Privacy Policy

Privacy Policy (Effective from 10 August 2022) Contents 1. Who are we? 2. What information is covered by this Privacy Policy? 3. What personal information do we collect from you and how do we collect that information? 4. How do we use your personal information? 5. Matters specific to the internet 6. Do we use your personal information for direct marketing? 7. Sharing your data with third parties 8. Where do we transfer your personal information? 9. What are your rights in relation to your personal information? 10. Do we use CCTV? 11. How do we protect your personal information? 12. How long do we keep your personal information? 13. How do we deal with children's privacy? 14. How can you contact us? 15. Which version of this Privacy Policy applies? Aesop is committed to protecting your privacy. This Privacy Policy explains the types of personal information we collect, how we use that information, who we share it with, and how we protect that information.

Please read the following carefully to understand our views and practices regarding your personal information.

1. Who are we? This Privacy Policy applies to information that Emeis Cosmetics Pty Ltd, and its parent, subsidiaries and affiliate entities worldwide (individually and collectively referred to herein as "Aesop", "we", "us" or "our") collects from you. The personal information we collect is controlled by Aesop UK Limited, Hay's Galleria, 1 Hay's Lane, Hay's Lane House, 3rd Floor, London, SE1 2HD (registered number 05192303), Emeis Cosmetics Pty Ltd, 23 Waterloo Road, Collingwood VIC 3066, Australia, (ACN registration: 007 409 001) and the relevant local corporate affiliates. For the purposes of applicable data protection laws, the relevant Aesop entity as set out in section 14 below is a data controller of your personal information. 2. What information is covered by this Privacy Policy? This Privacy Policy covers all personal information that we collect, use and process which means information that (either in isolation or in combination with other information) enables you to be identified directly or indirectly. 3. What personal information do we collect from you and how do we collect that information? The types of personal information we may collect, and hold vary depending on the nature of our interaction with you and may include:

• identifying and contact information such as your name, postal and email address, telephone number, gender, date of birth and title;

• payment information;

• information ascertained about you from social media such as your profile picture, likes, location and friend list;

• geo-location details when using one of our mobile applications;

• health information such as skin concerns and adverse reactions to products; and

• product preferences and other information.

We may collect your personal information in a number of ways including when you:

• visit our website and register an account with us and/or purchase products through our website and/or undertake a live consultation;

• visit one of our Aesop retail stores or counters, including if you register an account with us in store; or

• correspond with us across any of our channels (e.g. messaging platforms such as text message, live chat and WhatsApp, social media and email).

We typically collect your personal information directly from you. On some occasions, we may collect your personal information from third parties such as payment platform providers. 4. How do we use your personal information? Why we process your information: To provide you with information about our products and services. How we use your information for this purpose: We process your order history to develop, market, sell or otherwise provide products, services or information to you. We also process your name and contact details to provide you with copies of our newsletter and information about our products, store launches, partnerships and in-store events, contact you regarding service related matters, and provide you with other marketing or promotional information where we are permitted to do so in accordance with applicable laws or if you have provided consent for us to do so. We also process this information to ensure that we do not contact you for direct marketing purposes if you have asked us not to. Based on the following justification: Using your personal information in this way is necessary for us to perform our contractual obligations to you. It is also in our legitimate interests to provide you with the best possible customer experience online and instore.

Why we process your information: To process your payments and protect you against fraudulent transactions. How we use your information for this purpose: We process your personal information including your payment details (credit card, debit card and/or other payment details) to fulfil your purchase orders for our products, services and/or gift cards. We also process this information to keep your payment details safe and protect you against fraudulent transactions. We process details of your device when you shop on our website to enable us to detect any fraudulent transactions or suspicious purchasing activity. Based on the following justification: It is in our legitimate interests to process personal information to keep payments secure and necessary for the performance of our contract with you. Providing us with certain personal information is voluntary but we may not be able to process your order and send you the required order acknowledgement and shipping confirmation e-mails if you do not provide us with certain requested information.

Why we process your information: To provide you with products and services that you have purchased from us. How we use your information for this purpose: We may need to use your name and contact details to perform our obligations under a contract with you (e.g. where you have purchased a product or service from us, like a hand cream or a facial treatment). Based on the following justification: It is necessary for us to process your personal information in this way for us to perform our statutory and/or contractual obligations to you.

