  1. GENERAL PROVISIONS

This privacy policy (“Privacy Policy”) applies to all Personal Data processed by Lovisa Pty Ltd (“Lovisa”, “we”, “us”, or “Data Controller”). Lovisa complies with:

  • the Australian Privacy Principles in the Privacy Act 1988 (Cth) (Privacy Act); and
  • the General Data Protection Regulation (“GDPR”).

This privacy policy explains how we collect, hold, use, disclose and otherwise manage:

  • personal information in Australia (that is, information or an opinion about you, whether true or not, which identifies you or from which your identity is reasonably identifiable); and
  • personal data in Europe (that is, any information relating to an identified or identifiable natural person, as defined in Art 4 no 1 of the GDPR).

(together, “Personal Data”)

  2. YOUR PRIVACY: OVERVIEW

At Lovisa, we take our responsibilities under current data protection regulations and laws seriously. We recognise the importance of the Personal Data you have entrusted to us and are committed to properly managing, protecting, and processing Personal Data.

  3. REVISIONS TO THIS PRIVACY POLICY

Lovisa reserves the right to change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date of this Privacy Policy. If we make material changes to this Privacy Policy, we will provide you with additional notice (such as adding a statement to our websites’ homepage).

  4. COLLECTION, PURPOSE AND USE OF PERSONAL DATA

Lovisa only collects Personal Data where it is reasonably necessary for our business activities. Unless it is not reasonable or practicable to do so, and in other cases allowed by law, we will collect Personal Data about you directly from you. The kinds of Personal Data that Lovisa collects will vary depending on our particular interaction or dealing with you. However, generally speaking, the kinds of Personal Data Lovisa collects and the purposes for which Lovisa uses Personal Data are set out in this clause.

4.1. SENSITIVE INFORMATION

Lovisa may collect sensitive information for the primary purpose of enabling you to buy and receive a piercing in the respective body part (for example, the ear lobe, ear helix or nose) and to analyse and respond to any of your queries, claims or complaints. The kinds of sensitive information that Lovisa may collect include certain health information such as:

  • history of medication; and
  • history of infection.

Lovisa may also collect and hold other kinds of sensitive information as permitted or required by law or other kinds of personal information that we notify you of at or about the time of collection. 

4.2. WEBSITE DATA COLLECTION

When accessing our website, your device automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us:

  • browser type and browser version
  • operating system used
  • referrer URL
  • host name of the accessing computer
  • time of the server request
  • IP address

We save this data for the following purposes:

  • Load balancing, i.e., to distribute the access to our website across several devices and to be able to offer you the fastest possible loading times.
  • Ensuring the security of our IT systems in accordance with Art 32 GDPR and based on our legitimate interest in protecting us from misuse of our service, for example, to prevent specific attacks on our systems and to identify attack patterns.
  • Ensuring the proper operation of our IT systems, for example if errors occur that we can only remedy by storing the IP address.
  • To enable criminal prosecution, security, or legal prosecution if there are specific indications of criminal offenses.

This processing takes place on the basis of our predominant legitimate interests mentioned above in accordance with Sec 25 para 2 no 2 German Telecommunications and Telemedia Data Protection Act (TTDSG) and Art 6 para 1 lit f) GDPR.

4.3. REGISTRATION DATA

To be able to use all functions within our website, you have to register. For this, you have to provide the following mandatory information:

  • Full Name
  • Email Address
  • Phone Number
  • Password

Your registration data is required to set up and manage a user account for you and so that you can use all the features of our website. In this case, you conclude a (free) usage contract with us on the basis of which we collect this data (Art 6 para 1 lit b) GDPR).

In order to conclude the contract, you have to provide us with this data. However, you are neither contractually nor legally obliged to conclude the contract and thus to provide the data.

In addition, you can provide further voluntary information as part of the registration; for example, you can provide your date of birth. This information is voluntary and not necessary for your registration. We collect this data in order to be able to provide you with the corresponding functions of our website (Art 6 para 1 lit b) GDPR).

