Privacy Policy

EFFECTIVE DATE: This Privacy Notice may vary from time to time so please check it regularly. These terms were most recently updated on August 2019.

We may change or discontinue our site, its content, services, functions or features, and modify this Privacy Notice, any terms we post that govern use of and/or interaction with our site, at any time without notice. If any of these terms shall be deemed invalid, void, or for any reason unenforceable, that term shall be deemed severable and shall not affect the validity and enforceability of any remaining condition terms of this Privacy Notice.


1.1       This is the Privacy Notice of Penhaligon’s Inc., located at 400 Madison Avenue, Suite 10B, New York, NY 10017

1.2       This Privacy Notice sets out how Penhaligon’s Inc.(‘we’, ‘us’ or ‘our’) and our group companies (including Puig S.L.) collect and process your personal information when you access and use our site (‘our site’). This Privacy Notice also provides certain information that is legally required and lists your rights in relation to your personal data. The “site” includes by definition, and this Privacy Notice applies to, our site itself, and any mobile app, web pages, interactive features, other applications, widgets, blogs, social networks, social network "tabs," or other online or wireless offerings that link to this Privacy Notice, whether accessed via computer, mobile device or other technology, manner or means.

1.3       This Privacy Notice relates to personal information identifying you. We refer to this information throughout this Privacy Notice as ‘personal data’ and section 2 sets out further detail of what this includes.

1.4       Please read this Privacy Notice to understand how we may use your personal data.


We may collect the following personal data about you:

2.1       Personal data you provide to us via our site, including information that you provide by filling in forms on our site. This includes information provided at the time of registering to use our site and when you make purchases from our site. For example:

2.1.1       Your name and title;

2.1.2       Your billing and delivery postal address, phone, fax and email addresses;

2.1.3       Your gender (although this is not mandatory);

2.1.4       Where you have registered with us, your user name and password; and

2.1.5       How you heard about us.

2.2       Personal data you provide when you enter a competition or promotion sponsored by us, and/or when you report a problem with our site;

2.3       Responses you voluntarily provide to surveys that we use for research purposes, although you do not have to respond to them;

2.4       Details of transactions you carry out through our site and of the fulfilment of your orders;

2.5       Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access;

2.6       Information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns, and does not identify any individual;

2.7       Personal data gathered using cookies – please see our Cookie Policy for further information;

2.8       Personal data you provide when you request our marketing material or email newsletter or submit a query to us or which is collected via social media;

2.9       Personal data you provide when using interactive features of our site; and

2.10       Personal data you provide when applying for a job advertised or submit a speculative job application and/or your CV.


3.1        Data controller and contact details

3.1.1        If you have a concern or question regarding your privacy, you can contact our company by emailing [email protected].

3.2        Processing data

3.2.1        We collect and process your personal data for a variety of different purposes which are set out in further detail below.

3.3        How we use your personal data for marketing and promotions

3.3.1        We may ask for your consent to contact you by telephone, SMS, post and/or email about other offers, products, promotions, developments or services which we think may be of interest to you and for other marketing purposes. You can indicate your consent by ticking the relevant box.

3.3.2        We may ask for your consent to group companies including Puig SL to contact you by telephone, SMS, post and/or email about other offers, products, promotions, developments or services which may be of interest to you and for other marketing purposes. You can indicate your consent by ticking the relevant box.

3.3.3        We may ask for your consent to allow third parties to contact you by telephone, SMS, post and/or email about other third party offers, products, promotions, developments or services which may be of interest to you and for other marketing purposes. You can indicate your consent by ticking the relevant box.

3.3.4        We also request consent for some cookies in accordance with our Cookie Policy.

3.4        Withdrawing your consent for marketing materials

3.4.1        You may at any time withdraw the consent you give to our processing your personal data for those purposes set out in section 3.3 above by contacting us at [email protected].

3.4.2        If you want to stop receiving future marketing messages and materials at any time, you can do so alternatively by clicking the 'unsubscribe' link which is included in all of our email marketing messages.

