Delta Galil Privacy and Data Protection Policy and Notice

Last Revised: August 2023.

This privacy and data protection policy and notice (the “Privacy Policy”) applies to the website Florencebymillsfashion.com through which certain licensed florence by mills branded products are marketed and sold to customers (the “Services”). The Website and Services are offered by Delta Galil (and its corporate entities, licensees, and its and their respective affiliates and distributors, “DG”, “we”, “us” or “our”).

We are committed to protecting the personal information that is shared with us. DG respects the privacy of its customers (these and any others with respect to whom we collect personal data shall collectively be referred to as the “Data Subjects” or “you”).

The Privacy Policy explains the types of information we might collect from you, that we receive from you or that may be provided to us in the course of your interest in or use of our Services, business transactions, or when you visit our Website. Please read this Privacy Policy carefully in order to understand our practices regarding the processing of your personal data and how we will treat it.

  1. INFORMATION ABOUT DG

For the purposes of the EU General Data Protection Regulation (the “GDPR”) and other applicable privacy laws, DG is a data controller (a “Controller”) in relation to your personal data. Likewise, DG is a Business (as defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CCPA”)) regarding your personal data. Please note that we maintain a separate privacy policy concerning our processing of personal data of our employees.

  1. INFORMATION WE COLLECT AND HOW WE COLLECT IT

Summary: We collect various categories of personal data in order to meet our contractual obligations and various legitimate interests, such as fraud prevention and marketing.

We collect data about you in connection with your online engagement with us. One type of data collected by us is non-identifiable and anonymous information (“Non-Personal Data”). We also collect several categories of personal data (“Personal Data”) as described below:

  1. Business-Relationship Data:

We collect business relationship-related Personal Data through our online interactions with you.

This Personal Data generally includes, where applicable, your name (first and last), address, email address, phone number, job title, company name, the content of your inquiry, online identifiers such as Internet Protocol addresses and details about the devices and browsers you use in connection with our services, purchase history, browsing and Services history, warranty information, Website session information, and any direct communication.

You do not have any legal obligation to provide any information to us. However, we require certain information in order to establish a business relationship with you, fulfill orders placed by customers, or to process and respond to your inquiry, and to provide the Services. If you choose not to provide us with certain information, then we may not be able to establish a business relationship with you, fulfill your order, respond to your inquiry or provide you or your organization with some or all of the Services.

  1. Technical and Behavioral Data We Collect Through the Website:

When you access our Website, our systems collect and process the information relating to such usage, either independently or through the help of third-party services (as described further below). This includes technical information and behavioral information, such as your Internet Protocol (IP) address used to connect your device to the internet, your Uniform Resource Locators (URL), operating system, type of browser, browser plug-in types and versions, screen resolution, Flash version, time zone setting, ‘clickstream’ and other session and browsing records, the period of time you accessed the Website and methods used to browse away from a page. Additionally, we obtain location data related to the general geographic location of your computer, mobile device or other digital device through which you accessed our Websites, for analytics and security purposes. We likewise may place cookies on your browsing devices (see Section 7 (Data Collection from Websites and Cookies) in this Privacy Policy).

  1. THE PURPOSES FOR WHICH WE COLLECT PERSONAL DATA

Summary: We process Personal Data to operate our Website, meet our obligations, protect our rights and manage our business.

We use Personal Data in order to provide and improve the Services for our customers, operate our Website and meet our contractual, ethical and legal obligations. The legal basis for our processing is as follows:

