Privacy Policy
BATH & BODY WORKS PRIVACY POLICY
Last Updated: 28 March 2019
At Bath & Body Works, we value your privacy and strive to protect your personal data in compliance with the governing laws of the countries we operate in.
Our Privacy Policy has been drafted to help you understand how Bath & Body Works collects, records, manages, uses, stores, transfers and discloses your personal data. As an organization, we strive to maintain the highest standards of data security and privacy, always adhering to the laws of each country we operate in.
We may update this Privacy Policy from time to time to reflect changes to our privacy practices or for other legal, operational or regulatory reasons. If we amend this Privacy Policy, we will revise the “last updated” date located at the top of this Privacy Policy.
PLEASE READ THE FOLLOWING TO UNDERSTAND OUR PRACTICES REGARDING YOUR PERSONAL DATA AND HOW WE WILL TREAT IT.
SECTION 1: ABOUT Bath & Body Works
SECTION 2: SOURCES OF DATA
SECTION 3: HOW DO WE USE YOUR DATA
SECTION 4: DISCLOSURE AND TRANSFER OF PERSONAL DATA
SECTION 5: SECURITY OF YOUR DATA
SECTION 6: COOKIES
SECTION 7: Individuals and Organizations That May Access Information
Section 8: Rights and Responsibilities of Customers under the Privacy Policy
SECTION 9: ACCESS, CORRECTION AND WITHDRAWAL OF CONSENT
SECTION 10: PAYMENT SECURITY POLICY
SECTION 1 – ABOUT Bath & Body Works
This Privacy Policy/ Personal Data Protection Policy (“Privacy Policy” or “Policy”) is designed by Lux Viet American Beauty Company Limited (“Bath&bodyworks” or “Company” or “We” or “Ourselves” or “Us”) to help customers (“Customers”) understand how We collect, use, protect, disclose and/or process personal data that Customers have provided to Us through the use of the Website with the domain name http://www.bathandbodyworks.vn (“Website”) for shopping or sharing information with Us whether now or in the future, as well as to help Customers make informed decisions before providing Us with any of their personal data.
We, Lux Viet American Beauty Company Limited, are committed to assuring our Customers that We take seriously our responsibilities regarding information security in accordance with the regulations on the protection of personal information confidentiality under Vietnamese law, and We commit to respecting the privacy and concerns of all Customers regarding Bath&bodyworks' Website.
By accessing, using the Website and/or signing up as a member, Customers agree with Us that they accept the methods, requirements and/or policies described in this Privacy Policy and hereby acknowledge that they are fully aware of and consent to Bath&bodyworks collecting, using, disclosing and/or processing their personal data as described in Section 2 of this Policy.
Please read this Policy carefully. As our business operations will continuously develop, our Personal Data Protection Policies, Website and Terms of Use may also be updated continuously. Customers' use and/or continued use of our products and services is understood as Customers accepting the updated Privacy Policy. Customers agree that they are responsible for regularly checking for any updates or changes to this Privacy Policy. Unless otherwise provided, our current Policy applies to all information We have about Customers and Customers' accounts, including but not limited to Customers' personal information and/or any information or data that We may obtain from Customers through the Website. Customers' access to our Website and any privacy disputes shall be governed by this Privacy Policy.
This policy is applied in conjunction with notices, contractual terms, other applicable consent terms relating to our collection, storage, use, protection, disclosure and/or processing of Customers' personal data. We reserve the right to modify this Policy at any time within the scope permitted by applicable laws and regulations. We will notify Customer of any material changes to this Policy by posting it on the Website or by any other means We deem appropriate. The amended Policy will be effective when Customers are notified in a reasonable manner according to our regulations or when it is posted on the Website. If We amend this Privacy Policy, We will revise the “last updated” date located at the top of this Privacy Policy.
SECTION 2: SOURCES OF DATA
2.1. Definitions
“Personal data” refers to information in the form of symbols, writing, numbers, images, sounds or similar forms in the electronic environment associated with a specific individual or aiding in identifying a specific individual. Personal data includes basic personal data and sensitive personal data specifically regulated in Decree No. 13/2023/ND-CP and may be amended, supplemented or replaced by subsequent effective documents. “Processing of personal data” refers to one or more activities affecting personal data, such as: collection, recording, analysis, verification, storage, modification, disclosure, combination, access, retrieval, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions.
2.2. Sources of data
We (or our service providers) collect Your information: (a) through www.bathandbodyworks.vn, (b) when You sign up or use our website to create an account with us, (c) when You communicate with Us through telephone calls (which may be recorded), letters, conversations on the Website or via email, via third-party social media sites, (d) when You make purchases from Us or engage in other activities on our Website, (e) when You participate in a contest or other promotion, (f) when You provide feedback or complaints to us, (g) when You otherwise communicate with Us or provide information to us, or any other cases as determined by Us and/or current legal regulations. Note: The cases We mention here are not intended to list all possible cases but are only common cases of personal data collection.
During the Customer's use of the Website and depending on our decision to upgrade the functionality of the Website to include online shopping functionality through an online personal account, at each moment, We may collect and process the following Personal Data:
a) Identification information including user identification, profile pictures, usernames (nicknames) or similar identification information, date of birth and gender;
b) Contact information including name, email address and phone number;
c) Transaction data including payments to or from the Customer and details of the products and services purchased by the Customer from Us, and the information the Customer enters on the Website when the Customer registers for events or participates in promotional programs organized by us, for example, the Customer’s name, email address, phone number and products purchased by the Customer;
d) Customer account login data, browser type and version, timezone and region configuration, location data of our stores where the Customer registers the location, browser plugin type and version, operating system, platform and other technology on the device used to access the Website;
e) Account profile data including user identification information, usernames (nicknames), passwords, any purchase transactions or orders of the Customer, preferences, priorities, feedback and survey evaluation opinions of the Customer;
f) Usage data including information about how the Customer uses our Website and services, products;
g) Marketing and communication data including preferences for receiving marketing information from Us and preferences for how to receive that marketing information;
h) Basic personal data defined in Decree No. 13/2023/ND-CP and other effective legal documents on personal data (if any).
By accessing or using our services, You signify Your consent to the above collection and processing of Your personal information.
SECTION 3: HOW DO WE USE YOUR DATA
3.1. Purposes of personal data collection
We (and our service providers, on our behalf) may use the information We collect from and about You for a variety of purposes, including the following:
a) To fulfil Your requests for products and services and to keep You updated about Your orders;
b) Keeping You informed (either via post, telephone, email or SMS service) about our new stores, products, services, upcoming events, or promotions;
c) To facilitate Your participation in any contests or events;
d) Where appropriate for market research;
e) Affiliate marketing initiatives with partners or third-party service providers related to Bath & Body Works;
f) Analytics, search engine, marketing campaign & CRM (Customer Relationship Management) service providers purely based on Bath & Body Works initiatives for marketing & communication purposes.
g) Creating and managing Customer accounts on Bath&bodyworks’ Website;
h) Handling delivery to Customers and returns in case of exchanges;
i) Processing payments from Customers and issuing refunds (if any);
j) Enforcing Terms of Use, Terms and Conditions;
k) Performing functions in other ways for Customers at the time of collection;
l) As requested by law or permitted by law;
m) For other purposes related to the operation of the website, policies, programs according to our business activities.
The purposes for which We have collected, are collecting and will collect, use, disclose, protect or process the Personal Data of Customers depend on the current circumstances, and a given purpose may not be explicitly stated above. However, We will inform Customers of other purposes at the time of requesting Customer permission, unless the processing of data without Customer consent is permitted by the provisions of the law on the protection of personal information or other legal regulations.
3.2. Provision of personal data by Customers
Personal data collected with the clear consent of Customers shall only be used for activities specified in this Policy, except in the following cases:
a) A separate agreement between Us and Customers regarding the use of personal information for purposes and scope beyond those clearly defined in this Policy.
b) We provide products or services at the request of Customers.
c) We fulfill our obligations under the law and current regulations.
Customers hereby agree not to provide Us with any false or misleading information and also agree to notify and update Us of any inaccurate or changing information. We reserve the right, at our discretion, to request documents or texts deemed necessary to verify any information provided by Customers.
In case Customers do not agree to provide personal data and do not agree to allow Us to collect and process the personal data information mentioned in this Policy, Customers may not participate/create an account on our Website. However, please note that refusing or revoking permission for Us to collect, use or process Customers' personal data may affect Customers' use of the Website for their shopping.
3.3. Data retention period
Customer information will be stored by Us for the duration of the account's existence. For accounts that have become inactive, We will still retain the personal information and access of Customers to serve the purposes of fraud prevention, investigation, addressing inquiries and other requests related to the purchase history of Customers.
