Until users terminate their accounts.
• Cookies and tracking data: Session only (deleted when browser closes).

With regard to cookies and tracking data, we retain personal information according to the durations listed in the Cookie Policy. If no specific retention period applies, we delete or anonymize personal information once it is no longer necessary for the purpose collected.

10. How We Keep Your Information Safe

We implement appropriate technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, or destruction. These measures are designed to provide a level of security appropriate to the risks associated with processing personal information.

Our safeguards may include:

• Encryption of data in transit and at rest
• Access controls to limit who can view or handle information
• Monitoring and logging of system activity to detect potential issues
• Regular security assessments and updates to our systems
• Secure data storage and transmission practices
• Employee training on data protection and security

While we take reasonable steps to safeguard personal information, no system or method of transmission over the internet is completely secure. Because of this, we cannot guarantee absolute security.

If we identify a data breach that affects your personal information, we will notify you and any applicable supervisory authorities when required by law.

11. Your Rights

Individuals have certain rights regarding their personal information. These rights vary depending on where they live, but we aim to provide clear and accessible options for all users.

Rights for Users in the European Union (EU/EEA)

If you are located in the EU/EEA, you have the following rights under the GDPR:

• Right of access: Request a copy of the personal information we hold about you.
• Right to correction: Request that we correct inaccurate or incomplete information.
• Right to deletion: Request deletion of your personal information in certain circumstances.
• Right to restrict processing: Request that we limit how your data is used.
• Right to object: Object to processing based on legitimate interests or direct marketing.
• Right to data portability: Request your information in a structured, commonly used format.
• Right to withdraw consent: Withdraw consent at any time when processing is based on consent.

If you believe your personal data is being processed unlawfully, you have the right to lodge a complaint with a data protection authority. You can usually contact the authority in your country of residence, place of work, or where you believe a violation has occurred.

You can submit a request to exercise your rights by contacting us using the details provided in the “How To Contact Us” section. Users in jurisdictions requiring consent for cookies and tracking (e.g., EU/EEA) may withdraw consent at any time via the cookie banner, privacy settings page, or by contacting us. Withdrawal does not affect the lawfulness of processing performed before withdrawal. We may need to verify your identity before processing your request.

12. Children's Privacy

Our Services are not intended for children under 16, and we do not knowingly collect personal information from individuals under this age. If we become aware that we have collected personal information from a child under 16, we will delete it as soon as reasonably possible.

If you believe that a child has provided personal information to us, please contact us using the details in the “How To Contact Us” section.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, operational needs, or applicable laws. When we make changes, we will update the “Last Updated” date at the top of this Policy.

We use the following method(s) to notify users of significant changes to this Privacy Policy:

• Posting a notice on our website
• Sending an email notification

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal information.

14. How to Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our handling of personal information, you may contact us using the details below:

KOST Cosmetics Italy
contact@kostcosmetics.be