PRIVACY NOTICE
Here at KarenMillen.com Ltd (‘Karen Millen’) we are committed to protecting and respecting the privacy of your personal data. This privacy notice explains how your data is collected, used, transferred and disclosed by Karen Millen. It applies to data collected when you use our websites, iOS and android applications, when you interact with us through social media, email, or phone, or when you participate in our competitions or events. It also applies to the extent that someone has nominated you through our "refer a friend" function or purchased an e-gift card on your behalf. It covers:
- The personal data we collect
- How we collect your data
- How we use your data
- Marketing preferences, adverts and cookies
- Links to other websites and third parties
- How we share your data
- Your rights
- Changes to this privacy notice
- How to contact us
Who is Karen Millen
Karen Millen is a leading online fashion retail company. We design, source, market and sell clothing, shoes and accessories.
KarenMillen.com Ltd, of 49-51 Dale Street, Manchester M1 2HF (collectively referred to as “Karen Millen”, “we”, “us” and “our” in this privacy notice) is the controller and responsible for your personal data collected through the www.karenmillen.com website (the “website”) and Karen Millen app (the “app”).
Details of our Data Protection Officer responsible for overseeing questions in relation to this privacy notice, and our details are set out in the “How to Contact Us” section at the end of this notice.
Karen Millen is part of the Boohoo Group (“Group”) and, as part of the Group, is affiliated with a number of brands, including Warehouse, Debenhams, Oasis, Coast, Dorothy Perkins, Debenhams, Burton, Wallis, Boohoo,boohooMAN, Prettylittlething and Nasty Gal. In this privacy notice, such brands together with any other brand which is acquired into the Group shall be referred to as the “affiliated group companies”.
Our commitment to you
We take the protection of your personal data seriously and will process your personal data fairly, lawfully and transparently. This privacy notice describes the personal data we are collecting about you and how it is used.
We will only collect and use your personal data for the following purposes, to:
- fulfil your order(s)
- fulfil orders made on your behalf (e.g., e-gift card orders)
- communicate with you following a "refer a friend" nomination
- keep you up to date with the latest offers and trends
- give you a better shopping experience
- help us to make our marketing more relevant to you and your interests
- improve our products and services
- meet our legal responsibilities
We will also use your personal information in any other way we may describe when you provide the information or for any other purpose with your consent.
How we keep your data safe and secure
We have appropriate organisational safeguards and security measures in place to protect your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
The communication between your browser and our website uses a secure encrypted connection wherever your personal data is involved.
We require any third party who is contracted to process your personal data on our behalf to have security measures in place to protect your data and to treat such data in accordance with the law.
In the unfortunate event of a personal data breach, we will notify you and any applicable regulator when we are legally required to do so.
The personal data we collect
Personal data means any information about an individual from which that person can be identified. It does not include anonymised data, where the identity and identifying information has been removed.
While our website is designed for a general audience, we will not knowingly collect any data from children under the age of 13 or sell products to children. If you are under the age of 13, you are not permitted to use or submit your data to the website.
The following groups of personal data are collected:
- Identity Data includes information such as: first name, last name, title, date of birth (optional), occupation, personal description, photo and gender.
- Contact Data includes information such as: email address, billing address, delivery address, location, country, telephone number, loyalty programme membership number, and social media id (if you log in by social media).
- Financial Data includes information such as: payment card details and bank account.
- Transaction Data includes information such as: details of your purchases and the fulfilment of your orders (such as basket number, order number, subtotal, title, currency, discounts, shipping, number of items, product number, single item price, category, tax etc.); payments to and from you and details of other products and services you have obtained from us, correspondence or communications with you in respect of your orders, and details of any rewards and bonuses awarded.
- Technical Data includes information such as: details of the device(s) you use to access our services, your internet protocol (IP) address, login data, your username and password, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
- Profile Data includes information such as: purchases or orders made by you, product and style interests, preferences, feedback, and survey responses.
- Usage Data includes information such as: how and when you use our website/app, how you moved around it, what you searched for; website/app performance statistics, traffic, location, weblogs and other communication data; loyalty programme activities; and details of any other Karen Millen products and services used by you.
- Marketing and Communications Data includes information such as: your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
How we collect your data
We may collect personal data about you in the following ways:
- Direct interactions – you may give us your Identity, Contact, Financial, Transaction, Profile, and Marketing and Communications data (as described above) by filling in forms, entering information online or by corresponding with us by post, phone, email, telephone or otherwise. This includes personal data you provide, for example, when you:
- Create an account or purchase products on our website;
- Subscribe to our newsletter, discussion boards, social media sites or create wish lists;
- Enter a competition;
- Join a Karen Millen loyalty programme;
- Complete a voluntary market research survey;
- Contact us with an enquiry or to report a problem (by phone, email, social media, or messaging service);
- Use the “refer a friend” function on our website; or
- When you log in to our website via social media.
- Automated technologies or interactions – as you interact with our website, we may automatically collect the following types of data (all as described above): Technical Data about your equipment, Usage Data about your browsing actions and patterns, and Contact Data where tasks carried out via our website remain uncompleted, such as incomplete orders or abandoned baskets. We collect this data by using cookies, server logs and other similar technologies. Please see our Cookie Policy for further details.
- Third parties – we may receive personal data about you from various third parties, including:
- Identity and Contact data from another individual when they purchase an e-gift card for you or use the "refer a friend" function on our website;
- Technical Data from third parties, including analytics providers such as Google. Please see further information in the section entitled ‘Marketing preferences, adverts and cookies’.
