PERSONAL DATA PROTECTION POLICY

• We respect your privacy and your choices.
• We make sure that privacy and security are embedded in everything we do.
• We will not send you marketing communications unless you have asked us to. You can change your mind at any time.
• We will never share or sell your personal data.
• We are committed to keeping your personal data safe and secure. This includes only working with trusted partners. 
• We are committed to openness and transparency about how we use your personal data.
• We will not use your personal data in ways that we have not told you about.
• We respect your rights and will always try to accommodate your requests as far as is possible, in line with our own legal and operational responsibilities.
  
   

In order to further explain our data protection and privacy practices, we set out below the different types of personal data we may obtain directly from you or as a result of your interaction with us, how we may use it, with whom we may share it, how we protect it and ensure its security, and the rights you have in relation to your personal data. Of course, not all of these situations may apply to you. This privacy policy is intended to give you an overview of the range of situations in which we may interact with each other.

The more you communicate with us and provide us with information about yourself, the better we are able to provide you with personalised services.
When you provide us with personal data or when we collect personal data from you, we will use it in accordance with this Policy. Please read this information carefully, as well as our Frequently Asked Questions (FAQ) page. If you have any questions or concerns about your personal data, please contact us at [email protected].

CTRP, Centre Thermal de la Roche Posay is responsible for the personal data you provide to us. The terms "CTRP", "we", "us" or "our" used herein refer to the CTRP company. In accordance with the applicable regulations on the protection of personal data, CTRP is the "data controller". 

CTRP, a simplified joint stock company with a capital of 5,647,105.00 euros, whose registered office is located at 4 Cours Pasteur - 86270 La Roche Posay, registered in the Poitiers Trade and Companies Register under the number 533 334 660 RCS, intra-community VAT number FR50 533334660.

Representative : Mr. Julien PRINCE

CTRP is part of the L'Oréal Group.

"Personal data" means any information or pieces of information that could identify you directly (e.g. your name) or indirectly (e.g. through pseudonymised data such as a unique identifier). This means that personal data includes information such as postal/email addresses, mobile phone numbers, usernames, profile pictures, personal preferences and shopping habits, user-generated content, financial data and information relating to your beauty/wellbeing. Personal data may also include unique numerical identifiers such as your computer’s IP address or your mobile device’s MAC address, as well as cookies.

CTRP believes that you, as a consumer, are central to everything we do. We like to receive information from you, get to know you, and create and deliver services and products that you value. And we know that many of you like to communicate with us. For these reasons, there are many ways that you might share your personal data with us and ways we can collect it.

We may collect or receive personal data from you you in a number of ways, including via our websites, questionnaires, applications, devices, CTRP service, product or brand pages on social networks or by any other means. In some cases, you provide us with personal data directly (e.g. when you create an account, when you contact us, or when you make a purchase on our websites/applications or in a spa/care facility/store). In other cases, we collect such data (e.g., by using cookies to understand how you use our websites/applications) or when the data in question is sent to us by third parties, including other L'Oréal Group entities.

Where we collect data, we mark mandatory fields with an asterisk. Some of the data we request from you is necessary for the following reasons:

• The performance of the contract we have entered into with you (e.g. in order to organise and collect the treatment you have ordered or to deliver the goods you have purchased on our website/application);
• To provide the service you have requested from us (e.g. to send you a newsletter);
• Fulfilling legal obligations (e.g. billing).
• Failure to complete the fields marked with an asterisk may affect our ability to treat you for the services and products you have requested.

If you do not provide the personal data marked with an asterisk, this may affect the goods and services that we can provide.

A NOTE ON SENSITIVE PERSONAL DATA
The processing of special categories of personal data (or ‘sensitive personal data’) is limited to data made public by you or a third party on your behalf, or where you have given us consent to use such information.  For example, we may need to understand your health, including dietary, requirements when preparing access and catering for an event you are attending, or when handling a query or complaint made by you.  We will always check such requirements with you and you only need provide the information you are comfortable with us using.

The table below provides more detailed information explaining the following:

1. In what situations may your personal data be provided or collected? This column lists the events in which you engage, or the situations in which you find yourself, when we use or collect your personal data. For example, if you are making a purchase, signing up for a newsletter or browsing a website/application.
2. What personal data can we obtain directly from you, or as a result of your interaction with us? This column shows what types of data, about you, we may collect depending on the situation.
3. How and why may we use it? This column explains what we may do with your data, and for what purposes we collect it.
4. What is the legal basis for our use of your personal data? This column explains why we may use your data.

