PRIVACY POLICY

Last Updated: 8 April 2026
WHAT DOES THIS POLICY COVER?
This Privacy Policy (also referred to as “Policy”) describes how Huda Beauty (also referred to as “us”, “our” or “we”) will make use of your personal data whenever you interact with us and our website at https://hudabeauty.com/ (“website”), order any of our products and related services whether online or in-store, or otherwise interact with a property that links to this Policy (collectively, the “Services”). It also describes data protection rights that may apply to you, including the right to object to some of the processing which we carry out. More information about these rights, and how to exercise them, is set out in the “Your rights and choices” section.
We also may provide you with additional information when we collect personal data, where we feel it would be helpful, more relevant and timely.
“Huda Beauty”, “us”, “our” or “we” means any company within the Huda Beauty Group of Companies, which includes:
COMPANY NAME: COUNTRY OF INCORPORATION
Huda Beauty DMCC: United Arab Emirates
Huda Beauty FZ-LLC: United Arab Emirates
HB UK Hold Co: United Kingdom
Huda Beauty LLC: United Arab Emirates
HB USA Holdings Inc: United States of America
HB FR SAS: France
H B Beauty Products Trading DWC FZ LLC: United Arab Emirates
Huda Beauty APAC PTE Ltd: Singapore
All the companies within the Huda Beauty Group of Companies are jointly responsible for the personal data that you share with us. The controller of your personal data will be the Huda Beauty entity from which you purchase products and services.
WHO THIS POLICY APPLIES TO
This Privacy Policy applies to you where you engage with us, such as when buying our products, signing up to one of our brand-led newsletters, entering a competition, joining a membership or an affiliate scheme, or otherwise interacting with us. This Privacy Policy also applies to personal data we may collect about you from other sources.
We set out below information on the personal data we might collect or hold about you, how and why we use it, who we share it with, how we protect it and keep it secure, and your rights around your personal data. It also describes data protection rights that may apply to you, including the right to object to some of the processing which we carry out. You must be at least 18 years old to use our services and sign up to promotional content unless the local laws where you are based or the terms for a specific service or marketing sign-up state otherwise. Not all the information set out below may apply to you.
WHAT IS NOT COVERED BY THIS POLICY?
This Privacy Policy does not apply to Huda Beauty employees, job applicants, and shareholders. It does not cover other companies or organisations (which may advertise our products and services and use cookies, tags and other tracking technologies) collecting and using your personal data to offer relevant online advertisements to you. You should review their cookie and privacy policies before giving them your personal data.
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU AND HOW DO WE USE IT?
How do we collect your personal data?
There are many ways we may collect your personal data, including via our websites, forms, devices, third party sellers or our brand pages on social media. Sometimes you give this to us directly (e.g. when you create an account, contact us, join our email list, purchase from our websites or stores, enter a competition or promotion, or interact with us for any other purpose). Sometimes we (and other entities) automatically collect Online Browsing Data (as defined below) using cookies and similar tracking technology to understand how you use our websites. See the “Digital Advertising & Analytics” section below to learn more about the use of this data and the choices available to you. Sometimes we receive your personal data from other Huda Beauty Group entities or third parties (e.g. when you mention Huda Beauty products or services on non-Huda Beauty pages or social media platforms or smart devices).
Depending on where you are located, we may need a valid legal basis to process your personal data. If we do, the table below sets out which legal basis we rely on when processing your personal data. Please note that the legal basis we rely on may vary depending on the country you are located in.
To explain what a ‘legal basis’ is – under data protection laws, the legal basis for the processing of your personal data can be:
Your consent – where we ask for your agreement to use your personal data for a specific purpose.
The performance of a contract – where we need to process your personal data to provide you with a service/something under an agreement we have with you or as part of preparing to enter into an agreement with you. An example of this would be the purchase of a product.
Our legitimate interests – where the use of your personal data is in our legitimate business interests, e.g. tailoring experiences for you based on your shopping preferences, responding to customer service requests. Our legitimate interest will vary depending on what we are using your data for, and we explain further below what the interest is and how it relates to the processing operations that we are carrying out. Where we process personal data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. [In the UK, we do not need to conduct a balancing test if we process personal data for a “recognised legitimate interest.”] You can obtain more information about this balancing test by using the contact details at the end of the notice.
To comply with a legal obligation – where we need to use your personal data for our own legal and regulatory compliance reasons (e.g. to comply with our tax and financial reporting obligations).
When we collect personal data, we will indicate which types of personal data we require via asterisks (e.g. mandatory information to allow us to create your account or deliver the products you have purchased on our websites/apps). If you do not provide the personal data marked with an asterisk, this may affect the products and services that we can provide.
What ways could we collect your personal data?
What data may we hold about you?
How and why may we use it?
What is the legal basis for being able to process this data?
Account creation and management
Where we collect your personal data while creating or managing your account on Huda Beauty Services or through a social media login or in store.
