L'OREAL NEW ZEALAND PRIVACY POLICY

L’Oréal is committed to protecting the privacy of individuals and is bound by the Information Privacy Principles (IPPs”) set out in the Privacy Act 2020 (“the Act”). L’Oréal will only collect, use or disclose personal information in accordance with the Act and this privacy policy. L’Oréal will not use or disclose personal information of an individual except as permitted by the relevant individual or the Act. A copy of the Act, the IPPs and the Privacy Commissioner’s Guidelines to the IPPs are available from the Privacy Commissioner at www.privacy.org.nz. The 13 IPPs are defined as follows: 1. Purpose of collecting personal information. 2. Source of personal information. 3. Collecting information from subject. 4. Manner of collecting personal information. 5. Storage and security. 6. Access to personal information. 7. Correcting personal information. 8. Accuracy to be checked before use. 9. How long personal information is held. 10. Limits on use of personal information. 11. Limiting disclosures of personal Information. 12. Disclosure of personal information outside New Zealand 13. Unique identifiers.

L’Oréal will, from time to time, collect personal information.

The types of personal information L’Oréal collects and the purposes for which that personal information is used will depend on the circumstances. We give examples below of the typical information L’Oréal collects in given situations. 2.1 Employees

L’Oréal may collect personal information from its employees in connection with their employment. Personal information includes an employee’s name, address, date of birth, photographs, bank account details and employee records.

Any personal information obtained and held by L’Oréal directly related to an employee’s employment with L’Oréal will be exempt from compliance with the Act. L’Oréal may be required to disclose the personal information of its employees, from time to time, for the purposes of conducting its business or otherwise in accordance with this policy.

L’Oréal may, from time to time, obtain sensitive information about its employees, either directly or indirectly. Where L’Oréal comes into possession of sensitive information relating to an employee, this information will only be used for the purposes for which it was obtained.

In the ordinary course of its business, L’Oréal may be required, from time to time, to transfer the personal information of employees overseas in accordance with clause 4 of this privacy policy. 2.2 Consumer

L’Oreal sometimes collects personal information about consumers. This information includes name, contact information (including postal and email address and telephone numbers), gender, age, product preferences and purchasing histories of consumers. We use that information to assist in the supply of products and services for promotional purposes and for our internal administrative purposes. We may also use personal information for marketing, although we will not do so if the person concerned indicates to us that they do not wish to receive marketing material from us.

Personal information of consumers is not usually disclosed by L’Oreal to third parties. 2.3 Web Site Users

Typically, L’Oréal collects personal information from visitors to the L’Oréal web site such as name, contact information (including postal and email address and telephone numbers), gender, age or age group and credit card details. Depending on the purpose for which we sought that information, we may use it to supply goods and services and for our internal administrative purposes related to that supply, or to enter people in promotions and competitions. We may also use personal information for marketing, although we will not do so if the person concerned indicates to us that they do not wish to receive marketing material from us.

L’Oréal may also collect “clickstream” information (such as which areas of the web sites you have accessed, the time and date of access, the type of browser software used, the visitor’s IP address and the previous web site that visitor has linked to the site from) from a visitor’s use of our web sites. We may also store “cookie” information (such as user preferences relating to a visitor’s use of the web site) on the visitor computer. That information is used to customize and improve L’Oréal web sites.

L’Oréal does not use cookies to retrieve from a visitors’ computer information that was not originally sent by us. We do not allow for shared third party access to cookies placed by L’Oréal web sites. If visitors do not want us to store cookie information on their computer, they can adjust the settings on their Internet browser to disable this feature. However, parts of our web sites will not function if cookies have been disabled. 2.4 Applicants for Employment

L’Oréal collects a range of personal information about applicants for employment such as name, contact information (including postal and e-mail address and telephone numbers), employment and training history and any other information included as part of an application, resume or curriculum vitae. We may also obtain personal information from psychological or aptitude tests and from referees. We use all of that information only to assess a person’s suitability for available employment positions.

Applicants for employment agree to L’Oréal collecting, using and disclosing the information for the purposes for which it was disclosed and to the extent permitted by the Act.

Where L’Oréal holds personal information from a previous employment application, the applicant can request to access the personal information in accordance with clause 7 of this policy. The request must be provided to L’Oréal within a reasonable timeframe and must particularise the information sought and the purpose for which the information is sought. L’Oréal will provide access unless an exception to access applies under the Act.

