GDPR Privacy Policy


Please note that this document is provided for informational purposes only. Its contents may be subject to change over time. The information in this document does not modify existing contractual arrangements and may not be construed as legal advice.


HairDirect is committed to protecting the privacy and security of our customers’ personal information. The information you share with us allows us to provide you with the best experience with our products and services. HairDirect believes strongly in protecting our customers’ personal data and understands that doing so is critical to help us preserve the trust and confidence of our customers. We have a dedicated global privacy program that protects all the personal information we collect. This privacy policy presents HairDirect’s approach to GDPR preparation and compliance.


Our principles regarding user privacy and data protection:

  • We believe customer privacy and data protection are human rights.
  • We take protecting your privacy seriously, and we recognize we have a duty of care to the people whose data we hold.
  • We will only collect and process data when it is necessary, and when we do, we will make it clear why we are doing so and how it will be used.
  • We will not sell your personal information, and we will only share it with other organizations as described in this policy (for example, with service providers who help us deliver your orders).


HairDirect: HairDirect means HairDirect, Inc., 1866 Colonial Village Suite 106, Lancaster, PA 17601, United States.

GDPR: The General Data Protection Regulation (Regulation (EU) 2016/679).

Data Controller: Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Data Processor: Data Processor means any natural or legal person who processes the data on behalf of the Data Controller.

Data Subject: Data Subject means any living individual who uses our services and to whom Personal Data relates.

Personal Data: Any information relating to an identified or identifiable natural person.

EEA: European Economic Area. EEA and European Union countries currently include Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

Who does the GDPR apply to?

The GDPR applies to any company that processes the personal data of people in the European Economic Area (EEA), including companies outside the EEA that offer goods or services to them. Because HairDirect sells directly to customers in the EEA, the GDPR applies to those parts of its business. Because HairDirect believes strongly in data protection and privacy, it gives all of its customers the rights afforded by the GDPR to control their personal data, wherever they live.


The GDPR also gives certain rights to identified or identifiable persons (referred to as data subjects), including customers visiting stores belonging to HairDirect. These include the right to request:

  • Deletion (erasure) of their personal data.
  • Correction (rectification) of their data.
  • Access to their data.
  • An export of their data in a common (portable) format.

What data does the GDPR apply to?

The GDPR generally applies to the collection and processing of personal data. Under the GDPR, personal data means any information relating to an identified or identifiable natural person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • Name
  • Shipping and Billing Address
  • Email
  • Phone Number
  • IP address
  • Credit card number
  • Information from cookies


Personal data does not include aggregate or purely financial information that cannot be linked to an individual, such as:

  • How many times a specific product has sold
  • How much revenue our store has made

What personal information about customers does HairDirect collect?

We collect your personal information in order to provide and continually improve our products and services. Here are the types of personal information we collect:

  • Information You Give Us: We receive and store any information you provide in relation to our products and services. You can choose not to provide certain information, but then you might not be able to take advantage of many of our services.
  • Automatic Information: We automatically collect and store certain types of information about your use of our products and services, including information about your interaction with content and services available through our website. Like many websites, we use "cookies" and other unique identifiers, and we obtain certain types of information when your web browser or device accesses our website. 
  • Information from Other Sources: We might receive information about you from other sources, such as updated delivery and address information from our carriers, which we use to correct our records and deliver your next purchase more easily. 

For what purposes does HairDirect use your personal information?

We use your personal information to operate, provide, develop, and improve the products and services that we offer our customers. These purposes include:

  • Purchase and delivery of products and services. We use your personal information to take and handle orders, deliver products and services, process payments, and communicate with you about orders, products and services, and promotional offers.
  • Provide, troubleshoot, and improve our services. We use your personal information to provide functionality, analyze performance, fix errors, and improve the usability and effectiveness of our products and services.
  • Recommendations and personalization. We use your personal information to recommend features, products, and services that might be of interest to you, identify your preferences, and personalize your experience.
  • Comply with legal obligations. In certain cases, we collect and use your personal information to comply with laws and tax liability. 
  • Communicate with you. We use your personal information to communicate with you in relation to our products and services via different channels (e.g., by phone, e-mail, chat).
  • Advertising. We use your personal information to display interest-based ads for features, products, and services that might be of interest to you. We do not use information that personally identifies you to display interest-based ads. 
  • Fraud Prevention and Credit Risks. We use personal information to prevent and detect fraud and abuse in order to protect the security of our customers, HairDirect, and others. We may also use scoring methods to assess and manage credit risks.

Legal basis for processing

Personal data cannot be processed except under a recognized legal basis (unless an exemption applies). The GDPR sets out the legal bases under which personal data may be processed. These include:

  • Consent of the data subject
  • Performance of a contract with the data subject (or steps taken at their request before entering into one)
  • Compliance with a legal obligation
  • Protection of the vital interests of the data subject or another person
  • Performance of a task carried out in the public interest
  • Legitimate interests of the controller or a third party, balanced against the rights and freedoms of the data subject


Consent of the data subject means the data subject has agreed to the processing of their personal data with a clear affirmative action. This agreement must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

The purposes for which we process your personal data, the types of data involved and the lawful basis we rely on are set out below.

Purpose/Activity: To register you as a new customer
Type of data: (a) Identity (b) Contact
Lawful basis for processing: Performance of a contract with you

Purpose/Activity: To process and deliver your order, including: (a) managing payments, fees and charges (b) collecting and recovering money owed to us
Type of data: (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications
Lawful basis for processing: (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts owed to us)

Purpose/Activity: To manage our relationship with you, which will include: (a) notifying you about changes to our terms or privacy policy (b) asking you to leave a review or take a survey
Type of data: (a) Identity (b) Contact (c) Profile (d) Marketing and Communications
Lawful basis for processing: (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

Data transfers

Personal data of residents of the EEA can only be transferred to recipients outside the EEA if the recipient has adequate protections in place. These protections may include:

  • Transfer to a country whose laws the European Commission has deemed adequate (an adequacy decision).
  • Negotiated frameworks such as the EU-U.S. Privacy Shield. Note that the Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 and has since been replaced by the EU-U.S. Data Privacy Framework; transfers relying on a framework must use one that is currently valid.
  • Contractual protections (Standard Contractual Clauses approved by the European Commission).
  • Approved sets of internal policies (Binding Corporate Rules).
  • Approved codes of conduct or certifications.

Disclosures to third parties

HairDirect will never independently sell personal data for commercial purposes. However, HairDirect does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:

  • Store platform data.
  • Operate the forums and other portions of HairDirect’s website.
  • Respond to and manage support inquiries.


Additionally, HairDirect may provide personal data, where permitted, to prevent, investigate, or respond to:

  • Potential fraud
  • Illegal conduct
  • Physical threats
  • Violations of any agreements with HairDirect

Data subject rights

The GDPR provides data subjects (in this case, customers) with certain rights over their personal data. Data subject requests must be addressed without undue delay and in any event within one month of receipt; where requests are complex or numerous, this period may be extended by up to two further months, in which case we will tell you within the first month why the extension is needed. As a data subject, you have the right to access, rectification, erasure, restriction of processing and data portability with regard to your personal data. In addition, you can withdraw your consent and object to our processing of your personal data. 

  • You can withdraw your consent to the processing of your personal data by us at any time. As a result, we may no longer process your personal data based on this consent in the future. The withdrawal of consent has no effect on the lawfulness of processing based on consent before its withdrawal.
  • You have the right to obtain access to your personal data that is being processed by us. In particular, you may request information on the purposes of the processing, the categories of personal data concerned, the categories of recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing, the right to lodge a complaint with a supervisory authority, any available information as to the personal data’s source (where they are not collected from you), the existence of automated decision-making, including profiling and, where appropriate, meaningful information on its details. Your right to access may be limited by national law.
  • You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • You have the right to obtain from us the erasure of personal data concerning you, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims. The right to erasure may be limited by national law.
  • You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller ("right to data portability").
  • You have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or the registered office of the controller.



Data subjects have the right to request that their personal data be erased in certain circumstances. If we receive a request from a customer to erase their personal data, we will:

  • Verify that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data).
  • Confirm there is no legal reason to preserve this data.


If both conditions are satisfied, after a request is received, HairDirect will ensure that the relevant personal data is erased. 


Personal data will not be erased from HairDirect's systems if the customer has placed an order within the last 180 days (the usual window in which a customer can make a chargeback). In that case HairDirect will log the erasure request and automatically erase the data once this window has passed. If the customer makes another purchase after their information has been redacted, a new customer account will be created.


When processing a request for erasure, HairDirect will anonymize the personal data of the customer, but keep non-personal data such as revenue information and order details. Order details that are retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method. HairDirect will also not redact any text that has been entered manually into free-form text boxes, such as comments on a customer’s timeline or notes on orders. 
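The erasure workflow described above (verify the requester, check for a legal reason to retain, defer while an order is inside the 180-day chargeback window, otherwise anonymize the customer while keeping the listed order fields and free-form notes) can be written as a small handler. The following is an added example and not HairDirect's own code: the record layout, the field names, the e-mail match used as the identity check, and the scheduled job that carries out deferred requests are all assumptions made here for illustration. It goes slightly beyond the text by also handling a customer who orders again while an erasure request is pending.

```python
from datetime import date, timedelta

# Window during which a customer can still make a chargeback (stated in the policy).
CHARGEBACK_WINDOW = timedelta(days=180)

# Customer fields treated as personal data. The names are an assumed schema.
CUSTOMER_PII_FIELDS = ("name", "email", "phone", "shipping_address",
                       "billing_address", "ip_address")

# Order fields the policy says are retained after erasure, plus the free-form
# "notes" field (not redacted per the policy). "order_id" is an assumed key so
# retained orders stay addressable.
RETAINED_ORDER_FIELDS = ("order_id", "gateway", "time_of_sale", "amount_paid",
                         "currency", "subtotal", "shipping_cost", "taxes",
                         "shipping_method", "item_quantity", "item_name", "sku",
                         "payment_method", "notes")


def iso(s):
    """Helper for building sample dates from ISO strings."""
    return date.fromisoformat(s)


def anonymize_customer(customer):
    """Return a copy with every personal field blanked. The account id is kept so
    retained orders still reference a (now anonymous) record."""
    out = dict(customer)
    for name in CUSTOMER_PII_FIELDS:
        if name in out:
            out[name] = None
    out["anonymized"] = True
    return out


def redact_order(order):
    """Keep only the retained fields; anything else (e.g. the address on the
    shipping label, the customer e-mail) is dropped."""
    return {k: order[k] for k in RETAINED_ORDER_FIELDS if k in order}


def last_order_date(orders):
    return max((o["time_of_sale"] for o in orders), default=None)


def handle_erasure_request(customer, orders, requester_email, legal_hold,
                           today, erasure_log):
    """Apply the policy's erasure workflow to one request.
    Returns a dict whose "status" is "rejected", "scheduled" or "erased"."""
    # 1. The requester must be the data subject. Here that is a case-insensitive
    #    match on the e-mail on file; a real deployment would first confirm the
    #    requester controls that mailbox before acting on the request.
    on_file = (customer.get("email") or "").strip().lower()
    if requester_email.strip().lower() != on_file:
        return {"status": "rejected", "reason": "requester is not the data subject"}

    # 2. There must be no legal reason to preserve the data.
    if legal_hold:
        return {"status": "rejected", "reason": "legal obligation to retain"}

    # 3. Inside the chargeback window: log the request and erase later.
    last = last_order_date(orders)
    if last is not None and today - last < CHARGEBACK_WINDOW:
        erase_on = last + CHARGEBACK_WINDOW
        erasure_log.append({"customer_id": customer["id"],
                            "requested": today, "erase_on": erase_on})
        return {"status": "scheduled", "erase_on": erase_on}

    # 4. Otherwise erase now: anonymize the customer, keep the order data.
    return {"status": "erased",
            "customer": anonymize_customer(customer),
            "orders": [redact_order(o) for o in orders]}


def run_erasure_job(erasure_log, customers, orders_by_customer, today):
    """Scheduled job that carries out logged requests once their window has
    passed. If the customer ordered again while the request was pending, the
    erasure date is pushed out to the end of the new window (a design choice
    made in this example; the policy does not spell that case out)."""
    completed = []
    for entry in list(erasure_log):
        cid = entry["customer_id"]
        last = last_order_date(orders_by_customer.get(cid, []))
        if last is not None and today - last < CHARGEBACK_WINDOW:
            entry["erase_on"] = last + CHARGEBACK_WINDOW
            continue
        if today >= entry["erase_on"]:
            customers[cid] = anonymize_customer(customers[cid])
            orders_by_customer[cid] = [redact_order(o)
                                       for o in orders_by_customer.get(cid, [])]
            erasure_log.remove(entry)
            completed.append(cid)
    return completed


# Constructed sample records for demonstration; not real customer data.
SAMPLE_CUSTOMER = {"id": 42, "name": "Ana Example", "email": "ana@example.com",
                   "phone": "+1 555 0100", "shipping_address": "1 Main St",
                   "billing_address": "1 Main St", "ip_address": "203.0.113.7"}
SAMPLE_ORDERS = [{"order_id": 1001, "gateway": "card-gateway",
                  "time_of_sale": iso("2023-01-10"), "amount_paid": "59.00",
                  "currency": "USD", "subtotal": "49.00", "shipping_cost": "5.00",
                  "taxes": "5.00", "shipping_method": "ground", "item_quantity": 1,
                  "item_name": "Hair system", "sku": "HD-001", "payment_method": "card",
                  "notes": "leave at door", "shipping_address": "1 Main St",
                  "customer_email": "ana@example.com"}]

if __name__ == "__main__":
    log = []
    print(handle_erasure_request(SAMPLE_CUSTOMER, SAMPLE_ORDERS, "ana@example.com",
                                 False, iso("2024-06-01"), log))
```

Two details are worth noting. The e-mail comparison only establishes that the requester claims to be the account holder; confirming that claim (for example by replying to the address on file) is what actually satisfies the "verify the requester" step. And because free-form notes are retained verbatim, anything a customer or agent typed into them survives erasure, so staff should be discouraged from putting identifying details in those fields.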


Data portability

Where processing is carried out by automated means and is based on consent or on a contract, controllers must provide data subjects with the personal data they supplied, upon request, in a structured, commonly used and machine-readable format. Many data types can be exported to common formats such as CSV or Excel:

  • Transaction histories
  • Payouts
  • Product lists
  • Customer lists


Data protection and security

Under the GDPR, controllers and processors are required to implement appropriate technical and organizational measures. HairDirect has implemented many of the controls and processes identified in the GDPR, including:

  • Pseudonymizing and encrypting personal data.
  • Ensuring confidentiality, integrity, availability, and resilience of processing systems.
  • Restricting who may access personal data.
  • Ensuring availability and access to personal data in the event of a physical or technical incident.
  • Performing regular testing, assessments, and evaluation of technical and organizational security measures.

What does the customer need to do?

If you want us to delete your data from our systems or provide you a copy of all the data we have on you, please email us at

If you need more information on our data collection processes, please refer to our Privacy Policy Notice on our website.

If you wish to learn more about GDPR, please visit