  1. Processing which is necessary for the purpose of fulfilling contractual obligations:
  • Carrying out our obligations arising from any orders and to provide you with the information, support and Services that you request from DG;
  • Sending you order-related communications; and
  • Verifying and carrying out financial transactions in relation to payments you make in connection with the Services.
  1. Processing which is necessary for the purpose of our legitimate interests or those of a third party, including providing efficient and wide-ranging Services to our customers:
  • Notifying you about changes to our Website and the Services and our policies;
  • Establishing a business relationship with you;
  • Providing support to you, answering queries sent by you and contacting you upon your request;
  • Contacting you to give you commercial and marketing information which may be of interest to you (subject to your consent for such communications when required under applicable laws) – you may opt out of such communications at any point;
  • Soliciting feedback in connection with the Services;
  • Tracking use of our Website to enable us to optimize it;
  • For security purposes and to identify and authenticate your access to the login zone;
  • Sending you announcements in relation to security, privacy or administrative related communications - these communications are not marketing orientated, and we do not rely on consent, so you may not opt out; and
  • Assessing employment candidates.
  1. Processing which is based on your consent (when required under applicable law):
  • Processing which involves the use of cookies and other tracking technologies, for purposes which are not purely operational, such as for marketing and analytics purposes (for more information, see our Cookie Policy [here]).
  1. Processing which is necessary for the purpose of compliance with legal obligations to which DG is subject:
  • Compliance and audit purposes, such as meeting our reporting obligations in the various jurisdictions within which we operate, anti-money laundering and tax-related obligations, and crime prevention and prosecution in so far as it relates to our staff, customers, service providers, facilities, etc.; and
  • If necessary, we will use Personal Data to enforce our terms, policies and legal agreements, to comply with court orders and warrants and assist law enforcement agencies as required by law, to collect debts, to prevent fraud, infringements, identity theft and any other service misuse, and to take any action in any legal dispute and proceeding.
  1. SHARING DATA WITH THIRD PARTIES

Summary: We share Personal Data with our third parties that qualify as our processors, when the processing of Personal Data is done on our behalf, and with third parties that qualify as controllers, when the processing of Personal Data is for their own purposes, both for the purposes set forth below:

  1. Third Party processors

  1. Third Party controllers

We transfer Personal Data to FBM so that FBM can contact you with regard to its and its licensees’ products and services. Since you have purchased and/or have shown interest in the FBM products we sell on our Website, FBM would like to contact you by email to provide you with information on their and their licensees’ products, for instance by informing you about new products, news and information on products you purchased or liked, and other news or events, and information about the FBM brand and/or Millie Bobby Brown.

We will only transfer the Personal Data listed below to FBM if you have given us your consent to do so.

Purpose: marketing purposes of FBM and its third party licensees

Personal Data transferred: email address, name, gender

Legal basis: consent

We transfer Personal Data to:

  • Affiliates: We may share your Personal Data internally with our affiliated companies, joint-venture partners, wholly or partly owned subsidiaries, to the extent necessary to fulfill the purposes listed above. Sharing your Personal Data from the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland to DG’s affiliates located outside of the aforementioned jurisdictions will always take place under an approved transfer mechanism, such as the relevant Standard Contractual Clauses (SCCs), if required.
  • Third Parties: We transfer your Personal Data to third parties under a variety of circumstances. We endeavor to ensure that these third parties use your Personal Data only to the extent necessary to perform their functions and to have a contract in place with such third parties in order to govern their processing on our behalf. These third parties may include business partners, suppliers, affiliates, agents and subcontractors for the performance of any contract we enter into with you. They assist us in providing the Services we offer, processing transactions, fulfilling requests for information, receiving and sending communications, analyzing data, providing IT and other support services or in other tasks from time to time. These third parties also include analytics and search engine providers that assist us in the improvement and optimization of our Website and marketing.

We periodically add and remove third-party providers. At present, services provided by third-party providers to whom we transfer Personal Data include the following types of service providers:

  • Website analytics;
  • Data analytics and business intelligence;
  • Client support;
  • Online Payment Services;
  • Marketing, mailing lists, and various forms of advertising;
  • On-site and cloud-based database services, cloud storage and processing;
  • Membership, client and loyalty program solutions;
  • Shipping, fulfilment and logistics;
  • Warehouse management solutions;
  • CRM software;
  • Data security, data backup, and data access control systems;
  • Website cookie management and data subject request management tools;
  • Our lawyers, accountants, and other standard business software and partners.

