Privacy & Cookies

Lashfactor is committed to protecting and respecting our clients' privacy. This privacy policy explains what we do with your data - how we collect, use and process your data and how we comply with our legal requirements.

This notice applies to the company's website users and suppliers.


Under GDPR, all personal data we obtain and hold must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

  • Processing is fair, lawful and transparent
  • Data is collected for specific, explicit, and legitimate purposes
  • Data collected is adequate, relevant and limited to what is necessary for processing
  • Data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
  • Data is not kept for longer than is necessary for its given purpose
  • Data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
  • We comply with the relevant GDPR procedures for the international transfer of personal data


We keep several categories of personal data on our customers, website users and suppliers in order to carry out effective and efficient processes. We keep this data within our computer systems.

Specifically, we hold the following types of data as appropriate to your status:

Personal Information we collect from you:

  • Full name, title, address, email, phone number
  • Your IP address, technical information about your phone, tablet or computer, browsing history on our site, and basket contents whilst using our site.
  • Your name, email address and any other personal information you submit to us via post, telephone, email, messenger via social platforms when you make a product, customer services query, or message us.
  • Your name, title, delivery address, billing address, and debit/credit card/PayPal details when you purchase from us.
  • Your name and email address when you subscribe to the newsletter or otherwise forget information from us.

*Please note that the above list of categories of personal data we may collect needs to be completed.


You provide several pieces of data to us directly, such as:

  • Information that you provide by filling in forms on our site
  • Directly through suppliers by phone or email.
  • Sometimes, we collect data about you from third parties, such as agencies or credit reference agencies.

Personal data is kept in files or within the Company’s IT systems.

IP addresses and cookies

We may collect information about your computer, including, where available, your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers.

This is statistical data about our users’ browsing actions and patterns and does not identify anyone.

For the same reason, we may obtain information about your general internet usage using a cookie file stored on your computer's hard drive.

Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:

  • To estimate our audience size and usage pattern
  • To store information about your preferences, and so allow us to customise our site according to your interests
  • To speed up your searches
  • To recognise you when you return to our site

You may refuse to accept cookies by activating the setting on your browser, which allows you to refuse the setting of cookies. However, if you select this setting, you may be unable to access certain parts of our site. Unless you have adjusted your browser setting to refuse cookies, our system will issue cookies when you log on to our site.


We use information held about you in the following ways:

  • To ensure that content from our site is presented most effectively for you and your computer.
  • To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
  • To carry out our obligations arising from any contracts between you and us.
  • To allow you to participate in interactive features of our service, when you choose to do so.
  • To notify you about changes to our service.
  • If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale to you.
  • If you are a new customer, we will contact you electronically only if you have consented.
  • If you do not want us to use your data this way, please tick the relevant box on the form on which we collect your data.

*Please note that this list is not exhaustive.


Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

Once we have received your information, we use strict procedures and security features to prevent unauthorised access.


The law on data protection allows us to process your data for specific reasons only. In the main, we process your data to comply with legal requirements or manage our service with you effectively.


Special categories of data are data relating to your:

  • Health
  • Sex life
  • Sexual orientation
  • Race
  • Ethnic origin
  • Religion
  • Genetic and biometric data

We carry out processing activities using particular category data:

  • For bespoke services

Most commonly, we will process special categories of data when the following applies:

  • You have given explicit consent to the processing
  • We must process the data in order to carry out our legal obligations
  • We must process data for reasons of substantial public interest
  • You have already made the data public.


Your failure to provide us with data may mean we cannot fulfil our requirements for entering into a service or contract with you. This could include being unable to offer the service or administer treatments and advice.


Employees within our company responsible for delivering the administration of returns and carrying out any related processes will have access to your data relevant to their function. All employees with such responsibility have been trained to ensure data is processed in line with GDPR.

Data is shared with third parties for the following reasons: for the administration of payments, bookings, fulfilment of orders or services and marketing.

We may also share your data with third parties as part of a Company sale or restructuring or for other reasons to comply with a legal obligation upon us. We have a data processing agreement with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

We do not share your data with bodies outside the European Economic Area.


We are aware of the requirement to protect your data against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

If you suspect any misuse or loss of or unauthorised access to your personal information, please let us know immediately.


We only keep your data for as long as we need it. The law sets some data retention periods. Retention periods can vary depending on why we need your data, as set out below:


Automated decision-making means making decisions about you without human involvement, e.g., computerised filtering equipment. No decision will be made about you solely on the basis of automated decision-making (where a decision is taken about you using an electronic system without human involvement), which significantly impacts you.


Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.


You have the right to access the personal data which we hold. You can learn more about how to request access to your data by reading our Subject Access Request below.


If you discover that the data we hold about you needs to be corrected or completed, you have the right to have the data corrected. If you wish to have your data corrected, you should contact us.

Usually, we will comply with a request to rectify data within one month unless the request is particularly complex. In this case, we may write to you to inform you we require an extension to the standard timescale. The maximum extension period is two months.

You will be informed if we decide not to act due to the request. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.