3.4.3        Our Cookie Policy sets out how to manage cookies.

3.5        How we use your personal data

3.5.1        These are some of the ways we use your personal data:

  • Notifying winners of online competitions;
  • Sending you surveys in connection with our goods and services;
  • To send you important notices such as communications about changes to our terms and conditions and policies;
  • To assist in the investigation of suspected illegal or wrongful activity. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction;
  • To deal with any misuse of our site;
  • To contact you by telephone, SMS/text message, post and/or email about other offers, products, promotions, developments or services our ours which we think may be of interest to you and for other marketing purposes. Please make it clear when you provide personal data to us, should you not wish to receive such information to send you information you have requested;
  • To deal with your enquiries;
  • To allow you to participate in interactive features of our service, when you choose to do so;
  • Where you have submitted a job application we may for a reasonable period keep your details on file for future reference should a suitable position subsequently become available and we may send you information about job opportunities;
  • To develop, deliver and improve our goods or services;
  • To help us develop our site to be more useful to you;
  • For internal purposes for research, analysis, testing, monitoring, customer communication, risk management and administrative purposes;
  • To protect and defend our rights or property or those of our customers or others;
  • To sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers; and
  • In order to enforce or apply our site’s Terms of Website Use or Terms and Conditions of Sale and other agreements with third parties.

3.5.2        [[[[re-confirm]]]] We will do our best to inform you when we carry out any of the above activities, but it may be that we are unable to do so in each case. 

3.6        Who receives the personal data you provide to us

3.6.1        We will share your personal data with the following recipients:

(a)        Bloomreach in relation to our marketing email communications with our customers;

(b)        Adyen– and PayPal, Amazon Pay, Klarna and Apple Pay – to process payments made on our site

(c)        Winparf in relation to point of sale

(d)        One Market in relation to electronic receipts

(e)         Sprout in relation to social media marketing with our customers

(f)        CDL Logistics in relation to order fulfilment and delivery services

(g)        Hybris in relation to online transactional services

(h)         Meta in relation to our social customer audience segments

(i)         Zendesk in relation to customer support software

(j)        LogicMelon in relation to recruitment

(k)         MentionMe in relation to referral programmes

(l)       SAP and SAP Hybris for finance and logistical purposes

(m)        Puig S.L. for management of Group Company data

(n)        Use of first party data (cookie data, email addresses) to build remarketing audiences on Google Ads and Bing

(o)        Use of first party data (cookie data, email addresses) to build custom audiences for targeting on Facebook and Instagram

(p)        Google Firebase in relation to online fragrance profiling;

(q)         Hero in relation to our clienteling app to connect with stores

(r)        Use of first party data (cookie data, email addresses) to build remarketing audiences in Criteo Display advertising;

(s)         Use of first party data (cookie data, email addresses) to build remarketing audiences in Snapchat advertising;

(t)        HMRC, legal and other regulators or authorities, including those who request your personal data or to report any potential or actual breach of applicable law or regulation;

(u)        External professional advisers such as accountants, bankers, insurers, auditors and lawyers;

(v)       Law enforcement agencies, courts or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights; and

(w)        Third parties where necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

(x)       We partner with Rakuten Advertising, who may collect personal information when you interact with our site. The collection and use of this information is subject to the privacy policy located here and here.

Use of first party data (cookie data) to anonymously record that a user has clicked on a Rakuten Advertising link, referring the user to our website. This information is collected in order to enable us to pay a commission to Rakuten Advertising and its affiliates for any sales they may drive on our site.

However, we do not forward personal data to these third parties for any promotional purposes by those companies.

(z)        Givex UK Corporation Limited when purchasing an e-gift card

3.7        Transfers of your personal data to other countries

3.7.1       The personal data we collect from you is currently held within the European Economic Area (‘EEA’). However, it is possible that in the future such personal data may be transferred, stored and/or processed outside the EEA.

3.7.2       By submitting your personal data, you agree to this transfer, storing and/or processing. You should be aware that countries outside the EEA may not offer the same level of data protection as the United Kingdom.

3.8        Data Retention

3.8.1       We will only hold your personal data for so long as is necessary for us to do so, however because this depends in each case on how each of our customers interact with us, we keep the length of time that we hold your personal data for under review.

3.8.2       Where we no longer need to process your personal data for the purposes set out in this Privacy Notice then we will delete your personal data from our system.

3.9       Why should you provide us with personal data?

3.9.1       Please be aware that we do need to use certain of your personal data in order to fulfil our contractual obligations to you and to provide you with the goods and services you have elected to receive. If you do not provide it then we may not be able to perform the contract to the level you expect or at all. Please see our Terms and Conditions of Sale for further details.

3.10       Where we store your personal data

3.10.1       All information you provide to us is stored on our secure servers.

3.10.2       We will keep your information secure by taking appropriate technical and organisational measures against its unauthorised or unlawful processing and against its accidental loss, destruction or damage.