Why we process your information: To learn more about why you use certain products and inform our product developers. How we use your information for this purpose: We process your personal or health information (e.g. skin type or where you suffer an adverse reaction to a product) to update your account with us. We also process this data to conduct internal administrative activities, research, analytics, planning and product development. If you have a customer account (whether created online or in-store), we may also collect information about the products you browse online or purchase, where you purchased the products from and other information relevant to your customer relationship with Aesop. We use this information for our internal demographic insights into our customers, to offer you an enhanced service according to your preferences, including by identifying relevant products, services and events which may be of interest to you, and to personalise your experience with Aesop. Together with non-personal information, we may also use this information for our internal marketing analysis and demographic studies, to analyse, profile and monitor customer patterns so we can consistently improve our products. This means that we can offer more personalised and integrated shopping and interactive experiences to our customers across all our channels. Based on the following justification: It is in our legitimate interests to develop our products and market the right products to you.

Why we process your information: To improve your experience on our website. How we use your information for this purpose: We process information such as your Aesop account username and password, IP address, information about your purchases and your other activity on our website to improve our website, including to modify it to your usage, history and preferences and troubleshoot problems. Based on the following justification: It is in our legitimate interests to ensure we provide you with a seamless online experience.

Why we process your information: To assess the online activities of our website users. How we use your information for this purpose: We process information collected by our websites automatically and through cookies and other technologies to assess the activities of our users, to measure the interest in and use of our website and communications, and to customise the website and our communications with you. We do this on both an individual basis and in the aggregate. Please see the section titled 'Matters specific to the Internet' for more detail. Based on the following justification: It is in our legitimate interests to process personal information using cookies and other technologies that we need to use to run our website. Where required by applicable law, we will ask for your consent to the use of cookies that aren't necessary to run our website.

Why we process your information: To understand and analyse our sales, your needs and preferences. How we use your information for this purpose: We may use your information such as your geographical location to help us conduct focused market research (such as surveys) based on trends and common factors so that we develop, enhance, market and provide products and services to meet your individual needs. Based on the following justification: It is in our legitimate interests to process personal information to develop, enhance, market and provide products and services to you.

Why we process your information: To understand your preferences based on information included in your Aesop profile (completed online, in-store or at one of our counters) or in other communications you send to Aesop. How we use your information for this purpose: We process your information in this way to better understand you, to maintain, update and service your account with us. This processing also allows us to conduct internal administrative activities, research, analytics, planning and project development. Based on the following justification: It is in our legitimate interests to process personal information so that we can better provide our products to you.

Why we process your information: To process exchanges or returns. How we use your information for this purpose: We process your personal information to perform our obligations under our contract with you. Based on the following justification: It is necessary for us to process your personal information to fulfil our statutory and/or contractual obligations to you.

Why we process your information: To respond to requests or complaints. How we use your information for this purpose: If you contact Aesop by live chat from our site, by email or phone, or in person at a store or counter, Aesop will collect your personal information and use this to identify you as a customer, help with your query, process your order, process payments, deliver products and services, update our records and to generally manage your account with us under our terms with you. Based on the following justification: It is necessary for us to process your personal information to fulfil our statutory and/or contractual obligations to you.

Why we process your information: To ensure the security and integrity of Aesop resources, including the website. How we use your information for this purpose: Aesop will process personal information to assess and enhance the security and reliability of our remote and electronic resources, including analysis of information collected during technological development, and program enhancements. Based on the following justification: We process your personal information in an effort to provide safe, reliable access to our goods and services.

Why we process your information: To assess or ensure compliance with applicable laws, regulations, and policies. How we use your information for this purpose: We may process your personal information to audit, confirm, and document compliance with legal, administrative, industry, and ethical standards, including Aesop’s policies and procedures, code of conduct, and corporate responsibility initiatives. We will also process your personal information to audit our affiliates’ and service providers’ compliance with contractual obligations as well as applicable privacy and other standards. Based on the following justification: We process your personal information to obey laws and regulations, to enforce internal policies, and to prevent and detect fraud and other practices that undermine Aesop’s commitment to fair and ethical conduct.