First name and surname;
Gender;
Email address;
Address;
Phone number;
Photo;
Birthday or age range;
ID/username, and password;
Personal description or preferences;
Order and/or appointment details;
Social media profile (where you use your social media login or share this personal data with us);
Loyalty code;
User Generated Content; and/or
Other information you have shared with us about yourself (e.g. via your “My Account” page, by contacting us, asking a question via the chat function available on some websites, or by participating in a contest, game, survey etc.).
Manage your account, orders and/or appointments;
Provide customer support;
Offer and manage a loyalty program;
Allow you to manage your preferences; and/or
Manage any competitions, promotions, surveys or contests you enter.
The performance of a contract: so you can create and manage your account, and we can provide you with the services that you request.
Give you better insights to tailor these communications to your interests which may be tailored to your “profile” (i.e. based on the personal data we know about you and your preferences);
Offer personalised services based on your beauty characteristics;
Monitor and improve our websites;
Run analytics or collect statistics;
Secure our websites and protect you and us against fraud or other unlawful activity; and/or
Respond to your questions and otherwise interact with you.
Our legitimate interests: (i) to improve our products and services; (ii) better engage with you; (iii) send or display personalised content; (iv) prevent fraud or criminal activity; and (v) maintain the security of our websites/apps.
In the UK, we rely on our recognised legitimate interest to prevent, detect or investigate crime.
Where we use cookies or similar technologies, we rely on your consent where required.
Send you personalised marketing and promotional communications via direct means, including email, SMS, WhatsApp and postal mail in relation to our relevant products and Services and to provide you with tailored content and ads on our website and other sites, apps or social media platforms (including social media such as Google, Meta/Facebook, Instagram, Snapchat, TikTok, Amazon, and Pinterest) based on your interactions on our website and other sites or apps or social media platforms (including measuring the effectiveness of our advertising campaigns);
Enable you to send content on your behalf to your friends and/or family.
(hereafter defined as “Marketing and Advertising”)
Consent: where required by applicable law, we ask for your consent to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms, and where required, when we use cookies or similar technologies.
Where consent is not required by applicable law, we rely on our legitimate interests to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms.
Newsletter and marketing subscription
Where your personal data is collected when you subscribe to receive our marketing communications.
First name and surname;
Email address.
Marketing and Advertising as defined above
Consent: where required by applicable law, we ask for your consent to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms, and where required, when we use cookies or similar technologies.
Where consent is not required by applicable law, we rely on our legitimate interests to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms.
Keep an up-to-date suppression list if you have asked not to be contacted.
Our legitimate interests: to (i) improve our products and services, and (ii) to maintain suppression lists to ensure we respect your communication preferences.
Purchases and order management
Where your personal data are collected during the purchase process on Huda Beauty Services, in store or on voice assistant platforms.
First name and surname;
Email address;
Address;
Phone number;
Personal description or preferences;
Gender;
Social media profile (where you use your social media login or share this personal data with us);
Transaction information including purchased products;
Payment and billing information; and/or
Purchase history.
Process your order including delivering the product to the address you indicated; and/or
Manage payment. Please note that your payment information (credit card number/PayPal/bank account details) are not collected by us directly, but by secure payment service providers.
The performance of a contract: so you can make a purchase, and we can manage the associated logistics.
Contact you to finalise your order where you have saved your shopping cart or placed products in your cart without completing the checkout process;
Inform you when a product you wanted to purchase is available;
Manage any contact you have with us about your order and/or contact you to request feedback on our products/services;
Secure your transactions against fraud. We may use a third-party provider’s solution to detect fraud or other unlawful activity and make sure that payment is completed;
If you place a purchase using a registered account, we will add this transaction to Your Profile so we can understand your interests and preferences, and you will see a record of your transactions with us within your account (where applicable); and/or
Run analytics or collect statistics.
Our legitimate interests: (i) to improve our products and services; (ii) better engage with you; (iii) send or display personalised communications or content to you (profiling); (iv) prevent fraud or criminal activity; and (v) secure our tools.
In the UK, this is a recognised legitimate interest when we do this to prevent, detect, or investigate a crime.
Where we use cookies or similar technologies, we rely on your consent where required.
Manage any dispute relating to a purchase.
Where we have a legal obligation under EEA/EEA Member State or UK law to meet these requests, it is necessary for us to comply with our legal obligations.
Otherwise, it is in our legitimate interests to manage disputes and defend our rights.
Marketing and Advertising as defined above
Consent: where required by applicable law, we ask for your consent to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms, and where required, when we use cookies or similar technologies.
Where consent is not required by applicable law, we rely on our legitimate interests to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms.
Browsing and Usage Data
Where your personal data are collected by cookies or similar technologies (“cookies”*) when you browse Huda Beauty Services or on third-party websites/apps where we have cookies.
*cookies are small text files stored on your device (computer, tablet or mobile) when you are on the Internet, including on Huda Beauty websites.
Data related to your use of our Services, including:
Where you came from;
Login details;
Location;
Data related to your navigation on our Services, incl. scroll/mouse movement (but in a manner that does not identify you);
Pages/ads/content you looked at, clicked or tapped on;
Duration of your visit; and/or
Products you searched for and/or selected to create your basket.
