Data protection and privacy policy

Welcome to our website https://www.drsturm.com (hereinafter, the “Website”). Please read this Privacy Policy carefully.

Sections 1-14 serve as our Privacy Policy. Additional notices may be made at the point of collection, in which case those will supplement this Privacy Policy and govern that collection in the event of a conflict with this main Privacy Policy. Capitalized terms used but not defined herein will have the meanings given to them in applicable laws where we are subject to such laws, which may differ from one applicable jurisdiction to another.

Section 13 of this Privacy Policy describes Consumers’ privacy rights under State Privacy Laws that apply to us (“State Privacy Rights”) and how to exercise them and serves as our pre-collection notice.

1.    Our Commitments

We respect Users' (defined below) right to be informed regarding the processing of their personal information or personal data (referred herein as “Personal Data”), as those terms are defined under the applicable law.

For the purposes of the Data Protection Legislation (as defined below), companies of the PUIG Group that may need to have access to and process the Personal Data collected on the Website for one of the purposes listed below shall be considered as a separate and independent controller of your Personal Data. In this context, the following companies (hereinafter, jointly referred to as “Dr. Sturm”, “us”, “we” or “our”) may be classified as controller of your Personal Data with respect to the following data processing activities:

·      Marketing Purposes (as defined below) including general Online Customer and Information/Complaint Services regarding the Website: Antonio Puig, S.A.U. - a Spanish company with registered office at Plaza Europa 48-48, 08902 Hospitalet de Llobregat, Barcelona (Spain), incorporated with the register of trade and companies of Barcelona under number A08158289 (hereinafter referred to as “APSA”).

·      Online Sales (as defined below): Online-Shop United States of America (including Customer Services regarding the Online sale conducted in the Online-Shop): Puig North America, Inc. – a New York corporation with its registered office at 630 5th Ave, 32nd Floor, New York City, NY 10111 (hereinafter referred to as “Puig NA”).

Please note that any Online Sales delivered to one of the following countries are subject to the specific Privacy Policies detailed below:

o  Germany – Privacy Policy

o  United Kingdom – Privacy Policy

o  Worldwide (except Germany, UK and US) – Privacy Policy

 

·      Stores / SPAs (as defined below): our stores and/or SPAs located at the United States of America: Puig Retail US, LLC – a New York company with its registered office at 630 5th Ave, 32nd Floor, New York City, NY 10111 (hereinafter referred to as “Puig Retail”). 

You can also purchase Dr. Sturm products and services via our retail partners across the US (our “Retail Partners”). When you purchase Dr. Sturm products or services through a Retail Partner online or in one of their stores, you are contracting directly with that Retail Partner and not with us. Any Personal Data you provide to the Retail Partner will be managed by the Retail Partner and governed by its privacy policy. If you have questions about how our Retail Partners collect, use, and disclose information, you must contact them directly.

This Privacy Policy applies to the Personal Data of any “User” (defined as individuals accessing our Website, using its services and/or filling in forms on our Website with or without purchasing any product from the local online-shops (the “Online-Shops”), as well as recipients of certain communications and marketing messages we send, visitors of our US stores and/or SPAs (the “Stores / SPAs”) or otherwise interact with us in or from the United States of America). This Privacy Policy helps you understand how Dr. Sturm collects and uses your Personal Data and for which purposes and your rights in relation to your Personal Data.

To ensure the accuracy of the Personal Data you provide to us on our files, please communicate to us any changes using the Contact section below. This allows us to ensure that the information contained in our files is up-to-date and accurate. We reserve the right to suspend or interrupt the provision of the requested services should you knowingly provide inaccurate Personal Data, without prejudice to any action allowed by law.

2.    Applicable Law

Any and all User Personal Data will be collected and/or processed by Dr. Sturm pursuant to the laws applicable to the state/country of residence of the User including: (i) as it pertains to residents of the European Union, EU Regulation 2016/679 (“GDPR”) without prejudice however to any applicable local mandatory laws benefitting consumers, in accordance with EU Regulation 593/2008 (“ROME I”), or any other conflict of laws rules applicable; and (ii) as it pertains to residents of states with applicable State Privacy Laws to which we are subject, State Privacy Laws (defined in Section 13, below) (together, “Data Protection Legislation”).

3.    Who Collects and Processes Your Personal Data, How and For Which Purposes?

Dr. Sturm may collect and process your Personal Data for a variety of different purposes. The reasons for collecting Personal Data are expressly listed in the information below. The responsible controller is specified per each particular purpose.

·      Commercial Purposes (Stores/SPAs and Online Sales): Your Personal Data may be processed to provide services you subscribed to or reserved (as long as it is applicable and you provide the appropriate consent, if required separately), notably to fulfill orders for products, to contact you in case of any order issues or where we need to provide your Personal Data to our service providers to fulfill your order (hereinafter, the "Commercial Purposes"). This data processing is based on the fulfillment of our contractual obligations with the User in relation to the order.

Your Personal Data may also be processed (when permitted by applicable regulations) to send to you, including through a newsletter or other mailing, commercial information and updates related to your purchased products, including product information, offers, exclusive sales, promotional campaigns and on events and similar initiatives organized by Dr. Sturm, which is acting as a seller, if such data processing by law does not require your separate consent and thus can be based on our legitimate interests as long as you don’t raise an objection to us.

We may have access to third parties' Personal Data which was directly disclosed by Users to us, for example when the User buys a product they request to send to a friend, when the User paying for the product is different from the recipient of the product, or when a User wishes to recommend to a friend a service of the Website or the sale of a particular product.

In this case, please make sure you receive the consent of such individuals before disclosing their Personal Data to us and make sure you inform them about this Privacy Policy; you will be the only person liable in connection with the disclosure of information and data regarding such third parties if they have not provided you with their prior explicit consent for it and for any improper and unlawful use of that information.

Dr. Sturm, which is acting as a seller, shall be considered as the controller of your Personal Data collected and processed for Commercial Purposes, as it will determine the purposes and means of processing Personal Data.