- Technical Data from affiliate networks through whom you have accessed our website;
- Identity and Contact Data from social media platforms when you log in to our website using such social media platforms;
- Identity and Contact data from third parties, including organisations (including law enforcement agencies), associations and groups, who share data for the purposes of fraud prevention and detection and credit risk reduction; and
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
Marketing preferences, adverts and cookies
Marketing - your preferences
We may send you marketing communications and promotional offers:
- if you have opened an account with us or purchased goods from us, or registered for a promotion or event, and you have not opted out of receiving that marketing (in accordance with your preferences, as explained below);
- by email if you have signed up for email newsletters;
- if you have provided us with your details when you entered a competition and you have consented to receiving such marketing (in accordance with your preferences, as explained below).
We may use your Identity, Contact, Technical, Transactional, Usage, Profile Data and Marketing and Communications Data to form a view on what we think you may like, or what may be of interest to you, and to send you details of products and offers which may be relevant for you.
We may check your details with appropriate third parties (for example credit reference agencies, such as Experian) before we send you promotions for financial services products. This is to ensure your information is accurate, that the product is suitable for you, and to tailor those offers to you.
We will ask you for your preferences in relation to receiving marketing communications by email, post, SMS and other communication channels.
From time to time we may also include with your order, inserts advertising goods, services or offers from other third-party companies that you may be interested in.
You will always have full control of your marketing preferences. If you do not wish to continue receiving marketing information from us (or any third party, if applicable) at any time:
- you can unsubscribe or ‘opt-out’ by using the unsubscribe button and following the link included in the footer of any marketing email; or
- account holders may withdraw their consent by simply logging in to My Account and editing your ‘Contact Preferences’.
We will process all opt-out requests as soon as possible, but please note that due to the nature of our IT systems and servers it may take a few days for any opt-out request to be implemented.
Cookies
Our website uses cookies to distinguish you from other users of our website and to keep track of your visits. They help us to provide you with the very best experience when you browse our website and to make improvements to our website. They also help us and our advertising networks to make advertising relevant to you and your interests.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.
For detailed information on the cookies which we and our third-party providers use and the reasons why we use them, please refer to our Cookie Policy.
Online ads
We use online advertising to keep you aware of what we’re up to and to help you find our products. Like many companies, we may target Karen Millen banners and ads to you when you use other websites and apps, based on your Contact, Technical, Usage and Profile Data. We do this using a variety of digital marketing networks and ad exchanges, and a range of advertising technologies such as web beacons, pixels, ad tags, cookies, and mobile identifiers, as well as specific services offered by some sites and social networks, such as Facebook’s Custom Audience Service.
SMS
Cookies enable personalization of your experience on the Messaging Service (e.g. sending you personalized text messages such as shopping cart/browse reminders). No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
Our use of analytics and targeted advertising tools
We use a range of analytics and targeted advertising tools to display relevant website content on our website and online advertisements on other websites and apps (as described above) to you, deliver relevant content to you in marketing communications (where applicable), and to measure the effectiveness of the advertising provided. For example, we use tools such as Google Analytics to analyse Google's interest-based advertising data and/or third-party audience data (such as age, marital status, life event, gender and interests) to target and improve our marketing campaigns, marketing strategies and website content. We may also use tools provided by other third parties, such as Facebook, Content Square, Adroll, Bloomreach, Criteo and Bing to perform similar tasks, using your Contact, Technical, Usage and Profile Data.
In order to opt out of targeted advertising you need to disable your ‘cookies’ in your browser settings (see Cookie Policy for details) or opt-out of the relevant third-party Ad Settings. For example, you can opt-out of the Google Display Advertising Features. As an added privacy measure, you can also use The Digital Advertising Alliance (which includes companies such as Google, Bloomreach and Facebook) provides a tool called WebChoices that can perform a quick scan of your computer or mobile devices, find out which participating companies have enabled customised ads for your browser, and adjust your browser preferences accordingly.
If you would like any further information about the data collected by these third parties or the way in which the data is used, please contact us.
Links to other websites and third parties
Our website may include links to and from the websites of our partner networks, advertisers and affiliates, or to social media platforms. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to their websites.