Third parties to whom the data was disclosed will be informed of the rectification.


In certain circumstances, we must delete the data we hold on you. Those circumstances are:

  • Where it is no longer necessary for us to keep the data;
  • Where we relied on your consent to process the data, and you subsequently withdrew that consent. Where this happens, we will consider whether another legal basis applies to our continued use of your data;
  • Where you object to the processing (see below), and the Company has no overriding legitimate interest to continue the processing;
  • Where we have unlawfully processed your data;
  • Where we are required by law to erase the data.

If you wish to request data deletion, you should contact us.

We will consider each request individually. However, you must be aware that processing may continue under one of the permissible reasons. Where this happens, you will be informed of the continued use of your data and the reason for this.

Third parties to whom the data was disclosed will be informed of the erasure where possible unless doing so will cause a disproportionate effect on us.


You have the right to restrict the processing of your data in certain circumstances.

We will be required to restrict the processing of your data in the following circumstances:

  • Where you tell us that the data we hold on you must be more accurate. Where this is the case, we will stop processing the data until we have taken steps to ensure that the data is accurate;
  • Where the data is processed for the performance of a public interest task or because of our legitimate interests, and you have objected to data processing. In these circumstances, the processing may be restricted whilst we consider whether our legitimate interests mean it is appropriate to continue to process it;
  • When the data has been processed unlawfully;
  • Where we no longer need to process the data, but you need the data in relation to a legal claim.

If you wish to request data restriction, you should contact us.

Where data processing is restricted, we will continue to hold the data but will only process it if you consent to the processing required for a legal claim.

Where the data to be restricted has been shared with third parties, we will inform those third parties of the restriction where possible unless doing so will cause a disproportionate effect on us.

You will be informed before any restriction is lifted.


You have the right to obtain the data we process on you and transfer it to another party. We will transfer the data directly to the other party where our technology permits.

Data which may be transferred is data which:

  • You have provided to us; and
  • Is processed because you have provided your consent or because it is needed to perform the contract between us; and
  • Is processed by automated means.

If you wish to exercise this right, please contact us.

We will respond to a portability request without undue delay and within one month at the latest unless the request is complex or we receive several requests, in which case we may write to you to inform you that we require an extension to provide reasons for this. The maximum extension period is two months.

We will not charge you for access to your data for this purpose.

You will be informed if we decide not to take any action due to the request, for example, because the data you wish to transfer does not meet the above criteria. In these circumstances, you are able to complain to the Information Commissioner and have access to a judicial remedy.

The right to data portability relates only to the data defined above. You should be aware that this differs from the data accessible via a Subject Access Request.


You have a right to require us to stop processing your data, known as a data objection.

You may object to processing where it is carried out:

  • In relation to the Company’s legitimate interests;
  • For the performance of a task in the public interest;
  • In the exercise of official authority; or
  • For profiling purposes.

If you wish to object, you should do so by contacting us.

In some circumstances, we will continue to process the data you have objected to. This may occur when:

  • We can demonstrate compelling legitimate reasons for the processing which are believed to be more important than your rights; or
  • Processing is required concerning legal claims made by or against us.

If the response to your request is that we will take no action, you will be informed of the reasons.


Although subject access requests may be made verbally, we advise that a request can be handled more efficiently and effectively if made in writing.

Requests made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.

Requests concerning your data from a third party should be accompanied by evidence that the third party can act on your behalf. If this is not provided, we may contact the third party to request that such evidence be forwarded before we comply with the request.


Usually, we will comply with your request without delay and, at the latest, within one month. Where requests are complex or numerous, we may inform you that an extension of time is required. The maximum extension period is two months.

7.2. FEE

We will generally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and set reasonably in the circumstances.

In addition, we may also charge a reasonable fee if you request further copies of the same information.


When you make a subject access request, you will be informed of:

  • Whether or not your data is processed and the reasons for the processing of your data;
  • The categories of personal data concerning you;
  • Where your data has been collected from, if it was not collected from you;
  • Anyone to whom your data has been disclosed or will be disclosed, including anyone outside of the EEA and the safeguards utilised to ensure data security;
  • How long your data is kept for (or how that period is decided);
  • Your rights in relation to data rectification, erasure, restriction of and objection to processing;
  • Your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
  • The reasoning behind any automated decisions taken about you.


We may refuse to deal with your subject access request if it is manifestly unfounded, excessive, or repetitive. Where we decide to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information subject to legal privilege or related to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and will explain the reason.


A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

In accordance with the GDPR, we will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms. High risk may be, for example, where there is an immediate threat of identity theft or if special categories of data are disclosed online.

This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.

The following information will be provided when a breach is notified to the affected individuals:

  • A description of the nature of the breach
  • The name and contact details of the (delete as appropriate - data protection officer/ appointed compliance officer) where more information can be obtained
  • A description of the likely consequences of the personal data breach and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.


If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone at 0303 123 1113 (local rate) or 01625 545 745.


Our Data Protection Officer can be contacted at: