CHARLOTTE TILBURY
PRIVACY POLICY – UK & EEA
LAST UPDATED: APRIL 2026
1. Introduction
At Charlotte Tilbury, we are committed to protecting your personal data and respecting your privacy. You must be 18 or older to buy our products and services and/or create an account. This website is not intended for children, and we do not knowingly collect data relating to children.
2. Who We Are
This website is operated by Charlotte Tilbury Beauty Limited, registered in England and Wales (company number 08037372) with registered address at 8 Surrey Street, London WC2R 2ND, United Kingdom.
The data controller of your personal data depends on the delivery destination of your order or, where you are not placing an order, your location:
- For orders with a UK delivery address, or where you are otherwise located in the UK, the data controller is Charlotte Tilbury Beauty Limited.
- For orders with an EEA delivery address, or where you are otherwise located in the EEA, the data controller is Charlotte Tilbury Beauty Ireland Limited, a company registered in Ireland (company number 736254) with registered address at 6th Floor, 2 Grand Canal Square, Dublin 2, D02 A342, Ireland.
References in this Privacy Policy to "us", "we" or "our" refer to the relevant data controller identified above, unless we state otherwise.
In some cases, other Charlotte Tilbury group entities, Puig group companies or authorised Retail Partners may act as independent controllers for their own processing activities. Where this applies, the relevant controller will be identified at the point of collection, purchase or interaction.
Our Group Companies
We are part of the Charlotte Tilbury group, which includes entities owned or controlled by Charlotte Tilbury Beauty Limited that operate Charlotte Tilbury websites or are responsible for stores, concessions, stands or events in your country.
We are also part of the wider Puig group of companies. Where you provide your consent (where required by law), we may share your personal data with other Puig group companies so that they can send you their own marketing communications. The Puig group operates a portfolio of brands across beauty, fashion and fragrance. We will provide you with information about the relevant Puig group companies and this processing at the time we ask for your consent. You can withdraw your consent at any time.
Retail Partners
Charlotte Tilbury products and services may also be sold through authorised third-party retailers (“Retail Partners”). A list of our authorised Retail Partners is available here. Where you purchase Charlotte Tilbury products from a Retail Partner, that Retail Partner will typically act as an independent controller in relation to its own processing of your personal data. Please refer to the Retail Partner’s privacy notice for information about how they use your personal data.
3. Contact Us
If you have questions, want to exercise your rights, or have a complaint, you can contact us and our EU representative via:
- Online: Privacy Request Portal
- Email: dpo@charlottetilbury.com
- EU Representative Email: dpocharlottetilburyeurope@dentons.com
- Post: Data Protection Officer, Charlotte Tilbury Beauty Limited, 8 Surrey Street, London, United Kingdom WC2R 2ND, UK
For customer service enquiries (non-privacy), please contact Customer Care via our help page.
4. Updates
We may update this Privacy Policy from time to time. If we make material changes that may affect your rights, we may provide additional notice (for example, by email or via our website).
5. When we will collect your personal data
We may collect personal data about you when you:
- use our website or app (including via cookies and similar technologies);
- create or manage an account, or join our loyalty programme;
- buy products or services (online or in-store from us);
- purchase from an authorised Retail Partner (in which case we may receive limited information about your purchase from the Retail Partner);
- interact with us in-store (including appointments/consultations) and via in-store technologies (such as CCTV, Wi-Fi and footfall/traffic measurement where used);
- contact Customer Care or otherwise communicate with us;
- submit surveys, reviews, or other feedback, or participate in competitions/events/pop-ups/activations;
- interact with our marketing and advertising (including on third-party platforms);
- interact with our social media pages or mention us (subject to your settings).
Cookies and similar technologies: We use cookies and similar technologies on our website and app. For more information, please see our Cookie Policy. You can manage your cookie preferences at any time using the “Manage Cookies” link or your browser/device settings. Our website does not currently respond to “Do Not Track” browser signals.
Sensitive Personal Data
We may collect and use certain personal data that is treated under data protection laws as special category data or sensitive personal data, but only where an appropriate condition under UK/EU data protection law applies, such as your explicit consent or compliance with legal obligations (for example, product safety reporting). This may include information such as allergy or skin-sensitivity information, or information you provide in relation to product safety or events.
