Effective Date: November 13, 2023
1. Our General Privacy Principles.
We are committed to protecting the privacy of all visitors to our website www.cosmossbykatemoss.com (the "Site") whether “you” are purchasing our products or are just checking us out.
3. Basic Information.
In general, we are the "processor" under GDPR or “service provider” under CCPA of the personal information you entrust to us and that we process on your behalf, and in some limited instances, we may be considered a “controller” or “business” for example when you consent to receive marketing advertisements from us based on your product preferences. We will then determine the purposes of the processing of your personal information (e.g., to use third party service providers to help us with our marketing campaigns), subject at all times to your opt-out rights.
4. Contact Details
You can send us written correspondence at COSMOSS Group Limited, National House 60-66 Wardour Street, London W1F 0TA, ENGLAND; or you can write to us, in the United States, at COSMOSS Privacy, 1887 Whitney Mesa Dr #7556, Henderson, NV 89014 USA.
5. How We Collect Your Personal Information
5.1 We collect your personal information when you interact with us or use our Services, such as when you use our Site to place an order. We also look at how visitors use our Site, and we further use your personal information to help us improve our services and to optimise your customer experience.
5.2 We collect information:
(a) when you create an account with us or you change your account settings;
(b) when you place an order with us as a guest or as an account holder, and during the order process (including for payment processing and order delivery);
(c) through your interactions with us, such as when you request information or support or when you have agreed to receive marketing, information about our initiatives or other communications from us by email;
5.3 We also collect your personal information from third party sites with your prior consent, such as from advertising and social media platforms.
6. Personal Information We Collect From You
6.1 As part of our commitment to the privacy of our customers and visitors to our Site more generally, we want to be clear about the sorts of information we will collect from you.
6.2 When you visit the Site, set up an account or place an order through the Site, including any partner’s website we work with to provide delivery services, you are asked for information about yourself including your name, contact details, delivery address, order details, and payment information such as credit or debit card details. We will also collect information from you when you contact us on our Site (e.g., when you are contacting our Customer Service team). Please note that we do not store or retain your complete payment card information. Your payment card details are stored and managed by our trusted third party payments processors who maintain strong, industry required security safeguards to protect payment card information (referred to as “PCI-DSS
6.3 We collect information about your use of the Site and information about you from any messages you post to the Site or when you contact us or provide us with feedback, including through email, post, or online reviews.
6.4 We collect information from your mobile device or computer, such as its operating system, the device and connection type from which you are accessing our Site. We also collect technical information about your use of our Site through a mobile device, for example, carrier identity, anonymized location data and performance data such as mobile payment methods, interaction with other retail technology. Unless you have elected to remain anonymous through your device and/or platform settings, this information may be collected and used by us automatically if you use the Site on your mobile device(s) through your mobile's browser or otherwise.
6.5 Where we need to collect personal information required by law, or under the terms of a contract we have with you, and you fail to provide that personal information, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our Services). In this case, we may have to cancel the Services we are offering you, but we will notify you directly if this is the case at the time.
7. How We Use Your Personal Information
7.1 We will only use and process your personal information if there is a reason for doing so (e.g., a recognized “business purpose” under CCPA), and if that reason is permitted by law (e.g., a lawful basis for processing your personal information under GDPR).
7.2 Where we need to provide you with the products you have ordered and/or to enter into a contract with you, we use your personal information to:
(a) enable us to provide you with access to the relevant parts of the Site (e.g., we collect necessary cookies from your device so that we recognize you and your device);
(b) supply the products you have ordered (e.g., we collect your name, contact details, delivery address and order details);
(c) enable us to collect payment from you (e.g., we collect your credit or debit card information, which we do not retain but which we immediately share with our payments processing service providers); and
(d) contact you, where necessary, concerning our Services, such as to resolve issues you may have with your order (e.g., we collect the personal information listed above and any additional information we may need to resolve your issue).
7.3 We also process your personal information where we have a legitimate interest for doing so, which are to:
(a) personalise our Site, including to make it easier and faster for you to place orders;
(b) improve the effectiveness and quality of the ordering and delivery process that our customers can expect from us in the future;
(c) tailor content that we or our partners display to you, for example so that we make sure you see the advertising which is most relevant to you (where you have not opted-out from receiving advertising and marketing messaging), based on characteristics determined by us;
(d) enable our Customer Service Team to help you with any enquiries or complaints in the most efficient way possible and to provide a positive customer experience;
(f) send you information by post about our products, promotions and initiatives where you’ve consented to receiving these promotional materials (and if you do not want to receive these, you can opt-out and let us know by getting in touch (Please see Section 4 ‘Contact Details’));
(g) analyse your browsing activity on the Site so that we can administer, support, improve and develop our business including for statistical and analytical purposes; and
(h) detect, investigate, report and seek to prevent fraud or crime.
