Privacy policy

1. Introduction and Scope  
Elm Lab Skincare Limited was founded on the values of care, transparency and 
scientific integrity. This Privacy Policy reflects our commitment to respecting your 
personal information just as we respect your skin health and our farming origins.

This Privacy Policy outlines how Elm Lab Skincare Limited (“Elm Lab”, “we”, “us”, or 
“our”) collects, uses and shares your personal information when you visit or make a 
purchase from www.elmlabskincare.com or any associated subdomains (the “Site”). It 
also explains how you can access, update or request deletion of your personal 
information and where to direct any privacy-related queries. 

Elm Lab is committed to protecting your privacy. We will never sell or distribute your 
personal information except as described in this Privacy Policy and only where 
necessary to provide our products and services. If you have any questions or wish to 
exercise your rights, please contact us at hello@elmlabskincare.com. 

2. What personal information do we collect?  
We collect and use personal information from customers, visitors and users of the Site 
and our associated social media channels.

The type of personal information we collect depends on how you interact with us and may include: 
• Your name, email address, phone number and shipping or delivery address; 
• Billing information and payment details (such as credit card details); 
• Information about products or services you have purchased, browsed or 
enquired about; 
• Account login credentials and preferences, if you choose to create an account; 
• Any personal information you voluntarily provide when contacting us, submitting 
product questions or engaging with our content; 
• Information you provide when participating in competitions, promotions, events, 
surveys or questionnaires whether run by Elm Lab or third parties; and 
• Information collected from publicly available sources, including, but not limited 
to, social media platforms. 

We refer to information collected during purchases or attempted purchases as “Order 
Information”. This includes your billing and shipping address, payment method, contact 
details and the products or services you have ordered. 

When you visit the Site, we also automatically collect certain information about the device you are using, including: 
• Your web browser, IP address, time zone and some of the cookies installed on 
your device; and 
• The individual web pages or products you view, what websites or search terms 
referred you to the Site and how you interact with the Site (“Device Information”).  

We collect Device Information using the following technologies: 
• Cookies; 
• Log files; and 
• Web beacons, tags and pixels.

We use Device Information to help screen for potential risk and fraud (particularly your 
IP address) and to improve and optimise the Site.  

Elm Lab may also collect publicly available information through social media platforms 
such as Facebook, Instagram, TikTok, Pinterest and others. If you engage with us 
through these platforms, we may use that information for business purposes. These 
services are governed by their own privacy policies, which we encourage you to review. 
By using, browsing or submitting information through the Site or social media channels, 
you consent to the collection, use and disclosure of your personal information as 
outlined in this Privacy Policy. 

3. How do we use your personal information?  
We use your personal information for the purposes for which it was collected. This 
includes: 
• Providing our products, services, Site and social media channels to you;  
• Customising online content and advertising displayed on the Site or our social 
media channels;  
• Improving and developing our products, services and digital platforms;  
• Operating, maintaining, testing and upgrading our systems; and 
• Notifying you of product or service opportunities we believe may be of interest. 

We may disclose personal information to our business partners, third-party contractors, 
agents, suppliers and service providers (as outlined in Clause 4) in connection with 
delivering our products and services to you. 

We use Order Information to: 
• Fulfil orders placed through the Site, including processing payment, arranging 
shipping and providing invoices and order confirmations;  
• Communicate with you about your order;  
• Screen for potential risk or fraud; and  
• Provide product or service updates and advertising, in line with your stated 
preferences.  

We use Device Information to: 
• Help screen for potential risk and fraud (particularly your IP address); and 
• Improve and optimise the Site, for example, by generating analytics about how 
customers browse and interact with the Site and assessing the performance of 
our marketing campaigns. 

If you provide personal information to us, whether via the Site, social media channels, 
promotions, competitions or otherwise, we may use it to send you direct mail, emails, 
SMS messages, surveys or invitations to participate in customer research or discussion 
groups. These communications may include product, service and event information, 
tips, promotions or competitions. If you prefer not to receive such communications, 
please refer to Clause 5.

We may also contact you to respond to product questions or concerns you raise. These 
communications are necessary to serve you, address your enquiries and uphold the 
level of customer care we aim to provide. 

4. Sharing your personal information 
We may share your personal information with third parties to help us use it as described 
in this Privacy Policy. For example, we use Shopify to power our online store. You can 
read more about how Shopify handles personal information on their privacy page.

