Free shipping on qualifying orders Dermatologist tested & sensitive skin approved Pay with Apple Pay & Google Pay
Legal

Privacy Policy

Last updated: January 2025

1. Introduction and Scope

La Branche Limited, trading as Vishpha Beauty ("we", "us", "our", "the Company"), is committed to protecting your privacy and processing your personal data in a transparent, lawful, and secure manner. This Privacy Policy explains what personal data we collect about you, why we collect it, how we use it, with whom we may share it, and your rights in connection with it.

This Privacy Policy applies to:

  • All visitors to our website at vishphabeauty.com (the "Website");
  • Customers who purchase products from us;
  • Individuals who contact us by email, through our contact form, or via social media;
  • Individuals who subscribe to our newsletter or marketing communications.

Please read this policy carefully before using the Website or submitting personal data to us. By using our Website, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Irish Data Protection Act 2018, the data controller is:

La Branche Limited
Trading as: Vishpha Beauty
Registered address: Unit 13 Burnell Square, Mayne River Way, Northern Cross, Dublin, D17 W284, Ireland
Email: hello@vishphabeauty.com

We are not currently required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. Any data protection enquiries may be directed to the email address above.

3. Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with us:

3.1 Data you provide directly

  • Identity data: First name, last name.
  • Contact data: Email address, telephone number, billing address, shipping address.
  • Account data: Username, password (stored in encrypted form — we do not have access to plaintext passwords), account preferences.
  • Order data: Details of products purchased, order history, transaction amounts, delivery instructions.
  • Communication data: The content of any emails, contact form submissions, or other communications you send us.
  • Marketing preferences: Whether you have opted in to receive marketing communications from us.

3.2 Data collected automatically

  • Technical data: Your IP address, browser type and version, operating system, device type, time zone, browser plug-in types, pages viewed, referring URLs, and other standard web log data.
  • Usage data: Information about how you navigate and interact with our Website (pages visited, links clicked, time on page).
  • Cookie data: Data collected through cookies and similar tracking technologies, subject to your consent. See Section 8 and our Cookie Policy for details.

3.3 Payment data
We do not collect, process, or store your payment card details. All payment transactions are handled directly by Stripe Payments Europe, Ltd, our PCI-DSS-compliant payment processor. We receive only a transaction reference and confirmation. See Section 6 for more on third-party processors.

3.4 Sensitive data
We do not intentionally collect or process any special categories of personal data (e.g., health data, racial or ethnic origin, biometric data). Please do not include such information in messages sent to us.

4. How We Use Your Personal Data

We use your personal data only for specific, legitimate purposes. The table below sets out the purposes for which we process your data and the corresponding lawful basis under Article 6 GDPR:

  • Processing and fulfilling orders (including delivery, invoicing, payment confirmation) — Lawful basis: Performance of a contract.
  • Managing customer accounts (account creation, profile management) — Lawful basis: Performance of a contract.
  • Customer service (responding to enquiries, returns, complaints) — Lawful basis: Performance of a contract / Legitimate interests.
  • Fraud prevention and security (detecting and preventing fraudulent transactions, security monitoring) — Lawful basis: Legitimate interests.
  • Website analytics and improvement (understanding how users interact with the Website, improving design and content) — Lawful basis: Legitimate interests (subject to cookie consent where analytics cookies are used).
  • Marketing communications (sending promotional emails, newsletters, product updates — only where you have opted in) — Lawful basis: Consent.
  • Retargeted advertising (displaying personalised ads on third-party platforms such as Instagram/Facebook via Meta Pixel — only with your consent to marketing cookies) — Lawful basis: Consent.
  • Legal and regulatory compliance (maintaining financial records, responding to regulatory requests, compliance with consumer protection law, tax obligations) — Lawful basis: Legal obligation.

We will not use your personal data for any purpose incompatible with the purpose for which it was originally collected without notifying you and, where required, obtaining your consent.

5. Marketing Communications

We will only send you marketing emails or newsletters if you have explicitly opted in to receive them — for example, by subscribing through our Website or checking a marketing consent box at checkout. We do not rely on "soft opt-in" (previous customer) exemptions without clearly informing you.

You have the right to withdraw your consent to receive marketing communications at any time, at no cost, by:

  • Clicking the "unsubscribe" link in any marketing email we send you;
  • Contacting us at hello@vishphabeauty.com and requesting removal from our mailing list.

Withdrawal of consent to marketing does not affect the lawfulness of processing carried out prior to withdrawal, nor does it affect our ability to contact you regarding your orders or other contractual matters.

6. Sharing Your Personal Data with Third Parties

We do not sell, rent, or trade your personal data. We may share your personal data with trusted third-party service providers solely to the extent necessary to operate our business and deliver our services to you. The categories of recipients are as follows:

  • Payment processing: Stripe Payments Europe, Ltd (an EU-based entity). Your card details are processed directly by Stripe and are never accessible to us.
  • Ecommerce platform: Where the Website is hosted on or connected to a third-party platform (e.g., Shopify Inc.), that platform may process order and account data on our behalf under a data processing agreement.
  • Shipping and logistics: Carriers such as An Post, DPD, or similar — we share your name and delivery address to fulfil your order.
  • Email marketing platform: A third-party email service provider (to be confirmed at launch) — used to send transactional and marketing emails only if you have opted in. This provider is bound by a data processing agreement and may not use your data for its own purposes.
  • Analytics: Google Analytics (Google Ireland Limited) — anonymised usage data, subject to your analytics cookie consent.
  • Advertising: Meta Platforms Ireland Limited (Meta Pixel) — if you have consented to marketing cookies, limited browsing data may be shared for retargeting purposes.
  • Professional advisers: Solicitors, accountants, auditors, and insurers — only to the extent legally required.
  • Regulatory authorities: The Revenue Commissioners, the Data Protection Commission, or other Irish/EU authorities — where required by law.

