Privacy Policy
Privacy Policy
​
1. Introduction
1.1. Important information
We ask that you read this website privacy policy carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
​
These terms and conditions of use (Terms) explain how you may use this website (www.curlid.com) and any of its content. These Terms apply between CURL ID Ltd (we, us or our) and you, the person accessing or using the Site (you or your). You should read these Terms carefully before using the Site. By using the Site or otherwise indicating your consent, you agree to be bound by these Terms. If you do not agree with any of these Terms, you should stop using the Site immediately.
​
1.2. About Us
We are Curl ID Limited, a company registered in England and Wales under company number 14206912. Our registered office is at 11a Bank Mill, Berkhamsted, HP4 2ER, United Kingdom.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to goods and services we offer to individuals and our wider operations in the European Economic Area (EEA).
1.3. Our Website
This privacy policy relates to your use of our website.
Our Site may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Site, we encourage you to read the privacy notice of every website you visit.
​
2. Our Collection and Use of your Personal Information
We collect personal information about you when you access our Site, contact us, and send us feedback. “Personal Information” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous
data).
​
We collect this personal information from you either directly, such as when you contact us or indirectly, such as your browsing activity while on our Site (see ‘Cookies’ below).
The personal information we collect about you depends on the particular activities carried out through our Site. This information includes:
-
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, and photographs and videos that may identify you.
-
Contact Data includes billing address, delivery address, email address and telephone numbers.
-
Financial Data includes bank account and payment card details or other types of electronic payment, details of your membership package and fees and others linked to your membership and the payments you make to us.
-
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
-
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, traffic data, location data operating system and platform and other technology on the devices you use to access our Site.
-
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses and personal or professional interests.
-
Usage Data includes information about how you use our Site, application, products and services.
-
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
​
We may also collect, use and share Aggregated Data such as statistical or demographic data, hair condition, ethnicity, parents ethnicity, gender, how often customers follow their haircare regime for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We may also use, store and transfer Special Category Data about you (this includes details about your race or ethnicity, information about your health and biometric data) in order to deliver our services to you with care to comply with our obligations under health and safety law. Although this aggregated data may be based in part on Personal Data, it does not identify you personally. We may share this type of anonymous data with others, including service providers, our affiliates, agents and current and prospective business partners. We do not collect any information about criminal convictions and offences. Special Category Data includes, but is not limited to:
-
Age
-
Political Data: Information about race, or ethnicity, religious beliefs, sexual orientation and political opinions
We do not generally collect Special Category Data unless it is volunteered by you. By providing the Special Category Data to us, you are consenting to our using it in the manner set out in this Policy.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
In order to collect this special kind of data we need enhanced legal justifications beyond the ordinary legal justifications under the GDPR. We explain which justifications we rely on in paragraph 2.1 below.
​
2.1 The Legal Basis for Collecting That Data
​There are a number of justifiable reasons under the GDPR that allow collection and
processing of Personal Data. The main avenues we rely on are:
​
“Consent”: Certain situations allow us to collect your Personal Data, such as when
you tick a box that confirms you are happy to receive email newsletters from us, or
‘opt in’ to a service.
​
“Contractual Obligations”: We may require certain information from you in order
to fulfil our contractual obligations and provide you with the promised service.
“Legal Compliance”: We’re required by law to collect and process certain types of
data, such as fraudulent activity or other illegal actions.
​
“Legitimate Interest”: We might need to collect certain information from you to be
able to meet our legitimate interests - this covers aspects that can be reasonably
expected as part of running our business, that will not have a material impact on
your rights, freedom or interests. Examples could be your address, so that we know
where to deliver something to, or your name, so that we have a record of who to
contact moving forwards.
​
For the special categories of data that we collect, the enhanced legal justification we rely on is:
​
(a) processing is necessary for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with Article 89(1)
based on Union or Member State law which will be proportionate to the aim
pursued, respect the essence of the right to data protection and provide for suitable
and specific measures to safeguard the fundamental rights and the interests of the
data subject (“Research”)
​
2.2. We use this personal information to:
-
Verify your identity
-
Create and manage your account with us
-
Process and deliver your order(s) including the management of payment(s)
-
Keep you updated with news and information we consider relevant to you
-
Customise our Site and its content to your particular preferences
-
Notify you of any changes to our Site or to our services that may affect you
-
Improve our services
​
This Site is not intended for use by children, and we do not knowingly collect or use personal information relating to children.
​
2.3. Our Legal Basis for Processing your Personal Information
When we use your personal information, we are required to have a legal basis for doing so. There are various different legal bases on which we may rely, depending on what personal information we process and why. The legal bases we may rely on include:
-
Consent: where you have given us clear consent for us to process your personal information for a specific purpose
-
Contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
-
Legal obligation: where our use of your personal information is necessary for us to comply with the law (not including contractual obligations)
-
Legitimate interests: A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.
