Last update of this Policy: 4 December 2025
Privacy Policy
1. Overview
1.1 NAOS Australia Pty Ltd (ABN 55 635 284 276) (NAOS, we, us, our) is dedicated to safeguarding your privacy. In the same way that we are committed to caring for your skin, we place the utmost importance on ensuring your Personal Data is protected.
1.2 We have prepared this Privacy Policy to describe to you our practices regarding Personal Data we collect from users of our services, including our website at https://naos.com/en-au (Website), and all other services provided by NAOS (Services).
1.3 Our primary privacy obligations are derived from Australian law. Our Privacy Policy, available on our Website, sets out how we comply with these obligations. Sometimes, we also handle the information of EU citizens or share data with other organisations which do so or provide Services to individuals located in the EU. To the extent that we do so, this Privacy Policy also addresses our obligations under the EU General Data Protection Regulation (GDPR).
1.4 The processing of Personal Data will always be in line with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth), the GDPR, and in accordance with country-specific data protection regulations and other regulations applicable to NAOS.
1.5 We invite you to read this Privacy Policy (Policy). It provides all the necessary information regarding the data we collect, how we use it, how long we retain it, the measures we implement to protect it, the rights you have, etc.
1.6 This Policy may be updated or modified to reflect changes in our practices and applicable regulations. As these modifications take effect immediately, we encourage you to review it regularly.
2. What data is covered by this Policy?
2.1 Personal data (referred to as 'personal information' under Australian law) means any information that directly or indirectly identifies a natural person (Personal Data). This includes, for example, your name, email address, phone number, as well as data related to your consumption habits, skin type, etc.
2.2 This Policy applies to all Personal Data that you provide to us or that we collect during your visits to one or more of our Websites or when purchasing our products.
3. Why do we collect your Personal Data?
3.1 We collect your Personal Data only when necessary.
3.2 Specifically, we collect and process your data for the following purposes:
(a) to provide Services and offers on our Website;
(b) to manage your participation in our loyalty program and grant you its benefits;
(c) to process your product purchases on our Website (e.g., order management, tracking, shipping, etc.) and handle customer relations following your purchase;
(d) to ensure the functionality and content of our Websites and Services to better meet your needs and requests;
(e) to better understand you and segment data based on your needs and preferences, allowing us to send personalised information, advice and offers;
(f) to respond to your inquiries and provide personalised advice, particularly through our customer service channels (contact forms, social media, phone, etc.);
(g) to collect your feedback on our products;
(h) to conduct audience analyses and statistical studies, such as measuring Website visits, user activity, subscription rates to our Services and the effectiveness of promotional offers;
(i) to manage cosmetovigilance (handling reports of adverse effects related to our products, conducting safety studies and implementing corrective actions if necessary);
(j) to organise product testing and contests;
(k) to carry out targeted communications via email or advertising banners on partner sites (analysing the Personal Data you provide or data related to your visits on our Websites to assess your preferences, needs and interests and display or offer tailored content);
(l) if you have given your consent, to send you postal or electronic communications (email, SMS/MMS) about our products, Services and activities, which may be personalized;
(m) to detect fraudulent behaviour on our Websites and manage disputes;
(n) to ensure the security of our Websites and Services; and
(o) to manage our social media pages.
3.3 We agree to not use or disclose this information for a secondary purpose unless you consent to us doing so, or another exception applies under applicable laws.
3.4 For the purposes of the law, some information we hold about you may be considered 'sensitive' as a special category of data and therefore subject to greater protection. If we hold sensitive information about you, we will only disclose or use that information with your consent or if another exception applies under applicable laws.
3.5 We will also use or disclose your Personal Data or sensitive information if we are required to do so by law or a court / tribunal order, or if we reasonably believe that the use or disclosure of the information is reasonably necessary for an enforcement related activity or on behalf of an enforcement body, in which case we will make a written note of the use or disclosure, or if another exception applies under relevant laws.
4. What data is collected, when and for how long?
4.1 We collect and process your Personal Data in a fair and lawful manner. We also ensure that the data, if necessary, is updated so that it does not become outdated.
4.2 This data may be collected either:
(a) directly from you, for example, when you complete our data collection forms on our Website (e.g., registration form, contact form, etc.); or
(b) indirectly, for example, through our partners (e.g., advertising networks, etc.).
4.3 We define the retention periods for your Personal Data based on the duration necessary to fulfill the purposes of the data collection. Once these purposes have been achieved, we delete your data, unless certain legal obligations require us to retain it.
4.4 The table below shows when your data is collected, what data is collected, the retention periods and the legal basis on which we rely.