·      Marketing Purposes (Website, Stores/SPAs, individual Online-Shops, and Communications): We may also use your Personal Data collected on the Website, our social media campaigns, computerized devices in Stores/SPAs or when permitted by applicable regulations (for example, by having previously purchased on our Website) for marketing purposes (herein the "Marketing Purposes"):

o  To send you by postal mail, text messages, email, push notifications or other digital communications (including ads on social media platforms), related to commercial information and updates on our products, offers, exclusive sales, promotional campaigns and on events and similar initiatives organized by Dr. Sturm. For this purpose, we occasionally may use your email address to customize ads for your interests or generate a "lookalike audience" or similar audience through the Facebook, Instagram, Google, Snapchat, Pinterest or TikTok advertising platforms (“Third-Party Digital Businesses”). This allows us to target advertisements on those platforms to potential customers who appear to have shared interests or similar demographics to you, based on the platforms' own data. It is the policy of these Third-Party Digital Businesses to hash your email address prior to uploading it, match the hashed data against their own customers, generate the lookalike audience, then delete the uploaded email address and use it for no other purpose. We do not have access to the identity of anyone in the lookalike audience unless they choose to click on the ads. We are not responsible for these Third-Party Digital Businesses, including without limitation their data security practices and/or failure to comply with your or our opt-out instructions.

If you wish to opt out, please send an email to [email protected], click the 'unsubscribe' link which is included in all of our marketing communications, or follow the instructions provided in the text messages from us (e.g., reply ‘STOP’ to our text messages). 

Even if you opt out of receiving promotional communications, we may, subject to applicable law, continue to send you non-promotional communications, such as those about your account, transactions, servicing, or our ongoing business relations.

o  We may also collaborate with third parties to provide us with browsing data (“Traffic Data”) resulting from the use of the Website and of our services to provide us analytics services and serve Dr. Sturm’s ads and banners when you are browsing on apps and other websites. We do this by way of various ad exchanges and digital marketing networks. We and our advertising partners use various advertising technologies, for instance, ad tag, cookies, pixels, identifiers and web beacons (“Tracking Technologies”). This information may be used by Dr. Sturm to analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our Website and other websites, and better understand your online activity. The ads and banners you see are based on information that we hold about you, or on your prior use of our Website, for example, products you have browsed previously, content you have read on our Website, or on Dr. Sturm’s banners or ads that you have engaged with in the past. We may also work with and use services offered by Third-Party Digital Businesses to serve ads to you as part of a customized campaign on those third-party sites and platforms. As part of these ad campaigns, we or the Third-Party Digital Businesses may convert information about you, such as your email address and phone number, into a unique value that can be matched with a user account on these platforms to allow us to learn about your interests and to serve you advertising that is customized to your interests.

If you wish to exercise your opt-out/in rights, as applicable, with respect to your cookie data, please visit our Cookies Policy, use our cookie management tool to manage your preferences, or follow the instructions outlined in the Do Not Sell/Share/Target Opt-out section below.

o  We may offer sweepstakes, contests, and other promotions (each, a “Promotion”), including Promotions jointly sponsored or offered by third parties, which may require submitting Personal Data. If you voluntarily choose to enter a Promotion, your information, including Personal Data, may be disclosed to us, co-sponsors, service providers, and other third parties, including for administrative purposes and as required by law (e.g., on a winners list). By entering, you are agreeing to the official rules that govern that Promotion, which may include consent to additional or differing data practices from those contained in this Privacy Policy. Please review those rules carefully.

APSA is the controller of your Personal Data collected and processed for Marketing Purposes, as it determines the purposes and means of processing Personal Data.

·      Security Purposes: Based on Dr. Sturm’s legitimate interest, your Personal Data may be processed to:

o  detect fraudulent activity on your device and to keep the Website and Online Sales away from attackers who may try to access your account by impersonating you. In particular, Dr. Sturm may use IP address, device, profile, usage, payment data and other data to prevent and detect malicious or unsafe activities (e.g. payment fraud, identity fraud, account hacking, phishing, incentive abuses); and monitor all actions that could result in fraud or in the commission of a criminal offence related to the payment method employed by you; if any irregularities are detected, Dr. Sturm reserves the right to retain the data provided and share it with the competent Authorities to carry out the relevant investigation.

APSA shall be considered as the controller of your Personal Data collected and processed for the abovementioned purposes. 

o  CCTV surveillance and Traffic analytics (footpath analysis sensors) systems in place across our US Stores/SPAs to safeguard the safety and security of team members, customers, property, and assets; to prevent and detect crime, including theft, fraud, and vandalism; and to monitor the operation of our Stores/SPAs for the purposes of improving customer service and team member training. 

Puig Retail shall be considered as the controller of your Personal Data collected and processed for the abovementioned purposes.

·      Routine Finder tool: If you use our Routine Finder tool, we may collect Personal Data related to your skin characteristics. This may involve the use of ‘profiling’ or automated decision making to predict your interests and personalise recommendations. We use this Personal Data to provide you with a personalised skincare routine and for the Marketing Purposes described above.

We will only process Personal Data collected through the Routine Finder tool with your consent. You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. This tool is not intended to be used by those under the legal age.

4.    Choices: Tracking and Communications Options

A.  Tracking Technologies Generally

Regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. Browsers offer different functionalities and options, so you may need to set them separately. Please be aware that if you disable or remove these technologies, some parts of the Website may not work and that when you revisit the Website your ability to limit browser-based Tracking Technologies is subject to your browser settings and limitations. Accordingly, you may want to consider the more limited opt-out choices noted in the next section.

Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no consensus among industry participants as to what “Do Not Track” means in this context. Like many online services, Dr. Sturm currently does not alter its practices when it receives a “Do Not Track” signal from a visitor’s browser. However, we do honor browser signals known as “Global Privacy Controls” and provide cookie preference tools on our Website as more fully explained in the Do Not Sell/Share/Target Opt-out subsection of the State Privacy Rights section.

Some third parties, however, may offer you choices regarding their Tracking Technologies. For specific information on some of the choice options offered by third party analytics and advertising providers, see the next section. We do not represent that these third-party tools, programs or statements are complete or accurate.

You will need to set preferences on each browser that you use to access our Website and clearing cookies on your browser(s) may disable some preference settings.

