Privacy Policy
We take your privacy very seriously and are confident that you do the same. Please take a moment to read this policy carefully.
This privacy policy describes how we collect, use, store, and protect your personal data in accordance with the European Union General Data Protection Regulation (GDPR) and Estonian personal data protection legislation.
We understand that this document is comprehensive, so we have summarized the main points below:
We collect your personal data to provide the functionality and services of the Lush website.
If you give consent, we will send you Lush news.
We share data only with trusted partners, never publicly or for sale.
If required by law, we may transfer data to authorities.
Your data may be processed outside Estonia, but always securely in accordance with GDPR.
Cookies help us remember you and improve the experience (you may opt out of them).
We never sell your personal data.
1. Who we are
Under this privacy policy, the data controller is:
Eetiline Kosmeetika OÜ (Lush Estonia)
Registry code: 11314204
Registered address: Narva mnt 5, 10117 Tallinn, Estonia
Email: customerservice@lush.ee
You may contact us regarding any data protection questions.
2. What data we collect
We collect only necessary personal data. This may include:
-Identity data: name, date of birth, username
-Contact data: email, phone, billing and delivery address
-Order and payment data: purchase information, payment transactions
-Account profile data: password (encrypted), purchase history, preferences
-Technical data: IP address, device information, browser data, cookies
-Marketing and communication preferences
-Website usage data: visits, clicks, purchasing behaviour
We do not collect special categories of personal data (ethnicity, health, etc.).
3. How we collect data
We collect data in the following ways:
-when creating an account
-when placing an order
-when contacting our customer support
-when giving marketing consent
-through analysis of website behaviour (cookies)
4. Legal basis for processing
We process data on the following bases:
-performance of a contract (order, account management)
-consent (newsletter, marketing)
-legitimate interest (security, fraud prevention, improving user experience)
-legal obligation (accounting, tax requirements)
5. What we use the data for
We use your data to:
-process orders and deliver goods
-manage user accounts
-provide customer support
-send notifications and important service updates
-improve user experience and the website
-offer personalized offers (only with consent)
-prevent fraud and ensure security
We do not sell your data.
6. Data sharing
We may share data with:
-Lush group companies (Cosmetic Warriors) and service providers (IT, payment solutions, logistics)
-cloud and e-commerce service providers (e.g. Shopify, Montonio, Parcely)
-law enforcement authorities if required by law
All service providers comply with GDPR and process data only for agreed purposes.
7. Data transfer outside the EU
If data is transferred outside the European Economic Area (e.g. United Kingdom), we use GDPR-required safeguards, such as:
-European Commission standard contractual clauses (SCC)
-assessment of the level of data protection
8. Data retention
We retain data as long as necessary:
-during the customer relationship and order processing
-for accounting purposes for 7 years (Estonian law)
-until you withdraw marketing consent
After the retention period, data is deleted or anonymized.
9. Cookies
We use cookies to improve user experience and functionality.
You may refuse cookies in your browser settings.
Special policy: A cookie policy will be added as a separate document if desired.
10. Your rights
You have the right to:
-access your data
-correct inaccurate data
-request deletion (“right to be forgotten”)
-restrict processing
-object to processing
-withdraw consent
-request data portability to another service provider
We respond to requests within 1 month.
11. Complaints and supervisory authority
If you believe your data protection rights have been violated, you may contact:
Data Protection Inspectorate
Tatari 39, 10134 Tallinn
Email: info@aki.ee


