Privacy Policy

Last updated: 06 October 2025

This Privacy Policy explains how Sophie Dibou (“we”, “us”, “our”) collects, uses, shares and protects your personal data when you purchase makeup products, book or attend our makeup courses, or use our websites and online services (together, the Services). It also explains your privacy rights and how the law protects you.

We are committed to handling personal data fairly, lawfully and transparently in accordance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).


1) Who we are (Controller)

Controller: Sophie Dibou [insert full legal entity name]
Registered office: [insert address]
Company number: [insert]
VAT number: [insert]
Data protection contact/DPO: [insert name/role if applicable]
Email: [insert privacy/contact email]
Telephone: [insert phone]

If you have questions about this policy or your data, contact us using the details above.


2) Personal data we collect

We collect, use, store and transfer different kinds of personal data depending on how you interact with us:

  • Identity Data: first name, last name, title, date of birth (if required for age verification).
  • Contact Data: billing and delivery addresses, email address, phone number, emergency contact for in‑person courses (where provided).
  • Account & Profile Data: username, password, purchases, bookings, preferences, reviews, survey responses, communications with us.
  • Transaction Data: order details, payments (amounts, timestamps), refunds, chargebacks. (We do not store full card details; our payment processors do.)
  • Course Data: enrolments, attendance, assignments/assessments (where applicable), certificates, images/recordings captured during training sessions if you consent or as set out in our course terms.
  • Health/Sensitivity Data (optional): allergy or patch‑test information you choose to share to help us keep you safe during courses. We only collect this with your explicit consent, and you may withdraw consent at any time (see Section 10).
  • Marketing & Communications Data: your preferences for receiving marketing and your communication choices (email/SMS/push).
  • Technical & Usage Data: IP address, device identifiers, browser type, time zone, operating system, cookie IDs, pages viewed, clicks, time on page, referring URLs, and interactions with emails (opens/clicks). Collected via cookies, pixels and similar technologies (see Cookie Policy).
  • User‑Generated Content: product reviews, images you upload, social media tags/mentions when engaging with our campaigns (subject to platform terms and your settings).

We do not intentionally collect information about children under 16. If you believe a child provided us data without appropriate consent, contact us so we can delete it.


3) How we collect your data

  • Direct interactions: you create an account, place an order, book a course, contact support, request marketing, enter a competition, complete a survey, or give a course testimonial.
  • Automated technologies: as you interact with our Site, we automatically collect Technical & Usage Data via cookies and similar technologies.
  • Third parties: payment processors, fraud‑prevention providers, analytics providers, advertising platforms (e.g., Google, Meta), delivery and logistics partners, e‑learning and video platforms, and social networks when you interact with our content or use social sign‑in (if enabled).

4) How we use your data (purposes & lawful bases)

We will only use your personal data when the law allows. The main purposes and lawful bases are:

| Purpose | Examples | Lawful basis |
|---|---|---|
| Order processing | Create/verify account; take payment; fulfil orders; provide customer service; manage returns/refunds | Contract (perform our contract with you); Legal obligation (tax/records) |
| Course delivery | Manage bookings; attendance; issuing certificates; health & safety; course communications | Contract; Legitimate interests (safe, effective delivery); Consent for any optional health data |
| Marketing | Email/SMS/newsletters; similar products/services to existing customers (soft opt‑in) | Consent (non‑customers & SMS); Legitimate interests (existing customers under PECR soft opt‑in) |
| Analytics & improvements | Site/app performance, content testing, features, troubleshooting | Legitimate interests (to run/improve our Services) |
| Personalisation & ads | On‑site recommendations; remarketing (e.g., Meta Pixel, Google Ads) | Consent (via cookie banner) |
| Fraud prevention & security | Identity checks, transaction monitoring, misuse prevention | Legitimate interests; Legal obligation where applicable |
| Legal & compliance | Respond to lawful requests; tax/VAT reporting; dispute handling | Legal obligation; Legitimate interests |

Special category data (allergy/health): processed only with your explicit consent or to protect vital interests in an emergency during a course.

We do not sell personal data.