Technical information, such as:
Your IP address;
Browser information;
Device information;
Your unique ID which is given to each visitor, and the expiration date of the ID; and/or
Your visitor ID.
We use cookies, together with other personal data you have already shared with us (such as previous purchases, or whether you’re signed up to our email newsletters) to:
support targeted advertising, and show you:
online advertisements for products which may be of interest to you, based on your previous behaviour; and/or
ads and content on social media platforms or other websites.
tailor our services for you to:
show you recommendations, marketing, or content based on Your Profile and interests; and/or
display our websites in a tailored way, for example, show you products we think you might like.
allow our websites/apps to function properly, such as to:
ensure the proper display of content;
create and remember your shopping cart;
create and remember your account login details;
interface personalisation, such as language, or any user-interface customisation (i.e. parameters attached to your device including your screen resolution or font preference), etc.;
perform troubleshooting and/or
improve user experience and our websites/apps, for example, by testing new ideas or layouts.
ensure our websites/apps are secure and safe, and to protect you against fraud or misuse of our websites/apps or services.
run statistics, that is to:
avoid visitors being recorded twice;
know users’ reactions to our advertising campaigns;
improve our offers; and/or
understand how you discovered our websites/apps.
allow sharing of our content on social media platforms.
recognize returning users across all touchpoints using fingerprinting device intelligence technology.
Our legitimate interests: to ensure that we provide you with websites/apps, advertisements and communications that function properly, and to continuously improve cookies that are (i) fundamental to the operation of our websites; and (ii) used to ensure the protection and security of our websites.
Consent for all other cookies where required.
Social Media Platforms
Where your personal data are collected from your activity on social media platforms.
We may get information you publicly post on social media platforms (e.g. TikTok) and use it to better understand how consumers view our products/services and interact with us. For example, we may use public posts to identify beauty trends. Where possible, we do this in a way that we are unable to directly identify you.
We may also collect your personal data when you mention us on social media platforms. The personal data we collect may include:
Social media handle;
Photo; and/or
Any comments mentioned in your post.
If we want to re-use any content you post on social media platforms, we will always ask your permission first.
Monitor and improve our products and the Services; and/or
Run analytics or collect statistics.
Our legitimate interests: (i) to improve our products and services; and (ii) better engage with you.
Where we use cookies or similar technologies, we rely on your consent where required.
Promotions
Where your personal data are collected during a competition, prize draw, game, contest, promotional offer, sample request, survey etc.
Depending on the promotional offer and/or the frequency of your interactions with us, this personal data may include:
First name and surname;
Email address;
Phone number;
Birthday or age range;
Gender;
Address;
Personal description or preferences;
Social media profile (where you use your social media login or share this personal data with us); and/or
User Generated Content;
Other information you have shared with us about yourself (e.g. via your “My Account” page, by contacting us, a question via the chat function available on some of our websites, or by participating in a contest, game, survey etc.).
To complete tasks that you have asked us to, for example, to manage your participation in the promotion or prize draw, taking into account your feedback and suggestions.
The performance of a contract: so you may enter into the competition or prize draw, and we can deliver the prize.
Run analytics and statistics; and/or
Add your participation to Your Profile so we can understand your interests and preferences.
Our legitimate interests: to send you communications related to your request, and to help us better understand your needs and expectations and thus improve our services, products and brands.
Send you samples.
Consent: to provide you with the samples you have requested.
User Generated Content
Where your personal data are collected when you submit content (for example images or ratings and reviews) on one of our Services, or accept our re-use of any content you posted on social media platforms.
First name and surname or alias;
Email address;
Photo;
Personal description or preferences;
Social media profile (where you use your social media login or share this personal data with us); and/or
Other information you have shared with us about yourself (e.g. via your “My Account” page, by contacting us, or by providing your own content such as photos or reviews, or a question via the chat function available on some websites).
Use the content you have created and/or shared in accordance with the specific terms and conditions accepted by you (e.g. to post your review/content and to promote our products).
Consent: to reuse the content you’ve uploaded.
Contact you to request feedback on our products and/or services;
Syndicate your ratings and reviews across our brand websites in other countries where we operate;
Run analytics and compile statistics; and/or
Add your content to Your Profile so we can understand your interests and preferences.
Our legitimate interests: to help us better understand your needs and expectations and, in doing so, improve and promote our services, products and brands.
Marketing and Advertising as defined above
Consent: where required by applicable law, we ask for your consent to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms, and where required, when we use cookies or similar technologies.
Where consent is not required by applicable law, we rely on our legitimate interests to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms.
Consultations and Product Recommendations
Where your personal data are collected in connection with certain uses of our Services, like when you try on our products virtually.
First name and surname;
Gender;
Email address;
Phone number;
Photo;
Location;
Birthday and/or age range;
Personal description or preferences, including characteristics such as skin tone, skin/hair type (e.g. your beauty profile);
Recordings of online consultations;
Application or device usage data;
Consultation data (pictures, attributes, scores, survey answers, products recommended);
Provide you with the service(s) you requested (e.g. test our products virtually, enable you to purchase our products, provide you with online consultations to speak with an expert about your skin and receive bespoke skincare recommendations, advice and notifications regarding your sun exposure, skin/hair routine etc.).