L’Oréal will take reasonable steps to destroy all personal information it holds if the information is no longer required for the purpose for which it was obtained. 2.5 Suppliers, Purchasers, Customers and Contractors

The personal information L’Oréal collects about suppliers, purchasers or contractors who are individuals is typically name, contact information (including postal and e-mail addresses and telephone numbers), payment and banking details. We use that information for our transactions with that individual, our internal administrative purposes related to our relationship with that person as a supplier, purchaser or contractor and in building and managing our commercial relationship with them.

L’Oréal does not generally disclose personal information to third parties except:

• where third party contractors appointed by L’Oréal require access to personal information held by us to perform services for us on our behalf (such as marketing agencies, customer service, parties who provide credit card processing services and website data hosting);

• to our related companies;

• to our professional advisors, accountants, insurers, lawyers and auditors on a confidential basis;

• in the unlikely event that we, or any of our assets, are or may be acquired by a third party, to that third party and its advisors;

• in certain circumstances, to third parties that require information for law enforcement or to prevent a serious threat to public safety;

• where L’Oréal is required or authorised by law to disclose personal information; or

• with the consent of the individual concerned.

Where those third parties require access to personal information held by L’Oréal to perform those services, L’Oréal requires that our contractors are obliged to keep that personal information confidential and not to use or disclose it for any purpose other than performing services for us or on our behalf.

You should be aware that some information that you upload to parts of our websites or to social media pages may be available to be viewed by the public. You should use discretion in deciding what information to upload to such sites.

As L’Oréal is an international business, some information (including personal information) may be transferred to countries outside of New Zealand in the ordinary course of our business including to parties located in:

• Australia;

• the USA;

• Canada;

• Singapore;

• other countries in Asia;

• the UK and

• countries in the EU.

When L’Oréal discloses personal information outside of New Zealand we will comply with this privacy policy and other requirements of the Act.

L’Oréal will take reasonable steps to ensure the security of personal information that it holds.

Individuals have the right to seek access to personal information which L’Oréal holds about them and to request correction of that information.

There are a number of circumstances in which L’Oréal may decline to grant such access. These are set out in the Act. Those circumstances include, but are not limited to, where granting access would reveal evaluative information generated within L’Oréal in connection with a commercially sensitive decision making process, where granting access would prejudice negotiations with that individual, where granting access would reveal information relating to existing or anticipated legal proceedings which would not be discoverable in those proceedings or where the request for access is frivolous or vexatious.

If you have any questions or concerns about L’Oréal’s collection, use or disclosure of your personal information, or if you would like to access, update or correct the information we hold about you, please contact us (see section 9 of this policy).

L’Oréal will endeavor to acknowledge such requests as soon as possible and within at least 20 days.

If L’Oréal is required to or otherwise agrees to grant access to the personal information, it will endeavor to give access within 14 days. At that time, L’Oréal will notify the person concerned of the method by which it will give them access to the information.

If L’Oréal is not required to and elects not to grant access to the personal information, it will inform the individual concerned of the grounds on which it is not required to grant access and inform them of their options to seek to have that decision reviewed.

We may amend this privacy policy at any time and for any reason. The updated version will be available at www.loreal.co.nz. We may highlight changes to this policy on our websites, but you should check this policy regularly for changes.

If you are concerned that L’Oréal may have breached its privacy obligations, the Act or this privacy policy, please contact us (see section 9 of this policy).

All complaints will be taken seriously and will be assessed by an appropriate person with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information we may require.

If individuals are not satisfied with our handling of a complaint by them, they may refer the issue to the Privacy Commissioner at www.privacy.org.nz.

Privacy Policy (Effective until 31 May 2025) Contents

1. Who are we?

2. What information is covered by this Privacy Notice?

3. What information do we collect from you?

4. How do we use your personal information?

5. Do we use your personal information for direct marketing?

6. Sharing your data with third parties

7. Where do we transfer your personal information?

8. What are your rights (EEA residents only)?

9. Do we use CCTV?

10. How do we protect your personal information?

11. How long do we keep your personal information?

12. How do we deal with children's privacy?

13. How can you contact us?

14. Which version of this Privacy Notice applies?

Aesop is committed to protecting your privacy and ensuring the highest level of security for your personal information. This Privacy Notice explains the types of personal information we collect, how we use that information, who we share it with, and how we protect that information.