7.4 We also process your personal information to enforce our contractual terms with you and any other agreement, to ensure compliance with our internal policies and procedures and for the exercise or defence of legal claims and to protect the rights of COSMOSS, our partners, or other third parties with whom we conduct business.
7.5 If you submit comments and feedback regarding our products either directly to us or to our social media sites and you’ve agreed to allow us to post those comments publicly, we may use such comments and feedback on the Site and in any marketing or advertising materials including on our social media sites. We will only identify you for this purpose by your first name and last initial which you provide us with, and you agree that such comments and feedback may be displayed publicly on the Site including on our social media sites.
7.6 We will also analyse data about your use of the Site to create customer profiles relating to you and for you. This means that we may make certain assumptions about what you may be interested in and use this data based on your prior consent, for example, to send you more tailored marketing communications, to present you with partners that we think you will prefer, or to let you know about special offers or products which we think you may be interested in. This activity is referred to as profiling. You have certain rights in relation to this type of processing. Please see Section 14 ‘Your Rights’ for more details. We will not directly send you COSMOSS marketing communications or share your personal information with our partners unless you have consented to and given us permission to contact you or share your personal information with third parties. If you give us permission, you can always opt-out by changing your privacy preferences and settings by contacting us at: [email protected].
7.7 We may also use your information to comply with any legal obligation or regulatory requirement to which we are subject.
9.1 Where you have given your prior consent or where we have a legitimate interest for doing so (and are permitted to do so by law), we will use your personal information to let you know about our other products or services we offer, or initiatives that may be of interest to you and, if you have agreed, we may contact you to do so by email.
9.3 You can ask us to stop sending you marketing messages at any time by changing your marketing preferences and cookie settings or by contacting us at [email protected], and by following the opt-out links on any marketing message we send to you.
9.4 Where you have opted out of direct marketing, we may still contact you through email with Service-related communications, including, but not limited to, correspondence providing information about your order, Service interruption and delivery safety or status.
10. Retention of Your Personal Information
10.1 We will only retain your personal information for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
10.2 When determining the appropriate retention periods, we will take into account factors including:
(a) our contractual obligations and rights in relation to the personal information involved;
(b) legal obligation(s) under applicable law to retain personal information for a certain period of time;
(c) statute of limitations under applicable law(s);
(d) our legitimate interests for retaining the personal information (please see Section 7 "How We Use Your Personal Information");
(e) whether there is an actual or potential dispute; and
(f) guidelines issued by relevant data protection authorities.
10.3 Otherwise, we securely erase your personal information where we no longer require it for the purposes we collected it for.
10.4 You can also request that we delete and terminate your COSMOSS account in its entirety once we have completed all active orders associated with your account.
11. Sharing Your Personal Information
11.1 We are very careful and transparent about who else we share your personal information with.
11.2 We share your personal information with our other affiliated COSMOSS Group companies only where necessary for the purposes set out in Section 7 – “How We Use Your Personal Information”.
11.3 We share your personal information with third party subprocessors and service providers that provide services to you on our behalf. The types of third party service providers and subprocessors with whom we share your information include for example:
(a) payment providers (including online payment providers and fraud detection providers);
(b) IT service providers (including cloud providers, web hosts and email providers);
(c) logistics providers (including address verification services and delivery providers);
(d) insurance companies;
(e) customer support providers (including, but not limited to, companies that assist us to provide customer or technical support); and
(f) professional advisers such as our accounting, legal or business advisory consultants.
11.4 You agree we may engage third party subprocessors and service providers to process personal information on your behalf. Some third party subprocessors and service providers will apply to you as default, and some third party subprocessors and service providers will apply only if you opt-in.
11.5 We have currently appointed, as third party subprocessors and service providers, specific third parties (which include COSMOSS Group affiliates), a list of which is available upon written request to: [email protected]
11.7 Where you have given us prior consent to use your personal information in connection with the delivery of marketing communications to you, we will share your personal information when we promote a programme or offer a service or product in conjunction with a third-party business partner. We will share your personal information with that partner to assist in marketing or to provide the associated product or service (and only for that limited purpose). In most of those cases, the programme or offer we are promoting will include the name of the third-party business partner, either alone or with ours. An example of such a business partner relationship would be a partner that we partner with for providing delivery services.
11.8 If you submit comments and feedback regarding the Site, our products, and our partners, we may share such comments and feedback with our partners for the partner’s internal use only.
11.10 If our business enters into a joint venture with, purchases or is sold to or merged with another business entity, your personal information may be disclosed or transferred to the target company, our new business partners or owners or their advisors.
