Privacy policy

Privacy policy 

Effective Date: 20 June 2025 

What does this Privacy Notice apply to? 

The Body Shop, are fully committed to the responsible collection, use and care of the personal data of its customers and website users. This Global Privacy Notice for Customers and Website Users (“Privacy Notice”) provides you with information on how we collect, use, and share personal data through our websites, products, mobile applications, or other sites that display this Privacy Notice. 

If you are in a jurisdiction that recognizes the concept of a Data Controller or similar, the Data Controller is the Body Shop entity (including Group of Companies) with which you have a customer relationship. If you have a query about how your Personal Data is being used, you can contact the data controller through the Data Protection Officer (DPO) team at privacy@us.thebodyshop.com 

Key Definitions 

Capitalized terms not otherwise defined in this Notice have the following meanings: 

Personal Data means any information relating to an identified or identifiable living individual. 

Sensitive Personal Data means any information relating to an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, criminal records/history or processing of genetic data or biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. Depending on the country you are based sensitive personal data may also refer to personal information that, once leaked or illegally used, may cause harm to natural persons, including but not limited to information on specially designated status, financial accounts, individual location tracking, as well as the personal information of minors or information on social security, driver’s license, state identification, and passport numbers, precise geolocation, combination of email address, debit card, or credit card with security or access code, password, or other credentials allowing access to a financial account(s). 

Processing means the use of personal data including collection, recording, organization, structuring, adaptation or alteration, analysis, retrieval, consultation, providing or blocking access to (including remote access), disclosure, dissemination, aligning, copying, transfer, storage, deletion, hosting, combination, destruction, disposal, or other use or handling of personal data. 

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In our company, the ultimate data controller is The Body Shop International Limited. 

Third Party means any natural person or legal entity, public authority, agency or any other body other than Data Subject, Data Controller, any vendor, supplier or service provider who solely or jointly process personal data on behalf of the Data Controller and acts on the Data Controller’s instructions. 

Data Subject means the identified or identifiable living individual to whom the Personal Data relates. 

TBS Group of Companies means the Body Shop International Limited its owner, affiliates and subsidiaries. 

Personal Data we collect and process

We collect, store, and process your Personal Data in a number of ways including when you:

•           Visit our websites, and branded pages and applications through third-party platforms;

•           Register an account with us and/or purchase products through our website and/or undertake a live consultation;

•           Visit one of our retail stores or counters, including if you register an account with us in store;

•           Provide data to our Customer Engagement, our Franchisees, direct marketing campaigns, sweepstakes and competitions; 

•           Correspond with us across any of our channels (e.g. messaging platforms such as text message, live chat, social media and email); and 

•           Submit a review regarding our products at our websites, and branded pages and applications. The following categories of Personal Data are followed by information about their source(s), purpose(s), legal bases and disclosure(s). 

The following categories of Personal Data are followed by information about their source(s), purpose(s), legal bases and disclosure(s). 

Personal data 

Basic Identifiers may include your name, postal and email address, telephone number, gender, date of birth, country/state of residence, title, login information, your consultant/representative ID number, IP address, device identifier or similar other identifiers, beauty profile information. We may get identifiers directly from you when you correspond or communicate with us by phone, email, and online chat, or otherwise; register or create an account; participate in a contest, sweepstakes or an online survey; sign up for our rewards program or other program or club; sign up for email and/or SMS news and alerts; or use social media to interact with us, or to share something from our websites with others. We may also get identifiers from third parties. like social media platforms, or individuals who purchase goods or services to be delivered to you (such as gifts or gift cards). 