Please read the following carefully to understand our views and practices regarding your personal information.

1. Who are we?

This Privacy Notice applies to information that each of Emeis Cosmetics Pty Ltd, Aesop UK Limited and their parents, subsidiaries and affiliate entities worldwide (individually and collectively referred to herein as "Aesop", "we", "us" or "our") collects from you.

The personal information we collect is controlled by Aesop UK Limited, Hay's Galleria, 1 Hay's Lane, Hay's Lane House, 3rd Floor, London, SE1 2HD (registered number 05192303), Emeis Cosmetics Pty Ltd, 23 Waterloo Road, Collingwood VIC 3066, Australia, (ACN registration: 007 409 001) and the relevant local corporate affiliates. For the purposes of applicable data protection laws, the relevant Aesop entity as set out in section 14 below is a data controller of your personal information.

2. What information is covered by this Privacy Notice?

This Privacy Notice covers all personal information processed by Aesop which means information that (either in isolation or in combination with other information) enables you to be identified directly or indirectly.

3. What information do we collect from you?

We may collect information about you from the following sources:

3.1 Information we receive from you

We may collect personal information (such as your name, postal and email address, telephone number, date of birth, title, payment information, health and other information) that you provide to us when you:

• visit our website and register an account with us and/or purchase products through our website;

• fill out a profile card when visiting one of our Aesop retail stores or counters; and

• subsequently correspond with us.

3.2 Information we collect about you

When you visit our website, we may use cookies and other technologies to automatically collect the following information:

• technical information, including your IP address, your login information, browser type and version, details of any website which has referred you to our website, device identifier, location and time zone setting, browser plug-in types and versions, operating system and platform, page response times, and download errors;

• information about your visit, including the websites you visit before and after our website and products you viewed or searched for; and

• length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouseovers) and methods used to browse away from the page.

If your web browser is set up to accept cookies, a cookie will be stored on your hard drive when you visit Aesop's website. Cookies allow Aesop to collect information about your computer, which may include your IP address (a number assigned to your computer when you register with an Internet Service Provider), type of browser, operating system, domain name, and the details of any website which has referred you to our website. Aesop uses cookies to track and collect information about which parts of Aesop's website and newsletter (including links to other websites) are visited by you.

Cookies also allow Aesop to recognise your computer while you are on Aesop's website, and to send you to the country of origin and language you selected on your first visit to Aesop's site. This information is used to maintain the quality of our service and to provide tracking and statistics regarding the use of our website.

The types of cookies we use:

• Strictly necessary cookies that are required for the operation of our website, such as cookies that enable you to log into your account or make purchases, or cookies that enable us to comply with the law (for example, to keep your information safe). We would not be able to operate our website without using "strictly necessary" cookies.

• Performance cookies which recognise and count the number of users to our website and help us see how users move around our website. These cookies do not collect information that identifies a visitor. [Any information collected by these cookies is anonymous.] We only use such information to improve our website. This information helps us to find out how well the website is working and highlights where it can be improved.

• Functionality cookies which are used to recognise when you return to our website and assist us to personalise your content and website experience by remembering your preferences. These cookies are also used to provide services you have asked for (such as watching a video). By using our website, you agree that we can place these types of cookies on your device, however you can block these cookies using your browser settings (please see below).

• Targeting cookies which are used to record your visit to our website, the pages you have visited and the links you have followed. These cookies are used to advertise relevant products to you on other websites, based on the products and categories you looked at on our website.

We also use third party cookies of suppliers who set their own cookies on our website with our permission to improve customer experience and offer additional functionality. This website utilizes the online advertising program “Google AdWords” and the associated conversion tracking cookie is set on the user’s browser. The information collected by the conversion cookies are used to provide aggregate conversion statistics to AdWords clients who have opted-in for conversion tracking. They are not used to acquire personal information. If you do not want to allow these cookies on your device, you can deactivate the Google conversion-tracking cookie through your user settings in your internet browser.

