🚚 Free standard shipping on orders over $100 Learn More

Skip to content

Privacy Policy

    We take your privacy seriously; we’re sure you do too, so please do have a read of the full policy.

    Summary

    The Lush Group take your privacy seriously by complying with the Australian Privacy Act 1988 (Cth) (APA) and the Australian Privacy Principles (set out in Schedule 1, APA) (APPs) in Australia, the Privacy Act 1993 in New Zealand (NZPA) (together the “Privacy Acts”), and any other applicable privacy laws in Australia and New Zealand; we’re sure you do too, so please do have a read of the full privacy policy.

    We realise it’s quite long, so we’ve tried to help you out by summarising it here, but we’d still love you to take the time to read it in full. In summary:

    • We collect your personal information to make Lush's website useful to you and provide products and services to you.
    • We’ll keep you posted with Lush news if you opt in.
    • We may share your personal information with companies we work with, but you won’t be plagued with irrelevant material. Your information will not be publicly available, although we may have to pass on your details where required by law or if you breach our Content Standards.
    • By giving us this personal information, you agree it may be stored and processed outside Australia and New Zealand. A list of these countries is available in our privacy policy. We do all we can to ensure this is done securely and in accordance with the privacy policy.
    • To remember you, our system will store cookies. This helps us to improve the website, although you can opt out.
    • We will never sell your personal information.
    • Our privacy policy sets out how you can access or correct your personal information or make a complaint about a breach of the APPs and Privacy Acts and how that complaint will be handled.

    Contents

    1. Important information and who we are

    2. The data we collect about you

    3. How is your personal data collected?

    4. How we use your personal data

    5. Disclosures of your personal data

    6. International transfers

    7. Data security

    8. Data retention

    9. Your legal rights 

    10. Glossary

    Privacy Policy

    Introduction

    Welcome to the Lush Group’s Australian and New Zealand privacy policy.

    The Lush Group respects your privacy and is committed to protecting your personal information. This privacy policy will inform you as to how we look after your personal information when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

    This privacy policy is provided in a layered format so you can click through to the specific areas set out below. Alternatively you can download a pdf version of the policy here. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.

    1. Important information and who we are

    Purpose of this privacy policy

    This privacy policy aims to give you information on how The Lush Group manages personal information provided to or collected by us through your use of this website, including any personal information you may provide through this website when you sign up to our newsletter, purchase a product or service or take part in a competition or event.

    This website is not intended for children and we do not knowingly collect personal information relating to children.

    It is important that you read this privacy policy together with any other privacy policy we may provide on specific occasions when we are collecting or processing personal information about you so that you are fully aware of how and why we are using your personal information. This privacy policy supplements the other policies and is not intended to override them.

    This privacy policy does not apply to the collection, use or disclosure of the personal information of current of former employees of Lush in Australia to the extent that the employee record exemption applies under the Privacy Act. If you are a current or former employee of Lush in Australia, and have a query about the personal information Lush collects, uses or discloses, you should first contact Human Resources.

    Lush Limited (United Kingdom) and its subsidiaries and affiliates, are referred to as ‘The Lush Group’.  This privacy policy is issued on behalf of Lush Limited and its subsidiaries so when we mention "Lush", "we", "us" or "our" in this privacy policy, we are referring to the relevant company in the Lush Group responsible for processing your data. Certain group entities within Lush may have specific privacy policies on their websites, so when visiting or using these services please make sure you are informed of how they also use your personal information.

    Lush Australasia Retail Pty Limited (ABN 24 077 737 663) is responsible for this Australian and New Zealand website.

    If you have any questions about this privacy policy, or you wish to request access to your personal information, or to correct or update your details or raise any privacy concerns, you can contact Lush on the contact details below.

    ..

    Contact details

    Our full details are:

    Full name of legal entity: Lush Australasia Retail Pty Limited (ABN 24 077 737 663)

    Email address: [email protected]

    Postal address: Lush Customer Care, Unit 1A, 74-76 Biloela St, Villawood, NSW 2163

    Telephone number: 1300 587 428

    You have the right to make a complaint at any time to the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au) in Australia, and the Office of the Privacy Commissioner (www.privacy.org.nz/about-us/contact) in New Zealand. We would, however, appreciate the chance to deal with your concerns, so please contact us in the first instance.

