Privacy Policy
Last Updated: September 25, 2025
This Privacy Policy describes how Tower 28 Beauty, Inc and our brands and subsidiaries (“Tower28”, “we”, “us”, or “our”) collect, use and share information about you. This policy applies to information we collect when you use our websites, apps, shop in our online stores or otherwise interact with us as described below (collectively, the “Site”). We may change this Privacy Policy from time to time. If we make material changes to this policy, we will notify you by revising the date at the top of this policy and, where required by applicable law, we will obtain your consent or provide you with additional prominent notice (such as adding a statement to the homepages of our websites or sending you an email notification). We encourage you to review the Privacy Policy whenever you interact with us to stay informed about our information practices and the ways you can help protect your privacy. Capitalized terms not defined herein shall have the meanings ascribed thereto in our Terms of Service.
ACCEPTANCE OF THESE TERMS
By using this Site, you signify your acceptance of this policy and any changes to this policy. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.
PERSONAL DATA WE COLLECT
Tower28 collects Personal Data directly from you, automatically when you use our Site, or interact with us, and from third parties. The definition of “Personal Data” depends on the applicable law of where you reside. For purposes of this policy, “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual or household. This does not include aggregated or de-identified information that is maintained in a form that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual or household.
Personal Data You Provide to Us. We ask you for certain Personal Data to provide you with the products or services you request. The Personal Data we collect from you depends on how you use our Site or otherwise interact with us. For example, we collect information when you use our websites, shop in our online stores, call us on the phone, create an online account, join our subscription and loyalty programs, sign up to receive our emails, participate in a sweepstakes, contest, promotion or survey, communicate with us via third-party social media sites, request customer support, apply for a job or otherwise communicate with us. The categories and types of Personal Data we may collect include:
Identifiers. Your name, email address, phone number, date of birth, and other identifiers, as well as any personal and demographic information that you share with us, such as photos and images you provide to us or post to social media, and product preferences. When you make a purchase, we collect your payment or credit card information and shipping and billing address.
Commercial Information. We collect information about your purchases, favorites, and items that you view or add to your cart, or other purchasing or consuming histories or tendencies.
Communications. When you communicate with us, we collect your contact details and keep a record of the communications, as well as our responses. We also maintain records of information that you post on our social media channels, and information you provide to us related to any customer support requests.
Physical Characteristics. Including skin tone and type, hair color and type, eye color, and other beauty profile information you provide.
Health Information. Including information you choose to provide regarding skin conditions in connection with product recommendations.
Payment Information. Processed securely via third-party payment processors (we do not store full credit card details).
User Content. Including your communications with us and any other content you provide (such as social media profiles, photographs, images, videos, survey responses, comments, product reviews, testimonials, and other content).
Information We Collect Automatically. We and our third-party service providers automatically collect certain information about you when you access or use our Site or transact business with us, including the following categories and types:
Device information. When you interact with our Site, we collect technical information about your device including your IP address; unique identifiers; unique device identifier and device type; domain, browser type, version, and language; operating system and system settings; general location information and time zone; and similar device and usage information.
Online Activity and Browsing Information. We use cookies, log files, pixel tags, software development kits (“SDKs”) and other tracking technologies to automatically collect information about your interaction with our websites and apps and communications you receive from us. This information includes links clicked, page views, purchases, searches, features used, items viewed, time spent within the Site, information uploaded, items you add to your cart and your interactions with others within the Platform. For more information, see the “Cookies” section below.
Inferences. Inferences drawn from or created based on any of the information identified above.
Retention and Transfer of Personal Data. We retain Personal Data that you provide us as long as we consider it potentially useful in contacting you about our products and services, or as needed to comply with our legal obligations, resolve disputes and enforce our agreements. In some cases we may delete Personal Data at an earlier date. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, whether we can achieve those purposes through other means, and the applicable legal requirements. We will delete this information from the servers at an earlier date if you so request by unsubscribing, opting-out, or emailing us at hey@tower28beauty.com.
