Privacy Policy

Last Updated: Dec 18, 2025

We collect the personal information you provide to us when you purchase our products or visit our website. The categories of information we may collect include:

Consumers

  • Personal Identifiers, including name, email address, postal address, telephone number, and Online Identifiers
  • Internet Activity
  • Commercial Information, including purchases
  • Financial Information, including credit or debit card number
  • Physical and Audio Data, including physical characteristics or descriptions and audio recordings
  • Protected Classifications and Other Personal Characteristics, including age and sex, gender, or gender identity
  • Inferences from Other Data, including inferences created from other personal information collected

Spa Visitors

  • Personal Identifiers, including name, email address, and telephone number

Browser Cookies

We use cookies to create a better experience for you on our site. For example, cookies prevent you from having to log in repeatedly, and they help us remember items you've added to your cart. We also use third-party cookies, which are cookies placed by third parties for advertising and analytics purposes. You can control these cookies through your browser settings.

Information from other sources

We may collect personal information about you from third-party sources, including Other consumers (e.g., referrals) and Retail Partners.

The categories of information we may collect include:

Other consumers (e.g., referrals)

  • Personal Identifiers, including Name, Email address, Postal address, Telephone number, and Online Identifiers
  • Physical and Audio Data, including Physical characteristics or descriptions
  • Protected Classifications and Other Personal Characteristics, including Age and Sex, gender, or gender identity
  • Inferences from Other Data, including Inferences created from other personal information collected

Retail Partners

  • Personal Identifiers, including Name, Email address, Postal address, and Telephone number
  • Commercial Information, including Purchases

How long we keep your data

We do not retain data for any longer than is necessary for the purposes described in this Policy.

We generally retain data according to the guidelines below.

Data Retention Periods
Type of Data | Retention Period
Cookies and online data we collect while you use our website, including Online Identifiers | We delete or anonymize data concerning your use of our website within 7 years of collecting it.
Data we collect in order to process and ship orders you place with us, including Name, Email address, Postal address, Telephone number, Credit or debit card number, Audio recordings, Inferences created from other personal information collected | We keep personal information related to products and services you purchase for as long as the personal data is required for us to fulfill our contract with you, and for 7 years from your last purchase with us. We may keep data beyond this period in anonymized form.
Data we collect when you contact us for customer support and other inquiries, including Name, Email address, Postal address, Telephone number, Purchases, Credit or debit card number, Physical characteristics or descriptions, Audio recordings, Age, Sex, gender, or gender identity, Data related to physical or mental health, Inferences created from other personal information collected | We keep customer feedback and correspondence with our customer service for up to 2 years to help us respond to any questions or complaints. We may keep data beyond this period in anonymized form.
Data we collect when you sign up for promotional and marketing communications, including Name, Email address, Telephone number, Purchases | Where you have signed up to receive promotional and marketing communications from us, we will retain any data collected until you opt out or request its deletion. We may keep data beyond this period in anonymized form. We will further retain a record of any opt-outs in order to prevent sending you future communications.
Data we collect when you review our products, answer surveys, or send feedback, including Name, Email address, Telephone number | We retain review, survey, and feedback data for up to 7 years following your last contact with us. We may keep data beyond this period in anonymized form to help improve our products and services.
Data we collect in connection with privacy requests, including Name, Email address, Online Identifiers | We retain records related to privacy requests for a minimum of 24 months following the completion of the request.
Data we collect for security purposes, including Internet Activity, Inferences created from other personal information collected | We retain security-related data as long as necessary to comply with our legal obligations and to maintain and improve our information security measures.

Why we process your information

We process personal information for the following business and commercial purposes:

  • Conducting Surveys
  • Creating Customer Profiles
  • Delivering Targeted Ads
  • Fulfilling Customer Orders
  • Improving our Products & Services

We may disclose personal information about you for business and commercial purposes when you purchase our products or visit our website:

Personal Information Sharing Categories
Personal Information Category | Categories of Service Providers | Categories of Third Parties
Personal Identifiers | Ad Networks, Business Operations Tool, Cloud Computing & Storage Providers, Collaboration & Productivity Tools, Commerce Software Tools, Fraud Prevention Tools, Governance, Risk & Compliance Software, Guest & Event Management Tool, IT Contractors, IT Infrastructure Services, Payroll & Benefits Management Software, Sales & Marketing Tools, Shipping Services, and Web Hosting Services | Ad Networks, Data Analytics Providers, Payment Processors, and Sales & Marketing Tools
Internet Activity | Ad Networks, Business Operations Tool, Cloud Computing & Storage Providers, Collaboration & Productivity Tools, Commerce Software Tools, IT Contractors, IT Infrastructure Services, Sales & Marketing Tools, and Web Hosting Services | Ad Networks, Data Analytics Providers, Payment Processors, and Sales & Marketing Tools
Commercial Information | Ad Networks, Business Operations Tool, Cloud Computing & Storage Providers, Collaboration & Productivity Tools, Commerce Software Tools, IT Contractors, IT Infrastructure Services, Sales & Marketing Tools, and Web Hosting Services | Ad Networks, Data Analytics Providers, Payment Processors, and Sales & Marketing Tools
Financial Information | Business Operations Tool, Cloud Computing & Storage Providers, Collaboration & Productivity Tools, Commerce Software Tools, IT Contractors, IT Infrastructure Services, Sales & Marketing Tools, and Web Hosting Services | Data Analytics Providers, Payment Processors, and Sales & Marketing Tools
Physical and Audio Data | IT Contractors, IT Infrastructure Services, Sales & Marketing Tools, and Web Hosting Services | Sales & Marketing Tools
Protected Classifications and Other Personal Characteristics | Business Operations Tool, Collaboration & Productivity Tools, Commerce Software Tools, IT Contractors, IT Infrastructure Services, Sales & Marketing Tools, and Web Hosting Services | Ad Networks, Data Analytics Providers, and Sales & Marketing Tools
Inferences from Other Data | Business Operations Tool, Cloud Computing & Storage Providers, Collaboration & Productivity Tools, Commerce Software Tools, IT Contractors, IT Infrastructure Services, Payroll & Benefits Management Software, Sales & Marketing Tools, and Web Hosting Services | Ad Networks, Data Analytics Providers, and Sales & Marketing Tools


If you are located in the EEA or the United Kingdom and have questions about your personal data or would like to request to access, update or delete it, you may contact our representative at:

Bird & Bird GDPR Representative Services SRL

Avenue Louise 235

1050 Bruxelles

Belgium

EUrepresentative.SundayRiley@twobirds.com

Key contact: Vincent Rezzouk-Hammachi

Bird & Bird GDPR Representative Services UK

12 New Fetter Lane

London

EC4A 1JP

United Kingdom

UKrepresentative.SundayRiley@twobirds.com

Key contact: Vincent Rezzouk-Hammachi

This section provides additional information for people in the European Economic Area (EEA) or United Kingdom (UK) and Switzerland ("CH"). It should be read together with our main Privacy Policy. Where there is a conflict, this notice applies to individuals in the EEA, UK, and CH. The terms used in this section have the same meaning as in the General Data Protection Regulation and the UK Data Protection Act (GDPR) and the Swiss Federal Act on Data Protection ("FADP"). The term “personal information” as used in this notice has the same meaning as “personal data” in the GDPR.

Controller Information 

Data Controller: Sunday Riley UK Ltd 
Registered Address: Office 3F, The Hide; 3 Kingly Court; London W1B 5PW United Kingdom 
Email: privacy@sundayriley.com

Where required under applicable law, Sunday Riley UK Ltd acts as the data controller for personal data processed in connection with individuals in the EEA, UK, and CH. 

If we are required to appoint a data protection officer ("DPO") or EU/UK representative, the relevant contact details will be provided here. 

Collection and Disclosure of Personal Data

The personal data we collect and how we share it is described above in our Privacy Policy.

We may disclose your personal information to the following third-party controllers for business purposes: Wave, Vested, Concord, Pinterest Ads, Apple Pay, PayPal - Pay with PayPal, Venmo, Pay Later, CJ, Forter, Expensify, Dyno Mapper, Mazars, Meta Ad Network. To understand how these parties handle your data, please refer to their respective privacy policies.

The categories of personal data we collect, and the sources of that data, are described in the "Information You Provide to Us" and related sections of our Privacy Policy. This may include, depending on how you interact with us: 

  • Identifiers (such as name, email address, postal address, phone number, online identifiers) 
  • Transaction and payment information 
  • Device and usage information 
  • Communications and customer service information 

Cookie Notice

We use cookies to improve your experience on our site and to allow us and third parties to personalize the marketing content you see on other websites and social media. Website visitors from European Privacy Law regions can control cookie settings. Manage your region-specific consent settings here.

Essential Cookies

We use these cookies for things like security, logins, site errors, and processing payments. We can't turn these necessary cookies off, but you can control them in your browser.

Cookie Name | Provider | Duration
__cfruid | Chadwick Horn | Session
cart_currency | Shopify | 14 Days
keep_alive | Shopify | 31 Mins
localization | Chadwick Horn | 1 Year
secure_customer_sig | Shopify | 1 Year
shopify_pay_redirect | Shopify | 1 Hour
VISITOR_INFO1_LIVE | Chadwick Horn | 5 Months 27 Days
YSC | Chadwick Horn | Session

Analytics Cookies

These cookies tell us how you use our sites and apps, and provide information to help us improve your experience. These cookies are set only with your consent. 