5. Matters specific to the internet Further information on how we use cookies can be found in our Cookie Policy. 6. Do we use your personal information for direct marketing? We will only use your personal information with your consent to send you marketing materials by email, text, WhatsApp or post, depending on your marketing preferences. Our marketing communications may include the products, services and other offers of Aesop or of third parties who have a relationship with us. You can opt out of receiving direct marketing from us at any time by contacting us as described below. When we send you direct marketing communications by email or other electronic means, we'll always give you the option to unsubscribe in the message itself. 7. With which third parties do we share your personal information? Your personal information is intended for Aesop but may be shared with third parties in certain circumstances: Aesop's group of companies: We may share your personal information among our group of companies to register your account with us, deliver our products, provide you with customer support, process your payments, understand your preferences, send you information about products that may be of interest to you and conduct the other activities described in this Privacy Policy. Some of the companies in our group may be located overseas as discussed in the section titled 'Where do we transfer your personal information?'. Our service providers: We use other companies, agents and contractors to perform services on our behalf or to assist us with the provision of the Aesop products to you. We may share personal information with such service providers including the following:

• infrastructure and IT service providers, including for email archiving, mailing, online messaging, payment/billing, booking/appointment systems, IT support desk and cloud-based services;

• advertising partners, including digital advertising partners such as social media sites and Google;

• marketing, advertising and communications agencies and information services companies; • transportation and logistics providers;

• external auditors and advisers; and

• other parties to whom we are authorised or required by law to disclose information.

While providing such services, these service providers may have access to your personal information. Third parties permitted by law: In certain circumstances, we may be required to disclose or share your personal information to comply with a legal or regulatory obligation (for example, we may be required to disclose personal information to the police, regulators, government agencies or to judicial or administrative authorities). We may also disclose your personal information to third parties where disclosure is both legally permissible and necessary to protect or defend our rights, matters of national security, law enforcement, to enforce our contracts or protect your rights or those of the public. Third parties connected with business transfers: We may transfer your personal information to third parties relating to a reorganisation, restructuring, merger, acquisition or transfer of assets, provided that the receiving party agrees to treat your personal information in a manner consistent with this Privacy Policy. Aesop will not sell your personal information to third parties for monetary compensation but may share your information with affiliated companies and contractors to better serve you by, for instance, tailoring your online experiences and customizing the products and services you are offered. Please note our website may, from time to time, contain links to and from the websites of our partners or affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we have no control over how they may use your personal information. This is the same for your use of social media sites. You should check the privacy policies of third-party websites before you submit any personal information to them. 8. Where do we transfer your personal information? Aesop is a global brand and we provide our products and services all over the world. Your personal information may be transferred to and processed in:

• the EEA;

• Switzerland;

• Australia;

• New Zealand;

• Japan;

• Hong Kong;

• Singapore;

• Malaysia;

• Macau;

• Taiwan;

• Korea;

• the United States of America;

• Canada; and

• Brazil, by our affiliates and our service providers.

9. What are your rights in relation to your personal information? You have the following rights available to you in respect of the personal information we hold about you:

• Access. You have the right to request a copy of the personal information we are processing about you. For your own privacy and security, at our discretion we may require you to prove your identity before providing the requested information. • Rectification. You have the right to request that incomplete or inaccurate personal information that we process about you be rectified. • Deletion. In some jurisdictions in which we operate, you have the right to request that we delete personal information that we process about you, except we are not obliged to do so if we need to retain such data to comply with a legal obligation or to establish, exercise or defend legal claims. • Restriction. In some jurisdictions in which we operate, you have the right to restrict our processing of your personal information where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it. • Portability. In some jurisdictions in which we operate, you have the right to obtain personal information we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) personal information which you have provided to us, and (b) if we are processing that data based on your consent or to perform a contract with you. • Objection. In some jurisdictions in which we operate, where the legal justification for our processing of your personal information is our legitimate interest, including the profiling we undertake to send you personalised offers, product recommendations and similar content, you have the right to object to such processing on grounds relating to your situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim. • Withdrawing Consent. If you have consented to our processing of your personal information, you have the right to withdraw your consent at any time, free of charge. This includes cases where you wish to opt out from marketing messages that you receive from us.

You can make a request to exercise any of these rights in relation to your personal information by sending the request to privacy@aesop.com.