We will store or retain Personal Data obtained in electronic form recorded by our servers or servers of third parties contracting with Us (if any).
3.4. Processing of personal data
Depending on the purpose of collecting personal information, We will perform one or more activities affecting Customers' personal data, including but not limited to: collecting, recording, analyzing, verifying, storing, disclosing, combining, accessing, retrieving, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data or other related actions permitted by law. Processing activities of Customer's personal data may be carried out by Us through automated or manual methods or by any other method that We deem appropriate.
3.5. Data cancellation and deletion, adjustment of personal data
We will maintain personal data in compliance with the regulations of data protection laws and/or other applicable laws. We will delete or erase personal data when requested by the Customer in accordance with legal requirements or when We have a reasonable basis to determine that (i) storage is no longer necessary for any purpose of collecting that personal data, (ii) storage is no longer necessary for any lawful purpose or business purpose; (iii) there are no other legitimate interests to continue retaining this personal data. If the Customer stops using our Website or Customer’s rights to use the Website are terminated or revoked, We may continue to store, use according to this Privacy Policy and fulfill our obligations under applicable data protection laws. Depending on legal requirements, We may securely destroy Customer's personal data without prior notice and consent of the Customer.
We reserve the right to delete, destroy personal data in cases where requests from the Customer do not comply with the current legal regulations or cases where We are not allowed to delete under legal regulations.
Customers have the right to request Us to update, adjust or delete their personal information that We hold, subject to certain exceptional cases as prescribed by law, by sending an email, updating on the Customer's personal account provided on the Website or by written request to Us via contact information. We may request certain specific personal information to verify the identity of the requester.
SECTION 4 – DISCLOSURE AND TRANSFER OF PERSONAL DATA
In order to provide the above services to You, We may share Your personal information with our subsidiaries and affiliated companies worldwide, and selected third parties including our business partners, franchisors, brand principals and third-party service providers for storage or processing for reporting purposes, conducting analysis to evaluate our business activities in Vietnam, providing goods and services to Customers and/or other purposes as appropriate and permitted by law. We will only transfer Customers’ personal data abroad in compliance with the regulations of personal data protection laws and this Policy.
The Bath & Body Works headquarters is in Malaysia, however the personal data We collect from You may be transferred to, processed and stored in different countries depending on the circumstances, including any countries where Bath & Body Works operates (Malaysia, Singapore, Thailand, Indonesia, Vietnam, New Zealand, Russia, Macau, Philippines). When transferring Customer's personal data abroad, We will take appropriate protective measures according to the law and current regulations to protect Customer's personal data. Please note Your personal data may be transferred to, processed and stored in countries which may or may not provide the same level of protection as the country in which You initially provided the information. In such cases we ensure that adequate protection for Your personal data is provided as required by applicable law and at least equivalent to those prescribed by Vietnamese law.
We may disclose Your personal information to law enforcement agencies and government bodies if We are required to do so by law; or when We believe in good faith that such disclosure is reasonably necessary to comply with legal process.
By providing personal information to us, You consent to Your personal data being transferred to, processed and stored in these countries in accordance with local laws.
SECTION 5 – SECURITY OF YOUR DATA
We have put in place reasonable measures to safeguard Your personal information against loss, theft and unauthorised access, use or modification.
Such measures include limiting access to personal information to only Bath & Body Works employees and authorized third party service providers who need to know such information for the purposes described in this Privacy Policy, as well as other technical and physical safeguards.
All direct payment gateways We use adhere to the standards set by PCI-DSS (Payment Card Industry Data Security Standards) as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
If You provide Us with Your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with an AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, We follow all PCI-DSS requirements and implement additional generally accepted industry standards.
The Bath & Body Works Website may contain links to other third-party websites and microsites, whose privacy practices may differ from Bath & Body Works. Such websites are governed by their respective privacy policies, which are beyond our control. Once You leave our servers (You can know where You are by checking the URL in the location bar on Your browser), use of any information You provide is governed by the privacy policy of the operator of the website You are visiting. That policy may differ from ours. If You can’t find the privacy policy of any of these websites via a link from the website’s homepage, You should contact the website directly for more information.
SECTION 6 – COOKIES
A cookie is a small text file that is stored on a user’s computer for record-keeping purposes. We use cookies on all websites related to Bath & Body Works. We do link the information We store in cookies to any personally identifiable information You submit while on our Website.