B.  Analytics and Advertising Technology

Dr. Sturm may engage and work with third parties, including Third-Party Digital Businesses, to serve advertisements on the Website and/or on other online services. Some of these ads may be tailored to your interest based on your browsing of the Website and elsewhere on the Internet, which may include use of precise location and/or cross-device data, sometimes referred to as “interest-based advertising” and “online behavioral advertising” (“Interest-based Advertising”), which may include sending you an ad on another online service after you have left our Website (i.e., “retargeting”).

You may choose whether to receive some Interest-based Advertising by submitting opt-outs through the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Program for Online Behavioral Advertising. To learn more about how you can exercise certain choices regarding Interest-based Advertising, including use of Cross-device Data for serving ads, visit http://www.aboutads.info/choices/. Please be aware that, even if you opt out of certain kinds of Interest-based Advertising, you may continue to receive other types of ads. Opting out only means that those selected DAA members should no longer deliver certain Interest-based Advertising to you but does not mean you will no longer receive any targeted content and/or ads (e.g., from other ad networks). Also, if your browsers are configured to reject cookies when you visit these opt-out webpages, or you subsequently erase your cookies, use a different device or web browser or use a non-browser-based method of access (e.g., mobile app), your DAA browser-based opt-out may not, or may no longer, be effective. Dr. Sturm supports the ad industry’s Self-regulatory Principles for Online Behavioral Advertising and expects that ad networks Dr. Sturm directly engages to serve you Interest-based Advertising will do so as well, though Dr. Sturm cannot guarantee their compliance. Also note that the DAA program is national and not the same as Do Not Sell/Share/Target Opt-out rights under State Privacy Laws.

We may also use Google Ad Services. To learn more about the data Google collects and how your data is used by it and to opt out of certain Google browser Interest-Based Advertising, please visit: http://www.google.com/settings/ads.

In addition, we may serve ads on other online services that are targeted to reach people on those services that are also identified on one or more of our databases (“Matched List Ads”). This is done by using Tracking Technologies or by matching common factors between our databases and the databases of the other online services. For instance, we may use such ad services offered by Meta (Facebook and Instagram) or X (f/k/a Twitter) and other Third-Party Digital Businesses, which may offer user controls that you can use to limit Matched List Ads. We are not responsible for these Third-Party Digital Businesses, including without limitation their security of the data or their failure to comply with your or our opt-out instructions, and they may not give us notice of opt-outs to our ads that you give to them, and they may change their options without notice to us or you.

Dr. Sturm may use Google Analytics or other Third-Party Digital Businesses for analytics services. These analytics services may use Tracking Technologies to help Dr. Sturm analyze users and how they use the Website. Data generated by these Tracking Technologies (e.g., your IP address and other usage data) may be transmitted to and stored by these Third-Party Digital Businesses on servers in the U.S. (or elsewhere) and these Third-Party Digital Businesses may use the data for purposes such as evaluating your use of the Website, compiling statistical reports on the Website’s activity, and providing other services relating to Website activity and other Internet usage. Dr. Sturm is not responsible for, and makes no representations regarding, the policies or business practices of any third parties, including, without limitation, Third-Party Digital Businesses associated with the Website, and encourages you to familiarize yourself with and consult their privacy policies and terms of use.

You may exercise choices regarding the use of cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on. You may exercise choices regarding the use of cookies from Adobe Analytics by going to http://www.adobe.com/privacy/opt-out.html under the section labeled “Tell our customers not to measure your use of their web sites or tailor their online ads for you.”

Dr. Sturm is not responsible for the effectiveness of, or compliance with, any third parties’ opt-out options or programs or the accuracy of their statements regarding their programs.

Residents of certain U.S. states have additional, more comprehensive, rights more fully explained in the Do Not Sell/Share/Target Opt-out subsection of the State Privacy Rights section.

5.    What Happens If You Do Not Disclose Your Personal Data to Us? 

Granting your Personal Data to us (in particular, your personal details, your e-mail address, your address, your Credit/Debit Card numbers and bank code and your telephone number) is necessary for processing your order for the purchase of products on the Website or in Store, supplying other services provided on the Website upon your request, or when your Personal Data is needed to fulfil obligations required by law or regulations. The refusal to provide us with some of your Personal Data necessary for performing the above purposes may consequently prevent us from processing your order for the purchase of products sold on the Website or in Store, sending you requested newsletters or fulfilling obligations required by law and other regulations etc. Therefore, failing to provide Personal Data may constitute, in some cases, a legitimate and justified reason for not processing your order for the purchase of products sold on the Website or in Store, or not providing the Website’s services.

Disclosure of further Personal Data to us other than that required for fulfilling legal or contractual obligations and to properly browse our services with necessary Traffic Data is, on the contrary, optional and does not have any effect on the use of the Website and of its services or on the purchase of products on the Website.

6.    To Whom Your Personal Data Will Be Disclosed

Your Personal Data will be disclosed to trusted third party providers that perform a range of business operations (hereinafter, the "Trusted Third Parties"), such as:

·      Customer service, for purposes related to the shipping, delivery and return of products purchased on the Website and customer service to users of the Website.

·      Computer services, for purposes related to hosting Dr. Sturm servers.

·      Payment platforms, for purposes related to the payment method and its execution.

·      Logistic services, for purposes related to shipping and delivery and return of the products purchased on the Website or in Store.

·      Marketing services, for the analysis of use of our Website, sending communications, managing advertising content, etc.

·      Promotion services.

·      Security services, for purposes related to payment fraud, identity fraud, account hacking, phishing, incentive abuses, etc. (“Fraud Detectors”). Fraud Detectors collect Personal Data from the Website (e.g., identifiers and contact information, personal records, commercial information, internet activity, geolocation data, and inferences) and elsewhere and use that data to analyze, evaluate, and predict whether a particular transaction is unusual for a particular consumer or otherwise indicative of fraudulent activity, such as if a credit card is suddenly used for multiple transactions in different locations within a short period, or if the proposed transaction does not align with the prior purchase behavior of a particular consumer, including spending patterns, location, transaction amounts, frequency of transactions, and types of merchants. If the Fraud Detectors detect fraud or illegal activity, then you may be prevented from completing a transaction/purchase. This Fraud Detector activity is beneficial to consumers because it is meant to prevent misuse of consumers’ credit card information on our Website and to otherwise protect consumers’ other Personal Data.

