Privacy Policy - O Boticário

This website is managed and administered by Tudo Azul SA, which carries out continuous work to guarantee the protection of personal data provided by the holder, processing the information under the terms provided for in Portuguese laws no. 58/2019 and 59/2019 of August 8, 2019, in accordance with Regulation (EU) 2016/679 of April 27, 2016. Tudo Azul also applies the best cybersecurity and data protection practices described in ISO/IEC 27001:2013, ISO/IEC 27701:2019, ENISA, NIST CSF and CERT-RMM, among other good market practices.

This privacy policy describes:

  1. Who are we?
  2. Who is responsible for processing my personal data?
  3. What personal data does Tudo Azul collect? How?
  4. For what purposes are my personal data collected?
  5. What is the legal basis for processing my data?
  6. How long will my personal data be kept?
  7. How do you store my personal data?
  8. How is my access to the platform managed?
  9. To which entities can my personal data be sent?
  10. What are my rights?
  11. How can I find out about any changes to this privacy policy?

  1. Who are we?

TUDO AZUL – COMÉRCIO DE PRODUTOS NATURAIS, SA (“TUDO AZUL”), with registered offices at Edifício Espace, Alameda dos Oceanos, No. 59 - Floor 3 - Block C, 1900-207 LISBON, is an integrated group of companies including O Boticário, a brand linked to O BOTICÁRIO FRANCHISING, licensed to Tudo Azul, whose main activity is the marketing of natural products, hygiene, cosmetics and perfumery products.

TUDO AZUL is committed to protecting the personal data of users of products and services, as well as the personal data of their respective holders in all situations in which personal data is processed by the various companies and entities of TUDO AZUL, having, in this context, drawn up this Policy, which is based on its commitment to respecting the rules for the protection of personal data.

  2. Who is responsible for processing my personal data?

TUDO AZUL is the entity responsible for processing personal data and determines the purposes and means of processing them.

For this purpose, if the holder of personal data needs to contact the person responsible for data processing, they can contact us and our data protection officer via email privacidade.pt@grupoboticario.com or through the portal:

Data subject portal at Boticário, to manage your rights (for more information on what your rights are as a data subject, see item 9 - What are my rights? in this policy).

  3. What personal data is collected? How?

| ID | Collection Means | Personal Data Category |
|---|---|---|
| 1 | Website Registration www.oboticario.pt (Newsletter) | E-mail |
| 2 | Website Registration www.oboticario.pt | E-mail; Password |
| 3 | Website Registration www.oboticario.pt | E-mail; Name; Username; Phone number; NIF; Household; Location; Postal Code; Purchase history |
| 4 | Website Registration www.oboticario.pt | Order Data; Purchasing behavior |
| 5 | Website Registration www.oboticario.pt (Contacts) | Name and Surname; Phone number; E-mail; Other information you have shared with us regarding your question (which may include information about wellbeing and health) |
| 6 | Website Registration www.oboticario.pt | Social media profile (when you choose to register via social media) |
| 7 | Registration on the website www.oboticario.pt or in annual campaigns (separate website promoted on social networks) | Name; E-mail; Phone number; Household; Date of birth; NIF; Purchase History |
| 8 | Registration on the website www.oboticario.pt | E-mail; Name; Purchase History |
| 9 | Registration or browsing on the website www.oboticario.pt | IP Address |
| 10 | Registration on the website www.oboticario.pt | Order data; Gender; Date of birth; Geographical area; Nationality; Purchasing behavior |
| 11 | Satisfaction survey (by email) | Name; E-mail; Opinions |

  4. For what purposes are my personal data collected?

TUDO AZUL collects your personal data, namely by telephone, in writing, through its websites and through the Customer area, ensuring, whenever necessary, the prior consent of the holder of the personal data.

If the holder of the personal data is not a TUDO AZUL customer, the respective personal data will only be processed when they are made available, namely through the subscription to the sending of newsletters, in which case the rules of this Privacy Policy will apply.

The personal data collected may be processed through technologies in an automated or non-automated manner, ensuring in all cases strict compliance with personal data protection legislation, being stored in specific databases created for this purpose and, under no circumstances, will the data collected be used for any purpose other than that for which it was collected or for which consent was given by the data subject.