    Changes to the privacy policy and your duty to inform us of changes

    This version was last updated in March 2019.

    It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

    Third-party links

    This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

    1. The personal information we collect about you

    In Australia, personal information, means any information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in material form or not. In New Zealand, personal information, means information about an identified individual. In both countries, it does not include data where the identity has been removed (anonymous data or de-identified data).

    We may collect, use, store and disclose different kinds of personal information about you which we have grouped together as follows:

    • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, proof of identity, occupation and photographs or video surveillance recordings of you if you are physically present in our stores.
    • Contact Data includes billing address, delivery address, email address and telephone numbers.
    • Financial Data includes bank account and payment card details.
    • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
    • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
    • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.  
    • Usage Data includes information about how you use our website, products and services.
    • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
    • Employment Data includes any personal information collected in our application forms or during the recruitment process. This may include information relating to your employment history, working eligibility rights, suitability for the role you are applying for, and your referee details.
    • Other Data includes any other personal information you may supply to us.

    We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal information but in accordance with the Privacy Acts is not considered personal information as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this privacy policy. We may also collect other types of information from you that in some instances is not personal information, including:

    • shopping preferences and lists of products and services purchased from us. This may include shopping history, items, colours, or other attributes of products and services we have provided or may provide in the future; or
    • information provided to us via application forms, or directly to team members within our stores in relation to our products and services.

    We do not collect any Sensitive Information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

    If you fail to provide personal information

    Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that personal information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

    1. How is your personal information collected?

    We use different methods to collect personal information from and about you including through:

    • Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise, or by visiting our stores. This includes personal information you provide when you:
    • apply for our products or services;
    • create an account on our website;
    • subscribe to our service or publications;
    • engage with us on social media;
    • download and install apps;
    • request marketing to be sent to you;
    • enter a competition, promotion or survey, attend an event; or
    • give us some feedback or make a complaint.
    • Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.


    1. Purpose of collecting your personal information

    We will collect your personal information for the purpose of:

    • performing the contract we are about to enter into or have entered into with you;
    • providing you with products and services that you have requested from us;
    • providing you with relevant consumer information and notifying you of products, services and special offers that may be of interest to you;
    • communicating with you, including about products and services, special offers, and events which might interest you;
    • answering questions and providing you with information or advice;
    • creating orders, transaction records, agreements for the sale of products or services, accounts, tax invoices or receipts;
    • providing your personal information to third parties that assist us in providing products and services you have requested, such as delivery service providers;
    • carrying out administration, marketing, planning, fraud and loss prevention activities, procurement, product and service development, quality control and research to improve the way Lush and its associated entities and related bodies corporate and service providers provide products and services to individuals;
    • considering and responding to complaints made by you;
    • complying with applicable laws or regulations or to comply with any directions given by regulators or authorities; or
    • assessing an applicant or candidates suitability for an employment position at Lush.


    1. If Lush are unable to collect your personal information

    If we are unable to collect your personal information, some or all of the following may occur:

    • we may be unable to provide products or services to you, to the requested standard or at all;
    • we may be unable to communicate with you to provide information about products and services that you have purchased from us, or may intend to purchase in the future;
    • we may be unable to tailor the content of our marketing communications to suit your preferences;
    • an individual's experience when interacting with Lush may be delayed or not as efficient as they may expect; or
    • if you are an applicant or candidate for employment, Lush may not be able to process your application for a position at Lush.


    1. Cookies

    We may use temporary (session) cookies or permanent cookies when you access our Australian and New Zealand websites.

    You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

    What are cookies?

    Cookies are pieces of code added to a browser during a visit to a website. They facilitate an enhanced user journey, may provide behavioural information, analytical information, or simply enable functionality of a website.

    Cookies can exist during a browsing session or be retained on your computer hard drive for pre-defined periods.