How we share your data
We may disclose and share your personal data with the parties set out below:
- where you have consented for us to do so. For example, if you have consented to receive marketing materials from third parties, or in respect of third parties’ (including co-branded or jointly promoted) products and services, we may pass your data on to the relevant third parties for the purpose of sending you such marketing communications;
- to business partners, suppliers, sub-contractors and other third parties that we use in connection with the running of our business for the purposes set out in the table above in the section ‘How we use your data’, such as:
- third party service providers that we engage to provide IT systems and software, and to host our website;
- third party payment processing services (including Worldpay, Adyen, Paypal, and in certain regions, Klarna, Afterpay and Laybuy (please see T&C’s https://www.klarna.com/us/terms-of-use/ / https://www.afterpay.com/en-US/terms-of-service / https://www.laybuy.com/us/consumer-terms for more information) to process your payment to us. Karen Millen does not store your payment information. Your payment details are provided to the payment processing service you have selected, who are required to comply with applicable regulations and data protection laws. Please refer to the privacy policy of the relevant provider for details of how they process your personal data;
- services and to provide marketing and advertising services;
- third party service providers that we engage to deliver and process your e-gift card orders and e-gift card payment (including Jigsaw Business Solutions Ltd and Stripe Payments UK Ltd)
- third party service providers that we engage to deliver goods you have ordered and to manage any returns;
- third party service providers that we engage to send emails and postal mail on our behalf including in relation to incomplete orders or abandoned baskets, or marketing communications, to provide data cleansing services and to provide marketing and advertising services;
- analytics and search engine providers that assist us in the improvement and optimisation of our website;
- affiliate networks through whom you have accessed our website;
- to any third party to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- to protect our customers, boohoo group companies and website from fraud and theft, we may share personal data that is required to make identity checks and personal data that we obtain from making identity checks (including data relating to your age, name and location), together with account information, with other boohoo group companies and with third party organisations (including law enforcement agencies), involved in fraud prevention and detection and credit risk reduction. Please note that the other boohoo group companies and these third parties may retain a record of the information that we provide to them for this purpose;
- we may share your personal data with Ravelin and/or Risk Guardian and/or other fraud prevention and analysis service providers, in order to carry out fraud prevention checks on our behalf. If personal data is provided to Ravelin, Ravelin will also use this personal data to improve its service and machine learning to improve its automated processing. A copy of Ravelin's privacy notice can be found at: https://www.ravelin.com/privacy-policy-new which explains how Ravelin will use your personal data for these purposes; and
- we may further share personal data that is required to make identity checks and personal data that we obtain from making identity checks (including data relating to your age, name and location), together with account information, with organisations (including law enforcement agencies), involved in fraud prevention and detection and credit risk reduction. Please note that these third parties may retain a record of the information that we provide to them for this purpose;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or
- to our professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
Worldpay
Worldpay are the data controller in respect of the Personal Information that you give to them (and which they hold about you) when you sign up for, access, or use services, features, technologies or functions offered on the Worldpay website (including when using Worldpay to pay for goods or services offered on the Karen Millen website) and in relation to Personal Information collected during the course of business as set out in their Privacy Policy which can be found on their website at https://www.worldpay.com/.
Do Not Track Signals
We also may use automated data collection technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). Some web browsers permit you to broadcast a signal to websites and online services indicating a preference that they “do not track” your online activities. At this time, we do not honor such signals and we do not modify what information we collect or how we use that information based upon whether such a signal is broadcast or received by us.
Accessing, Correcting, and Deleting Your Personal Data
You can review and change your personal data by logging into your account and visiting your account profile page. You may also send us an email at DPO@karenmillen.com to request access to, correct or delete any personal data that you have provided to us. We cannot delete your personal data except by also deleting your user account. We may not accommodate a request to change or delete your personal data if we believe the change or deletion would violate any law or legal requirement or cause the information to be incorrect.
Jurisdiction-Specific Privacy Rights
The law in some jurisdictions may provide you with additional rights regarding our use of personal data. To learn more about any additional rights that may be applicable to you as a resident of one of these jurisdictions, please see the privacy addendum for your state that is attached to this privacy notice.
Use of Chat Transcripts
We use transcriptions we record and retain from your chat session to provide you with support and respond to your inquiries, and to help develop and improve our products and services. Our chat service may be provided by a third-party service, however we do not control these third parties’ technology. If you have questions about the use of the chat service, you should contact the chat provider directly. Your chat transcript will be made available to you and we may also share for the above purposes with our subsidiaries and affiliates, and with contractors, service providers, and other third parties we use to support our business.
Your California Privacy Rights
If you are a resident of California, you have the additional rights described in the Privacy Notice Addendum for California Residents.
Your GDPR Privacy Rights
If you are a resident of the European Economic Area, Switzerland, or the United Kingdom, you have the additional rights described in our GDPR Privacy Addendum.
Changes to this privacy notice
From time to time we may change this privacy notice. If there are any significant changes we will post updates on our website, applications or let you know by email.
How to contact us
We welcome feedback and are happy to answer any questions you may have about your data.
Please send any questions, comments or requests for more information to our Data Protection Officer, who can be contacted at DPO@karenmillen.com.
This privacy notice was last updated on July 27th, 2023 (Version v1.12)
KarenMillen.com Limited,
Registered Company Number: 12054246,
UK VAT Number: 185 4874 61.
GDPR Privacy Addendum
This GDPR Privacy Addendum (the “GDPR Privacy Addendum”) supplements the information contained in our privacy notice and applies solely to customers and users of our websites, iOS and android applications, individuals who interact with us through social media, email, or phone, and individuals that participate in our competition and events that are located in the European Economic Area, the United Kingdom, or Switzerland. We adopt this GDPR Privacy Addendum to comply with the European Union’s General Data Protection Regulation, and any laws implementing the foregoing by any member states of the European Economic Area, the United Kingdom (including the UK Data Protection Act and the UK-GDPR), and or Switzerland (collectively, the “GDPR”). Unless otherwise defined in this GDPR Privacy Addendum, any terms defined in the GDPR or our privacy notice have the same meaning when used in this GDPR Privacy Addendum. When this GDPR Privacy Addendum is applicable to you, it takes precedence over anything contradictory in our privacy notice.