We may use the information we collect from you for the following purposes:

  • Your contact details will be used to process and send orders and communicate with customers, process requests for information and any complaints;
  • Analysis of customer behavior (Profiling) to target them and send them future personalized marketing actions;
  • Analysis of the results of using the online channel (O Boticário website www.oboticario.pt), observing purchasing behavior through direct data collection via the website;
  • Carrying out satisfaction surveys on services and products among registered users and/or those who have made a purchase in stores or on the O Boticário website (www.oboticario.pt);
  • Your contact details will be used to participate in competitions and/or contests;
  • Registration on the website www.oboticario.pt to create and manage an account and to investigate fraud or unauthorized access to it;
  • Compliance with legal cosmetovigilance obligations;
  • Compliance with a legal or judicial order.

  5. What is the legal basis for processing my data?

| ID | Personal Data | Purpose | Legal basis | Retention period |
|---|---|---|---|---|
| 1 | E-mail | Send you marketing communications including news, promotions and events of interest to you | Consent | 12 months from last contact |
| 2 | E-mail; Password | Investigation of fraud and unauthorized access to the registration account | Legitimate interest | 30 days from the date of completion |
| 3 | E-mail; Name; Username; Phone number; NIF; Household; Location; Postal Code; Purchase history | Manage and track your orders, including the delivery of the product to the address you indicated. Manage any contact you have with us regarding your order | Execution of a contract | After 3 years from your last purchase and for invoicing purposes for 10 years (if there are VAT adjustments, 10 years from the date of the last adjustment) |
| 4 | Order Data; Purchasing Behavior | Sales Analysis (Business Intelligence) | Legitimate Interest | 12 months from last contact or if you have withdrawn your consent |
| 5 | Name and surname; Phone number; E-mail; Other information you have shared with us regarding your question (which may include information about wellbeing and health) | Respond to your questions and comply with legal cosmetovigilance obligations | Legitimate interest and for the purpose of cosmetovigilance: to comply with the legal obligation to monitor the undesirable effects of the respective products | After 3 years of inactivity or request for deletion by the user |
| 6 | Social media profile (when you choose to register via social media) | Form of creating an account/registration on the website using your social network, in order to manage and track your orders, including the delivery of the product to the address you indicated. Manage any contact you have with us regarding your order | Execution of a contract | After 12 months from the end of the commercial relationship and for invoicing purposes for 10 years (if there are VAT adjustments, 10 years from the date of the last adjustment) |
| 7 | Name; E-mail; Phone number; Household; Date of birth; NIF; Purchase History | Participation in competitions, prize operations and online or social media sales campaigns | Consent | For winners after 2 years and 1 year for all competitors |
| 8 | E-mail; Name; Purchase History | Extrajudicial debt recovery | Legitimate interest | 12 months |
| 9 | IP Address | Analysis of navigation information | Consent (when you accept Cookies) | 12 months |
| 10 | Order data; Gender; Date of birth; Geographical area; Nationality; Purchasing behavior | Profiling (consumer targeting) Personalized marketing actions | Consent | 12 months from last contact or if you have withdrawn your consent |
| 11 | Name; E-mail; Opinions | Carrying out satisfaction surveys regarding services and products | Legitimate interest | 12 months from last contact or if you have withdrawn your consent |

  6. How long will my personal data be kept?

The period of time during which personal data is stored and retained varies according to the purpose for which the information is processed, indicated in the table above, in item 5.

In fact, there are legal requirements that require data to be kept for a minimum period of time. Therefore, and whenever there is no specific legal requirement, data will be stored and kept only for the minimum period necessary to pursue the purposes that motivated its collection or subsequent processing, under the terms defined by law.

  7. How do you store my personal data?

Tudo Azul is committed to applying safe practices, based on the principles established in the General Data Protection Regulation and all applicable legislation.

Your personal data will be kept in a secure environment, in accordance with current legislation and taking into account best data protection practices, and may only be accessed by people qualified and/or authorized by Tudo Azul.

Our obligation is to keep your personal data safe and, for this purpose, we apply appropriate security measures to ensure the protection of your personal data and prevent access by unauthorized persons, as well as applying various cybersecurity and data protection practices based on the references already mentioned, such as: vulnerability management, intrusion tests on our systems and technologies, employee awareness of cybersecurity and data protection, management and response to security incidents, privacy impact assessment, review and constant improvements in internal processes, among other practices.