We use both session ID cookies and persistent cookies. We use session cookies to make it easier and more secure for You to navigate our Website. A session ID cookie expires when You close Your browser. A persistent cookie remains on Your hard drive for an extended period of time. You can remove persistent cookies by following directions provided in Your Internet browser’s “help” file. Reference for cookies can be found at http://www.cookiecentral.com/. We use session cookies to store the secure session and browsing preferences of the user. We set a persistent cookie to store Your username and interests, so You don’t have to enter it more than once. Persistent cookies also enable Us to track and target the interests of our users to enhance the experience on our Websites. If You reject cookies, You may still use our Website, but Your ability to use some areas of our Website will be limited. Cookies are used in the shopping bag to enable enhanced security and to ensure there is no URL-based spamming.
Unless You voluntarily identify Yourself (through registration, for example), We will have no way of knowing who You are, even if We assign a cookie to Your computer. The only personal information a cookie can contain is information You supply (an example of this is when You transact as a guest or add items to the shopping bag). A cookie cannot read data off Your hard drive.
Some of our business partners (e.g., advertisers) set cookies while delivering banners on our Website. We have no access to or control over these cookies.
This privacy statement covers the use of cookies by Bath & Body Works Websites only and does not cover the use of cookies by any advertisers.
We do use cookies on point of collection pages of email address, but We do not use them in emails. Our web servers automatically collect limited information about Your computer’s connection to the Internet, including Your IP address, when You visit our Website. (Your IP address is a number that lets computers attached to the Internet know where to send You data — such as the web pages You view.) Your IP address does not identify You personally. We use this information to deliver our web pages to You upon request, to tailor our Website to the interests of our customers, to measure traffic within our Website and let advertisers know the geographic locations from where our visitors come.
When You visit any of Bath & Body Works Websites, our Company servers will automatically record information that Your browser sends whenever You visit a Website. This data may include but is not limited to:
a) Your computer’s IP address (as explained in Cookie Section above)
b) Browser type
c) Webpage You were visiting before You came to our site
d) The pages within our network You visit
e) The time spent on those pages, items and information searched for on our site, access times and dates, and other statistics.
SECTION 7: Individuals and Organizations That May Access Information
In Vietnam, Bath&bodyworks’ legal entity controlling Customer's personal data is Lux Viet American Beauty Company Limited.
We may share (or permit sharing) Customer’s personal data and/or transfer Customer's personal data to third parties and/or our affiliates for the purposes mentioned in this Privacy Policy. Third parties and affiliates may be present in or outside Vietnam, including but not limited to:
a) Companies that are members of the Valiram Group;
b) Service providers (e.g., agents, retailers, contractors and partners in fields such as payment services, transportation and delivery services, marketing, Customer data analysis or research, social media, Customer service, installation services, information technology and web hosting services);
c) Service providers and their related companies;
d) Website and App users (if any) or other Services;
e) When disclosing Customer’s personal data to third parties, We ensure that third parties and our affiliates will safeguard Customer’s personal data from unauthorized access, collection, use, disclosure, unauthorized data processing or similar risks and only retain Customer’s personal data for the necessary period to achieve the purposes mentioned above;
f) We may also share personal data in connection with any acquisition, merger or any acquisition in our business activities, provided that We meet the requirements of data protection laws applicable when disclosing Customer’s personal data;
g) We may transfer or permit the transfer of Customer’s personal data outside Vietnam for any purposes specified in this Privacy Policy. However, We will not transfer or permit any personal data of Customer’s to be transferred outside Vietnam unless such transfer of personal data complies with the regulations of the applicable law.
We may share Customer’s personal data with third-party service providers or our affiliates (e.g., payment service providers) for them to provide services to the Customer beyond the services the Customer uses on our Website and App or our Services. Customers’ agreement to use services from third-party service providers or our affiliates will be subject to the terms and conditions agreed upon between Customers and the third-party service provider or our affiliate. When the Customer agrees to the provision of services by third-party service providers or our affiliates, the collection, use, disclosure, storage, transfer and processing of Customers’ personal data (including Customers’ personal data and any data disclosed by Us to the third-party service provider or affiliate) must comply with the applicable privacy policy of the third-party service provider or our affiliate, who will be the data controller of the data provided. Customers agree that any inquiries or complaints related to Customers’ agreement to use services from third-party service providers or our affiliates will be forwarded to the entity named in the applicable privacy policy.