·      CCTV vendors, for purposes related to in-Store safety, crime prevention, and training purposes.

 

Moreover, your Personal Data may be disclosed to the police or to judicial authorities, according to applicable laws and upon a formal request by such entities, for example in the event we need to prevent fraud on the Website.

7.    Security Measures and Retention Period

We have adopted security measures to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, or access and against all other reasons for data processing that do not comply with our Privacy Policy.

For the best possible protection of your Personal Data outside the limits of our control and management of the same, it is advisable that your computer be provided with software devices that protect network data transmission/receipt (such as updated antivirus systems) and that your Internet service provider take appropriate measures for the security of network data transmission (such as, for example, firewalls and anti-spam filtering).

We will only hold your Personal Data for so long as is necessary for us to fulfil the purposes set out in this Privacy Policy (e.g., in case of online sales for as long as required by local tax, corporate and warranty laws; in case of consent, until you revoke your consent). Where we no longer need to process your Personal Data for the purposes set out in this Privacy Policy, then we will delete your Personal Data from our system.

8.    Transfer of Your Personal Data to Other Countries

The Personal Data we collect from you is currently held within the European Union (‘EU’), except Personal Data which is collected via Tracking Technologies on the Website. However, it is possible that in the future such Personal Data may be transferred, stored and/or processed outside the EU.

By submitting your Personal Data, you agree to this transfer, storing and/or processing. Please note that some cookie providers and data recipients may be in the United States or other countries which may have a lower level of data protection. However, we will take reasonable steps to ensure that your Personal Data is given equivalent protection in accordance with the Data Protection Legislation, by implementing adequate contractual conditions in our agreements with business partners dealing with transfer of Personal Data to ensure that Personal Data are processed according to our instructions, and in such a way to maintain their integrity and security.

9.    Children and Teens

Our Website is intended for individuals who are of the age of majority in the jurisdiction in which they reside, and are not directed at, marketed to, nor intended for children or other minors. Dr. Sturm does not knowingly collect any data, including Website Personal Data, from children or other minors. If you believe that we have inadvertently collected Personal Data from a child under 13 years of age, please contact us, and we will take immediate steps to delete or otherwise treat the data as required by applicable law. Some State Privacy Laws provide additional consideration for children and teens. More information on the privacy of the Personal Data of / from children and, where regulated by State Privacy Laws, teen (collectively “Child-Aged”) consumers is included in the Child-Aged Consumers of Certain States subsection of the State Privacy Rights section below.

10. Opt-in/Opt-out

Each time your consent is required, Dr. Sturm will inform you in advance and will give you the option to either provide or refuse your consent for the use of your Personal Data, including your e-mail address, for the above purposes, by ticking the appropriate boxes. Further, in the alternative, we may also offer you the opportunity to opt-out of certain processing purposes (e.g., Marketing Purposes).

We wish to inform you that we may process your Personal Data also without your consent in certain circumstances, such as when such processing is necessary for performing a legal obligation to which we are subject or when such processing is necessary for providing you with the products or services you requested.

11. Contact Us

You may contact us at the following email address [email protected] for questions, concerns or comments about this Privacy Policy, the ways in which we collect and use your Personal Data, your choices and rights regarding such use. If you are a resident of a state with a State Privacy Law, please also see Section 13, below, regarding any additional privacy rights afforded to you by law.

You can also contact our Data Protection Officer through the following email: [email protected].

12. Amendments and Updates to This Privacy Policy

We may amend or simply update all or part of this Privacy Policy, including when amendments are made to legal provisions or regulations, which govern data protection and protect your rights. The amendments and the updating of the Privacy Policy shall be binding as soon as they are published on the Website. Therefore, you are requested to regularly access this section to check the publication of the most recent and updated Privacy Policy.

13. U.S. State Privacy Notice for our Customers in Certain U.S. States

EFFECTIVE DATE: JULY 1, 2024

This U.S. State Privacy Notice (“Privacy Notice”) supplements the information contained in the Privacy Policy and applies only to Consumers, as defined under the applicable State Privacy Laws (defined below), who do not interact with us in the HR Context (defined below) (“Consumers”). In California, the term “Consumer” is not limited to data subjects acting as individuals in a household goods and services context and includes individuals acting in a business-to-business context.

This Privacy Notice is designed to provide Consumers with notice of our Personal Information or Personal Data (as those terms are defined under the State Privacy Laws) (collectively, “Personal Data”) practices over the prior 12 months, including our online and offline business activities (the “Business Activities”), and to meet the notice requirements of the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act (the “CCPA”), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Montana Consumer Data Privacy Act (effective October 1, 2024), Chapter 603A of the Nevada Revised Statutes, and, effective in January of 2025, the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Nebraska Data Privacy Act, the New Hampshire Data Privacy Law, and the New Jersey Privacy Law, substantially similar state consumer privacy laws that may hereafter be applicable to us, and all laws implementing, supplementing, or amending the foregoing, including regulations promulgated thereunder (each a “State Privacy Law,” collectively, “State Privacy Laws”).

If our processing materially changes between updates to this Privacy Notice, we will provide a supplemental notice when or before the changes apply. Otherwise, this Privacy Notice serves as our notice at collection (i.e., pre-collection notice).

A.  Notice of Collection and Privacy Practices

If you interact with us in the “HR Context” (e.g., as a California employee, former employee, job applicant, independent contractor, etc.) this Privacy Notice does not apply to you. Please contact our HR Department to obtain a copy of the Privacy Notice that applies to Personal Data collected in the HR Context.

Notably, this Privacy Notice does not apply to data that is not treated as Personal Data, or to the extent the data is subject to an exemption under applicable State Privacy Laws.

Generally, the processing purposes for which we collect, retain, use, disclose and otherwise process your Personal Data in connection with our Business Activities, include providing or promoting to you our products and services and as otherwise related to the operation of our business, which includes both Business Purposes, and Commercial Purposes such as sharing with Third-Party Digital Businesses, each as more fully explained below. This may include disclosing or otherwise making available Personal Data to our vendors that perform services for us in their role as “service providers” or “processors,” as the terms are defined under State Privacy Laws (collectively, “Processors”), as well as to third parties, each as more fully explained below.