Additionally, we process your Personal Data for the following purposes:

  • Complete Transactions. Complete transactions you request and perform our contractual obligations, including sending notifications related to your purchases, exchanges, and returns based on Art 6 para 1 lit b) GDPR.
  • Respond to You. To manage your queries, claims and complaints for products in order to identify fraudulent behaviour and technical support matters through email, our chat function, telephone and through social media based upon Art 6 para 1 lit f) GDPR.
  • Comply with Legal Obligations. To comply with legal obligations, court findings and decisions from authorities based upon Art 6 para 1 lit c) GDPR.

Registration data only needed for providing your user account will be deleted once your user account is closed. 

4.4. CONTACT VIA EMAIL OR LIVE CHAT

If you send us a question/query, e.g. via e-mail, via our contact page https://www.lovisa.com.au/pages/contact-us or via our live chat, your details will be saved and used to process the question/query. The contact details you provide us with will be used to respond to your question/query.

Our contact forms and live chat functionality are provided by a service desk management platform, on the servers of the service provider Zendesk Inc. (“Zendesk”) 1019 Market Street, San Francisco, CA 94103 USA. Zendesk processes your data on our behalf, i.e., exclusively according to our instructions. The processing takes place in each region we operate in. From time to time, data may be transferred to the United States as part of Zendesk’s backup and recoverability procedures based upon standard contractual clauses approved by the EU Commission in accordance with Art 46 para 2 lit c) GDPR available at: https://www.zendesk.de/company/data-processing-form/. More information regarding Zendesk’s data and privacy policies can be found here:

https://www.zendesk.com/company/privacy-and-data-protection/.

We store inquiries about contracts or of potentially legal relevance and all other inquiries for the duration of the general limitation period or applicable legal obligations to store such Personal Data.

The storage takes place on the basis of our legitimate interest to document our business operations and the securing of our legal positions (Art 6 para 1 lit f) GDPR). For inquiries about contracts, the data is saved for the initiation and implementation of the respective contractual relationship (Art 6 para 1 lit b) GDPR) and, if applicable, for the fulfilment of legal obligations (Art 6 para 1 lit c) GDPR). 

4.5. IN STORE DATA

We offer our customers a choice of either physical or digital receipt when they are shopping in store. When a customer selects to receive a digital receipt, we collect the following information:

  • Full Name
  • Phone Number
  • Email address

The customer’s email address is saved in our CRM System (Klaviyo) for the purpose of being able to send a digital receipt to the customer. 

4.6. OUR SOCIAL MEDIA CHANNELS

4.6.1 SOCIAL MEDIA GENERALLY

If you visit our social media channels (Facebook Fanpage, Instagram, TikTok, Pinterest) we will process certain data, e.g., when you interact with one of our channels or our social media account, like or comment on a post. The corresponding data processing is carried out based on our legitimate interest (Art 6 para 1 lit f) GDPR) in providing you with the respective functions or based upon your consent provided to the respective social media provider (e.g., Facebook Ireland, TikTok Technology Limited, Pinterest Europe Ltd.).

Please note that these areas are publicly accessible and any personal information you post or provide when registering may be viewed by others. We cannot control how other users use this information. In particular, we cannot prevent unsolicited messages from being sent to you by third parties.

Content posted in community areas may be stored for an unlimited period of time. If you would like us to remove any content you have posted, please send us an e-mail to the address given. 

4.6.2 FACEBOOK FANPAGES

You can find us on our Facebook Fanpage: https://www.facebook.com/lovisajewellery/.

For users outside the U.S. and Canada Facebook Services are provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta Ireland”). For users in the U.S. and Canada Meta Platforms Inc., 1601 South California Avenue, Palo Alto, CA 94304, U.S., provides the services.

Even if you are not registered with Facebook and visit our Facebook Fanpage, Meta may collect pseudonymous usage data from you. You can find more information in Meta’s data policy at https://www.facebook.com/privacy/policy/ and at https://www.facebook.com/legal/terms/information_about_page_insights_data. In the data policy, you will also find information on the settings options for your Facebook account.

Meta Ireland may share your data within the Meta group companies and with other third parties. This may involve the transfer of Personal Data to the U.S. and other third countries for which there is no EU Commission adequacy decision. In this case, Meta Ireland will use the standard contractual clauses approved by the EU Commission in accordance with Art 46 para 2 lit c) GDPR. Further information can also be found in Meta's data policy.

