Privacy Policy

Last revised August 2023

1. Name and address of the Controller and information about our Data Protection Officer

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

  • KPSS (UK) Limited, 6 Agar Street London, WC2N 4HN
  • Kao Germany GmbH, Pfungstädter Strasse 98-100, 64297 Darmstadt, Germany (part of the Kao Group) is the EU representative in Germany and EU.

2. Categories of Personal Data and Processing Purposes - What personal data do we process about you and why?

2.1 Metadata

You may use this Website without providing any personal data about you. In this case, we will collect only the following metadata that result from your usage of the Website: browser type and version, operating system and interface, website from which you are visiting us (referrer URL), webpage(s) you are visiting on our Website, date and time of accessing our Website and internet protocol (IP) address.

Your IP address will be used to enable your access to our Website. The metadata will be used to improve the quality and services of our Website and services by analysing the usage behaviour of our users.

2.2 Contacting Us

When you contact us via email, we will collect your email address andany other information you provide within the subject line and body of the email. We will only use this information for the purpose of corresponding with you to resolve your query. We will delete your personal data as soon as we have processed your request or you withdraw your consent.

2.3 Newsletter

If you request to receive our newsletter, we process the following information from you, which can also include personal data: your email address.The provision of further personal data (for example your name) is possible, but not mandatory. We process such personal data for purposes of providing the newsletter to the extent permitted by applicable law and analysing your interests for marketing purposes. Salutation and your name are requested in order to provide you with a personalized experience. Under certain circumstances, the newsletter will not be sent by the Controller, but by another “Kao company” of the “Kao Group”. In this case, this “Kao company” will also receive
your email address.

2.4 Salon Finder

On our website you have the opportunity to find the nearest salons to your location that offers our products. You have the option of having your location determined by geolocation based on your IP address or by manually entering a postal code or address. There is no storage or linking of your location data with other personal data.

2.5 Customer account

When you create an account for our webshop, you will be asked to provide the following information, which may include personal data: first name, last name, email address, self-selected password.

We process this personal data for account management purposes, to respond to your inquiries or requests for information, to analyse your interests for marketing purposes, to improve our webshop according to user behaviour, and for technical administration or other purposes to which you have
consented.

The legal basis for processing your personal data is your consent, the fulfillment of a contract and/or our legitimate interest in pursuing the aforementioned purposes.

2.6 Product orders

When you order a product / products via our webshop, we collect and process the following personal data from you: salutation, first and last name, email address, phone number, billing and shipping address, and the products ordered, in order to provide you with the requested products or services and related information.

This personal data is added to your personal data stored in connection with your account unless you check out as a guest.

We process such personal data to perform the contractual relationship and product order, to comply with legal obligations, to defend, establish and enforce legal claims and to analyse your interests for marketing purposes.

The processing of your personal data is based on one of the following legal grounds: your consent (if required), performance of a contract, legal obligation and/or legitimate interest, as we have an interest in pursuing the purposes mentioned in the previous section.

2.7 Payment

We process your personal data to document and process the payment transactions you make on our website.

The following categories of personal data are processed: name, information about the third-party payment provider used, payment confirmation, address.

We base the processing of your personal data on the following legal grounds: performance of a contract, legal obligation, legitimate interest to protect our business and legal interests.

2.8 Competitions

If you participate in a competition, we may collect and process the following personal data about you: name, gender (salutation), postal address, email address, telephone number and selection as winner. We process such personal data for purposes of carrying out the competition, informing the winner, delivering the prize to the winner, carrying out the event, and providing you with marketing materials where you have provided us consent to do so, to the extent permitted by applicable law, and analysing your interests for marketing purposes.

3. Our appearances in social networks

We have various presences in so-called social media platforms. We operate the presences with the following providers:

We rely on the technical platform and services of the providers for these information services. We would like to point out that you use our appearances on social media platforms and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g., commenting, sharing, rating). When you visit our websites, the providers of the social media platforms collect, among other things, your IP address and other information that is available in the form of cookies on your terminal device. This information is used to provide us, as the operator of the accounts, with statistical information about the interaction with us.

The data collected about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the USA. Where this is the case, we ensure that we have the necessary safeguards in place with the companies for the transfer of your data, namely standard data protection clauses, however, we recommend that you regularly review the privacy policies of these platforms (linked above) as they will be controllers of any data provided to them via cookies or otherwise. We are not aware of how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long this data is stored and whether data is passed on to third parties. The data processing may differ depending on whether you are registered and logged in to the social network or visit the site as a non-registered and/or non-logged-in user. When you access a post or the account, the IP address assigned to your terminal device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your end device can be used to track how you have moved around the network. Buttons embedded in websites enable the platforms to record your visits to these website pages and assign them to your respective profile. Based on this data, content or advertising can be offered tailored to you. If you wish to avoid this, you should log out or deactivate the "stay logged
in" function, delete the cookies present on your device and restart your
browser.

We, as the provider of the information service, only process the data from your use of our service that you provide to us and that requires interaction. If, for example, you ask a question that we can only answer by e-mail, we will store your information in accordance with the general principles of our data processing, which we describe in this privacy policy. The legal basis for the processing of your data on the social media platform is Art. 6 (1) p. 1 lit. f GDPR.

To exercise your data subject rights, you can contact us or the provider of the social media platform. To the extent that one party is not responsible for responding or must receive the information from the other party, we or the provider will then forward your request to the respective partner. Please contact the operator of the social media platform directly for questions about the profiling, processing of your data when using the website. For questions about the processing of your interaction with us on our site, write to the contact details provided by us above.

The providers describe what information the social media platform receives and how it is used in their privacy statements. There you will also find information about contact options as well as about the settings options for advertisements.