    Cookie types

    • Strictly necessary cookies. These are cookies that are required for the operation of our websites. They include, for example, cookies that enable you to log into secure areas of our website or use a shopping cart.
    • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
    • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you and remember your preferences.
    • Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the content displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
    • Third party cookies. The cookies that we described above are known as ‘first party’ cookies. These are cookies that are placed on your device by us. ‘Third party’ cookies are cookies that are placed on your device by a third party when you visit our websites.

    Avoiding Cookies

    You can block cookies by activating the relevant setting. You are able to delete, block, accept, and clear cookies when you close your browser depending on the browser you are using.  However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.

    Alternatively we always will enable you to subscribe or unsubscribe to each category of cookie.

    Should you opt out of all cookies you will affect the functionality of our website.

    If you do not wish to allow cookies we would be happy to receive your order by phone. Please call Lush Customer Care on 1300 587 428 to place your order.

    1. Disclosures of your personal information

    We may disclose your personal information for the purpose for which it was collected or for a related purpose consented to or if we are authorised or required by law. Some of the recipients we may disclose your personal information to include, other organisations within our group, third-party organisations that provide applications/functionality, data processing or IT services, delivery couriers, third-party organisations that assist us with the administration of our promotions, recruitment agencies and related organisations, auditors, lawyers, accountants and other professional advisers, law enforcement or other government and regulatory agencies, credit card and payment providers, third party email marketing and CRM specialists, and other third parties to help us personalise our offers to you and to fulfil our obligations to our customers.

    Where personal information is shared with a third party, we will take reasonable steps to ensure that these third parties observe the confidential nature of such personal information and prohibit them from using any or all of this personal information other than for the purpose for which it was provided.

    Such third parties include but are not limited to:

    • Internal Third Parties as set out in the Glossary below.
    • External Third Parties as set out in the Glossary below.
    • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. When we share personal information with others, we put contractual arrangements and security mechanisms in place to protect the personal information and to comply with our data protection, confidentiality and security standards but we will never sell your data to third parties.


    1. Overseas disclosure

    Some of our associated companies and service providers with whom we disclose personal information may be located overseas. The countries in which the recipients are likely to be located include those Internal Third Parties and External Third Parties listed in the Glossary below. These associated companies and service providers will often be subject to privacy and confidentiality obligations dictated by applicable laws in their own jurisdictions. Nevertheless, we will take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach applicable privacy laws or principles. 

    1. Direct Marketing Communications

    If you consent to receiving direct marketing communications from us in order for us to tell you about our products, services, promotions and offers, we may send you direct marketing communications and information about products and services offered by us via email, SMS or regular mail.

    If you have indicated a preference for a method of communication, we will endeavour to use that method wherever practicable to do so.

    You may opt out of receiving marketing communications at any time by responding via the channel in which they received the marketing communication or by contacting Lush via the details provided below. You can unsubscribe from emails by clicking the unsubscribe link on the footer of the email communication you have received.

    We will not provide your personal information to any other organisations for the purpose of direct marketing.

    1. Integrity

    We will take reasonable steps to ensure the integrity of the personal information we collect and hold about you, and ensure that it is correct. To assist us, we ask you ensure that the personal information you provide to us is accurate, up-to-date, and complete and to ensure that you contact us if your details change.

    1. Security

    We understand the importance of securing personal information and we have put in place appropriate security measures to safeguard and secure your personal information to prevent unauthorised access or disclosure, or loss resulting in unauthorised access or disclosure, maintain accuracy and ensure the appropriate use of your personal information.

    In addition, we limit access to your personal information to those employees, agents, contractors and other third parties businesses on a need-to-know basis. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

    We secure access to all transactional areas of our websites and apps using ‘https’ technology.

    We regularly monitor our system for possible vulnerabilities and attacks, and we carry out vulnerability testing to identify ways to further strengthen security.

    We have put in place procedures to deal with any suspected data breach and will notify you and the OAIC and/or Office of the Privacy Commissioner in New Zealand (as applicable) of an eligible data breach where we are legally required to do so.

    1. Data retention

    How long will you use my personal information for?