The performance of a contract: to deliver the service you have requested (e.g. to enable you to try on products virtually).
Analyse your personal characteristics and recommend appropriate products (including bespoke products) and routines;
Conduct research and innovation by scientists within the Huda Beauty Group;
Monitor and improve our Services and devices;
Run analytics and statistics; and/or
Enrich Your Profile to tailor these communications to your interests.
Our legitimate interests: to improve our products and services to meet your needs and expectations, and advance research and innovation; to publish content.
Where we use cookies or similar technologies, we rely on your consent where required.
Marketing and Advertising as defined above
Consent: where required by applicable law, we ask for your consent to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms, and where required, when we use cookies or similar technologies.
Where consent is not required by applicable law, we rely on our legitimate interests to send or display personalised marketing communications or content (including profiling) both directly to you and online via third parties such as social media platforms.
Enquiries
Where your personal data are collected when you ask questions (e.g., via customer service) relating to our brands, our products and their use, or your purchases, account or rights.
First name and surname;
Phone number;
Email address; and/or
Other information you have shared with us about yourself in relation to your enquiry (which may include call recordings).
Answer and manage your enquiries, including to connect you with the appropriate service if necessary;
Send you satisfaction surveys as a result of interactions with us (e.g. after a purchase or customer service contact);
Compile and analyse statistics;
Add your questions or concerns to Your Profile so we can understand your interests and preferences;
Monitor and prevent any adverse reactions related to the use of our products;
Carry out studies concerning the safety or use of our products; and/or
Carry out and follow up on corrective actions taken, if necessary.
Our legitimate interests: (i) to respond to your enquiries, (ii) to improve our products and services; (iii) send you satisfaction surveys as a result of interactions with us, (iv) better engage with you; (v) secure our tools and (vi) carry out studies concerning the safety or use of our products.
Legal obligation: to comply with the legal obligation to monitor the adverse effects of our products.
Our Premises
Where your personal data are collected when you visit our premises (e.g. our store(s) or our hairdressing academy).
Photo/Video captured via CCTV; and/or
Attendance/visitor forms (which may include the collection of welfare data).
Assist in the prevention and detection of crime and manage enquiries;
Help ensure the health, safety and security of our employees and visitors; and/or
Help ensure the security of information located or stored within our premises or assets.
Our legitimate interests: to (i) prevent fraud and criminal activity; and (ii) secure our tools.
In the UK, this is a recognised legitimate interest when we do this to prevent, detect, or investigate a crime.
Legal obligation: to meet health and safety requirements.
All of the above
All relevant data
To protect our business interests, to establish, exercise, or defend legal claims and to protect and enforce the rights, contracts, property, security or safety of us, our business or others, including investigating and helping to prevent fraud or other unlawful activity.
Our business interests can sometimes involve undertaking mergers, acquisitions, reorganisations or disposals, as permitted/required in accordance with applicable law.
When we have a legal obligation under EEA/EEA Member State or UK law, we process the data in order to comply with applicable law and regulations.
When we have a legal obligation under laws outside the EEA/UK or our processing is not pursuant to a legal obligation, we have a legitimate interest in protecting our business interests and legal rights, and the interests and legal rights of our users.
In the UK, this is a recognised legitimate interest when we do this to prevent, detect, or investigate a crime.
To meet requests and requirements to disclose from any regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals.
Where we have a legal obligation under EEA/EEA Member State or UK law to meet these requests, it is necessary for us to comply with our legal obligations.
Otherwise, it is in our legitimate interests to meet the requests from these sources.
In the UK, this is a recognised legitimate interest when we do this to prevent, detect, or investigate a crime.
To maintain the security of our websites and services and to detect, investigate, monitor, remediate and/or prevent security or cyber incidents.
Where we have a legal obligation under EEA/EEA Member State or UK law, we process the data in order to comply with applicable law and regulations.
Otherwise, it is in our legitimate interests to maintain the security of our websites and services.
In the UK, this is a recognised legitimate interest when we do this to prevent, detect, or investigate a crime.
A note on sensitive personal data
Some of the personal data we process may be considered special categories of personal data or ‘sensitive personal data’. Our processing of this data is limited to data you make available to us (or a third party provides on your behalf).
Joint Controllers
We are always responsible for personal data that we collect about you. In some cases, for example, when we collaborate with our trusted partners, we may be jointly responsible with those partners for protecting your personal data.
Our data protection commitments as joint controllers are as follows:
We will agree the respective roles and responsibilities of each party involved;
We will make sure that both parties are transparent about the joint purposes for processing your personal data, and explain how your personal data is used for these purposes; and
We will make sure that you are always able to exercise your legal rights.
Where we work jointly with another party, we will inform you about your rights and other important information at the point we ask for your personal data.
