Privacy Policy

Privacy Policy

Effective as of 19 June 2020.

Laycy Pte Ltd

This Privacy Policy applies to the products, services, website(s) provided, mobile application(s) provided and/or the business conducted, by Laycy Pte Ltd (collectively and individually referred to as “LAYCY”, "we", "our", "us") and explains how we handle Personal Data and comply with the requirements of Singapore’s Personal Data Protection Act ("PDPA"). LAYCY takes the security and privacy of the Personal Data of its customers and users of its website(s) (such as www.laycy.com) and of LAYCY’s mobile application(s) (such website(s) and mobile application(s) may be collectively or individually referred to as the “Site”; our mobile application(s) may be referred to as the “App”) very seriously.

This Privacy Policy will assist you in understanding how we collect, use, disclose and/or process the Personal Data you have provided to us or that we possess about you, as well as to assist you in making an informed decision before providing us with any of your Personal Data.

The term “Personal Data” refers to information that is connected to you as an identifiable individual, defined under the PDPA to mean data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which an organisation has or is likely to have access (“Personal Data”). This may include your name, address, telephone number, email address, date of birth, gender, credit card details, Profile information, photographs, personal images, device ID, operating system or version, information about your purchases or preferences, and any other information collected by us where you are identified or identifiable. If you, at any time, have any queries about this Privacy Policy or any other queries in relation to how we may manage, protect and/or process your Personal Data, please email our Data Protection Officer at info@laycy.com. This Privacy Policy is subject to Singapore laws.

1. Collection of Personal Data

1.1 We may collect Personal Data from you through various means, including but not limited to instances when you: • provide your Personal Data through our Site for the purpose of registering for and creating an account; or access your existing account through the Site; • participate in a promotion or other website features; • request for a product or services information or to receive any marketing, promotional or other types of communications; • provide your ratings and review of products as a customer; • make purchases through our retail store or Site; • make enquiries or comments through our Customer Department through info@laycy.com; and/or • interact with our sales staff or with us, including in store via sign-up pads.

1.2 In addition to the above, we may use the following technologies (elaborated below) to automatically collect information about your activities on the App or Site, as the case may be (each a “Mobile Technology”):

• Cookies • Flash Cookies • Web beacons, clear pixels, or pixel tags • Analytical tags • Web server logs • Geo-location technologies

Do refer to paragraph 9 of this Privacy Policy for more information about these Mobile Technologies and how they operate to collect information about you.

1.3 You have no obligation to provide any of the Personal Data requested by us. However, depending on circumstances, it may be the case that if you do not provide the requested Personal Data, we may not be able to provide you with certain products and services, or transact with you, that depend on the collection, use or disclosure of your Personal Data.

2. Children’s Privacy

2.1 We do not and do not intend to, transact through the Site directly with anyone we know to be under the age of 18. If you are under the age of 18, you should use the Site only with the involvement of a parent or guardian and should not submit any Personal Data to us. By providing any Personal Data to us, you declare that you are over the age of 18.

3. Purposes For Collection, Use, Disclosure And Processing Of Personal Data

3.1 We will/may collect, use, disclose and/or process your Personal Data for one or more of the following purposes:

(a) administering, facilitating, processing and/or dealing in any matters relating to your use or access of the Site. Without limiting the generality of the foregoing, if you:

(i) gain access to or sign in to the Site, using your login credentials of a Social Networking Site, or (ii) use any features of a Social Networking Site such as its widgets, plug-ins and browser push notifications, made available to you on our Site, it may result in information or your Personal Data being collected or shared between us and the third party. For example, if you use Facebook’s “Like” feature, Facebook may register the fact that you “liked” a product and may post that information on Facebook. (“Social Networking Site” refers to an online or digital platform owned or operated by a third party, that is used by people to build social networks or social relations, or to interact, with other people, such as but not limited to Facebook, Instagram, Twitter). By your proceeding pursuant to (i) or (ii) above, you consent to such collection, use or disclosure of your Personal Data;

(b) monitoring, processing and/or tracking your use of the Site in order to provide you with a seamless experience, facilitating or administering your use of the Site, and/or to assist us in improving your experience in using the Site;

(c) assessing and processing your request for the purchase of and/or subscription to our products and/or services;

