HYDRAFACIAL PRIVACY NOTICE

OUR PRIVACY NOTICE AT A GLANCE

1. Our promise. Hydrafacial is committed to the protection of your Personal Information. We will always treat your Personal Information with respect and design our products and services with your privacy in mind.
2. Data we collect. In order to provide you with our services, we will need to process your Personal Information, such as contact details and shipping address, account information, treatment history, skin data, payment details, machine identifiers, info about how you interacted with us.
3. How we collect your data. We will collect your data from you, from your use of our products and services, and from external sources.
4. How we use your data. Your data could be used for a variety of reasons under legal standings. The processing of your data could be based on your consent (e.g. account creation, survey data, treatment recommendations or set up a consultation), the performance of a contract (e.g. customer service), a legal obligation (e.g. exercise your rights or fulfill a claim) or our legitimate interest (e.g. some marketing and promotional activities and/or fraud prevention).
5. Sharing data.We mainly share your data with service providers who provide us with assistance and support, these being companies in the Hydrafacial Group or third party providers.
6. Protecting your data. We strives to implement approapriate technical and organisational measures in order to protect your Personal Information against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing.
7. How long do we keep your data. We will not process your Personal Information for longer than is necessary nor will we process it for purposes beyond what it was collected for.
8. Children’s privacy. We do not knowingly collect any personal information from children under 13.
9. Links to other websites. We have no responsibility for the linked websites.
10. Your rights. You may have certain rights relating to your Personal Information depending on your location and subject to local applicable laws (e.g. the right to be informed; the right of access; the right to rectification; the right to erasure; the right to object). Additional information for consumers in the United States below.

We encourage you to read our full Privacy Notice and the  Cookie Policy   linked below to understand in depth the way we will use your Personal Information and your rights over your data. For more information about our Terms of Use, please visit them here.

Our promise

Here at Hydrafacial, we are committed to protecting your Personal Information, and we will always treat it with respect and design our products and services with your privacy in mind.

Hydrafacial is a flagship brand of The Beauty Health Company (hereinafter “Hydrafacial”, “our”, “us” or “we”). Hydrafacial is a global category- creating company focused on delivering beauty health experiences by reinventing our consumer’s relationship with their skin, their bodies and their self-confidence.

The flagship brand, HydraFacial, created the category of hydradermabrasion by using a Vortex-Fusion Delivery System to cleanse, peel, exfoliate, extract, infuse, and hydrate the skin with proprietary solutions and serums.

This Privacy Notice covers the Personal Information that Hydrafacial, its subsidiaries and affiliates located worldwide within The Beauty Health Company family of companies (“Affiliates”) collect and process through the different means.

Definitions

“Personal Information” means information that identifies, relates to, describes, or is reasonably capable of being associated, linked or linkable with a particular individual or household, including any information that is subject to applicable data protection laws.

“Controller” means a party that sets out the purposes and means of processing of personal data.

“Processor”, “Service Provider”, ”Contractor” or “Third Party” means a party that processes Personal Information on the Controller’s behalf.

“Client” or “Consumer” means an individual that receives a Hydrafacial treatment.

“Treatment provider” or “Esti” means a professional that performs a Hydrafacial treatment.

“Provider” or “Costumer” means a clinic or center that provides Hydrafacial treatments.

Data we collect

In order to provide you with our products and/or services, we will need to process your Personal Information. The personal information we collect about you may include:

• Your contact details, such as your full name, physical and email addresses, phone number(s), clinic/center name & details – including, if you are an esthetician, the name of your business or employer, address and phone number in order to do business with you.
• Your account information, such as your email address, full name, username & password, phone number, date of birth, ZIP/postal code, geolocation, skin information, reward points and profile & self-assessment picture. Your CV information and data provided during the recruitment process.
• Your treatment history*, such as type of treatment received, any add-ons adjustments, and the products used (as applicable) when you have a Hydrafacial account.
• Your payment information and/or banking details in order to complete your purchase orders.
• Machine identifiers include: your IP address, operating system, device, and location when you use our online services.
• Information about how you interacted with us, our websites and our services.
• Your Hydrafacial education and certification history so you can track, log, and repeat your participation in our education courses, print certificates upon completing courses, and share such information with your employers as a Customer.