4. Processing Basis and Consequences - What is the legal basis for processing your personal data and what happens if you choose not to provide it?

We rely on the following legal grounds for the collection, processing, and use of your personal data:

  • your consent to the processing of your data for one or more specific purposes;

  • the fulfillment of the purchase-contract in cases that you place an order in our webshop;

  • the provision of your personal data is not required by a statutory or contractual obligation when you just browse our website. However, the provision of your personal data is necessary to enter into a contract with us or to receive our services/products as requested by you.


Not providing your personal data may result in disadvantages for you; for example, you may not be able to receive certain products and services. However, unless otherwise specified, not providing your personal data will not result in legal consequences for you.

5. Categories of Recipients and International Transfers - Who do we transfer your personal data to and where are they located?

We may transfer your personal data to third parties for the processing purposes described above as follows:

  • Within the Kao Group: Our parent entity, Kao Corporation in Japan, and each of its affiliates and/or subsidiaries (each affiliate or subsidiary including us referred to as "Kao Company") within the global Kao Group may receive your personal data as necessary for the processing purposes described above. Depending on the categories of personal data and the purposes for which the personal data has been collected, different internal departments within the Kao Company may receive your personal data. Moreover, other departments within the Kao Company may have access to certain personal data about you on a need-to-know basis,
    such as the legal department, the finance department or internal auditing.

  • With data processors: Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data under appropriate instructions ("Processors") as necessary for the processing purposes described above, such as Website service providers, order fulfilment providers, customer care providers, marketing service providers, IT support service providers, and other service providers who support us in maintaining our commercial relationship with you. The Processors will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal data, and to process the personal data only as instructed.

  • Other recipients: We may transfer - in compliance with applicable data protection law - personal data to law enforcement agencies, governmental authorities, judicial
    authorities, legal counsel, external consultants, or business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition. We will not disclose your personal data to third parties for advertising or marketing purposes or for any other purposes without permission. Any access to your personal data is restricted to those individuals that have a need-to-know in order to fulfill their job responsibilities.

International transfers: The personal data that we collect or receive about you may be transferred to and processed by recipients that are located inside or outside the European Economic Area ("EEA"). Recipients outside of the EEA are located in countries with adequacy decisions (in particular, Andorra, Argentina, Canada (for non-public organizations subject to the Canadian Personal Information Protection and Electronic Documents Act), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Japan, United Kingdom, Uruguay and, in each case, the transfer is
thereby recognized as providing an adequate level of data protection from a European data protection law perspective. Other recipients might be located in countries which do not adduce an adequate level of protection from a European data protection law perspective. We will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. With respect to transfers to countries not providing an adequate level of data protection, we will base the transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission or by a supervisory authority, approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient. You can ask for a copy of such appropriate safeguards by contacting us as set out in Section 8 below.

6. Children’s Personal Data

Customers need to be over 18 years old to create an account with us and to sign up to receive our newsletter. We do not knowingly collect Personal Data from children under the age of eighteen (18).

7. Retention Period - How long do we keep your personal data?

Your personal data will be retained as long as necessary to provide you with the services and/ or products requested by you. Once you have terminated the contractual relationship with us or otherwise ended your relationship with us, we will remove your personal data from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which the Kao Company is subject, e.g., taxation purposes).

Also, we may be required by applicable law to retain certain of your personal data for a period of 10 years after the relevant taxation year. We may also retain your personal data after the termination of the contractual relationship if your
personal data are necessary to comply with other applicable laws or if we need your personal data to establish, exercise or defend a legal claim, on a need-to know basis only. To the extent possible, we will restrict the processing of your personal data for such limited purposes after the termination of the contractual relationship.

8. Your Rights - What rights do you have and how can you assert your rights?

  • Right to withdraw your consent: If you have declared your consent regarding certain collecting, processing and use of your personal data (in particular, regarding the receipt of direct marketing communication), you can withdraw this consent at any time. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. The withdrawal can be made without formalities and should preferably be addressed to dataprivacy.emea@kao.com. Further, you can unsubscribe from our marketing at any time by contacting us on the above email address or by clicking the ‘unsubscribe’ link in any of our marketing emails.

  • Further data privacy rights: Pursuant to applicable data protection law, you may have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; and/or (vi) object to the processing of your personal data (including objection to profiling).


Please note that these aforementioned rights might be limited under the applicable local data protection law. Below please find further information on your rights to the extent that the GDPR applies:

  • Right to request access to your personal data: You may have the right to obtain from us confirmation as to whether personal data concerning you is being processed, and, where that is the case, to request access to the personal data. This access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, this is not an absolute right, and the interests of other individuals may restrict your right of access. You may have the right to obtain a copy of the personal data undergoing processing free of charge. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

  • Right to request rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  • Right to request erasure (right to be forgotten): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.

  • Right to request restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In such case,
    the respective data will be marked and may only be processed by us for certain purposes.

  • Right to request data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

  • Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Such right to object may especially apply if we collect and process your personal data for profiling purposes in order to better understand your interests in our products and services or for direct marketing.

    If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. You may exercise this right by contacting us as stated in Section 8 below.

    Such a right to object may, in particular, not exist if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.


To exercise your rights, please contact us as stated under Section 8 below. You also have the right to lodge a complaint with the competent data protection supervisory authority.

9. Cookies and other tracking technologies

This Website uses cookies and other tracking technologies. For further information, please visit our Cookie Policy.

10. Question and Contact Information

If you have any questions about this Privacy Policy contact us at dataprivacy.emea@kao.com; or if you want to exercise your rights as stated above in Section 6, please contact us at: www.kao.com/global/en/EU-Data-Subject-Request/