CUSTOMER DATA PROTECTION POLICY FRANCE
Last updated: March 3, 2024

Routine Paris respects your concerns about data protection and values the relationship we have with you.

Routine Paris has a diverse portfolio of prestigious brands. You can find a list of these brands on the ELCompanies.com website, each of which is referred to in this Data Protection Policy as a “Brand.”

This Data Protection Policy describes how our Brands in France collect, use, share, and protect your personal data. Unless otherwise stated, all Brands in France follow this Data Protection Policy.

In this Data Protection Policy, references to “we,” “us,” “our,” “DAB Cosmetics” are references to the entity or entities located in France responsible for determining the purposes and means of processing your personal data (as “Data Controller”). See the section entitled “Data Controller” below for more details.

THE DATA WE PROCESS
We may collect or process the following types of data about you. The specific data we collect about you will vary depending on how you interact with us.

• Contact details and personal identifiers, such as your name, first name, address, email address, phone number, and social media username or ID.

• Device identifiers, such as information about your device, such as your MAC address, IP address, or other online identifiers.

• Demographic data, such as your age, date of birth, sex, and gender.

• Physical characteristics, such as your hair type and color, skin type, eye color, and facial geometry if you use some of our virtual try-on apps.

• Commercial data, such as the products or services you have purchased, returned, or selected, and your product preferences.

• Payment data, such as your payment method and credit card information (including credit card number, shipping address, and billing address).

• Identity verification data, such as photo ID for in-store pickups, loyalty program ID, and authentication information (such as passwords).

• Online or network activity data, such as information about your interaction with our websites, mobile applications, digital content and advertisements, data about your browsing and search history on our websites or mobile applications, and data about log files such as the type of browser you use and the web pages you visit.

• Geolocation data, such as data that identifies your physical location (such as your GPS coordinates or the approximate location of your device).

• Audio and image data, such as recordings of your voice when you call our customer service and images we record through video surveillance in our stores.

• Professional or employment-related data, such as professional licenses or certifications related to our professional programs.

• Medical and health data, such as skin conditions, diagnoses, medical reports, and medical history.

• User content, such as your communications with us and any other content you provide (including photographs and images, videos, reviews, articles, survey responses, and comments).

• Inferences drawn or created from any of the above information.

HOW WE COLLECT DATA
We may collect personal data about you from various sources. For example:

• Directly from you, for example when you make a purchase on one of our websites or in one of our stores, when you contact us with a question or complaint, when you use one of our mobile applications or virtual trial experiences, when you create an account on one of our websites, when you sign up for one of our loyalty programs or marketing lists, when you respond to a survey, when you participate in a contest or promotion, when you make an appointment, or when you register for an event.

• From your friends or family members, for example when your friend or family member sends you a gift or recommends you.

• When you interact with our websites or emails. When you visit our websites, or when you open or click on promotional emails we send you, we (and third parties we work with) may automatically collect information from your browser or device, such as device identifiers and online or network activity, through the use of technologies such as cookies, pixel tags, and similar technologies. Cookies are small text files that websites place on your Internet-connected device to uniquely identify your browser or to store data or settings in your browser. Pixel tags are small images that are embedded in our websites or emails. We use pixel tags to collect information about your browser or device, how you interact with our websites, or to determine whether you open or click on emails we send to you. Pixel tags also allow us (and third parties with whom we work) to place cookies on your browser.

• Through in-store technologies and other offline technologies, such as video surveillance, traffic measurement devices, and WiFi in and around our stores, as well as call recording when you call customer service.

• From our business partners and service providers, such as demographic analysis companies, analytics providers, advertising companies and networks, third-party resellers or distributors, and other third parties with whom we choose to collaborate or work.

• From social media platforms and networks, such as Facebook, Instagram, Twitter, Pinterest, and Google. For example, we may obtain your data from a social media platform or network if you interact with us on a social media network or choose to connect to our websites using your social media credentials.

• Other ELC Brands with which you have interacted.

We may combine the data we obtain from the above sources. For example, we may combine the data we collect in our stores with the data we collect online.

HOW WE USE DATA
We may use the data we have about you:

• To provide you with products and services, such as fulfilling orders and processing payments, creating, managing, and/or maintaining your account or membership in a loyalty program, identifying your concerns and assisting you with product recommendations, and managing current or past purchases.

• To communicate with you, including to respond to your requests or complaints, and to help you place an order.

• To manage your participation in special events, contests, sweepstakes, consumer surveys, or promotions.

