Privacy policy
Hair & Compounds, Inc. Global Privacy Policy
Last Updated: December 15th, 2025
1. Introduction
Hair & Compounds, Inc. ("H&C," "we," "us," or "our") operates this website and online store to provide products and services to customers and visitors globally. This Global Privacy Policy explains how we collect, use, disclose, and protect personal information in compliance with applicable privacy laws, including:
- The European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
- The United Kingdom GDPR (UK GDPR)
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Other applicable data protection and privacy laws
By using or accessing our Services, you acknowledge that you have read and understood this Privacy Policy.
1.1 Data Controller Details
Hair & Compounds, Inc.
7820 Burnet Ave #A
Van Nuys, CA 91405, USA
Email: hair@haircompounds.com
1.2 European and UK Representative (GDPR Article 27)
Hair & Compounds, Inc. has appointed Data Protection Representative Limited ("DataRep") as our official Data Protection Representative for the purposes of the EU/EEA GDPR and the UK GDPR. If you are located in the EEA or the UK, you may contact DataRep to submit any request related to your data protection rights.
Contact Details for DataRep:
Company Name: Data Protection Representative Limited (trading as DataRep)
Address: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Email: datarequest@datarep.com (please include "Hair & Compounds, Inc." in the subject line)
Webform: www.datarep.com/data-request
Full instructions for submitting GDPR inquiries are provided in our DataRep Instructions for Submitting GDPR Inquiries, which includes contact addresses for DataRep's local offices in different countries throughout the EU/EEA and UK. This document forms an integral part of this Privacy Policy.
For all non-data protection-related inquiries (such as product questions or customer support), please contact Hair & Compounds, Inc. directly at hair@haircompounds.com.
2. At-a-Glance Privacy Summary
What We Collect
- Contact information (name, address, email, phone)
- Payment information
- Account information (username, preferences, settings, etc.)
- Transaction/order information (items purchased, returns, etc.)
- Device and usage information (IP address, browser type, analytics, etc.)
- Communications (customer support inquiries)
- Professional verification data (licenses, certifications)
How We Use It
- Process orders, payments, and returns
- Provide customer support and respond to inquiries
- Improve site functionality, performance, and user experience
- Personalize content and experience
- Detect and prevent fraud
- Send marketing communications (where permitted)
Sharing / Sale of Personal Information
- We do not sell personal information for monetary consideration
- We may share data for cross-context behavioral advertising (United States residents can opt out)
Your Rights
EU/EEA and UK Residents (GDPR):
- Access, rectify, or erase personal data
- Restrict or object to processing
- Data portability
- Withdraw consent
- Lodge a complaint with a supervisory authority
United States Residents (CCPA/CPRA):
- Know what personal information is collected
- Delete personal information
- Correct inaccurate information
- Opt out of sale/sharing
- Limit use of sensitive personal information
- Non-discrimination for exercising rights
How to Exercise Your Rights
- EU/EEA and UK Residents: Contact DataRep at datarequest@datarep.com or www.datarep.com/data-request
- United States Residents: Use "Do Not Sell or Share My Personal Information" link in website footer, Global Privacy Control (GPC) signal, or email hair@haircompounds.com
- All Other Users: Email hair@haircompounds.com
3. Why Personal Data Is Collected
We collect and process personal data for specific and lawful purposes, including:
- Providing and delivering products and services
- Communicating regarding orders, accounts, or inquiries
- Personalizing and improving the website and user experience
- Maintaining security and proper website functionality
- Complying with applicable legal and regulatory obligations
Only data necessary and proportionate to these purposes is collected. Personal data is not sold for monetary consideration or used for incompatible purposes. H&C applies data protection by design and by default to all processing activities, ensuring that privacy and data protection principles are integrated into our systems, processes, and products from the outset.
4. Personal Data We Collect
H&C may collect and process the following categories of personal data:
4.1 Categories of Personal Information
Identification & Contact Details:
Name, billing/shipping address, email, phone number.
Purpose: To process orders, provide customer support, and send transactional communications.
Account Information:
Username, password, login credentials, preferences, settings.
Purpose: To manage your account, personalize your experience, and maintain security.
Financial & Payment Information:
Payment card data, billing details, payment method, transaction details, payment confirmation, purchase history.
Purpose: To process payments securely, prevent fraud, and complete transactions.
Transaction & Order Information:
Items viewed or purchased, returns/exchanges, order history.
Purpose: To fulfill orders, manage returns/exchanges, and analyze purchasing trends.
Device & Usage Information:
IP address, browser type, operating system, device identifiers, analytics data.
Purpose: To improve website functionality, analyze performance, and enhance user experience.
Communications:
Customer support inquiries, messages, and inquiries you send to us.
Purpose: To respond to questions, provide support, and maintain customer relationships.
Professional Verification Data:
Cosmetology or stylist license numbers, certification documents, proof of professional status, and any supporting documentation submitted to verify eligibility for Pro Access.
Purpose: To verify eligibility for professional services or Pro Access.
Marketing Preferences:
Consents and preferences for promotions and marketing communications.