3.10.3       Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

3.10.4       Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. 3.10.5 Payment transactions are made using payments providers. All credit/debit card transactions on our site are processed using, a secure online payment gateway that encrypts your card details and cannot be accessed by us.


This policy only applies to Penhaligon’s Inc. Our site may, from time to time, contain links to and / or from websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notices or policies and that we do not accept any responsibility or liability for any use of your personal data that is made by unconnected third party websites. You should remember to read and understand those websites’ privacy notices or policies as well.


Our site interest-based advertising, which is the collection of browsing data over time so that our ads and marketing can be personalized and displayed to you on our websites and 3rd party websites.  You can choose to opt out of having your data used for targeting and serving interest-based advertising by using the opt-outs provided by the Network Advertising Initiative and the Digital Advertising Alliance:

This does not mean that we will not serve you ads, but it does mean that we will not use interest-based advertising to do so.

6        DO NOT TRACK

Do-Not-Track is a public-private initiative that has developed a “flag” or signal that an Internet user may activate in the user’s browser software to notify websites that the user does not wish to be “tracked” by third-parties as defined by the initiative. The online community has not agreed on what actions, if any, should be taken by the websites that receive the “do not track” signal, and therefore Do-Not-Track is not yet standardized. Our website does not alter its behavior or change its services when it receives a “do-not-track” flag or signal from your browser.


On our website, we do not intentionally gather Personal Information from visitors under the age of 13.  If you believe we have inadvertently collected information about your child, please contact our Data Protection Officer, and we will attempt to delete the information.


Under Section 1798.83 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of personal information the business shares with third parties for those third parties' direct marketing purposes, and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To exercise your rights, you may make one request each year by emailing us at [email protected] with "Request for California Privacy Information" on the subject line and in the body of your message. Be sure to provide in the request sufficient information to properly identify you and/or the members of your family

8.1        Information We Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:




A. Identifiers.

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.


B. Personal information categories listed in the California Customer Records statute (Cal. Civ.Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.


C. Protected classification characteristics under California or federal law

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).


D. Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.


E. Biometric information.

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.


F. Internet or other similar network activity.

Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.



Physical location or movements.


H. Sensory data.

Audio, electronic, visual, thermal, olfactory, or similar information.


I. Professional or employment-related information

Current or past job history or performance evaluations.


J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.


K. Inferences drawn from other personal information

Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.


8.2        Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA's scope, like:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from our customers or their agents. For example, from information that our customers provide in order to facilitate the purchase of our products.
  • Indirectly from our clients or their agents. For example, through information we collect from our customers in the course of providing products to them.
  • Both directly and indirectly from activity on our website (

8.3        Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • To fulfill or meet the reason for which the information is provided. For example, if you provide us with your address, we will use this information to ship products to you.
  • To provide you with information, products or services that you request from us.
  • We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

  • To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us.
  • To improve our website and present its contents to you.
  • For testing, research, analysis and product development.
  • As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

8.4        Sharing Personal Information

We may disclose your personal information to a third party for a business purpose.  When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

  • Category A:        Identifiers.
  • Category B:        California Customer Records personal information categories.
  • Category C:        California Protected Class information
  • Category D:        Commercial Information

We disclose your personal information for a business purpose to the following categories of third parties:

  • Our affiliates or other entites part of the same Group of Companies.
  • Service providers.
  • Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.
  • DoubleClick, from Google

In the preceding twelve (12) months, we have not sold any personal information.

8.5        Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.

  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

8.6        Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

8.7        Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
    We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.  Making a verifiable consumer request does not require you to create an account with us.  We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.  Making a verifiable consumer request does not require you to create an account with us.  We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

8.8        Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt.  If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.  Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt.  The response we provide will also explain the reasons we cannot comply with a request, if applicable.  For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

8.9        Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

8.10        Changes to Our Privacy Notice

We reserve the right to change this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by email or through a notice on our website homepage.

8.11        Contact Information

If you have any questions or comments about this notice, our Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone: +44(0)800 011 9877
Website: ;
Email: [email protected]
Postal Address: 1 Cathedral Piazza, 123 Victoria Street, London, SW1E 5BP

9. Klarna: Draft privacy notice text (all markets except Switzerland)

In order to offer you Klarna’s payment methods, we might in the checkout pass your personal data in the form of contact and order details to Klarna, in order for Klarna to assess whether you qualify for their payment methods and to tailor those payment methods for you. Your personal data transferred is processed in line with Klarna’s own privacy notice