Terms of service
This Privacy Policy forms part of the Terms of Use of the Outlet Beauty Shop website, together with the Legal Notice, the Cookies Policy, and the Returns Policy.
Last updated: 05/09/2025
Legal basis: This policy is governed by Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and the national regulations applicable in each EU Member State.
1. Who is the data controller?
- Controller: Outlet Beauty Shop
- Business activity: Retail sale of makeup and cosmetics products
- Website: https://www.outletbeautyshop.com
- Contact email and DPO: support@outletbeautyshop.com
2. What data do we process and how do we obtain it?
- Purchase / order: first name, last name, shipping and billing address, email, phone number, payment data (managed by the payment gateway; we do not store card details).
- Account creation: email, password (encrypted), order history.
- Contact / support: email, message, order number and, where applicable, photos and videos of the product/packaging to manage issues.
- Newsletter: email and communication preferences (only with express consent).
- Browsing / cookies: IP address, device, pages visited, and purchasing behaviour (according to the accepted cookie preferences).
3. For what purposes do we process your data?
- Manage orders, payments, shipments, and after-sales support, including returns and issues.
- Verify issues using the opening photos and videos that you send us, used exclusively for that purpose.
- Handle your queries, requests, and complaints.
- Send transactional communications about your order (confirmation, shipment, issue).
- Send newsletter and commercial offers if you have given us your consent.
- Carry out statistical analysis and improvements to the website and shopping experience.
- Prevent fraud and ensure the security of the platform.
- Comply with legal and tax obligations.
4. Legal basis for processing (Art. 6 GDPR)
- Order and shipment management: performance of a contract (Art. 6.1.b).
- Customer service and issues: performance of a contract (Art. 6.1.b).
- Photos/videos to verify issues: performance of a contract + legitimate interest (Art. 6.1.b and 6.1.f).
- Newsletter and commercial communications: consent (Art. 6.1.a).
- Website improvement and statistical analysis: legitimate interest (Art. 6.1.f).
- Fraud prevention and security: legitimate interest (Art. 6.1.f).
- Tax and accounting obligations: legal obligation (Art. 6.1.c).
5. With whom do we share your data?
We do not disclose your data to third parties except where legally required. To provide the service, we rely on data processors acting under our instructions and with whom we have entered into GDPR-compliant agreements (Art. 28):
- Logistics and transport: courier companies to manage order delivery.
- Payment gateways: PCI-DSS-certified payment processors (Shopify Payments, PayPal, or others).
- E-commerce platform: Shopify Inc. (with standard contractual clauses for transfers outside the EU).
- Email marketing tools: only if you have given consent for the newsletter.
- Analytics services: according to your cookie preferences.
In the event of international data transfers outside the European Economic Area, we apply the safeguards provided for under the GDPR (adequacy decision, standard contractual clauses, or other appropriate safeguards).
6. How long do we keep your data?
- Order and billing data: 5 years (tax and commercial obligations).
- Active account data: for as long as the account exists or until you request its deletion.
- Photos and videos of issues: until the issue is resolved + 1 year for possible claims.
- Support communications: 3 years from the last communication.
- Newsletter data: until you withdraw your consent.
- Browsing / cookie data: according to the cookies policy (maximum 13 months).
Once the active retention periods have expired, the data will be kept blocked for the additional legal periods and then deleted or anonymised.
7. Your rights (Arts. 15–22 GDPR)
- Access: know what data we process about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): delete your data when it is no longer necessary.
- Restriction: suspend processing in certain circumstances.
- Objection: object to processing based on legitimate interest.
- Portability: receive your data in a structured, machine-readable format.
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
- Not to be subject to automated decisions with significant effects without human intervention.
How can you exercise them? Write to support@outletbeautyshop.com stating the right you wish to exercise and attaching a copy of your identity document. We will respond within a maximum of 30 days (extendable by a further 60 days in complex cases, with prior notice).
If you believe that your request has not been properly handled, you may lodge a complaint with the supervisory authority in your country. In Spain: Spanish Data Protection Agency (AEPD). For other EU countries, see the directory of authorities at edpb.europa.eu.
8. Photos, videos, and attachments you send us
If you send us photos or videos (for example, the package opening video required to manage issues), we apply the following safeguards:
- They will be used exclusively to verify and resolve your issue.
- They will not be shared with third parties except where legally required or necessary to resolve the claim.
- They will be kept until resolution + 1 year for possible disputes, and then deleted.
- If the videos or photos contain images of people, we will handle that information with special care in accordance with the GDPR.
9. Newsletter and commercial communications
We will only send promotional communications if you have given your express consent. You may unsubscribe at any time:
- By clicking the "Unsubscribe" link in any email.
- By writing to support@outletbeautyshop.com.
Unsubscribing from the newsletter does not affect the sending of transactional communications about your active orders.
10. Third-party services and links
The site may include integrations with external platforms (payment gateways, social networks, video players). Their use is governed by the privacy policies of those third parties:
- YouTube / Google: Google Privacy Policy and YouTube Terms.
- Meta (Instagram / Facebook): their own terms apply when you use social buttons or pixels.
- Payment gateways: they process your payment data under their own policies and PCI-DSS certification.
We are not responsible for the processing that those third parties carry out on your data.
11. Cookies
We use technical, analytics, and marketing cookies in accordance with our Cookies Policy. You can manage your preferences at any time from the cookie banner or by writing to us.
12. Data security
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or accidental disclosure, in accordance with Art. 32 GDPR. These include:
- Encrypted HTTPS/TLS connection throughout the site.
- Restricted access to personal data by staff.
- Passwords stored using secure hashing.
- Regular security reviews.
In the event of a security breach that poses a risk to your rights, we will notify the competent authority within 72 hours and you as soon as possible, in accordance with Arts. 33–34 GDPR.
13. Purchase and returns conditions
See our Returns Policy and, when available, the General Terms and Conditions of Purchase. The processing of data associated with returns and issues is covered in sections 3, 4, and 8 of this policy.
14. Changes to this policy
We may update this policy to adapt it to regulatory or service changes. When the changes are significant, we will notify you by email or by means of a prominent notice on the website. The current version will always be available on this page with its update date.
This policy applies without prejudice to the consumer's non-waivable rights recognised by the GDPR and the applicable national regulations in force. Last updated: 05/09/2025.