(d) registering you as a customer of LAYCY and/or to deal with, process and/or administer the account that you may open with us, including to facilitate your transactions or activities on the Site, or your transactions or activities with us;

(e) administering, facilitating, processing and/or dealing with your relationship with us, any transactions or activities carried out by you on the Site or at our retail stores. This includes processing your application, orders and payment transactions; implementing transactions and the supply of products and/or services to you that you have requested. Without limiting the generality of the foregoing, should you make a purchase to be delivered to a third party recipient, you consent to us disclosing Personal Data that identifies you, to the said third party recipient (such as but not limited to your name). Further, you acknowledge and agree that delivery of your purchase could involve disclosure of certain Personal Data about you to bring about delivery of the same such as your name and contact details, which may be disclosed on the cover of the parcel, on an envelope or a delivery related document, as the case may be, which could be seen by third parties who view such parcel, envelope or said document;

(f) carrying out your instructions or responding to any enquiry given by (or purported to be given by) you or on your behalf including responding to your customer service enquiries and complaints; or responding to or dealing with your interactions with us;

(g) contacting you or communicating with you via phone/voice call, text message and/or fax message, email and/or postal mail for the purposes of administering and/or managing your use of the Site, your account with us, your relationship with us or any transactions made by you with us. You acknowledge and agree that such communication by us could be by way of the mailing of correspondence, documents or notices to you, which could involve disclosure of certain Personal Data about you to bring about delivery of the same as well as on the external cover of envelopes/mail packages;

(h) providing services to you as our account holder, as our customer, as a member of our loyalty program(s) or when requested by you; dealing with or administering your participation in contests, gamification, social events organized by us;

(i) sharing or disclosing (at our discretion) your suggestions, comments, feedback or content (including audio, video etc.) (collectively “Feedback” ) that you provide through Social Networking Sites, to the Site or to us (including at the retail stores), with other users of the Site or with the public, for publicity and/or promotion purposes with a view to marketing or showcasing the business of LAYCY, and/or to acquiring customers, and/or for the purpose of providing the public with your Feedback which may be useful for the public’s purchasing decision or for the public’s information or otherwise. This includes us disclosing your name together with your Feedback. Without limiting the generality of the foregoing, in the above regard, your Feedback and name may/will be published or shared by us on public media platforms such as the newspaper, the Internet, in our (including our affiliates’) annual reports (if any) etc., and/or incorporated as part of LAYCY’s marketing collaterals/materials or corporate video to be disclosed to the public, and you hereby consent to the same. Do not provide us with Feedback if you do not wish for such Feedback to be disclosed to the public. If you wish to give us your Feedback without it being disclosed to the public, please separately email our Customer Department at info@laycy.com and head the subject of your email with the word “Confidential”;

(j) where you have provided your consent to us, whether such consent was obtained through the Site, the retail store(s) or otherwise, sharing your Profile Personal Data with or disclosing your Profile Personal Data to other users of the Site or with/to the public, through the Site or any other media (whether print, online or otherwise) or communication platform as we so choose, at our discretion, such as but not limited to as part of LAYCY’s marketing collaterals/materials or corporate video. “Profile Personal Data” includes your name, skin type/ concerns, eye colour, hair colour and type and other information which you provide;

(k) carrying out due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations (whether Singapore or foreign Country/Region) applicable to us or our affiliates/associated companies, the requirements or guidelines of governmental authorities (whether Singapore or foreign Country/Region) which we determine are applicable to us or our affiliates/associated companies, and/or our risk management procedures that may be required by law (whether Singapore or foreign Country/Region) or that may have been put in place by us or our affiliates/associated companies;

(l) to prevent or investigate any fraud, unlawful activity or omission or misconduct, whether or not there is any suspicion of the aforementioned; dealing with and/or investigating complaints;

(m) complying with or as required by any applicable law, court order, order of a regulatory body, governmental or regulatory requirements of any jurisdiction applicable to us or our affiliates/associated companies, including meeting the requirements to make disclosure under the requirements of any law binding on us or our affiliates/associated companies, and/or for the purposes of any guidelines issued by regulatory or other authorities (whether of Singapore or elsewhere), with which we or our affiliates/associated companies are expected to comply