The categories of sources from which we collect your Personal Data include: you, other Consumers, your employer (in the business-to-business context), our Service Providers, and other third parties, including Third-Party Digital Businesses.

To learn about your privacy rights under State Privacy Laws and how to exercise them, please refer to the Your Rights and Choices section, which includes a notice of how to exercise Do Not Sell/Share/Target Opt-out rights.

B.  Processing of Personal Data

Generally, we collect, retain, use, and disclose your Personal Data to provide you our products and services, or information about them, and as otherwise related to the operation of our business, including for one or more of the following “Business Purposes”:

                Providing Products or Services: Operating or distributing products and services, processing or fulfilling transactions, administering accounts, providing customer service, verifying customer information, and processing payments. 

                Managing Interactions and Transactions: Performing services on behalf of the business, including maintaining or servicing accounts and providing customer service, verifying customer information, processing payments, providing analytics services, and customizing your experience, offers and content.

                Security and Debugging: Helping to ensure the security and integrity of our systems and data to the extent the use of the Consumer’s Personal Data is reasonably necessary and proportionate for these purposes. Debugging to identify and repair errors that impair existing functionality.

                Advertising and Marketing: Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with State Privacy Laws. Short-term transient use including, without limitation, for providing advertising and marketing services, except for cross-context behavioral advertising (i.e., targeted advertising, which is a separate commercial purpose described below for which there is a right to opt-out), customizing your experience, offers, and content.

                Quality Assurance: Undertaking activities to verify or maintain the quality or safety of our products and services, and to improve, upgrade, or enhance our products or services.

                Research and Development: Undertaking internal research for technological development and demonstration.

                Operation of our Business: For our additional legitimate Business Purposes that are compatible with the purposes of collecting your Personal Data and that are not prohibited by law in the context that is not a “sale,” “share” or “targeted advertising” under State Privacy Laws, such as disclosing it to a person that processes Personal Data on our behalf, such as our Processors, to the Consumer, or to other parties at the Consumer’s direction or through the Consumer’s action (e.g., for payment processing, shipping, customs, and Fraud Detectors); for additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties, including litigants, to comply with law or legal process or to protect or enforce legal rights or obligations or prevent harm; and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”), or otherwise with your consent (“Additional Business Purposes”). Subject to restrictions and obligations under State Privacy Laws, our Service Providers may also use your Personal Data for Business Purposes and other purposes permitted by law and may engage their own vendors to enable them to perform services for us.

We may also use and disclose your Personal Data, regardless of the other purposes for which we collect it, for Commercial Purposes, which may be considered a “sale” or “share” or “targeted advertising” under applicable State Privacy Laws, when Third-Party Digital Businesses collect your Personal Data, or we otherwise make it available to them. Under State Privacy Laws some of these processing disclosure activities do not qualify as Business Purposes disclosures and are subject to a right to opt-out. The specific purpose for this selling or sharing is to help us and others provide you with more relevant content and marketing messages (e.g., targeted advertising), and related activities and when we and third parties process your Personal Data for certain advertising purposes (e.g., creating profiles and inferences, measurement, some types of analytics, conversion tracking, audience extension, etc.) and the parties we disclose it to are detailed, by type of Personal Data, in the Disclosures of Personal Data section below. For more information on the meaning of selling, sharing, and targeted advertising and how to adjust your preferences with respect to such processing, please refer to the Do Not Sell/Share/Target Opt-out subsection of the State Privacy Rights section below.

The Business Purposes and Commercial Purposes for processing described above may apply to all categories of your Personal Data, other than sensitive Personal Data, but we detail our disclosures (including selling and sharing), and detail our sensitive Personal Data processing purposes, by Personal Data category in the charts below for additional transparency.

C.  Collection, Disclosure and Retention of Personal Data

We have collected the following categories of Personal Data from Consumers within the last twelve (12) months:

Category of Personal Data: Identifiers
Examples of Personal Data Collected and Retained: First and last name, postal address, unique personal or online identifier, IP address, email address, and account name.
Categories of Recipients:
Disclosures for Business Purposes:
·      Processors (e.g., cloud storage vendors, IT vendors, email/messaging, customer support providers, data analytics and marketing vendors) (“Operational Service Providers”);
·      Other members of our corporate group, and/or other parties in connection with a Corporate Transaction (“Corporate Recipients”);
·      Governmental entities (e.g., making requests pursuant to legal or regulatory process) (“Government”); and/or
·      Other parties (e.g., professional advisors (accountants and lawyers), litigants and where you have directed or caused the disclosure) within the limits of Additional Business Purposes (“Other Business Recipients”).
Sale/Share: Third-Party Digital Businesses

Category of Personal Data: Personal Records
Examples of Personal Data Collected and Retained: Name, signature, address, telephone number, financial information (e.g., payment card information). Some Personal Data included in this category may overlap with other categories.
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: Third-Party Digital Businesses

Category of Personal Data: Personal Characteristics or Traits
Examples of Personal Data Collected and Retained: In some circumstances, we may collect Personal Data that is considered protected under U.S. law, such as age, gender, nationality, race, or information related to medical conditions, but only when the information is relevant for our Business Purposes. We abide by the legal requirements imposed under applicable law regarding such information.
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: None

Category of Personal Data: Commercial Information
Examples of Personal Data Collected and Retained: Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: Third-Party Digital Businesses

Category of Personal Data: Internet or Other Electronic Network Activity Information
Examples of Personal Data Collected and Retained: Browsing or search history, information regarding the consumer’s interaction with online services or advertisements.
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: Third-Party Digital Businesses

Category of Personal Data: Geolocation Data
Examples of Personal Data Collected and Retained: If you interact with us online, we may gain access to the approximate location of the device you are using.
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: Third-Party Digital Businesses

Category of Personal Data: Audio, Electronic, Visual, or Sensory Information
Examples of Personal Data Collected and Retained: Such as CCTV recordings in our offices and customer service recordings.
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: None

Category of Personal Data: Inferences from Personal Data Collected
Examples of Personal Data Collected and Retained: Inferences drawn from Personal Data to create a profile about a consumer reflecting their preferences.
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: None

We collect and process data that is Sensitive Personal Data under certain State Privacy Laws.  The table below describes the categories and examples of sensitive Personal Data we collect and the Business Purposes for and recipients of the same.

