Supplemental EU/EEA and UK Privacy Policy (“GDPR Policy”) 

In conjunction with our Master Privacy Policy, the following describes how Skinfix Inc collects and processes your Personal Information in accordance with:

(a) if you are located in the EU or EEA, the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”); or  
(b) if you are located in the United Kingdom (“UK”), the retained version of the EU GDPR in the UK and the Data Protection Act 2018,

(together referred to in this GDPR Policy as the “GDPR”). 

If there is any inconsistency or conflict between this GDPR Policy and our Master Policy, this GDPR Policy shall prevail.  

This GDPR Policy was last updated on 3/27/23.  

 

Controller  

Skinfix Inc. is the controller and responsible for your Personal Information (collectively referred to as "Skinfix", "we", "us" or "our" in this GDPR Policy). 

 

Contact Details  

If you have any questions about this GDPR Policy or our privacy practices, please contact our data privacy responsible person in the following ways: 

  • Full name of legal entity: Skinfix Inc 
  • Email address: info@skinfix.com
  • Postal address: 1701 Hollis St. Suite 800 Halifax N.S B3J 3M8
  • Telephone number: 1-866-927-2783

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk), or the relevant EU member state supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the ICO/supervisory authority so please contact us in the first instance.  

 

Lawful Basis of Processing 

We will only process the Personal Information subject to the GDPR as it is described in this GDPR Policy if we have a lawful basis for doing so. Most commonly, we will use your Personal Information in the following circumstances:  

  • Where we need to perform the contract we are about to enter into or have entered into with you. 
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. 
  • Where we need to comply with a legal obligation. 

Generally, we do not rely on consent as a lawful basis for processing your Personal Information.  

Skinfix may, in exceptional circumstances, process Special Categories of Personal Information. Special Categories of Personal Information means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.  

In particular, as part of dealing with consumer complaints, queries, questions or complying with our obligations relating to cosmetovigilance, Skinfix may process Personal Information relating to health. We will only process such Special Categories of Personal Information where we have satisfied ourselves that, (a) in the case of Personal Information relating to health, such processing is necessary for the purposes of preventative or occupational medicine for the assessment of medical diagnosis, or the provision of health treatment; and (b) in all other cases, where we have obtained your explicit consent. This means that we will obtain an affirmative clear statement of your consent from you.  

Where you voluntarily provide Special Categories of Personal Information (other than Personal Information relating to health) which relate to you without being asked by us to provide that Personal Information, then doing so will constitute your explicit consent.  

 

Purposes For Which We Will Use Your Personal Information  

We have set out below, in a table format, a description of all the ways we plan to use your Personal Information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. 

Note that we may process your Personal Information for more than one lawful ground depending on the specific purpose for which we are using your Personal Information. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Information where more than one ground has been set out in the table below.

