Privacy policy
1. Introduction and Scope
Elm Lab Skincare Limited was founded on the values of care, transparency and
scientific integrity. This Privacy Policy reflects our commitment to respecting your
personal information just as we respect your skin health and our farming origins.
This Privacy Policy outlines how Elm Lab Skincare Limited (“Elm Lab”, “we”, “us”, or
“our”) collects, uses and shares your personal information when you visit or make a
purchase from www.elmlabskincare.com or any associated subdomains (the “Site”). It
also explains how you can access, update or request deletion of your personal
information and where to direct any privacy-related queries.
Elm Lab is committed to protecting your privacy. We will never sell or distribute your
personal information except as described in this Privacy Policy and only where
necessary to provide our products and services. If you have any questions or wish to
exercise your rights, please contact us at hello@elmlabskincare.com.
2. What personal information do we collect?
We collect and use personal information from customers, visitors and users of the Site
and our associated social media channels.
The type of personal information we collect depends on how you interact with us and may include:
• Your name, email address, phone number and shipping or delivery address;
• Billing information and payment details (such as credit card details);
• Information about products or services you have purchased, browsed or
enquired about;
• Account login credentials and preferences, if you choose to create an account;
• Any personal information you voluntarily provide when contacting us, submitting
product questions or engaging with our content;
• Information you provide when participating in competitions, promotions, events,
surveys or questionnaires whether run by Elm Lab or third parties; and
• Information collected from publicly available sources, including, but not limited
to, social media platforms.
We refer to information collected during purchases or attempted purchases as “Order
Information”. This includes your billing and shipping address, payment method, contact
details and the products or services you have ordered.
When you visit the Site, we also automatically collect certain information about the device you are using, including:
• Your web browser, IP address, time zone and some of the cookies installed on
your device; and
• The individual web pages or products you view, what websites or search terms
referred you to the Site and how you interact with the Site (“Device Information”).
We collect Device Information using the following technologies:
• Cookies;
• Log files; and
• Web beacons, tags and pixels.
We use Device Information to help screen for potential risk and fraud (particularly your
IP address) and to improve and optimise the Site.
Elm Lab may also collect publicly available information through social media platforms
such as Facebook, Instagram, TikTok, Pinterest and others. If you engage with us
through these platforms, we may use that information for business purposes. These
services are governed by their own privacy policies, which we encourage you to review.
By using, browsing or submitting information through the Site or social media channels,
you consent to the collection, use and disclosure of your personal information as
outlined in this Privacy Policy.
3. How do we use your personal information?
We use your personal information for the purposes for which it was collected. This
includes:
• Providing our products, services, Site and social media channels to you;
• Customising online content and advertising displayed on the Site or our social
media channels;
• Improving and developing our products, services and digital platforms;
• Operating, maintaining, testing and upgrading our systems; and
• Notifying you of product or service opportunities we believe may be of interest.
We may disclose personal information to our business partners, third-party contractors,
agents, suppliers and service providers (as outlined in Clause 4) in connection with
delivering our products and services to you.
We use Order Information to:
• Fulfil orders placed through the Site, including processing payment, arranging
shipping and providing invoices and order confirmations;
• Communicate with you about your order;
• Screen for potential risk or fraud; and
• Provide product or service updates and advertising, in line with your stated
preferences.
We use Device Information to:
• Help screen for potential risk and fraud (particularly your IP address); and
• Improve and optimise the Site, for example, by generating analytics about how
customers browse and interact with the Site and assessing the performance of
our marketing campaigns.
If you provide personal information to us, whether via the Site, social media channels,
promotions, competitions or otherwise, we may use it to send you direct mail, emails,
SMS messages, surveys or invitations to participate in customer research or discussion
groups. These communications may include product, service and event information,
tips, promotions or competitions. If you prefer not to receive such communications,
please refer to Clause 5.
We may also contact you to respond to product questions or concerns you raise. These
communications are necessary to serve you, address your enquiries and uphold the
level of customer care we aim to provide.
4. Sharing your personal information
We may share your personal information with third parties to help us use it as described
in this Privacy Policy. For example, we use Shopify to power our online store. You can
read more about how Shopify handles personal information on their privacy page.
