Privacy policy
1. General information
1.1 What does this Privacy Policy cover?
This Privacy Policy (“Privacy Policy”) governs the processing of personal data collected from individual users (“you” and “your”) via the e-commerce website https://xlash.com and the related domain names (collectively, “Xlash”). This Privacy Policy does not apply to any other websites, applications or software that are integrated with Xlash or other third-party products and services (for example, our social media providers that are linked to Xlash).
1.2 Who is responsible for the personal data?
Xlash is owned and operated by Beauty Generation AB, Fiskargatan 8, 116 20 Stockholm, Sweden, company registration number SE5591503270 (“we,” “us,” and “our”).
1.3 Minors
Xlash is not intended to be used by persons under 18 years of age. Therefore, we do not knowingly collect personal data from children. If you become aware that a child has provided us with their personal data and you are a parent or guardian of that child, please contact us immediately and we will delete the child’s personal data from our systems.
1.4 Period and termination
This Privacy Policy enters into force on the date indicated at the top of the Privacy Policy (“Last updated”) and remains in force until it is terminated or updated by us.
1.5 Changes
We reserve the right to amend this Privacy Policy from time to time. This may be necessary, among other things, in order to comply with applicable laws, regulations and industry standards. The amended version of the Privacy Policy will be published on this page and, if we have your email address, we will send you a notification of the changes made by us. We recommend that you review our Privacy Policy regularly to stay informed. In the event of significant changes to the Privacy Policy, we may request your consent.
2. What data do we collect through Xlash?
2.1 From what sources do we obtain your personal data?
We obtain your personal data from the following sources:
• Directly from you: for example, if you provide your personal data when purchasing something from us or contacting us;
• Directly or indirectly through your activity on Xlash: when you use Xlash we automatically collect technical information about your use of Xlash; and
• From third parties: we may receive information about you from third parties to whom you have previously provided your personal data, if those third parties have a legal basis to disclose your personal data to us (for example for payment purposes).
2.2 What personal data do we collect?
We follow the data minimization principle. This means that we only collect a minimal amount of personal data necessary for your use of Xlash. We use your personal data for limited, specified and legitimate purposes explicitly stated in this Privacy Policy. In general, your personal data is used to provide you with access to Xlash, maintain and improve Xlash, process your orders, respond to your inquiries and pursue our legitimate interests. We do not reuse your personal data. This means that we do not use the data for any purposes other than those for which your personal data was provided. Below you will find an overview of the types of personal data we collect, the purposes for which we use them and the legal bases we rely on when processing them.
• Orders
When you place an order, we collect your first name, last name, city, region, address, email address and telephone number. We use this information to send you transaction receipts, deliver your orders, contact you when necessary and to maintain our business records. The legal bases we rely on are ‘performance of a contract with you’ and ‘pursuing our legitimate interests’ (i.e. providing Xlash). We will store this data for as long as required under applicable law (at least 7 years) or until you delete your user account, whichever occurs later.
• Payments
When you make a payment, our payment processors Klarna and PayPal collect your personal data, such as first name, last name, billing and shipping addresses and payment details (e.g. credit card or PayPal details). Please note that the types of personal data you need to provide depend on the payment processor you choose. We do not have access to your full payment details; only part of your personal data is made available to us by the payment processors. Your payment details are used to process payments and to carry out our accounting. The legal bases we rely on are ‘performance of our contractual obligations’ and ‘pursuing our legitimate interests’ (i.e. operating our business). We store such data for the period prescribed by law (at least 7 years).
• Inquiries
When you contact us via email, we collect your name, your email address and any information that you choose to provide in your message. When you contact us via the ‘Contact Us’ function, we collect your first name, last name, email address, telephone number and any information that you choose to include in your message. When you contact us as a company via the ‘Contact Us’ function, we collect your email address, company type, company name, website (optional), VAT registration number, telephone number, email address for invoicing, buyer’s name, delivery address, country and any other information that you choose to provide to us in your message. We use such data to respond to your inquiries and provide you with the requested information. The legal bases we rely on are ‘pursuing our legitimate interests’ (i.e. maintaining and growing Xlash) and ‘your consent’ (for optional personal data). We will store this data until you cease communicating with us.
• Cookies
When you visit Xlash, we or our third-party analytics service provider (explained below) collect your location and cookie-related data. We use such information to analyze the technical aspects of your use of Xlash, prevent fraud and abuse and ensure the security of Xlash. For more information about our use of cookies, please see our Cookie Policy. The legal bases we rely on are ‘pursuing our legitimate interests’ (i.e. analyzing our content and protecting Xlash) and ‘your consent’. We will store this data as long as necessary for our activities or until you withdraw your consent (if you have provided it).
• Reviews
When you submit a review of the products you have purchased, we collect your name and any information that you choose to include in your review. We use this data to display your review on Xlash. The legal basis we rely on is ‘your consent’. We will store this data until you ask us to delete your review.
2.2 Do we collect sensitive data?
We do not collect any special categories of personal data (“sensitive data”) from you, unless you voluntarily decide to provide such data to us. Sensitive data refers to your health, religious and political beliefs, racial origin, membership in a professional/trade organization or sexual orientation.
2.3 What happens if you refuse to provide your personal data?
If you decide not to provide us with your personal data when we request it, we may not be able to perform certain requested processes (for example, process your order) and you may not be able to use all features of Xlash, receive the requested information, or obtain our response. Please notify us immediately if you believe that any personal data we collect is excessive or unnecessary for the intended purpose.
2.4 Do we collect analytics data?
Yes. When you visit Xlash, we collect or have access to certain technical analytics data collected from you. Such data includes the following information:
• Your activity on Xlash (visit time, pages visited, products viewed, time on each page, clicks, scroll depth, interaction with widgets);
• URLs from which you access Xlash;
• Your browser type and version;
• Your operating system;
• Your device information;
• Information about your orders;
• Your general online behavior; and
• Cookie-related data, explained in our Cookie Policy.
2.5 For what purposes do we use analytics data?
We use your analytics data to analyze the type of users who access and use Xlash, measure your engagement with Xlash, identify which products are of interest to you, improve our content, develop new products and services and investigate and prevent security issues and abuse. In most cases, such analytics data is non-personal and does not allow us to identify you as a natural person. However, certain data such as your IP address may be considered personal data, and we will ensure that we have the necessary legal basis to process such data. When we process analytics data that includes personal data, we rely on the legal bases ‘legitimate interest’ (for example to analyze and improve Xlash) and ‘your consent’.
2.6 Do we retain your feedback?
If you contact us, we may record any questions, responses, complaints, recommendations or compliments from you. Where possible, we will de-identify your personal data (i.e. remove all personal data that is not necessary to maintain such records).
2.7 What happens if we combine or de-identify your data?
If your non-personal data is combined with certain elements of your personal data in a way that allows us to identify you as an individual, we will treat such combined information as personal data. If your personal data is de-identified in such a way that it can no longer be associated with an identified or identifiable natural person, it will not be considered personal data and may therefore be used for any legitimate purpose.
2.8 When do you receive our commercial communication?
We only send our commercial communication if (i) you subscribe to our newsletter, (ii) you subscribe to a newsletter by providing your email address, or (iii) you purchase something from us and we want to inform you about our similar products. In such cases, you will receive information about our new products, Xlash features and special offers. The legal bases we rely on are ‘your consent’ or ‘our legitimate interests’ (i.e. promoting Xlash’s business and sales). You can opt out of receiving our commercial communication at any time free of charge by clicking the “Unsubscribe” link included in our newsletters, or by contacting us directly.
2.9 When do you receive our transactional messages?
If we have your email address and it is necessary, we may send you important informational messages, such as order updates, payment receipts, invoices, shipping information and other technical or administrative emails. Please note that such messages are sent “as needed” if they do not fall within the scope of commercial communication, which may require your prior consent. You cannot opt out of service-related messages.
2.10 Cart reminders
If you have added products to your cart but have not completed your purchase, we may send a reminder via email to facilitate your shopping experience. This communication is based on our legitimate interest in providing you with a better shopping experience. You may unsubscribe from these reminders at any time via the link in the email or by contacting us.
2.11 Processing of personal data for SMS communication
2.11.1 Purpose and legal basis for processing
By voluntarily providing your phone number and consenting to receive SMS communication from Xlash, you agree that we process your personal data for the following purposes:
• To send transactional messages related to your orders (e.g. order confirmations, delivery updates); and
• To send marketing messages, including campaigns, reminders and exclusive offers.
The legal basis for processing your personal data for SMS marketing is your explicit consent in accordance with Article 6(1)(a) of the GDPR. For SMS communication necessary to perform a purchase agreement (e.g. order updates), processing is based on contractual obligations under Article 6(1)(b) of the GDPR.
2.11.2 Collection and storage of data
We collect and process personal data for SMS communication in accordance with applicable laws. This may include phone numbers and related information collected through various channels, such as:
• Direct registration via our website or checkout;
• Purchases or interaction with our services; and
• Previous engagement with our marketing channels.
For SMS marketing, we only use phone numbers where we have verified consent. We store SMS-related data only as long as necessary for the purpose for which it was collected, or until you withdraw your consent. If you withdraw your consent, we will immediately stop sending SMS and delete or anonymize your data, unless we are legally required to retain it.
2.11.3 Third-party providers and international data transfers
We do not sell or share your phone number with third parties for their own marketing purposes. However, we use third-party providers (e.g. Klaviyo) to manage and send SMS. These providers act as data processors under Article 28 of the GDPR, and we have entered into data processing agreements (DPAs) with them to ensure that your data is handled securely and in accordance with applicable regulations.
SMS opt-in data and consent status will not be shared with external third parties for purposes that are not directly related to our services.
If SMS data is transferred outside the European Economic Area (EEA), we ensure that such transfers are based on:
• Adequacy decisions issued by the European Commission (where applicable); or
• Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented with additional safeguards where necessary.
2.11.4 Your rights under GDPR
You have the following rights regarding your personal data:
• Right to withdraw consent – You can unsubscribe from SMS marketing at any time by clicking the unsubscribe link in the SMS message or by contacting us via our form here.
• Right of access – You may request a copy of the personal data we process about you.
• Right to rectification – You have the right to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) – You may request that we delete your personal data unless we are legally required to retain it.
• Right to restriction of processing – Under certain conditions, you may request that we restrict how we process your data.
• Right to data portability – Where processing is based on consent or contract, you may request your data in a machine-readable format.
• Right to object – You may object to our processing if it is based on legitimate interest.
• Right to lodge a complaint – If you believe we process your data in violation of GDPR, you have the right to file a complaint with a supervisory authority.
2.11.5 Location data
If we use location-based services for SMS communication (e.g. geographically tailored offers or local store reminders), we may collect and process approximate location data based on:
• The IP address used when you interact with our website or SMS messages; and
• Location data from your mobile operator, where applicable and where you have consented.
This data is processed only with your explicit consent, and you may withdraw consent at any time via your device settings or by contacting us. We do not share location data with third parties for marketing purposes.
3. How long do we store your data?
3.1 How long do we store your personal data?
We and our data processors listed in section 4 below store your personal data only for as long as such data is required for the purposes described in this Privacy Policy, or until you ask us to update or delete your personal data, whichever occurs first. For more information on the retention period for each type of personal data, see section 2.2. After your personal data is no longer necessary for its purposes and we have no other legal basis for storing it, we will immediately delete your personal data from our systems in a secure manner. We do not store personal data longer than absolutely necessary.
3.2 How long do we store your anonymous data?
We retain anonymous data (i.e. data that is not considered personal data) relating to you for as long as necessary for the purposes described in this Privacy Policy. This may include storing non-personal data for the period necessary for us to manage our business operations, fulfill our contractual obligations, pursue our legitimate interests, conduct audits, comply with (and demonstrate compliance with) legal requirements and resolve any disputes.
3.3 When are we legally required to store your personal data?
Where we are legally required to store your personal data for a certain period (e.g. for accounting and business records), we will retain your personal data for the period prescribed by applicable law (in most cases 7 years) and securely delete the personal data as soon as the required retention period expires.
4. How do we share your personal data?
4.1 When do we share your personal data?
We keep your personal data confidential. However, if necessary for the intended purpose of your personal data, we will disclose your personal data to companies that provide services on our behalf or support our business (our data processors). Your personal data may be shared with companies that provide technical support services, such as hosting, payment processing, shipping and email distribution services. We do not sell your personal data to third parties and do not intend to do so in the future. Disclosure of your personal data is limited to situations where it is required for the following purposes:
• Ensure that Xlash functions properly;
• Deliver your products;
• Process your payments;
• Respond to your inquiries;
• Pursue our legitimate interests;
• Maintain our rights, prevent fraud and ensure security;
• Perform our contractual obligations;
• Law enforcement purposes; or
• If you have given your prior consent.
4.2 Who has access to your personal data?
We carefully select our data processors and ensure that they maintain an adequate level of protection for personal data in accordance with this Privacy Policy and applicable data protection laws. The data processors that will have access to your personal data are:
• Our hosting and database provider, GleSys, based in Sweden;
• Our newsletter providers, Klaviyo in the USA and Jojka in Sweden;
• Our development service provider WooCommerce (Automattic), based in the USA;
• Our support service provider, Zendesk in the USA;
• Our shipping service providers;
• Our marketing service providers, Facebook, Google, Pinterest, Snapchat and TikTok in the USA;
• Our analytics service providers, Google Analytics and SEMrush in the USA;
• Our payment service providers, Klarna in Sweden and PayPal in the USA;
• Our logistics provider, E-logistik in Sweden; and
• Our independent contractors and consultants.
4.3 Do we transfer your personal data outside the EEA?
Although we are based in Sweden, which is part of the European Economic Area (EEA), some of our data processors are located outside the EEA or your country of residence. Therefore, we may need to transfer your personal data outside your country. If such a transfer is necessary, we will ensure that the country where our data processor is located provides an adequate level of protection, or we will enter into agreements (e.g. Standard Contractual Clauses).
4.4 Do we share your anonymous data?
Your anonymous data may be shared with third parties for any purpose, as it does not identify you as an individual.
4.5 What happens if we receive a legal request?
If required by a public authority, we will disclose user information to the extent necessary.
5. How do we protect your data?
We implement technical and organizational security measures to protect your data.
6. Your rights
You have rights under GDPR including access, correction, deletion, restriction, portability, objection, withdrawal of consent and complaint.
7. Contact
Contact form:
https://xlash.zendesk.com/hc/en-gb/requests/new
Postal address:
Beauty Generation AB
Fiskargatan 8
116 20 Stockholm
Sweden