We are also jointly responsible with Meta for the processing of so-called insights data when visiting our Facebook fan page. With the help of this insights data, Meta Ireland analyses the behaviour on our Facebook fan page and makes this data available to us in anonymised form. For this purpose, we have concluded an agreement with Meta Ireland on joint responsibility for data processing, which can be viewed here: https://www.facebook.com/legal/terms/page_controller_addendum. In this agreement, Meta Ireland undertakes, among other things, to assume primary responsibility under the GDPR for the processing of insights data and to fulfil all obligations under the GDPR with regard to the processing of insights data. The processing serves our legitimate economic interests in the optimisation and needs-based design of our Facebook fan page, Art 6 para 1 lit f) GDPR.

We would also like to draw your attention to the following: If you visit or like our Facebook fan page as a registered Facebook user, Meta Ireland collects Personal Data. If you are not registered with Facebook and visit the Facebook fan page, Meta Ireland may collect pseudonymous usage data.

Specifically, the following information is collected by Meta Ireland:

  • Accessing a page or a post or a video from a page;
  • Subscribe or unsubscribe to a page;
  • Tag a page or post with "like" or "no longer like";
  • Recommend a Page in a post or comment;
  • Comment on, share or respond to a Page post (including how to respond);
  • Hide a Page post or report it as spam;
  • Click on a link leading to the Page from another page on Facebook or from a website outside Facebook;
  • Hover over the name or profile picture of a Page to preview Page content;
  • Click on the webpage button, phone number button, "plan a route" button or any other button on a page; and
  • Information whether you are logged in via a computer or a mobile device.

For more information, please see Facebook's privacy policy at: https://www.facebook.com/legal/terms/information_about_page_insights_data

4.7. NEWSLETTERS, NOTIFICATIONS AND SURVEYS (DIRECT MARKETING)

In addition to the purposes outlined in this clause 4, we may use and disclose Personal Data in order to inform you of events, products or services that may be of interest to you.  This may include Lovisa disclosing Personal Data to related companies of Lovisa or other entities with which Lovisa has a commercial relationship or arrangement for the purpose of the other entity contacting you for such marketing purposes. Details of these marketing purposes are set out in further detail below.  If you do not wish to receive such communications, you can opt-out by contacting Lovisa via the contact details set out in paragraph 20 of this privacy policy or through the opt-out mechanism contained in a marketing communication to you. 

4.7.1 EMAIL MARKETING

Our customers can sign up to our newsletter list by providing an email address. As a subscriber to our newsletter, they will receive marketing emails including but not limited to: special offers, new products & services, time sensitive email alerts and surveys.

We offer a free newsletter to keep you informed about special offers, product and styling news, and so-called trigger-based communications with time sensitive reminders such as abandoned cart e-mails and post purchase surveys (in order for us to receive feedback on product or website experience, brand and customer satisfaction). If you would like to receive such newsletters, reminders or surveys, we require your e-mail address for registration.

By opting in, you consent to receiving unsolicited electronic commercial messages via email for an indefinite period until you opt out. You may opt out at any time by following the instructions to unsubscribe in any of these messages.

No further Personal Data is collected unless provided by you on a voluntary basis. We use this data exclusively for sending the requested information.

The processing of your Personal Data is based on your consent (Art 6 para 1 lit a) GDPR).

Further storage for the purpose of proving consent is based on our legitimate interest, the proper documentation of our business operations and the assertion, safeguarding or defence of claims (Art 6 para 1 lit f) GDPR).

We operate an e-mail marketing platform on the servers of the service provider Klaviyo, Inc. (“Klaviyo”). Klaviyo processes your Personal Data on our behalf, i.e., exclusively according to our instructions. The processing takes place in the United States and for this purpose we have entered into standard contractual clauses approved by the EU Commission in accordance with Art 46 para 2 lit c) GDPR available at https://www.klaviyo.com/legal/dpa. More information regarding Klaviyo's data and privacy policies can be found here:

https://www.klaviyo.com/privacy/policy 

4.7.2 SMS MARKETING / MOBILE MESSAGE SERVICE

If you provide us with your consent, we will send you text notifications as specified in the Mobile Terms of Service [include link to the Mobile Terms of Service] via SMS in the future.