We also engage other companies and individuals to perform functions consistent with
this Privacy Policy. These may include:
• Customer support providers;
• Internet and website service providers;
• Fulfilment companies (including product delivery and mail coordination);
• Cloud-based storage providers;
• Marketing and research agencies;
• Financial and credit card institutions; and
• Professional advisors.
These third parties are granted access to personal information only to perform their
specific functions.
We also use Google Analytics to help us understand how customers interact with the
Site. You can read more about how Google uses personal information on their privacy
page.
In the event of a business transition, such as a sale, merger or acquisition, we may
transfer personal information to the new owners, who may continue to use it in
accordance with this Privacy Policy.
We may also share personal information to comply with applicable laws and
regulations, respond to lawful requests (such as court orders) or protect our rights.
Additionally, we may exchange information with other companies and organisations for
credit fraud protection and risk reduction. This may include responding to requests from financial institutions for proof of payment authorisation.
Elm Lab complies with the New Zealand Privacy Act 2020 and requires all third parties
to respect the security of your personal information and to treat it in accordance with
the law. We do not permit our service providers to use your personal information for
their own purposes.
5. Data Security
Elm Lab takes the protection of your Personal Information seriously. We’ve
implemented safeguards to prevent it from being accidentally lost, misused, accessed
in an unauthorised way, altered or disclosed.
Access to your Personal Information is restricted to employees, contractors, agents,
and service providers who need it to perform their duties. They are bound by
confidentiality obligations and will only process your Personal Information according to
our instructions.
We also have procedures in place to respond to any suspected Personal Information
breach. If such a breach occurs and we’re legally required to notify you or a regulator,
we will do so promptly and transparently.
6. Communications and Marketing
If you’ve given us express permission, or if we’re operating under legitimate interest, we
may share promotional content that aligns with your preferences. This may be informed
by your interactions with our services, your purchase history, program settings,
participation in surveys or promotional activities, your engagement with the Site, apps,
and other digital platforms as well as any other information you’ve provided.
These communications may be delivered via post, email, text message, phone call,
social media, or other online methods, including tailored content or advertising shown
on our website or social channels.
We may also send you service or product updates and notifications, but only if you’re an existing customer or user and the updates are necessary for the proper functioning of
the services or products you use.
If you’d rather not receive marketing messages or promotional offers, you can opt out at any time by:
(a) clicking the unsubscribe link included in our emails or texts, or
(b) contacting us using the details listed in the Introduction and Scope above.
To opt out of targeted advertising, you can use the following tools:
• Facebook Ad Preferences
• Google Ad Settings
• Google Analytics Opt-Out
7. Data Retention
We retain personal information only for as long as it’s genuinely needed to fulfil the
purpose it was collected for, or to meet legal and regulatory obligations. That includes
delivering the services you’ve asked for, maintaining accurate records for tax and
accounting and ensuring we meet our legal responsibilities.
If there’s a complaint or we reasonably believe there may be a legal issue relating to our
relationship with you, we may retain relevant information for longer to help resolve it
properly and meet our obligations.
When deciding how long to retain your information, we consider a few key factors:
• the type and sensitivity of the data;
• the risk of harm if it were misused or disclosed;
• the reasons we collected it in the first place;
• whether those reasons can be met in other ways; and
• any legal, tax or regulatory requirements we’re bound by.
For example, we’re required by law to keep basic customer details, like your name,
address and financial transaction history, for up to seven years after you stop being a
customer, to meet tax record-keeping obligations.
8. Protecting your personal information
We take reasonable steps to protect your personal information from unauthorised
access, use, alteration or destruction. That includes maintaining safeguards designed
to keep your data secure and treated with care.
However, no method of transmission over the internet or electronic storage is
completely secure. While we do our best, we cannot guarantee or warrant the security
of personal information you disclose to us, whether actively provided or automatically
collected through your use of our services.
Accordingly, all personal information disclosed by you to us is at your own risk and we
are not liable for any unauthorised access that may occur.
9. Changes
We may update the Privacy Policy from time to time to reflect changes in our practices,
operations, legal obligations or regulatory requirements.
Updates may be made without prior notice and we encourage you to check this page
periodically to stay informed.
If we make changes, the revised version will be posted right here on this webpage.