Depending on the purpose for which the data is used, the legal basis for processing your data may be:

• Your consent ;
• Our legitimate interest which may include:
  • The improvement of our products and services, and more specifically our business interests to help us better understand your needs and expectations and thus improve our services, in the interest of our customers: websites / applications / devices, products and brands.
  • Fraud prevention, to ensure that payments are made and not subject to fraud or embezzlement.
  • Securing our tools, to ensure the protection and security of the tools you use (our websites/applications/devices) and to ensure that they work properly and are continuously improved.
• The performance of a contract, specifically the provision of the services you request from us.
• Legal obligations where the processing of data is required by applicable legislation.

Click here for a detailed overview of the information about your interactions with us, and their consequences for your personal data.

Automated decision making means the ability to make decisions using technology, without human involvement.

In order to secure transactions on our websites/applications/devices and to protect them against fraud and embezzlement, we use a solution developed by a third party provider.

The fraud detection solution is based on, among other things, the following methods: simple comparisons, association rules, clustering, prediction and outlier detection using intelligent agents, data fusion techniques and various data mining techniques.

This fraud detection process may be fully automated or may involve human intervention where the final decision is made by a person. In all cases, we take all reasonable precautions and safeguards to limit access to your personal data.

Due to automatic fraud detection, (i) the processing of your order/application may be delayed while we review your transaction; and (ii) you may be excluded from a service, or access to the service may be limited if a fraud risk is detected. You have the right to access the information on which our decision is based. See the section "Your rights and choices" below.

When we send or display personalised communications or content, we may use certain techniques known as "profiling" (defined as any form of automated processing of personal data which involves using that personal data to evaluate certain personal aspects relating to an individual - including analysing or predicting matters relating to that individual's personal preferences, interests, financial situation, reliability, behaviour, location, health, reliability, or movements). This means that we may collect personal data about you in the different scenarios mentioned in the table above. We aggregate this data and analyse it to assess and predict your personal preferences and/or interests.

Based on this analysis, we send or display communications and/or content suitable to your interests/needs.

You have the right in certain circumstances to object to the use of your data for "profiling" purposes. Please see "Your rights and choices" below.

We are always responsible for personal data that we collect about you. In some cases, for example when we collaborate with our trusted partners, we may be jointly responsible with those partners for protecting your personal data. 
Our data protection commitments as joint controllers are as follows:

• We will agree the respective roles and responsibilities of each party involved;
• We will make sure that both parties are transparent about the joint purposes for processing your personal data, and explain how your personal data is used for these purposes; and
• We will make sure that you are always able to exercise your legal rights.

Where we work jointly with another party, we will inform you about your rights and other important information at the point we ask for your personal data.

We may share your personal data within CTRP to prevent fraud and/or to secure our tools, to improve our products and services or after obtaining your consent.
We may also share your personal data in a pseudonymised form (i.e. not directly identifiable) with scientists at L'Oréal's medical and academic research centres or Research & Innovation division for research and innovation purposes.

Where permitted, we may also share some of your personal data, including that collected through cookies, between our brands, in order to harmonise and update the information you provide to us, to produce statistics based on your characteristics and to tailor our communications.

We invite you to visit the L'Oréal Group's La Roche Posay Brand website for more information about the L'Oréal Group, its brands and sites.

Your personal data may also be processed on our behalf by trusted service providers.

We use trusted third parties to perform a range of business operations and tasks on our behalf. We only provide them with the information they need to carry out the service, and require them not to use your personal data for any other purpose. We always make every effort to ensure that all such third parties with whom we work, maintain the confidentiality and security of your data. We may, for example, ask to provide services that require the processing of your personal data to :