By opting in, you consent to receiving unsolicited electronic commercial messages via SMS for an indefinite period until you opt out. You may opt out at any time by following the instructions to unsubscribe in any of these messages.

No further Personal Data other than your name, phone number, country, time of consent and consent method is collected unless provided by you on a voluntary basis.  We use this data exclusively for providing you with the Service as specified in the Mobile Terms of Service.

The processing of your Personal Data is based on your consent (Art 6 para 1 lit a) GDPR).

Further storage for the purpose of proving consent is based on our legitimate interest, the proper documentation of our business operations and the assertion, safeguarding or defence of claims (Art 6 para 1 lit f) GDPR).

  5. PIERCING CONSENT

In order to carry out piercing procedures in our store, we require that you fill out our piercing consent form. You can access this consent form via QR codes accessible in our stores. After you complete the consent form on your personal device and have digitally signed it, this information is sent to the local store email address.

The respective Lovisa company in your jurisdiction acts as the data controller: Lovisa Holdings Ltd [Australia] and all of its subsidiaries including Lovisa Austria GmbH [Austria], Lovisa Australia Pty Ltd [Australia], Lovisa Pty Ltd [Australia], Lovisa Belgium BV [Belgium], Lovisa Canada Ltd [Canada], Lovisa France SARL [France], Lovisa Retail France SARL [France], Lovisa Retail Germany GmbH [Germany], Lovisa Hong Kong Ltd [Hong Kong], Lovisa Luxembourg SARL [Luxembourg], Lovisa Malaysia Sdn Bhd [Malaysia], Lovisa Retail Mexico S.A. DE [Mexico], Lovisa Netherlands BV [Netherlands], Lovisa New Zealand Pty Ltd [New Zealand], Lovisa Poland sp. Z o.o. [Poland], Lovisa Singapore Pte Ltd [Singapore], DCK Jewellery South Africa (Pty) Ltd [South Africa], Lovisa Accessories (Pty) Ltd [South Africa], Lovisa Switzerland AG [Switzerland], Lovisa UK Ltd [United Kingdom], Lovisa America LLC [United States of America].

The processing of the following Personal Data is carried out solely for the purpose of providing you with our piercing services:

| Information | What we use it for |
|---|---|
| Full Name | For contact tracing – consent form accuracy |
| Date of Birth | For contact tracing – consent form accuracy |
| Phone Number | For contact tracing – consent form accuracy |
| Address | For contact tracing – consent form accuracy |
| Lobe or cartilage piercing | For consent form accuracy. |
| E-mail address | Send consent form to customer so they retain copy. |
| Confirm not on any medications | Consent form accuracy - legal requirement. |
| Confirm don't have history of infection | Consent form accuracy - legal requirement. |
| Confirm not pregnant | Consent form accuracy - legal requirement. |
| Confirm not under influence of drugs/alcohol | Consent form accuracy - legal requirement. |
| Confirm customer does not have series of diseases (such as diabetes and epilepsy) | Consent form accuracy - legal requirement. |

You may additionally provide the respective Lovisa entity with consent for general evaluation purposes to better understand the use of our services and to be able to adapt our services accordingly.

The corresponding data processing is carried out based on your consent (Art 9 para 2 lit a) GDPR for health data and Art 6 para 1 lit a) GDPR for all other Personal Data).

We will store your consent and any Personal Data provided in your consent forms in accordance with paragraph 16. You can withdraw your consent at any time with effect for the future at https://www.lovisajewellery.eu/pages/data-privacy. Your consent withdrawal, however, does not affect the lawfulness of the processing carried out or statutory retention obligations.

  6. COOKIES

We may use cookies and similar technologies (we will refer to all of these as “Cookies”) to enable you to use certain features on our website, store your preferences, recognise you when you return to our website and maintain information about your use of our website. Cookies are small files that are saved on your device with the help of your internet browser.

Specifically, we use the following Cookies (unless other Cookies are specified elsewhere in this data protection declaration):

  • Session Cookies: These Cookies are required to save certain technical data during your visit to our website, e.g., to determine whether you have logged in.
  • Login Cookies: These Cookies are required to save your login over a session if you want to.