Category of Sensitive Personal Data: Government Issued Identifiers
Examples of Sensitive Personal Data: Social Security number, driver’s license, state identification card, or passport information
Processing Purpose(s):
·      Provide our Services: to provide you with our Website, including offers
·      Enable additional features: to provide you with additional Dr. Sturm Websites and features and enhance our services
·      Process orders: to process or fulfill an order or transaction
·      Account management: to process your registration with our Website, verify your info is active and valid, and otherwise manage your account
·      Customer Service: to respond to any questions, comments, or requests you have for us or for other customer service purposes
·      Payment and other purchase-related purposes: to facilitate a purchase made using our Website, including payment processing and customs clearance
·      Other: administrative, operational, business, and commercial purposes subject to applicable law and not inconsistent with this Privacy Policy or other notice by us at collection
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Fraud Detectors;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: None

Category of Sensitive Personal Data: Account Log-in
Examples of Sensitive Personal Data: Username and password to online account with Dr. Sturm
Processing Purpose(s):
·      Provide our Services: to provide you with our Website, including offers
·      Enable additional features: to provide you with additional Dr. Sturm Websites and features and enhance our services
·      Process orders: to process or fulfill an order or transaction
·      Account management: to process your registration with our Website, verify your info is active and valid, and otherwise manage your account
·      Customer Service: to respond to any questions, comments, or requests you have for us or for other customer service purposes
·      Payment and other purchase-related purposes: to facilitate a purchase made using our Website, including payment processing
·      Other: administrative, operational, business, and commercial purposes subject to applicable law and not inconsistent with this Privacy Policy or other notice by us at collection
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: None

Category of Sensitive Personal Data: Precise Geolocation
Examples of Sensitive Personal Data: Any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of between 1,750 – 1,850 feet. Precise geolocation may include, but is not limited to, GPS that provides the Consumer’s latitude and longitude coordinates
Processing Purpose(s):
·      Provide our Services: to provide you with our Website, including offers
·      Enable additional features: to provide you with additional Dr. Sturm Websites and features and enhance our services
·      Process orders: to process or fulfill an order or transaction
·      Account management: to process your registration with our Website, verify your info is active and valid, and otherwise manage your account
·      Customer Service: to respond to any questions, comments, or requests you have for us or for other customer service purposes
·      Payment and other purchase-related purposes: to facilitate a purchase made using our Website, including payment processing
·      Other: administrative, operational, business, and commercial purposes subject to applicable law and not inconsistent with this Privacy Policy or other notice by us at collection
Categories of Recipients:
Disclosures for Business Purposes:
·      Operational Service Providers;
·      Corporate Recipients;
·      Government; and/or
·      Other Business Recipients.
Sale/Share: None

We obtain the categories of  Personal Data and Sensitive Personal Data listed above from the following categories of sources:

·      Directly from our customers or their agents. For example, from information that our customers provide in order to facilitate the purchase of our products.

·      Indirectly from our clients or their agents. For example, through information we collect from our customers in the course of providing products to them.

·      From Third-Party Digital Businesses, such as Instagram, Facebook, Google, Snapchat, Pinterest or TikTok, when you submit content to us or post or interact with ads on those Third-Party Digital Businesses. We are not responsible for the policies or business practices of Third-Party Digital Businesses, including how they collect, use, or disclose your information, including through Tracking Technologies that collect information regarding your visit to the Service as well as after your visit is over. These Third-Party Digital Businesses may have their own terms of service, privacy policies or other policies and ask you to agree to the same. Be sure to review any available policies before submitting any  Personal Data to or otherwise interacting with any Third-Party Digital Businesses.

·      Both directly and indirectly from activity on our Website.

D.  Disclosures of Personal Data

As described in the Collection, Disclosure and Retention of Personal Data section and Use of Personal Data section above, we may disclose your Personal Data to a third party for a Business Purpose.

Certain disclosures of Personal Data to Dr. Sturm (e.g., transfers to provide marketing services, to facilitate Promotions, advertising purposes, etc.) may be considered a “sale” or “share” because of the way these terms are defined in the State Privacy Laws. Dr. Sturm processes Personal Data as explained in this Privacy Notice, the Privacy Policy and the Data Protection Legislation (as defined above) and does not sell or share your Personal Data in the plain language meaning of those terms.

E.    Your Rights and Choices

Subject to meeting the requirements for a Verifiable Consumer Request (defined below) and limitations permitted by State Privacy Laws, Dr. Sturm provides Consumers residing in states with applicable State Privacy Laws to which we are subject the privacy rights described in this section.

For residents of states without applicable State Privacy Laws, or where we are not subject to a state’s jurisdiction (e.g., we do not meet applicability thresholds) we will consider requests but will apply our discretion with respect to if and how we process such requests. We will consider applying state law rights prior to the effective date of such laws but will do so in our discretion.

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, follow the instructions in Section 13.F., below. We do not accept or process Consumer privacy rights requests through other means (e.g., via fax, chats, or social media, etc.). Please respond to any follow-up inquiries we make to help us complete your request.

i)              Right to Limit Sensitive Personal Data Processing

We only process Sensitive Personal Data for purposes that are exempt from consumer choice under State Privacy Laws. For example, we process your Personal Data to perform the services/provide the goods that you requested. In addition, we may process Consumers’ Personal Data with their consent where required by State Privacy Laws. If a Consumer provides us with their sensitive Personal Data for a particular purpose, they will have consented to processing for that purpose.

ii)            Right to Access Categories / Confirm Processing

California residents have a right to submit a request for any of the following for the period that is 12-months prior to the request date:

                The categories of Personal Data we have collected about you.

                The categories of sources from which we collected your Personal Data.

                The Business Purposes or Commercial Purposes for our collecting, selling, or sharing your Personal Data.

                The categories of third parties to whom we have disclosed your Personal Data.

                A list of the categories of Personal Data disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.

                A list of the categories of Personal Data sold or shared about you and, for each, the categories of recipients, or that no sale or share occurred.

Residents of other applicable states are entitled to confirm our processing of their Personal Data.  They can do so by making a Categories request.