• Third parties who assist and support us in providing digital and e-commerce services, such as social listening, shop locator, loyalty programmes, identity management, rating and comment management, customer relationship management (CRM), web analytics and search engines, user generated content creation tools;
• Advertisers, marketing agencies, social networking and digital agencies to help us run advertising, marketing and sales campaigns, analyse their effectiveness and help us help you with your contacts and queries;
• Third parties that are needed to provide and deliver a product to you, for example, postal/delivery services;
• Third parties who assist us in providing IT services, such as platform providers, hosting services, maintenance and support services for our databases and software and applications which may contain your data (these services may sometimes require access to your data in order to perform the requested tasks);
• Payment service providers and market intelligence agencies for the purposes of assessing your creditworthiness and verifying your information where required, to enter into a contract with you;
• Third parties who assist us in studies and who carry out research programmes on behalf of the professional bodies of which we are members (CNETH and AFRETH) in the field of thermal medicine or satisfaction surveys which have been the subject of an agreement with the UNCAM;
• Third parties who help us with customer service.

We may also disclose your personal data to third parties:

• If we sell a business or assets, in which case we may disclose your personal data to the prospective purchaser of that business or assets. If CTRP or any part of its assets are acquired by a third party, the personal data held about its customers and related to those assets is one of the transferred assets. In the latter case, the acquirer who will work as the new data controller will process your data and its data protection policy will govern the processing of your personal data.
• If we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our terms of use/sale or any other terms you have agreed to; or to protect the rights, property or safety of CTRP, its customers or employees.

If we have your consent. Or if we are permitted to do so by law. We may disclose your personal data to our partners:

If the service you sign up for has been created by CTRP in collaboration with a partner (e.g., a co-branded application). In this case, CTRP and the partner concerned will each process your personal data for their own purposes. Thus, your data is processed:

• By CTRP in accordance with this Privacy Policy;
• By the partner also working as a data controller on its own terms and conditions and in accordance with its own data protection policy.
• If you have agreed to receive communications or marketing from a CTRP partner through a designed registration/opt-in procedure (e.g. via an application marketed by CTRP and made available to its partners). In this case, your data will be processed by the partner working as a data controller under its own terms and conditions and in accordance with its data protection policy.
• We may publish content from social networks on our supports. If you view content from social networks on our website/applications, a cookie from the relevant social network may be placed on your device. For more information, please read the Cookie Policy of those social networks.
• When we use Google advertising services on our websites/applications, Google will have access to and use your personal data. If you would like to know more about how Google uses your personal data in this context, please see Google's Privacy Policy and Terms of Service, which governs these services and the related data processing.

 

Information Meta collects and shares with us:
All Facebook features and services available on our websites/apps are governed by the Facebook Privacy Policy, where you can find more information about your rights and settings options.
By using any of our websites/apps, you can:

Register with your Facebook account. In this case, you agree to share certain information from your public profile with us;

Use Facebook social plug-ins, such as "like", or "share" our content on the Facebook platform;

Accepting cookies from this website/application (also known as "Facebook Pixel"), which will help us understand your activities, including information about your device, how you use our services, the purchases you make, and the advertisements you view, whether or not you have a Facebook account or are logged into Facebook.
When you use these Facebook features, we collect data that helps us to:

Display ads that may be of interest to you on Facebook (or Instagram, Messenger, or any other Facebook service);

Measure and analyse the effectiveness of our websites/apps and advertisements.

We may also use the personal information you provide to us on this website/application (such as your first and last name, email address, gender, and phone number) to identify you on Facebook (or Instagram, Messenger, or any other Facebook service) in order to display ads that are more relevant to you. In doing so, Facebook will not share your personal information and will delete the information once this matching process is complete.

The data we collect from you may be transferred to, accessed from and stored in a country outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our service providers. 

CTRP will only transfer personal data outside the EEA in a secure manner and in accordance with applicable law. As some countries may not have laws governing the use and transfer of personal data, we will take all necessary steps to ensure that such third parties comply with the terms of this Policy. These measures may include monitoring the personal data protection and security standards applied by such third parties and/or signing appropriate contracts (based on the model adopted by the Commission of the European Union).

When we transfer your personal data outside of the territories described above, we take all necessary steps to ensure that such third parties comply with the terms of this Policy and we:

• Review and/or enter into appropriate contracts (including adding the European Commission’s standard contractual clauses; or
• Rely on the applicable European Commission adequacy decision which finds the third country to which we may transfer your personal data offers an adequate level of data protection

For any different information, please contact us in accordance with the instructions in the "Contact" section below.