We may use these Personal Data to provide and improve the features, products and services you request; for registration, contests and promotions; to enable you to participate in our values related campaigns, petitions and activities (including our loyalty programs); to communicate with you to provide information; to provide personalized content, information, and to send you brochures, coupons, samples, offers and other information on our products or our Group Of Companies; when we perform our duties in a commercial relationship with you; to provide customer support when you communicate with us; to improve our Sites and Apps, our customer service and support, and the user experience; to contact you via post, telephone or text message with offers relevant to your preferences; to allow you to log in with a social media account and share activities on your social media pages, such as Facebook; to verify your identity; to communicate with you about your account and activities on the Sites; to send notice of changes to any of our websites or policies; for processing of Personal Data needed for the assessment and acceptance of customers or vendors; to deliver relevant advertising; and/or for research. When you review a product on our websites, and/or branded pages and applications used for marketing purposes including reprinting in brochures/other market materials and upon obtaining your consent, where required. Depending on the laws applicable in the country you are based, we will process such Personal Data on the basis of our legitimate interest (where applicable and depending on the country you are based), your consent, for the performance of our commercial relationship with you, or as otherwise permitted by law, as applicable. 

Commercial Data 

We may obtain information on the products and services that you have shown an interest in or purchased, including product preferences, billing address, shipping address, together with purchase details (products, color, size, quantity, price), methods of payment and/or any communications we have received about your order or purchase; name, card issuer and card type, credit or debit card number, expiration date, CVV code, and/or billing address; fraud checks or flags raised about your transactions, payment card refusals, suspected crimes, complaints and/or claims. We get this directly from you when you purchase goods and services at any of our retail locations online or in person and in some cases from third parties. 

We may use this Personal Data to provide and improve the features, products and services you request; to provide you with personalized content, information, and to send you brochures, coupons, samples, offers and other information on our products or our Group of Companies; to perform all management activities connected with fulfilment of your order, including administrative management of the contract, delivery of goods, payment processing, management of any claims and litigation, and fraud prevention; to validate, confirm, verify, deliver, install, and track your order, including to arrange for shipping, handle returns and refunds, and maintain a record of the purchases you make; to provision products you purchased from us; to provide you offers that may be of interest to you; and/or to deliver relevant advertising. We may also use this data to protect you, other customers and our business against criminal activities and risks, and to make sure we understand and can meet our legal obligations to you and others, and can defend ourselves. Depending on the laws applicable in the country you are based, we will process your Personal Data on the basis of our legitimate interest (where applicable and depending on the country you are based), for the performance of our contract with you, to comply with applicable legal obligations, or as otherwise permitted by law. 

Internet or other similar network activity 

You can generally visit the website without providing any personal data about yourself. In this case we only collect and store data about your website access which will automatically be transmitted from your browser to us when you access the website. We get this indirectly from you (e.g., from observing your actions on our Sites) or from third parties like data analytics providers. This may include: IP address, MAC address or other unique identifier information (“Device Identifier”) for the computer, mobile device, technology or other device (collectively, “Device”), domain name, browser type and version, browsing history, search history, information about your visit (including products viewed, purchased or search for), details of any website which has referred you to our website, application, or advertisement; location and time zone setting, browser plug-types and versions, operating system and platform, page responses times and errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, keystrokes typed, and mouseovers); the amount of time you spend viewing or using the Website and the pages visited, the number of times you return, or other click-stream or site usage data and mouseovers) and methods used to browse away from the page. 

We may use this Data to provide you with personalized content, information, and to send you brochures, coupons, samples, offers and other information on our products or our group of companies; and/or to deliver relevant advertising. We also use this Data to enable the technical delivery of our website's content to your device; to improve our online services and the experience you receive when engaging with us online; as well as for purposes of the technical security of our website. Depending on the laws applicable in the country you are based, we will process your Personal Data with your consent, and/or for the performance of our contract with you, and/or on the basis of our legitimate interests (where applicable and depending on the country you are based) in ensuring the security of the website, optimizing the website and services we offer to you, improving marketing, analytics, or site functionality, or as otherwise permitted by law. In certain jurisdictions you may be able to select your cookies preferences based on consent. 

Preference information and inferences drawn from other personal data 

This includes a profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes. It also includes information ascertained about you from social media such as your profile picture, likes, location, and product preferences. We receive these inferences indirectly from you (e.g., from observing your actions on our Sites) or from third parties, such as a data analytics provider. 