Section 8: Rights and Responsibilities of Customers under the Privacy Policy
Depending on our decision to upgrade the functionality of the Website to include online shopping through an online personal account, Customers have the following rights regarding their Personal Data:
a) Be informed about the processing activities of their personal information.
b) Request access to their Personal Data. Customers may request copies of the data We hold and may confirm that We are processing their Personal Data lawfully.
c) Request correction of their Personal Data when the information is incomplete or inaccurate. However, in this case, We may need to verify the accuracy of the new information provided by the Customers.
d) Request withdrawal of their consent in accordance with the procedures specified in this Policy and/or as provided by applicable law.
e) Request that We delete their Personal Data, subject to the provisions of the law and this Privacy Policy. However, at the time of invoicing, We may not always be able to comply with Customers’ deletion request for certain legal reasons (the Customer will be notified if applicable).
f) Request the restriction of processing of their personal information in accordance with the provisions of the law and this Policy.
g) Object to the processing of their Personal Data if the processing by Us or any third party processing the Personal Data makes the Customers feel that it affects their fundamental rights or freedoms in specific situations they are placed in. Customers may object to the processing of this Personal Data.
h) Withdraw their consent if they do not agree to the processing of Personal Data mentioned in this policy. However, this will not affect the legality of the processing of Personal Data before the Customer withdraws their consent. Additionally, Customers acknowledge that if they withdraw their consent, We may not be able to provide them with a specific product or service. In such cases, We will notify Customers when the Customer withdraws their consent.
i) Complain, report or litigate in accordance with the law.
j) Request compensation for damages as provided by law in case of violation of provisions on personal data protection, except as provided in this Policy and/or other provisions of the law.
k) Comply with the provisions stated in this Policy.
l) Comply with the laws on personal data protection and participate in preventing and combating violations of provisions on personal data protection.
SECTION 9: ACCESS, CORRECTION AND WITHDRAWAL OF CONSENT
If You have any queries, comments, complaints or updates about our Privacy Policy or our collection and processing of Your personal data, please contact Us at:
Data Protection Officer
LUX VIET AMERICAN BEAUTY COMPANY LIMITED
19th Floor, Room 1901, Saigon Trade Center
No. 37 Ton Duc Thang, Ben Nghe Ward, District 1, Ho Chi Minh City, Vietnam
Email: cs@bathandbodyworks.vn
If You wish to access, update or withdraw consent for the use of the Personal Information collected by us, please email the above contact. Alternatively, You may also log into the Bath & Body Works microsite located in our Website (www.bathandbodyworks.vn) and access Your account to amend or change Your data if You find it incorrect.
We will not correct Your personal data upon request from any third party, unless such third party is able to produce documentary evidence of Your authorization to do so.
SECTION 10: PAYMENT SECURITY POLICY
We prioritize information security and implement the best measures to protect our customers' personal information during the payment process. Therefore, all customer transaction information is kept confidential, except when disclosure is required by a competent state agency.
Currently, our website only accepts online payments via international payment cards (Visa and Mastercard) through Payoo, a legally licensed payment gateway partner in Vietnam (“Payment Gateway Partner”). Our card payment security standards comply with those of the Payment Gateway Partner, including:
Customer payment card information is protected by the SSL (Secure Sockets Layer) protocol, which encrypts the information provided by the customer during the transaction process.
The payment system meets the PCI-DSS (Payment Card Industry Data Security Standard) managed by the PCI Security Standards Council.
Principles and regulations on information security in the banking and finance industry as prescribed by the State Bank of Vietnam.
VERIFIED BY VISA
Our payment gateway WireCard supports Verified by Visa (VbV), a security technology that authenticates Your Visa card and ensures that only the authorized cardholder is placing the order. If the bank that issued Your Visa card supports VbV, You may be prompted to enter Your password during Checkout.
MASTERCARD SECURECODE
Our payment gateway WireCard supports MasterCard SecureCode, a security technology that authenticates Your MasterCard card and ensures that only the authorized cardholder is placing the order. If the bank that issued Your MasterCard supports SecureCode, You may be prompted to enter Your password during Checkout.
We do not store card information for use in subsequent payments. If You encounter any issues related to the security of your payment card information, please contact the Payment Gateway Partner for assistance.