Data Controller and Data Protection Officer
KarenMillen.com Ltd, of 49-51 Dale Street, Manchester M1 2HF (collectively referred to as “Karen Millen”, “we”, “us” and “our” in this privacy notice) is the controller and responsible for your personal data collected through the www.karenmillen.com website (the “website”) and Karen Millen app (the “app”). Details of our Data Protection Officer responsible for overseeing questions in relation to this privacy notice and our details are set out in the “How to Contact Us” section at the end of this notice.
Information We Collect About You and How We Collect It
The Personal Data we collect and the ways in which we collect it is described in our privacy notice.
The personal data we collect from you is required to enter into a contract with Karen Millen, for Karen Millen to perform under the contract, and to provide you with our products and services. If you refuse to provide such personal data or withdraw your consent to our processing of personal data (when appropriate), then in some cases we may not be able to enter into the contract or fulfill our obligations to you under it.
The legal basis for processing your personal data
We will only collect and process your personal data where we have a legal basis to do so. As a data controller, the legal basis for our collection and use of your personal data varies depending on the manner and purpose for which we collected it.
We will only collect personal data from you when:
- we have your consent to do so, or
- we need your personal data to perform a contract with you. For example, to process a payment from you, fulfil your order or provide customer support connected with an order, or
- the processing is in our legitimate interests and not overridden by your rights, or
- we have a legal obligation to collect or disclose personal data from you.
Uses made of your personal data
Your personal data is used by Karen Millen to support a range of different activities. These are listed in the table below together with the types of data used and the legal bases we rely on when processing them, including where appropriate, our legitimate interests. Please be aware that we may process your personal data using more than one lawful basis, depending on the specific activity involved. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity
|
Type of data
|
Lawful basis for processing including basis of legitimate interest
|
To create an account and register you as a new customer (either directly or via social media).
|
|
|
To process and deliver your order including: recording your order details; keeping you informed about the order status; process payments and refunds, collect money owed to us;
To protect our customers, boohoo group companies and website from fraud and theft, which involves automated decision making to assist such fraud prevention and detection.
|
- Identity
- Contact
- Financial
- Transaction
|
- Performance of a contract with you
- Necessary for our legitimate interests (e.g. to recover debts due to us)
- For automated decision making we consider that fraud detection and prevention is in our legitimate interests to ensure that fraudulent transactors are unable to benefit from our services and in the legitimate interest of the public as whole due to the impact of fraud on the consumer market; we also consider it a necessary element of entering into a contract with you that we are able to verify your identity and prevent fraud.
|
To manage our relationship with you, including: providing you with any information, products and services that you request from us(or that has been requested on your behalf through our "refer a friend" function); notifying you about changes to our services, terms and conditions or privacy notice; asking you to leave a review or take a survey.
|
- Identity
- Contact
- Profile
- Marketing and Communications
|
- Consent
- Performance of a contract with you
|
To enable you to take part in a competition, event, survey, or receive a reward for shopping with us.
|
- Identity
- Contact
- Profile
- Usage
- Marketing and Communications
|
- Where you have decided to enter into a competition or event, for the performance of a contract with you
|
To administer, protect and improve our business and our website/app, including: troubleshooting, data analysis, testing, system maintenance, support, data analysis, reporting and hosting of data; setting default options for you, such as language and currency.
|
- Identity
- Contact
- Profile
- Technical
- Transaction
- Marketing and Communications
|
|
To deliver relevant website content, online advertisements and information for you; and measure the effectiveness of the advertising provided.
|
- Identity
- Contact
- Profile
- Usage
- Marketing and Communications
- Technical
|
|
To use data analytics to: improve our website, products, services, marketing, customer relationships and experiences;
and for market research, statistical and survey purposes.
|
|
|
To recommend products, services discounts and offers that may be of interest to you, including to send you such information by email, post or SMS.
|
- Identity
- Contact
- Technical
- Usage
- Profile
- Marketing and Communications
|
See further details in the section ‘Marketing preferences, adverts and cookies'
|
To inform or remind you by email of any task carried out via our website which remains uncompleted, such as incomplete orders or abandoned baskets.
|
|
|
To protect our customers, boohoo group companies and website from fraud and theft
|
|
- Necessary for our legitimate interests (to detect and prevent fraud)
|
To process and deliver your e-gift card orders including taking payment and communicating with you and/or the nominated recipient if delivered to another person.
|
- Identity
- Contact
- Financial
- Transaction
|
- Performance of a contract
|
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we wish to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may process personal data without your consent, in compliance with the above rules, where this is required or permitted by law.
If you have any questions about how Karen Millen use any of your personal data, please contact our Data Protection Officer at DPO@karenmillen.com.
Your Rights
You have several rights under the GDPR. This includes, under certain circumstances, the right to:
- request access to your personal data
- request correction of your personal data
- request erasure of your personal data
- request restriction of processing of your personal data
- request the transfer of your personal data
- object to processing of your personal data
- request human intervention for automated decision making
Brief details of each of these rights are set out below. If you wish to exercise any of these rights, please email us at DPO@karenmillen.com.
Request access to your personal data
You have the right to obtain a copy of the personal data we hold about you and certain information relating to our processing of your personal data.
Request correction of your personal data
You are entitled to have your personal data corrected if it is inaccurate or incomplete. You can update your personal data at any time by logging into your account and updating your details directly, or by emailing us at DPO@karenmillen.com.
Request erasure of your personal data
This enables you to request that Karen Millen delete your personal data, where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Request restriction of processing of your personal data
You have a right to ask Karen Millen to suspend the processing of your personal data in certain scenarios, for example if you want us to establish the accuracy of the data, or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. Where processing is restricted, we are allowed to retain sufficient information about you to ensure that the restriction is respected in future.