5) Marketing choices

  • Email/SMS marketing: We’ll send marketing if you opt in, or under PECR soft opt‑in where you purchased from us and did not opt out. You can unsubscribe at any time via the link in our emails/SMS or by contacting us.
  • Profiling: We may use purchase, course and browsing data to segment audiences and tailor offers. You can opt out of marketing at any time; you’ll still receive essential transactional messages.

6) Cookies and similar technologies

We use cookies, pixels and similar technologies for essential functions, analytics, and advertising. Where required, we obtain your consent via our cookie banner. For details on types, purposes, retention and how to change your preferences, see our separate Cookie Policy.


7) Disclosures of your data (recipients)

We may share personal data with trusted recipients who act as our processors (they process data on our behalf) or independent controllers:

  • Payment & fraud prevention: e.g., Stripe, PayPal, checkout risk tools.
  • Fulfilment & logistics: warehouses, Royal Mail, DPD, Evri and similar couriers.
  • Customer communications & CRM: email/SMS providers (e.g., Mailchimp/Klaviyo/Twilio), helpdesk tools, review platforms.
  • E‑learning & events: online course platforms and video‑conferencing tools (e.g., Thinkific/Teachable, Zoom) for live or recorded sessions.
  • Analytics & advertising: Google Analytics, Google Ads, Meta (Facebook/Instagram) and similar platforms—only where you have given consent for non‑essential cookies.
  • Professional services: IT support, auditors, insurers, legal advisers.
  • Corporate: in a business reorganisation, merger, or asset sale, subject to confidentiality and applicable law.

Where recipients are outside the UK (or UK‑adequate countries), we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, and implement additional measures where necessary.


8) Data security

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where feasible, secure development practices, staff training and vetted suppliers. No system is completely secure; we cannot guarantee absolute security.


9) Data retention (how long we keep data)

We keep personal data only as long as necessary for the purposes set out in this policy and to meet legal, accounting and reporting requirements. Typical retention periods are:

| Data category | Typical retention |
|---|---|
| Orders & transactions | 6 years from financial year end (tax/legal obligations) |
| Customer accounts | Active period + 24 months of inactivity (then delete/anonymise) |
| Course records (enrolment, attendance, certificates) | 6 years from course end |
| Customer support communications | 24 months from last contact |
| Marketing preferences and consents | Until you withdraw consent/opt out + 24 months for audit |
| Allergy/health forms (if consented) | Up to 12 months after the relevant course unless longer is necessary for safety/legal claims, then securely deleted |
| CCTV at training premises (if used) | Typically 30–90 days unless required for an investigation |
| Cookies & analytics identifiers | As set out in the Cookie Policy |

10) Your rights

Under data protection law, you have rights to:

  • Access your personal data and receive a copy;
  • Rectify inaccurate or incomplete data;
  • Erase your data in certain circumstances (“right to be forgotten”);
  • Restrict processing in certain circumstances;
  • Data portability for data you provided to us with consent or under contract;
  • Object to processing based on our legitimate interests (including direct marketing);
  • Withdraw consent at any time where we rely on consent (e.g., marketing or health data). This does not affect processing before withdrawal.

To exercise your rights, contact us at [insert privacy email]. We may need to verify your identity. We aim to respond within one month (extensions apply for complex requests).

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would appreciate the chance to address your concerns before you approach the ICO.


11) Course photography & recordings

We may photograph or record segments of our courses for educational and marketing purposes. We will always seek your consent where you are identifiable and the purpose is marketing. If you prefer not to be captured, please inform us before the session starts so we can accommodate.


12) Automated decision‑making

We do not carry out automated decisions that produce legal or similarly significant effects. We may use automated fraud screening during checkout; where screening flags a risk, a human reviews the decision.


13) Third‑party links

Our Site may include links to third‑party websites, plug‑ins and applications. Clicking those links or enabling connections may allow third parties to collect or share data about you. We do not control these third parties and are not responsible for their privacy statements.


14) Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be posted on our Site with the “Last updated” date. Material changes will be notified by email or prominent notice on the Site.


15) Contact us

Questions, requests or complaints about this Privacy Policy or your personal data:

Email: [insert privacy email]
Postal: Data Protection, Sophie Dibou, [insert postal address]
Phone: [insert phone]

If you need this policy in an alternative format (e.g., large print), please contact us.


Related documents

  • Terms & Conditions
  • Cookie Policy (explains our cookies, pixels and how to change preferences)