(n) complying with or as required by any request or direction of any governmental authority (whether Singapore or foreign Country/Region) which we are expected to comply with; or responding to requests for information from public agencies, ministries, statutory boards or other similar authorities (including but not limited to Singapore Customs and Ministry of Health) (whether Singapore or foreign Country/Region). For the avoidance of doubt, this means that we may/will disclose your Personal Data to such parties upon their request or direction;

(o) conducting research (including customer research), surveys, market surveys, analysis and/or development activities (including but not limited to data analytics, surveys and/or profiling) to improve our services and facilities, or to improve our understanding of your interests, concerns and preferences, in order to enhance any continued interaction between yourself and us connected or in relation to the Site, or improve any of our products or services. Without limiting the generality of the foregoing, we may/will in this regard send you surveys or request a face to face interview survey, by way of email or postal mail;

(p) storing, hosting, backing up (whether for disaster recovery or otherwise) of your Personal Data, whether within or outside Singapore;

(q) facilitating, dealing with and/or administering external audit(s) or internal audit(s) of the business of LAYCY or that of its affiliates/related corporations;

(r) for marketing purpose and in this regard, we would be providing you with marketing, advertising and promotional information, materials and/or documents relating to products, contests, services and/or events (including those of third party organisations whom LAYCY may collaborate with) that LAYCY (including its affiliates/related corporations) or such third party organisations may be selling, marketing, offering, organizing, involved in or promoting, whether such products, services and/or events exist now or are created in the future:

(i) by way of postal mail, electronic transmission to your email address(es), push notifications, other forms of in-app notifications or harnessing other technologies (such as geo-location technology) for our App on your mobile device(s) or other technologies on your computers, and/or through other modes of communication that is not the 3 DNC Modes, in compliance with the PDPA. You may opt out of this or withdraw from this at any time by sending an email to our Data Protection Officer.

For the avoidance of doubt, unlike (ii) below, the application of or your acceptance of or your consent to, this Privacy Policy, constitutes your consent to this subparagraph (i); and/or (ii) if you have separately expressly consented to one or more of the following 3 DNC Modes, by way of the 3 modes of communications of voice calls, text messages or faxes (the “3 DNC Modes” ) to your Singapore telephone number, in compliance with the requirements of the PDPA.

For the avoidance of doubt, this subparagraph is without prejudice to subparagraph (o) above for which you have hereby consented to us contacting you for a survey, which you may subsequently opt out of by sending our Data Protection Officer notice; (s) dealing with and/or facilitating a business asset transaction or a potential business assert transaction, where such transaction involves LAYCY as a participant or involves only a related corporation or affiliated company of LAYCY as a participant or involves LAYCY and/or any one or more of LAYCY’s related corporations or affiliated companies as participant(s), and there may be other third party organisations who are participants in such transaction. “business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation;

(t) to implement and maintain our information technology systems, including to store and process Personal Data in computer databases and servers located within and outside Singapore;

(u) anonymization of your Personal Data. In this regard, you acknowledge that Personal Data that has been anonymized is no longer Personal Data and the requirements of the PDPA would no longer apply to such anonymized data;

(v) record-keeping purposes and producing statistics and research for internal and/or statutory reporting and/or record-keeping requirements, of LAYCY or of its affiliates/related corporations; and (w) LAYCY parent corporation’s reporting purposes including but not limited to reporting on LAYCY’s business performance (“LAYCY” means LAYCY, its affiliates, related corporations and associated companies globally); (the purposes set out in this paragraph 3.1 above shall be collectively referred to as the “Purposes”). 3.2 For the avoidance of doubt, you acknowledge and consent to LAYCY sharing anonymised information such as but not limited to in the following circumstances. For the further avoidance of doubt, the PDPA does not apply to anonymised data that does not identify an individual and the PDPA does not provide you with a right to object to an organisation handling or processing anonymised data:

(a) Aggregate information. We may share anonymised aggregate information about our customers with advertisers and marketing partners;

(b) Behavioural-based advertising. A third party may use technology to collect anonymised information about your use of Site so that they can provide advertising about products and services tailored to your interest. That advertising may appear either when you are using the Site, or using the Internet or your mobile device to visit other websites.