| Categories of Data Subjects | Categories of Personal Information | Purpose of Processing | Lawful Basis for Processing (and Lawful Basis for Processing Special Categories of Personal Information, if applicable) |
| --- | --- | --- | --- |
| Skinfix customers/consumers (including website users) | Personal details including name and contact information. | 1. Maintaining and enhancing Skinfix’s products and services. 2. Providing products and services and customer management. 3. Account management. 4. Supporting network and system security. 5. Auditing. 6. Detecting and preventing fraud. 7. Complying with legal obligations, including cosmetovigilance. 8. Conducting web analytics. | 1. Contract 2. Legal Obligation 3. Necessary for our Legitimate Interests (to enhance performance of our website; to keep our records updated and to study how customers use our products/services; for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) |
| Skinfix customers/consumers (including website users) | Device details. | 1. Conducting web analytics. | 1. Necessary for our Legitimate Interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) 2. Consent |
| Skinfix customers/consumers (including website users) | User activity details and user preferences. | 1. Conducting web analytics. | 1. Necessary for our Legitimate Interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) 2. Consent |
| Skinfix customers/consumers (including website users) | Browser history details. | 1. Conducting web analytics. | 1. Necessary for our Legitimate Interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) 2. Consent |
| Skinfix customers/consumers (including website users) | Location details. | 1. Conducting web analytics. | 1. Necessary for our Legitimate Interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| Skinfix customers/consumers (including website users) | Electronic identification data including IP address and information collected through cookies. | 1. Conducting web analytics. | 1. Necessary for our Legitimate Interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) 2. Consent |
| Skinfix customers/consumers (including website users) | Financial details. | 1. Providing products and services and customer management. 2. Account management. | 1. Contract |
| Skinfix customers/consumers (including website users) | Credit card information and payment details. | 1. Providing products and services and customer management. 2. Account management. | 1. Contract |
| Skinfix customers/consumers (including website users) | Contractual details including the goods and services provided. | 1. Maintaining and enhancing Skinfix’s products and services. 2. Providing products and services and customer management. | 1. Contract 2. Necessary for our Legitimate Interests (to keep our records updated and to study how customers use our products/services) |
| Skinfix customers/consumers (including website users) | Special categories of Personal Information including data relating to health, genetics[, race, ethnicity and religious beliefs]. | 1. Maintaining and enhancing Skinfix’s products and services. 2. Providing products and services and customer management. 3. Complying with legal obligations, including cosmetovigilance. | 1. Legal Obligation 2. Necessary for the Purposes of Preventative or Occupational Medicine 3. Explicit Consent |
| Skinfix suppliers and distributors | Name and contact information. | 1. To obtain products and services. 2. Evaluating potential suppliers and distributors. | 1. Contract |
| Skinfix suppliers and distributors | Financial and payment details. | 1. Supplier administration, order management, and accounts payable. | 1. Contract |

                                             

Marketing

We do not market directly to data subjects within the EU or UK. If we plan to change our approach to marketing to data subjects within the EU or UK we will update this GDPR Policy to reflect that.

International Transfers

We are a Canadian company; accordingly, when you share your Personal Information with us, this will involve transferring your Personal Information outside the UK and the EU/EEA.

Many of our external third parties are based outside the UK and EU/EEA so their processing of your Personal Information will involve a transfer of data outside the UK and EU/EEA.

Skinfix discloses Personal Information to the following categories of recipients, some of which are located in countries outside of the UK and EEA:

  • Skinfix, Inc.
  • Business partners.
  • Auditors and professional advisors, such as lawyers and consultants.
  • Law enforcement officials.
  • Third-party service providers, such as providers of:
    (a) IT system management;
    (b) information security; and
    (c) marketing agencies.

Skinfix transfers Personal Information (including Special Categories of Personal Information) to the following countries (some of which are known as "third countries" under the Data Protection Legislation):

  (a) Canada.
  (b) The United States of America (USA).

Whenever we transfer your Personal Information out of the UK and EU/EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your Personal Information to countries that have been deemed to provide an adequate level of protection for Personal Information. For further details, see:
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give Personal Information the same protection it has in the UK and/or EU/EEA. For further details, see:

Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Information out of the UK or EU/EEA.

                                             

Access to Information and Your Rights

For United Kingdom and EU residents subject to the GDPR, you have certain rights relating to your Personal Information, subject to local data protection laws. These rights may include:

  • To access your Personal Information held by us (right to access);
  • To rectify inaccurate Personal Information and, taking into account the purpose of processing the Personal Information, ensure it is complete (right to rectification);
  • To erase/delete your Personal Information, to the extent permitted by applicable laws (right to erasure; right to be forgotten);
  • To restrict our processing of your Personal Information to the extent permitted by law (right to restriction of processing);
  • To transfer your Personal Information to another controller or processor, to the extent possible (right to data portability);
  • To object to any processing of your Personal Information carried out on the basis of our legitimate interests (right to object). Where we process your Personal Information for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection. Please note that we do not currently market to data subjects within the UK and EU/EEA;
  • To the extent we base the collection, processing, and sharing of your Personal Information on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.

Please submit your specific request by using the information in the Contact Details section above to exercise these rights.

Timeframe for Responding to Requests

Skinfix will respond to your request within thirty (30) days of receipt. The response period may be extended if your request is particularly complex or you have made a number of requests. In that event, we will inform you of the reason and extension period in writing, and keep you updated.

Required Information for Responding to Requests

Skinfix may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Fee

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded, in which case we will charge a reasonable fee. Alternatively, we could refuse to comply with your request in these circumstances.