The legal basis for the use of these Cookies is Sec 25 para 2 no 2 German Telecommunications and Telemedia Data Protection Act (TTDSG) and Art 6 para 1 lit f) GDPR, insofar as these Cookies are essentially necessary for us to provide you with our website content.

For all other (non-essentially necessary) Cookies we will only use these Cookies based upon your consent. If we use Cookies based upon your consent, you can withdraw your consent at any time with effect for the future by adjusting your Cookie settings at https://www.lovisajewellery.eu/pages/data-privacy. Alternatively, you can change your settings at any time via the "Cookie settings" link at https://www.lovisajewellery.eu/pages/data-privacy. You will find the link in the footer of the website. Your withdrawal does not affect the lawfulness of the processing carried out up to that point.

The following Cookies are integrated into our website:

| Name | Provider | Purpose | Duration | Category |
|---|---|---|---|---|
| Google Optimize | Google LLC | Google Optimize is an optimization tool used to test different combinations of website content. | 90 days (can vary depending on length of the experiment) | Analytics |
| Hotjar | Hotjar Limited | Hotjar is a suite of analytic tools to assist in the gathering of qualitative data, providing feedback through tools such as heatmaps, session recordings, and surveys. | 365 days | Analytics |
| Microsoft Clarity | Microsoft Corporation | Microsoft Clarity provides website usage statistics, session recordings, and heatmaps. | Up to 3 months from the time of recording | Analytics |
| Awin | Awin Ltd | Affiliate marketing tracking | 30 days (can vary between brands) | Marketing |
| Maxmind | MaxMind, Inc | MaxMind provides location data for IP addresses. Geoip tracking for regionalisation. | Up to 30 days | Website Functionality |
| Tiktok Pixel | Tik Tok Inc. | The TikTok Pixel tracks the impact of our TikTok ads on the website. | 13 months from the date of last use | Marketing |
| Google Tag Manager | Google LLC | Google Tag Manager is a tag management system that allows configuration and ability to instantly deploy tags to our website. | 30 days | Analytics |
| Barilliance | Barilliance Systems Ltd | Barilliance is an analytics tool which helps deliver a personalized omnichannel shopping experience on the website. | Cookies are retained for the length of the session | Analytics |
| Klaviyo | Klaviyo, Inc | Klaviyo, a marketing automation platform that automates SMS and e-mail marketing. | 24 months | Marketing |
| Lexer | Lexer Pty Ltd | The Lexer Customer Data Platform serves as your all-in-one hub for insight-driven marketing, sales, and service. | 30 days | Analytics |
| Hero | Hero Towers Limited | Virtual shopping platform | 30 days | Marketing |
| Fullstory | FullStory, Inc. | An analytics tool used to discover user trends and identify, troubleshoot, and fix site issues. | 7 days | Analytics |
| Pinterest | Pinterest Inc. | The Pinterest Pixel (Pinterest Tag) allows us to measure, optimize and build audiences for ad campaigns. | 24 months | Marketing |
| Tagalys | Tagalys LLC | Tagalys uses user interaction data (namely: views, add to carts, orders, and user sign-ins) to help improve the product discovery experience across collections, search and recommendations. | 24 months | Analytics |

  7. RECIPIENTS / CATEGORIES OF RECIPIENTS / DISCLOSURE

Disclosure of your Personal Data will generally be for the primary purpose of providing products or services to you in accordance with this Privacy Policy. In addition, Lovisa may disclose your Personal Data for purposes related to the above purpose, other purposes which we notify you of when we collect the information and for purposes otherwise permitted or required by law. This may include Lovisa disclosing Personal Data to related companies of Lovisa or other entities with which Lovisa has a commercial relationship, including to third parties in the following cases:

7.1 LEGAL ENQUIRIES

If it is necessary to clarify an illegal use of our services or for legal prosecution, Personal Data will be forwarded to the law enforcement authorities and, if necessary, to injured third parties. However, this only happens if there are concrete indications of unlawful or abusive behaviour. Data may also be passed on if this serves to enforce contracts or other agreements. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities. This data is disclosed on the basis of our legitimate interest in combating abuse, prosecuting criminal offences, and securing, asserting, and enforcing claims, Art 6 para 1 lit f) GDPR or on the basis of a legal obligation pursuant to Art 6 para 1 lit c) GDPR.