4. Sharing and Disclosure of Personal Information

4.1 LAYCY may/will need to disclose your Personal Data to third parties, whether located within or outside Singapore, for one or more of the above Purposes, as such third parties, would be processing your Personal Data for one or more of the above Purposes. In this regard, you hereby acknowledge, agree and consent that we are permitted to disclose your Personal Data to such third parties (whether located within or outside Singapore) for one or more of the above Purposes and for the said third parties to subsequently collect, use, disclose and/or process your Personal Data for one or more of the above Purposes. Without limiting the generality of the foregoing or of paragraph 3, such third parties include :

(a) our related corporations and affiliates either in Singapore or overseas including the Countries/Regions listed in Appendix A to this Privacy Policy;

(b) any of our agents, contractors or third party service providers that process or will be processing your Personal Data on our behalf or otherwise, including but not limited to those which provide administrative or other services to us such as mailing houses, call centres, telecommunication companies, logistics companies, information technology companies and data centres;

(c) our business partners;

(d) any actual or proposed assignee or transferee of the business of LAYCY, or a merged entity in the event LAYCY is merged to create the said merged entity;

(e) any other person to whom such disclosure is required by law or regulatory requirement or pursuant to a court order;

(f) third parties to whom disclosure by LAYCY is for one or more of the Purposes and such third parties would in turn be collecting and processing your Personal Data for one or more of the Purposes.

4.2 We will provide our preferred service providers with the information they need to perform their services and work with them to respect and protect your Personal Data. We require our service providers to adhere to strict privacy guidelines and not to use your Personal Data for unauthorised purposes.

4.3 Where your Personal Data is to be transferred out of Singapore, we will comply with the PDPA in doing so. This includes taking appropriate steps to ascertain that the overseas recipient organisation of the Personal Data is bound by legally enforceable obligations to provide to the transferred Personal Data a standard of protection that is at least comparable to the protection under the PDPA.

5. Provision Of Third Party Personal Data By You

5.1 Should you provide LAYCY with Personal Data of individual(s) other than yourself, you represent and warrant to LAYCY and you hereby confirm that :

(a) prior to disclosing such Personal Data to us, you would have and had obtained consent from the individuals whose Personal Data are being disclosed to us, to:

(i) permit you to disclose the individuals’ Personal Data to LAYCY for the Purposes; and

(ii) permit LAYCY to collect, use, disclose and/or process the individuals’ Personal Data for the Purposes, as set out in paragraph 3 above;

(b) any Personal Data of individuals that you disclose to us is accurate; and

(c) you are validly acting on behalf of such individuals and that you have the authority of such individuals to provide their Personal Data to LAYCY and for LAYCY to collect, use, disclose and process such Personal Data for the Purposes.

6. Request For Access And/ Or Correction Of Personal Data

6.1 You may request to access and/or correct your Personal Data currently in our possession or control by submitting a written request to us. We will need enough information from you in order to ascertain your identity as well as the nature of your request, to deal with your request. Please submit your written request to info@laycy.com.

6.2 For a request to access Personal Data, once we have sufficient information from you to deal with the request, we will seek to provide you with the relevant Personal Data within 30 days. Where we are unable to respond to you within the said 30 days, we will notify you of the soonest possible time within which we can provide you with the information requested. The PDPA exempts certain types of Personal Data from being subject to your access request.

6.3 For a request to correct Personal Data, once we have sufficient information from you to deal with the request, we will deal with your request in compliance with the PDPA, including correct your Personal Data within 30 days. Where we are unable to do so within the said 30 days, we will notify you of the soonest practicable time within which we can make the correction. Note that the PDPA exempts certain types of Personal Data from being subject to your correction request as well as provides for situation(s) when correction need not be made by us despite your request.

6.4 We may also charge you a reasonable fee for the handling and processing of your requests to access your Personal Data. If so, we will provide you with a written estimate of the fee. Please note that we are not required to respond to or deal with your access request unless you have agreed to pay the fee.

7. Request To Withdraw Consent

7.1 You may withdraw your consent for the collection, use and/or disclosure of your Personal Data in our possession or under our control by submitting your request to info@laycy.com.