​
2.4. Use of Information
The table below explains what we use (process) your personal information for and our reasons for doing so:
​
What we use your personal information for:
To provide services to you and fulfil your order such as using payment card details to collect payment for goods and services, carry out contractual obligations, facilitate bookings of consultations and appointments
Our reason: For the performance of our contract with you or to take steps at your request before entering into a contract. To address queries and to contact you with marketing and/or promotional materials and any information that may be relevant to you.
​
What we use your personal information for: To prevent and detect fraud against you
Our reason: For our legitimate interests or those of a third party, i.e., to minimise fraud that could be damaging for us and for you
​
What we use your personal information for: Ensuring business policies are adhered to, e.g., policies covering security and internet use
Our reason: For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you
​
What we use your personal information for: Operational reasons, such as improving efficiency, training, troubleshooting, data analysis, testing and quality control
Our reason: For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
What we use your personal information for: Ensuring the confidentiality of commercially sensitive information
Our reason: For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information. To comply with our legal and regulatory obligations
​
What we use your personal information for: Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, service range or other efficiency measures
Our reason: For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
​
What we use your personal information for: Updating and enhancing customer records, and responding to enquiries
Our reason: For the performance of our contract with you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations. For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our customers about existing orders and new products
​
What we use your personal information for: Statutory returns
Our reason: To comply with our legal and regulatory obligations
​
What we use your personal information for: Ensuring safe working practices, staff administration and assessments
Our reason: To comply with our legal and regulatory obligations. For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you
​
What we use your personal information for: When conducting our marketing campaigns:
-
to deliver relevant advertisements, newsletters and promotions
-
to you to recommend services and offers that may be of interest to you
-
to measure the effectiveness of the advertising provided
-
to improve our Site, services, marketing, customer experiences
-
for market research and survey purposes
Our reason: We rely on your consent to use your personal data when conducting our marketing campaigns. For our legitimate interests or those of a third party, i.e., to promote our business to existing and former customers
​
What we use your personal information for: Credit reference checks via external credit reference agencies
Our reason: For our legitimate interests or those of a third party, i.e., to ensure our customers are likely to be able to satisfy invoices for our services.
​
What we use your personal information for: External audits and quality checks, e.g., for ISO or Investors in People accreditation and the audit of our accounts
Our reason: For our legitimate interests or a those of a third party, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards. To comply with our legal and regulatory obligations
​
What we use your personal information for: Managing your account with us: To create and manage your account with us and to communicate with you about your account, fees, and membership terms, inform you of products and services that may be of interest to you and to allow you to participate in interactive features of our services.
Our reason: For the performance of our contract with you or to take steps at your request before entering into a contract. For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our customers about existing orders and new products
​
Marketing
We may use your personal data to send you updates (by email, text message, telephone, or post) about our services, including exclusive offers, promotions, or new services.
We have a legitimate interest in using your personal data for marketing purposes (see above ‘Use of Information’). This means we do not usually need your consent to send you marketing information. However, where consent is needed, we will ask for this separately and clearly.
You have the right to opt out of receiving marketing communications at any time by contacting us at jasmine@curlid.com
We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
We will always treat your personal data with the utmost respect and never sell it with other organisations for marketing purposes.
​
2.5. Who we Share your Personal Information with
We routinely share personal information with:
-
Third parties we use to help deliver our products and services to you, e.g., payment service providers, suppliers, and business partners
-
Other third parties we use to help us run our business, e.g., marketing agencies, mailing houses, systems providers, accounts payable, website hosts, our banks and couriers
-
Third parties approved by you, e.g., social media sites you choose to link your account to or third party payment providers; and
-
Credit reference agencies, HM Revenue & Customs, regulators and other authorities who may act as processors who require reporting of processing activities in certain circumstances
​
We will share personal information with law enforcement or other authorities if required by applicable law. We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information.
We also impose contractual obligations on service providers ensuring they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a restructuring. Usually, information will be anonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
​
2.6. Where your Personal Information is Held
Information may be held at our offices and those of our third party agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal information with’).
​
2.7. How Long your Personal Information will be Kept
We will keep your personal information while you have an account with us, or we are providing products and services to you. Thereafter, we will keep your personal information for as long as is necessary:
-
to respond to any questions, complaints or claims made by you or on your behalf;
-
to show that we treated you fairly;
-
to keep records required by law.
​
2.8. Transferring your Personal Data out of the UK
To deliver services to you, it is sometimes necessary for us to share your personal data outside the UK, e.g.:
​
If you are based outside the UK:
Under data protection law, we can only transfer your personal data to a country or international organisation outside the UK where:
-
the UK government or, where the EU GDPR applies, the European Commission has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
-
there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
-
a specific exception applies under data protection law
These are explained below.