Personal Data may be transferred to and stored on secure servers in the United States. For users in the European Economic Area (EEA), we ensure appropriate safeguards are in place for such transfers in accordance with applicable data protection laws.
COOKIES AND SIMILAR ONLINE TRACKING TECHNOLOGIES
We and our third-party partners and service providers (such as advertising networks, analytics providers and social media platforms and networks) use pixels, web beacons, software developer kits, third-party libraries, cookies, and other similar online tracking technologies (collectively, “online tracking technologies”) to gather information when you interact with our Sites, or email communications. Some online tracking technologies help us maintain the security of our websites and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.
We also permit third parties and service providers to use online tracking technologies on our Sites for analytics and advertising, including to help manage and display advertisements, to tailor advertisements to your interests, or to send abandoned shopping cart reminders (depending on your communication preferences). The third parties and service providers use their technology to provide advertising about products and services tailored to your interests which may appear on our Sites, on other websites, or in our email communications.
To the extent these online tracking technologies are deemed to be a “sale” / “sharing” (which includes targeted advertising, as defined under the applicable laws) under applicable U.S. state laws, you can opt out of these online tracking technologies by submitting a request via email to hey@tower28beauty.com. Please note, some features of our websites may not be available to you as a result. For Google Analytics, you may opt out on your end by going to tools.google.com/dlpage/gaoptout or by downloading the Google Analytics Opt-out Browser Add-on. You may adjust your Google advertising settings by visiting adssettings.google.com.
Please see our Cookie Policy at https://www.tower28beauty.com/cookie-policy for more information regarding how we use cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of our websites. If you would like to opt out of the collection and use of tracking data for ad targeting, please visit www.aboutads.info/choices/.
USE OF PERSONAL DATA
We may use information about you for various purposes, including to: (i) facilitate and improve your online shopping experience; (ii) provide the products and services you request, process transactions and send you related information, including confirmations and receipts; (iii) respond to your comments, questions and requests and provide customer service; (iv) communicate with you about products, services, offers, promotions, rewards and events and provide news and information we think will be of interest to you; (v) manage your online account(s) and send you technical notices, updates, security alerts and support and administrative messages; (vi) personalize your online experience and provide advertisements, content or features that match your profile and interests; (vii) monitor and analyze trends, usage and activities; (viii) process and deliver contest, promotion and sweepstakes entries and rewards; (ix) link or combine with information we get from others to help understand your needs and provide you with better service; and (x) carry out any other purpose for which the information was collected. We are based in the United States and the information we collect is governed by U.S. law.
SHARING OF PERSONAL DATA
We may share information about you as follows: (i) with vendors, consultants and other service providers who need access to such information to carry out work on our behalf; (ii) with our business partners and other third parties for purposes of sending their own direct mail, only where you have provided explicit consent for such sharing; (iii) in response to a request for information if we believe disclosure is in accordance with any applicable law, regulation or legal process or as otherwise required by any applicable law, rule or regulation; (iv) if we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of us or any third party; (v) in connection with, or during negotiations of, any merger, sale of company assets, financing or transfer of all or a portion of our business to another company; or (vi) with your consent or at your direction. We may also share aggregated or de-identified information, which cannot reasonably be used to identify you.
We use Shopify to power our online store--you can read more about how Shopify uses your Personal Data here: https://www.shopify.com/legal/privacy.
We also use Google Analytics to help us understand how our customers use the Site -- you can read more about how Google uses your Personal Data here: https://www.google.com/intl/en/policies/privacy/. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
ADVERTISING AND ANALYTICS
We engage third parties to serve advertisements on our behalf across the Internet and to provide analytics services. These entities may use cookies, web beacons and other technologies to collect information about your use of our websites, such as your IP address, web browser, pages viewed, time spent on pages, links clicked and conversion information. This information may be used by us and others, with your consent where required by law, to analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our websites and other websites and better understand your online or offline activity. You have the right to withdraw your consent or opt out of personalized advertising at any time through our preference center or by contacting us. We may also work with third parties to serve ads to you as part of a customized campaign on other websites or platforms.