Where we process facial imagery for features such as skin analysis or virtual try-on, we use it to provide the requested feature and do not use it to verify your identity or for identity authentication purposes.
Where we rely on your explicit consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Where we must process and retain information to comply with legal obligations (for example, product safety reporting), we may continue to process that information even if consent is withdrawn.
6. How we use your personal data and legal basis
The table below summarises the categories of personal data we process, the purposes for which we use it, and the legal bases we rely on. Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You can contact us for more information about these assessments.
| Data Category | What Data We May Use | Why We Use It | Legal Basis |
| --- | --- | --- | --- |
| Identity & Contact Details | Name, email address, postal address, telephone number, account credentials | Account creation and management; authentication; order processing; service communications; deduplication | Contract; Legitimate Interest |
| Demographic Information | Age, gender, optional demographic indicators | Segmentation; birthday treats; service optimisation | Legitimate interests; Consent |
| Beauty Profile & Preferences | Skin tone, hair/eye colour, preferences, quiz responses, beauty goals | Personalisation; recommendations; user experience | Legitimate Interest; Consent |
| Skin Information | Limited health info (e.g., allergies/reactions) | Product safety; compliance; customer claims | Explicit consent; Legal obligations |
| Pro Beauty Tech | Facial imagery, skin analysis, virtual try-on scans, optional storage | Feature delivery; personalised recommendations | Consent |
| Transactional | Purchases, payment method, billing details, order history, refunds | Transactions; fraud prevention; accounting/audit | Contract; Legal Obligation; Legitimate Interest |
| Order Delivery | Name, address, order details, recipient message | Delivery via couriers/postal services | Contract |
| Technical and Usage | IP address, device IDs, cookie IDs, browser/OS, logs, session data, language, referrer, usage | Security; performance; analytics; personalisation; fraud detection | Legitimate interests; Consent (where required for cookies) |
| Location | Approximate location (IP); precise location (opt-in) | Location-based content; analytics; fraud prevention | Legitimate interests; Consent (precise location) |
| Customer Care and Communications | Emails, chat, SMS/WhatsApp, call recordings (where applicable), logs and correspondence | Responding to requests; complaint handling; quality assurance; training | Contract; Legitimate Interest |
| Marketing & Communications | Contact details, preferences, purchase/browsing activity, VIP/store/advisor preferences | Marketing communications; tailored offers; events; back-in-stock messages | Consent (electronic direct marketing, subject to applicable “soft opt-in” rules); Legitimate interests (postal marketing and preference/suppression management); Contract (requested service messages such as back-in-stock) |
| Survey and Feedback | Survey responses, reviews, ratings, contest submission | Improve products/services; satisfaction analysis | Consent; Legitimate Interest |
| Social media and Public Profile | Handles, profile information (depending on your settings), public posts and interactions with our brand accounts | Community engagement; social listening; complaint handling | Legitimate Interest; Consent (platform-dependent) |
| User-Generated Content | Reviews, photos, videos, comments | Publishing content; marketing (where permitted); product improvement | Consent; Legitimate Interest |
| CCTV and In-Store Surveillance | Video recordings in retail locations/counters | Security; safety; loss prevention; incident investigation | Legitimate interests; Legal obligation (where applicable) |
| Behavioural | Behavioural profiles; predicted preferences; wishlists; searches/returns | Personalisation; product development; targeted marketing; analytics | Legitimate Interest |
| Optional Additional Information | Birthday; physical characteristics; optional preferences | Enhanced personalisation; virtual tools | Consent; Legitimate Interest |
| Advertising & Cross-Device Tracking | Email/device IDs, hashed identifiers, browsing history | Personalised advertising; measurement; cross-device targeting | Consent |
| Behavioural and AI-Powered Experiences | Prompts (text/images) submitted to AI tools; outputs | Virtual assistants; recommendations; analytics; safety monitoring | Consent; Legitimate Interest |
| Anti-Counterfeit & IP Enforcement Data | ID data, contact info, purchase history, social handles | Prevent and investigate counterfeit activity, protect IP, manage enforcement actions, and comply with legal obligations | Legitimate interest; Legal Obligation |
| Event/Image Data | Photos/videos at events/in-store or submitted | Marketing and promotional activities | Consent |
| Global Account Recognition | Account info, customer ID, transaction history, preferences | Recognition across channels for consistent service | Legitimate Interest |
Anonymised and aggregated data
We may anonymise or aggregate personal data so that it no longer identifies you and use it for analytics, testing, research and service improvement.