7.2 We will process your request within a reasonable time from such a request for withdrawal of consent being made, and will subsequently not collect, use and/or disclose your Personal Data in the manner stated in your request, unless the law or the PDPA allows us to.

7.3 However, your withdrawal of consent could result in certain legal consequences arising from such withdrawal. In this regard, depending on the extent of your withdrawal of consent for us to process your Personal Data, it may mean that we may not be able to fulfill the transaction you have entered into with us or continue with your relationship with us, or send you information that you have requested, as examples depending on the circumstances.

8. Protecting and Managing Your Personal Data

8.1 We will endeavour to take all reasonable steps to ensure your Personal Data is kept confidential and secure, and to take appropriate technical and organizational measures to prevent unlawful or accidental destruction, accidental loss, unauthorized disclosure or access or other unlawful forms of processing. We will not rent, trade, distribute or sell any Personal Data that you give us to any third party unless we receive your prior consent or applicable law permits the same.

8.2 We will put in place reasonable security arrangements to ensure that your Personal Data is adequately protected and secured. Appropriate security arrangements will be taken to prevent any unauthorized access, collection, use, disclosure, copying, modification, leakage, loss, damage and/or alteration of your Personal Data. However, we cannot assume responsibility for any unauthorized use of your Personal Data by third parties which are wholly attributable to factors beyond our control.

8.3 We will take reasonable efforts to ensure that your Personal Data is accurate and complete, if your Personal Data is likely to be used by us to make a decision that affects you, or disclosed to another organisation. However, this means that you must also update us of any changes in your Personal Data that you had initially provided us with. We will not be responsible for relying on inaccurate or incomplete Personal Data arising from you not updating us of any changes in your Personal Data that you had initially provided us with.

8.4 We will also put in place measures such that your Personal Data in our possession or under our control is destroyed and/or anonymized as soon as it is reasonable to assume that (i) the purpose for which that Personal Data was collected is no longer being served by the retention of such Personal Data; and (ii) retention is no longer necessary for any other legal or business purposes.

9. Cookies and Mobile Technology

9.1 Cookies. For users of the Site, please note that LAYCY may deposit “cookies” in your computer or your mobile device in order to identify you. Cookies are small data text files that are sent from a server computer during a browsing session. Cookies are typically stored on the computer’s hard drive and are used by web-sites to simulate a continuous connection to the site. Security measures have been employed to prevent unauthorized access to visitor data. However, visitors acknowledge that LAYCY does not control the transfer of data over telecommunication facilities including the Internet. Therefore, to the extent permitted by law, LAYCY will not be responsible for any breach of security or the unauthorized disclosure or use of any such data on the Internet, through no fault of LAYCY. Not all cookies collect Personal Data and you may configure your browser to reject cookies. However, this may mean you may not be able to take full advantage of the services or features on the Site. Where the data collected by such cookies constitute your Personal Data, such Personal Data is being collected, used or disclosed for one or more of the Purposes. By continuing to use the Site, you are agreeing to the use of cookies on the Site. However, please note that we have no control over the cookies used by third parties.

9.2 Flash Cookies. "Flash Cookies" (also called Local Shared Objects or "LSOs") are data files similar to cookies, except that they can store more complex data. Flash Cookies are used to remember settings, preferences, and usage, particularly for video, interactive gaming, and other similar services.

9.3 Web Beacons. Web beacons are small graphic images on a web page or in an e-mail that can be used for such things as recording the pages and advertisements clicked on by users, or tracking the performance of e-mail marketing campaigns.

9.4 Analytics Tags. We use analytical tags to analyse what our clients like to do and the effectiveness of our features and advertising. They can also help us customize your browsing and shopping experience. We may use information collected through analytical tags or tracked links in combination with your Personal Data. We may also combine Personal Data you provide to us with other Personal Data (such as purchase history and demographic information). We often work with other companies such as, for example, AppsFlyer Ltd., to help us track, collect and analyse this information but they are prohibited from using this information for any other purpose.

9.5 Web Server Logs. Web server logs are records of activity created by the mobile device or computer that delivers the webpages you request to your browser. For example, a web server log may record the search term you entered or the link you clicked to bring you the webpage. The Web server log also may record information about your browser, such as your IP address and the cookies set on your browser by the server.