In addition, we will disclose your Personal Data to third parties if some or all of our companies or assets are acquired by a third party, including by way of a merger, share acquisition, asset purchase or any similar transaction in which case Personal Data will be one of the transferred assets. Likewise, we transfer Personal Data to third parties if we are under a duty to disclose or share your Personal Data in order to comply with any legal, audit or compliance obligation in the course of any legal or regulatory proceeding or investigation, in order to enforce or apply our terms and other agreements with you or with a third party, or in order to assert or protect our rights, property or safety of DG, our customers or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection, credit risk reduction and in order to prevent cybercrime.

Further, for the avoidance of doubt, DG may transfer and disclose Non-Personal Data, including Personal Data that was anonymized or aggregated, to third parties at its own discretion.

  1. WHERE WE STORE YOUR DATA

Summary: We store your Personal Data across multiple jurisdictions globally.

We store your Personal Data on servers owned and controlled by DG or its affiliates or processed by third parties on behalf of DG, such as reputable cloud service providers (see Sections 3 (Sharing Data with Third Parties) and 5 (International Data Transfers) in this Privacy Policy). This includes, but is not limited to, the USA, the EU and the UK.

  1. INTERNATIONAL DATA TRANSFERS

Summary: We transfer Personal Data internationally with appropriate safeguards in place.

Personal Data is transferred to, and stored and processed at destinations located outside of the EEA and the UK. This includes transfers to our different affiliates and service providers, which may be located in jurisdictions which have been deemed adequate by the European Commission, such as Switzerland or Israel, or which have not been deemed adequate by the European Commission, such as the USA.

Where your Personal Data is transferred outside of the EEA or the UK, we will take reasonably necessary steps to ensure that your Personal Data is subject to appropriate safeguards, and that such Personal Data is treated securely and substantively in accordance with this Privacy Policy. Transfers from the EEA to Israel are made based on an adequacy ruling by the European Commission. Transfers from the EEA to the United States of America (“US”) are made based on Standard Contractual Clauses (SCCs) published by the European Commission or other appropriate safeguards approved by the European Commission. Transfers from the UK to the EEA or Israel are made based on the UK’s Adequacy Regulations. Transfers from the UK to the US or other non-adequate countries are made based on the UK’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. For more information about these safeguards, please contact us as set forth below.

We transfer Personal Data to locations outside of the EEA and the UK in order to meet the processing purposes noted above, and more specifically to:

  • Store or backup information;
  • Enable us to provide you with the Services and fulfill our contract with you;
  • Fulfill any legal, audit, ethical or compliance obligation which requires us to make such transfer;
  • Facilitate the operations of our group business where it is in our legitimate interests and we have concluded that such a transfer does not override your rights;
  • Serve our customers across multiple jurisdictions; and
  • Operate our affiliates in an efficient and optimal manner.
  1. DATA RETENTION

Summary: We retain Personal Data in accordance with our data retention policy and as required to meet our obligations, protect our rights and manage our business.

DG will retain Personal Data we process only for as long as required in our view in accordance with our general data retention practices and as necessary to comply with our legal and other obligations, to resolve disputes and to enforce agreements. We will also retain Personal Data to meet any audit, compliance and business best-practices.

Personal Data that is no longer retained will be anonymized or deleted. Likewise, Non-Personal Data, some metadata and statistical information concerning the use of our Website and the Services are not subject to the deletion procedures in this Privacy Policy and our data retention policy and will be retained by DG. We will not be able to identify you from this data. Some data may also be retained on our third-party service providers’ servers until deleted in accordance with their privacy policy and their retention policy, and in our backups until overwritten.

  1. DATA COLLECTION FROM THE WEBSITE AND FROM COOKIES

Summary: We place cookies on your device. You control our use of cookies through a cookie management tool on our Website or through your device and browser.