SHARING YOUR PERSONAL DATA
Sharing personal data within the Huda Beauty Group of Companies
We may share your personal data between our Group of Companies to build a central record, keep the information we hold about you up to date (for example, you may be a Customer of more than one of our brands), tailor our communications with you, fulfil your orders, respond to your inquiries or to run analytics and perform statistics.
Access within the Huda Beauty Group is controlled on a need-to-know basis, such as to fulfil our contractual obligation with you (such as to refund you) or to allow us to perform any necessary or legitimate functions. This may include sending you marketing communications about other brands where we have a marketing permission to do so.
We may also share information that has been deidentified or aggregated without limitation.
Sharing personal data with other product manufacturers
Where we sell products manufactured by other companies on our website and you have made a purchase of those products, we may share your personal information with the supplier of those products, to allow them to provide you with an enhanced customer experience, fulfil your order, or improve their products and services.
Sharing personal data with our service providers
We provide service providers with the information they need to perform the service they are providing. For example, we may trust service providers to deliver services that involve the processing of your personal data as follows:
To provide, personalize, analyse, and improve our products and the Service;
To review social media and public profiles as well as ratings and reviews;
To provide community platform management and User Generated Content curation tools;
As required to deliver a product to you, for example, postal/delivery services;
Payment service providers who process payments on our behalf;
Advertising, marketing, digital and social media agencies to help us deliver advertising, marketing, and campaigns, to analyse their effectiveness, and to manage your contact details, questions, and our relationship;
To assist us with customer care, product queries and complaints;
To provide us with IT services such as website hosting and platform management services;
To help us provide training, seminars, and events, such as training providers, travel agencies, and event management companies; and/or
To enable the provision of services you have requested through voice assistant platforms (such as Amazon Alexa, Google Assistant or similar services).
Sharing personal data with law enforcement and regulatory authorities
We may share your personal data with regulatory, law enforcement, tax or governmental authorities, courts or tribunals where we are required to do so by law, or where it is necessary for the establishment, exercise or defence of legal claims, or to protect the rights, property or safety of Huda Beauty, our customers, or others.
Sharing personal data with fraud prevention and security providers
We may share your personal data with fraud prevention and security service providers to detect, investigate, monitor, remediate and/or prevent fraud, security incidents or other unlawful activity in connection with your transactions and use of our websites, apps and services.
Sharing personal data with our own trusted partners
Your information may be shared with our trusted parties if they are co-creating content with us for an event. We will each use your personal data for our own purposes and as such your personal data will be used by the partner acting also as a controller, and its privacy policy shall govern the use of your personal data for its purposes.
We may share your User Generated Content such as ratings and reviews with our partners so it may be displayed on their websites.
We may also share personal data with our partners for advertising and analytics purposes as described in the “Digital Advertising & Analytics” section. Content created by our partners linked on the Service or interactive third-party features available on the Service are subject to the privacy policies of the third party that provides the content or features, as further described in the “Third Party Links & Tools” section below.
Other purposes for data sharing
We may also disclose your personal data to other parties:
If we sell any or part of our business or assets, we may disclose your personal data to the prospective buyer of such business or assets. Your personal data will usually be processed by the buyer acting as the new controller and its privacy policy will govern the processing of your personal data;
If we are under a duty to disclose or share your personal data to comply with a legal obligation, or in order to enforce or apply our terms of use/sales or other terms and conditions you have agreed to, or to protect the rights, property, or safety of Huda Beauty, our customers, or others; and/or
In other circumstances if we have your consent or we are permitted to do so by law.
DIGITAL ADVERTISING & ANALYTICS
We may partner with ad networks and other ad serving providers (“Advertising Providers”) that serve ads on behalf of us and others on non-affiliated platforms. Some of those ads may be personalized, meaning that they are intended to be relevant to you based on information Advertising Providers collect about your use of the Service and other sites or apps over time, including information about relationships among different browsers and devices. This type of advertising is known as interest-based advertising.
You may visit the DAA Webchoices tool at www.aboutads.info to learn more about this type of advertising and how to opt out of this advertising on websites by companies participating in the DAA self-regulatory program. You can also exercise choices regarding interest-based advertising on your mobile device by downloading the appropriate version of the DAA’s AppChoices tool at https://youradchoices.com/appchoices.
If you delete your cookies or use a different browser or mobile device, you may need to renew your opt-out choices exercised through the DAA Webchoices tool. Note that electing to opt out will not stop advertising from appearing in your browser or applications. It may make the ads you see less relevant to your interests.
We may also work with third parties that collect data about your use of the Service and other sites or apps over time for non-advertising purposes. We use Google Analytics and other third-party services to improve the performance of the Service and for analytics and marketing purposes. For more information about how Google Analytics collects and uses data when you use our Service, visit www.google.com/policies/privacy/partners, and to opt out of Google Analytics, visit tools.google.com/dlpage/gaoptout/.
Additionally, your browser may offer tools to limit the use of cookies or to delete cookies; however, if you use these tools, our Service may not function as intended.
Where we store your personal data
Due to the global nature of our business, the personal data that we collect from you may be transferred to, accessed in, and stored at, a destination outside your home country. It may also be processed by staff operating outside your home country who work for us or for one of our service providers.
