We take your privacy seriously; we’re sure you do too, so please do have a read of the full policy.
We realise it’s quite long, so we’ve tried to help you out by summarising it here, but we’d still love you to take the time to read it in full. In summary:
- We collect your personal information to make Lush's website useful to you and provide products and services to you.
- We’ll keep you posted with Lush news if you opt in.
- We may share your personal information with companies we work with, but you won’t be plagued with irrelevant material. Your information will not be publicly available, although we may have to pass on your details where required by law or if you breach our Content Standards.
- To remember you, our system will store cookies. This helps us to improve the website, although you can opt out.
- We will never sell your personal information.
1. Important information and who we are
2. The data we collect about you
3. How is your personal data collected?
4. How we use your personal data
5. Disclosures of your personal data
6. International transfers
7. Data security
8. Data retention
9. Your legal rights
- Important information and who we are
This website is not intended for children and we do not knowingly collect personal information relating to children.
Lush Australasia Retail Pty Limited (ABN 24 077 737 663) is responsible for this Australian and New Zealand website.
Our full details are:
Full name of legal entity: Lush Australasia Retail Pty Limited (ABN 24 077 737 663)
Email address: [email protected]
Postal address: Lush Customer Care, Unit 1A, 74-76 Biloela St, Villawood, NSW 2163
Telephone number: 1300 587 428
You have the right to make a complaint at any time to the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au) in Australia, and the Office of the Privacy Commissioner (www.privacy.org.nz/about-us/contact) in New Zealand. We would, however, appreciate the chance to deal with your concerns, so please contact us in the first instance.
This version was last updated in March 2019.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
- The personal information we collect about you
In Australia, personal information means any information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in material form or not. In New Zealand, personal information means information about an identified individual. In both countries, it does not include data where the identity has been removed (anonymous data or de-identified data).
We may collect, use, store and disclose different kinds of personal information about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, proof of identity, occupation and photographs or video surveillance recordings of you if you are physically present in our stores.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Employment Data includes any personal information collected in our application forms or during the recruitment process. This may include information relating to your employment history, working eligibility rights, suitability for the role you are applying for, and your referee details.
- Other Data includes any other personal information you may supply to us.
- shopping preferences and lists of products and services purchased from us. This may include shopping history, items, colours, or other attributes of products and services we have provided or may provide in the future; or
- information provided to us via application forms, or directly to team members within our stores in relation to our products and services.
We do not collect any Sensitive Information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
If you fail to provide personal information
Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that personal information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
- How is your personal information collected?
We use different methods to collect personal information from and about you including through:
- Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise, or by visiting our stores. This includes personal information you provide when you:
- apply for our products or services;
- create an account on our website;
- subscribe to our service or publications;
- engage with us on social media;
- download and install apps;
- request marketing to be sent to you;
- enter a competition, promotion or survey, attend an event; or
- give us some feedback or make a complaint.
- Purpose of collecting your personal information
We will collect your personal information for the purpose of:
- performing the contract we are about to enter into or have entered into with you;
- providing you with products and services that you have requested from us;
- providing you with relevant consumer information and notifying you of products, services and special offers that may be of interest to you;
- communicating with you, including about products and services, special offers, and events which might interest you;
- answering questions and providing you with information or advice;
- creating orders, transaction records, agreements for the sale of products or services, accounts, tax invoices or receipts;
- providing your personal information to third parties that assist us in providing products and services you have requested, such as delivery service providers;
- carrying out administration, marketing, planning, fraud and loss prevention activities, procurement, product and service development, quality control and research to improve the way Lush and its associated entities and related bodies corporate and service providers provide products and services to individuals;
- considering and responding to complaints made by you;
- complying with applicable laws or regulations or to comply with any directions given by regulators or authorities; or
- assessing an applicant's or candidate's suitability for an employment position at Lush.
- If Lush are unable to collect your personal information
If we are unable to collect your personal information, some or all of the following may occur:
- we may be unable to provide products or services to you, to the requested standard or at all;
- we may be unable to communicate with you to provide information about products and services that you have purchased from us, or may intend to purchase in the future;
- we may be unable to tailor the content of our marketing communications to suit your preferences;
- an individual's experience when interacting with Lush may be delayed or not as efficient as they may expect; or
- if you are an applicant or candidate for employment, Lush may not be able to process your application for a position at Lush.
We may use temporary (session) cookies or permanent cookies when you access our Australian and New Zealand websites.
What are cookies?
Cookies are pieces of code added to a browser during a visit to a website. They facilitate an enhanced user journey, may provide behavioural information, analytical information, or simply enable functionality of a website.
Cookies can exist during a browsing session or be retained on your computer hard drive for pre-defined periods.
- Strictly necessary cookies. These are cookies that are required for the operation of our websites. They include, for example, cookies that enable you to log into secure areas of our website or use a shopping cart.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you and remember your preferences.
- Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the content displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
- Third party cookies. The cookies that we described above are known as ‘first party’ cookies. These are cookies that are placed on your device by us. ‘Third party’ cookies are cookies that are placed on your device by a third party when you visit our websites.
You can block cookies by activating the relevant setting. You are able to delete, block, accept, and clear cookies when you close your browser depending on the browser you are using. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.
Alternatively, we will always enable you to subscribe or unsubscribe to each category of cookie.
Should you opt out of all cookies you will affect the functionality of our website.
If you do not wish to allow cookies we would be happy to receive your order by phone. Please call Lush Customer Care on 1300 587 428 to place your order.