Request the transfer of your personal data
You have the right to obtain a digital copy of your personal data or request the transfer of your personal data to another company. Please note though that this right only applies to automated data which you initially provided consent for us to use or where we used the data to perform a contract with you.
Object to processing of your personal data
You have the right to object to the processing of your personal data where we believe we have a legitimate interest in processing it (as explained above). You also have the right to object to our processing of your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.
Request human intervention for automated decision making and profiling
You have the right to request human intervention where we are carrying out automated decision making when processing your personal data. This form of processing is permitted where it is necessary as part of our contract with you, providing that appropriate safeguards are in place or your explicit consent has been obtained.
We will try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. We may need to request specific information from you to help us confirm your identity and ensure your right to exercise any of the above rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to lodge a complaint
If you have any concerns or complaints regarding the way in which we process your data, please email us directly at DPO@karenmillen.com. You also have the right to make a complaint to the ICO (the data protection regulator in the UK). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.
Your data and countries outside of Europe
The personal data we collect from you may be transferred to, and stored at, destinations outside the European Economic Area ("EEA") using legally-provided mechanisms to lawfully transfer data across borders. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. We will take all steps necessary to ensure that your data is treated securely and in accordance with this privacy notice.
Whenever we transfer personal data outside the EEA, we will ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards, as required by law, are in place. This may include using specific contractual clauses approved by the European Commission which give personal data the same protection as it has in Europe. More information about these is available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32010D0087
Please contact us if you want further information on the countries to which we may transfer personal data and the specific mechanism used by us when transferring your personal data outside the EEA.
How long we keep your data for
We will keep your personal data for no longer than is necessary for the purpose(s) it was provided for and to meet our legal obligations. Further details of the periods for which we retain data are available on request.
Changes to this GDPR Addendum
From time to time we may change this GDPR Addendum. If there are any significant changes we will post updates on our website, applications or let you know by email.
How to contact us
We welcome feedback and are happy to answer any questions you may have about your data.
Please send any questions, comments or requests for more information to our Data Protection Officer, who can be contacted at DPO@karenmillen.com.
This privacy notice was last updated on 1st January 2023 (Version v1.11)
To contact us:
In the United Kingdom: KarenMillen.com Limited,
49-51 Dale Street, Manchester M1 2HF
Registered Company Number: 12054246,
UK VAT Number: 185 4874 61.
In the European Union: eudataprotection@boohoo.com
Privacy Notice Addendum for California Residents
Effective Date: 1st January 2023
Last Reviewed on: 1st January 2023
This Privacy Notice Addendum for California Residents (the “California Privacy Addendum”) supplements the information contained in Karen Millen’s privacy notice and describes our collection and use of Personal Information (as defined below). This California Privacy Addendum applies solely to all visitors, users, and others who reside in the State of California (“Consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the “CPRA”) and any terms defined in the CPRA have the same meaning when used in this notice.
Scope of this California Privacy Addendum
This California Privacy Addendum applies to information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your device (“Personal Information”) that we collect when you use our websites, iOS and android applications, when you interact with us through social media, email, or phone, or when you participate in our competitions or events. It also applies to your Personal Information to the extent that someone has nominated you through our "refer a friend" function or purchased an e-gift card on your behalf. However, publicly available information that we collect from government records and deidentified or aggregated information (when deidentified or aggregated as described in the CPRA) are not considered Personal Information and this California Privacy Addendum does not apply.
This California Privacy Addendum does not apply to employment-related Personal Information collected from our California-based employees, job applicants, contractors, or similar individuals (“Personnel”). Please contact your local human resources department if you are part of our California Personnel and would like additional information about how we process your Personal Information.
Information We Collect About You and How We Collect It
Boohoo collects, and over the prior twelve (12) months have collected, the following categories of Personal Information about Consumers:
Category
|
Applicable Pieces of Personal Information Collected
|
A. Identifiers.
|
A real name; alias; postal address; unique personal identifier (loyalty programme information); online identifier; Internet Protocol address; email address; account name; and other similar identifiers.
|
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
|
A name; signature; physical characteristics or description; address; telephone number; occupation; bank account number; credit card number, debit card number, or any other financial information. Credit card and debit card numbers are only collected by our payment processor, and we only receive tokenized versions of this information for future online payments and for returns. The tokenized credit card and debit card information cannot be used to make purchases outside of our websites.
Some Personal Information included in this category may overlap with other categories.
|
C. Protected classification characteristics under California or federal law.
|
Race; color; sex (including gender). Providing this information is completely optional.
|
D. Commercial information.
|
Records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
|
F. Internet or other similar network activity.
|
Browsing history; search history; information on a Consumer’s interaction with a website, application, or advertisement.
|
G. Geolocation data.
|
IP-based physical location or movements, which may determine your location to town, city, and state. We do not collect information that may locate you within 1,850 feet.
|
H. Sensory data.
|
Visual or similar information, such as photographs if you choose to provide them.
|
K. Inferences drawn from other Personal Information.
|
Profile reflecting a person’s preferences; characteristics; psychological trends; predispositions; behavior; attitudes; intelligence; abilities; and aptitudes.
|
L. Sensitive Personal Information (“Sensitive Personal Information”)
|
- Complete account access credentials (user names; account numbers; or card numbers combined with required access/security code or password)
- Racial or ethnic origin (only if provided by you, including through a photograph that you may optionally provide).
|
Boohoo will not collect additional categories of Personal Information without providing you notice.