All third-party processors are required to maintain appropriate security measures and are only permitted to process your data in accordance with our instructions. Where applicable, data processing agreements (DPAs) conforming to Article 28 GDPR are in place.

7. International Data Transfers

Some of our third-party service providers (such as Google, Stripe, or our email platform) may process personal data in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place in compliance with Chapter V of the GDPR, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Adequacy decisions by the European Commission confirming an equivalent level of data protection in the recipient country;
  • Binding Corporate Rules where applicable.

You may request further information about international transfer safeguards by contacting us at hello@vishphabeauty.com.

8. Cookies and Tracking Technologies

Our Website uses cookies and similar technologies (including local storage and pixel tags) to improve your experience, analyse usage, and support personalised advertising. Cookies are small text files placed on your device by the website you are visiting.

We use the following categories of cookies:

  • Strictly necessary cookies: Essential for the Website to function. Cannot be switched off. These include session management, cart functionality, and fraud prevention cookies.
  • Analytics cookies: Used to understand how visitors interact with the Website (e.g., Google Analytics). Set only with your consent.
  • Marketing cookies: Used to display relevant advertising on third-party platforms (e.g., Meta Pixel). Set only with your consent.

When you first visit our Website, a cookie consent banner will appear giving you the choice to accept all cookies, decline non-essential cookies, or customise your preferences. You can change your preferences at any time by clicking the cookie settings link in the footer.

For full details on the cookies we use, their purpose, duration, and third-party providers, please read our Cookie Policy.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:

  • Order and transaction records: 7 years from the date of the order, in accordance with Irish tax law (Taxes Consolidation Act 1997) and the requirements of the Revenue Commissioners.
  • Customer account data: For the duration of the account, plus 2 years after account closure or last login.
  • Marketing data: Until you unsubscribe or withdraw consent, after which we will retain only a suppression record (your email address on a "do not contact" list) to prevent re-subscription.
  • Customer service communications: 3 years from the date of the last communication, unless there is an ongoing legal matter.
  • Website analytics data: Up to 26 months (in accordance with Google Analytics default settings), unless anonymised earlier.
  • Cookie consent records: 1 year from the date of consent, renewable upon re-consent.

When personal data is no longer required, we will securely delete or anonymise it in a manner that prevents reconstruction.

10. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:

  • HTTPS encryption for all data transmitted to and from our Website;
  • Access controls limiting who within our organisation can access personal data;
  • Use of reputable, PCI-DSS-compliant payment processors so that payment card data is never held on our systems;
  • Regular review of our data processing practices and third-party providers.

Despite these measures, no internet transmission or electronic storage system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and, where required under Article 34 GDPR, we will also notify you directly without undue delay.

11. Your Rights Under GDPR

Under the GDPR and the Irish Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access (Article 15 GDPR): You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with supplementary information about how it is processed.
  • Right to rectification (Article 16 GDPR): You have the right to request correction of inaccurate or incomplete personal data held about you without undue delay.
  • Right to erasure ("right to be forgotten") (Article 17 GDPR): You have the right to request deletion of your personal data in certain circumstances — for example, where the data is no longer necessary for the purpose it was collected, or where you withdraw consent and there is no other lawful basis for processing. Note that this right may be subject to legal retention obligations (e.g., tax records).
  • Right to restriction of processing (Article 18 GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while the accuracy of your data is being contested.
  • Right to data portability (Article 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
  • Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data where we rely on legitimate interests as the lawful basis, including profiling. You also have the absolute right to object to processing for direct marketing purposes at any time, and we will immediately cease such processing.
  • Rights related to automated decision-making (Article 22 GDPR): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects on you.
  • Right to withdraw consent: Where we rely on your consent as the lawful basis for processing, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at hello@vishphabeauty.com or in writing to La Branche Limited, Unit 13 Burnell Square, Mayne River Way, Northern Cross, Dublin, D17 W284, Ireland. We will respond to all valid requests within one calendar month. In complex or multiple requests, we may extend this period by a further two months, and we will notify you accordingly.

We will not charge a fee for responding to your rights requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.

12. Right to Lodge a Complaint

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the supervisory authority responsible for data protection in Ireland:

Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: dataprotection.ie
Telephone: +353 (0)1 765 0100 / 1800 437 737
Email: info@dataprotection.ie

We ask that you please attempt to resolve any concerns with us first by contacting hello@vishphabeauty.com before lodging a formal complaint, although you are not required to do so.

EU residents in other member states may also lodge a complaint with the supervisory authority in their country of residence or place of work.

13. Children's Privacy

Our Website and products are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If you believe a child under 16 has provided us with personal data without parental consent, please contact us immediately at hello@vishphabeauty.com and we will take steps to delete that data.

14. Third-Party Links

Our Website may contain links to third-party websites (such as social media platforms). These websites are operated by third parties and are not covered by this Privacy Policy. We are not responsible for the content or privacy practices of those websites. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or regulatory requirements. The updated policy will be published on this page with a revised "Last updated" date. Where changes are material, we will provide appropriate advance notice — for example, by email to registered customers or by displaying a prominent notice on the Website.

Your continued use of the Website after any changes to this Privacy Policy constitutes your acknowledgement of the changes. We recommend reviewing this page periodically.

16. Contact Us

If you have any questions about this Privacy Policy, how we handle your personal data, or to exercise any of your rights, please contact us:

Email: hello@vishphabeauty.com
Post: La Branche Limited, Unit 13 Burnell Square, Mayne River Way, Northern Cross, Dublin, D17 W284, Ireland

We aim to respond to all privacy-related enquiries within 5 business days, and to all formal data subject access requests within one calendar month as required by law.