​
Adequacy Decision
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:
-
all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);
-
Gibraltar; and
-
Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
​
The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.
Other countries we are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.
​
Transfers with Appropriate Safeguards
Where there is no adequacy decision, we may transfer your personal data to another country if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.
The safeguards will usually include using legally-approved standard data protection contract clauses.
To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards, please contact us (see ‘How to contact us’ below).
​
Transfers Under and Exception
In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g.:
-
you have explicitly consented to the proposed transfer after having been informed of the possible risks;
-
the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;
-
the transfer is necessary for a contract in your interests, between us and another person; or
-
the transfer is necessary to establish, exercise or defend legal claims
​
We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights, and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.
​
European Commission Adequacy Decision
The European Commission has the power to determine whether a country or international organisation provides an adequate level of protection for personal information and, if it does, to issue an ‘adequacy decision’. The effect of such a decision is that personal information can flow from the UK to that country without any further safeguards being necessary.
It can take several years for the European Commission to issue an adequacy decision and only a small number of countries currently benefit from one.
​
2.9. Further Information
If you would like further information about data transferred outside the UK, please contact us (see ‘How to contact us’ below).
​
3. Your Rights
You have the following rights, which you can exercise free of charge:
​
Access: Rectification
The right to be provided with a copy of your personal information (the right of access): The right to require us to correct any mistakes in your personal information
​
Access: To be forgotten
The right to be provided with a copy of your personal information (the right of access): The right to require us to delete your personal information—in certain situations
Access: Restriction of processing
The right to be provided with a copy of your personal information (the right of access): The right to require us to restrict processing of your personal information—in certain circumstances, e.g., if you contest the accuracy of the data
​
Access: Data portability
The right to be provided with a copy of your personal information (the right of access): The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
​
Access: To object
The right to be provided with a copy of your personal information (the right of access): The right to object:
-
at any time to your personal information being processed for direct marketing (including profiling);
-
in certain other situations to our continued processing of your personal information, e.g., processing carried out for the purpose of our legitimate interests.
​
Access: Not to be subject to automated individual decision making
The right to be provided with a copy of your personal information (the right of access): The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you
​
For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
​
If you would like to exercise any of those rights, please:
-
email us —see below: ‘How to contact us’;
-
let us have enough information to identify you;
-
let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
-
let us know what right you want to exercise and the information to which your request relates.
​
4. Keeping your Personal Information Secure
We have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
​
4.1. How to Complain
We hope that we can resolve any query or concern you may raise about our use of your information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.
​
5. Changes to this Privacy Policy
This privacy notice was published on the 16 September 2022, and amended the 18th of April 2023. We may change this policy from time to time, when we do we will inform you via email. Your continued use of CURL iD Ltd website after any modification to this Privacy Policy will constitute your acceptance of such modification.
​
6. How to Contact Us
If you wish to contact us, please send an email to jasmine@curlid.com
​
7. Cookies and Other Tracking Technologies
A cookie is a small text file which is placed onto your device (e.g., computer, smartphone or other electronic device) when you use our website. We use cookies, web beacons, tracking pixels and other tracking technologies on our website including other media channels, mobile websites, or mobile applications related or connected to our Site. This helps us recognise you and your device and store some information about your preferences or past actions.
For further information on cookies and web beacons, tracking pixels and other tracking technologies on our website, and our use of such tracking technology, when we will request your consent before placing them and how to disable them, please see our Cookie Policy:
​
8. Interpretation
All uses of the word "including" mean "including but not limited to" and the enumerated examples are not intended to in any way limit the term which they serve to illustrate. Any email addresses set out in this policy may be used solely for the purpose for which they are stated to be provided, and any unrelated correspondence will be ignored. Unless otherwise required by law, we reserve the right to not respond to emails, even if they relate to a legitimate subject matter for which we have provided an email address. As a matter of common sense, you are more likely to get a reply if your request or question is polite, reasonable and there is no relatively obvious other way to deal with or answer your concern or question (e.g. FAQs, other areas of our website etc.)
Our staff are not authorised to contract on behalf of Curl Id Limited, waive rights or make representations (whether contractual or otherwise). If anything contained in an email from a Curl Id Limited address contradicts anything in this policy, our terms or any official public announcement on our website, or is inconsistent with or amounts to a waiver of any Curl Id Limited rights, the email content will be read down to grant precedence to the latter. The only exception to this is genuine correspondence expressed to be from the Curl Id Limited legal team.
​
Contact us
If you have any questions about the Website or Services, please do not hesitate to contact us at jasmine@curlid.com