LINKS TO 3RD PARTY WEBSITES
Our Site may contain links to other websites. Our Privacy Policy does not apply to the practices of other websites and Tower28 is not responsible for the actions and privacy policies of third parties. We encourage you to be aware of when you leave our Site and to read the privacy policies of each website that you visit.
SECURITY
We take reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. We use organizational, procedural, and technical safeguards to secure data in our possession, consistent with the sensitivity level of such data. When sensitive information (such as credit card data) is collected on our Site, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol, and may be processed by third parties using similar levels of protection. Regardless of the precautions we take, no transmission of data over the internet is guaranteed to be completely secure. It may be possible for third parties not under our control to intercept or access transmissions or private communications unlawfully. While we strive to protect Personal Data, we cannot ensure or warrant the security of any information you transmit to us.
CROSS-BORDER TRANSFERS OF YOUR DATA
If you live outside of the United States, you should know that as a global organization, some recipients of your Personal Data may be located abroad, including outside the USA, and that the data privacy and security requirements in other countries, including the USA, may not offer the same level of protection as the requirements in your home country. Nevertheless, Tower28 and its partners have implemented measures that are designed to ensure an equivalent level of protection for your data, irrespective of where it is located or stored, and in compliance with applicable regulations relating to the protection of Personal Data.
YOUR PERSONAL DATA CHOICES AND CONTROL
You may be able to exercise certain privacy rights. The rights available to you depend on our reason for processing your Personal Data and the requirements of applicable law (i.e., your rights will vary depending on whether you are located in, for example, the European Union, the United Kingdom, Brazil, or US states). Regulations include the General Data Protection Regulation “GDPR” (European Union); Personal Information Protection and Electronic Documents Act “PIPEDA” (Canada); Lei Geral de Proteção de Dados “LGPD” (Brazil); Protection of Personal Information Act “POPIA” (South Africa); California Consumer Privacy Act “CCPA”; California Privacy Rights Act “CPRA” (California); Colorado Privacy Act “CPA” (Colorado); Utah Consumer Privacy Act “UCPA” (Utah); Virginia Consumer Data Protection Act “VCDPA” (Virginia); Connecticut Data Privacy Act “CTDPA” (Connecticut). Specifically, you may have the following rights:
Right to Access (PIPEDA, GDPR Article 15, CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA, LGPD, POPIA) You may have the right to obtain from us confirmation as to whether Personal Data is processed, and, where that is the case, to request access to the Personal Data. Depending on where you are located, you may also have the right to information about public and private entities with which the controller has disclosed personal data.
Right to Rectification (PIPEDA, GDPR Article 16, CPRA, CPA, VCDPA, CTDPA, LGPD, POPIA) You may have the right to request that we correct any Personal Data about you that is inaccurate. Depending on the purpose of the processing, you also have the right to request that we complete the Personal Data we hold about you where you believe it is incomplete, including by means of providing a supplementary statement.
Right to Portability (PIPEDA, GDPR Article 20, LGPD) You may have the right to request that we transfer the Personal Data we have collected about you to another organization, or directly to you, in a structured, commonly used, and machine-readable format, under certain conditions.
Right to be Forgotten (right to erasure) (GDPR Article 17, CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA, LGPD, POPIA) You may have the right to request the deletion of your Personal Data we have collected from you, subject to certain conditions and limitations under the law.
Right to Restriction of Processing (GDPR Article 18, LGPD) You may have the right to restrict our processing of your Personal Data under certain circumstances. In this case, we will not process your Data for any purpose other than storing it.