    We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

    At the end of that retention period, your personal information will either be deleted completely or anonymised or de-identified, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

    1. Access to your personal information

    You may request access to your personal information. This enables you to receive a copy of the personal information we hold about you. Normally we will provide you with a record of your personal information via your preferred contact method (phone, email or mail) and Lush will not charge a fee. If a legal exception applies and we decide not to provide you with access to any personal information we hold about you, we will advise you of the reasons for our decision and how you may complain. For example, we may refuse to provide access if your request is unlawful, or it may have an unreasonable impact on the privacy of other individuals.

    1. Correction of your personal information

    You may request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new personal information you provide to us. Where reasonable we will make the requested amendments if we are satisfied that any personal information is inaccurate, incomplete, out of date, misleading or irrelevant (having regard to the purpose for which it is held). If we do not agree that the personal information needs correction, you may ask that we attach a statement to this effect to our record.

    In most cases you will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

    1. What we may need from you

    We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    1. Time limit to respond

    We will respond to all requests within a reasonable period, but in any case no later than 20 working days. Occasionally it may take us longer than 20 days to provide you with the requested information if your request is particularly complex or you have made a number of requests. In this case, we will notify you within the 20 day timeframe of when we expect to provide you with the requested information and keep you updated.

    1. Complaints and queries

    You can let Lush know if you have any concerns or complaints about the way Lush is handling your personal information so Lush can address them.

    If Lush is unable to satisfactorily resolve your concerns or complaints, an individual can contact the OAIC in Australia or the Office of the Privacy Commissioner in New Zealand.

    To make a query concerning your privacy rights, or to lodge a complaint about how Lush has handled your personal information, you can contact the Office of the Privacy Commissioner in New Zealand using any of the contact details listed at www.privacy.org.nz/about-us/contact or, if you are in Australia, you may call the OAIC’s hotline on 1300 363 992, or visit the OAIC's website at www.oaic.gov.au. The OAIC has the power to investigate and make a determination.

    1. Changes to the Policy

    Lush may, from time to time, amend this privacy policy, in whole or in part, in its sole discretion. Any changes which are significant or will impact on your rights or freedoms will be notified to you [at least 14 days] in advance. If you do not agree with the terms of this privacy policy, as amended from time to time, in whole or part, you must not access our products or services, including this Australian and New Zealand website.

    1. Glossary

    THIRD PARTIES

    Internal Third Parties

    Other companies in the Lush Group, acting as joint controllers or processors and who are based in:

    UK and Ireland

    Austria

    Germany

    Hungary

    Italy

    Sweden

    France

    Portugal

    Spain

    Czech

    Holland

    Luxembourg

    Belgium

    UAE

    Hong Kong

    Australia

    New Zealand

    Japan

    and provide IT and system administration services and undertake leadership reporting.

    External Third Parties

    Service providers acting as joint controllers or processors based:

    • Kuwait
    • Lebanon
    • Macedonia
    • Saudi
    • Slovenia
    • Bulgaria
    • Ukraine
    • Panama
    • Mexico
    • Thailand
    • South Africa
    • Oman
    • Bahrain
    • Singapore

    Services providers acting as processors and controllers based:

    • Switzerland
    • Croatia
    • Russia
    • Norway
    • Chile
    • Finland
    • Korea
    • USA
    • Canada

    who provide IT and system administration services.

    • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
    • Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.

    Other Third parties

    • Google Analytics
    • Google Cloud
    • Google Business
    • Electio
    • MetaPack
    • Olark
    • MailChimp/Mandrill
    • FFW
    • Adyen
    • Braze
    • PayPal
    • Hotjar
    • Slack
    • Sendgrid
    • Cloudflare
    • Conversocial
    • Booker
    • Rackspace
    • Crazyegg
    • Anchoris
    • Zendesk
    • Mitingu
    • Eventbrite
    • Vacancy Filler
    • Sorted
    • Australia Post
    • NZ Couriers
    • DPD
    • UPS
    • Ethical Consumer
    • Sage
    • Eventbrite
    • Mitingu
    • Vacancy Filler
    • Fabric.io
    • Queueflow

    Homepage - Privacy Policy