• For marketing and advertising, such as sending you postal mail, text messages, emails, push notifications, or other messages, displaying advertisements for products and/or services tailored to your interests or profile on social media and other websites.

• To operate and understand your use of our websites and mobile applications, for example to remember your data so that you do not have to re-enter it, to understand your preferred method of shopping with us, to determine which browser and devices you use to visit our websites or mobile applications, and to evaluate and improve our services, advertising, websites, and mobile applications. For example, we use Google Analytics on our websites. For specific information about how Google collects and uses your personal data when we use these services, please see this link: Google's use of information from sites or apps that use our services.

• To carry out and improve our business, including to perform analytics, provide quality assurance, and handle complaints related to adverse events or products, conduct research and development, and perform accounting, auditing, and other internal business functions.

For legal and security purposes, such as detecting, preventing, and prosecuting harmful, fraudulent, or illegal activities, preventing losses, identifying and fixing bugs on our websites or mobile applications, and complying with applicable legal requirements, applicable industry standards, and our internal policies.

We may also use your information in other ways, for which we will provide specific notice at the time of collection.

LEGAL BASES FOR DATA PROCESSING
Where required by law, we will use the data you provide for the purposes indicated above when:

• it is necessary to perform a contract to which you are a party (for example, to process your payment and fulfill your order);

• we have obtained your consent (for example, to send you marketing communications);

• we have a legitimate interest in doing so (including a legitimate interest in carrying out marketing, video surveillance, research, data analysis, internal administration functions, or for fraud prevention purposes and to conduct our business in accordance with relevant industry standards and our policies); or

• we must comply with a legal obligation under applicable laws.

HOW WE SHARE DATA
We may share your personal data with:

• Our Brands. When you interact with one of our Brands, we may share your data with other ELC Brands. Our other Brands may use your personal data for marketing and advertising purposes and for other purposes identified in this Data Protection Policy.

• Our Subsidiaries and Affiliated Companies. We may transfer your data to our subsidiaries and affiliated companies only when they need access to it for the purposes identified in this Data Protection Policy.

• Service Providers. We may transfer personal data to service providers who provide services on our behalf and based on our instructions. We do not authorize these service providers to use or disclose the data, except as necessary to provide services on our behalf or to comply with legal requirements. These service providers include entities that process credit card payments, fulfill orders, and provide functionality for our websites and applications, as well as hosting, analytics, advertising, and marketing services.

• Parties to a business transaction. We also reserve the right to transfer personal data we have about you in the event that we sell or transfer all or part of our business or assets (including in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution, or liquidation).

• Advertising agencies. We work with third-party advertising agencies (such as advertising networks) to serve advertisements on our behalf. For more information, see the section titled “How we use data for advertising.”

• Other third parties. In addition, we may share personal data about you (i) if required to do so by law or legal process, (ii) to law enforcement authorities or other public authorities, (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity, (iv) when disclosure of your personal data is otherwise required or permitted by law, or (v) with your consent (e.g., with salons and spas operated by third parties).

HOW YOU CONTROL YOUR DATA
You have rights and choices regarding the personal data we hold about you.

• Rights of data subjects: Under applicable laws, you have certain rights in relation to your personal data. For example, you may request access to the personal data we hold about you, the updating and correction of inaccuracies in your personal data, the deletion or portability of the data to a third party. You may also request to withdraw your previously given consent, restrict or object to the processing of your data, or provide us with general or specific instructions regarding the storage, deletion, and disclosure of your data after your death. You can exercise these requests through our PRIVACY PORTAL. We may take reasonable steps to verify your identity when you submit a request. You also have the right to file a complaint with the relevant data protection authority.

• Marketing and advertising preferences: Your online account may offer you the option to change your marketing preferences. You may also opt out of receiving marketing communications (such as emails, postal mail, or text messages) by following the unsubscribe instructions in each such communication or by submitting a request through our PRIVACY PORTAL. When you unsubscribe from our marketing communications, we will no longer use the corresponding data (such as your email address and phone number) for targeted advertising purposes.

• Mobile device and browser preferences: Depending on your mobile device or web browser, we may request your location or ask to send you push notifications. You can change your preferences using your device settings.

• Cookie preferences: You can choose how certain cookies are used on our websites. You can change your cookie preferences at any time by changing your browser settings or by clicking on the “Manage Cookies” link available at the bottom of each of our Brand websites. For more information, see the section entitled HOW WE USE COOKIES.

