Privacy Policy
Introduction
Last updated: 28th January 2026
This Privacy Notice is designed to give you clear and accessible information about how ELEMIS uses your personal data. You can read the short summary below for a quick overview.
1. Privacy at a glance
Who we are
ELEMIS, Limited is responsible for your personal data when you use our website and online services.
What data we collect
We collect information such as your contact details, account information, order and payment details, browsing activity on our website, and communications with our Customer Care team.
How we use your data
We use your personal data to:
• process and deliver your orders;
• manage your account and provide customer support;
• send marketing communications where you have consented;
• personalise and improve our website and services;
• keep our website secure and prevent fraud; and
• meet our legal and regulatory obligations.
Who we share data with
We share your data with trusted service providers (for example payment processors, delivery partners, IT and marketing service providers) and with other companies within the L’Occitane Group.
Your rights
You have rights under data protection law, including the right to access, correct, delete or restrict the use of your personal data, and to withdraw consent at any time.
Questions or concerns
You can contact us at [email protected]. You also have the right to complain to your local data protection authority.
2. Who We Are and How to Contact Us
Controller
ELEMIS, LIMITED, a company registered in England and Wales (company number 02279688) with a registered office at Unit D Poplar Way East, Cabot Park, Avonmouth, Bristol, BS11 0DD, is the controller responsible for your personal data and is referred to as “Elemis”, “we”, “us” or “our” in this Privacy Notice. We are registered with the Commissioner’s Office in the UK with reference number Z6739759.
Elemis EU representative (Article 27 GDPR)
As we do not have an establishment in the European Union ("EU"), we have appointed, for the purposes of Article 27 of the GDPR, a representative based in the Republic of Ireland, who may be contacted if you are in the EU to raise any issues or queries you may have in relation to our processing of your Personal Data or this privacy notice.
Our representative in the EU is Elemis IRL Limited, based at 14 Upper Liffey Street, Dublin 1, Republic of Ireland.
Contact Details
If you have any questions about this Privacy Notice or our privacy practices, please get in touch with our Data Protection team in the following way:
Full name of legal entity: ELEMIS, LIMITED
Email address: [email protected]
Post address: Unit D, Poplar Way East, Cabot Park, Avonmouth, Bristol, BS11 0DD
3. What Personal Data We Collect
Depending on how you interact with us, we may collect:
• Identity and contact data: name, email address, postal address, phone number, date of birth;
• Account data: username, password and account preferences;
• Order and payment data: products purchased, delivery details and payment information (processed securely by our payment providers);
• Customer support data: enquiries, complaints and communications;
• Marketing and preference data: your preferences, survey responses and interactions with our marketing;
• Technical and usage data: IP address, device information, browser type, and how you use our website;
• Location data: where you choose to share this (for example to find nearby stores);
• User-generated content: reviews, comments, photos or videos you choose to share;
• CCTV images: if you visit one of our physical stores.
We may also receive information from third parties, such as social media platforms or analytics providers, where permitted by law.
4. How and Why We Use Your Personal Data
We use your personal data for the following main purposes:
(a) Orders, Accounts and Services
To create and manage your account, process orders, deliver products, handle payments, and provide customer support.
This includes verifying your identity during login and checkout, including through passwordless authentication methods where offered.
Legal basis: performance of a contract; legal obligations.
(b) Marketing and Communications
To send you newsletters, offers and updates where you have consented, and to manage your communication preferences.
Legal basis: your consent; legitimate interests (for non-intrusive service-related communications).
(c) Personalisation and Improvement
To understand how our website and services are used, improve functionality, and personalise your experience.
Legal basis: legitimate interests.
(d) Security and Fraud Prevention
To protect our website, customers and business from fraud, misuse and security risks.
This includes monitoring and logging login and checkout activity (including unsuccessful attempts), detecting suspicious behaviour, preventing unauthorised access to accounts, and ensuring the security and reliability of our authentication systems, including password-based and passwordless login methods.
Legal basis: legitimate interests; legal obligations.
(e) Legal and Regulatory Compliance
To comply with applicable laws, regulations and to establish, exercise or defend legal claims.