For Delaware residents, you may request a list of the categories of third parties with whom we have disclosed your Personal Data. For Oregon residents, you may request a list of the specific third parties with whom we have disclosed your Personal Data, if we are able to, or Personal Data, generally.

iii)          Right to Access Specific Pieces of Data

Consumers have a right to obtain a transportable copy, subject to applicable request limits, of your Personal Data that we have collected and are maintaining. California residents may also request specific pieces of their Personal Data. For a copy of your specific pieces of Personal Data, as required by applicable State Privacy Laws, we will apply the heightened verification standards (as defined in subsection F(ii), below). We have no obligation to re-identify data or to keep Personal Data longer than we need it or are required to by applicable law to comply with access requests.

iv)          Do Not Sell/Share/Target Opt-out

Consumers of certain states have a right to opt-out of Personal Data “sales”; provided, however, that Nevada residents are only entitled to the non-cookie opt-out explained below. California also has an opt-out for “sharing” for cross-context behavioral advertising (i.e., the use of Personal Data derived from different businesses or services to target advertisements). Non-California states have an opt-out of “targeted advertising” (defined differently per the applicable State Privacy Law but generally addressing tracking, profiling and targeting of advertisements).

Third-Party Digital Businesses may associate cookies and other Tracking Technologies that collect Personal Data about you on our Website, or otherwise collect and process Personal Data that we make available about you, including digital activity information and identifiers. We understand that giving access to Personal Data on the Website or otherwise, to Third-Party Digital Businesses could be deemed a sale/sharing under the State Privacy Laws and as such, we will treat such Personal Data (e.g., cookie ID, IP address, and other online IDs and Internet or other electronic activity data) collected by Third-Party Digital Businesses, where not limited to acting as our Processor, as a sale/sharing that is subject to a Do Not Sell/Share/Target opt-out request.

Opt-out for Non-Cookie Personal Data: If you would like to submit a Do Not Sell/Share/Target request for your non-cookie Personal Data (e.g., your email address), you must submit an opt-out request via Section 13.F., below.

Opt-out for Cookie Personal Data: If you would like to limit our processing of your cookie-related Personal Data for targeted advertising or opt-out of the sale/sharing of such data, you must exercise a separate opt-out request via our consent management tool, which is accessible via the “Do Not Sell or Share My Personal Information” link on the footer of the Website. This is because we must use different technologies to apply your opt-out of cookie Personal Data and opt-out of non-cookie Personal Data. Our consent management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to enable them again via our consent management tool. Note that if you use ad blocking software, our cookie banner and/or the “Do Not Sell or Share My Personal Information” link may not appear when you visit our Website or other websites, and you may have to use the link here to access the tool. Also note that if you visit our Website from outside of the U.S., non-essential cookies will be on an opt-in rather than opt-out basis, thereby not constituting a sale or share, and even if you opt-in to Targeted Advertising cookies you can always change that to reject them.

Opt-out Preference Signals (also known as global privacy control or “GPC”): Some State Privacy Laws require businesses to process certain types of signals, referred to as opt-out preference signals in California or universal opt-out mechanism in other states, which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the sale or sharing of Personal Data, and of processing of Personal Data for targeted advertising, which we understand to include GPC signals. We currently look for and recognize GPC signals. To use a GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the GPC. We process GPC with respect to sales and sharing that may occur in the context of collection of cookie Personal Data, discussed above, and apply it to the specific browser on which you enable GPC. We do not process GPC for opt-outs of sales and sharing in other contexts (e.g., non-cookie Personal Data like email) because we lack the ability to match that data to your browser. We do not: (1) charge a fee for use of the Website if you have enabled GPC; (2) change your experience with any product or service if you use GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the GPC, except that we may display a message confirming that we recognize the signal.

We may disclose your Personal Data for the following purposes, which are not a sale or sharing: (i) if you direct us to disclose Personal Data; (ii) to comply with a privacy rights request you submit to us; (iii) disclosures amongst the entities that constitute Dr. Sturm as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.

v)            Child-Aged Consumers of Certain States

We do not knowingly sell or share, or use for targeted advertising, the Personal Data of / from Child-Aged or other similar term (as defined by the applicable State Privacy Law) Consumers who are residents of certain states, unless we receive affirmative opt-in authorization from (i) the applicable consumer if the consumer is at least 13 years of age and consumer consent is required under the applicable State Privacy Law; or (ii) the parent or guardian of the consumer if the consumer is less than 13 years of age. If you think we may have unknowingly sold or shared Personal Data, or used Personal Data for targeted advertising, of / from a consumer under the threshold age (as set by the applicable state privacy law) without the appropriate affirmative opt-in authorization, please report that to us.

vi)          Deletion Request Rights

You have the right to request that we delete any of your Personal Data that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your Verifiable Consumer Request, we will delete your Personal Data from our records and direct our Service Providers and third parties to delete it from their records, unless an exception applies. If an exception applies, we will limit processing to such permitted purposes and to the duration of those purposes.

We may deny your deletion request if retaining the Personal Data is necessary for us or our Service Providers to:

1.    Complete the transaction for which we collected the Personal Data, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.

2.    Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

3.    Debug products to identify and repair errors that impair existing intended functionality.

4.    Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

5.    Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).

6.    Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

7.    Comply with a legal obligation.

8.    Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

9.    Other purposes permitted by State Privacy Laws.

Please be aware that making a deletion request does not ensure complete or comprehensive removal or deletion of your Personal Data or content that you may have posted. Note also that depending on where you reside (e.g., California), we may not be required to delete your Personal Data that we did not collect directly from you.

vii)          Correction Request Rights

You have a right to bring inaccuracies you find in your Personal Data that we maintain to our attention, and we will act upon such complaint as required by applicable law.

viii)        Automated Decisionmaking / Profiling

Some of the State Privacy Laws require us to state whether we carry out processing of Personal Data that implicates “profiling” (as defined by applicable State Privacy Laws) in furtherance of decisions that produce legal or similarly significant effects. One activity that we carry out that may constitute profiling is where we, like most businesses, utilize one or more Fraud Detectors. The categories of Personal Data processed as part of this activity are Identifiers, Personal Records, Commercial Information, Geolocation Data, Internet or Other Electronic Network Activity Information, and Inferences Drawn from other Personal Data. We are unable to offer an opt-out of this activity because doing so would restrict our ability to detect and prevent fraudulent and other illegal transactions and to comply with our legal obligations. If you are unable to make a purchase on the Website or in-store due to suspected fraud, please follow the instructions that are presented to you at the time of your attempted lawful transaction, such as utilizing a different payment method, including a different credit card, or cash (if you visit us in-person at one of our retail locations).