Cookie Name | Provider | Duration
_ga | Google Analytics | 1 Year 28 Days
_gat | Google Analytics | 2 Mins
_gid | Google Analytics | 1 Day
_landing_page | Shopify | 14 Days
_orig_referrer | Shopify | 14 Days
_s | Shopify | 31 Mins
_shopify_s | Shopify | 31 Mins
_shopify_sa_p | Shopify | 31 Mins
_shopify_sa_t | Shopify | 31 Mins
_shopify_y | Shopify | 28 Days
_y | Shopify | 28 Days

You may withdraw or change your consent at any time using our cookie management tool or browser settings. 

Personalization Cookies

We do not use cookies to personalize content for you.

Advertising Cookies

We do not use cookies for marketing or advertising purposes.

Advertising and Personalization Cookies 

We do not set advertising or personalization cookies for users in the EEA, UK, or CH unless you have provided explicit consent. Where consent is provided, we may work with advertising partners to measure campaign performance or display relevant advertisements. 

Disclosure of Personal Data 

We may share personal data with third parties where necessary for the purposes described above, including: 

  • Payment processors (e.g., Apple Pay, PayPal, Venmo) to process transactions 
  • Fraud prevention providers (e.g., Forter) to protect against fraudulent activity 
  • Professional advisers and auditors (e.g., Mazars) 
  • Analytics and website service providers (e.g., Shopify, Google Analytics), subject to consent where required 

These third parties act either as processors on our behalf or as independent controllers, depending on the service provided. We encourage you to review their respective privacy notices for further information. 

Lawful Bases and Legitimate Interests

Purposes of Processing and Lawful Bases 

We process personal data only where permitted by law. The table below summarizes our primary purposes and lawful bases under GDPR/UK GDPR: 

Purpose of Processing | Lawful Basis
Processing and fulfilling orders | Performance of a contract
Managing accounts and customer relationships | Performance of a contract
Payment processing | Performance of a contract
Fraud prevention and security | Legitimate interests
Operating, maintaining, and improving our website and services | Legitimate interests
Analytics and performance measurement | Consent
Marketing communications (where required by law) | Consent
Compliance with legal and regulatory obligations | Legal obligation

Where we process personal data on the basis of our legitimate interests, we pursue the following interests: Creating Customer Profiles, Delivering Targeted Ads, Improving our Products & Services, Conducting Surveys, Fulfilling Customer Orders, Internal Business Operations, Meeting Compliance & Legal Requirements, Organizing & Managing Data, Processing Payments, Tracking Purchases & Customer Data, Operating Our Website or Mobile Apps, Preventing Fraud, Providing Customer Support, and Sending Promotional Communications.

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your fundamental rights and freedoms. You may object to this processing at any time. 

International Data Transfers

We may send the personal data of individuals in the EEA/UK/CH to third countries, including the United States, where it may be stored or processed, for example on our service providers’ cloud servers. When we transfer personal data, we rely either on Adequacy Decisions as adopted by the European Commission (EC), the UK Information Commissioner's Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC) on the basis of the EU-US Data Privacy Framework, UK-US Data Bridge, and Swiss-U.S. Data Privacy Framework agreements, Standard Contractual Clauses (SCCs) issued by the EC or the FDPIC, or International Data Transfer Agreements (IDTAs) approved by the ICO. Data protection authorities have determined that the SCCs and IDTAs provide sufficient safeguards to protect personal data transferred outside the EEA/UK/CH. You may read more about international data transfer mechanisms at the following links:

Privacy Rights

Individuals in the EEA/UK/CH have the following rights regarding their personal data. Make a Privacy Request by clicking here. Once you submit a request, we will verify your identity and process your request in most cases within 30 days.

Right to access. You have the right to request a copy of the personal data we hold about you.

Right of portability. You have the right to ask us to transfer your data to another party.

Right to rectification. You have the right to request that we rectify any incorrect information we have about you.

Right of erasure. You have the right to request that we erase (delete) any personal information we hold about you.

Right to withdraw consent. You have the right to withdraw your consent at any time when we rely on your permission to process your personal data.

Right to object. You have the right to object to our use of data about you.

Right to restrict processing. In certain circumstances, you have the right to restrict our processing of your personal data to storage only, subject to some exceptions. This right applies when:

  • You have contested the accuracy of your personal data and we are still verifying its accuracy.
  • Your personal data has been unlawfully processed under the GDPR.
  • You need us to keep your data in order to establish, exercise, or defend a legal claim.
  • You have previously objected to our processing of your personal data and the status of that review is still pending.

Right to lodge a complaint with a supervisory authority. You have a right to lodge a complaint with a supervisory authority. For more information, you can visit the Information Commissioner’s Office website at https://ico.org.uk/, the Federal Data Protection and Information Commissioner’s website at https://www.edoeb.admin.ch/, or see a list of EU Data Protection Authorities at https://www.gdprregister.eu/gdpr/dpa-gdpr/.

Inquiries

Controller contact information

Sunday Riley UK

privacyuk@sundayriley.com