DERMALOGICA (CANADA) LTD.
PRIVACY POLICY
Currency: February 1, 2009
At DERMALOGICA (CANADA) LTD. (“Dermalogica”, “we”, “our” or “us”), we are committed
to protecting the privacy and the confidentiality of personal information of our
customers (“Customers”). In order to comply with applicable privacy legislation
and to instil confidence in our Customers that the personal information they entrust
to us is safe, we have developed this Privacy Policy. We want our Customers to know
why we ask for their personal information, how we use it, what safeguards we employ
and how to contact us with privacy-related questions.
In this Privacy Policy, “Personal Information” means information that specifically
identifies a Customer as an individual and is provided to or collected by Dermalogica.
The type of personal information Dermalogica collects, uses and discloses may include
a Customer’s name, age, gender, residential mailing address, residential phone numbers
or email addresses, financial, credit and banking information. Personal Information
does not, however, include a Customer’s business title, business address or business
telephone number in such individual’s capacity as an employee of an organization
or enterprise.
I. IDENTIFYING THE PURPOSES AND USE OF PERSONAL INFORMATION
Before collecting any Personal Information, Dermalogica will identify why the Personal
Information is required and how it will be used. This Personal Information is documented
and kept on file at Dermalogica’s offices. Dermalogica will obtain the Customer’s
consent before using or disclosing Personal Information for purposes other than
the original reasons given. Dermalogica collects and uses a Customer’s Personal
Information for the following purposes:
- Collecting, recording and using Personal Information relevant to the performance
of the services rendered to and for a Customer;
- Recording and determining the services received by a Customer during his or her
relationship with us;
- Administration, billing, accounting and collection in relation to a Customer’s relationship
with us;
- Protecting against fraud and error;
- Offering a Customer additional products and services which may be of interest to
such Customer;
- Communicating with a Customer generally or to ensure Customer satisfaction;
- Improving the goods and services offered to Customers in the future;
- Communicating Personal Information to an agent, intermediary or other third party
during the course of a contract or mandate for the performance of any of the purposes
listed in this Privacy Policy;
- Complying with all applicable laws; and
- Such other specific purposes which are communicated to a Customer by Dermalogica
and its representatives before collection of the Personal Information.
We may use, share and disclose a Customer’s Personal Information to our affiliates,
associates, agents, suppliers and such other third parties as Dermalogica, acting
reasonably, may deem necessary for the fulfillment of the purposes noted above or
where otherwise permitted by law. In the unlikely event that Dermalogica or substantially
all of its assets are acquired by a third party, a Customer’s Personal Information
may be one of the assets transferred to such third party.
II. CONSENT
Except in certain extraordinary circumstances, Dermalogica does not collect, use
or disclose a Customer’s Personal Information without their knowledge and consent.
Such extraordinary circumstances may include, without limitation, when legal, medical
or security reasons make it impossible or impractical to obtain consent. A Customer’s
consent will be obtained at the time of collection of the Personal Information,
or when a new use for the Personal Information is identified. A Customer may withdraw
their consent at any time, subject to any legal or contractual restrictions and
on the provision of reasonable notice to Dermalogica. If a Customer chooses to withdraw
his or her consent, he or she is required to do so in writing to the Chief Compliance
Officer (please see section VII of this Privacy Policy). Any implications to withdrawing
consent will be explained to the Customer at the time written notice of such withdrawal
is received by Dermalogica. Such implications may include, but are not limited to,
a breakdown, interruption or cessation of Dermalogica’s relationship with the Customer.
By retaining the services of Dermalogica, Customers have consented to the disclosure
of their Personal Information to a third party in the circumstances, or for the
purposes, set out in this Privacy Policy.
III. LIMITING COLLECTION
Dermalogica limits the collection of a Customer’s Personal Information to that which
is necessary for the purposes identified in this Privacy Policy, or for any additional
purpose identified to the Customer before collection of the Personal Information.
IV. LIMITING USE, DISCLOSURE AND RETENTION
Personal Information is not used or disclosed for purposes other than those for
which it was originally collected, except with the consent of the Customer, or as
permitted by law. Personal Information is only retained as long as may be necessary
for the fulfillment of these purposes, or to meet government requirements, whichever
is longer, following which it is destroyed, erased, or rendered anonymous.
V. ACCURACY
Dermalogica strives to ensure that a Customer’s Personal Information is as accurate,
complete and up to date as necessary for the purposes for which it is used. Information
is updated only when necessary to fulfill specified purposes.