Right to Opt Out (CPRA, CPA, VCDPA, CTDPA, UCPA) You may have the right to opt out of the processing of your Personal Data for purposes of: (1) Targeted advertising; (2) The sale of Personal Data; and/or (3) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. Under CPRA, you have the right to opt out of the sharing of your Personal Data to third parties and our use and disclosure of your Sensitive Personal Data to uses necessary to provide the products and services reasonably expected by you.
Right to Objection (GDPR Article 21, LGPD, POPIA) Where the legal justification for our processing of your Personal Data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for processing which override your interests and rights, or if we need to continue to process the Personal Data for the establishment, exercise or defense of a legal claim.
Nondiscrimination and Nonretaliation (CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA) You have the right not to be denied service or have an altered experience for exercising your rights.
File an Appeal (CPA, VCDPA, CTDPA) You have the right to file an appeal based on our response to you exercising any of these rights. In the event you disagree with how we resolved the appeal, you have the right to contact the attorney general located here:
If you are based in Colorado, please visit this website to file a complaint.
If you are based in Virginia, please visit this website to file a complaint.
If you are based in Connecticut, please visit this website to file a complaint.
File a Complaint (GDPR Article 77, LGPD, POPIA) You may have the right to bring a claim before your competent data protection authority.
If you are based in the EEA, please visit this website (https://edpb.europa.eu/about-edpb/about-edpb/members_en) for a list of local data protection authorities.
Right to Withdraw Consent: Where we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time with future effect. Depending on where you are located, you may also have the right to request deletion of personal data that was processed based on your consent, or the right to know the consequences of revoking your consent. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
Right to limit the use and disclosure of sensitive Personal Data: We will only use sensitive or special Personal Data as needed for the purposes for which it was collected or with your consent. We do not currently process sensitive Personal Data for purposes that may be limited under applicable law. If this changes, we will notify you, and you may have the right to restrict such additional uses.
Right to obtain a list of third parties to which Personal Data was disclosed. You can email us for a list of the subprocessors who may process data in order to provide our offerings.
Nevada Residents
Tower28 does not ‘sell’ personal information as defined under Nevada’s consumer privacy law (SB 220). As an added assurance to individuals who entrust their Personal Data to us, you may email us at hey@tower28beauty.com and include the reference line “Nevada Do Not Sell” with your privacy request. We may contact you for additional information in order to process your request.
Use of Global Privacy Controls
Tower28 also honors requests from California and Virginia residents that are submitted to us via the Global Privacy Controls feature offered through certain browsers. In accordance with those laws, we naturally will take steps to verify the request.
EXERCISING YOUR RIGHTS
To exercise any of your rights as set out above, please contact us: (i) by mail at Tower 28 Beauty, Inc., 2633 Lincoln Blvd., Suite 108, Santa Monica, CA 90405; or (ii) by email at hey@tower28beauty.com. Please note that you will need to verify your identity before we can fulfill your request. Your request must: (i) provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Data or an authorized representative of that person; and (ii) describe the request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We will only use Personal Data provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We will respond to your verifiable request within any prescribed timelines. In some regions, there may be limitations on how often a request relating to Personal Data may be submitted. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection law. We may ask you to verify your identity in order to help us respond efficiently to your request.
CHILDREN
We do not knowingly collect any Personal Data from children under the age of 16 in the EEA or California, or under the age of 13 in other jurisdictions. If we learn we have collected or received Personal Data from a child without verification of parental consent where required by applicable law, we will delete that information. We do not sell products for purchase by children and all children’s products we sell are for purchase by adults only. If we learn we have collected or received Personal Data from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at hey@tower28beauty.com.
CALIFORNIA PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
This supplemental notice describes additional rights afforded to California residents under the California Privacy Rights Act ("CPRA" formerly known as CCPA) and its regulations, beyond those described in our main Privacy Policy above.