We use such Data to provide and improve the features, products and services you request; to provide you with personalized content, information, and to send you brochures, coupons, samples, offers and other information on our products or our Group of Companies; to contact you via telephone or text message with offers relevant to your preferences; to improve our websites, products and services, customer service, and customer shopping experience; to create a session replay that shows your visit to our site; and/or to deliver relevant advertising or provide you with copies of our newsletter and information about our products, store launches, partnerships and in-store events, to contact you regarding service-related matters. We may use your data to gather feedback from you, to enable you to participate in customer research or focus groups, to inform you about products and commercial opportunities you may be interested in, to improve your experience as a Customer by building a profile of your preferences (including purchasing records) to offer you personalized products and offers; to enable your participation in our promotions, contests, prize draws, and special offers; to improve existing and develop new products and services; and to fulfil our administrative and commercial purposes and interests in activities such as those for security purposes, statistic and marketing analyses, systems maintenance, to manage product warranties and refunds. Depending on the laws applicable in the country you are based, we will process your Personal Data on the basis of our legitimate interest (where applicable and depending on the country you are based) and, when required by law, on your consent. 

Communication data 

We may collect communication data from various sources, including contact lists, demographic information originally collected from other companies within TBS Group of Companies, and Personal Data legally obtained from other third parties, which may be combined with other information that we collect for the purposes described in this section, including information on your communications with us (e.g. your emails, letters, calls, posts and messages on our social media). This may include communications with Sales Managers, Regional Managers, and/or Beauty Entrepreneurs if they share such communications with us. 

We use such Data to provide and improve the features, products and services you request; to provide you with personalized content, information, and to send you brochures, coupons, samples, offers and other information on our products or our Group of Companies; and/or to deliver relevant advertising. Depending on the laws that apply in your country, we will process your Personal Data on the basis of our legitimate interest (where applicable and depending on the country you are based), for the performance of our contract with you and, when required by law, on your consent. 

Other personal data we may have collected with your consent 

We get this information directly from you. This may include: Information you provide by calling, emailing, texting, or chatting online with our team and/or store staff or by responding to surveys or competitions. 

Information ascertained about you from social media such as your profile picture, likes, general geo-location details when using one of our mobile applications. 

Other information we have collected from you with your consent. 

We use such Data to provide and improve the features, products and services you request; to provide you with personalized content, information, and to send you brochures, coupons, samples, offers and other information on our products or the TBS Group of Companies; when we perform our duties in a contract with you; and/or for processing of Personal Data needed for the assessment and acceptance of customers and to assist you to find your nearest store. Depending on the laws that apply in your country, we process your Personal Data on the basis of our legitimate interest(where applicable and depending on the country you are based), for the performance of our contract with you and, when required by law, on your consent. 

Sensitive personal data 

We limit the circumstances where we collect and process these special categories of data. In some instances, you may have requested services or products that do not directly involve the collection of any special categories of data, but may imply or suggest your religion, health or other special categories of data, such as skin concerns and adverse events from you which may include information on your health and or ethnicity. 

We may use these Personal Data to provide products and services you request; for registration, contests and promotions; to provide you with personalized content, information, and to send you brochures, coupons, samples, offers and other information on our products within the TBS Group Of Companies; to confirm your identity as a registered member; for responding enquiries related to the product use; for analytical and demographic purposes; and when we perform our duties in a contract with you. We process such Sensitive Personal Data on the basis of your consent or as otherwise permitted by the laws applicable depending on the country you are based. This Sensitive Personal Data may be shared for business purposes within the TBS Group of Companies and with service providers. Your Sensitive Personal Data will not be used for any additional purposes that are incompatible with the purposes listed above unless we provide you with notice of those additional purposes. 

About Third-party sites 

You may be able to access our website from a third-party site or vice versa. Your use of third-party websites is governed by the privacy policy of that site. Different terms and conditions and privacy policies may apply. They may send their own cookies or tracking files to your Device, and they may collect your Personal Data for their own purposes. That information is not subject to this Privacy Notice. 