*Consumers have the option to share their treatment history with the treatment providers. Likewise, when treatment providers use a HydraFacial device, they have the option to sync their application account with the device in order to have a record of the providers’ treatment history. Treatment providers will see aggregated treatment data on treatments they have given. No Personal Information is tied to the treatments that the treatment provider sees. Access to the treatment history/consumer profile is restricted and must be granted by the consumer via a PIN code system. Each time the provider requests access to the treatment history/profile, an SMS/email will be sent to the consumer with a time limited PIN code which the consumer should provide directly to the provider to grant access and then access to the profile will be granted for a limited time.

Biometric Information

If you consent to collection of biometric information and use the Selfie Assessment (the “Tool”), an image of your face, which may include biometric information (i.e., face geometry), is used to enable the feature to work. You confirm that you are providing images of yourself, and, if relevant, your own contact details via the Tool, and not those pertaining to any other individual. We do not retain your image, or any biometric information and all information is deleted when you finish using the Tool.

How we collect your data

We will collect data from you, from your use of our services and from external sources (e.g., publicly accessible sources).

We will collect your Personal Information when:

• You register for information about our products or other services.
• You interact with us or make enquiries including through social media.
• You create or update your account.
• You use the Hydrafacial app and Hydrafacial app features.
• You complete the skin profile survey in your Hydrafacial Account Profile.
• You want to receive advice on Hydrafacial treatments.
• You want to set up a consultation with a Hydrafacialist.
• You want to find a Hydrafacialist near you or in a specific area.
• You make a purchase.
• You use our product or services.
• You are a recipient or provider of Hydrafacial courses.
• You are a job applicant or you are in the recruitment process.
• You respond to communications or surveys.
• You navigate through our website or online services.

We collect data about you using technology such as cookies, pixels, and device fingerprinting, in other words, techniques used to combine information that help us identify your device.

We may use Google Analytics to track statistics of visitors to our website like tracking: (i) page views; (ii) where online users came from before visiting the Hydrafacial app or website, (iii) the behavior & average time visitors spend on each page, among other statistics we collect. This is used to determine how products and services are displayed and how much traffic we have.

To find out more information about Google analytics, visit Google Partner Site Policies at: https://policies.google.com/technologies/partner-sites.

You have the ability to accept or decline cookies from any website by modifying the settings in your browser. If you wish to restrict or block the cookies which are set by our website, you can do this through your browser settings. For information about how to manage and disable cookies you can use the 'Help' function within your browser or please visit https://www.aboutcookies.org/   or  https://www.allaboutcookies.org/ . However, please note that by deleting or disabling cookies this could affect the functionality of our website and you may not be able to access certain areas or features of our site.

If you would like information about how we use cookies and similar devices that may be installed on the terminals of our customers and users, we recommend you consult our  Cookie Policy .

How we use your data

Your data could be used for a variety of reasons under various legal basis, such as:

• Contact you to provide you with the information requested - based on your consent.
• Schedule a consultation with a Hydrafacialist near you or in your search area if you have a Hydrafacial account – based on your consent.
• Advise you on personalized Hydrafacial treatment packages if you complete the skin survey and/or the self-assessment tool and wish to receive recommendations via your Hydrafacial account – based on your consent.
• Provide Hydrafacial training and certification – based on your consent.
• Provide you with the Provider Rewards Program (the “Program”).
• Provide “stored” information for auto-fill information such as credit card payment information – based on your consent
• Process your payment for orders and for other business and accounting purposes – based on a legal obligation and/or the performance of a contract.
• Provide customer service – based on a legal obligation and/or the performance of a contract.
• Process your request to conduct business with us – based on consent.
• Account creation, update, support and management – based on consent and the performance of a contract.
• Keeping you informed about promotions and new developments by email, telephone, SMS, social media or post, and inviting you through email/SMS to create an account when you use our product or services (dependent on your preferences) – based on consent or legitimate interest where applicable.
• Provide you and other customers with relevant information through our marketing program – based on legitimate interest.
• Review your professional profile and background when you apply for a job and during the recruitment process to select the right candidate.
• Undertaking market research, product development and statistical purposes -based on legitimate interest.
• Fraud detection and prevention, unauthorized access to the product and/or services, and other illegal activities – based on legitimate interest.
• Administering debt recoveries – based on legitimate interest.
• For assessment and analysis to enable us to review, develop and improve the services we offer – based on legitimate interest.

As said, sometimes we need to use your Personal Information for legitimate business purposes to ensure that we continue to provide a great customer experience. In every instance, we will always balance our interests against yours.

The processes below are considered examples of our legitimate interests:

• Fraud detection and prevention across Hydrafacial, which may include conducting checks against publicly available information and social media profiles.
• Engaging and contacting you to ensure you have a good experience as a Hydrafacial customer.
• Internally auditing our processes to maintain our high standards.
• Some of our marketing activities.
• Sharing data with selected third parties in order to add value to our products.

