Privacy policy
OVESSI ("we", "us", "our") operates this website and store (the "Services"). This Privacy Policy describes how we collect, use and disclose your personal information when you visit, use or make a purchase on ovessi.com, or otherwise communicate with us.
By using the Services you confirm that you have read and understood this Privacy Policy.
Information We Collect
Depending on how you interact with us, we may collect the following categories of personal information:
- Contact details: name, billing and shipping address, phone number and email address.
- Payment information: payment card details, transaction details and confirmation. Card numbers are processed by our payment provider and are not stored by us.
- Account information: username, password, account preferences and order history.
- Order information: the products you purchase, returns and customer-service correspondence.
- Customer-support information: messages you send us by email or contact form.
- Usage information: device identifiers, IP address, browser type, pages viewed, referring site and similar information collected through cookies and similar technologies.
- Marketing preferences: your subscription status and engagement with our marketing communications.
- Skin AI data: if you choose to use our on-site skin-analysis tool, photographs of your face and answers to skin-related questions. See the dedicated section below.
How We Use Your Information
We use personal information to:
- Process and fulfil orders, including payment, dispatch and customer service.
- Operate, maintain and improve the Services.
- Communicate with you about your orders, account and our products.
- Send marketing communications where you have agreed to receive them.
- Prevent fraud, secure our Services and comply with legal obligations.
- Generate personalised product recommendations through our optional Skin AI tool.
Lawful Basis
Where UK or EU GDPR applies, we rely on one or more of the following lawful bases: performance of a contract (to fulfil your order), legitimate interests (to run and secure our business), your consent (for marketing, analytics cookies and the Skin AI tool), and compliance with legal obligations.
Skin AI
We offer an optional on-site skin-analysis tool ("Skin AI") that produces personalised product recommendations. Use of the tool is entirely optional and is initiated only when you choose to start the reading.
If you choose to use the tool, you may submit a photograph of your face and answer questions about your skin. We process this data in order to generate your skin reading and personalised product recommendations. Photographs and quiz responses may include information that constitutes "special category" or "sensitive" personal data under UK GDPR, EU GDPR and certain US state privacy laws. We rely on your explicit consent (given by submitting the photograph and your answers) as the lawful basis for this processing.
To deliver this feature, we use carefully selected third-party technology partners who act as data processors on our behalf and are bound by contractual confidentiality and data-protection obligations. Data may be processed and stored outside the United Kingdom and the European Economic Area. Where data is transferred internationally, we rely on appropriate safeguards permitted under applicable law, such as Standard Contractual Clauses or equivalent mechanisms.
We do not sell or share photographs, quiz responses or skin-analysis results with third parties for advertising or marketing purposes. The data is used only to deliver your reading, generate product recommendations, and improve the tool. Photographs are not displayed publicly and are not used to identify you outside the tool.
You have the right to access, correct or delete this data, or to withdraw your consent, at any time. To exercise these rights, contact us using the details in the "Contact" section below.
How We Share Information
We share personal information with the following categories of service providers and partners, all of whom act as our data processors and are bound by written contracts that meet UK GDPR Article 28 and EU GDPR requirements:
| Processor | Purpose | Region of processing |
|---|---|---|
| Shopify International Limited (Ireland) and Shopify Inc. (Canada) | E-commerce platform, hosting, checkout, order management, fraud screening, customer accounts. | EU (Ireland), Canada, US |
| Shopify Payments / Stripe | Card payment processing, 3-D Secure, payouts, chargeback handling. | EU, UK, US |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing for customers who choose PayPal at checkout. | Luxembourg, EU |
| Apple Inc. and Google LLC | Apple Pay and Google Pay tokenised checkout, where you choose to use them. | US |
| Made-to-order fulfilment provider | Manufacture and dispatch of EU and US orders. Receives recipient name, address and order contents only. | EU, US |
| Klaviyo Inc. | Transactional and marketing email and SMS, on-site signup forms, subscriber profile storage, abandoned-cart and back-in-stock automations. | US (Standard Contractual Clauses in place for EU and UK data) |
| Google LLC (Google Analytics 4, Google Tag Manager) | Site analytics, traffic measurement and aggregated reporting. Fires only after analytics-cookie consent under our Consent Mode v2 implementation. | US, EU (Google Ireland) |