Sources of Personal Information
We collect Personal Information about you from the sources described in our privacy notice.
Purposes for Our Collection of Your Personal Information
Through the use of cookies on our websites and applications, we may use, “sell” for monetary or other valuable consideration, “share” for the purposes of cross-context behavioral advertising, or disclose the Personal Information we collect and, over the prior twelve (12) months, have used, “sold” for monetary or other valuable consideration, “shared” for the purpose of cross-context behavioral advertising, or disclosed the Personal Information we have collected, for the purposes described in our privacy notice.
Boohoo will not use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Third Parties to Whom Do We Disclose Your Personal Information for Business Purposes
When we disclose Personal Information to non-affiliated third-parties for a business purpose, we enter a contract that describes the purpose, requires the recipient to both keep that Personal Information confidential and not use it for any purpose except for the purposes for which the Personal Information was disclosed and requires the recipient to otherwise comply with the requirements of the CPRA.
In the preceding twelve (12) months, Karen Millen has disclosed the following categories of Personal Information for one or more of the business purposes described below to the following categories of third parties:
Personal Information Category
|
Categories of Non-Service Provider and Non-Contractor Third Party Recipients
|
A. Identifiers.
|
Advertisers and advertising networks, Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen, Social media companies, Internet cookie information recipients, such as analytics and behavioral advertising services.
|
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
|
Advertisers and advertising networks, Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen, Social media companies, Internet cookie information recipients, such as analytics and behavioral advertising services.
|
C. Protected classification characteristics under California or federal law.
|
Advertisers and advertising networks, Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen, Social media companies, Internet cookie information recipients, such as analytics and behavioral advertising services.
|
D. Commercial information.
|
Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen.
|
F. Internet or other similar network activity.
|
Service providers, Internet cookie information recipients, such as analytics and behavioral advertising services.
|
G. Geolocation data.
|
Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen.
|
H. Sensory data.
|
Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen.
|
K. Inferences drawn from other Personal Information.
|
Advertisers and advertising networks, Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen.
|
Sensitive Personal Information Category
|
Categories of Third Party Recipients
|
Complete account access credentials (user names, account numbers, or card numbers combined with required access/security code or password)
|
Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen.
|
Racial or ethnic origin
|
Service providers, Affiliates, parents, and subsidiary organizations of Karen Millen.
|
We disclose your Personal Information to the categories of third parties listed above for the following business purposes:
- Helping to ensure security and integrity of our products, services, and IT infrastructure to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short–term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with us. Our agreements with third parties prohibit your Personal Information from disclosure to another third-party and from using your Personal Information to build a profile about the you or otherwise alter your experience outside your current interaction with us.
- Performing services on behalf of us, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us.
- Providing advertising and marketing services, except for cross-context behavioral advertising, to Consumers.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.
In addition to the above, we may disclose any or all categories of Personal Information to any third-party (including government entities and/or law enforcement entities) as necessary to:
- comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information;
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
- cooperate with law enforcement agencies concerning conduct or activities that we (or one of our service providers) believe may violate federal, state, or local law;
- comply with certain government agency requests for emergency access to your Personal Information if you are at risk or danger of death or serious physical injury; or
- exercise or defend legal claims.
To Whom Do We Sell or Share Your Personal Information
We do not sell Personal Information as the term “sell” is commonly understood to require an exchange for money. However, the use of advertising and analytics cookies on our Website is considered a “sale” of Personal Information as the term “sale” is broadly defined in the CPRA to include both monetary and other valuable consideration. Our “sale” is limited to our use of third-party advertising and analytics cookies and their use in providing behavioral advertising and their use in understanding how people use and interact with our website(s) and applications. Our “sales” of your Personal Information in this matter is subject to your right to opt-out of those sales (see Your Choices Regarding our “Sale” or “Sharing” of your Personal Information).
“Sharing” of Your Personal Information for Cross-Context Behavioral Advertising
Karen Millen may “share” your Personal Information for the purpose of cross-context behavioral advertising, subject to your right to opt-out of that sharing (see Your Choices Regarding our “Sale” or “Sharing” of your Personal Information). Our “sharing” for the purpose of cross-context behavioral advertising would be limited to our use of third-party advertising cookies and their use in providing you cross-context behavioral advertising (i.e., advertising on other websites or in other mediums). When the recipients of your Personal Information disclosed for the purpose of cross-context behavioral advertising are also permitted to use your Personal Information to provide advertising to others, we also consider this disclosure as a “sale” for monetary or other valuable consideration under the CPRA.