We also use Google AdWords remarketing codes to log when users view specific pages or take specific actions on a website. This allows us to provide targeted advertising in the future. If you do not wish to receive this type of advertising from us in you can opt out using the DoubleClick opt-out page (http://www.google.com/settings/ads) or the Network Advertising Initiative opt-out page (http://www.networkadvertising.org/managing/opt_out.asp).

We will not disclose personal information we collect from you to third parties without your permission except to the extent necessary:

• to fulfil your requests for services;

• to protect ourselves from liability; or

• to respond to legal process or comply with law, or because of a merger, acquisition, or liquidation of the company.

If you would rather not have any of this information stored on your computer, you can configure your browser so it does not accept cookies. However, if you disable cookies you may not be able to access all parts of this website, including the purchase section. For more information and to learn how to disable cookies, please visit www.allaboutcookies.org or www.youronlinechoices.com.

4. How do we use your personal information?

Why we process your information:

How we use your information for this purpose:

Based on the following justification:

To provide you with information about our products and services.

We process your order history to develop, market, sell or otherwise provide products, services or information to you.

We also process your name and contact details to provide you with copies of our newsletter (such as our Ledger publication) or information about our products, store launches, partnerships, in-store events or other marketing or promotional information. We also process this information to ensure that we do not contact you if you have asked us not to.

Using your personal information in this way is necessary for us to perform our statutory and/or contractual obligations to you. It is also in our legitimate interests to provide you with the best possible customer experience online and instore.

To process your payments and protect you against fraudulent transactions.

We process your personal information including your card details to fulfil your purchase orders for our products, services and/or gift cards.

We also process this information to keep your payment details safe and protect you against fraudulent transactions.

It is in our legitimate interests to process financial information to keep payments secure and necessary for the performance of our contract with you.

To provide you with products and services that you have purchased from us.

We may need to use your name and contact details to perform our obligations under a contract with you (e.g. where you have purchased a product or service from us, like a hand cream or a facial treatment).

It is necessary for us to process your personal information in this way for us to perform our statutory and/or contractual obligations to you.

To learn more about why you use certain products and inform our product developers.

We process your health information (e.g. where you suffer an adverse reaction to a product) to update your account with us.

We also process this data to conduct internal administrative activities, research, analytics, planning and product development.

It is in our legitimate interests to develop our products and market the right products to you.

To improve your experience on our website.

We process information such as your Aesop account username and password, IP address, information about your purchases and your other activity on our website to improve our website, including to modify it to your usage, history and preferences and troubleshoot problems.

It is in our legitimate interests to ensure we provide you with a seamless online experience.

To detect fraudulent or suspicious transactions.

We process the details of your device when you shop on our website to enable us to detect any fraudulent transactions or suspicious purchasing activity.

It is in our legitimate interests to process personal information in this way.

To assess the online activities of our website users.

We process information collected by our websites automatically and through cookies and other technologies to assess the activities of our users, to measure the interest in and use of our website and communications, and to customise the website and our communications with you. We do this on both on an individual basis and in the aggregate. Please see the section titled 'Information we collect about you' for more detail.

It is in our legitimate interests to process personal information using cookies and other technologies that we need to use to run our website. Where required by applicable law, we will ask for your consent to the use of cookies that aren't necessary to run our website.

To understand and analyse our sales, and your needs and preferences.

We may use your information such as your geographical location to help us conduct focused market research based on trends and common factors so that we develop, enhance, market and provide products and services to meet your individual needs.

It is in our legitimate interests to process personal information to develop, enhance, market and provide products and services to you.

To understand your preferences based on information included in your Aesop profile completed in-store or in other communications you send to Aesop.

We process your information in this way to better understand you to maintain, update and service your account with us.

This processing also allows us to conduct internal administrative activities, research, analytics, planning and project development.

It is in our legitimate interests to process personal information so that we can better provide our products to you.

To process exchanges or returns.

We process your personal information to perform our obligations under our contract with you.

It is necessary for us to process your personal information to fulfil our statutory and/or contractual obligations to you.

To respond to requests or complaints.

We will need to process your name and contact details to respond to requests or complaints.

It is necessary for us to process your personal information to fulfil our statutory and/or contractual obligations to you.

5. Do we use your personal information for direct marketing?

We will only use your information with your consent when we send you marketing materials by email, text or post, depending on your marketing preferences. You can opt out at any time by contacting us as described below. When we send you communications by email or other electronic means, we'll always give you the option to unsubscribe in the message itself.