Other Individuals' Data:
Information provided for gift delivery or referrals.
4.2 Required Information
Providing certain personal data (such as billing and shipping details) is required to complete your purchase. Without this information, we cannot fulfill your order or provide services.
4.3 Sensitive Personal Information
We do not collect sensitive personal information such as racial/ethnic origin, genetic data, or religious beliefs unless required by law or necessary to provide our Services. We use sensitive information only as necessary to:
- Process payments securely (Shopify Payments)
- Fulfill orders
- Prevent fraud
- Maintain security
California residents may limit the use of sensitive information via the opt-out mechanisms described in Section 10.2.
4.4 Children's Privacy for the United States Residents (CCPA/CPRA)
Our Services are not directed at children under 16. We do not knowingly collect, sell, or share personal information of minors under 16 without parental consent.
For United States residents, we comply with the Children's Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA/CPRA) requirements regarding minors. If you believe we have collected information from a minor under 16, please contact us at hair@haircompounds.com to request deletion.
5. How Personal Data Is Collected
We collect personal information from the following sources:
- Directly from you: When creating an account, making purchases, or contacting us.
- Automatically: Through cookies, pixels, and analytics tools (e.g., Google Analytics, Facebook Pixel).
- From service providers: Such as payment processors, hosting platforms (e.g., Shopify, AWS, Google Cloud), shipping companies, and analytics platforms.
- From third parties: Advertising networks, social media, public sources.
- From other individuals: For gift orders or referrals.
We also collect information automatically through cookies and similar technologies.
6. Purposes and Lawful Bases for Processing
H&C processes personal data only where a lawful basis under applicable law applies. For EU/EEA and UK residents, we rely on the following lawful bases under Article 6 of the GDPR and UK GDPR:
6.1 Performance of a Contract
To process and fulfill orders, provide services, and manage customer accounts.
6.2 Consent
For marketing communications, newsletters, and non-essential cookies. Consent may be withdrawn at any time without affecting the lawfulness of prior processing (see Section 10).
6.3 Legal Obligation
To comply with applicable laws, regulations, and accounting or tax requirements.
6.4 Legitimate Interests
For fraud prevention, website security, analytics, and improving user experience. We balance our legitimate interests against your rights and interests.
7. Disclosure, Sale, and Sharing of Personal Information
7.1 Who We Share With
We may disclose or share personal information with:
- Service providers and processors: IT hosting (e.g., Shopify, AWS, Google Cloud), payment processors, shipping companies, analytics platforms.
- Business and marketing partners: Only with your consent.
- Regulatory authorities: Where required by law or to comply with legal obligations.
- Corporate successors: In the event of a merger, acquisition, or similar transaction.
- Affiliates or corporate entities: For business operations and service delivery.
All service providers are contractually obligated to process personal information only as instructed by H&C and are bound by contracts ensuring adequate safeguards.
7.2 Sale / Sharing of Personal Information
H&C does not sell personal information for monetary consideration. However, we may share certain data for cross-context behavioral advertising, which may be considered a "sale" or "sharing" under California law. California residents can opt out of such sharing via:
- "Do Not Sell or Share My Personal Information" link in the website footer
- Global Privacy Control (GPC) signal
- Email: hair@haircompounds.com
7.3 Shopify Disclosure
Our online store is hosted by Shopify Inc. ("Shopify"), which provides the e-commerce platform that enables us to sell our products and services to you. Shopify also processes certain personal data on our behalf, such as checkout information, payments, and store analytics. In some cases, Shopify may act as an independent data controller (for example, for fraud prevention or legal compliance).
Your personal data is stored securely through Shopify's data storage, databases, and application systems. Shopify maintains data on protected servers behind a firewall and uses industry-standard security measures.
For more details on how Shopify and our other service providers handle personal information, please review:
- Shopify Privacy Policy
- Shopify Terms of Service
- Shopify Data Processing Addendum
- Shopify Cookie Policy
8. International Data Transfers
Hair & Compounds, Inc. operates its own on-premise servers as well as cloud servers hosted with providers like AWS and Google Cloud, all located exclusively in the United States. Personal data stored on these servers is managed under strict security and privacy protocols, giving us direct control over the handling, access, and protection of your information.
Shopify may also store and process personal data in the United States and other countries where it or its service providers maintain facilities. As a result, your personal data may be transferred outside the European Economic Area (EEA) or the United Kingdom (UK).
When personal data is transferred outside the EEA or UK (for example, to the United States), Hair & Compounds, Inc. implements appropriate safeguards to ensure your information remains protected, including:
- Use of EU Standard Contractual Clauses (SCCs)
- The UK International Data Transfer Addendum
- Transfers to countries with an adequacy decision by the European Commission or UK Government
- Contracts with service providers that include data protection commitments
A copy of these safeguards is available upon request at hair@haircompounds.com.
9. Data Retention
We retain personal data only for as long as necessary to provide our services, comply with legal obligations, or support legitimate business purposes. You may request deletion of your personal data at any time, and we will honor your request unless retention is required by law.