Where we transfer your personal data
Where Huda Beauty transfers personal data outside of your home country, this will be done in a secure and lawful way. As some countries may not have laws governing the use and transfer of personal data, we will take steps to ensure that third parties adhere to the commitments set out in this Privacy Policy (e.g. reviewing their privacy and security standards and subjecting them to appropriate contractual obligations).
Where these locations do not provide an adequate level of data protection, we ensure appropriate safeguards are in place to protect the transfer of your personal data to these countries.
When we transfer your personal data outside of your home country, we:
review and/or enter into appropriate contracts (including adding the European Commission’s standard contractual clauses (available here) which may include the UK’s Addendum to the standard contractual clauses (available here) or other national standard contractual clauses); or
rely on the applicable European Commission adequacy decision (or other national adequacy decisions, as applicable) which finds the third country to which we may transfer your personal data offers an adequate level of data protection (copies of adequacy decisions available here).
For further information, please contact us as per the “Contact us” section below.
How long do we retain your personal data and how do we keep it secure?
We will keep your personal data for as long as we need it subject to the different use cases described above. For example, we retain certain personal data for the following periods:
For the duration of our contractual relationship and for a reasonable period after it ends in case of a query or claim or, if longer, to comply with legal obligations, resolve disputes, enforce agreements, or satisfy any similar essential purposes;
Where you create an account, we keep your personal data until you request that we delete it or after a period of inactivity (i.e. where you have not interacted with us for a period of time). This period is defined in accordance with local regulations and our internal operating procedures;
We keep User Generated Content for a reasonable period necessary to achieve the purpose we collected it for (e.g. for the duration of a campaign) and otherwise for a period defined in accordance with local regulations and guidance; and
Where cookies are placed on your browser, they are stored for as long as necessary to achieve their purposes (e.g. statistics on your social media post) and otherwise for a period defined in accordance with local regulations and guidance.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period of 30 after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future;
Where we process personal data for site security purposes, we retain it for 6 months;
Once the retention period expires and if not otherwise required to retain personal data by law, we will delete or deidentify personal data. We are committed to keeping your personal data secure and taking all reasonable steps to do so. We contractually require that trusted third parties who handle your personal data for us do the same. However, as no sharing of information via the Internet is completely secure, we cannot guarantee the security of your personal data transmitted to our site. Any sharing is therefore at your own risk.
THIRD-PARTY LINKS & TOOLS
Our Service may, from time to time, contain links to third-party websites or apps. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that they are not covered by this Policy. Please check the privacy policies of the other websites or apps that you use to learn more about their data practices before you share any personal data with these websites.
We may also offer you the opportunity to use integrated social media tools or “plug-ins,” such as social networking tools offered by third parties that allow you to use your social media login when interacting with our Service. If you use these tools to share personal data or you otherwise interact with these features on the Service, please be aware that those companies may collect personal data about you and may use and share such data in accordance with your platform settings, including by sharing such information with the general public.
Your interaction with third-party companies and your use of their features are governed by the privacy policies of the companies that provide those features. Please visit the relevant platform and review the privacy policy for any accounts you create to understand how your personal data is shared and used in this context.
Social Media and User Generated Content
Some interactive features on our Service allow users to submit their own content. Please remember that any content submitted to our features can be viewed by the public, and you should be cautious about providing certain personal data (e.g. financial information or address details). If you disclose personal data in one of these forums, this information can be viewed, collected, and used by others. We are not responsible for any actions taken by other individuals if you post personal data on these interactive features, and we recommend that you do not share such information.
Virtual Shade Finder Tool
We offer a virtual shade finder tool on our website to help users identify suitable product shades. The tool is provided and operated by a third-party technology partner, Holition Limited (“Holition”).
How the Tool Works
When you use the virtual shade finder:
The tool may access your device camera in real time solely to enable the shade matching experience.
Images are not captured, stored, saved, or recorded by us or by Holition.
No biometric data, facial recognition data, or personal identifiers are extracted or retained.
All processing occurs only while the tool is actively in use.
Once you close the tool or leave the page, all data is immediately discarded.
We do not receive, store, or retain any images or personal data generated through your use of the virtual shade finder.
The virtual shade finder is designed to operate without collecting or storing personal data. Any visual data processed during use is transient, used solely to provide the functionality requested, and is not retained after the session ends.
As a result:
No personal data is stored in our systems as part of this tool.
No personal data is used for marketing, profiling, or analytics purposes.
No personal data is sold, shared, or disclosed for cross-context behavioral advertising.
Where UK GDPR or EU GDPR applies, any temporary processing required to operate the tool is carried out on the basis of:
Your explicit action to activate the tool, and
Our legitimate interest in providing an interactive product experience requested by you.
Because no personal data is retained, no ongoing processing takes place after the session ends.
Third-Party Service Provider
Holition acts as a service provider / processor solely to support the operation of the virtual shade finder. Holition is contractually required to:
Process data only on our instructions,
Not retain, use, or disclose data for any independent purpose, and
Apply appropriate technical and organizational security measures.