How long we store your Personal Data 

We store your Personal Data processed for the purposes stated in this Notice and for the duration of our business relationship with you. Once our business relationship with you has ended and your data is no longer required for these purposes, we will delete your data, unless your data is required also for other purposes set out in this Privacy Notice, and/or is necessary to fulfill applicable legal or regulatory obligations. We also may store your data for dealing with any complaints regarding our products and services. Our retention periods are being determined as per the legal requirements of the country you are based. 

How we share and disclose your Personal Data 

As a global Company, we may disclose your Personal Data to: 

•           TBS Group Of Companies; 

•           Customers, Sales Leaders of The Body Shop, if you have indicated a desire to purchase products this way; 

•           We disclose personal information to third parties for their own marketing purposes and to expand the reach and effectiveness of our own marketing campaigns. Depending on where you reside, these activities may constitute “sales” and you may opt out of these disclosures (see the Opt Out of Sales, Sharing, and Targeted Advertising section below for details). If you provide a product review or otherwise post content on our Services, the public/other users of our Services will be able to see this information. 

•           Third-parties who provide goods or services to help us conduct our business and improve our services; 

•           External auditors and or legal advisors; 

•           Other parties to whom we are authorised or required by law to disclose information; 

•           Law enforcement and other government authorities. To do so, the authority requires an appropriate judicial order or warrant, for which they need to demonstrate that the disclosure of the requested or intercepted information is required. We reserve the right to challenge these requests.  

•           We disclose personal information if we believe that your actions are inconsistent with our user agreements or policies, if we believe that you have violated the law, or if we believe it is necessary to protect the rights, property, and safety of TBS Group, our users, the public, or others. 

•           We make personal information available to third parties when we have your consent or you intentionally direct us to do so. 

•           We may disclose aggregated or de-identified information that cannot reasonably be used to identify you. We will not attempt to re-identify such information, except as permitted by law. 

•           We may share or transfer your Personal Data in the course of any direct or indirect reorganization process including, but not limited to, mergers, acquisitions, divestitures, bankruptcies, and sales of all or part of our assets. Your Personal Data may be shared following the completion of such transaction and/or during the assessment pending transfer (subject to confidentiality requirements). If transferred, your Personal Data will remain subject to this Privacy Notice or a policy that, at a minimum, protects your privacy to an equal degree as this Privacy Notice unless you otherwise consent. 

International Data Transfers: We may transfer your Personal Data to our affiliates and subsidiaries or to other third parties, in accordance with applicable local law, depending on the country you are based. We may also transfer your Personal Data from your country or jurisdiction to other countries or jurisdictions in accordance with legal requirements. 

•           For international data transfers subject to EEA, UK and Swiss law: we primarily use European Union Commission Standard Contractual Clauses. 

•           For transfers between other jurisdictions, we may rely on other legal mechanisms for international transfers, as appropriate under the relevant law. 

•           We have also concluded and executed an Intra-Group Agreement to ensure safe and lawful transfers of personal data take place among entities within the TBS Group of Companies, and also among different countries around the world, where such transfers are necessary in the course of business. 

We carry out Transfers Impact Assessments to implement supplementary measures to ensure your personal data is processed under the standards that apply to your territory. Your Sensitive Personal Data will not be used for any additional purposes that are incompatible with the purposes listed above unless we provide you with notice of those additional purposes. We do not sell your Personal Data or your Sensitive Personal Data, nor do we share it with third parties for cross-context behavioural advertising. 

How we protect your Personal Data 

We implement comprehensive technical, physical and organizational measures to ensure a level of security appropriate to the risk to the personal data we process and to ensure compliance with applicable legal requirements. These measures are aimed at safeguarding the ongoing integrity and confidentiality of personal data. We evaluate and improve these measures on an ongoing basis. 