11.11 We may also share your personal information:
(a) if we are under a duty to disclose or share your personal information in order to comply with (and/or where we believe we are under a duty to comply with) any legal obligation or regulatory requirement;
(b) in order to enforce our contractual terms with you and any other agreement;
(c) to protect our rights or those of our partners or others, including to prevent fraud; and
(d) with such third parties as we reasonably consider necessary in order to prevent crime, e.g. the police or for health and safety purposes.
12.1 We adopt robust technologies and policies to protect your information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
12.2 We will implement and maintain appropriate technical and organizational measures to protect personal information from personal information security incidents (such as a data breach), in accordance with applicable data protection laws. Notwithstanding any provision to the contrary, we may modify or update our security measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the security measures.
12.3 We have implemented procedures to deal with any data breach and will notify you and any applicable regulator without undue delay of a breach where we are legally required to do so.
12.5 We will ensure that any personnel whom we authorize to process personal information on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that personal information.
12.6 Unfortunately, the transmission of information via the internet is not completely secure. Although we do take steps to protect your personal information, we cannot guarantee the security of your personal information transmitted to the Site or in connection with your use of our Services; any transmission of personal information over the internet is at your own risk. Once we have received your personal information, we will use strict procedures and security measures to try to prevent unauthorised access.
12.7 When you open an account you may create a password, or other secure login method. You must use a unique password and keep any password you create, or other secure login method, secret in order to help prevent others from accessing your account.
13. Data Transfers
, and in particular that personal information may be transferred to and processed by Cosmoss, Inc. in the United States and to other jurisdictions where members of the Cosmoss Group and its subprocessors and service providers have operations. Wherever personal information is transferred outside its country of origin, Cosmoss and its subprocessors and service providers will ensure such transfers are made in compliance with the requirements of data protection laws including GDPR and CCPA.
13.2 In some cases the personal information we collect from you might be processed outside the United Kingdom or the European Economic Area (EEA), such as the United States and in other countries in which COSMOSS operates. These countries may not have the same protections for your personal information as the UK or EEA has. To the extent these countries have not been lawfully recognised as providing an adequate level of data protection, we will ensure that the personal information that is processed by us and our subprocessors and service providers outside of the UK or EEA is protected in the same way as it would be if it was processed within the UK or the EEA. We will use an appropriate data transfer mechanism, such as reliance on the protections set out in approved standard contractual clauses. See also Section 14 below.
13.3 Please contact us using the contact details above for further information on the specific mechanism used by us when transferring your information.
14. Your Rights Under GDPR and CCPA.
14.1 Under certain circumstances, you have rights under data protection law including GDPR and CCPA in relation to the personal information we process about you.
These rights include:
(a) The right of access. This is also known as a “data subject access request”. You have the right to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. You can initiate a data subject access request by sending us an email at [email protected]. We will respond and manage your request in a way that complies with the relevant data protection and privacy laws that apply to you (if we are able to determine your place of residency). In all cases, we will respond as quickly as is commercially reasonable. We may need to verify your identity before we take the requested action.
(b) The right to rectification. You are entitled to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new personal information you provide to us.
(c) The right to erasure. This is also known as “the right to be forgotten” which enables you to request the deletion or removal of certain of the personal information that we hold about you where there is no good reason for us continuing to process it. This right is not absolute and only applies in certain circumstances.
(d) The right to restrict processing. You have the right to block or suppress further use of your personal information in certain circumstances. When processing is restricted, we may still have a lawful reason to store your information, but we will not use it further.
(e) The right to data portability. You have the right to receive your personal information in a structured, commonly used and machine-readable format which you can transfer to another service provider or other third party. This right is not absolute and only applies in certain circumstances.
(f) The right to withdraw consent. Where we rely on consent to use your personal information, you have the right to withdraw that consent at any time. Withdrawing consent will not, however, make unlawful our use of your personal information before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain Services to you.
(g) The right to object to processing
and Section 9 ‘Marketing’ or by contacting us at [email protected]
14.3 You have the right not to be subject to a decision based solely on automated processing of your personal information.
14.4 To exercise any of these rights, please contact us in writing at [email protected]
14.5 If you are unhappy with how we have handled your information under GDPR, you can contact your local data protection authority. In the UK, this is the Information Commissioner’s Office where you can issue a complaint here: https://ico.org.uk/make-a-complaint/, or through the data protection authority of Poland (Personal Data Protection Office) which can be contacted here: https://uodo.gov.pl/en/681/1404. We would, however, really appreciate the chance to deal with your concerns before you approach your local data protection authority and so we ask that you please contact us first. See Section 14.4 for the email address to use in order to contact us to exercise any of your rights under applicable data protection and privacy laws.
15. California Notice of Collection; Your Rights under Various U.S. State Privacy Laws.
Current State of U.S. Privacy Laws
If you are a California resident or a resident of a growing number of U.S. states, you may have additional rights that we summarize in our separate California Notice of Collection and Summary of U.S. State Privacy Rights
16. Third Party Sites