In the preceding twelve (12) months, Karen Millen has “sold” for monetary or other valuable consideration, or “shared” for the purpose of cross-context behavioral advertising, the following categories of Personal Information to the following categories of third parties:
Personal Information Category
|
Sold or Shared
|
Categories of Third Parties To Whom Your Personal Information is Sold or Shared
|
A. Identifiers.
|
Sold and Shared
|
Business partners, Internet cookie information recipients, such as analytics and behavioral advertising services.
|
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
|
Shared
|
Business partners
|
C. Protected classification characteristics under California or federal law.
|
Shared
|
Business partners
|
D. Commercial information.
|
Shared
|
Business partners
|
F. Internet or other similar network activity.
|
Sold and Shared
|
Advertisers and advertising networks, Internet cookie information recipients, such as analytics and behavioral advertising services.
|
G. Geolocation data.
|
No
|
N/A
|
H. Sensory data.
|
No
|
N/A
|
K. Inferences drawn from other Personal Information.
|
Shared
|
Business partners
|
Sensitive Personal Information Category
|
Sold or Shared
|
Business Purpose for Sale or Sharing (as appropriate)
|
Categories of Third Parties To Whom Your Personal Information is Sold or Shared
|
Complete account access credentials (user names, account numbers, or card numbers combined with required access/security code or password)
|
No
|
N/A
|
N/A
|
Racial or ethnic origin
|
No
|
N/A
|
N/A
|
Your Personal Information may be “sold” or “shared” as described above for the following business or commercial purposes:
- To market their goods and services to you
- To provide us with cross-context behavioral advertising on other websites and platforms
- To provide us with analytics services for our websites and applications
Sale of Personal Information of Minors Under the Age of 16
We do not “sell” the Personal Information of minors under the age of 16 for monetary or other valuable consideration and we do not “share” such Personal Information for cross-context behavioral advertising without affirmative consent as required by the CPRA. More information on how minors under the age of 16 may change their choice regarding the “sale” or “sharing” of their Personal Information can be found in Your Choices Regarding our “Sale” or “Sharing” of Your Personal Information.
Consumer Data Requests
The CPRA provides California residents with specific rights regarding their Personal Information. This section describes your CPRA rights and explains how to exercise those rights. You may exercise these rights yourself or through your Authorized Agent. For more information on how you or your Authorized Agent can exercise your rights, please see Exercising Your CPRA Privacy Rights . These rights include the right to:
- Request to know the categories of Personal Information we have collected about you and how we have used it.
- Request access to your Personal Information.
- Request correction of your Personal Information.
- Request deletion of your Personal Information.
Brief details of each of these rights are set out below. You also have the right to opt-out of our sale or sharing of your personal data, as described further below.
Right to Know.
You have the right to request that Karen Millen disclose certain information to you about our collection and use of your Personal Information over the past 12 months (a “Right to Know” Consumer Request).
Access to Specific Pieces of Information (Data Portability).
You also have the right to request that Karen Millen provide you with a copy of the specific pieces of Personal Information that we have collected about you, including any Personal Information that we have created or otherwise received from a third-party about you (a “Data Portability” Consumer Request).
Correction.
You have the right to request that we correct any incorrect Personal Information about you to ensure that it is complete, accurate, and as current as possible. In addition to other methods you may have to exercise this right as described below, you may review and correct some Personal Information about yourself by logging into your account page and updating your details directly.
Deletion.
You have the right to request that Karen Millen delete any of your Personal Information that we collected from you and retained, subject to certain exceptions.
Exercising Your CPRA Privacy Rights
To exercise the rights described above, please submit a request (a “Consumer Request”) to us by either:
- Emailing us at DPO@karenmillen.com
- Writing to us at: Boohoo Group Legal Team, 8431 Melrose Place, Los Angeles, USA
If you fail to make your Consumer Request in accordance with the ways described above, we may either treat your request as if it had been submitted with our methods described above or provide you with information on how to submit the request or remedy any deficiencies with your request.
Only you, or your Authorized Agent that you authorize to act on your behalf, may make a Consumer Request related to your Personal Information. To designate an Authorized Agent, see Authorized Agents below.
All Consumer Requests must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an Authorized Agent of such a person. This may include:
- Verifying Personal Information that we may already have about you, such as prior order numbers, address / ZIP code, and other similar information.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm which Personal Information relates to you or the individual for whom you are making the request as their Authorized Agent.
Making a Consumer Request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account.
We will only use Personal Information provided in a Consumer Request to verify the requestor’s identity or authority to make the request.
For instructions on exercising sale opt-out rights, see Your Choices Regarding our “Sale” or “Sharing” of Your Personal Information.
Authorized Agents
You may authorize your agent to exercise your rights under the CPRA on your behalf by registering your agent with the California Secretary of State or by providing them with power of attorney to exercise your rights in accordance with applicable laws (an “Authorized Agent”). We may request that your Authorized Agent submit proof of identity and that they have been authorized exercise your rights on your behalf. We may deny a request from your Authorized Agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof that they have the authority to exercise your rights.
In response to a Right to Know or Data Portability Consumer Request, we will provide you with all relevant information we have collected or maintained about you on or after January 1, 2022, unless an exception applies. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For Data Portability Consumer Request, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, such as CSV file(s) and/or PDF file(s).
We do not charge a fee to process or respond to your Consumer Request unless it is excessive, repetitive, or manifestly unfounded. We reserve the right to consider more than two (2) total Right to Know or Data Portability Consumer Requests (or combination of the two) in a twelve (12) month period to be repetitive and/or excessive and require a fee. If we determine that your Consumer Request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Your Choices Regarding our “Sale” or “Sharing” of Your Personal Information
“Sale” of Your Personal Information
As described above, our use of cookies is considered a “sale” under the CPRA. We do not otherwise sell your Personal Information for monetary consideration. If you are 16 years of age or older, you have the right to direct us to not “sell” your Personal Information for monetary or other valuable consideration at any time (the “right to opt-out”). We do not “sell” the Personal Information of Consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the Consumer who is between 13 and 16 years of age, or the parent or guardian of a Consumer less than 13 years of age. Consumers who opt-in to Personal Information “sales” may opt-out of future “sales” at any time.