7.2 PASSING ON DATA

We rely on contractually affiliated third-party companies and external service providers ("processors") to provide the services. In such cases, we pass on Personal Data to these processors in order to enable them to continue processing. These processors are carefully selected and regularly reviewed by us to ensure that your rights and freedoms are protected. The processors may only use the data for the purposes specified by us and we also contractually oblige these processors to process your Personal Data in accordance with applicable data protection laws.

The transfer of data to processors takes place on the basis of Art 28 para 1 GDPR. In addition to the processors already mentioned in this Privacy Policy, we also use the following categories of processors:

  • IT service providers
  • Cloud service providers
  • Hosting service providers
  • Software service providers

7.3 TRANSMISSION TO AUTHORITIES

    In the context of administrative processes and the organisation of our operations, financial accounting, and compliance with legal obligations, such as archiving, we disclose or transmit the same data that we have received in the context of the provision of our contractual services to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers.

    This data is passed on based upon our legitimate interest in maintaining our business activities, performing our tasks, and providing our services, Art 6 para 1 lit f) GDPR or on the basis of a legal obligation pursuant to Art 6 para 1 lit c) GDPR.

    7.4 COMPLIANCE

    In the course of the further development of our business, the structure of may change by changing its legal form or by founding, buying, or selling subsidiaries, parts of companies or components. In such transactions, data of our customers and contact persons in particular will be passed on together with the part of the company to be transferred. Whenever personal data is passed on to third parties to the extent described above, we ensure that this is done in accordance with this Privacy Policy and the relevant data protection laws.

    Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as required, Art 6 para 1 lit f) GDPR.

    8. PROTECTING YOUR PERSONAL DATA

    Any Personal Data collected by Lovisa will be processed fairly, lawfully, and in a transparent manner. “Processing” includes, but is not limited to, collection, storage, transfer, dissemination, or erasure of Personal Data. Lovisa takes appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data.

    However, to the extent that the Internet is not completely secure, we cannot guarantee that any of your personal information stored or sent to us will be completely safe. We encourage you to use caution when using the internet to access our web sites, applications, or social media.

    9. WEBHOSTING

    We operate our website on servers of the service provider Shopify, Inc., 150 Elgin Street, 8th Floor, Ottawa, Ontario, Canada K2P 1L4 (“Shopify”). Shopify processes your data on our behalf, i.e., exclusively according to our instructions. The processing takes place in Canada based upon the adequacy decision for Canada in accordance with Art 45 GDPR. More information regarding Shopify’s GDPR compliance can be found here:

    https://help.shopify.com/en/manual/your-account/privacy/GDPR/GDPR-Shopify

    10. APPLICATIONS

    If you contact Lovisa via our website to apply for a job, we will process your e-mail address and the other contact details you provide, as well as your application documents and the information contained therein, in order to process your application or to decide whether to offer you employment.

    We use the worldmanager.com service provided by World Manager Pty Ltd ("World Manager") Level 14, Suite 3, 383 Kent Street, Sydney, NSW 2000 Australia to process your data as part of the application process. We have engaged World Manager as a processor, which means that World Manager will only process your data in accordance with our instructions.

    Your application documents will only be made available to the persons responsible for the application within our company. The data processing is carried out on the legal basis of Sec 26 para 1, 3 German Federal Data Protection Act ("BDSG").

    If we are unable to offer you a position, your application documents will generally be retained for up to 6 months after completion of the respective application process in order to be able to answer queries in connection with your application. Further storage may take place if we feel you are a potential candidate for future employment or if this is necessary for the provision of evidence, in particular for the defence, assertion, or enforcement of claims (Art 6 para 1 lit f) GDPR).

    Otherwise, we only store your applicant data if you have expressly consented to this (Art 6 para 1 lit a) GDPR). You can withdraw your consent at any time with future effect. You can do this, for example, by using the contact details given. Withdrawing your consent does not affect the processing that took place before your withdrawal.

    11. AUTOMATED INDIVIDUAL DECISION-MAKING; INCLUDING PROFILING

    We do not use automated processing for decision-making or profiling.