VI. SAFEGUARDS
Dermalogica has security safeguards in place designed to protect against loss, theft,
unauthorized access, disclosure, copying, use or modification of Personal Information
under the care of Dermalogica. The nature of the safeguards depends on the sensitivity,
format, location and storage of the Personal Information. These security measures
may from time to time include locked cabinets, computer passwords, software firewalls
to stop hackers, encryption software, restricting access to Personal Information
to only those employees or representatives who have a need to know and, if deemed
necessary by Dermalogica in its sole discretion, confidentiality covenants from
third parties to whom Personal Information has been disclosed. E-mail and the internet
are not a 100% secure medium, and Customers should be aware of this when contacting
us to send Personal Information. Dermalogica may collect user information from www.dermalogica.ca,
www.dermalinstitute.ca, http://education.dermalogica.ca and http://education.dermalinstitute.ca
(the “Sites”) (for example, via cookies which are alphanumeric identifiers transmitted
from a website to a visitor’s browser and IP address). This information is used
solely for enabling us to provide you with a customized online experience and to
find ways to improve our website. Although cookies are widely used, it may be possible
to disable cookies via your browser settings. However, in so doing, some websites
may not function properly or optimally. The Sites may contain links to other third
party sites that are not governed by this privacy policy. Although we endeavour
to link only to sites with high privacy standards, our Privacy Policy will no longer
apply once you leave the Sites (www.dermalogica.ca and www.dermalinstitute.ca).
We are not responsible for privacy policies employed by other third parties or any
foreign affiliates, since they would be governed by privacy legislation applicable
in their country of residence. We suggest, therefore, that you examine the privacy
statements of those sites to learn how personal information may be collected, used
and/or disclosed.
VII. ACCOUNTABILITY AND OPENNESS
Dermalogica is responsible for the Personal Information under its control and has
appointed a Chief Compliance Officer to ensure that we comply with all applicable
privacy legislation and the terms of this Privacy Policy. Personal Information provided
to third party service providers with whom Dermalogica has a contractual agreement
will have levels of protection comparable to the internal protection of Personal
Information maintained at Dermalogica. The Chief Compliance Officer addresses and
investigates questions or concerns regarding a Customer’s Personal Information.
The Chief Compliance Officer may be reached by mail at 720 King Street West, Suite
300, Toronto, Ontario M5V 2T3, Attention: Chief Compliance Officer, or by email
at privacy@dermalogica.ca. A copy of this Privacy Policy, and any future updates
or amendments hereto, are available at the Sites and upon request from Dermalogica.
VIII. INDIVIDUAL ACCESS
Upon written request of a Customer, Dermalogica will provide such Customer with
access to his or her Personal Information. Dermalogica will correct or amend any
inaccuracies in the Customer’s Personal Information, and such amended information
will be forwarded to any third parties who require access to the information. Dermalogica
has the right to refuse a request for access to Personal Information:
- If the information is protected by legal privilege;
- If granting access would reveal confidential commercial or financial information;
- If doing so would reasonably be expected to threaten the life or security of another
individual;
- If the information was collected for purposes related to the detection and prevention
of fraud;
- If the information was generated in the course of a formal dispute resolution process;
- If the information would likely reveal Personal Information about another Customer;
- If the request is vexatious or frivolous; and/or
- To protect Dermalogica’s rights and property.
If the request of a Customer for such individual’s Personal Information is denied,
the individual will be informed in writing of the reasons for the denial, as well
as any recourse available to such individual. Access to a Customer’s Personal Information
will be at no cost to such Customer. Minimal charges may apply, however, for the
transcription, reproduction or transmission of documents containing Personal Information.
IX. CHALLENGING COMPLIANCE
If a complaint (“Complaint”) regarding Dermalogica’s handling of Personal Information
is received, an individual (the “Investigator”) with the skills necessary to conduct
an investigation fairly and impartially will be assigned. The Investigator will
have access to all relevant records and will be permitted to speak with employees
of Dermalogica who handled the Personal Information access request. The complainant
will receive notification of the outcome of the investigation clearly and promptly.
Any inaccurate Personal Information or policy/procedure changes will be modified,
if necessary, based on the outcome of the Complaint.
X. CURRENCY OF THIS PRIVACY POLICY
Dermalogica reserves the right to change this Privacy Policy at any time and from
time to time. Any changes or additions to section I of this Privacy Policy regarding
those situations where Dermalogica will collect, use or disclose Personal Information
will not apply to a Customer without the prior consent of such Customer. All Customers
are encouraged to contact Dermalogica to determine if any updates have been made
to this Privacy Policy.