9.6 Geo-Location Technologies. Geo-location technology refers to technologies that permit us to determine your Country/Region. We may ask you to manually provide Country/Region information (like your postal code), or to enable your mobile device to send us precise Country/Region information. For example, the first time you download the App you will/may be asked to choose between allowing or not allowing the App to access your Country/Region and/or to send you mobile notifications. If you choose “Do Not Allow,” you will have opted-out of having the App accessing your Country/Region to send you Country/Region-specific offer notifications. If you choose “OK” the App will communicate with your mobile device and collect certain data as provided in this Policy in order to send you targeted offers based on your Country/Region. You can always opt-out of sharing Country/Region data with the App by changing your device settings.

9.7 We utilise software manufactured by Sailthru Inc (or any other third party) and as the case may be, other software developers which works with your mobile device running the App to create a more personalised experience to make you aware of in-store offers, events and products. If you have enabled access to your Country/Region, depending on the features included in the App, LAYCY may collect the following information: • Information about your mobile device including make, model, operating systems and similar information; • The state of your mobile device (e.g. location services on/off, Bluetooth on/off, WiFi on/off, cellular data on/off, and other similar information); • Information about your version and your use of the App such as your use of various features, functions or clicks on notifications or content as well as application permissions (e.g., deliver notifications, use location services, use Bluetooth, and other similar information); • Information about your Beauty Pass membership status (if applicable) and products you have expressed an interest in (including those in your Basket, in Wishlist or that you have purchased); • Information you may provide to us by participating in a survey, labelling a Country/Region you visit, providing feedback, sending us questions or otherwise responding to requests for information; • Periodic collection of your Country/Region (e.g., latitude and longitude coordinates) and time of day or your Country/Region when/if your device is near any stores or other Country/Region; and • Attributes of WiFi networks visible to your device.

10. Registration Information

Our Site contains areas where you can submit information to us (such as our registration service), and we also have features (such as cookies and performance tracking technology) that automatically collect information from the visitors to our Site. During the registration process, you must provide us with a password, your name, address and a valid email address, etc. It is your responsibility to keep your password strictly confidential.

11. Changes to this Privacy Policy

Our privacy practices will be continuously assessed against new technologies, business practices and our customers’ needs. As we update and diversify our services, our Privacy Policy may evolve. LAYCY reserves the right to change its Privacy Policy at any time and notify you by posting an updated version of the policy on the Site. Please check the Site or send your request by email to info@laycy.com if you would like to receive the latest updated Privacy Policy.

12. Problems, queries or complaints

12.1 If you have any queries relating to our Privacy Policy, or if you wish to request for access to or correction of your Personal Data or to withdraw your consent, please contact or send your request to our Data Protection Officer by email to info@laycy.com.

12.2 You may also contact us at the details above if you have a complaint about how we have handled your Personal Data. We will investigate your complaint and will use reasonable endeavours to respond to you in writing as soon as possible.

13. General

13.1 Your consent that is given pursuant to this Privacy Policy is additional to and does not supersede any other consents that you provided to LAYCY with regard to processing of your Personal Data.

13.2 For the avoidance of doubt, in the event that Singapore Personal Data protection law permits an organisation such as us to collect, use or disclose your Personal Data without your consent, such permission granted by the law shall continue to apply.

APPENDIX A

COUNTRIES/REGIONS IN WHICH OVERSEAS RECIPIENTS ARE LIKELY TO BE LOCATED

Aruba; Australia; Austria; Bahrain; Barbados; Belgium; Bermuda; Brazil; Canada; Chile; China; Colombia; Czech Republic; Denmark; Dominican Republic; Finland; France; Germany; Greece; Guam; Hong Kong SAR; Hungary; India; Indonesia; Ireland; Israel; Italy; Japan; Kazakhstan; Kuwait; Lebanon; Luxembourg; Macau SAR; Malaysia; Mexico; Mongolia; Morocco; Netherlands; New Zealand; Norway; Panama; Philippines; Poland; Portugal; Qatar; Romania; Russian Federation; Saipan; Saudi Arabia; Singapore; South Africa; South Korea; Spain; Sweden; Switzerland; Taiwan; Thailand; Turkey; Ukraine; United Arab Emirates; United Kingdom; Uruguay; United States of America; Vietnam.