Privacy policy

Last updated: 14 July 2026

We take your privacy very seriously and are confident that you do the same. Please take a moment to read this policy carefully.

This privacy policy describes how we collect, use, store, and protect your personal data in accordance with the European Union General Data Protection Regulation (GDPR) and Estonian personal data protection legislation.

We understand that this document is comprehensive, therefore we have summarized the main points below:

We collect your personal data to provide the functionality and services of the Lush website.

If you give consent, we will send you Lush news.

We share data only with trusted partners, never publicly or for sale.

If required by law, we may transfer data to authorities.

Your data may be processed outside Estonia, but always securely in accordance with GDPR.

Cookies help us remember you and improve the experience (you may opt out of them).

We never sell your personal data.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in legislation, our services, or our data processing practices. The latest version will always be available on our website.

1. Who we are

Under this privacy policy, the data controller is:

Eetiline Kosmeetika OÜ (Lush Estonia)

Registry code: 11314204

Registered address: Narva mnt 5, 10117 Tallinn, Estonia

Email: customerservice@lush.ee

You may contact us regarding any data protection questions.

2. What data we collect

We collect only necessary personal data. These may include:

-Identity data: name, date of birth, username

-Contact data: email, phone, billing and delivery address

-Order and payment data: purchase information, payment transaction details and payment status. Payment information is processed securely by our payment service providers.

-Account profile data: password (encrypted), purchase history, preferences

-Technical data: IP address, device information, browser data, cookies

-Marketing and communication preferences

-Website usage data: visits, clicks, purchasing behaviour

We do not collect special categories of personal data (ethnicity, health, etc.).

3. How we collect data

We collect data in the following ways:

-when creating an account

-when placing an order

-when contacting our customer support 

-when giving marketing consent

-through analysis of website behaviour (cookies)

4. Legal basis for processing

We process data on the following bases:

-performance of a contract (order, account management)

-consent (newsletter, marketing)

-legitimate interest (security, fraud prevention, improving user experience)

-legal obligation (accounting, tax requirements)

5. What we use the data for

We use your data to:

-process orders and deliver goods

-manage user accounts

-provide customer support

-send notifications and important service updates

-improve user experience and the website

-offer personalized offers (only with consent)

-prevent fraud and ensure security

We do not sell your data.

6. Data sharing

We may share your personal data with carefully selected third-party service providers where necessary to operate our business and provide our services, including providers of:

- e-commerce services;

- payment services;

- delivery services;

- website analytics;

- email marketing; and

- customer communication services

We may also disclose personal data to public authorities where required by law.

All third-party service providers process personal data only for the agreed purposes and in accordance with applicable data protection legislation.

7. Data transfer outside the EU

If personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with the GDPR, including:

-European Commission standard contractual clauses (SCC)

-assessment of the level of data protection

8. Data retention

We retain data as long as necessary:

-during the customer relationship and order processing

-for accounting purposes for the period required by applicable Estonian legislation

-until you withdraw marketing consent

After the retention period, data is deleted. 

9. Cookies

We use cookies to improve user experience and functionality.

You may refuse cookies in your browser settings.

Please refer to our separate Cookie Policy for detailed information about the cookies we use and how you can manage your preferences.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, alteration or disclosure. Access to personal data is limited to authorised personnel and trusted service providers who require it to perform their duties.

11. Your rights

You have the right to:

-access your data

-correct inaccurate data

-request deletion (“right to be forgotten”)

-restrict processing

-object to processing

-withdraw consent

-request data portability to another service provider

We respond to requests within 1 month.

12. Complaints and supervisory authority

If you believe your data has been violated, you may contact:

Data Protection Inspectorate
Tatari 39, 10134 Tallinn
Email: info@aki.ee

13. Children's Privacy

Our website is not intended for children and we do not knowingly collect personal data from children.

14. Third-Party Websites

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices or content of these websites and encourage you to review their privacy policies before providing any personal data.