How we approach to children’s privacy 

Our websites are designed and intended for adults. We understand the importance of taking extra precautions to protect the privacy and safety of children using The Body Shop products and services. Where one of our websites may be intended for a younger audience, depending on the country our audiences are based we get consent from a parent or guardian in accordance with the applicable local law. If you learn that a child has, in violation of this Privacy Notice, registered for email newsletters, or otherwise provided their Personal Data, please report it to us using the contact information provided at the bottom of this Privacy Notice. If we become aware that an underage user has provided Personal Data without parental permission, we will terminate that account and delete all Personal Data provided by that user to the extent feasible and as soon as practicable. Depending on the country you are based, we may use your personal data to carry out age verification checks and enforce any such age restrictions. 

Your rights in relation to the processing of your Personal Data 

You may have some or all of the following rights: 

•           To obtain information on the personal data processed concerning you and to obtain a copy of such data (right of access); 

•           To obtain the rectification of any inaccurate personal data and, having regard to the purposes of the processing, the completion of incomplete personal data (right to rectification) (please let us know if and to what extent your data stored by us has changed, so that we can rectify or update the respective data); 

•           If there are legitimate reasons, to request the deletion of the personal data (right to erasure); 

•           To request the restriction of the processing of the personal data, if the legal requirements are met (right to restriction of processing); 

•           To withdraw your consent at any time, if the data processing is based on consent, provided that such withdrawal does not affect the lawfulness of the previous processing of your data (consent withdrawal); 

•           To receive the personal data provided by you in a structured, commonly used and machine-readable format and to transfer this personal data to another controller or, if technically feasible, to have it transferred by us (right to data portability); and 

•           Not to be subject to a decision based solely on automated processing which produces legal effects concerning you or significantly affects you in a similar way, if the legal requirements are not met (not to be subject to automated processing). 

•           To object, where applicable law provides, to the processing of your data (right to object): 

•           which is being processed for the purposes of our legitimate interests (where applicable and depending on the country you are based) unless such interests outweigh your individual rights; and/or 

•           for direct marketing purposes, without any special reason 

Our digital marketing communications may provide unsubscribe or opt-out mechanisms that allow you to modify your communications preferences. Please note that if you opt-out of marketing communications, we may still contact you with non-promotional communications, such as those about ongoing business relations or administrative messages (e.g. updates on online orders). 

In order to exercise your rights, including the withdrawal of your consent, please contact privacy@us.thebodyshop.com  

You may also designate an authorized agent to make a request on your behalf. In order to protect your data from unauthorized access or alteration by third parties, all requests regarding your personal information will be subject to verification of the identity of the requesting individual. We endeavour to respond to a verifiable request within required time frames. A Data Subject who feels that we are not adhering to this Notice or applicable data protection laws with respect to his or her Personal Data may contact us to register a complaint; submit requests for exercising rights; or address any other issue arising under this Notice. Complaints by any person may also be referred to the DPO team privacy@us.thebodyshop.com 

Without prejudice to any other remedies, you also have the right to lodge a complaint with a supervisory authority at any time. 

Geolocation Data 

If you have previously consented to sharing precise geolocation information with our digital services, you can choose to stop the collection of this information at any time by changing the preferences on your browser or mobile device settings. 

Push Notifications/Alerts 

If you have permitted one of our mobile applications to send you push notifications or alerts, you can deactivate these messages at any time in the notification settings on your mobile device. 

Changes we make 

We may update this Notice periodically and will revise the date at the bottom of this Notice to reflect the date when such update occurred. If we make any material changes in the way we collect, use, and/or share the personal information that you have provided, we will endeavour to provide you with notice before such changes take effect, such as by posting prominent notice on our Company website. Continued use of the website constitutes acceptance of the new Privacy Notice. We encourage you to periodically review this page for the latest information on our privacy practices. Where required to do so by the applicable law depending on the country you are based, we may seek your prior consent to any material changes we make to this Privacy Notice. In the event of any difference in interpretation or meaning between the English version and any other translation of this Privacy Notice, the English version shall prevail.  

Additional Disclosures for Individuals In Certain U.S. States 

This California Consumer Privacy Statement supplements the Body Shop Privacy Policy and applies solely to personal information collected about California consumers.  This California Consumer Privacy Statement does not apply to personal information collected about Body Shop personnel or job applicants.  