AI-enabled features and chatbots
We may offer AI-enabled features, including chatbots and virtual assistants, to help you interact with our services more efficiently (for example, to answer questions, provide product information, support customer care queries, and offer personalised recommendations). When you use these features, we may process the information you choose to provide in your prompts (such as text and, where the feature allows, images), together with related interaction data (for example, date/time, device and session identifiers, and the content of our responses) in order to provide the feature, improve our services and maintain security.
Please do not include unnecessary personal data in your prompts, and do not share special category data (such as health information) or any sensitive or confidential information. AI outputs may be inaccurate or incomplete and should be reviewed. Additional information about specific AI features (including the data used, retention, and any relevant technology providers) will be provided at the point you use the feature and/or in the relevant feature terms.
Automated decision making
We use automated tools to help operate our services (for example, to prevent fraud, protect security and personalise content). We do not make decisions about you that produce legal effects (or similarly significant effects) based solely on automated processing. If you would like more information, please contact us.
7. Marketing, analytics and app features
App: If you use our app, we may process device, usage and, where enabled, location data to operate and improve app features.
Marketing: If you opt in to receive marketing emails, our email marketing provider may collect engagement information (such as email opens, clicks and approximate location) to help us understand how our emails perform and tailor communications.
We may use engagement data, purchase history and your interactions with us to personalise communications, administer loyalty programme benefits, send basket reminders, and measure the performance of our marketing and services. You can opt out at any time.
Charlotte’s Darlings Loyalty Club
If you join Charlotte’s Darlings Loyalty Club, we may use your interactions with us (for example, purchases and engagement) to build a profile so we can administer the programme, provide benefits and send tailored offers.
Basket reminders
If you are a registered customer and have opted in to marketing emails, we may send you reminders about items left in your basket. You can opt out at any time using the unsubscribe link in our emails.
Pro Skin Analysis
If you use Pro Skin Analysis, we process facial scan data and related analysis data to provide personalised insights and recommendations. We do not store your image unless you choose to save it to your account. If you save your image, we retain the saved image and related analysis data for up to 12 months from capture and then delete it. If you do not use the feature for 6 months, we may notify you that your saved data will be deleted within a further 6 months unless you use the feature again. We provide additional information at the point of collection. For more details, please see the Pro Skin Analysis Terms of Use.
8. Sharing your personal data
We may share your personal data with:
- Charlotte Tilbury group companies: We may transfer your personal data to our subsidiaries and affiliates worldwide for the purposes described in this Privacy Policy, including to provide you with a consistent and personalised level of service across our global operations.
- Puig group companies, including our parent company, PUIG BRANDS, S.A. (registered office: Plaça Europa 46-48, Torre Puig, 08902 L'Hospitalet de Llobregat, Barcelona, Spain): we may share personal data within the Puig group where necessary for the purposes described in this Privacy Policy, including group administration, oversight, security, reporting and providing consistent services across our business.
- Other Puig group companies for their own marketing (with your consent): where you have consented, we may also share your data with selected Puig group companies for their own marketing communications.
- Service Providers: We share your personal data with trusted third parties who process personal data on our behalf (for example, IT, hosting, payments, delivery, analytics, customer support, fraud prevention and marketing support services). Where service providers process personal data on our behalf, we require them to process data only on our instructions, apply appropriate security measures, and maintain confidentiality.
We may also share personal data:
- with fraud prevention and security providers to help detect and prevent criminal activity (for example, suspicious transactions);
- in connection with a business transaction (such as a merger, acquisition, or sale of assets), with appropriate safeguards; and
- with regulators, law enforcement, courts and authorities where required by law or where necessary to protect rights, safety or prevent fraud.
Building up a picture of you
We may analyse how you use our services, including products viewed or purchased and interactions with our website, app and marketing, to understand customer preferences, personalise content, measure campaign performance and deliver more relevant advertising.