Hydrafacial may contact you from time to time to ask you to take part in a survey, in order to enable us to review, develop and improve our services.

Your survey responses, including any Personal Information provided, will only be used by Hydrafacial for the purposes stated within this Privacy Notice. Personal Information can include (but is not restricted to) your name, age and e-mail address. We may also collect special category Personal Information, depending on the survey to which you are responding.

Sharing data

We do not sell your personal information to third parties.

We may employ other companies, including Processors (service providers), to perform functions on our behalf. We may share your Personal Information with these Processors who assist us with our business functions, such as payment processing, packaging, and shipping; law firms, consultants, auditors in case needed; CRM services, e-mail services, product feedback or help desk software; website analytics. If Hydrafacial receives your Personal Information and subsequently transfers that information to a Processor for processing, Hydrafacial remains responsible for ensuring that such Processor processes your Personal Information to the standard required by the applicable privacy laws, including the European General Data Protection Regulation (“GDPR”). These transfers will typically be based on our legitimate interests or agreed upon in the Agreement.

When you request a consultation with a Hydrafacialist using the Hydrafacial app, we will use the information you provide to schedule your appointment and to make the process more efficient and convenient by sending the information you provide us to the Hydrafacialist, always with your prior consent.

It may be necessary to transfer your Personal Information to other Group companies or service providers located in the United States. In these instances, we will take steps to ensure that your data is given an adequate level of protection according to the applicable regulations and for purposes consistent with this Privacy Notice and based on our legitimate interest or contractual necessity.

There are also some circumstances where we will share your data with external companies. At all times, privacy remains paramount, and we will endeavour to minimize the data shared at every opportunity.

These circumstances include:

• Sharing with carefully selected partners in order to add value to our products.
• Sharing with third parties so they can provide you with surveys.
• Building a marketing profile to find similar customers with similar needs.

As well as what has been mentioned above, there are further scenarios where we would have to share your data. These may include:

• Where we are legally compelled to do so.
• Where there is a duty to the public to disclose.
• Where disclosure is required to protect our interest.
• Where disclosure is made at your request or with your consent.
• Complying with civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities.
• Cooperating with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state or local laws, rules, regulations or ordinances.
• Exercising or defending legal claims.

Business Transfers

In the event that another company acquires HydraFacial, its stock or assets, we reserve the right to include Personal Information among the assets transferred to the acquiring company.

International Transfers

Hydrafacial is a company operating globally. Therefore, Personal Information of individuals who visit our websites and/or who use or buy our product or services, or otherwise interact with us, may be transferred and accessed from around the world, such as from countries where Hydrafacial, its Affiliates, or our processors operate.

We will protect your Personal Information in accordance with this Privacy Notice wherever it is processed. We do not voluntarily or actively transfer or disclose our customers’ Personal Information to the government or law enforcement authorities (“Authorities”) and/or otherwise grant any Authorities access to your Personal Information. In the event of a request from the Authority, we have procedures and controls in place to make sure that any such request is assessed according to the procedure outlined in our  Transparency Report .

Information for individuals in the European Economic Area (“EEA”), in the United Kingdom (“UK”) and/or Switzerland

Operating globally, Hydrafacial may transfer Personal Information from the EEA or the UK to the United States and other countries, including Personal Information we receive from individuals residing in the EEA, the UK, or Switzerland who visit our websites and/or who may buy our product or use our services, or otherwise interact with us.

When Hydrafacial engages in such transfers of Personal Information, it relies on:

• Adequacy Decisions, as adopted by:
  • European Commission (“EC”), based on Article 45 of Regulation (EU) 2016/679 (GDPR) – for more information, and to access the full list of countries deemed adequate to date, please visit https://commission.europa.eu/select-language?destination=/node/1304 .
  • UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018 - for more information, and to access the full list of countries deemed adequate to date, please visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/ ; or
  • The EC’s   Standard Contractual Clauses   (“SCCs”) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (“IDTA”), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board,

The EC’s and the UK’s Information Commissioner’s Office ("ICO”) have determined that the SCCs and IDTA may provide sufficient safeguards to protect Personal Information transferred outside the EEA and the UK. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en   and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ .

Hydrafacial performs transfers impact assessments and continually monitors the circumstances surrounding such transfers to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the European and UK data protection laws.

We apply the same conditions and requirements described in this Privacy Notice for all international data transfers, regardless of location, with adequate safeguards and always keeping your personal information safe, using the most convenient international data transfer tools, in accordance with the model contract prepared by regulators.