Moment of collection | Categories of data collected | Retention period | Legal bases
You browse on one of our Websites or on a third party partner’s website | We and/or our subcontractors collect certain data through cookies or similar technologies: · your technical connection and navigation data (e.g., your IP address, browser, device information, analytical data, number of clicks and pages viewed, time spent on the Websites); or · specific Websites elements; language and country of consultation; geolocation by city, transaction number, identifiers, clicked ads, etc.). For more information, please refer to clause 5 regarding cookies. | 13 months from the date of cookie placement or other similar technologies. Some third-party partners may retain your Personal Data for a longer period. We encourage you to review their privacy policies. Your cookie preferences will be saved for 6 months. However, our cookie management partner will retain proof of your consent(s) for 5 years. | Legitimate interest: For strictly necessary cookies required for the functioning of our Websites. Consent: For cookie categories that require your prior consent before being set.
You join our loyalty program | We and/or our subcontractors collect and process: · your identification data (e.g., name, surname, email address, postal address, etc.); · data related to your consumption habits; · data related to your skin type (e.g., oily, dry, etc.). | 3 years from joining the loyalty program | Legitimate interest: To provide you with the requested Service
You subscribe to one of our commercial communications | We and/or our subcontractors collect and process: · your identification data (e.g., name, surname, email address, etc.); · we also use data related to your consumption habits, preferences, interests, skin type, etc., only if we have previously collected such data through other means (e.g., skin diagnosis, past purchases, etc.). This enables us to provide you with personalized content tailored to your skin and needs. | Until you unsubscribe or for a maximum of 3 years from the date of data collection or your last interaction with us. | Consent: To send you commercial communications.
You participate in a promotional game | The data that we and/or our subcontractors collect and process depend on the specific promotional game: · your identification data (e.g., name, surname, postal or email address, etc.); · your social media profile (if the promotional game is conducted on one of our social media pages, if you use a social media account to log in or if you voluntarily provide it to us); · your consumption habits; · your interests; · data related to your skin type (e.g., oily, dry, etc.). | Duration necessary for managing the promotional game | Performance of a contest: To provide the requested service (contest participation).
You report an adverse reaction following the use of one of our products. In accordance with regulations, we are required to monitor and record adverse reactions related to the use of our products and to promptly report all serious adverse reactions to the competent authority. | When you, a close relative or a healthcare professional report an adverse reaction to our customer and consumer service, we collect and process: · your identification data (e.g., name, surname, email address, phone number, etc.); · a description of the adverse reaction experienced; · your consumption habits (e.g., the product used); · personal life data (e.g., if you are reporting an adverse reaction experienced by a family member). This data allows us to forward your case to our partner so that they may contact you to conduct a medical analysis of your reaction through a detailed questionnaire administered by qualified professionals. For this purpose, our partner will collect and process only the data strictly necessary for the assessment of the adverse event, including: · your identification data (e.g., name, surname, email address, identification number, etc.); · health-related data (e.g., skin conditions, allergies, medical test results, etc.); · data related to your consumption habits (e.g., products used); · data related to your skin type (e.g., oily, dry, etc.); · data related to your ethnic origins if necessary (e.g., phototype); · personal life data (e.g., if you are reporting an adverse reaction experienced by a family member). | Our customer and consumer service retains your data for the time necessary to process your request (transmission of information to the relevant and authorized teams, etc.). Our cosmetovigilance service retains your data for 3 years from the date of collection. The data are then archived securely for 10 years from the date the product concerned is withdrawn from the market. Our partner retains your data for one year from the date of collection. At the end of the current year, your data is returned to us and our partner proceeds with its destruction. | Legitimate interest: Respond to your request. Performance of a public interest task or the exercise of official authority: The collection of data as part of health vigilance for reasons of public interest. Its primary objective is to ensure compliance with high standards of quality and safety for our products.
5. What types of cookies do we use and why?
5.1 We use:
(a) strictly necessary cookies to operate the Website, keep you signed in, apply security and manage consent; and
(b) analytics cookies to measure use and improve performance and content. Cookies may be first‑party or third‑party (such as Google Analytics and Didomi), and may be session or persistent.
5.2 We only set non‑essential cookies with your consent. You can accept, reject or customise settings at any time in our cookie settings centre or via your browser. Strictly necessary cookies operate without consent.
5.3 Third‑party providers that set cookies act as independent controllers and may process information about your device and browsing on the Website. Information may be processed outside your jurisdiction and is protected in line with applicable law.
5.4 Session cookies expire when you close your browser. Persistent cookies generally last 1 day to 13 months (and not more than 24 months) unless you delete them sooner.
6. Do we use profiling?
6.1 When we display personalised content or send you personalised communications, we use techniques referred to as “profiling”.
6.2 Profiling is defined as "any form of automated processing of Personal Data consisting of using such data [...] to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict elements concerning their economic situation, interests, behaviour, location, etc.”.
6.3 We may therefore use the Personal Data collected in accordance with the table above to analyse and predict your preferences. These analyses enable us to display and/or send communications tailored to your interests, needs, skin type or consumption habits.