HOW WE USE COOKIES
Cookies are small text files that websites place on your Internet-connected device to uniquely identify your browser or to store information or settings in your browser, allowing us to remember you when you return to our websites and to provide you with personalized content and advertising. We use different types of cookies on our websites, including strictly necessary cookies, performance cookies, functional cookies, and advertising targeting cookies.

You can view the types of cookies used on our websites and change your preferences by accessing the “Manage Cookies” link at the bottom of each of our Brand websites. You can also change your cookie preferences through your browser settings. When you change your cookie preferences, please note that your settings will only apply to the web browser you are using when you submit your withdrawal of consent. Therefore, if you use multiple browsers or devices, you must withdraw your consent in each browser and on each device. Withdrawal of consent is enabled using cookies. Therefore, if you delete the cookies stored in your browser on a device, you will need to opt out of cookies again when you use that same browser on your device.

Our websites are not designed to respond to “do not track” signals from browsers.

HOW WE USE DATA FOR ADVERTISING
We may use, share, or otherwise process your personal data to promote our products and services in various ways, including through targeted advertising. We work with third-party advertising agencies (such as advertising networks) to serve ads on our behalf. These advertising agencies may use cookies, pixel tags, and similar technologies to collect device identifiers, online or network activity information, commercial information, or inferences, such as information about the websites you visit over time and the advertisements you click on, in order to deliver targeted advertisements to you or your profile. You can opt out of receiving cookie-based advertising when you visit our sites by changing your cookie preferences as described in the HOW WE USE COOKIES section. Please note that even if you withdraw your consent, you may continue to see our ads, but they will not be targeted based on the websites you visit over time and the ads you click on, and may therefore be less relevant to you and your interests.

We also work with third-party platforms, including platforms operated by social networks, to display advertisements to you or measure the effectiveness of our advertisements. We may convert your email address, phone number, or other data into a unique identifier and ask these third-party platforms to match that unique identifier with a user on their platform or with other data they may hold. This matching allows us to display advertisements to you and others on these platforms. You can also opt out of our use of your personal data in this way by contacting us through our PRIVACY PORTAL.

INTERNATIONAL TRANSFERS
In offering and providing our products and services to you, your personal data may be transferred, stored, or processed in countries other than the country in which the data was originally collected (such as the United States). These countries may not have the same data protection laws as your country of residence, and your data will be subject to applicable foreign laws. When we transfer your personal data to other countries, we protect it as described in this Data Protection Policy. We will also comply with applicable legal obligations to provide adequate protection for the transfer of personal data, including by entering into data transfer agreements, signing Standard Contractual Clauses, or any other applicable data transfer mechanism. If you have any questions about our data transfers or would like to receive a copy of any applicable data transfer agreement (where required by law), you can submit a request via our PRIVACY PORTAL.

HOW WE PROTECT DATA
We maintain administrative, technical, and physical safeguards designed to protect the personal data you provide against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use. We restrict access to personal data to authorized employees and service providers who need access to such information to fulfill their job responsibilities.

HOW LONG WE RETAIN DATA
In general, we retain personal data for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy. We use many factors to determine how long to retain personal data, such as:

• the purposes for which the personal data was collected, including to provide our products and services;

• your marketing preferences and how you interact with our Brands;

• any legal or regulatory requirements that apply to personal data; and whether the personal data may be useful to us to protect our own rights (e.g., applicable statute of limitations).

For additional information about our data retention policies, please submit a request through our PRIVACY PORTAL.

HOW WE PROCESS DATA RELATING TO MINORS
Our products and services are designed for a general audience and are not intended for minors.

UPDATES TO OUR DATA PROTECTION POLICY
This Data Protection Policy may be updated periodically and without notice to reflect changes in our data protection practices. We will post a notice on our websites to notify you of any significant changes to our data protection practices and will indicate at the top of the Data Protection Policy when it was last updated.

YOUR DATA CONTROLLERS
The data controller is the entity (or entities) that determines the purposes and means of the processing of your personal data. The data controller in France is as follows:

France
Data controller for all DAB Cosmetics brands DAB Cosmetics S.R.L.
371-383 Splaiul Unirii
030139 Bucharest – Romania

HOW TO CONTACT US
If you have any questions or comments about this Data Protection Policy or if you wish to exercise your rights, you can contact our Data Protection Officer (DPO) by submitting a request via our PRIVACY PORTAL or by sending us an email at the following address: office@routineparis.com.

If we need to, or are required to, contact you about an event involving your personal data, we may do so by post, telephone, email or via a notice on our websites.