6. With which third parties do we share your personal information?

Your personal information is intended for Aesop but may be shared with third parties in certain circumstances:

Aesop's group of companies: We may share your personal information among our group of companies to register your account with us, deliver our products, provide you with customer support, process your payments, understand your preferences, send you information about products that may be of interest to you and conduct the other activities described in this Privacy Notice.

Our service providers: We use other companies, agents or contractors to perform services on our behalf or to assist us with the provision of the Aesop products to you. We may share personal information with the following categories of service provider:

• infrastructure and IT service providers, including for email archiving, mailing, billing and cloud-based services;

• marketing, advertising and communications agencies;

• external auditors and advisers; or

• other parties to whom we are authorised or required by law to disclose information.

While providing such services, these service providers may have access to your personal information. However, we will only provide our service providers with personal information which is necessary for them to perform their services, and we require them not to use your information for any other purpose. We will use our best efforts to ensure that all our service providers keep your personal information secure.

Third parties permitted by law: In certain circumstances, we may be required to disclose or share your personal information to comply with a legal or regulatory obligation (for example, we may be required to disclose personal information to the police, regulators, government agencies or to judicial or administrative authorities).

We may also disclose your personal information to third parties where disclosure is both legally permissible and necessary to protect or defend our rights, matters of national security, law enforcement, to enforce our contracts or protect your rights or those of the public.

Third parties connected with business transfers: We may transfer your personal information to third parties relating to a reorganisation, restructuring, merger, acquisition or transfer of assets, provided that the receiving party agrees to treat your personal information in a manner consistent with this Privacy Notice.

We will not sell your personal information to third parties.

Please note our website may, from time to time, contain links to and from the websites of our partners or affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we have no control over how they may use your personal information. You should check the privacy policies of third party websites before you submit any personal information to them.

7. Where do we transfer your personal information?

Aesop is a global brand and we provide our products and services all over the world. Your personal information may be transferred to and processed in:

• the EEA;

• Switzerland;

• Australia;

• New Zealand;

• Japan;

• Hong Kong;

• Singapore;

• Malaysia;

• Macau;

• Taiwan;

• Korea;

• the Unites States of America;

• Canada; and

• Brazil,

by our affiliates and our service providers. We will take all steps that are reasonably necessary to ensure that your personal information is treated securely and in accordance with this Privacy Notice as well as applicable data protection laws, including, where we transfer personal information from the EEA, by entering EU standard contractual clauses (or equivalent measures) with parties outside the EEA (where relevant).

8. What are your rights?

You have the following rights available to you in respect of the personal information we hold about you:

• Access. You have the right to request a copy of the personal information we are processing about you. For your own privacy and security, at our discretion we may require you to prove your identity before providing the requested information.

• Rectification. You have the right to have incomplete or inaccurate personal information that we process about you rectified.

• Deletion. You have the right to request that we delete personal information that we process about you, except we are not obliged to do so if we need to retain such data to comply with a legal obligation or to establish, exercise or defend legal claims.

• Restriction. You have the right to restrict our processing of your personal information where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.

• Portability. You have the right to obtain personal information we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) personal information which you have provided to us, and (b) if we are processing that data based on your consent or to perform a contract with you.

• Objection. Where the legal justification for our processing of your personal information is our legitimate interest, including the profiling we undertake to send you personalised offers, product recommendations and similar content, you have the right to object to such processing on grounds relating to your situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.

• Withdrawing Consent. If you have consented to our processing of your personal information, you have the right to withdraw your consent at any time, free of charge. This includes cases where you wish to opt out from marketing messages that you receive from us.

You can make a request to exercise any of these rights in relation to your personal information by sending the request to privacy@aesop.com.

Aesop will generally provide you with access to your personal information if practicable and will take reasonable steps to amend any of your personal information which is inaccurate or out of date.

Please note that where you have withdrawn your consent to our collection, use and disclosure of your personal information at any time (subject to contractual and legal restrictions and reasonable notice), we may be unable to provide you the products or services you have requested or contact you in the future.

You also have the right to lodge a complaint with the local data protection authority if you believe that we have not complied with applicable data protection laws. Please click here for a list of local data protection authorities in EEA countries.