Our Website uses cookies, pixel tags and other forms of identification and local storage (collectively, “cookies”) to distinguish you from other users of our Website. This helps us to provide you with an optimal user experience and allows us to provide and improve our Website and the Services and promote our marketing efforts. Functionality cookies (also called ‘essential cookies’) do not require your consent. For other cookies, however, depending on your jurisdiction and applicable laws, we request your consent before placing them on your device or browser.

Our detailed Cookies Policy is available [here]. You can choose to change your cookies settings for our Websites at any time by following the instructions set forth in our Cookies Policy.

The Website uses cookies to collect information around abandoned shopping carts. A cart is considered abandoned within one hour of inactivity/lack of purchase. Once the cart is considered abandoned, if the customer has consented to SMS messages, then an SMS message will be sent as a reminder. 

  1. SECURITY AND STORAGE OF DATA

Summary: We take data security very seriously, invest in security systems and train our staff. In the event of a breach, we make the appropriate notifications as required by law.

We take great care in implementing, enforcing and maintaining the security of the Personal Data we process. DG implements, enforces and maintains security measures, technologies and policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of Personal Data. We likewise take steps to monitor compliance of such policies on an ongoing basis. Likewise, we take at least industry standard steps to ensure our Website and Services are safe and to prevent unauthorized access to our databases.

Please note, however, that no data security measures are perfect or impenetrable and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.

DG endeavors to limit access to Personal Data to those of our personnel who: (i) require access in order to fulfill their obligations, including also under our agreements, and as described in this Privacy Policy, (ii) have been appropriately and periodically trained with respect to the requirements applicable to the processing, care and handling of the Personal Data, and (iii) are under confidentiality obligations as may be required under applicable law.

DG acts in accordance with our policies and with applicable law to promptly notify the relevant authorities and Data Subjects in the event that any Personal Data is lost, stolen, modified or disclosed or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of a qualified authority. DG shall promptly take reasonable remedial measures.

  1. DATA SUBJECT RIGHTS

Summary: Depending on the law applicable to your Personal Data, you may have various data subject rights, such as a right to access, erasure and rectification, as well as certain information rights. We will respect any lawful request to exercise such rights.

Data Subjects in certain jurisdictions, such as in the EU and the UK, have rights granted pursuant to local laws under certain circumstances and with certain exceptions, including:

  • Access – the right to receive confirmation whether your Personal Data is being processed by us, what types of Personal Data, for what purposes, with whom it is or will be shared (if at all) and for how long it will be stored.
  • Rectification – the right to correct your Personal Data held by us that may be inaccurate or incomplete.
  • Erasure – the right to have your Personal Data held by us deleted.
  • Restriction of Processing – the right to require us to cease processing your Personal Data.
  • Portability – the right to receive a copy of any of your Personal Data held by us in a convenient format and to have any of your Personal Data held by us transferred to a third party.
  • Objection – the right to object to the processing of your Personal Data by us.
  • Objection to Direct Marketing – the right to object to the processing of your Personal Data by us for the purposes of direct marketing, including profiling – this can be achieved by opting out using the unsubscribe/opt-out feature displayed in our communications with you.
  • Objection to Automated Decision-Making – the right to refuse to have your Personal Data processed in connection with automated decision-making.
  • Withdrawal of Consent – where we rely upon your consent in order to process your Personal Data, you have the right to withdraw such consent at any time.

In order to exercise any of your rights, you can contact us at customercare@florencebymillsfashion.com. Please note that DG may have to undertake a process to identify a Data Subject prior to facilitating the exercise of such Data Subject’s rights. DG may keep details of rights exercised for our own compliance and audit requirements. Furthermore, please note that Personal Data provided to us may be either deleted or retained in an aggregated manner without being linked to any personal identifiers depending on technical and commercial capabilities. Such data may continue to be used by DG.

Please note that these rights only apply under certain circumstances and may be limited by law, as well as be subject to exceptions. For example, where accepting your request to exercise a right would adversely affect other individuals, expose our trade secrets or intellectual property, where there are overriding public interests, or where we are required by law to retain your Personal Data. In addition, Data Subjects’ rights cannot be exercised in a manner inconsistent with our rights, those of our employees and staff, or third-party rights. As such, reviews, internal notes and assessments, documents and notes, including proprietary information or forms of intellectual property, cannot be accessed, erased or rectified by Data Subjects. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, such as emails, or where other exceptions apply.