Additional information for individuals from the European Union, UK and Switzerland: EU-US Data Privacy Framework:

As part of our commitment to maintaining high data protection standards when transferring Personal Information between European EEA/UK/Switzerland and the United States (“US"), Hydrafacial participates in the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (“Swiss-US DPF”). The following US based entities are adhering to the EU-U.S. DPF Principles, including as applicable under the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Principles, and are covered by Hydrafacial’s DPF submission:

• The Beauty Health Company
• LCP Edge Intermediate, LLC
• Edge Systems Holdings Corporation
• Edge Systems Intermediate, LLC
• Esthetic Medical Inc.
• The HydraFacial Company Mexico Holdings, LLC
• HydraFacial LLC

Hydrafacial and all the affiliates listed above complies with the EU-US DPF and the UK Extension to the EU-US DPF, and the Swiss-US DPF Principles as set forth by the US Department of Commerce. Hydrafacial has certified to the U.S. Department of Commerce that it adheres to the EU-US DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom (and Gibraltar) in reliance on the EU-US DPF and the UK Extension to the EU-US DPF. Hydrafacial has certified to the US Department of Commerce that it adheres to the Swiss-US DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this Privacy Notice and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-US DPF Principles, Hydrafacial commits to resolve complaints about your privacy and our collection or use of your Personal Information transferred to the United States pursuant to the EU/Swiss DPF Principles. European Union, UK and Swiss individuals with DPF inquiries or complaints should first contact Hydrafacial: Ignacio de la Corte, Data Protection Officer, dpo@hydrafacial.com.

Hydrafacial will investigate and attempt to resolve any complaints or disputes regarding processing of Personal Information within 45 days of receiving your privacy complaint.

Hydrafacial has further committed to refer unresolved privacy complaints under the EU/Swiss DPF Principles to an independent dispute resolution mechanism. In this sense, Hydrafacial commits to cooperate with the EU data protection authorities (EU DPAs) under the EU-U.S. DPF, the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) under the UK Extension to the EU-U.S. DPF, or the Swiss Federal Data Protection and Information Commissioner (FDPIC) under the Swiss-U.S. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the following links for more information and to file a complaint. This service is provided free of charge to you.

DPAs in the EEA: https://edpb.europa.eu/about-edpb/about- edpb/members_es#member-no 

DPA in the UK: https://ico.org.uk/global/contact-us/ 

DPA in Switzerland https://www.edoeb.admin.ch/edoeb/en/home.html 

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms

See: https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures- dpf?tabset-35584=2 

Hydrafacial is subject to the jurisdiction of the US Federal Trade Commission for the purposes of DPF enforcement.

Accountability for Onward Transfers.

Hydrafacial acknowledges the responsibility for the processing of Personal Information received and subsequently transferred to Third Parties/Agents/Service Providers. Hydrafacial remains liable under the DPF Principles if a Third Party/Agent/Service Provider processes Personal Information covered by this Notice in a manner inconsistent with the DPF Principles, except where Hydrafacial can demonstrate that it is not responsible for the event giving rise to the damages.

Information for individuals in China, South Korea and Indonesia

Where Personal Information is processed, it is stored on local servers in each country, with no cross-border data transfers to third countries.

Protecting your data

Hydrafacial strives to implement appropriate technical and organizational measures in order to protect your Personal Information against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your Personal Information are appropriate for the risks presented by the nature and use of your Personal Information. We follow recognized industry practices for protecting our IT environment and physical facilities. Some of these measures are:

• Access management
• VPN (virtual private network) for remote Access
• Encryption of data at rest and in transit
• Backup and recovery capabilities
• Firewalls
• Antivirus software
• Multi-factor authentication (MFA)
• Email security filtering
• Security awareness training

On our websites and apps, we protect any data you have given us by providing you with a User ID and password. We also use industry standard security to encrypt sensitive data in transit to our servers. The User ID and password helps us to protect your Personal Information. You must keep this password safe and must not disclose it to anyone.

Some suspicious emails contain attachments or links to websites that try to install malicious software on your computer. If you have entered your password on what you think might be a malicious website, please contact us immediately and ask us to change your password.

If you have entered your payment card information on what you think might be a malicious website or replied to an e-mail with that information, you should contact your credit card company immediately. Do not forget to contact us to update your card details.

When you ask for a quote from us, we will process the data on a secure server. Your browser will confirm that you are in a secure area by displaying an unbroken key or lock in the bottom right-hand corner of your browser window.