We also engage other companies and individuals to perform functions consistent with 
this Privacy Policy. These may include: 
• Customer support providers;  
• Internet and website service providers;  
• Fulfilment companies (including product delivery and mail coordination);  
• Cloud-based storage providers;  
• Marketing and research agencies; 
• Financial and credit card institutions; and 
• Professional advisors.

These third parties are granted access to personal information only to perform their 
specific functions.

We also use Google Analytics to help us understand how customers interact with the 
Site. You can read more about how Google uses personal information on their privacy 
page. 

In the event of a business transition, such as a sale, merger or acquisition, we may 
transfer personal information to the new owners, who may continue to use it in 
accordance with this Privacy Policy. 

We may also share personal information to comply with applicable laws and 
regulations, respond to lawful requests (such as court orders) or protect our rights. 
Additionally, we may exchange information with other companies and organisations for 
credit fraud protection and risk reduction. This may include responding to requests from financial institutions for proof of payment authorisation.

Elm Lab complies with the New Zealand Privacy Act 2020 and requires all third parties 
to respect the security of your personal information and to treat it in accordance with 
the law. We do not permit our service providers to use your personal information for 
their own purposes. 

5. Data Security  
Elm Lab takes the protection of your Personal Information seriously. We’ve 
implemented safeguards to prevent it from being accidentally lost, misused, accessed 
in an unauthorised way, altered or disclosed.

Access to your Personal Information is restricted to employees, contractors, agents, 
and service providers who need it to perform their duties. They are bound by 
confidentiality obligations and will only process your Personal Information according to 
our instructions. 

We also have procedures in place to respond to any suspected Personal Information 
breach. If such a breach occurs and we’re legally required to notify you or a regulator, 
we will do so promptly and transparently. 

6. Communications and Marketing  
If you’ve given us express permission, or if we’re operating under legitimate interest, we 
may share promotional content that aligns with your preferences. This may be informed 
by your interactions with our services, your purchase history, program settings, 
participation in surveys or promotional activities, your engagement with the Site, apps, 
and other digital platforms as well as any other information you’ve provided. 

These communications may be delivered via post, email, text message, phone call, 
social media, or other online methods, including tailored content or advertising shown 
on our website or social channels. 

We may also send you service or product updates and notifications, but only if you’re an existing customer or user and the updates are necessary for the proper functioning of 
the services or products you use.

If you’d rather not receive marketing messages or promotional offers, you can opt out at any time by: 
(a) clicking the unsubscribe link included in our emails or texts, or 
(b) contacting us using the details listed in the Introduction and Scope above. 

To opt out of targeted advertising, you can use the following tools: 
• Facebook Ad Preferences 
• Google Ad Settings 
• Google Analytics Opt-Out 

7. Data Retention 
We retain personal information only for as long as it’s genuinely needed to fulfil the 
purpose it was collected for, or to meet legal and regulatory obligations. That includes 
delivering the services you’ve asked for, maintaining accurate records for tax and 
accounting and ensuring we meet our legal responsibilities. 

If there’s a complaint or we reasonably believe there may be a legal issue relating to our 
relationship with you, we may retain relevant information for longer to help resolve it 
properly and meet our obligations. 

When deciding how long to retain your information, we consider a few key factors:  
• the type and sensitivity of the data;  
• the risk of harm if it were misused or disclosed;  
• the reasons we collected it in the first place;  
• whether those reasons can be met in other ways; and 
• any legal, tax or regulatory requirements we’re bound by.  

For example, we’re required by law to keep basic customer details, like your name, 
address and financial transaction history, for up to seven years after you stop being a 
customer, to meet tax record-keeping obligations. 

8. Protecting your personal information 
We take reasonable steps to protect your personal information from unauthorised 
access, use, alteration or destruction. That includes maintaining safeguards designed 
to keep your data secure and treated with care.

However, no method of transmission over the internet or electronic storage is 
completely secure. While we do our best, we cannot guarantee or warrant the security 
of personal information you disclose to us, whether actively provided or automatically 
collected through your use of our services. 

Accordingly, all personal information disclosed by you to us is at your own risk and we 
are not liable for any unauthorised access that may occur. 

9. Changes  
We may update the Privacy Policy from time to time to reflect changes in our practices, 
operations, legal obligations or regulatory requirements. 

Updates may be made without prior notice and we encourage you to check this page 
periodically to stay informed. 

If we make changes, the revised version will be posted right here on this webpage.