Legal basis: legal obligations; legitimate interests.
(f) Use of Automated and AI-Assisted Technologies
We may use automated tools, including artificial intelligence (AI) and algorithm-based technologies, to help us operate, improve and personalise our website and services.
These technologies may be used, for example, to:
• personalise content and product recommendations;
• analyse website usage and performance;
• improve customer support and fraud prevention; and
• support marketing and analytics activities where permitted by law.
Any such processing is designed to support our services and improve your experience. It does not involve decisions that produce legal or similarly significant effects about you without appropriate safeguards.
Where required by law, we rely on your consent for the use of automated technologies, and you have the right to object to certain types of processing or to request human intervention.
(g) Login and Checkout Security
When you log in to your account or complete a checkout, we may process limited technical and authentication-related information, such as the email address or phone number entered, the time of the attempt, and whether it was successful.
Where a login or checkout attempt is unsuccessful, we may also record the reason (for example, an expired or incorrect authentication code). We use this information solely to protect customer accounts, prevent fraud, and maintain the security and stability of our services. It is not used for marketing or profiling purposes.
5. Cookies and Similar Technologies
We use cookies and similar technologies to make our website work, analyse performance and, where you agree, for advertising and personalisation.
You can find full details about the cookies we use and how to manage your preferences in our Cookie Policy.
6. Who We Share Your Personal Data With
We may share your personal data with:
• companies within the L’Occitane Group;
• service providers who support our business (such as payment processors, delivery partners, IT, analytics and marketing providers);
• professional advisers and authorities where required by law; and
• third parties in connection with a business sale, merger or reorganisation.
All service providers are required to protect your data and only use it in accordance with our instructions.
7. International Transfers
If your personal data is transferred outside the UK or the European Economic Area, we ensure appropriate safeguards are in place, such as standard contractual clauses or other approved mechanisms.
8. Keeping your Personal Data Secure
We have put in place security measures to protect the personal data you have trusted us with. The security measures are designed to prevent your personal data from being lost, altered or disclosed, or used or accessed without authorisation. We further secure your personal data by limiting access to it to those employees, agents, contractors and other third-party service providers who require it to fulfil their specified purpose in delivering our services. They only process your personal data in the manner prescribed by us, and they are all subject to a duty of confidentiality.
9. How Long We Keep Your Data
We keep your personal data only for as long as necessary for the purposes set out in this notice, taking into account legal, accounting and regulatory requirements.
10. Your rights under the GDPR
You have the right to:
• access your personal data;
• correct inaccurate or incomplete data;
• request deletion of your data;
• restrict or object to certain processing;
• request portability of your data; and
• withdraw consent at any time where processing is based on consent.
To exercise your rights, contact us at [email protected].
11. Changes to this Privacy Notice
We may amend this Privacy Notice from time to time. If we decide to change this Privacy Notice, we will update those changes here so you are always aware of what information we collect, how we use it, and the circumstances under which, if any, we disclose it. If we decide to collect personal data or use any collected information in a manner different from that stated when it was collected, we will notify you. We will use personal data only in accordance with the Privacy Notice under which the personal data was collected.
12. Complaints Handling
If you have any complaints concerning our processing of your personal data, please get in touch with our Data Protection Team at [email protected].
You also have the right to submit a complaint to the supervisory authority or regulatory body responsible for protecting personal data in the country where you live or work or where you think a breach of data protection laws might have occurred.
For convenience, the main supervisory authorities in our key European markets are listed below:
France
Commission Nationale de l’Informatique et des Libertés (CNIL)
Website: https://www.cnil.fr
Germany
The competent supervisory authority depends on your federal state. A list of German data protection authorities is available at: https://www.datenschutzkonferenz-online.de
Italy
Garante per la Protezione dei Dati Personali
Website: https://www.garanteprivacy.it
Spain
Agencia Española de Protección de Datos (AEPD)
Website: https://www.aepd.es
Republic of Ireland
Data Protection Commission (DPC)
Website: https://www.dataprotection.ie/
You may also find information about supervisory authorities in other EU Member States on the European Data Protection Board website: https://edpb.europa.eu