Welcome to the TATCHA, LLC ("TATCHA," "we," "us," or "our") website. TATCHA offers our users (collectively, "Users," "you," or "your") high-quality, holistic skincare products made with time-tested ingredients (the "Products") through our website at www.tatcha.com (the "Site").
Information We Receive From Your Use of the Site:
When you visit, use and interact with the Site, we may receive certain information about your visit, use or interactions. For example, we may monitor the number of people that visit our Site, peak hours of visits, which page(s) are visited on our Site, the domains our visitors come from (e.g., google.com, yahoo.com, etc.), and which browsers people use to access and visit our Site (e.g., Firefox, Microsoft Internet Explorer, etc.), broad geographical information, and Site-navigation pattern. In particular, the following information is created and automatically logged in our systems:
- Log data: Information (“log data”) that your browser automatically sends whenever you visit the Site. Log data includes your Internet Protocol (“IP”) address (so we understand which country you are connecting from when you visit the Site), browser type and settings, the date and time of your request, and how you interacted with the Site.
- Device information: Includes name of the device, operating system, and browser you are using. Information collected may depend on the type of device you use and its settings.
- Usage information: We collect information about how you use our Site, such as the types of content that you view or engage with, the features you use, the actions you take, and the time, frequency and duration of your activities.
How We Use Information
We use your Personal Data for the following purposes:
To process your orders, including processing your payments, dispatching products, tracking orders and providing you with related customer service, including communicating with you as necessary in connection with your orders. This processing is necessary to perform our contract with you.
As necessary for certain legitimate business interests, which include the following:
- To respond to your inquiries, comments, feedback or questions;
- To customize your browsing and shopping experience on the Site. For example, we use information on your use of Site features, including information that we obtain through cookies and other technologies, to better understand your needs and interests in order to personalize your experience by presenting Products and offers tailored to your interests (please read below to learn how we use (cookies and other technologies);
- To send administrative information to you, for example, information regarding the Site, and changes to our terms, conditions, and policies;
- To conduct analytics to inform our marketing strategy and enable us to enhance and personalize the experience we offer to our users, including by creating User profiles to enable personalized direct marketing communications.
- If you ask us to delete your data and we are required to fulfill your request, to keep basic data to identify you and prevent further unwanted processing;
- To prevent fraud, criminal activity, or misuses of our Site, block prohibited reseller traffic, and to ensure the security of our IT systems, architecture and networks; and
- To comply with legal obligations and legal process and to protect our rights, privacy, safety or property, and/or that of our affiliates, you or other third parties.
For information about what we mean by legitimate interests and the rights of individuals in the European Union (“EU”), please see the “EU Users” section below.
Marketing. We may contact you to tell you about services or Products we believe will be of interest to you. For instance, if you elect to provide your date of birth and your skin type through your account page, we may use that information to inform you about Products we believe would work well for you or to send you special offers on or near your birthday. If we do, where required by law, for example if you are a User in the EU, we will only send you marketing information if you consent to us doing so at the time you provide us with your Personal Data. You may opt out of receiving such emails by following the instructions contained in each promotional email we send you or by updating your user settings. In addition, if at any time you do not wish to receive future marketing communications, please contact us at email@example.com. If you unsubscribe from our marketing lists, we will continue to contact you via email regarding the provision of our Site and Products (i.e. to update you about your orders) and to respond to your requests.
Contests, Surveys And Promotions
Targeted Advertisements. We may display targeted advertisements based on Personal Data. TATCHA does not provide any Personal Data to the advertiser when a User interacts with or views a targeted advertisement. However, please be aware that by interacting with or viewing an advertisement the third party that served the ad may make the assumption that you meet the targeting criteria used to display the advertisement. Please read the “Cookies and other Technologies” section below for information about advertising cookies and other technologies that we use on the Site, and your choices in relation to such use.
Sharing And Disclosure Of Information
In certain circumstances we may share your Personal Data with third parties without further notice to you, unless required by the law, as set forth below:
- Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions: providers of hosting, cloud services and other information technology services providers; our payment processor PayPal, Inc.; order management services; e-commerce platforms; rating and reviews platforms; email communication and customer support services (including live chat); web analytics, marketing and digital advertising services (for more details on the third parties that place cookies through the Site, please see the “Cookies and Other Technologies” section below). Pursuant to our instructions, these parties will access, process or store Personal Data in the course of performing their duties to us.
- Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Data and other information may be transferred to a successor or affiliate as part of that transaction along with other assets.
- Legal Requirements: If required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, including to meet national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect the personal safety of Users of the Site, or the public, or (v) protect against legal liability.
If you have elected to receive marketing communications from us, we retain information about your marketing preferences until you opt out of receiving these communications and in accordance with our policies.
To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymize your Personal Data so that it can no longer be associated with you, in which case it is no longer Personal Data.
Update Your Information
If you need to change or correct your Personal Data, or wish to have it deleted from our systems, you may contact us at firstname.lastname@example.org. We will address your request as required by applicable law. You may also update your Personal Data from your user settings.
California Privacy Disclosures
TATCHA does not knowingly collect Personal Data from children under the age of 13. If you have reason to believe that a child under the age of 13 has provided Personal Data to TATCHA through the Site please contact us and we will endeavor to delete that information from our databases.
Links To Other Websites
Scope. This section applies if you are a User in the EU (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein and Norway and, to the extent applicable, Switzerland).
Data Controller. Tatcha, LLC is the data controller for the processing of your Personal Data. To find out our contact details, please see the “Contact Us” section below, which also provides the contact details of our representative in the EU for purposes of the General Data Protection Regulation.
Your Rights. Subject to applicable EU law, you have the following rights in relation to your Personal Data:
- Right of access: If you ask us, we will confirm whether we are processing your Personal Data and, if so, provide you with a copy of that Personal Data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your Personal Data is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to erasure: You may ask us to delete or remove your Personal Data, such as where you withdraw your consent. If we shared your data with others, we will tell them about the erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data with so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restriction on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to data portability: You have the right to obtain your Personal Data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and that is processed by automated means. We will give you your Personal Data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us at any time to stop processing your Personal Data, and we will do so:
- If we are relying on a legitimate interest to process your Personal Data -- unless we demonstrate compelling legitimate grounds for the processing or
- If we are processing your Personal Data for direct marketing.
- Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to withdraw consent.
- Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.
Please see the “Contact Us” section below for information on how to exercise your rights.
Data Transfers. We rely on the EU-U.S. and Swiss-U.S. Privacy Shield certification to transfer Personal Data that we receive from the EU and Switzerland to TATCHA in the U.S. (for more information, please read the “Privacy Shield” section below).
You use the Site at your own risk. We comply with industry standards to protect Personal Data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration or destruction. For example, we use available technology and other techniques to implement systems like firewalls, and/or encryption to secure marketing data transfers. However, no Internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from us in connection with our use of the Site, including purchases of Products, may not be secure. Therefore, you should take special care in deciding what information you send to us via the Site or e-mail. Please keep this in mind when disclosing any Personal Data to TATCHA via the internet. We cannot control the actions of other Users with whom you may choose to share information. Therefore, we cannot, and do not, guarantee that information or content posted by a User on or through the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site or third party websites.
General. We rely on our Privacy Shield certifications to transfer Personal Data that we receive from the EU and Switzerland to TATCHA in the U.S. and we process such Personal Data in accordance with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability (“Privacy Shield Principles”), as described below.
Accountability for Onward Transfers. We may be accountable for the Personal Data that we transfer to third-party service providers (as described in the “Sharing and Disclosure of Information” section above). If such service providers process Personal Data in a manner inconsistent with the Privacy Shield Principles, we are responsible for the harm caused.
Access. EU Users have certain rights to access, correct, amend, or delete Personal Data where it is inaccurate, or has been processed in violation of the Privacy Shield Principles. Please see the “EU Users” section above for more information on the rights of Users in the EU (and, to the extent applicable, Users in Switzerland).
TATCHA, Attention: Legal
1517 North Point St., #533, San Francisco, CA 94123
We have further committed to refer unresolved Privacy Shield complaints to an alternative dispute resolution provider. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider JAMS (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield. TATCHA will cooperate with JAMS pursuant to the JAMS International Mediation Rules, available on the JAMS website at www.jamsadr.com/international-mediation-rules.
If your complaint is not resolved through these channels, under certain conditions a binding arbitration option may be available before a Privacy Shield Panel. For additional information, please visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
We are subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to Personal Data received or transferred pursuant to the Frameworks.