Tower28 uses and collects your information for the purposes described in this Privacy Policy, which include “business purposes” under the CPRA. We do not and will not sell your Personal Data. However, the CPRA’s definition of “sale” is very broad, and may include situations where browsing data is sent to referral advertisers (when you click on an ad that sends you to Tower28, we may send a hashed identifier to the referring site so they can receive credit for the referral). We, along with millions of other sites, may use these services from time to time. While we limit the information sent to what is needed to properly record the referral, the fact that you clicked on the link and visited Tower28 may be added to your profile by the ad publisher. This is all done on the Site primarily through targeted advertiser cookies, and if you opt out of the sale of your Personal Data, we will turn them off. You may opt out of all “sales” of your Personal Data on the Do Not Sell my Personal Information https://www.tower28beauty.com/do-not-sell page.
Information We Collect
As required by the CPRA, the following table details the categories of Personal Data we have collected in the last 12 months, as defined by California law:
Category | Examples | Collected
A. Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | Yes
B. Personal Data Categories – as listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Data included in this category may overlap with other categories. | Yes
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | Yes
D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Yes
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | No
F. Internet or other similar network activity. | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | Yes
G. Geolocation data. | Physical location or movements. | No
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | No
I. Professional or employment-related information. | Current or past job history or performance evaluations. | No
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | No
K. Inferences drawn from other Personal Data. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Yes
L. Equipment information. | Information about your internet connection, the equipment you use to access our Site, and usage details. | Yes
Personal Data does not include:
Publicly available information from government records.
Deidentified or aggregated consumer information.
Information excluded from the CCPA’s scope, like:
health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
Personal Data covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
Information You Provide to Us
Tower28 collects and processes the categories of Personal Data listed above from the following categories of sources, and we only collect and process this information where we have a valid legal basis to do so:
Directly from you. For example, from forms you complete or products and services you purchase.
Indirectly from you. For example, from observing your actions on our Site.
As further described in the Personal Data We Collect section above.
How We Use Your Information
We may use or disclose the Personal Data we collect as described in the "Use of Personal Data" section above.
Disclosure of Your Information
We do not sell, trade, or rent Users' Personal Data to others and we have not done so during the preceding twelve (12) months.
Our disclosure practices for California residents align with the general disclosure practices described in the "Sharing of Personal Data" section above. All such disclosures are made for business purposes as defined by the CPRA.
In the preceding 12 months, we have disclosed Personal Data from categories A (Identifiers), B (Customer Records), D (Commercial Information), and F (Internet Activity) for business purposes as described above. We retain this information for only as long as necessary to fulfill the purposes for which it was collected.
Rights Under CPRA
You have the rights regarding your Personal Data as described in the "Your Personal Data Choices and Control" section above.
Submitting a Request
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a request related to your Personal Data. You may also make a verifiable consumer request on behalf of your minor child.
The verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative of a California resident who wishes to make a request.
We may not be able to respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. We will inform you if we cannot verify your identity or authority and explain the reasons for our inability to verify. Making a verifiable consumer request does not require you to create an account with us. We will ask you for the email information that you used to interact with us, to sign up for a loyalty program or emails, or to make purchases, to help verify your identity or authority to make the request and confirm that your information is in our system. Information provided to submit a request will only be used for request purposes.
California consumers may make requests by either:
Emailing your request to hey@tower28beauty.com with "California Privacy Rights Request" in the subject line; or
Calling the toll-free number listed below in our Contact Us section.
Timing
We will respond to a verified consumer request within 45 days of receipt. If we require more time, we will inform you of the reason and extension in writing. You may only make a request for access or data portability twice within a 12-month period.
Other California Privacy Rights
California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Site that are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please send an email to hey@tower28beauty.com; or write us at:
Tower 28 Beauty, Inc., 1902A Lincoln Blvd., #108, Santa Monica CA, 90405, United States.
CONTACT US
If you have any questions about this Privacy Policy, the practices of this Site, or your dealings with this Site, please contact us: (i) by mail at Tower 28 Beauty, Inc., 1902A Lincoln Blvd., #108, Santa Monica CA, 90405, United States; (ii) by email at hey@tower28beauty.com; or (iii) by phone at (833) 217-2685.