- Disclosures of your personal information
We may disclose your personal information for the purpose for which it was collected, for a related purpose consented to, or if we are authorised or required by law. The recipients to whom we may disclose your personal information include other organisations within our group, third-party organisations that provide applications/functionality, data processing or IT services, delivery couriers, third-party organisations that assist us with the administration of our promotions, recruitment agencies and related organisations, auditors, lawyers, accountants and other professional advisers, law enforcement or other government and regulatory agencies, credit card and payment providers, third-party email marketing and CRM specialists, and other third parties to help us personalise our offers to you and to fulfil our obligations to our customers.
Where personal information is shared with a third party, we will take reasonable steps to ensure that these third parties observe the confidential nature of such personal information and prohibit them from using any or all of this personal information other than for the purpose for which it was provided.
Such third parties include but are not limited to:
- Internal Third Parties as set out in the Glossary below.
- External Third Parties as set out in the Glossary below.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. When we share personal information with others, we put contractual arrangements and security mechanisms in place to protect the personal information and to comply with our data protection, confidentiality and security standards but we will never sell your data to third parties.
- Overseas disclosure
Some of our associated companies and service providers to whom we disclose personal information may be located overseas. The countries in which the recipients are likely to be located include those Internal Third Parties and External Third Parties listed in the Glossary below. These associated companies and service providers will often be subject to privacy and confidentiality obligations dictated by applicable laws in their own jurisdictions. Nevertheless, we will take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach applicable privacy laws or principles.
- Direct Marketing Communications
If you consent to receiving direct marketing communications from us in order for us to tell you about our products, services, promotions and offers, we may send you direct marketing communications and information about products and services offered by us via email, SMS or regular mail.
If you have indicated a preference for a method of communication, we will endeavour to use that method wherever practicable to do so.
You may opt out of receiving marketing communications at any time by responding via the channel in which you received the marketing communication or by contacting Lush via the details provided below. You can unsubscribe from emails by clicking the unsubscribe link in the footer of the email communication you have received.
We will not provide your personal information to any other organisations for the purpose of direct marketing.
We will take reasonable steps to ensure the integrity of the personal information we collect and hold about you, and ensure that it is correct. To assist us, we ask that you ensure that the personal information you provide to us is accurate, up-to-date, and complete, and that you contact us if your details change.
We understand the importance of securing personal information and we have put in place appropriate security measures to safeguard and secure your personal information to prevent unauthorised access or disclosure, or loss resulting in unauthorised access or disclosure, maintain accuracy and ensure the appropriate use of your personal information.
In addition, we limit access to your personal information to those employees, agents, contractors and other third-party businesses on a need-to-know basis. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We secure access to all transactional areas of our websites and apps using ‘https’ technology.
We regularly monitor our system for possible vulnerabilities and attacks, and we carry out vulnerability testing to identify ways to further strengthen security.
We have put in place procedures to deal with any suspected data breach and will notify you and the OAIC and/or Office of the Privacy Commissioner in New Zealand (as applicable) of an eligible data breach where we are legally required to do so.
- Data retention
How long will you use my personal information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
At the end of that retention period, your personal information will either be deleted completely or anonymised or de-identified, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
- Access to your personal information
You may request access to your personal information. This enables you to receive a copy of the personal information we hold about you. Normally we will provide you with a record of your personal information via your preferred contact method (phone, email or mail) and Lush will not charge a fee. If a legal exception applies and we decide not to provide you with access to any personal information we hold about you, we will advise you of the reasons for our decision and how you may complain. For example, we may refuse to provide access if your request is unlawful, or it may have an unreasonable impact on the privacy of other individuals.
- Correction of your personal information
You may request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new personal information you provide to us. Where reasonable we will make the requested amendments if we are satisfied that any personal information is inaccurate, incomplete, out of date, misleading or irrelevant (having regard to the purpose for which it is held). If we do not agree that the personal information needs correction, you may ask that we attach a statement to this effect to our record.
In most cases you will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
- What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- Time limit to respond
We will respond to all requests within a reasonable period, but in any case no later than 20 working days. Occasionally it may take us longer than 20 days to provide you with the requested information if your request is particularly complex or you have made a number of requests. In this case, we will notify you within the 20 day timeframe of when we expect to provide you with the requested information and keep you updated.
- Complaints and queries
You can let Lush know if you have any concerns or complaints about the way Lush is handling your personal information so Lush can address them.
If Lush is unable to satisfactorily resolve your concerns or complaints, an individual can contact the OAIC in Australia or the Office of the Privacy Commissioner in New Zealand.
To make a query concerning your privacy rights, or to lodge a complaint about how Lush has handled your personal information, you can contact the Office of the Privacy Commissioner in New Zealand using any of the contact details listed at www.privacy.org.nz/about-us/contact or, if you are in Australia, you may call the OAIC’s hotline on 1300 363 992, or visit the OAIC's website at www.oaic.gov.au. The OAIC has the power to investigate and make a determination.
- Changes to the Policy
Internal Third Parties
Other companies in the Lush Group, acting as joint controllers or processors and who are based in:
UK and Ireland
and provide IT and system administration services and undertake leadership reporting.
External Third Parties
Service providers acting as joint controllers or processors based:
- South Africa
Service providers acting as processors and controllers based:
who provide IT and system administration services.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
Other Third parties
- Google Analytics
- Google Cloud
- Google Business
- Vacancy Filler
- Australia Post
- NZ Couriers
- Ethical Consumer