Where applicable, we also follow the data-retention practices of our service providers (e.g., Shopify, Google Cloud, and AWS), who may retain certain information to operate their platforms, comply with legal requirements, prevent fraud, or maintain security. For more information, you can review their respective privacy policies (see Section 7.3).
10. Your Data Protection Rights
10.1 Rights for EU/EEA and UK Residents (GDPR)
Under the GDPR and UK GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete information.
- Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances.
- Restriction of Processing: Ask us to limit how your data is used.
- Data Portability: Receive your data in a structured, commonly used, machine-readable format, or request that we transmit it to another controller.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Withdraw Consent: Withdraw consent at any time (e.g., via unsubscribe links or cookie settings).
- No Automated Decision-Making: Hair & Compounds, Inc. does not use automated decision-making or profiling that produces legal or similarly significant effects.
Right to Lodge a Complaint with a Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR or UK GDPR, you have the right to lodge a complaint with a supervisory authority:
European Economic Area (EEA):
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
United Kingdom:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
How to Exercise Your Rights (EU/EEA and UK Residents)
If you are located in the EEA or the UK, please submit any requests to exercise your GDPR or UK GDPR rights through our appointed Data Protection Representative (DataRep):
- Email: datarequest@datarep.com (please include "Hair & Compounds, Inc." in the subject line)
- Webform: www.datarep.com/data-request
Full instructions for submitting GDPR inquiries are provided in our DataRep Instructions for Submitting GDPR Inquiries, which includes contact addresses for DataRep's local offices in different countries throughout the EU/EEA and UK. This document forms an integral part of this Privacy Policy.
For all non-data protection-related inquiries (such as product questions or customer support), please contact Hair & Compounds, Inc. directly at hair@haircompounds.com.
10.2 Rights for the United States Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the following rights:
- Know: Request disclosure of what personal information is collected, used, disclosed, or sold.
- Delete: Request deletion of personal information.
- Correct: Request correction of inaccurate personal information.
- Opt-Out of Sale/Sharing: Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
- Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information.
- Non-Discrimination: Receive non-discriminatory treatment for exercising your rights.
How to Exercise Your Rights (California Residents and Other Residents of The United States)
California residents and other residents of the United States may submit requests to exercise their rights via:
- "Do Not Sell or Share My Personal Information" link in the website footer
- Email: hair@haircompounds.com
- Global Privacy Control (GPC) signal
Verification may be required to confirm your identity. Authorized agents may submit requests on your behalf with written consent. We will respond within 45 days, extendable once by 45 days if necessary.
10.3 Rights for All Other Residents
Individuals outside the EEA, UK, and the United States may contact us directly at hair@haircompounds.com to exercise their data protection rights where applicable under local law.
11. Security of Personal Data
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encryption of data in transit and at rest
- Secure servers with firewall protection
- Limited personnel access to personal data
- Regular security assessments and updates
- Contractual obligations with service providers
While no system is completely secure, H&C continuously reviews and enhances its safeguards to protect your personal data.
12. Records of Processing Activities
Hair & Compounds, Inc. maintains internal records of all personal data processing activities in accordance with Article 30 of the GDPR and the UK GDPR. These records are kept for accountability and compliance purposes and include information such as:
- The categories of personal data we process and the purposes for which we process it
- The categories of individuals whose data we process
- The lawful bases relied upon for each processing activity
- The categories of recipients with whom personal data is shared
- Details of any international data transfers and the safeguards in place
- The applicable data retention periods
- A description of the technical and organizational measures used to protect personal data
These internal records are regularly reviewed and updated to ensure ongoing accuracy and compliance with applicable data protection laws.
13. Personal Data Breach Response and Notification
Hair & Compounds, Inc. has implemented a data breach response plan consistent with Articles 33 and 34 of the GDPR and UK GDPR. In the event of a personal data breach:
- We will promptly assess the scope and impact of the incident
- Notify the relevant supervisory authority within 72 hours where required by law
- Communicate the breach to affected individuals without undue delay when it is likely to result in a high risk to their rights and freedoms
- Document all breaches, including the facts, effects, and remedial actions taken
14. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect operational, legal, or regulatory changes. Material updates will be announced on our website, and the "Last Updated" date at the top of this document will indicate the most recent revision. We encourage you to review this Privacy Policy regularly to stay informed about how we protect your personal data.
15. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Hair & Compounds, Inc.
7820 Burnet Ave #A
Van Nuys, CA 91405, USA
Email: hair@haircompounds.com
For EU/EEA and UK Residents:
Company Name: Data Protection Representative Limited (trading as DataRep)
Address: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Email: datarequest@datarep.com (please include "Hair & Compounds, Inc." in the subject line)
Webform: www.datarep.com/data-request
Full instructions for submitting GDPR inquiries are provided in our DataRep Instructions for Submitting GDPR Inquiries, which includes contact addresses for DataRep's local offices in different countries throughout the EU/EEA and UK. This document forms an integral part of this Privacy Policy. For all non-data protection-related inquiries (such as product questions or customer support), please contact Hair & Compounds, Inc. directly at hair@haircompounds.com.