F.    Exercising Your Consumer Privacy Rights

To submit a request to exercise your consumer privacy rights, or to submit a request as an authorized agent, please submit a Verifiable Consumer Request to us by email at [email protected]. Please respond to any follow-up inquiries we make to help us complete your request. We do not accept or process requests through other means (e.g., via fax, chats, or social media, etc.), except that notices of Child-Aged Personal Data issues and general privacy inquiries may be directed to us by contacting us.

i)              Authorized Agent Requests

Only you or a person that you authorize to act on your behalf, may make a Verifiable Consumer Request related to your Personal Data, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you, in accordance with the Verification of Your Request section below. You may also make a Verifiable Consumer Request on behalf of your minor child. We cannot respond to your request or provide you with Personal Data if we cannot verify your identity, or authority to make the request, and confirm the Personal Data relates to you. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable laws.

ii)            Verification of Your Request

We do not verify opt-outs of sale/sharing or requests to limit sensitive Personal Data processing unless we suspect fraud. As permitted or required by State Privacy Laws, any other request you submit to us must be a “Verifiable Consumer Request,” meaning when you make a request, we may ask you to provide verifying information, such as your name, email, phone number, account and/or transaction information. We will review the information you provided and may request additional information (e.g., customer history) via email or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Access Categories / Confirm Processing, Right to Access Specific Pieces of Information, Deletion, or Correction request(s) unless you have provided sufficient information for us to reasonably verify you are the consumer about whom we collected Personal Data. Only you, or someone legally authorized to act on your behalf (your authorized agent), may make a Verifiable Consumer Request related to your Personal Data or the Personal Data of your child.

We verify each request as follows:

                Right to Access Categories / Confirm Processing (California residents only): We verify your request to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If we cannot do so, we will refer you to this Privacy Policy for a general description of our data practices.

                Right to Access Specific Pieces of Information: We verify your request to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you together with a signed declaration under penalty of perjury that you are the consumer whose Personal Data is the subject of the request. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat your request as a Right to Access Categories / Confirm Processing request.

                Do Not Sell/Share/Target Opt-out: No specific verification required unless we suspect fraud.

                Deletion Request: We verify your request to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the Personal Data and the risk of harm posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share/Target Opt-out request.

                Correction Request: We verify your request to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the Personal Data and the risk of harm posed by unauthorized correction.

To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use Personal Data provided in a Verifiable Consumer Request only to verify your identity and authority to make the request and to track and document request responses unless you also gave it to us for another purpose. 

iii)          Response Timing and Format

We endeavor to respond to a Verifiable Consumer Request within the time permitted under State Privacy Laws. To the extent permitted by State Privacy Laws, if we require more time, we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We endeavor to respond to requests to opt-out of sale/sharing within 15 days of receipt.

We do not charge a fee to process or respond to your Verifiable Consumer Request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Consistent with applicable State Privacy Laws and our interest in the security of your Personal Data, we will not deliver you information regarding your Social Security number, driver’s license number, or other government-issued ID number, financial account number, an account password, or answers to security questions in response to a consumer privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

iv)          Appeals

You may appeal Dr. Sturm’s decision regarding a consumer privacy rights request you submitted (or that was submitted on your behalf by your authorized agent) by following the instructions provided in our response to your request. California and Utah residents are not entitled to request an appeal.

G.  Non-Discrimination

We will not discriminate against you for exercising any of your rights under applicable State Privacy Laws. Unless permitted by State Privacy Laws, we will not:

·      Deny you goods or services.

·      Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

·      Provide you a different level or quality of goods or services.

·      Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

H.  Notice of Financial Incentive

We may offer discounts or other rewards (“Incentive(s)”) from time to time to Consumers who provide us with Personal Data, such as name, phone number, email address, IP address, or location. You may opt in to Incentives by entering a competition, promotion, or survey or other loyalty Incentive programs we may offer from time to time (“Program(s)”). Each Program may have additional terms, available on the Program page or at Program sign-up. The Incentives will be described in the Program page or at Program sign-up.

We measure the value of your Personal Data collected from Programs by the cost of operating the applicable Program (excluding Incentive costs) and/or the cost of providing the Incentive. We deem the value of the Personal Data to be reasonably related to the value of the Incentive, and by subscribing to these Programs, you indicate you agree. If you do not agree, please do not subscribe to the Programs. If you subsequently wish to withdraw from the Programs, the method for doing so will be explained in the applicable Program terms. We do not limit participation in our financial incentive programs to Consumers who do not exercise their Consumer privacy rights. However, a deletion request will not delete Program Personal Data because the information is necessary to maintain your participation in the Program. If you desire to delete Program Personal Data, terminate your participation in the Program before making a deletion request pursuant to State Privacy Laws.

 

I.      Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use, and disclose your Personal Data as required or permitted by applicable law and this may override your rights under State Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

 

J.    Additional Notice for California Residents

This Privacy Notice provides information about our online practices and your California rights specific to our Website. Without limitation, Californians who visit our Website and seek to acquire goods, services, money, or credit for personal, family, or household purposes are entitled to the following notices of their rights:

California’s “Shine the Light” law (Civil Code section 1798.83) permits users of our Website who are California residents to request certain information regarding our disclosure of Personal Information to third parties (including our affiliates) for those third parties’ own direct marketing purposes. We do not currently disclose Personal Information to third parties other than our affiliates for those third parties’ direct marketing purposes. To make such a request, please send an email to [email protected] or write to us at 630 5th Ave, 32nd Floor, New York City, NY 10111. You must put the statement “Shine the Light Request” in the body of your correspondence. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. This right is different than, and in addition to, Consumer privacy rights, and must be requested separately. We will not accept Shine the Light requests by telephone or by fax and are not responsible for requests not labeled or submitted properly, or that are incomplete.

 

Last update: 1st October 2024

© Antonio Puig, S.A.U. 2024. All rights reserved.