    12. OVERSEAS DISCLOSURE AND TRANSFERS

    In instances where Personal Data is collected inside the EU or European Economic Area (“EEA”) and transferred to countries without adequacy decisions (see Art 45 GDPR and https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en for further information), transfers within the Lovisa Group will only be carried out in accordance with its binding corporate rules relating to data transfers outside the EU / EEA. 

    In all other cases, we make use of the standard contractual clauses approved by the EU Commission in accordance with Art 46 para 2 lit c) GDPR when structuring contractual relationships with recipients in third countries. With our service providers who process your data on our behalf ("processors"), we conclude the standard contractual clauses for transfers to processors in third countries. For transfers to third parties who act as controllers in third countries, we use the standard contractual clauses for transfers to third parties as data controllers. You can request a copy of these standard contractual clauses using the contact details.

    Some of the parties to whom Lovisa discloses your Personal Data may be located outside Australia, including in the United States of America, United Kingdom, Canada and the Philippines and related companies of Lovisa located in countries including the United States of America, Europe, including France, the Netherlands and Switzerland, the United Kingdom, the Philippines, Israel and Bulgaria. We also take reasonable steps to ensure that any such overseas recipients do not hold, use or disclose your Personal Data in a way that is inconsistent with the obligations imposed under the Privacy Act and the Australian Privacy Principles in the Privacy Act.

    13. HOW WE SECURE YOUR PERSONAL DATA

    We have an obligation to ensure that your Personal Data is protected from unauthorised processing, accidental disclosure, access, loss, destruction, or alteration. Accordingly, we have a range of technical security measures and procedures in place to ensure that your personal information is protected appropriately. These include but are not limited to:

    • Restricting access to information systems through access control measures and authentication techniques;
    • Encrypting sensitive data while at rest and in transmission;
    • Providing information security training to internal employees; and
    • Binding employees and contractors to information security policies.

    Your Personal Data will be kept on databases held on servers kept in a physically and technologically secured environment, accessed only by authorised personnel or contractors. Where personal information is held in hard copy, it will be held in controlled, access restricted premises which only authorised personnel or contractors will be permitted to access.

    1. REQUIREMENT TO PROVIDE DATA

    You are neither legally nor contractually obliged to provide your Personal Data (including any sensitive information).

    However, the provision of your Personal Data is necessary to a certain extent so that we can provide you with the functions on our website and our services. In particular, the provision of your Personal Data is necessary to enable us to receive and process your enquiries, to enable us to initiate or execute contracts, and to enable you to use the community functions in connection with our social media presences.

    If it is necessary to provide your data, we will indicate this by marking the relevant field as mandatory. The provision of further Personal Data is voluntary. In the case of required Personal Data, failure to provide this Personal Data will result in Lovisa not being able to provide the corresponding functions and services, in particular we will not be able to receive and process your enquiries and/or enable the initiation or execution of a contract. Furthermore, you will not be able to use the community functions of our social media sites. If you do not provide us with the required Personal Data in connection with your application, we will not be able to consider your application. Insofar as voluntary information is concerned, the failure to provide it means that we cannot provide the corresponding functions and services or cannot provide them to the usual extent.

    1. PROCESSING FOR OTHER PURPOSES

    Your data will only be processed for purposes other than those described in this Privacy Policy if this is permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.

    1. RETENTION OF PERSONAL DATA

    Unless otherwise stated within this Privacy Policy, we will delete or anonymise your Personal Data as soon as it is no longer required for Lovisa to achieve the purpose for which we collected or used your Personal Data.

    Insofar as Lovisa is legally obliged to store your Personal Data, we also store it for the legally required period (Art 6 para 1 lit c) GDPR). Legal storage requirements may arise in particular from the retention periods (e.g. the German Commercial Code (HGB) or the German Fiscal Code (AO)). The retention period according to these regulations is usually between 6 and 10 years from the end of the year in which the corresponding process was completed, e.g., we have finally processed your enquiry, or the contract has ended or your piercing was completed. Your Personal Data will then be archived to be used in the event of a litigation or dispute for the statute of limitation term applicable to the related purpose. If a judicial action is initiated, the personal information may be stored until the end of such action, including any potential periods for appeal, and will then be deleted or archived as permitted by applicable law. The storage is based on our legitimate interest, the proper documentation of our business operations and the protection of our legal positions (Art 6 para 1 lit f) GDPR). If your Personal Data is relevant to the initiation of a contract or the execution of contracts, it is stored for the initiation and execution of the respective contractual relationship (Art 6 para 1 lit b) GDPR).

    Your Personal Data will then be anonymised or deleted.

    1. WHAT ARE YOUR RIGHTS? 
    17.1 RIGHT TO ACCESS

      You have the right to request information on the Personal Data that Lovisa holds about you. You are entitled to know what Personal Data we are processing, why we have processed it, and whether we have shared your Personal Data. You may exercise your right to request access and to obtain copies of any Personal Data we have collected from you, and request that your Personal Data be provided to you in a format that can be easily read.

      You can contact our Privacy Officer using the contact details in the contact section of this Privacy Policy and we will provide you with your Personal Data via e-mail.

      17.2 RIGHT TO RECTIFICATION

      You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete by contacting https://www.lovisa.com.au/pages/contact-us.

      If you are dissatisfied with Lovisa’s refusal to grant correction of your Personal Data, you may make a complaint to the relevant regulatory authority, including the Office of the Australian Information Commissioner.

      17.3 RIGHT TO OBJECT

      You have the right to object to the processing of your Personal Data that is done based upon Art 6 para 1 lit e) or f) GDPR (Art 6 para 1 lit f) GDPR being Lovisa’s legitimate interests). Lovisa will not continue to process the Personal Data unless we can demonstrate a legitimate ground which overrides your interest and rights, or due to legal claims.

      You also have the right to object to direct marketing. You can opt out from Lovisa’s direct marketing by following the instructions contained in each marketing e-mail. After your objection, we will stop the processing.

      17.4 RIGHT TO RESTRICTION

      In limited circumstances, you have the right to request that Lovisa restricts the processing of your Personal Data. These circumstances include:

      • If you object to a processing based on Lovisa’s legitimate interest, in which case Lovisa shall restrict all processing of the data pending the verification of the legitimate interest;
      • If your Personal Data is incorrect, in which case Lovisa will restrict the processing of your data pending verification of the accuracy of your Personal Data; and
      • If the processing is unlawful, in which case you can request restriction of your Personal Data as opposed to deletion.

      The right also applies if Lovisa no longer requires your Personal Data but it is required by you to defend legal claims.

      We process the Personal Data you provide to Lovisa when making use of your aforementioned rights for the purpose of enabling these rights and to be able to provide proof thereof. This processing is based on the legal basis of Art 6 para 1 lit c) GDPR in conjunction with Art 15 - 22 GDPR and Section 34 para 2 German Federal Data Protection Act (“BDSG”).

      17.5 RIGHT TO DATA PORTABILITY

      This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract, and the processing is automated.

      17.6 RIGHT TO LODGE A COMPLAINT

      You have a right to make a complaint if you are unhappy with how your personal information has been treated under this privacy policy.  Such complaints should be sent to the Lovisa Privacy Officer at privacy@lovisa.com.  At all times, privacy complaints:

      • will be treated seriously;
      • will be dealt with promptly;
      • will be dealt with in a confidential manner; and
      • will not affect your existing obligations or affect the commercial arrangements between you and Lovisa.

      We will seek to resolve your complaint within 30 days of receipt, unless we inform you otherwise and seek your agreement in writing.

      On receipt of your complaint, our Privacy Officer will commence an investigation and you will be informed of the outcome following completion of the investigation.  In the event that you are dissatisfied with the outcome of your complaint, or an extension to the time in which Lovisa will resolve it, you may refer the complaint to the Office of the Australian Information Commissioner (www.oaic.gov.au).

      1. CONSENT MANAGEMENT

      You can manage your consent and take other data-related actions on the Data Privacy page.

      1. BREACH

      In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, Lovisa will assess the risk to your rights and freedoms and if appropriate report this breach to the relevant authorities.

      1. CONTACT US

      If you have any questions or comments about this Privacy Policy, email us at privacy@lovisa.com, or write to us at:

      Privacy Officer

      Lovisa Pty Ltd

      Level 1, 818 Glenferrie Road Hawthorn

      Victoria 3122

      Australia