
Community Campaign Privacy Policy

Privacy Policy – Consumer Product Testing Program

Effective Date: 29/05/25
Company Name: BYOMA
Contact: dpo@byoma.com

We value your privacy. This Privacy Policy explains how BYOMA (“we,” “our,” or “us”) collects, uses, and protects your personal data when you apply to and participate in our consumer product testing program.

This policy applies to individuals participating from the UK, EU, and United States.

 

1. Who We Are

BYOMA is the controller of your personal data. We process your data in accordance with:

  • The UK GDPR and Data Protection Act 2018 (for UK residents)
  • The EU GDPR (for EU residents)
  • Relevant U.S. state privacy laws, such as the California Consumer Privacy Act (CCPA/CPRA), where applicable

 

2. What Personal Data We Collect

As part of the product testing program, we may collect the following:

  • Contact details: name, email address, shipping address (for test products)
  • Demographic data: age range, gender, skin type or concerns
  • Photographs: initial selfie and progress photos and videos during the trial
  • Feedback: written comments or survey responses
  • Marketing consent: your permission to use photos/videos/testimonials publicly

 

Special Category Data

We also collect the following special category data:

  • Health information, including any medical conditions (e.g., presence of skin conditions such as acne, rosacea, eczema) and skin type (e.g., oily, dry, sensitive), and any changes to these reported during the product testing program.

This may be collected through completion of questionnaires and feedback from participants including written feedback, photos and videos.


 

 

3. Why We Collect Your Data (Purposes & Legal Bases)

| Purpose | Legal Basis (UK/EU GDPR) | Legal Basis (U.S. laws) |
|---|---|---|
| Assess eligibility for participation | Legitimate interest | Business purpose, namely, Research and Development, Marketing and Advertising Activities, and Data Analysis and Insights |
| Ship products and communicate with you | Contractual necessity | Business purpose, namely Operational and Compliance Obligations |
| Collect product feedback and monitor skin response | Legitimate interest | Business purpose, namely, Research and Development, Marketing and Advertising Activities, and Data Analysis and Insights |
| Use your images/testimonials on our website or social media | Consent | Consent |
| Maintain records of consent and interactions | Legal obligation / Legitimate interest | Business purpose, namely Legal and Compliance Obligations and Auditing Purposes |

 

Special Category Data

| Purpose | Legal Basis (EU/UK GDPR) | Legal Basis (U.S. laws) |
|---|---|---|
| Collection and analysis of data regarding participants’ skin condition and health | Consent | Consent |

 

4. How We Use Your Photos and Data

  • We use your photos and videos to assess product performance and gather insights during the trial.
  • If you give explicit, opt-in consent, your images or quotes may be used in our marketing content, including:
    • Instagram, TikTok, Facebook, or our website
  • Photos, videos and feedback will never be used in marketing without your prior consent.

5. How We Store and Protect Your Data

  • Data is stored securely on encrypted servers, with access restricted to authorised personnel only.
  • Progress photos and videos are used only internally unless consent is provided for external use.
  • We use contractual agreements with service providers (e.g., cloud storage, email systems) to ensure data protection compliance.

 

6. How Long We Keep Your Data

Data is retained only for the minimum time necessary and is securely deleted or, when legally permissible, anonymised when no longer needed.

| Data Type | Retention Period |
|---|---|
| Questionnaire and Submission data of unsuccessful applicants | Up to 12 weeks from receipt |
| Application and test data of successful applicants | Up to 6 months after trial ends |
| Photos and videos used in internal testing only | Up to 6 months after trial ends |
| Marketing photos (if consent given) | Retained indefinitely or until consent is withdrawn |

You may request deletion at any time (see Section 8).

 

7. Who We Share Your Data With

We do not sell your personal data.

We may share it with:

  • Service providers for fulfilment, hosting, communication, and analytics
  • Marketing partners (only if you consent to marketing use)
  • Regulators or authorities where required by law

All service providers and marketing partners are subject to contractual data protection obligations.

 

8. Your Rights

Depending on your location, you have the following rights:

UK/EU Residents (under GDPR):

  • Access your data
  • Correct or update inaccuracies
  • Withdraw consent
  • Request erasure (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability
  • Lodge a complaint with the ICO (UK) or your local data protection authority

U.S. Residents (including California):

  • Request to know what personal data we have
  • Correct or update inaccuracies
  • Request deletion of your data
  • Opt-out of sale (not applicable here, as we do not sell data)
  • Non-discrimination for exercising your privacy rights

To exercise any rights, contact us at: dpo@byoma.com

You will be required to submit information about yourself that we will use to determine if we have information about you. If we are able to locate information about you, then we will fulfil your request.

9. International Transfers

If data is transferred outside of your country (e.g., to the U.S. or UK), we ensure adequate safeguards are in place, including:

  • Standard contractual clauses (SCCs) for EU/UK transfers
  • Data processing agreements with vendors

 

Contact Us

If you have questions about this policy or how your data is handled:

Email: dpo@byoma.com