| Meta Platforms Ireland Limited (Facebook, Instagram) | Conversion tracking and advertising audiences. Fires only after marketing-cookie consent. | EU (Ireland), US |
| TikTok Information Technologies UK Limited | Conversion tracking and advertising audiences. Fires only after marketing-cookie consent. | UK, EEA, US, Singapore |
| Face Age (Skin AI provider) | Powers the optional on-site Skin AI tool. Receives the photograph and quiz answers you submit, returns a skin reading and product recommendations. Used only with your explicit consent. | EU, US (Standard Contractual Clauses where applicable) |
| BOGOS.io | Powers the free-candle-with-ritual gift offer at checkout. Receives cart contents only, no contact data. | US |
| Shopify Collabs | Manages our Partner Programme creator relationships and commission payouts. Receives creator-supplied profile data only when a creator applies. | EU, US |
| Royal Mail Group, DHL, FedEx, UPS, La Poste, Deutsche Post | Shipping and delivery. Receives recipient name, address and contact details to deliver your order. | UK, EU, US (varies by carrier and route) |
| Cloudflare, Inc. | Content delivery, DDoS protection, bot mitigation for ovessi.com. | Global edge network |
| Microsoft / Zoho Mail | Operating our hello@ovessi.com inbox infrastructure. | EU, US |
| MailerSend | Transactional order emails (order confirmation, dispatch, delivery, receipts) sent from send.ovessi.com. | EU, US |
| Professional advisors | Lawyers, accountants and similar advisors, where necessary. | UK, EU |
We may also disclose personal information to authorities where required by law, regulation or legal process, or to protect our rights or those of others; and to successors in the event of a merger, acquisition or sale of assets.
We do not sell your personal information. We do not share it for cross-context behavioural advertising without your consent.
International Transfers
Your information may be transferred to, stored and processed in countries outside your country of residence, including outside the United Kingdom and the European Economic Area. Where we transfer personal data internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, the UK Addendum, or equivalent mechanisms. You may request a copy of the relevant safeguards by contacting us.
How Long We Keep Information
We keep personal information for as long as necessary to provide the Services, comply with our legal obligations (including tax and accounting), resolve disputes and enforce our agreements. Typical retention periods: order and tax records for seven years; marketing-subscriber profiles until you unsubscribe plus two years; Skin AI photographs for ninety days unless you save them to your account, after which they are deleted or anonymised. When information is no longer needed it is deleted or anonymised.
Cookies and Similar Technologies
We use cookies and similar technologies to operate the Services, remember your preferences, measure performance and personalise your experience. On first visit we show a privacy banner in line with UK GDPR, EU ePrivacy and applicable US state laws. Until you accept analytics or marketing cookies, only strictly necessary cookies are set; advertising and analytics tags such as Google Analytics, Meta Pixel and TikTok Pixel are gated by Consent Mode v2 and remain inactive. You can change your choice at any time using the "Cookie preferences" link in the footer of the site.
Your Rights
Subject to applicable law, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Request deletion of your information.
- Restrict or object to certain processing.
- Withdraw consent at any time, where processing is based on consent.
- Request a copy of your information in a portable format.
- Lodge a complaint with your local data-protection authority. In the United Kingdom this is the Information Commissioner's Office (ico.org.uk). In Germany, your competent state data-protection authority. In Ireland, the Data Protection Commission. Residents of California and other US states with comprehensive privacy laws have equivalent rights under those laws.
To exercise any of these rights, email hello@ovessi.com. We will respond within the time limits set by applicable law (one month under UK and EU GDPR, extendable by two months where the request is complex).
California Notice (CCPA / CPRA)
California residents have the right to know what personal information we collect, to request its deletion or correction, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. We do not sell personal information for money. Our use of analytics and advertising cookies may, depending on settings, constitute "sharing" for cross-context behavioural advertising under California law. You can opt out at any time using the "Cookie preferences" link in the footer, or by sending a Global Privacy Control (GPC) signal from your browser, which we honour automatically.
Children
The Services are not directed to children under the age of 16 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or for legal reasons. The most current version is always available on this page. Material changes will be notified by email to subscribers and via a notice on the site.
Contact
OVESSI is operated by Wiseman FO. For privacy-related questions or to exercise your rights, write to hello@ovessi.com.
With care. OVESSI