Aesop will generally provide you with access to your personal information if practicable and will take reasonable steps to amend any of your personal information which is inaccurate or out of date. In some circumstances and in accordance with applicable privacy laws, we may not permit you access to your personal information, or may refuse to correct your personal information, in which case we will provide you reasons for this decision. Please note that where you have withdrawn your consent to our collection, use and disclosure of your personal information at any time (subject to contractual and legal restrictions and reasonable notice) or do not provide us with the personal information we request of you, we may be unable to provide you the products or services you have requested or contact you in the future.

You also have the right to lodge a complaint with us and the local data protection authority if you believe that we have not complied with applicable data protection laws. Please advise us of your concern or complaint in writing and send it to the relevant Aesop entity at the address set out below under the section titled "How can you contact us?". Your concern or complaint will be considered or investigated by us and we will respond to your complaint within a reasonable time. It is our intention to use our best endeavours to resolve any complaint to your satisfaction. However, if you are unhappy with our response, in Australia, you may contact the Office of the Australian Information Commissioner who may investigate your complaint further. If your complaint relates to the processing of your health information and you reside in Victoria, New South Wales or the Australian Capital Territory, you can lodge a complaint with the relevant State/Territory health complaints commissioner. Please click here for a list of local data protection authorities in EEA countries. 10. Do we use CCTV? Please note that where CCTV is in operation in our stores you may be captured on CCTV and your image stored. All CCTV footage is captured purely for your security and for the prevention and detection of crime. If you would like to know more about this, please contact us using the details provided below. 11. How do we protect your personal information? We do several things designed to keep our data secure, including administrative, technical and physical safeguards such as firewalls and encryption measures. While we endeavour to protect our systems, website, operations and information against unauthorised access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be safe from intrusion by others, such as hackers.

Aesop takes reasonable steps to: a) make sure that the personal information we collect, use and disclose is accurate, complete and up-to-date; b) protect the personal information that we hold from misuse and loss and from unauthorised access, modification or disclosure; and c) where permitted by law, destroy or permanently anonymise personal information that is no longer needed by Aesop. Aesop's credit card transactions are fulfilled by an authorised banking institution. When collecting credit card information for online purchases, Aesop offers secured server transactions that encrypt your information in transit to help prevent others from accessing it. Personal information is stored on servers that are protected by appropriate safeguards and will be accessible by authorised employees and agents who require access relating to their responsibilities. Your credit card details are encrypted and then removed from our system once your order has been dispatched. We don't usually collect unsolicited personal information. In the event we receive unsolicited personal information, we will determine if it would have been permissible to collect that personal information if it had been solicited. If we determine that collection would not have been permissible, to the extent permitted by law, we will destroy or anonymise that personal information as soon as practicable. Aesop will generally provide individuals with the option of not identifying themselves when entering into transactions when it is lawful and practicable to do so. However, on many occasion, we will not be able to do this. For example, we will need your address to deliver any products purchased through our website. 12. How long do we keep your personal information? We will only retain your personal information to the extent permitted by applicable laws and regulations. When we no longer need to use personal information, including for any contractual, legal, or regulatory requirement, we will remove it from our systems and records and/or take steps to anonymise it so that you can no longer be identified from it. 13. How do we deal with children's privacy? We will never knowingly collect personal information from individuals under the age of sixteen (16) years. If we become aware that a person under 16 has provided personal information to us, we will remove such personal information from our files. 14. How can you contact us? If there are any questions or concerns regarding this Privacy Policy, please contact us at privacy@aesop.com.

If you live in Switzerland, you should contact Aesop Switzerland AG, Gasometerstrasse 16, 8005 Zürich. 

If you live in the UK, the data controller you should contact is Aesop UK Limited at Hay's Galleria, 1 Hay's Lane, Hay's Lane House, 3rd Floor, London, SE1 2HD If you live in the EEA you should contact, Aesop Germany, Pfeilstrasse 45, Cologne 50672, Germany.

If you live outside the EEA and UK, Emeis Cosmetics Pty Ltd is responsible for your personal information. You can contact Emeis Cosmetics Pty Ltd at 23 Waterloo Road, Collingwood VIC 3066, Australia. 15. Which version of this Privacy Policy applies? We reserve the right to change our Privacy Policy from time to time. To obtain a copy of the latest version of our Privacy Policy at any time, visit our website at http://www.aesop.com/ or contact us by email: privacy@aesop.com. This Privacy Policy was last updated on 30th November 2023.