6.4 You have the right to object to the use of your data for profiling purposes at any time. Please refer to the “How can you exercise your rights over your data?” section of this Policy for instructions on how to do so.
7. How do we collect minors' data?
Our Websites are accessible to all individuals. However, we do not knowingly collect Personal Data from minors. If you are under the age of 18, you must have your parent or guardian's permission to provide Personal Data to us.
8. Who are the recipients of your data?
8.1 We may be required to share your data with companies, organisations and/or individuals in carrying out the processing described in this Policy. Only the data necessary for them to perform the entrusted service(s) will be shared with them.
8.2 We rely on service providers and partners to assist us with:
(a) our commercial operations such as customer relationship management (CRM), content creation, managing our social media, analytics and statistics, managing our loyalty program;
(b) hosting our Websites and the data we collect;
(c) maintaining our IT tools and databases; and
(d) managing cases of cosmetovigilance.
8.3 We select subcontractors, service providers and suppliers who provide sufficient guarantees to ensure the protection, security and confidentiality of your Personal Data.
8.4 We may also share certain Personal Data about you with social media platforms or search engines (e.g. Google, Facebook, etc.) in order to carry out targeted advertising. When we transmit this information, your data is securely encrypted. We do not retrieve any data about you from these companies.
8.5 Your Personal Data may also be disclosed to administrative or judicial authorities upon their request, as well as to third parties or recipients authorised to comply with a legal obligation or for the exercise of legitimate interests.
8.6 Finally, we may share certain data with employees of the NAOS group companies who need to process it as part of the processing activities outlined in this Policy.
9. How do we ensure the security of your data?
9.1 We are committed to implementing measures to ensure that your Personal Data is adequately protected, taking into account the sensitive nature of certain information. We use various technologies and procedures to ensure that your data is processed in a way that guarantees its protection against loss, destruction, alteration, disclosure or unauthorised access, whether unlawful or accidental.
9.2 We require an equivalent level of security from our subcontractors and service providers.
10. Where is your data stored?
10.1 We process and store your Personal Data using third-party hosting providers, including Adobe on Adobe Cloud, hosted on Amazon Web Services (AWS). These providers generally store data on servers located in Europe, although the exact country is determined automatically and may not always be identifiable.
10.2 Where we transfer Personal Data from within the European Union or European Free Trade Association States (EFTA States) to countries outside them, we ensure an adequate level of protection for the rights of data subjects based on the adequacy of the receiving country’s data protection laws.
10.3 We may disclose Personal Data to our related bodies corporate and third-party suppliers and service providers located overseas for some of the purposes listed above. We take reasonable steps to ensure that the overseas recipients of your Personal Data do not breach the privacy obligations relating to your Personal Data.
11. How can you exercise your rights regarding your data?
11.1 In accordance with applicable laws, including the GDPR and Privacy Act 1988 (Cth), you have various rights regarding your data:
(a) right to information;
(b) right to access;
(c) right to rectification;
(d) right to erasure;
(e) right to object to processing;
(f) right to withdraw your consent;
(g) right to restriction of processing;
(h) right to data portability;
(i) right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or significantly affects you;
(j) right to object to commercial prospecting, including profiling; and
(k) right to issue directives concerning the retention, erasure and communication of your data after death.
11.2 You can exercise these rights at any time by emailing privacy@au.naos.com, via our contact form or by postal mail to the address: Suite 3.01, Level 3, 22 Gordon St, Cremorne VIC 3121.
11.3 You will receive a response within one month from the receipt of your request.
11.4 We reserve the right not to follow up on requests that are clearly unfounded, in accordance with applicable regulations. You will be informed of any refusal made by us.
12. Contact Information
12.1 NAOS welcomes your comments or questions regarding this Policy.
12.2 If you have a question regarding this Policy or you would like to make a complaint, please contact us by email by using the details below.
12.3 If you reside in the European Union or EFTA States, the data controller that is responsible for your Personal Data is:
NAOS Australia Pty Ltd (ACN 635 284 276)
Email: privacy@au.naos.com
Address: Suite 3.01, Level 3, 22 Gordon St, Cremorne VIC 3121
12.4 If you wish to raise a concern about our use of your information you have the right to do so with your local supervisory authority.
13. Changes to this Policy
13.1 This Policy is subject to occasional revision and NAOS reserves the right, at its sole discretion, to modify or replace any part of this Policy. It is your responsibility to check this Policy periodically for changes. Continued use of our Services including the Website shall indicate your acknowledgement that it is your responsibility to review the Policy periodically and become aware of any modifications. We may amend this Policy from time to time.
13.2 Not all changes to our Policy will require your consent, for example where office security procedures are changed. We will notify you of any change to our information handling policy that requires your consent before being implemented.