We will only keep your personal data for as long as is necessary to fulfil the purpose for which we hold the data, to meet your needs or to fulfil our legal obligations. 

In determining how long we keep your data, we apply the following criteria:

• If you purchase products and services, we will retain your personal data for the duration of our contractual relationship; 
• If you purchase spa treatments, we will retain your personal data until you ask us to delete it (which we will do subject to legitimate or legal grounds for retention) or delete it after a period of inactivity (no active interaction with the brands) of ten years; 
• If you purchase Spa and wellness skin care, we will retain your personal data until you ask us to delete it (which we will do subject to legitimate or legal grounds for retention) or delete it after a period of inactivity (no active interaction with the brands) of five years; 
• If you join a loyalty programme, we will retain your personal data for the duration of your participation in the programme;
• If you participate in a competition, we will keep your personal data for 3 months after the end of the competition;
• If you wish to be informed about the availability of a product or service, we will keep your personal data for 3 months from the notification sent to you;
• If you participate in a promotional offer, we will retain your personal data for the duration of the promotional offer;
• If you contact us in connection with an enquiry, we will retain your personal data for as long as is necessary to process your enquiry;
• If you create an account, we will retain your personal data until you ask us to delete it or after a period of inactivity (no active interaction with the brands) as defined by local regulations and instructions; 
• If you have consented to receive marketing messages, we will retain your personal data until you unsubscribe or request us to delete it or after a period of inactivity (no active interaction with the brands) of three years; 
• If cookies are placed on your computer, we retain your data only for as long as is necessary to fulfil their purpose (e.g. for the duration of a session for shopping cart cookies or session identification cookies) and for any period of time as defined by local regulations and instructions.

 
We may retain certain personal data in order to fulfil our legal or regulatory obligations, and to enable us to exercise our rights (e.g. to bring an action before any court) or for statistical or historical purposes.

When we no longer need to use your personal data, we will delete it from our systems and files or anonymise it so that it no longer identifies you. 

We attach great importance to the protection of your personal data, and take all reasonable precautions to ensure this. We require trusted third parties who help us with your personal data to do the same by contract.

We always do our utmost to protect your personal data. Upon receipt of your data, we apply strict procedures and security measures to try to prevent unauthorised access. As data transmission via the Internet is not completely secure, we cannot guarantee the absolute security of your data transmitted to our site. Therefore, any transmission is at your own risk. 

Our websites and applications may occasionally contain links to websites belonging to our networks, advertisers and affiliate partners. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we are not responsible for these policies. We encourage you to review the terms of these policies prior to submitting any personal data to these websites.

We may also treat you as a member of your social networks. If you choose to do so, please note that you are providing us with your profile information based on the settings of the social networks you use. We invite you to visit the relevant social media and consult its privacy policy to understand how your data is shared and used in this context.

Some of our websites and applications allow users to upload their own content. We remind you that any content submitted to any of the social networks we use may be publicly available. Therefore, we urge you to be cautious about providing certain personal data such as financial data or an address. We are not responsible for any actions taken by third parties in the event that you post personal data on one of our social networks, and we recommend that you do not disclose such information.

CTRP respects your right to privacy: it is important that you have control over your personal data. You have the following rights: 

If you have any questions or comments about the way we process and use your personal data, or if you wish to exercise any of your rights mentioned above, please contact us at the following e-mail address: [email protected] or write to us at the following address Centre Thermal de La Roche-Posay, 4 cours Pasteur - 86270 La Roche Posay

You can also contact our DPO at the following address: [email protected]

If you believe that the processing of your personal data does not comply with the regulations on the protection of personal data, you have the right to lodge a complaint with the supervisory authority at the following address:

Cnil - Service des plaintes
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Phone: + 33 (0)1 53 73 22 22

SPECIAL PROVISIONS FOR FRANCE

We remind you that in accordance with the provisions of article 85 of the modified law 78-17 of 6 January 1978, you have the right to formulate general directives (with a trusted digital third party certified by the CNIL) or particular directives (with the data controller) relating to the conservation, deletion and communication of your personal data after your death.

Please note, we may make changes this Privacy Policy from time to time. Changes may be due to, for example, amendments to applicable laws, regulations or due to changes we make to our services. We encourage you to review our Privacy Policy to stay informed.