“Sharing” of Your Personal Information
If you are 16 years of age or older, you have the right to direct us to not share your Personal Information for the purposes of cross-context behavioral advertising, which is showing advertising on other websites or other media based on your browsing history with our websites and applications (the “right to opt-out”). We do not share the Personal Information of Consumers we actually know are less than 16 years of age for this purpose, unless we receive affirmative authorization from either the Consumer who is between 13 and 16 years of age, or the parent or guardian of a Consumer less than 13 years of age. Consumers who opt-in to our sharing of Personal Information for these purposes may opt-out of future such sharing at any time.
How You May Opt-Out of Our Sale or Sharing of Your Personal Information
To exercise the right to opt-out of the “sale” and the “sharing” your Personal Information for the purposes of cross-context behavioral advertising, you may do so by any of the following: clicking the link below, adjusting your cookie preferences, or by configuring your browser to send us a privacy signal as described in more detail below. You may also opt-out of such “sales” and “sharing” by setting your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may be unable to access certain parts of our websites or applications or other websites. You can find more information about cookies at http://www.allaboutcookies.org and http://youronlinechoices.eu.
Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. However, you may change your mind and opt back into the sale of Personal Information at any time by:
- If you have opted out of the sale or sharing of your Personal Information through cookies by adjusting your cookie preferences or by following the above link, you may simply re-adjust your cookie preferences.
- If you have opted out of the sale or sharing of your Personal Information through the use of a browser privacy control signal, you may turn off the signal and re-adjust your cookie preferences.
If you (or your Authorized Agent) submit a request to opt-in to our “sale” or “sharing” of your Personal Information, we will use a two-step process in order to confirm that you want to opt-in for such “sale” or “sharing” of your Personal Information. This may include confirming your choice by a popup box or other requirement to confirm your new choice.
Browser Privacy Control Signals
You may also exercise your right to opt-out of the “sale” of your Personal Information for monetary or other valuable consideration and the “sharing” of your Personal Information for the purposes of cross-context behavioral advertising by setting the privacy control signal on your browser, if your browser supports it. We currently recognize and support the following privacy signals sent by browsers:
When we receive one of these privacy control signals, we will opt you out of any further “sales” or “sharing” of your Personal Information when you interact with our websites or applications through that browser and on that device. We will only be able to propagate your choice to opt-out to your account if you are currently logged in when we receive the privacy control signal from your browser. When we are able to propagate your choice to your account, you will be opted out of “sale” or “sharing” of your Personal Information on all browsers and devices on which you are logged in, and for both online and offline “sales” and “sharing.”
Your Choices Regarding our Use and Disclosure of Your Sensitive Personal Information
As further described below, we do not use or disclose your Sensitive Personal Information for any purpose other than the following:
- To perform the services or provide the goods reasonably expected by an average Consumer who requests such goods or services;
- To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted Personal Information, provided that our use of your Personal Information is reasonably necessary and proportionate for such purposes;
- To resist malicious, deceptive, fraudulent, or illegal actions directed at Karen Millen and to prosecute those responsible for those actions, provided that our use of your Personal Information is reasonably necessary and proportionate for this purpose;
- To ensure the safety of natural persons, provided that our use of your Personal Information is reasonably necessary and proportionate for this purpose;
- For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with us, provided that the Personal Information is not disclosed to another third-party and is not used to build a profile about you or otherwise alter your experience outside the current interaction with us;
- To perform services on behalf of us, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us; and
- To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.
Financial Incentives
We may offer you certain financial incentives permitted by the CPRA that can result in different prices, rates, or quality levels. Any CPRA-permitted financial incentive we offer will reasonably relate to your Personal Information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time. We may offer you certain financial incentives permitted by the CPRA that can result in different prices, rates, or quality levels. Any CPRA-permitted financial incentive we offer will reasonably relate to your Personal Information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.
In determining the value of your Personal Information we collect as part of your participation in our financial incentives, we consider:
- the revenue generated by Karen Millen of the sale, collection, or deletion of your Personal Information, which we have calculated to be $0.
Personal Information Retention Periods
We will keep your Personal Information for no longer than is necessary for the purpose(s) it was provided for and to meet our legal obligations. Further details of the periods for which we retain Personal Information are available on request.
Other California Privacy Rights
California Civil Code Section 1798.83 (California’s “Shine the Light” law) permits users of our websites that are California residents and who provide Personal Information in obtaining products and services for personal, family, or household use to request certain information regarding our disclosure of Personal Information to third parties for their own direct marketing purposes. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared your Personal Information with for the immediately prior calendar year (e.g., requests made in 2023 will receive information regarding such activities in 2022). You may request this information once per calendar year. To make such a request, please send an email to DPO@karenmillen.com.
Changes to This CPRA Privacy Addendum
Karen Millen reserves the right to amend this California Privacy Addendum at our discretion and at any time. When we make changes to this California Privacy Addendum, we will post the updated addendum on the website and update the addendum’s effective date. If there are any significant changes we will post updates on our website, applications or let you know by email. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.
Contact Information
If you have any questions or comments about this California Privacy Addendum, the ways in which Karen Millen collects and uses your information described in this California Privacy Addendum, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us through our Data Protection Officer at DPO@karenmillen.com.