We do not retain any data from the virtual shade finder. All processing is session-based and ephemeral, and ends automatically when the tool is closed.
Because no personal data is stored or retained through the virtual shade finder, there is no personal data held by us that can be accessed, corrected, or deleted in connection with this tool. Your statutory rights under applicable data protection laws remain unaffected.
YOUR RIGHTS AND CHOICES
You may have certain rights and choices over the personal data we collect about you, depending on the country you are located in. These rights may be limited depending on our rights as a business and/or the legal basis on which we use the data (for example if fulfilling your request would reveal personal data about another person or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep). If you are subject to an applicable privacy law, you may exercise these rights by contacting us using the details provided below.
International privacy rights
Right: Summary
The right of access: Enables you to receive a copy of your personal data
The right to rectification: Enables you to correct any inaccurate or incomplete personal data we hold about you
The right to erasure: Enables you to ask us to delete your personal data in certain circumstances
The right to restrict processing: Enables you to ask us to halt the processing of your personal data in certain circumstances
The right to object: Enables you to object to us processing your personal data on the basis of our legitimate interests (or those of a third party), including processing for direct marketing purposes or profiling for purposes of direct marketing, or where we are performing a task in the public interest – your objection will be upheld, and we will cease processing your personal data, unless the processing is based on compelling legitimate grounds or is needed for the exercise or defence of legal claims that may be brought by or against us.
As such, you can opt-out from our email marketing at any time by contacting us (see the ‘Contact Us’ section below) or using the link provided at the bottom of each marketing message. If you opt out of our email marketing, we will still send you messages related to our transactions and relationship with you, such as order confirmations.
The right to data portability: Enables you to request us to transmit personal data that you have provided to us, to a third party without hindrance, or to give you a copy of it so that you can transmit it to a third party, where technically feasible
The right to withdraw consent: Wherever we rely on your consent, you may also withdraw any consent you previously provided to us at any time. This will not affect the lawfulness of our use of your personal data based on your consent before its withdrawal. We may however have other legal grounds for processing your data for other purposes, such as those set out above.
If you live in France
The right to instruct us regarding the use of your personal data after your death: Enables you to instruct us on the processing (retention, deletion, and disclosure) of your personal data after your death. You can change or revoke such instructions at any time.
If you live in the UK
The right to make a complaint to us: Enables you to make a complaint to us using the contact details above if you have any unresolved concerns about how we process your personal information.
If you have unresolved concerns, you have the right to make a complaint to us and to the data protection authority in the country that you reside in, the country of your place of work, or the country where the alleged infringement took place.
U.S. STATE PRIVACY RIGHTS
Specific U.S. states grant individuals certain rights under state privacy laws with respect to personal data we collect. These states include California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. If you are a resident of one of these states, this section of the Policy contains disclosures required by law and explains rights that may be available to you.
Personal data we collect and disclose
In the preceding 12 months, we collected and disclosed the following categories of personal data:
Personal and online identifiers (such as first and last name, address, email address, phone number, username/password, or unique online identifiers);
Recordkeeping information (such as credit card number, debit card number, or other financial information);
Characteristics of legally protected classifications (such as age or gender);
Commercial or transactions information (such as records of products or services purchased, obtained, or considered);
Internet or other electronic network activity information (such as interactions with a website, email, application, or advertisement);
Geolocation information (such as address);
Sensory information (such as call recordings, CCTV recordings, or photos you upload);
Inferences drawn from the above information about your predicted characteristics and preferences; and
Other information about you that is linked to the personal data above.
Some of this information is “sensitive personal information,” as defined by the California Consumer Privacy Act (CCPA). Specifically, we collect login credentials. We do not use or disclose sensitive personal information, as defined by the CCPA, for purposes other than those specified in the CCPA.
Sources of personal data
We collect personal data from the following categories of sources:
You;
Huda Beauty Group of Companies;
Our service providers;
Our product manufacturers;
Social media platforms;
Trusted partners with whom we co-host events; and
Advertising companies and networks.
Our purposes for processing personal data
We use and disclose the personal data we collect for our commercial and business purposes, as further described above in the “What Personal Data Do We Collect and How Do We Use It?” section of this Policy.
We may use and share deidentified data to the extent permitted by applicable law. When we use deidentified data, we maintain and use the data in deidentified form and do not attempt to reidentify it, except to check whether our deidentification processes satisfy the requirements of applicable law.
Recipients of personal data
We disclose the categories of personal data designated above to the categories of third parties listed in the “Sharing Your Personal Data” section of this Policy for commercial and business purposes.
We share personal data for targeted advertising purposes but do not otherwise engage in “sales” of personal data as defined by state laws. In the past 12 months, we have disclosed the following categories of personal data to third-party business partners—such as advertising networks—for advertising and marketing purposes, including targeted advertising:
Personal and online identifiers;
Internet or other similar network activity information;
Commercial or transactions information (such as records of products or services purchased, obtained, or considered); and
Inferences drawn from other personal information (excluding any information that may be considered sensitive under applicable state laws).