Where permitted and based on your choices, this may involve the use of cookies and similar technologies and sharing identifiers, including hashed contact details (such as email address or phone number), with advertising and social media partners to create custom or lookalike audiences. We do not receive the identity of individuals in lookalike audiences unless they engage with our advertising.
Information we receive from third parties
We may also receive information about you from third parties such as Retail Partners, review platforms, competition partners and public social media sources, subject to your settings and applicable law. We may combine this information with information you provide to us where we have a lawful basis to do so.
Marketing service providers
We may share limited information with selected marketing service providers who support us with audience insights, segmentation, measurement and campaign optimisation. Where appropriate, we use measures such as hashing, encryption and/or pseudonymisation before sharing data. Our service providers are contractually restricted to processing personal data only on our instructions. They are not permitted to use your personal data for their own independent purposes. Where a provider acts as an independent controller (for example, certain advertising platforms), this will be clearly explained at the point of data collection and, where required, will be subject to your consent.
9. International transfers of your personal data
As a global business, some of our group companies and service providers are located outside the UK or EEA, which may require your personal data to be transferred to or accessed from countries outside those territories.
Where this happens, we ensure an appropriate safeguard is in place as required by applicable data protection law, such as an adequacy decision, the EU Standard Contractual Clauses, the UK Addendum to the SCCs, or the UK International Data Transfer Agreement, as applicable.
10. Security and Retention
We use appropriate technical and organisational security measures to protect personal data, including encryption and access controls. Employees with access to personal data are subject to confidentiality obligations.
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including to provide services, comply with legal and regulatory obligations, resolve disputes and enforce our agreements. For example, we generally retain order and transaction records for up to six years after the end of the relevant financial year. After that, data is deleted or anonymised where appropriate.
Third Party Links
Our website may contain links to third-party websites, which are subject to their own privacy notices and terms.
11. Your Marketing Choices
We want to keep you up to date by email, post and by SMS/WhatsApp about our latest products, services, offers and events, subject to your marketing preferences. To update your preferences, or opt out:
- Emails: To unsubscribe from emails, click on the 'unsubscribe' button on any email we send you.
- Text Messages: To unsubscribe from SMS, find instructions on how to do this in any SMS message that we send you.
- Push Notifications: In our App, you can manage your preferences and opt out from push notifications in the ‘Settings’ section.
- Other marketing: We may include marketing inserts in parcels or order communications where permitted by law.
- Mobile Device & Browser Preferences: Depending on your mobile device or web browser, we may request your location or request to send you push notifications. You can edit your preferences using the settings on your device.
Please note that it may take a short time for changes to take effect. Opting out of marketing will not stop service communications such as order updates or requested back-in-stock notifications.
12. Your rights in relation to your personal data
You have the following rights in relation to your personal data, subject to certain exceptions and limitations under applicable law:
- Right to be informed: you have the right to receive clear, transparent and easily understandable information about how we use your personal data and your rights.
- Right of access: you have the right to access the personal data we hold about you.
- Right to rectification: you have the right to ask us to correct personal data we hold about you if it is inaccurate or incomplete.
- Right to restriction of processing: you have the right to ask us to restrict our processing of your personal data in certain circumstances.
- Right to erasure: you have the right to ask us to erase your personal data in certain circumstances. This is not an absolute right, as we may have legal or legitimate grounds for retaining it.
- Right to object: you have the right to object to our processing of your personal data in certain circumstances, including where we rely on legitimate interests.
- Right to object to direct marketing: you can opt out of direct marketing communications at any time.
- Right to data portability: where applicable, you have the right to receive certain personal data you have provided to us in a structured, commonly used and machine-readable format and to have that data transmitted to another controller.
- Right to withdraw consent: where we rely on your consent, you may withdraw it at any time.
- Right to complain: you have the right to lodge a complaint with the supervisory authority in your country of residence, place of work or place of the alleged infringement.
To submit a request, please use the Privacy Request Portal and/or the contact details provided at the top of this Privacy Policy. We may require proof of your identity and full details of your request before we process it.
© CHARLOTTE TILBURY BEAUTY LIMITED 2026. All rights reserved.