  8. How is my access to the platform managed?

  • The User is responsible for creating a password with appropriate security parameters and, in the event of loss, recovering and changing it. The password and login required from the User are confidential and may not be used by third parties, under penalty of cancellation of the registration. It is the sole responsibility of the Platform User to keep their access codes confidential and not to share them with third parties.
  • The User is responsible for keeping his/her personal data up to date so that Tudo Azul can contact him/her if necessary. Tudo Azul will not be held liable if it is unable to locate you due to incorrect or outdated data.
  • Access to the Platform is subject to an internet connection, and access or registration is not possible without such a tool. Tudo Azul is not responsible for said connection.
  • Although Tudo Azul takes security measures to protect Users' data, it cannot be held responsible for any forced breach of security or information leak caused by third parties.

  9. To which entities can my personal data be sent?

We only send data to third parties without your consent when required by law or judicial authority.

TUDO AZUL is committed to adopting appropriate safeguards to protect your data.

Your personal data may be transferred to O BOTICÁRIO FRANCHISING LTDA., headquartered at Avenida Rui Barbosa, nº 4.110, blocks 1 and 22, Parque da Fonte neighborhood, municipality of São José dos Pinhais, State of Paraná, Brazil, for the purposes of centralized management of resellers, based on our legitimate interest, which implies an international transfer of your data to Brazil or with other subcontractors that have their headquarters located outside the EEA.

Although countries outside the EU do not offer an adequate level of protection under Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data, we guarantee the secure processing of your data, through a contract concluded for this purpose with European Union standard contractual clauses.

The management of the commercial relationship with you may involve subcontracting the processing of your personal data to service providers (subcontractors), who act on our behalf, namely marketing and digital and social media agencies, accounting management services, auditors and lawyers, external entities that provide us with IT services, such as platform providers, hosting services, maintenance and support for our databases.

Your personal data collected to manage and track your orders, including the delivery of the product to the address you indicated, may also be shared with logistics and transport service providers to execute the contract we have with you.

Your data may also be shared with collection companies, in the event of non-payment of invoices, based on our legitimate interest.

We may also share your contact details with third parties for the purpose of conducting satisfaction surveys to improve Tudo Azul products and services.

Your personal data collected to manage and track your orders, including the delivery of the product to the address you indicated, may also be transmitted to logistics, transport and graphics service providers to execute the contract we have with you.

Based on legitimate interest, we may transfer your data to third parties in the event of transactions and corporate changes involving Tudo Azul, with customer/reseller data being considered a commercial asset, and the transfer of information necessary for the continuity of services; in the event of such sharing, all conditions and responsibilities set forth in this Policy will be ensured.

In any case, TUDO AZUL SA remains responsible for the personal data made available to it.

  10. What are my rights?

As the data subject, you may exercise the following rights, within the legally established limits:

  • Right to access your personal data to know which data is being processed and the processing operations carried out on your data;
  • Right to rectify any of your inaccurate or outdated personal data;
  • Right to erase your personal data;
  • Right to object, that is, to request that your personal data not be processed, for reasons related to your personal situation;
  • Right to withdraw your consent at any time, when this was the legal basis for the processing of your data;
  • Right to request the limitation of the processing of your personal data in the following cases:
    • If you dispute the accuracy of your data, for a period that allows Tudo Azul to verify its accuracy.
    • If the processing of certain data is unlawful and the Data Subject opposes the erasure of the data, requesting instead the limitation of its use.
    • When Tudo Azul no longer needs to process your data, but you request it for the purposes of declaring, exercising or defending a right in legal proceedings.
    • When you have objected to the processing of your data carried out by Tudo Azul based on a legitimate interest, while it is verified whether or not the legitimate interest invoked prevails over the reasons invoked by the holder.
  • Right to portability, that is, to receive the personal data you have provided in a structured, commonly used and machine-readable format, and to transmit them to another data controller.

To exercise these rights, you may send a written request to the contact details provided in section “1. Who is responsible for my personal data?” of this Policy.

To exercise your rights, you must indicate in your request your name, citizen card number and the right you are exercising.

Without prejudice to being able to submit complaints directly to Tudo Azul, through the contacts provided for this purpose, the holder may complain directly to the Supervisory Authority, which is the National Data Protection Commission (CNPD), using the contacts provided by this entity for this purpose.

  11. How can I find out about any changes to this privacy policy?

Tudo Azul reserves the right to, at any time, make modifications or updates to this Privacy Policy, and these changes will be duly updated on our website https://oboticario.pt/pages/politica-de-privacidade

We suggest that you check them regularly to be aware of any changes.

Last updated: December 19, 2024