This California Consumer Privacy Statement uses certain terms that have the meaning given to them in the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) and its implementing regulations (collectively, the “CCPA”). 

Notice of Collection and Use of Personal Information 

We may collect (and may have collected during the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement) the following categories of personal information about you and your organization, in addition to those described in the Body Shop Privacy Policy: 

Identifiers: Identifiers such as a real name, phone number, billing and shipping address, IP address and email address; 

Additional Data Subject to Cal. Civ. Code § 1798.80: Additional data such as financial information (including payment card details); 

Protected Classifications: Characteristics of protected classifications under California or federal law, such as age and gender; 

Commercial Information: Commercial information, including records of personal property, products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies; 

Online Activity: Internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with websites, applications or advertisements; and 

Inferences: Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. 

We may use (and may have used during the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement) your personal information for the purposes described in the Body Shop Privacy Policy and for the following business purposes: 

Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling transactions, verifying user or client information, processing payments, providing financing, providing analytics services, providing storage or providing similar services; 

Providing advertising and marketing services; 

Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance; 

Short-term, transient use, such as nonpersonalized advertising shown as part of your current interaction with us; 

Helping to ensure security and integrity; 

Undertaking activities to verify or maintain the quality or safety of our services or devices and to improve, upgrade or enhance them; 

Debugging to identify and repair errors; and 

Undertaking internal research for technological development and demonstration. 

We do not collect or process sensitive personal information as defined in the CCPA for purposes of inferring characteristics about consumers.  

Sale or Sharing of Personal Information 

We do not sell personal information for monetary compensation.  We share your personal information by allowing certain third parties (such as online advertising services, social networks, and data analytics providers) to collect personal information via automated technologies on our online services for cross-context behavioral advertising.  These kinds of sharing may be considered sales or sharing under the CCPA when the information is exchanged for monetary or non-monetary consideration.  In addition to cookie-based ad targeting, we may disclose information about your purchases and contact information (such as email and mailing address) to other brands in the corporate family, advertising partners, and other third parties for marketing and advertising purposes.  You have the right to opt-out of such sales or sharing of your information. 

We may share for cross-context behavioral advertising purposes or sell (and may have shared or sold during the 12-month period prior to the Last Updated date of this Privacy Statement) the following categories of personal information about you: Identifiers; Commercial Information; Online Activity; and Inferences.  You have the right to opt out of this disclosure of your personal information, as detailed below.  We do not have actual knowledge that we sell or share the personal information of minors under 16 years of age. 

Disclosure of Personal Information 

During the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement, we may have disclosed the following categories of personal information about you for a business purpose to the following categories of third parties: 

Categories of Personal Information	Categories of Third Parties
Identifiers	·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       Social networks  ·       ISPs and operating systems and platforms
Additional Data Subject to Cal. Civ. Code § 1798.80	·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       Social networks  ·       ISPs and operating systems and platforms
Protected Classifications	·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Data analytics providers  ·       Social networks  ·       ISPs and operating systems and platforms
Commercial Information	·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Online advertising services  ·       Data analytics providers  ·       Social networks  ·       ISPs and operating systems and platforms
Online Activity	·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Online advertising services  ·       Data analytics providers  ·       Social networks  ·       ISPs and operating systems and platforms
Inferences	·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Data analytics providers  ·       ISPs and operating systems and platforms

  

In addition to the categories of third parties identified above, during the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement, we may have disclosed personal information about you to government entities and third parties in connection with corporate transactions, such as mergers, acquisitions or divestitures. 

Your California Privacy Rights 

You have certain choices regarding your personal information, as described below. 

•           Access: You have the right to request, twice in a 12-month period, that we disclose to you the categories of personal information we have collected, used, disclosed and sold or shared about you, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you.. 

•           Correction: You have the right to request that we correct the personal information we maintain about you, if that information is inaccurate. 

•           Deletion: You have the right to request that we delete certain personal information we have collected from you, subject to certain exceptions. 

•           Opt-Out of Sale or Sharing: You have the right to opt-out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising purposes. 