Data Subjects in the EU, the UK and other jurisdictions have the right to lodge a complaint with a local data protection supervisory authority. If such supervisory authority fails to respond to such a complaint, such Data Subjects may have the right to an effective judicial remedy.

  1. US STATES’ PRIVACY RIGHTS

Summary: We do not sell the personal information we collect. We share limited Website user data for advertising purposes. California and other US state resident consumers have certain rights in relation to their personal information. They can exercise those rights by contacting us.

This section provides additional details about the Personal Data we collect about consumers in the US states of California, Virginia, Colorado, Connecticut, Utah and other applicable US states and the rights afforded to them under the California Consumer Privacy Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”) and other applicable laws.

For details about the Personal Data we have collected as a business over the last 12 months, please see Section 1 (Which Information Do We Collect?) of this Privacy Policy. We collect this Personal Data for the business and commercial purposes described in Section 2 (What are the Purposes for Which We Collect Personal Data?) of this Privacy Policy. We share this information with the categories of third parties described in Section 3 (Sharing Data with Third Parties) of this Privacy Policy.

Please note that we do share information with third parties for the purpose of cross-context behavioral advertising (as defined in the CCPA) or targeted advertising (as defined in other applicable US state laws), and use third-party cookies for such purposes as further described in our Cookie Page. If you are a resident of California, Virginia, Colorado, Utah, Connecticut and other applicable jurisdictions, you may opt out of the sharing of your data for such purposes by clicking “Reject All” on the “Cookie Setting” of our cookie banner, or by clicking the “Do Not Sell or Share my Personal Information” link on the banner of this site.

Subject to certain limitations, the CCPA and other applicable US state laws provide consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this information), to access their information in a portable format, to correct or delete their personal information, to opt out of any “sales, cross-contextual behavioral advertising or targeted advertising” that may be occurring, and to not be discriminated against for exercising these rights. To make such requests, please send an email to customercare@florencebymillsfashion.com. Government identification may be required. Consumers can also designate an authorized agent to exercise these rights on their behalf.

  1. DO NOT TRACK SIGNALS

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers in order to inform websites that they do not wish to be tracked. We do not respond to or honor DNT signals.

  1. THIRD-PARTY LINKS

We may include third-party links on our Website and allow registration and login through third-party accounts. Please note that this Privacy Policy only applies to the Personal Data that we (or third parties on our behalf) collect from or about you and we cannot be responsible for Personal Data collected or stored by third parties. Third parties have their own terms and conditions and privacy policies and you should read these carefully before you submit any Personal Data to such parties. We do not endorse or otherwise accept any responsibility or liability for the content of such third-party websites or terms and conditions or policies.

  1. CHANGES TO THIS PRIVACY POLICY

The terms of this Privacy Policy will govern the use of the Services, our Website and any data collected in connection with them and DG’s contractual obligations. DG may amend or update this Privacy Policy from time to time. The most current version of this Privacy Policy will be available at: florencebymillsfashion.com. Changes to this Privacy Policy are effective as of the date stated as “Last Revised” and your continued use of the Services or Website will constitute your active acceptance of the changes to the terms of this Privacy Policy.

  1. CONTACT US

DG aims to process only adequate, accurate and relevant data limited to the needs and purposes for which it is gathered. We also aim to store data only for the time period necessary in order to fulfill the purpose for which the data is gathered. DG only collects data in connection with a specific lawful purpose and only processes data in accordance with this Privacy Policy. Our policies and practices are constantly evolving and improving and we invite any suggestions for improvements, questions, complaints or comments concerning this Privacy Policy. You are welcome to contact us (details below) and we will make an effort to reply within a reasonable timeframe.

DG may be contacted concerning this privacy policy at customercare@florencebymillsfashion.com.