Many organisations use security features such as firewalls to protect their computer systems. These firewalls may prevent you from connecting to our secure server. If you are at work and cannot connect to our web site, please speak to your IT administrator.

Please be aware that communications over the Internet, such as emails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered - this is the nature of the Internet. We cannot accept responsibility for any unauthorized access or loss of personal information that is beyond our control.

Additionally, you can protect your system by installing anti-virus and running scans as recommended by the vendor. You should also run any security updates / patches you receive for your system from the supplier.

Never respond to unsolicited emails from unfamiliar sources. Such emails may be fraudulent and attempt to get you to provide your personal details or payment information.

How long do we keep your data

We will not process your Personal Information for longer than is necessary nor will we process it for purposes beyond what it was collected for. We store your Personal Information for different time periods depending on the category of Personal Information and the nature of the relationship that you have with us. We determine how long we need Personal Information on a case-by-case basis, but our goal is to keep your Personal Information for as short a period as possible to achieve the purpose for which Personal Information is collected.

We are subject to various legal requirements concerning the retention of data and have our own legitimate interests in retaining your data for a period of time. These include defence of any late or delayed claims and improving our products and services.

If you do not take any action after receiving an email/SMS from Hydrafacial inviting you to create an account, because you have received a Hydrafacial treatment (Syndeo), we will automatically delete your data within a reasonable time.

Children’s privacy

We do not knowingly collect any personal information from children under 13, and our products are not intended for purchase or use by children. Parents should be aware that there are parental control tools available online that can be used to prevent children from submitting information online without parental permission or from accessing material that is harmful to minors.

Links to other websites

To enhance your Hydrafacial experience, our website may include links to other sites. This Privacy Notice does not apply to third-party websites that are accessible through our website. Those websites will have their own privacy policies that you may wish to review. Hydrafacial has no responsibility for the content hosted on third party linked websites.

Your rights

You may have certain rights relating to your Personal Information, depending on your location and subject to local applicable laws.

ADDITIONAL INFORMATION FOR CONSUMERS IN THE EEA, UK AND SWITZERLAND

• The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your Personal Information and your rights. This is why we are providing you with the information in this Privacy Notice. If you have any additional questions, for example regarding transfers and locations of data or our legitimate interests basis, please contact us.
• The right of access. You have the right to obtain access to your Personal Information (if we are processing it), and certain other information (similar to that provided in this Privacy Notice).
• The right to rectification.You have the right to request us to correct inaccurate Personal Information we hold about you.
• The right to erasure. This is also known as the ‘right to be forgotten’ and enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it. This is not a general right, there are exceptions.
• The right to restrict processing. You have rights to ‘block’ or suppress further use of your Personal Information in certain circumstances. When processing is restricted, we can still store your Personal Information, but we may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
• The right to data portability. You have the right, in certain circumstances, to request that we send a copy of your Personal Information to a third party. If we do this, we will send your Personal Information in a structured, commonly-used and machine- readable format. This is not a general right, there are exceptions.
• The right to object. You have the right to object to certain types of processing, including processing for direct marketing or where we are relying on our legitimate interests for processing.

• The right to lodge a complaint You have the right to lodge a complaint about the way we handle or process your Personal Information with your Data Protection Authority (“DPA”) should you feel unsatisfied with our processing of your Personal Information.

  DPAs in the EEA: https://edpb.europa.eu/about-edpb/about- edpb/members_es#member-no

  DPA in the UK: https://ico.org.uk/global/contact-us/ 

  DPA in Switzerland: https://www.edoeb.admin.ch/edoeb/en/home.html 

• The right to withdraw consent.If you have given your consent to anything we do with your Personal Information, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your Personal Information with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your Personal Information for marketing purposes.

Additional Information for Consumers in the United States

California & Delaware “Do Not track Disclosures”

Privacy regulations in the United States, such as the laws of California and Delaware, require Hydrafacial to indicate whether it honors your browser’s “Do Not Track” settings concerning targeted advertising. Hydrafacial adheres to the standards set out in this Privacy Notice and does not monitor or respond to Do Not Track browser requests.

Contact Us

For our customers: please contact the Hydrafacial entity identified on your order form.

If you would like to access, review, update, correct, delete any Personal Information we hold about you, or exercise any other privacy rights available to you, you fill out this request form.

Controller’s Contact Information:

Data Protection Officer: Ignacio de la Corte

dpo@hydrafacial.com 

Any questions or enquiries in relation to this notice, your personal data or to know & enforce your rights please let us know how we can help.