•           Shine the Light: You also have the right to request that we provide you with (a) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year and (b) the identity of those third parties. 

How to Submit a Request; Verifying Requests.  Please refer to the Your Choice section of our Privacy Policy for more information about how to submit an access, correction, deletion or opt-out request and the steps we will take to verify your request.  You can submit a Shine the Light request by emailing us at privacy@us.thebodyshop.com the subject line “California Shine the Light Request”.    

Body Shop Colorado Consumer Privacy Statement 

 Last Updated: April 22, 2025 

This Colorado Consumer Privacy Statement supplements the Body Shop Privacy Policy and applies solely to personal data collected about Colorado consumers who interact with us in an individual or household (not an employment or commercial) capacity.  This Statement uses certain terms that have the meaning given to them in the Colorado Privacy Act (“CPA”). 

Collection, Use and Sharing of Personal Data 

We may collect, use and share the personal data we obtain as described in the below section of this Privacy Policy and the chart below.  

Category of Personal Data	Processing Purpose(s) (see full list below)	Used for Targeted Advertising?		Sold or Shared
Contact information	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not Sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  Social networks
Demographic information (which may be considered sensitive data)	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not Sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks
Commercial information	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not Sold.              Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks
Payment information	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not sold.     Shared with:  ·       Vendors who provide services on our behalf
Identity verification information	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms
Social media information	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not Sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks
User content	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not sold.  Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks
Geolocation information (which may be considered sensitive data)	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks
Inferences	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not Sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks
Online activity, device and usage information, and similar data collected through automated technologies	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy	Yes		Not Sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks
Other information you choose to provide	·       Personalize your experience  ·       Send you technical and support messages  ·       Communicate with you and advertise and market  ·       Provide customer service  ·       Monitor effectiveness of our advertising  ·       Analyze trends and usage  ·       Develop products and services  ·       Facilitate promotions  ·       Support business operations  ·       Detect, investigate and help prevent security incidents and fraud  ·       Comply with our legal and financial obligations  ·       Provide loyalty programs  ·       Otherwise process information as set forth in this Privacy Policy		Yes	Not sold.     Shared with:  ·       Our affiliates  ·       Vendors who provide services on our behalf  ·       Professional services organizations, such as auditors and law firms  ·       Online advertising services  ·       Data analytics providers  ·       ISPs and operating systems and platforms  ·       Social networks

  

Processing Purposes: 

•           Personalize your experience with us; 

•           Send you technical notices, security alerts, support messages, and other transactional or relationship messages; 

•           Communicate with you about products, services, and events offered by Body Shop and others, and provide news and information that we think will interest you, including through advertisements; 

•           Provide you with customer service support; 

•           Monitor and analyze the effectiveness of our advertising including our advertising on third-party platforms and websites; 

•           Monitor and analyze trends, usage, and activities in connection with our products and services; 

•           Develop new products and services; 

•           Facilitate contests, sweepstakes, surveys, and promotions we may offer and process and deliver entries and rewards; 

•           Support our internal business operations; 

•           Detect, investigate, and help prevent security incidents and other malicious, deceptive, fraudulent, or illegal activity, and help protect the rights and property of Body Shop and others; 

•           Comply with our legal and financial obligations; 

•           Provide and administer loyalty programs that we offer; and 

•           Process information as disclosed at the time you provide and/or we collect the information and as set forth in this Privacy Policy or in any other documentation made available to you. 

We do not knowingly process personal data from children under the age of 13.  We also do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers, as defined in the CPA.  

Your Colorado Privacy Rights 

If you are a Colorado consumer who interacts with us in an individual or household capacity (and not in a commercial or employment context), you have the right to: (1) request access to, correction of or deletion of your personal data; and (2) opt-out of the processing of your personal data for purposes of targeted advertising or the sale of your personal data.  In addition, you have the right to obtain your personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the personal data to another entity.  Please refer to the Your Choice section of our Privacy Policy for more information about how to submit a request and the steps we may take to verify your request. 

To submit an opt-out request as an authorized agent on behalf of a consumer, please submit a request via this web form.