Retention of personal data
We retain personal data according to the processes and procedures described in the “How long do we retain your personal data and how do we keep it secure?” section of this Policy.
Your rights
Residents of certain states have rights with respect to the personal data we collect. You may be able to exercise the following rights regarding personal data, subject to certain exceptions and limitations:
The right to confirm whether we are processing personal data about you.
The right to access a copy of the specific pieces of personal data we have collected about you.
The right to know the categories and specific pieces of personal data we collect, use, disclose, and sell about you; the categories of sources from which we collected personal data about you; our purposes for collecting or selling personal data about you; the categories of personal data about you that we have sold or disclosed for a business purpose; and the categories of third parties with which we have shared personal data.
In some states, the right to obtain the categories of third parties to which we disclosed personal data. In other states, the right to obtain a list of the third parties to which we disclosed personal data.
The right to correct inaccuracies in the personal data we have collected about you.
The right to request that we delete the personal data we have collected about you.
The right to opt out of “selling” and sharing of personal data for targeted (also called “cross-context behavioral”) advertising. Please note that if you opt out of certain practices, we may be unable to provide you with some services. Additionally, we do not knowingly sell or share personal data of individuals under 18.
The right to opt out of (i) the sharing or processing of personal data for targeted advertising; or (ii) the sale of personal data. Please note that if you opt out of certain practices, we may be unable to provide you with some services.
The right not to be retaliated against for the exercise of the above privacy rights.
To exercise the above rights (other than the right to opt out), please contact us using the following information and submit the required verifying information, as further described below:
Through our “Contact Us” webform by selecting “General question” and describing your privacy request.
By emailing us at [email protected].
Additionally, for individuals subject to certain state laws, if you have submitted a request that we have not reasonably fulfilled, you may contact us to appeal our decision by sending an email with the subject line “Appeal” to [email protected].
Notice of the Right to Opt Out
To exercise the right to opt out, visit our Cookie Preferences tool and select “Reject All.” Alternatively, you can visit our Sites with the Global Privacy Control (“GPC”) enabled. The GPC is a third-party tool; more information and instructions on implementing this tool are available here. The Sites have implemented mechanisms to respond to GPC signals that we receive, where required, and we treat these signals as requests to opt out of “sales” and sharing for targeted advertising.
Verification process and required information
Where permitted by law, note that we may need to request additional information from you to verify your identity or understand the scope of your request. You will not be required to create an account with us to submit a request or have it fulfilled. We will require you to provide, at a minimum, basic contact information like your name and email address.
Authorized agent
Depending on your state law, you may also designate an authorized agent to make requests on your behalf. An authorized agent can make a request on your behalf through one of the submission methods described above. We will require the agent to provide us with proof that you have authorized the agent to make requests on your behalf prior to accepting requests from the agent.
Notice of financial incentive and loyalty program
We may provide you with opportunities to receive rewards, including discounts on our products, in exchange for providing information and/or completing surveys. These rewards may be considered “financial incentives” or “bona fide loyalty programs” under U.S. state privacy laws. When you participate in these activities, we may collect and share your personal data as described in the “What Personal Data Do We Collect and How Do We Use It?” section of the Policy, including with all categories of third-party recipients listed in the “Sharing Your Personal Data” section of the Policy. These third-party recipients may be considered “data brokers” under applicable law.
Specifically, we may disclose the following categories of personal data to third-party business partners – such as advertising networks – for targeted advertising:
Personal and online identifiers;
Internet or other similar network activity information;
Geolocation information; and
Inferences drawn from other personal information (excluding any information that may be considered sensitive under applicable state laws).
In order to receive rewards, you are required to have an account with us so that we can track your rewards and administer benefits. If you submit a deletion request under state privacy laws as described above, it will be impossible for us to collect this information. Therefore, you will be unable to participate in the rewards program once your personal data is deleted.
The terms associated with these activities, such as the amount of points you will receive if you provide information or complete a survey, are presented to you when you opt into the offer. You can opt into these offers by providing the requested information associated with the specific offer. You can withdraw from the financial incentives we offer at any time by not responding to incentive offers or deleting your account.
The value of the incentive you receive is reasonably related to the value that we receive from processing personal data. We estimate this value by considering a variety of factors as permitted by law, including (but not limited to) the expenses incurred in collecting and retaining the data and the expenses incurred in administering the program.
CHANGES TO THIS PRIVACY POLICY
We may make changes to this Privacy Policy from time to time. We encourage you to review our Privacy Policy to stay informed. If we make material changes, we may provide additional notice, such as via email or via a notice on our website, or obtain your consent.
CONTACT US FOR FURTHER PRIVACY RELATED INFORMATION
For its companies in the EU, UK and Singapore, Huda Beauty has appointed Bird & Bird DPO Services SRL as a Data Protection Officer (DPO), and the DPO may be reached:
by using the following email: [email protected]
by mail at the following address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium
If your relationship is with a Huda company in any other country and you have any questions or concerns about how we treat and use your personal data, please contact us at [email protected].